[PATCH] crypto: Fix PKCS11 decrypt key check


Jelena Sehovac

Feb 11, 2026, 11:07:49 AM
to swupdate
Check if the provided decryption key string starts with the "pkcs11" identifier.
This condition determines whether the key uses PKCS#11 (Public Key Cryptography Standard #11)
for hardware security module or cryptographic token operations.

Signed-off-by: sjelena <jelena....@chipglobe.com>
---
 core/decrypt_keys.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/core/decrypt_keys.c b/core/decrypt_keys.c
index 95c7c13b..9d3bf047 100644
--- a/core/decrypt_keys.c
+++ b/core/decrypt_keys.c
@@ -84,10 +84,10 @@ int set_aes_key(const char *key, const char *ivt)
        ret = ascii_to_bin(decrypt_keys->ivt, AES_BLK_SIZE, ivt);
        keylen = strlen(key);
 
-       if (!strcmp("pkcs11", key)) {
+       const char *pkcs11_prefix = "pkcs11";
+       if (strncmp(key, pkcs11_prefix, strlen(pkcs11_prefix)) == 0) {
                is_pkcs11 = true;
                decrypt_keys->keylen = keylen;
-
        } else {
                switch (keylen) {
                case AES_128_KEY_LEN * 2:
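Review bot: the new `strncmp` test in `set_aes_key()` compares only the six characters "pkcs11", so any key string that merely begins with those letters takes the PKCS#11 branch, not only a URI. Consider including the scheme separator in the prefix, i.e. `"pkcs11:"`, so the check matches the `pkcs11:` URI form and nothing else. The commit message should also say what was wrong before: `strcmp("pkcs11", key)` is true only when the key is exactly the string "pkcs11", which the message currently does not state.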
--
2.25.1

Stefano Babic

Feb 11, 2026, 11:16:43 AM
to Jelena Sehovac, swupdate
Hi Jelena,

On 2/11/26 17:01, Jelena Sehovac wrote:
> Check if the provided decryption key string starts with the "pkcs11"
> identifier.
> This condition determines whether the key uses PKCS#11 (Public Key
> Cryptography Standard #11)
> for hardware security module or cryptographic token operations.
>
> Signed-off-by: sjelena <jelena....@chipglobe.com>
> ---
>  core/decrypt_keys.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/core/decrypt_keys.c b/core/decrypt_keys.c
> index 95c7c13b..9d3bf047 100644
> --- a/core/decrypt_keys.c
> +++ b/core/decrypt_keys.c
> @@ -84,10 +84,10 @@ int set_aes_key(const char *key, const char *ivt)
>         ret = ascii_to_bin(decrypt_keys->ivt, AES_BLK_SIZE, ivt);
>         keylen = strlen(key);
>
> -       if (!strcmp("pkcs11", key)) {
> +       const char *pkcs11_prefix = "pkcs11";
> +       if (strncmp(key, pkcs11_prefix, strlen(pkcs11_prefix)) == 0) {

Apart from using the strncmp function, can you better elaborate on this and
where the bug is? I have not got it.

"if (!strcmp("pkcs11", key))" and "if (strncmp(key, pkcs11_prefix,
strlen(pkcs11_prefix)) == 0)" are exactly the same.

Best regards,
Stefano Babic


>                 is_pkcs11 = true;
>                 decrypt_keys->keylen = keylen;
> -
>         } else {
>                 switch (keylen) {
>                 case AES_128_KEY_LEN * 2:
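Review bot: `const char *pkcs11_prefix` is declared after the `ret = ...` and `keylen = ...` statements, in the middle of the function body; move the declaration to the top of `set_aes_key()` with the other locals, or make it a file-level `static const char[]` so its length can be taken with `sizeof(...) - 1` instead of a `strlen()` call on every invocation. The deleted blank line before `} else {` is an unrelated whitespace change and would be better left out or mentioned in the commit message.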
> --
> 2.25.1
>

Jelena Sehovac

Feb 11, 2026, 11:56:35 AM
to swupdate
Hi Stefano,

strcmp("pkcs11", key) compares two full strings and it will return 0 if the strings are exactly equal, and that is not what we want, because key is not exactly equal to "pkcs11". That is the bug.
strncmp(key, pkcs11_prefix, strlen(pkcs11_prefix)) compares only the first strlen(pkcs11_prefix) characters, so it will return 0 if the first strlen(pkcs11_prefix) characters match. That is a valid approach.

Here is an example of a PKCS#11 URL:

pkcs11:slot-id=42;id=%CA%FE%BA%BE?pin-value=1234&module-path=/usr/lib/libsofthsm2.so 65D793B87B6724BB27954C7664F15FF3

So the key is not equal to pkcs11, it starts with pkcs11.

Best Regards,
Jelena Sehovac
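
The difference between the exact match and the prefix match discussed in this thread, as an added example that is not part of the original messages or of SWUpdate's code. The function and enum names are hypothetical, the prefix includes the `:` scheme separator (stricter than the patch), and accepting 32, 48 or 64 hex digits for AES keys is an assumption generalized from the `AES_128_KEY_LEN * 2` case visible in the hunk.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not SWUpdate's code. */
enum key_kind { KEY_INVALID, KEY_AES_HEX, KEY_PKCS11_URI };

/* Check before the patch: true only for the literal string "pkcs11". */
static bool old_is_pkcs11(const char *key)
{
	return strcmp("pkcs11", key) == 0;
}

/* Prefix check on the URI scheme. Assumption: the ':' separator is part of
 * the prefix, which is stricter than the patch's bare "pkcs11". */
static bool is_pkcs11_uri(const char *key)
{
	static const char scheme[] = "pkcs11:";

	return strncmp(key, scheme, sizeof(scheme) - 1) == 0;
}

/* Classify a key string as a PKCS#11 URI, a hex-encoded AES key, or invalid. */
static enum key_kind classify_key(const char *key)
{
	size_t len, i;

	if (!key)
		return KEY_INVALID;
	if (is_pkcs11_uri(key))
		return KEY_PKCS11_URI;
	len = strlen(key);
	if (len != 32 && len != 48 && len != 64) /* two hex digits per key byte */
		return KEY_INVALID;
	for (i = 0; i < len; i++)
		if (!isxdigit((unsigned char)key[i]))
			return KEY_INVALID;
	return KEY_AES_HEX;
}

int main(void)
{
	/* URI part of the example quoted in the thread */
	const char *uri = "pkcs11:slot-id=42;id=%CA%FE%BA%BE?pin-value=1234&module-path=/usr/lib/libsofthsm2.so";

	printf("old=%d new=%d kind=%d\n", old_is_pkcs11(uri), is_pkcs11_uri(uri), classify_key(uri));
	return 0;
}
```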