Added sign_data2 to libykpiv to disable padding.
This commit is contained in:
+17
-3
@@ -520,7 +520,7 @@ ykpiv_rc ykpiv_hex_decode(const char *hex_in, size_t in_len,
|
|||||||
static ykpiv_rc _general_authenticate(ykpiv_state *state,
|
static ykpiv_rc _general_authenticate(ykpiv_state *state,
|
||||||
const unsigned char *raw_in, size_t in_len,
|
const unsigned char *raw_in, size_t in_len,
|
||||||
unsigned char *out, size_t *out_len,
|
unsigned char *out, size_t *out_len,
|
||||||
unsigned char algorithm, unsigned char key, bool decipher) {
|
unsigned char algorithm, unsigned char key, bool decipher, bool padding) {
|
||||||
unsigned char indata[1024];
|
unsigned char indata[1024];
|
||||||
unsigned char *dataptr = indata;
|
unsigned char *dataptr = indata;
|
||||||
unsigned char data[1024];
|
unsigned char data[1024];
|
||||||
@@ -544,8 +544,12 @@ static ykpiv_rc _general_authenticate(ykpiv_state *state,
|
|||||||
if(in_len + RSA_PKCS1_PADDING_SIZE > pad_len) {
|
if(in_len + RSA_PKCS1_PADDING_SIZE > pad_len) {
|
||||||
return YKPIV_SIZE_ERROR;
|
return YKPIV_SIZE_ERROR;
|
||||||
}
|
}
|
||||||
|
if (padding) {
|
||||||
RSA_padding_add_PKCS1_type_1(sign_in, pad_len, raw_in, in_len);
|
RSA_padding_add_PKCS1_type_1(sign_in, pad_len, raw_in, in_len);
|
||||||
in_len = pad_len;
|
in_len = pad_len;
|
||||||
|
}
|
||||||
|
else if (in_len != pad_len)
|
||||||
|
return YKPIV_SIZE_ERROR;
|
||||||
} else {
|
} else {
|
||||||
if(in_len != pad_len) {
|
if(in_len != pad_len) {
|
||||||
return YKPIV_SIZE_ERROR;
|
return YKPIV_SIZE_ERROR;
|
||||||
@@ -629,7 +633,17 @@ ykpiv_rc ykpiv_sign_data(ykpiv_state *state,
|
|||||||
unsigned char algorithm, unsigned char key) {
|
unsigned char algorithm, unsigned char key) {
|
||||||
|
|
||||||
return _general_authenticate(state, raw_in, in_len, sign_out, out_len,
|
return _general_authenticate(state, raw_in, in_len, sign_out, out_len,
|
||||||
algorithm, key, false);
|
algorithm, key, false, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
ykpiv_rc ykpiv_sign_data2(ykpiv_state *state,
|
||||||
|
const unsigned char *raw_in, size_t in_len,
|
||||||
|
unsigned char *sign_out, size_t *out_len,
|
||||||
|
unsigned char algorithm, unsigned char key,
|
||||||
|
int padding) {
|
||||||
|
|
||||||
|
return _general_authenticate(state, raw_in, in_len, sign_out, out_len,
|
||||||
|
algorithm, key, false, padding);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -637,7 +651,7 @@ ykpiv_rc ykpiv_decipher_data(ykpiv_state *state, const unsigned char *in,
|
|||||||
size_t in_len, unsigned char *out, size_t *out_len,
|
size_t in_len, unsigned char *out, size_t *out_len,
|
||||||
unsigned char algorithm, unsigned char key) {
|
unsigned char algorithm, unsigned char key) {
|
||||||
return _general_authenticate(state, in, in_len, out, out_len,
|
return _general_authenticate(state, in, in_len, out, out_len,
|
||||||
algorithm, key, true);
|
algorithm, key, true, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
ykpiv_rc ykpiv_get_version(ykpiv_state *state, char *version, size_t len) {
|
ykpiv_rc ykpiv_get_version(ykpiv_state *state, char *version, size_t len) {
|
||||||
|
|||||||
+5
-1
@@ -64,7 +64,8 @@ extern "C"
|
|||||||
ykpiv_rc ykpiv_init(ykpiv_state **state, int verbose);
|
ykpiv_rc ykpiv_init(ykpiv_state **state, int verbose);
|
||||||
ykpiv_rc ykpiv_done(ykpiv_state *state);
|
ykpiv_rc ykpiv_done(ykpiv_state *state);
|
||||||
ykpiv_rc ykpiv_connect(ykpiv_state *state, const char *wanted);
|
ykpiv_rc ykpiv_connect(ykpiv_state *state, const char *wanted);
|
||||||
ykpiv_rc ykpiv_connect2(ykpiv_state *state, const char *wanted, unsigned char **readers, unsigned long *len);
|
ykpiv_rc ykpiv_connect2(ykpiv_state *state, const char *wanted,
|
||||||
|
unsigned char **readers, unsigned long *len); // Allow to return a reader string
|
||||||
ykpiv_rc ykpiv_disconnect(ykpiv_state *state);
|
ykpiv_rc ykpiv_disconnect(ykpiv_state *state);
|
||||||
ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ,
|
ykpiv_rc ykpiv_transfer_data(ykpiv_state *state, const unsigned char *templ,
|
||||||
const unsigned char *in_data, long in_len,
|
const unsigned char *in_data, long in_len,
|
||||||
@@ -76,6 +77,9 @@ extern "C"
|
|||||||
ykpiv_rc ykpiv_sign_data(ykpiv_state *state, const unsigned char *sign_in,
|
ykpiv_rc ykpiv_sign_data(ykpiv_state *state, const unsigned char *sign_in,
|
||||||
size_t in_len, unsigned char *sign_out, size_t *out_len,
|
size_t in_len, unsigned char *sign_out, size_t *out_len,
|
||||||
unsigned char algorithm, unsigned char key);
|
unsigned char algorithm, unsigned char key);
|
||||||
|
ykpiv_rc ykpiv_sign_data2(ykpiv_state *state, const unsigned char *sign_in,
|
||||||
|
size_t in_len, unsigned char *sign_out, size_t *out_len,
|
||||||
|
unsigned char algorithm, unsigned char key, int padding); // Allow not to add padding
|
||||||
ykpiv_rc ykpiv_decipher_data(ykpiv_state *state, const unsigned char *enc_in,
|
ykpiv_rc ykpiv_decipher_data(ykpiv_state *state, const unsigned char *enc_in,
|
||||||
size_t in_len, unsigned char *enc_out, size_t *out_len,
|
size_t in_len, unsigned char *enc_out, size_t *out_len,
|
||||||
unsigned char algorithm, unsigned char key);
|
unsigned char algorithm, unsigned char key);
|
||||||
|
|||||||
@@ -53,4 +53,5 @@ YKPIV_0.2.0
|
|||||||
global:
|
global:
|
||||||
ykpiv_decipher_data;
|
ykpiv_decipher_data;
|
||||||
ykpiv_connect2;
|
ykpiv_connect2;
|
||||||
|
ykpiv_sign_data2;
|
||||||
} YKPIV_0.1.0;
|
} YKPIV_0.1.0;
|
||||||
|
|||||||
+5
-1
@@ -85,14 +85,18 @@ CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m) {
|
|||||||
return CK_FALSE;
|
return CK_FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
CK_RV do_sign_padding(CK_MECHANISM_PTR m, CK_BYTE_PTR in, CK_ULONG in_len,
|
CK_RV apply_sign_mechanism(CK_MECHANISM_PTR m, CK_BYTE_PTR in, CK_ULONG in_len,
|
||||||
CK_BYTE_PTR out, CK_ULONG out_len, CK_ULONG key_len) {
|
CK_BYTE_PTR out, CK_ULONG out_len, CK_ULONG key_len) {
|
||||||
switch (m->mechanism) {
|
switch (m->mechanism) {
|
||||||
case CKM_RSA_PKCS:
|
case CKM_RSA_PKCS:
|
||||||
return do_pkcs_t1(in, in_len, out, out_len, key_len);
|
return do_pkcs_t1(in, in_len, out, out_len, key_len);
|
||||||
|
|
||||||
case CKM_RSA_PKCS_PSS:
|
case CKM_RSA_PKCS_PSS:
|
||||||
|
return CKR_FUNCTION_FAILED;
|
||||||
|
|
||||||
case CKM_RSA_X_509:
|
case CKM_RSA_X_509:
|
||||||
|
return CKR_OK;
|
||||||
|
|
||||||
case CKM_SHA1_RSA_PKCS:
|
case CKM_SHA1_RSA_PKCS:
|
||||||
case CKM_SHA256_RSA_PKCS:
|
case CKM_SHA256_RSA_PKCS:
|
||||||
case CKM_SHA384_RSA_PKCS:
|
case CKM_SHA384_RSA_PKCS:
|
||||||
|
|||||||
+1
-1
@@ -7,7 +7,7 @@
|
|||||||
CK_RV check_sign_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
|
CK_RV check_sign_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
|
||||||
CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m);
|
CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m);
|
||||||
|
|
||||||
CK_RV do_sign_padding(CK_MECHANISM_PTR m, CK_BYTE_PTR in, CK_ULONG in_len,
|
CK_RV apply_sign_mechanism(CK_MECHANISM_PTR m, CK_BYTE_PTR in, CK_ULONG in_len,
|
||||||
CK_BYTE_PTR out, CK_ULONG out_len, CK_ULONG key_len);
|
CK_BYTE_PTR out, CK_ULONG out_len, CK_ULONG key_len);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@@ -130,7 +130,7 @@ CK_RV free_key(EVP_PKEY *key) {
|
|||||||
CK_RV do_pkcs_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG out_len, CK_ULONG key_len) {
|
CK_RV do_pkcs_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG out_len, CK_ULONG key_len) {
|
||||||
fprintf(stderr, "Apply padding to %lu bytes and get %lu\n", in_len, key_len);
|
fprintf(stderr, "Apply padding to %lu bytes and get %lu\n", in_len, key_len);
|
||||||
|
|
||||||
// TODO: rand must be seeded first
|
// TODO: rand must be seeded first (should be automatic)
|
||||||
if (out_len < key_len)
|
if (out_len < key_len)
|
||||||
CKR_BUFFER_TOO_SMALL;
|
CKR_BUFFER_TOO_SMALL;
|
||||||
|
|
||||||
|
|||||||
+13
-17
@@ -814,7 +814,8 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)(
|
|||||||
)
|
)
|
||||||
{
|
{
|
||||||
DIN;
|
DIN;
|
||||||
CK_RV rv;
|
CK_ULONG i;
|
||||||
|
CK_RV rv, rv_final;
|
||||||
|
|
||||||
if (piv_state == NULL) {
|
if (piv_state == NULL) {
|
||||||
DBG(("libykpiv is not initialized or already finalized"));
|
DBG(("libykpiv is not initialized or already finalized"));
|
||||||
@@ -835,24 +836,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)(
|
|||||||
if (find_obj.active != CK_TRUE)
|
if (find_obj.active != CK_TRUE)
|
||||||
return CKR_OPERATION_NOT_INITIALIZED;
|
return CKR_OPERATION_NOT_INITIALIZED;
|
||||||
|
|
||||||
if (pTemplate[0].pValue == NULL_PTR) {
|
rv_final = CKR_OK;
|
||||||
DBG(("Just get size"));
|
for (i = 0; i < ulCount; i++) {
|
||||||
rv = get_attribute(&session, hObject, pTemplate);
|
|
||||||
|
|
||||||
|
rv = get_attribute(&session, hObject, pTemplate + i);
|
||||||
|
|
||||||
|
// TODO: this function has some complex cases for return vlaue. Make sure to check them.
|
||||||
if (rv != CKR_OK) {
|
if (rv != CKR_OK) {
|
||||||
DBG(("Unable to get size for attribute %lu of object %lu", pTemplate->type, hObject));
|
DBG(("Unable to get attribute %lu of object %lu", (pTemplate + i)->type, hObject));
|
||||||
|
rv_final = rv;
|
||||||
}
|
}
|
||||||
DOUT;
|
|
||||||
return CKR_OK;
|
|
||||||
}
|
}
|
||||||
DBG(("Trying to get %lu attribute(s) for object %lu", ulCount, hObject));
|
|
||||||
DBG(("Type: 0x%lx Value: %lu Len: %lu", pTemplate[0].type, *((CK_ULONG_PTR)pTemplate[0].pValue), pTemplate[0].ulValueLen));
|
|
||||||
// TODO: here for i in ulCount (get all the attributes)
|
|
||||||
|
|
||||||
return get_attribute(&session, hObject, pTemplate);
|
|
||||||
|
|
||||||
DOUT;
|
DOUT;
|
||||||
return CKR_OK;
|
return rv_final;
|
||||||
}
|
}
|
||||||
|
|
||||||
CK_DEFINE_FUNCTION(CK_RV, C_SetAttributeValue)(
|
CK_DEFINE_FUNCTION(CK_RV, C_SetAttributeValue)(
|
||||||
@@ -1339,10 +1336,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
|
|||||||
DBG(("Sending %lu bytes to sign", ulDataLen));
|
DBG(("Sending %lu bytes to sign", ulDataLen));
|
||||||
dump_hex(pData, ulDataLen, stderr, CK_TRUE);
|
dump_hex(pData, ulDataLen, stderr, CK_TRUE);
|
||||||
|
|
||||||
/* if (do_sign_padding(&sign_info.mechanism, pData, ulDataLen, buf, buf_len, 2048 / 8) != CKR_OK) {
|
if (apply_sign_mechanism(&sign_info.mechanism, pData, ulDataLen, buf, buf_len, 2048 / 8) != CKR_OK) {
|
||||||
DBG(("Unable to apply padding scheme"));
|
DBG(("Unable to apply padding scheme"));
|
||||||
return CKR_FUNCTION_FAILED;
|
return CKR_FUNCTION_FAILED;
|
||||||
}*/
|
}
|
||||||
memcpy(buf, pData, ulDataLen); // ykpiv does padding already
|
memcpy(buf, pData, ulDataLen); // ykpiv does padding already
|
||||||
//dump_hex(buf, 256, stderr, CK_TRUE);
|
//dump_hex(buf, 256, stderr, CK_TRUE);
|
||||||
//*pulSignatureLen = 256;
|
//*pulSignatureLen = 256;
|
||||||
@@ -1353,8 +1350,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
|
|||||||
}
|
}
|
||||||
DBG(("Got %lu bytes back", *pulSignatureLen));
|
DBG(("Got %lu bytes back", *pulSignatureLen));
|
||||||
dump_hex(pSignature, *pulSignatureLen, stderr, CK_TRUE);
|
dump_hex(pSignature, *pulSignatureLen, stderr, CK_TRUE);
|
||||||
/* memcpy(pSignature, sig_buf, sig_len_out);
|
|
||||||
*pulSignatureLen = sig_len_out;*/
|
|
||||||
DOUT;
|
DOUT;
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user