diff --git a/ykcs11/objects.c b/ykcs11/objects.c index 44e94e5..91b3380 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c @@ -186,7 +186,6 @@ static void asn1_encode_oid(CK_CHAR_PTR oid, CK_BYTE_PTR asn1_oid, CK_ULONG_PTR p++; } - l = 0; if (*p == '.') { *p = 0; l = (CK_ULONG) atoi((char *)q); @@ -195,7 +194,7 @@ static void asn1_encode_oid(CK_CHAR_PTR oid, CK_BYTE_PTR asn1_oid, CK_ULONG_PTR } else { l = (CK_ULONG) atoi((char *)q); - q = p; + // q = p; } /* Digit is in l. */ diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c index 17ba0ae..1ce68a0 100644 --- a/ykcs11/openssl_utils.c +++ b/ykcs11/openssl_utils.c @@ -9,11 +9,6 @@ CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) { const unsigned char *p = data; // Mandatory temp variable required by OpenSSL int cert_len; - /**cert = X509_new(); - if (*cert == NULL) - return CKR_HOST_MEMORY;*/ - //dump_hex(data, len, stderr, CK_TRUE); - if (*p == 0x70) { // The certificate is in "PIV" format 0x70 len 0x30 len ... p++; @@ -25,23 +20,18 @@ CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) { cert_len += get_length(p + 1, &cert_len) + 1; } + if ((CK_ULONG)cert_len > len) + return CKR_ARGUMENTS_BAD; + *cert = d2i_X509(NULL, &p, cert_len); if (*cert == NULL) return CKR_FUNCTION_FAILED; - /* - BIO *STDout = BIO_new_fp(stderr, BIO_NOCLOSE); - - X509_print_ex(STDout, *cert, 0, 0); - - BIO_free(STDout); - */ - return CKR_OK; } -CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_ULONG key_len, +CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_BYTE_PTR out, CK_ULONG_PTR out_len) { X509 *cert = NULL; @@ -53,7 +43,6 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_ EC_GROUP *ecg = NULL; EC_POINT *ecp = NULL; ASN1_TIME *tm = NULL; - time_t t; unsigned char *data_ptr; unsigned char *p; @@ -160,16 +149,16 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_ if (len < 0) goto create_empty_cert_cleanup; - if (len > *out_len) { + if ((CK_ULONG)len > *out_len) { rv = CKR_BUFFER_TOO_SMALL; goto create_empty_cert_cleanup; } - p = in; + p = out; if ((*out_len = i2d_X509(cert, &p)) == 0) goto create_empty_cert_cleanup; - /* TODO REMOVE THIS */ + /* TODO: REMOVE THIS */ BIO *STDout = BIO_new_fp(stderr, BIO_NOCLOSE); X509_print_ex(STDout, cert, 0, 0); @@ -320,7 +309,7 @@ CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { rsa = EVP_PKEY_get1_RSA(key); - if (RSA_size(rsa) > *len) { + if ((CK_ULONG)RSA_size(rsa) > *len) { RSA_free(rsa); rsa = NULL; return CKR_BUFFER_TOO_SMALL; @@ -461,13 +450,16 @@ CK_RV do_pkcs_pss(RSA *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid, OpenSSL_add_all_digests(); // TODO: rand must be seeded first (should be automatic) - if (*out_len < RSA_size(key)) + if (*out_len < (CK_ULONG)RSA_size(key)) CKR_BUFFER_TOO_SMALL; DBG(("Apply PSS padding to %lu bytes and get %d\n", in_len, RSA_size(key))); + if (out != in) + memcpy(out, in, in_len); + // In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD - if (RSA_padding_add_PKCS1_PSS(key, em, in, EVP_get_digestbynid(nid), -2) == 0) { + if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) { EVP_cleanup(); return CKR_FUNCTION_FAILED; } diff --git a/ykcs11/openssl_utils.h b/ykcs11/openssl_utils.h index 6fef0ff..12f8dde 100644 --- a/ykcs11/openssl_utils.h +++ b/ykcs11/openssl_utils.h @@ -10,7 +10,7 @@ #include "pkcs11t.h" CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert); -CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_ULONG key_len, +CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_BYTE_PTR out, CK_ULONG_PTR out_len); CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG_PTR cert_len); CK_RV free_cert(X509 *cert); diff --git a/ykcs11/token_vendors.c b/ykcs11/token_vendors.c index d634f5f..6d0c2bd 100644 --- a/ykcs11/token_vendors.c +++ b/ykcs11/token_vendors.c @@ -58,7 +58,7 @@ static CK_RV COMMON_token_generate_key(ykpiv_state *state, CK_BBOOL rsa, CK_BYTE // Create a new empty certificate for the key recv_len = sizeof(data); - if ((rv = do_create_empty_cert(data, recv_len, rsa, key_len, data, &recv_len)) != CKR_OK) + if ((rv = do_create_empty_cert(data, recv_len, rsa, data, &recv_len)) != CKR_OK) return rv; if (recv_len < 0x80)