Merge PR/113, fixup for PSS

This commit is contained in:
Alessio Di Mauro
2017-03-30 09:40:00 +02:00
6 changed files with 46 additions and 34 deletions
+2 -9
View File
@@ -262,7 +262,6 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
CK_RV rv; CK_RV rv;
int nid = NID_undef; int nid = NID_undef;
RSA *rsa;
CK_ULONG len; CK_ULONG len;
if (op_info->type != YKCS11_SIGN) if (op_info->type != YKCS11_SIGN)
@@ -282,14 +281,8 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) {
case CKM_RSA_PKCS_PSS: case CKM_RSA_PKCS_PSS:
// Compute padding for all PSS variants // Compute padding for all PSS variants
// TODO: digestinfo/paraminfo ? // TODO: digestinfo/paraminfo ?
rv = do_pkcs_pss(op_info->op.sign.key, op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len);
rv = do_encode_rsa_public_key(op_info->op.sign.key, op_info->op.sign.key_len, &rsa); do_free_rsa_public_key(op_info->op.sign.key);
if (rv != CKR_OK)
return CKR_FUNCTION_FAILED;
rv = do_pkcs_pss(rsa, op_info->buf, op_info->buf_len, nid, op_info->buf, &op_info->buf_len);
// TODO: does rsa have to be free'd ?
return rv; return rv;
+2
View File
@@ -50,4 +50,6 @@ typedef enum {
typedef EVP_MD_CTX ykcs11_md_ctx_t; typedef EVP_MD_CTX ykcs11_md_ctx_t;
//typedef EVP_PKEY ykcs11_evp_pkey_t; //typedef EVP_PKEY ykcs11_evp_pkey_t;
typedef RSA ykcs11_rsa_key_t;
#endif #endif
+24 -16
View File
@@ -467,18 +467,28 @@ CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
} }
CK_RV do_encode_rsa_public_key(CK_BYTE_PTR data, CK_ULONG len, RSA **key) { CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus,
CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen) {
const unsigned char *p = data; ykcs11_rsa_key_t *k;
if (modulus == NULL || exponent == NULL)
if (data == NULL)
return CKR_ARGUMENTS_BAD; return CKR_ARGUMENTS_BAD;
if ((*key = d2i_RSAPublicKey(NULL, &p, (long) len)) == NULL) if ((k = RSA_new()) == NULL)
return CKR_HOST_MEMORY;
if ((k->n = BN_bin2bn(modulus, mlen, NULL)) == NULL)
return CKR_FUNCTION_FAILED; return CKR_FUNCTION_FAILED;
return CKR_OK; if ((k->e = BN_bin2bn(exponent, elen, NULL)) == NULL)
return CKR_FUNCTION_FAILED;
*key = k;
return CKR_OK;
}
CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key) {
RSA_free(key);
return CKR_OK;
} }
CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
@@ -555,18 +565,15 @@ CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PT
} }
CK_RV do_pkcs_pss(RSA *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
CK_BYTE_PTR out, CK_ULONG_PTR out_len) { int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
unsigned char em[512]; // Max for this is ceil((|key_len_bits| - 1) / 8) unsigned char em[RSA_size(key)];
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key));
// TODO: rand must be seeded first (should be automatic) // TODO: rand must be seeded first (should be automatic)
if (*out_len < (CK_ULONG)RSA_size(key))
return CKR_BUFFER_TOO_SMALL;
DBG("Apply PSS padding to %lu bytes and get %d\n", in_len, RSA_size(key));
if (out != in) if (out != in)
memcpy(out, in, in_len); memcpy(out, in, in_len);
@@ -576,7 +583,8 @@ CK_RV do_pkcs_pss(RSA *key, CK_BYTE_PTR in, CK_ULONG in_len, int nid,
return CKR_FUNCTION_FAILED; return CKR_FUNCTION_FAILED;
} }
*out_len = (CK_ULONG) RSA_size(key); memcpy(out, em, sizeof(em));
*out_len = (CK_ULONG) sizeof(em);
EVP_cleanup(); EVP_cleanup();
+3 -1
View File
@@ -53,11 +53,13 @@ CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key);
CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_encode_rsa_public_key(CK_BYTE_PTR data, CK_ULONG len, RSA **key);
CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len); CK_RV do_get_curve_parameters(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len);
CK_RV do_delete_pubk(EVP_PKEY **key); CK_RV do_delete_pubk(EVP_PKEY **key);
//CK_RV free_key(EVP_PKEY *key); //CK_RV free_key(EVP_PKEY *key);
CK_RV do_encode_rsa_public_key(ykcs11_rsa_key_t **key, CK_BYTE_PTR modulus, CK_ULONG mlen, CK_BYTE_PTR exponent, CK_ULONG elen);
CK_RV do_free_rsa_public_key(ykcs11_rsa_key_t *key);
CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len); CK_RV do_pkcs_1_t1(CK_BYTE_PTR in, CK_ULONG in_len, CK_BYTE_PTR out, CK_ULONG_PTR out_len, CK_ULONG key_len);
CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len); CK_RV do_pkcs_1_digest_info(CK_BYTE_PTR in, CK_ULONG in_len, int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
+14 -7
View File
@@ -38,6 +38,7 @@
#include "utils.h" #include "utils.h"
#include "mechanisms.h" #include "mechanisms.h"
#include "openssl_types.h" #include "openssl_types.h"
#include "openssl_utils.h"
#include "debug.h" #include "debug.h"
#include <stdbool.h> #include <stdbool.h>
@@ -1687,11 +1688,13 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(
{ {
CK_KEY_TYPE type = 0; CK_KEY_TYPE type = 0;
CK_ULONG key_len = 0; CK_ULONG key_len = 0;
CK_BYTE exp[3];
CK_BYTE buf[1024]; CK_BYTE buf[1024];
CK_ATTRIBUTE template[] = { CK_ATTRIBUTE template[] = {
{CKA_KEY_TYPE, &type, sizeof(type)}, {CKA_KEY_TYPE, &type, sizeof(type)},
{CKA_MODULUS_BITS, &key_len, sizeof(key_len)}, {CKA_MODULUS_BITS, &key_len, sizeof(key_len)},
{CKA_MODULUS, NULL, 0}, {CKA_MODULUS, NULL, 0},
{CKA_PUBLIC_EXPONENT, exp, sizeof(exp)},
{CKA_EC_POINT, buf, sizeof(buf)}, {CKA_EC_POINT, buf, sizeof(buf)},
}; };
@@ -1754,18 +1757,22 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(
// Also store the raw public key if the mechanism is PSS // Also store the raw public key if the mechanism is PSS
if (is_PSS_mechanism(pMechanism->mechanism)) { if (is_PSS_mechanism(pMechanism->mechanism)) {
op_info.op.sign.key = malloc(key_len); template[2].pValue = buf;
if (op_info.op.sign.key == NULL) template[2].ulValueLen = (key_len + 7) / 8 ;
return CKR_HOST_MEMORY;
template[2].pValue = op_info.op.sign.key;
template[2].ulValueLen = key_len;
if (get_attribute(&session, hKey, template + 2) != CKR_OK) { if (get_attribute(&session, hKey, template + 2) != CKR_OK) {
DBG("Unable to get public key"); DBG("Unable to get public key");
return CKR_KEY_HANDLE_INVALID; return CKR_KEY_HANDLE_INVALID;
} }
if (get_attribute(&session, hKey, template + 3) != CKR_OK) {
DBG("Unable to get public exponent");
return CKR_KEY_HANDLE_INVALID;
}
if (do_encode_rsa_public_key(&op_info.op.sign.key, buf, (key_len + 7) / 8, exp, sizeof(exp)) != CKR_OK) {
return CKR_FUNCTION_FAILED;
}
} }
else { else {
op_info.op.sign.key = NULL; op_info.op.sign.key = NULL;
@@ -1774,7 +1781,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(
} }
else { else {
// ECDSA key // ECDSA key
if (get_attribute(&session, hKey, template + 3) != CKR_OK) { if (get_attribute(&session, hKey, template + 4) != CKR_OK) {
DBG("Unable to get key length"); DBG("Unable to get key length");
return CKR_KEY_HANDLE_INVALID; return CKR_KEY_HANDLE_INVALID;
} }
+1 -1
View File
@@ -75,7 +75,7 @@ typedef struct {
typedef struct { typedef struct {
ykcs11_md_ctx_t *md_ctx; // Digest context ykcs11_md_ctx_t *md_ctx; // Digest context
CK_BYTE_PTR key; // Raw public key (needed for PSS) ykcs11_rsa_key_t *key; // Raw public key (needed for PSS)
CK_BYTE algo; // Algo for ykpiv // TODO: infer this from the key length? CK_BYTE algo; // Algo for ykpiv // TODO: infer this from the key length?
CK_ULONG key_id; // Key id for ykpiv // TODO: make this a BYTE and store the id {0, 1, 2, 3} CK_ULONG key_id; // Key id for ykpiv // TODO: make this a BYTE and store the id {0, 1, 2, 3}
CK_ULONG key_len; // Length in bits CK_ULONG key_len; // Length in bits