From e3acd1f027767678a373101cd606aa2f40a449fd Mon Sep 17 00:00:00 2001 From: Alessio Di Mauro Date: Thu, 6 Aug 2015 10:00:29 +0200 Subject: [PATCH] Fixed object attribute matching. Added ECDSA. --- ykcs11/mechanisms.c | 42 ++++++++++++++++++++++++++++++++++++------ ykcs11/mechanisms.h | 1 + ykcs11/ykcs11.c | 17 ++++++++--------- 3 files changed, 45 insertions(+), 15 deletions(-) diff --git a/ykcs11/mechanisms.c b/ykcs11/mechanisms.c index e41fa35..4fd105c 100644 --- a/ykcs11/mechanisms.c +++ b/ykcs11/mechanisms.c @@ -102,6 +102,32 @@ CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m) { return CK_FALSE; } +CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m) { + + switch (m) { + case CKM_SHA1_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: + case CKM_SHA1_RSA_PKCS_PSS: + case CKM_SHA256_RSA_PKCS_PSS: + case CKM_SHA384_RSA_PKCS_PSS: + case CKM_SHA512_RSA_PKCS_PSS: + case CKM_ECDSA_SHA1: + case CKM_SHA_1: + case CKM_SHA256: + case CKM_SHA384: + case CKM_SHA512: + return CK_TRUE; + + default: + return CK_FALSE; + } + + // Not reached + return CK_FALSE; +} + CK_RV apply_sign_mechanism_init(op_info_t *op_info) { if (op_info->type != YKCS11_SIGN) @@ -138,7 +164,8 @@ CK_RV apply_sign_mechanism_init(op_info_t *op_info) { return do_md_init(YKCS11_SHA512, &op_info->op.sign.md_ctx); case CKM_ECDSA: - return CKR_FUNCTION_FAILED; // TODO: but no hash needed + // No hash required for this mechanism + return CKR_OK; default: return CKR_FUNCTION_FAILED; @@ -157,6 +184,7 @@ CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG i switch (op_info->mechanism.mechanism) { case CKM_RSA_PKCS: case CKM_RSA_PKCS_PSS: + case CKM_ECDSA: // Mechanism not suitable for multipart signatures return CKR_FUNCTION_FAILED; @@ -178,9 +206,6 @@ CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG i return CKR_OK; - case CKM_ECDSA: - return CKR_FUNCTION_FAILED; - default: return CKR_FUNCTION_FAILED; } @@ -251,9 +276,14 @@ CK_RV apply_sign_mechanism_finalize(op_info_t *op_info) { op_info->buf_len = sizeof(op_info->buf); return do_pkcs_1_t1(op_info->buf, len, op_info->buf, &op_info->buf_len, op_info->op.sign.key_len); - case CKM_ECDSA_SHA1: // TODO: + case CKM_ECDSA_SHA1: + // Finalize the hash + rv = do_md_finalize(op_info->op.sign.md_ctx, op_info->buf, &op_info->buf_len, &nid); + if (rv != CKR_OK) + return CKR_FUNCTION_FAILED; + case CKM_ECDSA: - return CKR_FUNCTION_FAILED; + return CKR_OK; default: return CKR_FUNCTION_FAILED; diff --git a/ykcs11/mechanisms.h b/ykcs11/mechanisms.h index b39a78e..1869774 100644 --- a/ykcs11/mechanisms.h +++ b/ykcs11/mechanisms.h @@ -6,6 +6,7 @@ CK_RV check_sign_mechanism(const ykcs11_session_t *s, CK_MECHANISM_PTR m); CK_BBOOL is_RSA_mechanism(CK_MECHANISM_TYPE m); CK_BBOOL is_PSS_mechanism(CK_MECHANISM_TYPE m); +CK_BBOOL is_hashed_mechanism(CK_MECHANISM_TYPE m); CK_RV apply_sign_mechanism_init(op_info_t *op_info); CK_RV apply_sign_mechanism_update(op_info_t *op_info, CK_BYTE_PTR in, CK_ULONG in_len); diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c index e83fc38..f650769 100644 --- a/ykcs11/ykcs11.c +++ b/ykcs11/ykcs11.c @@ -927,6 +927,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( if (is_private_object(&session, find_obj.objects[i]) == CK_TRUE) { DBG(("Stripping away private object %u", find_obj.objects[i])); find_obj.objects[i] = OBJECT_INVALID; + total--; continue; } @@ -937,6 +938,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( DBG(("Removing object %u from the list", find_obj.objects[i])); find_obj.objects[i] = OBJECT_INVALID; // Object not matching, mark it total--; + break; } else DBG(("Keeping object %u in the list", find_obj.objects[i])); @@ -945,11 +947,6 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( DBG(("%lu object(s) left after attribute matching", total)); - // TODO: do it properly here, just a test now - //find_obj.objects = session.slot->token->objects + 3; - /*memmove(find_obj.objects, find_obj.objects + 12, sizeof(piv_obj_id_t) * (find_obj.num - 12)); - find_obj.num = 1;*/ - find_obj.active = CK_TRUE; DOUT; @@ -1358,10 +1355,12 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)( DBG(("Sending %lu bytes to sign", ulDataLen)); dump_hex(pData, ulDataLen, stderr, CK_TRUE); - if (apply_sign_mechanism_update(&op_info, pData, ulDataLen) != CKR_OK) { - DBG(("Unable to perform signing operation step")); - return CKR_FUNCTION_FAILED; - } + if (is_hashed_mechanism(op_info.mechanism.mechanism) == CK_TRUE) { + if (apply_sign_mechanism_update(&op_info, pData, ulDataLen) != CKR_OK) { + DBG(("Unable to perform signing operation step")); + return CKR_FUNCTION_FAILED; + } + } if (apply_sign_mechanism_finalize(&op_info) != CKR_OK) { DBG(("Unable to finalize signing operation"));