Merge branch 'master' of https://github.com/Jakuje/yubico-piv-tool into Jakuje-master

This commit is contained in:
Trevor Bentley
2017-11-20 14:03:48 +01:00
7 changed files with 292 additions and 42 deletions
+21 -10
View File
@@ -31,6 +31,7 @@
#include "openssl_utils.h"
#include <stdbool.h>
#include "../tool/util.h" // TODO: share this better?
#include "../tool/openssl-compat.h" // TODO: share this better?
#include "debug.h"
#include <string.h>
@@ -115,8 +116,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
if(bignum_e == NULL)
goto create_empty_cert_cleanup;
rsa->n = bignum_n;
rsa->e = bignum_e;
RSA_set0_key(rsa, bignum_n, bignum_e, NULL);
if (EVP_PKEY_set1_RSA(key, rsa) == 0)
goto create_empty_cert_cleanup;
@@ -165,6 +165,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
X509_set_notBefore(cert, tm);
X509_set_notAfter(cert, tm);
#if OPENSSL_VERSION_NUMBER < 10100000L
// Manually set the signature algorithms.
// OpenSSL 1.0.1i complains about empty DER fields
// 8 => md5WithRsaEncryption
@@ -174,6 +175,8 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
// Manually set a signature (same reason as before)
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
ASN1_BIT_STRING_set(cert->signature, (unsigned char*)"\x00", 1);
ASN1_BIT_STRING_set(cert->signature, (unsigned char*)"\x00", 1);
#endif
len = i2d_X509(cert, NULL);
if (len < 0)
@@ -316,7 +319,7 @@ CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key) {
CK_KEY_TYPE do_get_key_type(EVP_PKEY *key) {
switch (key->type) {
switch (EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
return CKK_RSA;
@@ -349,18 +352,20 @@ CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key) {
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
RSA *rsa;
const BIGNUM *n;
rsa = EVP_PKEY_get1_RSA(key);
if (rsa == NULL)
return CKR_FUNCTION_FAILED;
if ((CK_ULONG)BN_num_bytes(rsa->n) > *len) {
RSA_get0_key(rsa, &n, NULL, NULL);
if ((CK_ULONG)BN_num_bytes(n) > *len) {
RSA_free(rsa);
rsa = NULL;
return CKR_BUFFER_TOO_SMALL;
}
*len = (CK_ULONG)BN_bn2bin(rsa->n, data);
*len = (CK_ULONG)BN_bn2bin(n, data);
RSA_free(rsa);
rsa = NULL;
@@ -372,18 +377,20 @@ CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len)
CK_ULONG e = 0;
RSA *rsa;
const BIGNUM *bn_e;
rsa = EVP_PKEY_get1_RSA(key);
if (rsa == NULL)
return CKR_FUNCTION_FAILED;
if ((CK_ULONG)BN_num_bytes(rsa->e) > *len) {
RSA_get0_key(rsa, NULL, &bn_e, NULL);
if ((CK_ULONG)BN_num_bytes(bn_e) > *len) {
RSA_free(rsa);
rsa = NULL;
return CKR_BUFFER_TOO_SMALL;
}
*len = (CK_ULONG)BN_bn2bin(rsa->e, data);
*len = (CK_ULONG)BN_bn2bin(bn_e, data);
RSA_free(rsa);
rsa = NULL;
@@ -406,7 +413,7 @@ CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
const EC_POINT *ecp;
point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED;
switch(key->type) {
switch(EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
@@ -470,16 +477,20 @@ CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus,
CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen) {
ykcs11_rsa_key_t *k;
BIGNUM *k_n = NULL, *k_e = NULL;
if (modulus == NULL || exponent == NULL)
return CKR_ARGUMENTS_BAD;
if ((k = RSA_new()) == NULL)
return CKR_HOST_MEMORY;
if ((k->n = BN_bin2bn(modulus, mlen, NULL)) == NULL)
if ((k_n = BN_bin2bn(modulus, mlen, NULL)) == NULL)
return CKR_FUNCTION_FAILED;
if ((k->e = BN_bin2bn(exponent, elen, NULL)) == NULL)
if ((k_e = BN_bin2bn(exponent, elen, NULL)) == NULL)
return CKR_FUNCTION_FAILED;
if (RSA_set0_key(k, k_n, k_e, NULL) == 0)
return CKR_FUNCTION_FAILED;
*key = k;
+45 -7
View File
@@ -273,6 +273,32 @@ static void test_login() {
}
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
static int bogus_sign(int dtype, const unsigned char *m, unsigned int m_length,
unsigned char *sigret, unsigned int *siglen, const RSA *rsa) {
sigret = malloc(1);
sigret = "";
*siglen = 1;
return 0;
}
static void bogus_sign_cert(X509 *cert) {
EVP_PKEY *pkey = EVP_PKEY_new();
RSA *rsa = RSA_new();
RSA_METHOD *meth = RSA_meth_dup(RSA_get_default_method());
BIGNUM *e = BN_new();
BN_set_word(e, 65537);
RSA_generate_key_ex(rsa, 1024, e, NULL);
RSA_meth_set_sign(meth, bogus_sign);
RSA_set_method(rsa, meth);
EVP_PKEY_set1_RSA(pkey, rsa);
X509_sign(cert, pkey, EVP_md5());
EVP_PKEY_free(pkey);
}
#endif
// Import a newly generated P256 pvt key and a certificate
// to every slot and use the key to sign some data
static void test_import_and_sign_all_10() {
@@ -358,11 +384,15 @@ static void test_import_and_sign_all_10() {
X509_set_notBefore(cert, tm);
X509_set_notAfter(cert, tm);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
cert->sig_alg->algorithm = OBJ_nid2obj(8);
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
ASN1_BIT_STRING_set(cert->signature, "\x00", 1);
#else
bogus_sign_cert(cert);
#endif
p = value_c;
if ((cert_len = (CK_ULONG) i2d_X509(cert, &p)) == 0 || cert_len > sizeof(value_c))
@@ -385,7 +415,7 @@ static void test_import_and_sign_all_10() {
for (i = 0; i < 24; i++) {
for (j = 0; j < 10; j++) {
if(RAND_pseudo_bytes(some_data, sizeof(some_data)) == -1)
if(RAND_bytes(some_data, sizeof(some_data)) == -1)
exit(EXIT_FAILURE);
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");
@@ -480,6 +510,7 @@ static void test_import_and_sign_all_10_RSA() {
CK_BYTE_PTR s_ptr;
CK_ULONG r_len;
CK_ULONG s_len;
const BIGNUM *bp, *bq, *biqmp, *bdmp1, *bdmq1;
unsigned char *px;
@@ -522,11 +553,13 @@ static void test_import_and_sign_all_10_RSA() {
asrt(RSA_generate_key_ex(rsak, 1024, e_bn, NULL), 1, "GENERATE RSAK");
asrt(BN_bn2bin(rsak->p, p), 64, "GET P");
asrt(BN_bn2bin(rsak->q, q), 64, "GET Q");
asrt(BN_bn2bin(rsak->dmp1, dp), 64, "GET DP");
asrt(BN_bn2bin(rsak->dmq1, dp), 64, "GET DQ");
asrt(BN_bn2bin(rsak->iqmp, qinv), 64, "GET QINV");
RSA_get0_factors(rsak, &bp, &bq);
RSA_get0_crt_params(rsak, &bdmp1, &bdmq1, &biqmp);
asrt(BN_bn2bin(bp, p), 64, "GET P");
asrt(BN_bn2bin(bq, q), 64, "GET Q");
asrt(BN_bn2bin(bdmp1, dp), 64, "GET DP");
asrt(BN_bn2bin(bdmq1, dp), 64, "GET DQ");
asrt(BN_bn2bin(biqmp, qinv), 64, "GET QINV");
@@ -549,11 +582,16 @@ static void test_import_and_sign_all_10_RSA() {
X509_set_notBefore(cert, tm);
X509_set_notAfter(cert, tm);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* putting bogus data to signature to make some checks happy */
cert->sig_alg->algorithm = OBJ_nid2obj(8);
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
ASN1_BIT_STRING_set(cert->signature, "\x00", 1);
#else
bogus_sign_cert(cert);
#endif
px = value_c;
if ((cert_len = (CK_ULONG) i2d_X509(cert, &px)) == 0 || cert_len > sizeof(value_c))
@@ -576,7 +614,7 @@ static void test_import_and_sign_all_10_RSA() {
for (i = 0; i < 24; i++) {
for (j = 0; j < 10; j++) {
if(RAND_pseudo_bytes(some_data, sizeof(some_data)) == -1)
if(RAND_bytes(some_data, sizeof(some_data)) == -1)
exit(EXIT_FAILURE);
asrt(funcs->C_Login(session, CKU_USER, "123456", 6), CKR_OK, "Login USER");