From 7551e49fed3c4473bb488dea8fd9000d6f03c181 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Thu, 18 Oct 2018 17:29:43 +1000 Subject: [PATCH] Improvements for PKCS#11 library --- wolfcrypt/src/ecc.c | 39 +++++++++++++++++++++++++++++++ wolfcrypt/src/rsa.c | 19 ++++++++++++++++ wolfcrypt/src/wc_pkcs11.c | 48 +++++++++++++++++++++++++++------------ wolfssl/wolfcrypt/ecc.h | 2 ++ 4 files changed, 94 insertions(+), 14 deletions(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index e9f83b14c..cbd7c72e4 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -3291,6 +3291,34 @@ int wc_ecc_get_curve_id_from_params(int fieldSize, return ecc_sets[idx].id; } +/* Returns the curve id that corresponds to a given OID, + * as listed in ecc_sets[] of ecc.c. + * + * oid OID, from ecc_sets[].name in ecc.c + * len OID len, from ecc_sets[].name in ecc.c + * return curve id, from ecc_sets[] on success, negative on error + */ +int wc_ecc_get_curve_id_from_oid(const byte* oid, word32 len) +{ + int curve_idx; + + if (oid == NULL) + return BAD_FUNC_ARG; + + for (curve_idx = 0; ecc_sets[curve_idx].size != 0; curve_idx++) { + if (ecc_sets[curve_idx].oid && ecc_sets[curve_idx].oidSz == len && + XMEMCMP(ecc_sets[curve_idx].oid, oid, len) == 0) { + break; + } + } + if (ecc_sets[curve_idx].size == 0) { + WOLFSSL_MSG("ecc_set curve name not found"); + return ECC_CURVE_INVALID; + } + + return ecc_sets[curve_idx].id; +} + #ifdef WOLFSSL_ASYNC_CRYPT static WC_INLINE int wc_ecc_alloc_mpint(ecc_key* key, mp_int** mp) @@ -4003,6 +4031,17 @@ int wc_ecc_make_key_ex(WC_RNG* rng, int keysize, ecc_key* key, int curve_id) #endif /* WOLFSSL_SP_MATH */ } +#ifdef HAVE_WOLF_BIGINT + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->k, &key->k.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(key->pubkey.x, &key->pubkey.x->raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(key->pubkey.y, &key->pubkey.y->raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(key->pubkey.z, &key->pubkey.z->raw); +#endif + #endif /* WOLFSSL_ATECC508A */ return err; diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index c451b9a61..af1cc5b05 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -3109,6 +3109,25 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) if (err == MP_OKAY) key->type = RSA_PRIVATE; +#ifdef HAVE_WOLF_BIGINT + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->n, &key->n.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->e, &key->e.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->d, &key->d.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->p, &key->p.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->q, &key->q.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->dP, &key->dP.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->dQ, &key->dQ.raw); + if (err == MP_OKAY) + err = wc_mp_to_bigint(&key->u, &key->u.raw); +#endif + mp_clear(&tmp1); mp_clear(&tmp2); mp_clear(&tmp3); diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index f35b88693..e0a52a884 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -84,8 +84,10 @@ int wc_Pkcs11_Initialize(Pkcs11Dev* dev, const char* library) if (ret == 0) { dev->dlHandle = dlopen(library, RTLD_NOW | RTLD_LOCAL); - if (dev->dlHandle == NULL) + if (dev->dlHandle == NULL) { + WOLFSSL_MSG(dlerror()); ret = BAD_PATH_ERROR; + } } if (ret == 0) { @@ -148,10 +150,10 @@ void wc_Pkcs11_Finalize(Pkcs11Dev* dev) int wc_Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev, int slotId, const char* tokenName, const unsigned char* userPin, int userPinSz) { - int ret = 0; - CK_RV rv; - CK_SLOT_ID slot; - CK_ULONG slotCnt = 1; + int ret = 0; + CK_RV rv; + CK_SLOT_ID* slot = NULL; + CK_ULONG slotCnt = 0; if (token == NULL || dev == NULL || tokenName == NULL) ret = BAD_FUNC_ARG; @@ -159,14 +161,25 @@ int wc_Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev, int slotId, if (ret == 0) { if (slotId < 0) { /* Use first available slot with a token. */ - rv = dev->func->C_GetSlotList(CK_TRUE, &slot, &slotCnt); + rv = dev->func->C_GetSlotList(CK_TRUE, NULL, &slotCnt); if (rv != CKR_OK) ret = WC_HW_E; + if (ret == 0) { + slot = XMALLOC(slotCnt * sizeof(*slot), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (slot == NULL) + ret = MEMORY_E; + } + if (ret == 0) { + rv = dev->func->C_GetSlotList(CK_TRUE, slot, &slotCnt); + if (rv != CKR_OK) + ret = WC_HW_E; + } if (ret == 0) { if (slotCnt > 0) - slotId = (int)slot; + slotId = (int)slot[0]; else - ret = -1; + ret = WC_HW_E; } } } @@ -178,6 +191,9 @@ int wc_Pkcs11Token_Init(Pkcs11Token* token, Pkcs11Dev* dev, int slotId, token->userPinSz = (CK_ULONG)userPinSz; } + if (slot != NULL) + XFREE(slot, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return ret; } @@ -947,6 +963,7 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) { CKA_VERIFY, &ckTrue, sizeof(ckTrue) }, { CKA_PUBLIC_EXPONENT, &pub_exp, sizeof(pub_exp) } }; + int pubTmplCnt = sizeof(pubKeyTmpl)/sizeof(*pubKeyTmpl); CK_ATTRIBUTE privKeyTmpl[] = { {CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, {CKA_SIGN, &ckTrue, sizeof(ckTrue) }, @@ -979,8 +996,9 @@ static int Pkcs11RsaKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = NULL; rv = session->func->C_GenerateKeyPair(session->handle, &mech, - pubKeyTmpl, 4, privKeyTmpl, - privTmplCnt, &pubKey, &privKey); + pubKeyTmpl, pubTmplCnt, + privKeyTmpl, privTmplCnt, + &pubKey, &privKey); if (rv != CKR_OK) ret = -1; } @@ -1216,7 +1234,7 @@ static int Pkcs11GetEccPublicKey(ecc_key* key, Pkcs11Session* session, * @return WC_HW_E when a PKCS#11 library call fails. * 0 on success. */ -static int Pkcs11EC_KeyGen(Pkcs11Session* session, wc_CryptoInfo* info) +static int Pkcs11EcKeyGen(Pkcs11Session* session, wc_CryptoInfo* info) { int ret = 0; ecc_key* key = info->pk.eckg.key; @@ -1229,6 +1247,7 @@ static int Pkcs11EC_KeyGen(Pkcs11Session* session, wc_CryptoInfo* info) { CKA_ENCRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_VERIFY, &ckTrue, sizeof(ckTrue) }, }; + int pubTmplCnt = sizeof(pubKeyTmpl)/sizeof(*pubKeyTmpl); CK_ATTRIBUTE privKeyTmpl[] = { { CKA_DECRYPT, &ckTrue, sizeof(ckTrue) }, { CKA_SIGN, &ckTrue, sizeof(ckTrue) }, @@ -1255,8 +1274,9 @@ static int Pkcs11EC_KeyGen(Pkcs11Session* session, wc_CryptoInfo* info) mech.pParameter = NULL; rv = session->func->C_GenerateKeyPair(session->handle, &mech, - pubKeyTmpl, 2, privKeyTmpl, - privTmplCnt, &pubKey, &privKey); + pubKeyTmpl, pubTmplCnt, + privKeyTmpl, privTmplCnt, + &pubKey, &privKey); if (rv != CKR_OK) ret = -1; } @@ -1931,7 +1951,7 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) #endif #ifdef HAVE_ECC case WC_PK_TYPE_EC_KEYGEN: - ret = Pkcs11EC_KeyGen(&session, info); + ret = Pkcs11EcKeyGen(&session, info); break; case WC_PK_TYPE_ECDH: ret = Pkcs11ECDH(&session, info); diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index af83d575e..21bf637ec 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -501,6 +501,8 @@ int wc_ecc_get_curve_id_from_params(int fieldSize, const byte* Bf, word32 BfSz, const byte* order, word32 orderSz, const byte* Gx, word32 GxSz, const byte* Gy, word32 GySz, int cofactor); +WOLFSSL_API +int wc_ecc_get_curve_id_from_oid(const byte* oid, word32 len); WOLFSSL_API ecc_point* wc_ecc_new_point(void);