Added support for CKU_CONTEXT_SPECIFIC.

This commit is contained in:
Alessio Di Mauro
2015-09-08 18:00:48 +02:00
parent 984a124508
commit 99ebfdf37c
6 changed files with 70 additions and 13 deletions
+13
View File
@@ -244,6 +244,7 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
case CKM_SHA512_RSA_PKCS_PSS:
// Finalize the hash
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
op_info->op.sign.md_ctx = NULL;
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
@@ -275,6 +276,7 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
case CKM_SHA512_RSA_PKCS:
// Finalize the hash add digest info
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
op_info->op.sign.md_ctx = NULL;
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
@@ -295,6 +297,7 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
case CKM_ECDSA_SHA256:
// Finalize the hash
rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid);
op_info->op.sign.md_ctx = NULL;
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
@@ -306,6 +309,16 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
}
}
CK_RV sign_mechanism_cleanup(op_info_t *op_info) {
if (op_info->op.sign.md_ctx != NULL) {
do_md_cleanup(op_info->op.sign.md_ctx);
op_info->op.sign.md_ctx = NULL;
}
return CKR_OK;
}
CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m) {
CK_ULONG i;
+1
View File
@@ -11,6 +11,7 @@ CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m);
CK_RV apply_sign_mechanism_init(op_info_t *op_info);
CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len);
CK_RV apply_sign_mechanism_finalize(op_info_t *op_info);
CK_RV sign_mechanism_cleanup(op_info_t *op_info);
CK_RV check_generation_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m);
CK_RV check_pubkey_template(op_info_t *op_info, CK_ATTRIBUTE_PTR templ, CK_ULONG n); // TODO: Move to objects.c
+7
View File
@@ -557,3 +557,10 @@ CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len
return CKR_OK;
}
CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx) {
EVP_MD_CTX_destroy((EVP_MD_CTX *) ctx);
return CKR_OK;
}
+1
View File
@@ -32,5 +32,6 @@ CK_RV do_pkcs_pss(RSA *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid,
CK_RV do_md_init(hash_t hash, ykcs11_md_ctx_t **ctx);
CK_RV do_md_update(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR in, CK_ULONG in_len);
CK_RV do_md_finalize(ykcs11_md_ctx_t *ctx, CK_BYTE_PTR out, CK_ULONG_PTR out_len, int *nid);
CK_RV do_md_cleanup(ykcs11_md_ctx_t *ctx);
#endif
+44 -12
View File
@@ -147,7 +147,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetSlotList)(
)
{
DIN;
int i;
CK_ULONG i;
int j;
if (piv_state == NULL) {
@@ -765,6 +765,16 @@ CK_DEFINE_FUNCTION(CK_RV, C_Login)(
break;
case CKU_CONTEXT_SPECIFIC:
if (op_info.type == YKCS11_NOOP) {
DBG(("No operation in progress. Context specific user is forbidden."));
return CKR_USER_TYPE_INVALID;
}
if (op_info.type == YKCS11_SIGN) {
return C_Login(hSession, CKU_USER, pPin, ulPinLen);
}
else
return C_Login(hSession, CKU_SO, pPin, ulPinLen);
default:
return CKR_USER_TYPE_INVALID;
}
@@ -1627,13 +1637,16 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
{
DIN;
ykpiv_rc piv_rv;
CK_RV rv;
if (op_info.type != YKCS11_SIGN) {
DBG(("Signature operation not initialized"));
return CKR_OPERATION_NOT_INITIALIZED;
rv = CKR_OPERATION_NOT_INITIALIZED;
goto sign_out;
}
// TODO: check other conditions
ykpiv_rc r; // TODO: delete this ?
if (pSignature == NULL_PTR) {
// Just return the size of the signature
@@ -1650,7 +1663,8 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
if (is_hashed_mechanism(op_info.mechanism.mechanism) == CK_TRUE) {
if (apply_sign_mechanism_update(&op_info, pData, ulDataLen) != CKR_OK) {
DBG(("Unable to perform signing operation step"));
return CKR_FUNCTION_FAILED; // TODO: every error in here must stop and clear the signing operation
rv = CKR_FUNCTION_FAILED; // TODO: every error in here must stop and clear the signing operation
goto sign_out;
}
}
else {
@@ -1658,7 +1672,8 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
// RSA_X_509
if (ulDataLen > (op_info.op.sign.key_len / 8)) {
DBG(("Data must be shorter than key length (%lu bits)", op_info.op.sign.key_len));
return CKR_FUNCTION_FAILED;
rv = CKR_FUNCTION_FAILED;
goto sign_out;
}
}
else {
@@ -1666,7 +1681,8 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
if (ulDataLen > 128) {
// Specs say ECDSA only supports 1024 bit
DBG(("Meximum data length for ECDSA is 128 bytes"));
return CKR_FUNCTION_FAILED;
rv = CKR_FUNCTION_FAILED;
goto sign_out;
}
}
@@ -1674,10 +1690,10 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
memcpy(op_info.buf, pData, ulDataLen);
}
if (apply_sign_mechanism_finalize(&op_info) != CKR_OK) {
DBG(("Unable to finalize signing operation"));
return CKR_FUNCTION_FAILED;
rv = CKR_FUNCTION_FAILED;
goto sign_out;
}
DBG(("Using key %lx", op_info.op.sign.key_id));
@@ -1685,10 +1701,20 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
dump_hex(op_info.buf, op_info.buf_len, stderr, CK_TRUE);
*pulSignatureLen = sizeof(op_info.buf);
if ((r = ykpiv_sign_data2(piv_state, op_info.buf, op_info.buf_len, pSignature, pulSignatureLen, op_info.op.sign.algo, op_info.op.sign.key_id, 0)) != YKPIV_OK) {
DBG(("Sign error, %s", ykpiv_strerror(r)));
return CKR_FUNCTION_FAILED;
piv_rv = ykpiv_sign_data2(piv_state, op_info.buf, op_info.buf_len, pSignature, pulSignatureLen, op_info.op.sign.algo, op_info.op.sign.key_id, 0);
if (piv_rv != YKPIV_OK) {
if (piv_rv == YKPIV_AUTHENTICATION_ERROR) {
DBG(("Operation requires authentication or touch"));
rv = CKR_USER_NOT_LOGGED_IN;
goto sign_out;
}
else {
DBG(("Sign error, %s", ykpiv_strerror(piv_rv)));
rv = CKR_FUNCTION_FAILED;
goto sign_out;
}
}
DBG(("Got %lu bytes back", *pulSignatureLen));
dump_hex(pSignature, *pulSignatureLen, stderr, CK_TRUE);
@@ -1703,8 +1729,14 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
op_info.type = YKCS11_NOOP; // TODO: anything to clear here?
rv = CKR_OK;
sign_out:
op_info.type = YKCS11_NOOP;
sign_mechanism_cleanup(&op_info);
DOUT;
return CKR_OK;
return rv;
}
CK_DEFINE_FUNCTION(CK_RV, C_SignUpdate)(