YKCS11: more elaborate solution for stripping DER encoding from ECDSA signatures.

It is possible to receive different padding length for r and s, where their length
is [-1, 1] wrt the component lenght. Take this into account.
This commit is contained in:
Alessio Di Mauro
2015-11-12 03:07:35 +01:00
parent 89e02dc669
commit a853902bcb
2 changed files with 45 additions and 10 deletions
+43 -11
View File
@@ -179,21 +179,53 @@ CK_BBOOL is_valid_key_id(CK_BYTE id) {
void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len) { void strip_DER_encoding_from_ECSIG(CK_BYTE_PTR data, CK_ULONG_PTR len) {
CK_BYTE_PTR ptr; CK_BYTE_PTR data_ptr;
CK_ULONG n_len; CK_ULONG sig_halflen;
CK_BYTE buf[128];
CK_BYTE_PTR buf_ptr;
CK_BYTE elem_len;
// Maximum DER length for P256 is 2 + 2 + 33 + 2 + 33 = 72 // Maximum DER length for P256 is 2 + 2 + 33 + 2 + 33 = 72
if (*len <= 72) if (*len <= 72)
n_len = 32; sig_halflen = 32;
else else
n_len = 48; sig_halflen = 48;
ptr = data + 4; memset(buf, 0, sizeof(buf));
if (*ptr == 0) data_ptr = data + 3;
ptr++; buf_ptr = buf;
// copy r
elem_len = *data_ptr;
if (elem_len == (sig_halflen - 1))
buf_ptr++; // One shorter, prepend a zero
else if (elem_len == (sig_halflen + 1)) {
data_ptr++; // One longer, skip a zero
elem_len--;
}
data_ptr++;
memcpy(buf_ptr, data_ptr, elem_len);
data_ptr += elem_len;
buf_ptr += elem_len;
data_ptr++;
// copy s
elem_len = *data_ptr;
if (elem_len == (sig_halflen - 1))
buf_ptr++; // One shorter, prepend a zero
else if (elem_len == (sig_halflen + 1)) {
data_ptr++; // One longer, skip a zero
elem_len --;
}
data_ptr++;
memcpy(buf_ptr, data_ptr, elem_len);
data_ptr += elem_len;
buf_ptr += elem_len;
*len = sig_halflen * 2;
memcpy(data, buf, *len);
memmove(data, ptr, n_len);
memmove(data+n_len, data + *len - n_len, n_len);
*len = n_len * 2;
} }
+3
View File
@@ -1783,6 +1783,9 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
return CKR_OK; return CKR_OK;
} }
fprintf(stderr, "MI HAI DATO %lu!!!!!!!!!!!!!!!!!!!!!\n", *pulSignatureLen);
DBG("Sending %lu bytes to sign", ulDataLen); DBG("Sending %lu bytes to sign", ulDataLen);
#if YKCS11_DBG == 1 #if YKCS11_DBG == 1
dump_hex(pData, ulDataLen, stderr, CK_TRUE); dump_hex(pData, ulDataLen, stderr, CK_TRUE);