diff --git a/ykcs11/mechanisms.c b/ykcs11/mechanisms.c index 5b84b09..785431a 100644 --- a/ykcs11/mechanisms.c +++ b/ykcs11/mechanisms.c @@ -199,7 +199,7 @@ CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG i // Mechanism not suitable for multipart signatures return CKR_FUNCTION_FAILED; - case CKM_RSA_X_509: + case CKM_RSA_X_509: // TODO: shouldn't this be in the group above? return CKR_OK; case CKM_SHA1_RSA_PKCS: diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c index a035474..a0e36f0 100644 --- a/ykcs11/ykcs11.c +++ b/ykcs11/ykcs11.c @@ -1319,8 +1319,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)( } // The buffer contains an uncompressed point of the form 04, len, 04, x, y + // Where len is the |x| + |y| + 1 bytes - op_info.op.sign.key_len = ((template[3].ulValueLen - 1) / 2) * 8; + op_info.op.sign.key_len = ((buf[1] - 1) / 2) * 8; if (op_info.op.sign.key_len == 256) op_info.op.sign.algo = YKPIV_ALGO_ECCP256; @@ -1385,7 +1386,6 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)( DOUT; return CKR_OK; } - DBG(("Sending %lu bytes to sign", ulDataLen)); dump_hex(pData, ulDataLen, stderr, CK_TRUE); @@ -1396,13 +1396,34 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)( return CKR_FUNCTION_FAILED; // TODO: every error in here must stop and clear the signing operation } } + else { + if (is_RSA_mechanism(op_info.mechanism.mechanism)) { + // RSA_X_509 + if (ulDataLen > (op_info.op.sign.key_len / 8)) { + DBG(("Data must be shorter than key length (%lu bits)", op_info.op.sign.key_len)); + return CKR_FUNCTION_FAILED; + } + } + else { + // ECDSA + if (ulDataLen > 128) { + // Specs say ECDSA only supports 1024 bit + DBG(("Meximum data length for ECDSA is 128 bytes")); + return CKR_FUNCTION_FAILED; + } + } + + op_info.buf_len = ulDataLen; + memcpy(op_info.buf, pData, ulDataLen); + } + if (apply_sign_mechanism_finalize(&op_info) != CKR_OK) { DBG(("Unable to finalize signing operation")); return CKR_FUNCTION_FAILED; } - DBG(("Using key %lx", op_info.op.sign.key_id)); // TODO: test what happens if there is no key on the card + DBG(("Using key %lx", op_info.op.sign.key_id)); DBG(("After padding and transformation there are %lu bytes", op_info.buf_len)); dump_hex(op_info.buf, op_info.buf_len, stderr, CK_TRUE);