Some improvements on sign.
This commit is contained in:
+50
-18
@@ -7,12 +7,12 @@
|
|||||||
|
|
||||||
#define D(x) do { \
|
#define D(x) do { \
|
||||||
printf ("debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \
|
printf ("debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \
|
||||||
printf x;; \
|
printf x; \
|
||||||
printf ("\n"); \
|
printf ("\n"); \
|
||||||
} while (0)
|
} while (0)
|
||||||
|
|
||||||
#define YKCS11_DBG 1 // General debug, must be either 1 or 0
|
#define YKCS11_DBG 1 // General debug, must be either 1 or 0
|
||||||
#define YKCS11_DINOUT 0 // Function in/out debug, must be either 1 or 0
|
#define YKCS11_DINOUT 1 // Function in/out debug, must be either 1 or 0
|
||||||
|
|
||||||
#define YKCS11_MANUFACTURER "Yubico (www.yubico.com)"
|
#define YKCS11_MANUFACTURER "Yubico (www.yubico.com)"
|
||||||
#define YKCS11_LIBDESC "PKCS#11 PIV Library (SP-800-73)"
|
#define YKCS11_LIBDESC "PKCS#11 PIV Library (SP-800-73)"
|
||||||
@@ -57,6 +57,12 @@ static struct {
|
|||||||
static piv_obj_id_t token_objects[PIV_CERT_OBJ_LAST]; // TODO: tide this up, also build at runtime (during open session)?
|
static piv_obj_id_t token_objects[PIV_CERT_OBJ_LAST]; // TODO: tide this up, also build at runtime (during open session)?
|
||||||
static CK_ULONG n_token_objects = 0;
|
static CK_ULONG n_token_objects = 0;
|
||||||
|
|
||||||
|
static struct {
|
||||||
|
CK_BBOOL active;
|
||||||
|
CK_MECHANISM mechanism;
|
||||||
|
CK_OBJECT_HANDLE key;
|
||||||
|
} sign_info;
|
||||||
|
|
||||||
extern CK_FUNCTION_LIST function_list; // TODO: check all return values
|
extern CK_FUNCTION_LIST function_list; // TODO: check all return values
|
||||||
|
|
||||||
/* General Purpose */
|
/* General Purpose */
|
||||||
@@ -809,27 +815,32 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)(
|
|||||||
}
|
}
|
||||||
vendor = get_vendor(slots[session_info.slotID].vid); // TODO: make a token field in slot_t ?;
|
vendor = get_vendor(slots[session_info.slotID].vid); // TODO: make a token field in slot_t ?;
|
||||||
|
|
||||||
|
find_obj.active = CK_TRUE;
|
||||||
|
find_obj.idx = 0;
|
||||||
|
find_obj.num = n_token_objects; // TOTO: actually malloc here so that the array can be changed
|
||||||
|
find_obj.objects = token_objects;
|
||||||
|
|
||||||
if (ulCount == 0) {
|
if (ulCount == 0) {
|
||||||
DBG(("Find ALL the objects!"));
|
DBG(("Find ALL the objects!"));
|
||||||
find_obj.active = CK_TRUE;
|
|
||||||
find_obj.num = n_token_objects;
|
|
||||||
find_obj.idx = 0;
|
|
||||||
find_obj.objects = token_objects;
|
|
||||||
DOUT;
|
DOUT;
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
// return CKR_FUNCTION_FAILED;
|
|
||||||
DBG(("Initialized search with %lu parameters", ulCount));
|
DBG(("Initialized search with %lu parameters", ulCount));
|
||||||
|
|
||||||
if (pTemplate == NULL_PTR)
|
if (pTemplate == NULL_PTR) {
|
||||||
|
find_obj.active = CK_FALSE;
|
||||||
return CKR_ARGUMENTS_BAD;
|
return CKR_ARGUMENTS_BAD;
|
||||||
|
}
|
||||||
find_obj.active = CK_TRUE;
|
|
||||||
|
|
||||||
for (i = 0; i < ulCount; i++) {
|
for (i = 0; i < ulCount; i++) {
|
||||||
DBG(("Parameter %lu\nType: %lu Value: %lu Len: %lu", i, pTemplate[i].type, *((CK_ULONG_PTR)pTemplate[i].pValue), pTemplate[i].ulValueLen));
|
DBG(("Parameter %lu\nType: %lu Value: %lu Len: %lu", i, pTemplate[i].type, *((CK_ULONG_PTR)pTemplate[i].pValue), pTemplate[i].ulValueLen));
|
||||||
|
// TODO: remove objects that don't match
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TOTO: do it properly here, jsut a test now
|
||||||
|
find_obj.num = 1;
|
||||||
|
find_obj.objects = token_objects + 3;
|
||||||
|
|
||||||
DOUT;
|
DOUT;
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
@@ -872,13 +883,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjects)(
|
|||||||
|
|
||||||
*phObject = find_obj.objects[find_obj.idx++];
|
*phObject = find_obj.objects[find_obj.idx++];
|
||||||
*pulObjectCount = 1;
|
*pulObjectCount = 1;
|
||||||
return CKR_OK;
|
|
||||||
|
|
||||||
// NEVER REACHED
|
DBG(("Returning object %lu", *phObject));
|
||||||
DBG(("GETTING SOMETHING ELSE"));
|
|
||||||
*phObject = PIV_DATA_OBJ_X509_DS;
|
|
||||||
*pulObjectCount = 2;
|
|
||||||
DOUT;
|
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1092,6 +1099,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(
|
|||||||
return CKR_ARGUMENTS_BAD;
|
return CKR_ARGUMENTS_BAD;
|
||||||
|
|
||||||
DBG(("Trying to sign some data with mechanism %lu and key %lu", pMechanism->mechanism, hKey));
|
DBG(("Trying to sign some data with mechanism %lu and key %lu", pMechanism->mechanism, hKey));
|
||||||
|
|
||||||
|
sign_info.active = CK_TRUE;
|
||||||
|
memcpy(&sign_info.mechanism, pMechanism, sizeof(CK_MECHANISM));
|
||||||
|
sign_info.key = hKey;
|
||||||
|
// TODO: also allocate some space for the signature
|
||||||
|
|
||||||
|
|
||||||
DOUT;
|
DOUT;
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
@@ -1115,14 +1129,32 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
|
|||||||
)
|
)
|
||||||
{
|
{
|
||||||
DIN;
|
DIN;
|
||||||
|
|
||||||
|
if (sign_info.active == CK_FALSE)
|
||||||
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
// TODO: check conditions
|
// TODO: check conditions
|
||||||
char test_buf[] = "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20\xa7\x47\x16\x1b\x15\x5f\xd0\x05\xbc\xbe\x84\x4a\x28\xa9\x6c\x74\xfe\xf6\x6a\x42\x84\xa0\x4e\x05\x7a\x0c\x88\xe2\xc8\x83\xc0\x00";
|
char test_buf[] = "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20\xa7\x47\x16\x1b\x15\x5f\xd0\x05\xbc\xbe\x84\x4a\x28\xa9\x6c\x74\xfe\xf6\x6a\x42\x84\xa0\x4e\x05\x7a\x0c\x88\xe2\xc8\x83\xc0\x00";
|
||||||
CK_ULONG sig_len_in = sizeof(test_buf) - 1;
|
CK_ULONG sig_len_in = sizeof(test_buf) - 1;
|
||||||
CK_ULONG sig_len_out = 1024;
|
CK_ULONG sig_len_out = 1024;
|
||||||
ykpiv_rc r;
|
ykpiv_rc r;
|
||||||
|
CK_CHAR key;
|
||||||
|
|
||||||
DBG(("Sending %lu bytes to sign", /*ulDataLen*/sig_len_in));
|
DBG(("Sending %lu bytes to sign", /*ulDataLen*/sig_len_in));
|
||||||
dump_hex(test_buf, sig_len_in, stderr, CK_TRUE);
|
dump_hex(test_buf, sig_len_in, stderr, CK_TRUE);
|
||||||
if ((r = ykpiv_sign_data(piv_state, /*pData*/test_buf, /*ulDataLen*/sig_len_in, sig_buf, &sig_len_out, YKPIV_ALGO_RSA2048, YKPIV_KEY_AUTHENTICATION)) != YKPIV_OK) {
|
|
||||||
|
if (sign_info.key == PIV_DATA_OBJ_X509_PIV_AUTH) {
|
||||||
|
key = YKPIV_KEY_AUTHENTICATION;
|
||||||
|
DBG(("Using key 9a"));
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
key = YKPIV_KEY_SIGNATURE;
|
||||||
|
DBG(("Using key 9c"));
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO: check that mechanism makes sense for the key that we have.
|
||||||
|
|
||||||
|
if ((r = ykpiv_sign_data(piv_state, /*pData*/test_buf, /*ulDataLen*/sig_len_in, sig_buf, &sig_len_out, YKPIV_ALGO_RSA2048, key)) != YKPIV_OK) {
|
||||||
DBG(("Sign error %s", ykpiv_strerror(r)));
|
DBG(("Sign error %s", ykpiv_strerror(r)));
|
||||||
return CKR_FUNCTION_FAILED;
|
return CKR_FUNCTION_FAILED;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user