forked from wolfSSL/wolfssl
Merge pull request #2116 from SparkiDev/pkcs11_id_fix_1
Fixes for PKCS #11 private key id and ECC
This commit is contained in:
toddouska
GitHub
@ -17013,7 +17013,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
|
||||
}
|
||||
|
||||
/* Return the maximum signature length. */
|
||||
*length = (word16)ssl->buffers.keySz;
|
||||
*length = (word16)wc_ecc_sig_size_calc(ssl->buffers.keySz);
|
||||
}
|
||||
}
|
||||
else if (ssl->buffers.keyType == ecc_dsa_sa_algo) {
|
||||
@ -17027,7 +17027,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
|
||||
}
|
||||
|
||||
/* Return the maximum signature length. */
|
||||
*length = (word16)ssl->buffers.keySz;
|
||||
*length = (word16)wc_ecc_sig_size_calc(ssl->buffers.keySz);
|
||||
}
|
||||
}
|
||||
goto exit_dpk;
|
||||
@ -25221,8 +25221,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ERROR_OUT(BUFFER_ERROR, exit_dcke);
|
||||
}
|
||||
|
||||
ssl->arrays->preMasterSz = ENCRYPT_LEN;
|
||||
|
||||
#ifdef HAVE_CURVE25519
|
||||
if (ssl->ecdhCurveOID == ECC_X25519_OID) {
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
@ -25254,6 +25252,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
|
||||
}
|
||||
|
||||
ssl->arrays->preMasterSz = CURVE25519_KEYSIZE;
|
||||
|
||||
ssl->peerX25519KeyPresent = 1;
|
||||
|
||||
if (ret != 0) {
|
||||
@ -25297,6 +25297,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
|
||||
}
|
||||
|
||||
ssl->arrays->preMasterSz = private_key->dp->size;
|
||||
|
||||
ssl->peerEccKeyPresent = 1;
|
||||
#endif /* HAVE_ECC */
|
||||
|
||||
|
||||
@ -11332,9 +11332,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
ssl->buffers.keyId = 1;
|
||||
ssl->buffers.keySz = (word32)keySz;
|
||||
if (devId != INVALID_DEVID)
|
||||
ssl->buffers.keyId = devId;
|
||||
ssl->buffers.keyDevId = devId;
|
||||
else
|
||||
ssl->buffers.keyId = ssl->devId;
|
||||
ssl->buffers.keyDevId = ssl->devId;
|
||||
|
||||
ret = WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
@ -566,7 +566,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
|
||||
aes->idLen);
|
||||
}
|
||||
if (ret == 0 && clear)
|
||||
ForceZero(aes->devKey, 0, aes->keylen);
|
||||
ForceZero(aes->devKey, aes->keylen);
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
@ -583,7 +583,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
|
||||
aes->idLen);
|
||||
}
|
||||
if (ret == 0 && clear)
|
||||
ForceZero(aes->devKey, 0, aes->keylen);
|
||||
ForceZero(aes->devKey, aes->keylen);
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
@ -1635,6 +1635,43 @@ static int Pkcs11ECDSASig_Decode(const byte* in, word32 inSz, byte* sig,
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the parameters from the private key on the device.
|
||||
*
|
||||
* @param session [in] Session object.
|
||||
* @param privKey [in] PKCS #11 object handle of private key..
|
||||
* @param key [in] Ecc key to set parameters against.
|
||||
* @return WC_HW_E when a PKCS#11 library call fails.
|
||||
* 0 on success.
|
||||
*/
|
||||
static int Pkcs11GetEccParams(Pkcs11Session* session, CK_OBJECT_HANDLE privKey,
|
||||
ecc_key* key)
|
||||
{
|
||||
int ret = 0;
|
||||
int curveId;
|
||||
CK_RV rv;
|
||||
byte oid[16];
|
||||
CK_ATTRIBUTE template[] = {
|
||||
{ CKA_EC_PARAMS, (CK_VOID_PTR)oid, sizeof(oid) }
|
||||
};
|
||||
|
||||
rv = session->func->C_GetAttributeValue(session->handle, privKey, template,
|
||||
1);
|
||||
if (rv != CKR_OK)
|
||||
ret = WC_HW_E;
|
||||
if (ret == 0) {
|
||||
/* PKCS #11 wraps the OID in ASN.1 */
|
||||
curveId = wc_ecc_get_curve_id_from_oid(oid + 2,
|
||||
template[0].ulValueLen - 2);
|
||||
if (curveId == ECC_CURVE_INVALID)
|
||||
ret = WC_HW_E;
|
||||
}
|
||||
if (ret == 0)
|
||||
ret = wc_ecc_set_curve(key, 0, curveId);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Performs the ECDSA signing operation.
|
||||
*
|
||||
@ -1666,13 +1703,6 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
|
||||
if (ret == 0) {
|
||||
WOLFSSL_MSG("PKCS#11: EC Signing Operation");
|
||||
|
||||
sz = info->pk.eccsign.key->dp->size;
|
||||
/* Maximum encoded size is two ordinates + 8 bytes of ASN.1. */
|
||||
if (*info->pk.eccsign.outlen < sz * 2 + 8)
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
if ((sessionKey = !mp_iszero(&info->pk.eccsign.key->k)))
|
||||
ret = Pkcs11CreateEccPrivateKey(&privateKey, session,
|
||||
info->pk.eccsign.key, CKA_SIGN);
|
||||
@ -1680,6 +1710,10 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
|
||||
ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
|
||||
session, info->pk.eccsign.key->id,
|
||||
info->pk.eccsign.key->idLen);
|
||||
if (ret == 0 && info->pk.eccsign.key->dp == NULL) {
|
||||
ret = Pkcs11GetEccParams(session, privateKey,
|
||||
info->pk.eccsign.key);
|
||||
}
|
||||
}
|
||||
else {
|
||||
ret = Pkcs11FindEccKey(&privateKey, CKO_PRIVATE_KEY, session,
|
||||
@ -1687,6 +1721,13 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
|
||||
}
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
sz = info->pk.eccsign.key->dp->size;
|
||||
/* Maximum encoded size is two ordinates + 8 bytes of ASN.1. */
|
||||
if (*info->pk.eccsign.outlen < (word32)wc_ecc_sig_size_calc(sz))
|
||||
ret = BUFFER_E;
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
mech.mechanism = CKM_ECDSA;
|
||||
mech.ulParameterLen = 0;
|
||||
|
||||
Reference in New Issue
Block a user