diff --git a/ykcs11/mechanisms.c b/ykcs11/mechanisms.c index f4a0d78..fd85abd 100644 --- a/ykcs11/mechanisms.c +++ b/ykcs11/mechanisms.c @@ -19,7 +19,8 @@ static const CK_MECHANISM_TYPE sign_mechanisms[] = { CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS, CKM_ECDSA, - CKM_ECDSA_SHA1 + CKM_ECDSA_SHA1, + CKM_ECDSA_SHA256 }; // Supported mechanisms for key pair generation @@ -126,6 +127,7 @@ CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m) { case CKM_SHA384_RSA_PKCS_PSS: case CKM_SHA512_RSA_PKCS_PSS: case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: case CKM_SHA_1: case CKM_SHA256: case CKM_SHA384: @@ -160,6 +162,7 @@ CK_RV apply_sign_mechanism_init(op_info_t *op_info) { case CKM_SHA256_RSA_PKCS: case CKM_SHA256_RSA_PKCS_PSS: + case CKM_ECDSA_SHA256: return do_md_init(YKCS11_SHA256, &op_info->op.sign.md_ctx); case CKM_SHA384_RSA_PKCS: @@ -201,6 +204,7 @@ CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG i case CKM_SHA384_RSA_PKCS_PSS: case CKM_SHA512_RSA_PKCS_PSS: case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: rv = do_md_update(op_info->op.sign.md_ctx, in, in_len); if (rv != CKR_OK) return CKR_FUNCTION_FAILED; @@ -278,6 +282,7 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) { return do_pkcs_1_t1(op_info->buf, len, op_info->buf, &op_info->buf_len, op_info->op.sign.key_len); case CKM_ECDSA_SHA1: + case CKM_ECDSA_SHA256: // Finalize the hash rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid); if (rv != CKR_OK) @@ -358,7 +363,7 @@ CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG if (op_info->op.gen.rsa == CK_FALSE) return CKR_ATTRIBUTE_VALUE_INVALID; - if (*((CK_ULONG_PTR)templ[i].pValue) != 1024 && + if (*((CK_ULONG_PTR) templ[i].pValue) != 1024 && *((CK_ULONG_PTR) templ[i].pValue) != 2048) { // TODO: make define? DBG(("Unsupported MODULUS_BITS (key length)")); return CKR_ATTRIBUTE_VALUE_INVALID; @@ -386,6 +391,7 @@ CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG case CKA_ENCRYPT: case CKA_VERIFY: case CKA_WRAP: + case CKA_DERIVE: // Ignore these attributes for now break; @@ -451,6 +457,7 @@ CK_RV check_pvtkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG case CKA_SIGN: case CKA_PRIVATE: case CKA_TOKEN: + case CKA_DERIVE: // Ignore these attributes for now break; diff --git a/ykcs11/pkcs11t.h b/ykcs11/pkcs11t.h index 9543f5c..f793cfe 100644 --- a/ykcs11/pkcs11t.h +++ b/ykcs11/pkcs11t.h @@ -647,6 +647,12 @@ typedef CK_ULONG CK_MECHANISM_TYPE; //#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040 // Deprecated in 2.11 #define CKM_ECDSA 0x00001041UL #define CKM_ECDSA_SHA1 0x00001042UL +/* NOT STANDARD */ +#define CKM_ECDSA_SHA224 0x00001043UL +#define CKM_ECDSA_SHA256 0x00001044UL +#define CKM_ECDSA_SHA384 0x00001045UL +#define CKM_ECDSA_SHA512 0x00001046UL +/* NOT STANDARD */ /* Added for 2.4 */ #define CKM_ECDH1_DERIVE 0x00001050UL diff --git a/ykcs11/yubico_token.c b/ykcs11/yubico_token.c index 5915780..b005d3a 100644 --- a/ykcs11/yubico_token.c +++ b/ykcs11/yubico_token.c @@ -32,6 +32,7 @@ static const CK_MECHANISM_TYPE token_mechanisms[] = { // KEEP ALIGNED WITH token //CKM_ECDSA_KEY_PAIR_GEN, Same as CKM_EC_KEY_PAIR_GEN, deprecated in 2.11 CKM_ECDSA, CKM_ECDSA_SHA1, + CKM_ECDSA_SHA256, CKM_SHA_1, CKM_SHA256, CKM_SHA384, @@ -57,6 +58,7 @@ static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH //{, , }, // CKM_ECDSA_KEY_PAIR_GEN Same as CKM_EC_KEY_PAIR_GEN deprecated in 2.11 {MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA {MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA1 + {MIN_ECC_KEY_SIZE, MAX_ECC_KEY_SIZE, CKF_HW | CKF_SIGN}, // CKM_ECDSA_SHA256 {0, 0, CKF_DIGEST}, // CKM_SHA_1 {0, 0, CKF_DIGEST}, // CKM_SHA256 {0, 0, CKF_DIGEST}, // CKM_SHA384