feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fixes for PKCS #11 private key id and ECC

Browse Source
This commit is contained in:
Sean Parkinson
2019-02-25 11:17:56 +10:00
parent b037334732
commit 0e914d81dc
3 changed files with 58 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/internal.c
View File

@@ -17013,7 +17013,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
} }
/* Return the maximum signature length. */ /* Return the maximum signature length. */
*length = (word16)ssl->buffers.keySz; *length = (word16)wc_ecc_sig_size_calc(ssl->buffers.keySz);
} }
} }
else if (ssl->buffers.keyType == ecc_dsa_sa_algo) { else if (ssl->buffers.keyType == ecc_dsa_sa_algo) {
@@ -17027,7 +17027,7 @@ int DecodePrivateKey(WOLFSSL *ssl, word16* length)
} }
/* Return the maximum signature length. */ /* Return the maximum signature length. */
*length = (word16)ssl->buffers.keySz; *length = (word16)wc_ecc_sig_size_calc(ssl->buffers.keySz);
} }
} }
goto exit_dpk; goto exit_dpk;
@@ -25221,8 +25221,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ERROR_OUT(BUFFER_ERROR, exit_dcke); ERROR_OUT(BUFFER_ERROR, exit_dcke);
} }
ssl->arrays->preMasterSz = ENCRYPT_LEN;
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
if (ssl->ecdhCurveOID == ECC_X25519_OID) { if (ssl->ecdhCurveOID == ECC_X25519_OID) {
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
@@ -25254,6 +25252,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
} }
ssl->arrays->preMasterSz = CURVE25519_KEYSIZE;
ssl->peerX25519KeyPresent = 1; ssl->peerX25519KeyPresent = 1;
if (ret != 0) { if (ret != 0) {
@@ -25297,6 +25297,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke); ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
} }
ssl->arrays->preMasterSz = private_key->dp->size;
ssl->peerEccKeyPresent = 1; ssl->peerEccKeyPresent = 1;
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */

4
src/ssl.c
View File

@@ -11332,9 +11332,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->buffers.keyId = 1; ssl->buffers.keyId = 1;
ssl->buffers.keySz = (word32)keySz; ssl->buffers.keySz = (word32)keySz;
if (devId != INVALID_DEVID) if (devId != INVALID_DEVID)
ssl->buffers.keyId = devId; ssl->buffers.keyDevId = devId;
else else
ssl->buffers.keyId = ssl->devId; ssl->buffers.keyDevId = ssl->devId;
ret = WOLFSSL_SUCCESS; ret = WOLFSSL_SUCCESS;
} }

59
wolfcrypt/src/wc_pkcs11.c
View File

@@ -566,7 +566,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
aes->idLen); aes->idLen);
} }
if (ret == 0 && clear) if (ret == 0 && clear)
ForceZero(aes->devKey, 0, aes->keylen); ForceZero(aes->devKey, aes->keylen);
break; break;
} }
#endif #endif
@@ -583,7 +583,7 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key)
aes->idLen); aes->idLen);
} }
if (ret == 0 && clear) if (ret == 0 && clear)
ForceZero(aes->devKey, 0, aes->keylen); ForceZero(aes->devKey, aes->keylen);
break; break;
} }
#endif #endif
@@ -1635,6 +1635,43 @@ static int Pkcs11ECDSASig_Decode(const byte* in, word32 inSz, byte* sig,
return ret; return ret;
} }
/**
* Get the parameters from the private key on the device.
*
* @param session [in] Session object.
* @param privKey [in] PKCS #11 object handle of private key..
* @param key [in] Ecc key to set parameters against.
* @return WC_HW_E when a PKCS#11 library call fails.
* 0 on success.
*/
static int Pkcs11GetEccParams(Pkcs11Session* session, CK_OBJECT_HANDLE privKey,
ecc_key* key)
{
int ret = 0;
int curveId;
CK_RV rv;
byte oid[16];
CK_ATTRIBUTE template[] = {
{ CKA_EC_PARAMS, (CK_VOID_PTR)oid, sizeof(oid) }
};
rv = session->func->C_GetAttributeValue(session->handle, privKey, template,
1);
if (rv != CKR_OK)
ret = WC_HW_E;
if (ret == 0) {
/* PKCS #11 wraps the OID in ASN.1 */
curveId = wc_ecc_get_curve_id_from_oid(oid + 2,
template[0].ulValueLen - 2);
if (curveId == ECC_CURVE_INVALID)
ret = WC_HW_E;
}
if (ret == 0)
ret = wc_ecc_set_curve(key, 0, curveId);
return ret;
}
/** /**
* Performs the ECDSA signing operation. * Performs the ECDSA signing operation.
* *
@@ -1666,13 +1703,6 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
if (ret == 0) { if (ret == 0) {
WOLFSSL_MSG("PKCS#11: EC Signing Operation"); WOLFSSL_MSG("PKCS#11: EC Signing Operation");
sz = info->pk.eccsign.key->dp->size;
/* Maximum encoded size is two ordinates + 8 bytes of ASN.1. */
if (*info->pk.eccsign.outlen < sz * 2 + 8)
ret = BUFFER_E;
}
if (ret == 0) {
if ((sessionKey = !mp_iszero(&info->pk.eccsign.key->k))) if ((sessionKey = !mp_iszero(&info->pk.eccsign.key->k)))
ret = Pkcs11CreateEccPrivateKey(&privateKey, session, ret = Pkcs11CreateEccPrivateKey(&privateKey, session,
info->pk.eccsign.key, CKA_SIGN); info->pk.eccsign.key, CKA_SIGN);
@@ -1680,6 +1710,10 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC, ret = Pkcs11FindKeyById(&privateKey, CKO_PRIVATE_KEY, CKK_EC,
session, info->pk.eccsign.key->id, session, info->pk.eccsign.key->id,
info->pk.eccsign.key->idLen); info->pk.eccsign.key->idLen);
if (ret == 0 && info->pk.eccsign.key->dp == NULL) {
ret = Pkcs11GetEccParams(session, privateKey,
info->pk.eccsign.key);
}
} }
else { else {
ret = Pkcs11FindEccKey(&privateKey, CKO_PRIVATE_KEY, session, ret = Pkcs11FindEccKey(&privateKey, CKO_PRIVATE_KEY, session,
@@ -1687,6 +1721,13 @@ static int Pkcs11ECDSA_Sign(Pkcs11Session* session, wc_CryptoInfo* info)
} }
} }
if (ret == 0) {
sz = info->pk.eccsign.key->dp->size;
/* Maximum encoded size is two ordinates + 8 bytes of ASN.1. */
if (*info->pk.eccsign.outlen < (word32)wc_ecc_sig_size_calc(sz))
ret = BUFFER_E;
}
if (ret == 0) { if (ret == 0) {
mech.mechanism = CKM_ECDSA; mech.mechanism = CKM_ECDSA;
mech.ulParameterLen = 0; mech.ulParameterLen = 0;