2002-12-17 11:49:12 +00:00
|
|
|
/*
|
|
|
|
* OpenSSL helper functions, e.g. for implementing MD5 support
|
|
|
|
* et al
|
|
|
|
*
|
2015-10-05 12:06:23 +00:00
|
|
|
* Copyright (C) 2002 Olaf Kirch <okir@suse.de>
|
2017-03-14 21:47:13 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
2002-12-17 11:49:12 +00:00
|
|
|
*/
|
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "config.h"
|
2002-12-17 11:49:12 +00:00
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#ifdef ENABLE_OPENSSL /* empty file without openssl */
|
|
|
|
#include <string.h>
|
2016-01-06 14:40:59 +00:00
|
|
|
#include <openssl/bn.h>
|
2003-01-06 19:52:11 +00:00
|
|
|
#include <openssl/evp.h>
|
2003-02-03 12:20:24 +00:00
|
|
|
#include <openssl/rand.h>
|
2003-06-13 06:51:26 +00:00
|
|
|
#include <openssl/rsa.h>
|
2007-02-02 22:15:14 +00:00
|
|
|
#include <openssl/opensslv.h>
|
2018-05-31 17:06:17 +00:00
|
|
|
#include <openssl/x509.h>
|
2009-10-05 18:40:51 +00:00
|
|
|
#include <openssl/conf.h>
|
2010-05-13 21:57:28 +00:00
|
|
|
#include <openssl/opensslconf.h> /* for OPENSSL_NO_* */
|
2019-01-30 21:01:24 +00:00
|
|
|
#include "libopensc/sc-ossl-compat.h"
|
2009-10-23 18:16:59 +00:00
|
|
|
#ifndef OPENSSL_NO_EC
|
|
|
|
#include <openssl/ec.h>
|
|
|
|
#endif /* OPENSSL_NO_EC */
|
2010-05-13 21:57:28 +00:00
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
|
|
#include <openssl/engine.h>
|
|
|
|
#endif /* OPENSSL_NO_ENGINE */
|
2009-11-19 15:41:03 +00:00
|
|
|
#include <openssl/asn1.h>
|
2010-06-05 08:51:37 +00:00
|
|
|
#include <openssl/crypto.h>
|
2002-12-17 11:49:12 +00:00
|
|
|
|
2010-03-04 08:14:36 +00:00
|
|
|
#include "sc-pkcs11.h"
|
|
|
|
|
2002-12-17 11:49:12 +00:00
|
|
|
static CK_RV sc_pkcs11_openssl_md_init(sc_pkcs11_operation_t *);
|
|
|
|
static CK_RV sc_pkcs11_openssl_md_update(sc_pkcs11_operation_t *,
|
|
|
|
CK_BYTE_PTR, CK_ULONG);
|
|
|
|
static CK_RV sc_pkcs11_openssl_md_final(sc_pkcs11_operation_t *,
|
|
|
|
CK_BYTE_PTR, CK_ULONG_PTR);
|
|
|
|
static void sc_pkcs11_openssl_md_release(sc_pkcs11_operation_t *);
|
|
|
|
|
|
|
|
static sc_pkcs11_mechanism_type_t openssl_sha1_mech = {
|
2010-04-14 11:36:40 +00:00
|
|
|
CKM_SHA_1,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
2012-05-22 15:18:00 +00:00
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2017-09-22 12:03:31 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
2015-04-29 23:45:23 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
2002-12-17 11:49:12 +00:00
|
|
|
};
|
|
|
|
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
static sc_pkcs11_mechanism_type_t openssl_sha224_mech = {
|
|
|
|
CKM_SHA224,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2018-10-01 12:27:09 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
|
|
|
};
|
|
|
|
|
2007-02-02 22:15:14 +00:00
|
|
|
static sc_pkcs11_mechanism_type_t openssl_sha256_mech = {
|
2010-04-14 11:36:40 +00:00
|
|
|
CKM_SHA256,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
2012-05-22 15:18:00 +00:00
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2017-09-22 12:03:31 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
2015-04-29 23:45:23 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
2007-02-02 22:15:14 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static sc_pkcs11_mechanism_type_t openssl_sha384_mech = {
|
2010-04-14 11:36:40 +00:00
|
|
|
CKM_SHA384,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
2012-05-22 15:18:00 +00:00
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2017-09-22 12:03:31 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
2015-04-29 23:45:23 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
2007-02-02 22:15:14 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static sc_pkcs11_mechanism_type_t openssl_sha512_mech = {
|
2010-04-14 11:36:40 +00:00
|
|
|
CKM_SHA512,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
2012-05-22 15:18:00 +00:00
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2017-09-22 12:03:31 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
2015-04-29 23:45:23 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
2007-02-02 22:15:14 +00:00
|
|
|
};
|
|
|
|
|
2009-10-05 18:40:51 +00:00
|
|
|
static sc_pkcs11_mechanism_type_t openssl_gostr3411_mech = {
|
2010-04-14 11:36:40 +00:00
|
|
|
CKM_GOSTR3411,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
2012-05-22 15:18:00 +00:00
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2017-09-22 12:03:31 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
2015-04-29 23:45:23 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
2009-10-05 18:40:51 +00:00
|
|
|
};
|
|
|
|
|
2002-12-17 11:49:12 +00:00
|
|
|
static sc_pkcs11_mechanism_type_t openssl_md5_mech = {
|
2010-04-14 11:36:40 +00:00
|
|
|
CKM_MD5,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
2012-05-22 15:18:00 +00:00
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2017-09-22 12:03:31 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
2015-04-29 23:45:23 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
2002-12-17 11:49:12 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static sc_pkcs11_mechanism_type_t openssl_ripemd160_mech = {
|
2010-04-14 11:36:40 +00:00
|
|
|
CKM_RIPEMD160,
|
|
|
|
{ 0, 0, CKF_DIGEST },
|
|
|
|
0,
|
|
|
|
sizeof(struct sc_pkcs11_operation),
|
|
|
|
sc_pkcs11_openssl_md_release,
|
|
|
|
sc_pkcs11_openssl_md_init,
|
|
|
|
sc_pkcs11_openssl_md_update,
|
|
|
|
sc_pkcs11_openssl_md_final,
|
2012-05-22 15:18:00 +00:00
|
|
|
NULL, NULL, NULL, NULL, /* sign_* */
|
|
|
|
NULL, NULL, NULL, /* verif_* */
|
|
|
|
NULL, NULL, /* decrypt_* */
|
|
|
|
NULL, /* derive */
|
2017-09-22 12:03:31 +00:00
|
|
|
NULL, /* wrap */
|
|
|
|
NULL, /* unwrap */
|
2015-04-29 23:45:23 +00:00
|
|
|
NULL, /* mech_data */
|
|
|
|
NULL, /* free_mech_data */
|
2002-12-17 11:49:12 +00:00
|
|
|
};
|
|
|
|
|
2015-05-01 10:50:19 +00:00
|
|
|
static void * dup_mem(void *in, size_t in_len)
|
|
|
|
{
|
|
|
|
void *out = malloc(in_len);
|
|
|
|
if (out)
|
|
|
|
memcpy(out, in, in_len);
|
|
|
|
return out;
|
|
|
|
}
|
|
|
|
|
2002-12-17 11:49:12 +00:00
|
|
|
void
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *p11card)
|
2002-12-17 11:49:12 +00:00
|
|
|
{
|
2018-08-22 18:57:47 +00:00
|
|
|
#if !defined(OPENSSL_NO_ENGINE)
|
2010-06-05 08:51:37 +00:00
|
|
|
ENGINE *e;
|
2016-01-06 14:40:59 +00:00
|
|
|
/* crypto locking removed in 1.1 */
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
|
void (*locking_cb)(int, int, const char *, int);
|
2010-05-13 21:57:28 +00:00
|
|
|
|
2010-06-05 08:51:37 +00:00
|
|
|
locking_cb = CRYPTO_get_locking_callback();
|
|
|
|
if (locking_cb)
|
|
|
|
CRYPTO_set_locking_callback(NULL);
|
2016-01-06 14:40:59 +00:00
|
|
|
#endif
|
2010-06-05 08:51:37 +00:00
|
|
|
|
|
|
|
e = ENGINE_by_id("gost");
|
2010-06-04 22:23:47 +00:00
|
|
|
if (!e)
|
|
|
|
{
|
2016-09-26 12:54:58 +00:00
|
|
|
#if !defined(OPENSSL_NO_STATIC_ENGINE) && !defined(OPENSSL_NO_GOST) && !defined(LIBRESSL_VERSION_NUMBER)
|
2016-01-06 14:40:59 +00:00
|
|
|
|
|
|
|
/* ENGINE_load_gost removed in 1.1 */
|
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
2010-06-04 22:23:47 +00:00
|
|
|
ENGINE_load_gost();
|
2016-01-06 14:40:59 +00:00
|
|
|
#endif
|
2010-06-04 22:23:47 +00:00
|
|
|
e = ENGINE_by_id("gost");
|
2010-05-13 21:57:28 +00:00
|
|
|
#else
|
2010-06-04 22:23:47 +00:00
|
|
|
/* try to load dynamic gost engine */
|
|
|
|
e = ENGINE_by_id("dynamic");
|
|
|
|
if (!e) {
|
|
|
|
ENGINE_load_dynamic();
|
|
|
|
e = ENGINE_by_id("dynamic");
|
|
|
|
}
|
|
|
|
if (e && (!ENGINE_ctrl_cmd_string(e, "SO_PATH", "gost", 0) ||
|
|
|
|
!ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))) {
|
|
|
|
ENGINE_free(e);
|
|
|
|
e = NULL;
|
|
|
|
}
|
2010-05-13 21:57:28 +00:00
|
|
|
#endif /* !OPENSSL_NO_STATIC_ENGINE && !OPENSSL_NO_GOST */
|
2010-06-04 22:23:47 +00:00
|
|
|
}
|
2010-05-13 21:57:28 +00:00
|
|
|
if (e) {
|
|
|
|
ENGINE_set_default(e, ENGINE_METHOD_ALL);
|
|
|
|
ENGINE_free(e);
|
|
|
|
}
|
2010-06-05 08:51:37 +00:00
|
|
|
|
2016-01-06 14:40:59 +00:00
|
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
2010-06-05 08:51:37 +00:00
|
|
|
if (locking_cb)
|
|
|
|
CRYPTO_set_locking_callback(locking_cb);
|
2016-01-06 14:40:59 +00:00
|
|
|
#endif
|
2018-08-22 18:57:47 +00:00
|
|
|
#endif /* !defined(OPENSSL_NO_ENGINE) */
|
2010-05-13 21:57:28 +00:00
|
|
|
|
2002-12-17 11:49:12 +00:00
|
|
|
openssl_sha1_mech.mech_data = EVP_sha1();
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_sha1_mech, sizeof openssl_sha1_mech));
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
openssl_sha224_mech.mech_data = EVP_sha224();
|
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_sha224_mech, sizeof openssl_sha224_mech));
|
2007-02-02 22:15:14 +00:00
|
|
|
openssl_sha256_mech.mech_data = EVP_sha256();
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_sha256_mech, sizeof openssl_sha256_mech));
|
2007-02-02 22:15:14 +00:00
|
|
|
openssl_sha384_mech.mech_data = EVP_sha384();
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_sha384_mech, sizeof openssl_sha384_mech));
|
2007-02-02 22:15:14 +00:00
|
|
|
openssl_sha512_mech.mech_data = EVP_sha512();
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_sha512_mech, sizeof openssl_sha512_mech));
|
2002-12-17 11:49:12 +00:00
|
|
|
openssl_md5_mech.mech_data = EVP_md5();
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_md5_mech, sizeof openssl_md5_mech));
|
2002-12-17 11:49:12 +00:00
|
|
|
openssl_ripemd160_mech.mech_data = EVP_ripemd160();
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_ripemd160_mech, sizeof openssl_ripemd160_mech));
|
2009-10-05 18:40:51 +00:00
|
|
|
openssl_gostr3411_mech.mech_data = EVP_get_digestbynid(NID_id_GostR3411_94);
|
2015-02-12 01:03:45 +00:00
|
|
|
sc_pkcs11_register_mechanism(p11card, dup_mem(&openssl_gostr3411_mech, sizeof openssl_gostr3411_mech));
|
2002-12-17 11:49:12 +00:00
|
|
|
}
|
|
|
|
|
2003-01-16 20:10:28 +00:00
|
|
|
|
2002-12-17 11:49:12 +00:00
|
|
|
/*
|
|
|
|
* Handle OpenSSL digest functions
|
|
|
|
*/
|
|
|
|
#define DIGEST_CTX(op) \
|
2019-01-25 19:57:00 +00:00
|
|
|
(op ? (EVP_MD_CTX *) (op)->priv_data : NULL)
|
2002-12-17 11:49:12 +00:00
|
|
|
|
2007-06-21 12:01:39 +00:00
|
|
|
static CK_RV sc_pkcs11_openssl_md_init(sc_pkcs11_operation_t *op)
|
2002-12-17 11:49:12 +00:00
|
|
|
{
|
|
|
|
sc_pkcs11_mechanism_type_t *mt;
|
|
|
|
EVP_MD_CTX *md_ctx;
|
|
|
|
EVP_MD *md;
|
|
|
|
|
|
|
|
if (!op || !(mt = op->type) || !(md = (EVP_MD *) mt->mech_data))
|
|
|
|
return CKR_ARGUMENTS_BAD;
|
|
|
|
|
2015-04-29 22:07:10 +00:00
|
|
|
if (!(md_ctx = EVP_MD_CTX_create()))
|
2002-12-17 11:49:12 +00:00
|
|
|
return CKR_HOST_MEMORY;
|
2019-01-25 19:57:00 +00:00
|
|
|
if (!EVP_DigestInit(md_ctx, md)) {
|
|
|
|
EVP_MD_CTX_destroy(md_ctx);
|
|
|
|
return CKR_GENERAL_ERROR;
|
|
|
|
}
|
2002-12-17 11:49:12 +00:00
|
|
|
op->priv_data = md_ctx;
|
|
|
|
return CKR_OK;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:01:39 +00:00
|
|
|
static CK_RV sc_pkcs11_openssl_md_update(sc_pkcs11_operation_t *op,
|
2002-12-17 11:49:12 +00:00
|
|
|
CK_BYTE_PTR pData, CK_ULONG pDataLen)
|
|
|
|
{
|
2019-01-25 19:57:00 +00:00
|
|
|
EVP_MD_CTX *md_ctx = DIGEST_CTX(op);
|
|
|
|
if (!md_ctx)
|
|
|
|
return CKR_ARGUMENTS_BAD;
|
|
|
|
if (!EVP_DigestUpdate(md_ctx, pData, pDataLen))
|
|
|
|
return CKR_GENERAL_ERROR;
|
2002-12-17 11:49:12 +00:00
|
|
|
return CKR_OK;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:01:39 +00:00
|
|
|
static CK_RV sc_pkcs11_openssl_md_final(sc_pkcs11_operation_t *op,
|
2002-12-17 11:49:12 +00:00
|
|
|
CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen)
|
|
|
|
{
|
2011-01-03 16:20:19 +00:00
|
|
|
EVP_MD_CTX *md_ctx = DIGEST_CTX(op);
|
2002-12-17 11:49:12 +00:00
|
|
|
|
2019-01-25 19:57:00 +00:00
|
|
|
if (!md_ctx)
|
|
|
|
return CKR_ARGUMENTS_BAD;
|
2011-01-03 16:20:19 +00:00
|
|
|
if (*pulDigestLen < (unsigned) EVP_MD_CTX_size(md_ctx)) {
|
2017-03-14 19:02:30 +00:00
|
|
|
sc_log(context, "Provided buffer too small: %lu < %d",
|
|
|
|
*pulDigestLen, EVP_MD_CTX_size(md_ctx));
|
2002-12-17 11:49:12 +00:00
|
|
|
*pulDigestLen = EVP_MD_CTX_size(md_ctx);
|
|
|
|
return CKR_BUFFER_TOO_SMALL;
|
|
|
|
}
|
2019-01-25 19:57:00 +00:00
|
|
|
if (!EVP_DigestFinal(md_ctx, pDigest, (unsigned *) pulDigestLen))
|
|
|
|
return CKR_GENERAL_ERROR;
|
2002-12-17 11:49:12 +00:00
|
|
|
|
|
|
|
return CKR_OK;
|
|
|
|
}
|
|
|
|
|
2007-06-21 12:01:39 +00:00
|
|
|
static void sc_pkcs11_openssl_md_release(sc_pkcs11_operation_t *op)
|
2002-12-17 11:49:12 +00:00
|
|
|
{
|
2019-01-25 19:57:00 +00:00
|
|
|
if (op) {
|
|
|
|
EVP_MD_CTX *md_ctx = DIGEST_CTX(op);
|
|
|
|
if (md_ctx)
|
|
|
|
EVP_MD_CTX_destroy(md_ctx);
|
|
|
|
op->priv_data = NULL;
|
|
|
|
}
|
2002-12-17 11:49:12 +00:00
|
|
|
}
|
|
|
|
|
2018-08-22 18:57:47 +00:00
|
|
|
#if !defined(OPENSSL_NO_EC)
|
2009-10-05 18:40:51 +00:00
|
|
|
|
|
|
|
static void reverse(unsigned char *buf, size_t len)
|
|
|
|
{
|
|
|
|
unsigned char tmp;
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
for (i = 0; i < len / 2; ++i) {
|
|
|
|
tmp = buf[i];
|
|
|
|
buf[i] = buf[len - 1 - i];
|
|
|
|
buf[len - 1 - i] = tmp;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-10-31 12:10:12 +00:00
|
|
|
static CK_RV gostr3410_verify_data(const unsigned char *pubkey, unsigned int pubkey_len,
|
|
|
|
const unsigned char *params, unsigned int params_len,
|
|
|
|
unsigned char *data, unsigned int data_len,
|
|
|
|
unsigned char *signat, unsigned int signat_len)
|
2009-10-05 18:40:51 +00:00
|
|
|
{
|
|
|
|
EVP_PKEY *pkey;
|
2012-01-09 09:40:42 +00:00
|
|
|
EVP_PKEY_CTX *pkey_ctx = NULL;
|
2009-10-05 18:40:51 +00:00
|
|
|
EC_POINT *P;
|
|
|
|
BIGNUM *X, *Y;
|
2018-04-15 07:37:43 +00:00
|
|
|
ASN1_OCTET_STRING *octet = NULL;
|
2009-10-05 18:40:51 +00:00
|
|
|
const EC_GROUP *group = NULL;
|
|
|
|
char paramset[2] = "A";
|
|
|
|
int r = -1, ret_vrf = 0;
|
|
|
|
|
|
|
|
pkey = EVP_PKEY_new();
|
|
|
|
if (!pkey)
|
|
|
|
return CKR_HOST_MEMORY;
|
|
|
|
r = EVP_PKEY_set_type(pkey, NID_id_GostR3410_2001);
|
|
|
|
if (r == 1) {
|
|
|
|
pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL);
|
|
|
|
if (!pkey_ctx) {
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
return CKR_HOST_MEMORY;
|
|
|
|
}
|
|
|
|
/* FIXME: fully check params[] */
|
|
|
|
if (params_len > 0 && params[params_len - 1] >= 1 &&
|
|
|
|
params[params_len - 1] <= 3) {
|
|
|
|
paramset[0] += params[params_len - 1] - 1;
|
|
|
|
r = EVP_PKEY_CTX_ctrl_str(pkey_ctx, "paramset", paramset);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
r = -1;
|
|
|
|
if (r == 1)
|
|
|
|
r = EVP_PKEY_paramgen_init(pkey_ctx);
|
|
|
|
if (r == 1)
|
|
|
|
r = EVP_PKEY_paramgen(pkey_ctx, &pkey);
|
|
|
|
if (r == 1 && EVP_PKEY_get0(pkey) != NULL)
|
|
|
|
group = EC_KEY_get0_group(EVP_PKEY_get0(pkey));
|
|
|
|
r = -1;
|
2009-11-19 15:41:03 +00:00
|
|
|
if (group)
|
|
|
|
octet = d2i_ASN1_OCTET_STRING(NULL, &pubkey, (long)pubkey_len);
|
|
|
|
if (group && octet) {
|
|
|
|
reverse(octet->data, octet->length);
|
|
|
|
Y = BN_bin2bn(octet->data, octet->length / 2, NULL);
|
|
|
|
X = BN_bin2bn((const unsigned char*)octet->data +
|
|
|
|
octet->length / 2, octet->length / 2, NULL);
|
|
|
|
ASN1_OCTET_STRING_free(octet);
|
2009-10-05 18:40:51 +00:00
|
|
|
P = EC_POINT_new(group);
|
|
|
|
if (P && X && Y)
|
2019-01-30 21:01:24 +00:00
|
|
|
r = EC_POINT_set_affine_coordinates_GFp(group,
|
2009-10-05 18:40:51 +00:00
|
|
|
P, X, Y, NULL);
|
|
|
|
BN_free(X);
|
|
|
|
BN_free(Y);
|
|
|
|
if (r == 1 && EVP_PKEY_get0(pkey) && P)
|
|
|
|
r = EC_KEY_set_public_key(EVP_PKEY_get0(pkey), P);
|
|
|
|
EC_POINT_free(P);
|
|
|
|
}
|
|
|
|
if (r == 1) {
|
|
|
|
r = EVP_PKEY_verify_init(pkey_ctx);
|
|
|
|
reverse(data, data_len);
|
|
|
|
if (r == 1)
|
|
|
|
ret_vrf = EVP_PKEY_verify(pkey_ctx, signat, signat_len,
|
|
|
|
data, data_len);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
EVP_PKEY_CTX_free(pkey_ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
if (r != 1)
|
|
|
|
return CKR_GENERAL_ERROR;
|
|
|
|
return ret_vrf == 1 ? CKR_OK : CKR_SIGNATURE_INVALID;
|
|
|
|
}
|
2018-08-22 18:57:47 +00:00
|
|
|
#endif /* !defined(OPENSSL_NO_EC) */
|
2009-10-05 18:40:51 +00:00
|
|
|
|
2003-06-27 15:26:17 +00:00
|
|
|
/* If no hash function was used, finish with RSA_public_decrypt().
|
|
|
|
* If a hash function was used, we can make a big shortcut by
|
|
|
|
* finishing with EVP_VerifyFinal().
|
|
|
|
*/
|
2018-10-31 12:10:12 +00:00
|
|
|
CK_RV sc_pkcs11_verify_data(const unsigned char *pubkey, unsigned int pubkey_len,
|
|
|
|
const unsigned char *pubkey_params, unsigned int pubkey_params_len,
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
CK_MECHANISM_PTR mech, sc_pkcs11_operation_t *md,
|
2018-10-31 12:10:12 +00:00
|
|
|
unsigned char *data, unsigned int data_len,
|
|
|
|
unsigned char *signat, unsigned int signat_len)
|
2003-06-27 15:26:17 +00:00
|
|
|
{
|
|
|
|
int res;
|
|
|
|
CK_RV rv = CKR_GENERAL_ERROR;
|
2017-03-11 17:49:49 +00:00
|
|
|
EVP_PKEY *pkey = NULL;
|
2017-04-08 11:18:55 +00:00
|
|
|
const unsigned char *pubkey_tmp = NULL;
|
2003-06-27 15:26:17 +00:00
|
|
|
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
if (mech->mechanism == CKM_GOSTR3410)
|
2009-10-05 18:40:51 +00:00
|
|
|
{
|
2018-08-22 18:57:47 +00:00
|
|
|
#if !defined(OPENSSL_NO_EC)
|
2009-10-05 18:40:51 +00:00
|
|
|
return gostr3410_verify_data(pubkey, pubkey_len,
|
|
|
|
pubkey_params, pubkey_params_len,
|
|
|
|
data, data_len, signat, signat_len);
|
|
|
|
#else
|
2009-10-23 18:16:59 +00:00
|
|
|
(void)pubkey_params, (void)pubkey_params_len; /* no warning */
|
2009-10-05 18:40:51 +00:00
|
|
|
return CKR_FUNCTION_NOT_SUPPORTED;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2017-03-11 17:49:49 +00:00
|
|
|
/*
|
|
|
|
* PKCS#11 does not define CKA_VALUE for public keys, and different cards
|
|
|
|
* return either the raw or spki versions as defined in PKCS#15
|
|
|
|
* And we need to support more then just RSA.
|
|
|
|
* We can use d2i_PUBKEY which works for SPKI and any key type.
|
|
|
|
*/
|
|
|
|
pubkey_tmp = pubkey; /* pass in so pubkey pointer is not modified */
|
|
|
|
|
2017-04-08 11:18:55 +00:00
|
|
|
pkey = d2i_PUBKEY(NULL, &pubkey_tmp, pubkey_len);
|
2003-06-27 15:26:17 +00:00
|
|
|
if (pkey == NULL)
|
|
|
|
return CKR_GENERAL_ERROR;
|
|
|
|
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
if (md != NULL && (mech->mechanism == CKM_SHA1_RSA_PKCS
|
2018-10-17 21:07:20 +00:00
|
|
|
|| mech->mechanism == CKM_MD5_RSA_PKCS
|
|
|
|
|| mech->mechanism == CKM_RIPEMD160_RSA_PKCS
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
|| mech->mechanism == CKM_SHA224_RSA_PKCS
|
|
|
|
|| mech->mechanism == CKM_SHA256_RSA_PKCS
|
|
|
|
|| mech->mechanism == CKM_SHA384_RSA_PKCS
|
2020-12-21 18:02:28 +00:00
|
|
|
|| mech->mechanism == CKM_SHA512_RSA_PKCS
|
|
|
|
|| mech->mechanism == CKM_ECDSA_SHA1
|
|
|
|
|| mech->mechanism == CKM_ECDSA_SHA224
|
|
|
|
|| mech->mechanism == CKM_ECDSA_SHA256
|
|
|
|
|| mech->mechanism == CKM_ECDSA_SHA384
|
|
|
|
|| mech->mechanism == CKM_ECDSA_SHA512
|
|
|
|
)) {
|
2003-06-27 15:26:17 +00:00
|
|
|
EVP_MD_CTX *md_ctx = DIGEST_CTX(md);
|
|
|
|
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
/* This does not really use the data argument, but the data
|
|
|
|
* are already collected in the md_ctx
|
|
|
|
*/
|
|
|
|
sc_log(context, "Trying to verify using EVP");
|
2019-01-25 19:57:00 +00:00
|
|
|
if (md_ctx) {
|
2020-12-22 17:14:11 +00:00
|
|
|
|
|
|
|
if (EVP_PKEY_get0_EC_KEY(pkey)) {
|
|
|
|
unsigned char *signat_tmp = NULL;
|
|
|
|
size_t signat_len_tmp;
|
|
|
|
int r;
|
|
|
|
r = sc_asn1_sig_value_rs_to_sequence(NULL, signat,
|
|
|
|
signat_len, &signat_tmp, &signat_len_tmp);
|
|
|
|
if (r == 0) {
|
|
|
|
res = EVP_VerifyFinal(md_ctx, signat_tmp, signat_len_tmp, pkey);
|
|
|
|
} else {
|
|
|
|
sc_log(context, "sc_asn1_sig_value_rs_to_sequence failed r:%d",r);
|
|
|
|
res = -1;
|
|
|
|
}
|
|
|
|
free(signat_tmp);
|
|
|
|
} else
|
|
|
|
res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
|
2019-01-25 19:57:00 +00:00
|
|
|
} else {
|
|
|
|
res = -1;
|
|
|
|
}
|
2003-06-27 15:26:17 +00:00
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
if (res == 1)
|
|
|
|
return CKR_OK;
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
else if (res == 0) {
|
|
|
|
sc_log(context, "EVP_VerifyFinal(): Signature invalid");
|
2003-06-27 15:26:17 +00:00
|
|
|
return CKR_SIGNATURE_INVALID;
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
} else {
|
2012-05-12 22:27:38 +00:00
|
|
|
sc_log(context, "EVP_VerifyFinal() returned %d\n", res);
|
2003-06-27 15:26:17 +00:00
|
|
|
return CKR_GENERAL_ERROR;
|
2003-07-17 22:53:48 +00:00
|
|
|
}
|
2021-01-27 09:19:02 +00:00
|
|
|
} else if (md == NULL && mech->mechanism == CKM_ECDSA) {
|
|
|
|
size_t signat_len_tmp;
|
|
|
|
unsigned char *signat_tmp = NULL;
|
|
|
|
EVP_PKEY_CTX *ctx;
|
2021-05-24 09:24:51 +00:00
|
|
|
const EC_KEY *eckey;
|
2021-01-27 09:19:02 +00:00
|
|
|
int r;
|
|
|
|
|
|
|
|
sc_log(context, "Trying to verify using EVP");
|
|
|
|
|
|
|
|
res = 0;
|
|
|
|
r = sc_asn1_sig_value_rs_to_sequence(NULL, signat, signat_len,
|
|
|
|
&signat_tmp, &signat_len_tmp);
|
|
|
|
eckey = EVP_PKEY_get0_EC_KEY(pkey);
|
|
|
|
ctx = EVP_PKEY_CTX_new(pkey, NULL);
|
|
|
|
if (r == 0 && eckey && ctx && 1 == EVP_PKEY_verify_init(ctx))
|
|
|
|
res = EVP_PKEY_verify(ctx, signat_tmp, signat_len_tmp, data, data_len);
|
|
|
|
|
|
|
|
EVP_PKEY_CTX_free(ctx);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
free(signat_tmp);
|
|
|
|
|
|
|
|
if (res == 1)
|
|
|
|
return CKR_OK;
|
|
|
|
else if (res == 0)
|
|
|
|
return CKR_SIGNATURE_INVALID;
|
|
|
|
else
|
|
|
|
return CKR_GENERAL_ERROR;
|
|
|
|
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
} else {
|
2003-06-27 15:26:17 +00:00
|
|
|
RSA *rsa;
|
|
|
|
unsigned char *rsa_out = NULL, pad;
|
|
|
|
int rsa_outlen = 0;
|
|
|
|
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
sc_log(context, "Trying to verify using low-level API");
|
|
|
|
switch (mech->mechanism) {
|
2003-06-27 15:26:17 +00:00
|
|
|
case CKM_RSA_PKCS:
|
2018-10-17 21:07:20 +00:00
|
|
|
case CKM_MD5_RSA_PKCS:
|
|
|
|
case CKM_RIPEMD160_RSA_PKCS:
|
2003-06-27 15:26:17 +00:00
|
|
|
pad = RSA_PKCS1_PADDING;
|
|
|
|
break;
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
case CKM_RSA_X_509:
|
|
|
|
pad = RSA_NO_PADDING;
|
|
|
|
break;
|
|
|
|
case CKM_RSA_PKCS_PSS:
|
|
|
|
case CKM_SHA1_RSA_PKCS_PSS:
|
|
|
|
case CKM_SHA224_RSA_PKCS_PSS:
|
|
|
|
case CKM_SHA256_RSA_PKCS_PSS:
|
|
|
|
case CKM_SHA384_RSA_PKCS_PSS:
|
|
|
|
case CKM_SHA512_RSA_PKCS_PSS:
|
|
|
|
pad = RSA_NO_PADDING;
|
|
|
|
break;
|
|
|
|
default:
|
2009-11-01 14:11:41 +00:00
|
|
|
EVP_PKEY_free(pkey);
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
return CKR_ARGUMENTS_BAD;
|
|
|
|
}
|
2003-06-27 15:26:17 +00:00
|
|
|
|
|
|
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
|
|
|
EVP_PKEY_free(pkey);
|
|
|
|
if (rsa == NULL)
|
|
|
|
return CKR_DEVICE_MEMORY;
|
|
|
|
|
2013-03-15 20:12:25 +00:00
|
|
|
rsa_out = calloc(1, RSA_size(rsa));
|
2003-06-27 15:26:17 +00:00
|
|
|
if (rsa_out == NULL) {
|
2009-11-01 14:11:41 +00:00
|
|
|
RSA_free(rsa);
|
2003-06-27 15:26:17 +00:00
|
|
|
return CKR_DEVICE_MEMORY;
|
|
|
|
}
|
2012-04-02 22:00:56 +00:00
|
|
|
|
2003-06-27 15:26:17 +00:00
|
|
|
rsa_outlen = RSA_public_decrypt(signat_len, signat, rsa_out, rsa, pad);
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
if (rsa_outlen <= 0) {
|
2018-09-27 14:13:13 +00:00
|
|
|
RSA_free(rsa);
|
2003-06-27 15:26:17 +00:00
|
|
|
free(rsa_out);
|
2012-05-12 22:27:38 +00:00
|
|
|
sc_log(context, "RSA_public_decrypt() returned %d\n", rsa_outlen);
|
2003-06-27 15:26:17 +00:00
|
|
|
return CKR_GENERAL_ERROR;
|
|
|
|
}
|
|
|
|
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
/* For PSS mechanisms we can not simply compare the "decrypted"
|
|
|
|
* data -- we need to verify the PSS padding is valid
|
|
|
|
*/
|
|
|
|
if (mech->mechanism == CKM_RSA_PKCS_PSS ||
|
|
|
|
mech->mechanism == CKM_SHA1_RSA_PKCS_PSS ||
|
|
|
|
mech->mechanism == CKM_SHA224_RSA_PKCS_PSS ||
|
|
|
|
mech->mechanism == CKM_SHA256_RSA_PKCS_PSS ||
|
|
|
|
mech->mechanism == CKM_SHA384_RSA_PKCS_PSS ||
|
|
|
|
mech->mechanism == CKM_SHA512_RSA_PKCS_PSS) {
|
|
|
|
CK_RSA_PKCS_PSS_PARAMS* param = NULL;
|
|
|
|
const EVP_MD *mgf_md, *pss_md;
|
|
|
|
unsigned char digest[EVP_MAX_MD_SIZE];
|
|
|
|
|
|
|
|
if (mech->pParameter == NULL) {
|
2018-09-27 14:13:13 +00:00
|
|
|
RSA_free(rsa);
|
|
|
|
free(rsa_out);
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
sc_log(context, "PSS mechanism requires parameter");
|
|
|
|
return CKR_MECHANISM_PARAM_INVALID;
|
|
|
|
}
|
|
|
|
|
|
|
|
param = (CK_RSA_PKCS_PSS_PARAMS*)mech->pParameter;
|
|
|
|
switch (param->mgf) {
|
|
|
|
case CKG_MGF1_SHA1:
|
|
|
|
mgf_md = EVP_sha1();
|
|
|
|
break;
|
|
|
|
case CKG_MGF1_SHA224:
|
|
|
|
mgf_md = EVP_sha224();
|
|
|
|
break;
|
|
|
|
case CKG_MGF1_SHA256:
|
|
|
|
mgf_md = EVP_sha256();
|
|
|
|
break;
|
|
|
|
case CKG_MGF1_SHA384:
|
|
|
|
mgf_md = EVP_sha384();
|
|
|
|
break;
|
|
|
|
case CKG_MGF1_SHA512:
|
|
|
|
mgf_md = EVP_sha512();
|
|
|
|
break;
|
|
|
|
default:
|
2018-09-27 14:13:13 +00:00
|
|
|
RSA_free(rsa);
|
|
|
|
free(rsa_out);
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
return CKR_MECHANISM_PARAM_INVALID;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (param->hashAlg) {
|
|
|
|
case CKM_SHA_1:
|
|
|
|
pss_md = EVP_sha1();
|
|
|
|
break;
|
|
|
|
case CKM_SHA224:
|
|
|
|
pss_md = EVP_sha224();
|
|
|
|
break;
|
|
|
|
case CKM_SHA256:
|
|
|
|
pss_md = EVP_sha256();
|
|
|
|
break;
|
|
|
|
case CKM_SHA384:
|
|
|
|
pss_md = EVP_sha384();
|
|
|
|
break;
|
|
|
|
case CKM_SHA512:
|
|
|
|
pss_md = EVP_sha512();
|
|
|
|
break;
|
|
|
|
default:
|
2018-09-27 14:13:13 +00:00
|
|
|
RSA_free(rsa);
|
|
|
|
free(rsa_out);
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
return CKR_MECHANISM_PARAM_INVALID;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* for the mechanisms with hash algorithm, the data
|
|
|
|
* is already added to the hash buffer, so we need
|
|
|
|
* to finish the hash operation here
|
|
|
|
*/
|
|
|
|
if (mech->mechanism != CKM_RSA_PKCS_PSS) {
|
|
|
|
EVP_MD_CTX *md_ctx = DIGEST_CTX(md);
|
|
|
|
unsigned char *tmp = digest;
|
|
|
|
unsigned int tmp_len;
|
|
|
|
|
2019-01-25 19:57:00 +00:00
|
|
|
if (!md_ctx || !EVP_DigestFinal(md_ctx, tmp, &tmp_len)) {
|
|
|
|
RSA_free(rsa);
|
|
|
|
free(rsa_out);
|
|
|
|
return CKR_GENERAL_ERROR;
|
|
|
|
}
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
data = tmp;
|
|
|
|
data_len = tmp_len;
|
|
|
|
}
|
|
|
|
rv = CKR_SIGNATURE_INVALID;
|
2018-10-31 12:10:12 +00:00
|
|
|
if (data_len == (unsigned int) EVP_MD_size(pss_md)
|
|
|
|
&& RSA_verify_PKCS1_PSS_mgf1(rsa, data, pss_md, mgf_md,
|
|
|
|
rsa_out, EVP_MD_size(pss_md)/*sLen*/) == 1)
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
rv = CKR_OK;
|
|
|
|
RSA_free(rsa);
|
2018-09-27 14:13:13 +00:00
|
|
|
free(rsa_out);
|
Add support for PSS padding to RSA signatures
A card driver may declare support for computing the padding on the card,
or else the padding will be applied locally in padding.c. All five
PKCS11 PSS mechanisms are supported, for signature and verification.
There are a few limits on what we choose to support, in particular I
don't see a need for arbitrary combinations of MGF hash, data hash, and
salt length, so I've restricted it (for the user's benefit) to the only
cases that really matter, where salt_len = hash_len and the same hash is
used for the MGF and data hashing.
------------------------------------------------------------------------
Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against
current OpenSC master, to actually work with existing PIV cards:
* extended of missing mechanisms (SHA224, possibility to select MGF1)
* compatibility with OpenSSL 1.1+
* Removed the ANSI padding
* Formatting cleanup, error checking
Based on the original work from
https://github.com/NWilson/OpenSC/commit/42f3199e66
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2015-08-25 11:45:27 +00:00
|
|
|
sc_log(context, "Returning %lu", rv);
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
RSA_free(rsa);
|
|
|
|
|
2018-10-31 12:10:12 +00:00
|
|
|
if ((unsigned int) rsa_outlen == data_len && memcmp(rsa_out, data, data_len) == 0)
|
2003-06-27 15:26:17 +00:00
|
|
|
rv = CKR_OK;
|
|
|
|
else
|
|
|
|
rv = CKR_SIGNATURE_INVALID;
|
|
|
|
|
|
|
|
free(rsa_out);
|
|
|
|
}
|
|
|
|
|
|
|
|
return rv;
|
|
|
|
}
|
2002-12-17 11:49:12 +00:00
|
|
|
#endif
|