From 8eb56730582f9f8d0d6f26fab1f17968035b7a94 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 8 Oct 2019 15:43:40 +0200 Subject: [PATCH 01/10] Check keyformat for RSA only inside if RSA key is to be imported --- src/libopensc/card-openpgp.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c index b8cdd452..16c557d5 100644 --- a/src/libopensc/card-openpgp.c +++ b/src/libopensc/card-openpgp.c @@ -3160,23 +3160,23 @@ pgp_store_key(sc_card_t *card, sc_cardctl_openpgp_keystore_info_t *key_info) LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS, "Invalid key ID; must be 1, 2, or 3"); - /* we just support standard key format */ - switch (key_info->u.rsa.keyformat) { - case SC_OPENPGP_KEYFORMAT_RSA_STD: - case SC_OPENPGP_KEYFORMAT_RSA_STDN: - break; - - case SC_OPENPGP_KEYFORMAT_RSA_CRT: - case SC_OPENPGP_KEYFORMAT_RSA_CRTN: - LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED); - - default: - LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); - } - /* set algorithm attributes */ /* RSA */ if (key_info->algorithm == SC_OPENPGP_KEYALGO_RSA){ + /* we just support standard key format */ + switch (key_info->u.rsa.keyformat) { + case SC_OPENPGP_KEYFORMAT_RSA_STD: + case SC_OPENPGP_KEYFORMAT_RSA_STDN: + break; + + case SC_OPENPGP_KEYFORMAT_RSA_CRT: + case SC_OPENPGP_KEYFORMAT_RSA_CRTN: + LOG_FUNC_RETURN(card->ctx, SC_ERROR_NOT_SUPPORTED); + + default: + LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); + } + /* we only support exponent of maximum 32 bits */ if (key_info->u.rsa.e_len > SC_OPENPGP_MAX_EXP_BITS) { sc_log(card->ctx, From ca5b3977d8a7bae2b8a964e3871c5c0f468646c0 Mon Sep 17 00:00:00 2001 
From: alex-nitrokey Date: Tue, 8 Oct 2019 17:11:00 +0200 Subject: [PATCH 02/10] Fix ecc oid handling while storing existing keys --- src/libopensc/card-openpgp.c | 2 ++ src/libopensc/cardctl.h | 2 ++ src/pkcs15init/pkcs15-openpgp.c | 11 +++++++++++ 3 files changed, 15 insertions(+) diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c index 16c557d5..54a62135 100644 --- a/src/libopensc/card-openpgp.c +++ b/src/libopensc/card-openpgp.c @@ -3207,6 +3207,8 @@ pgp_store_key(sc_card_t *card, sc_cardctl_openpgp_keystore_info_t *key_info) if (key_info->u.ec.ecpoint && key_info->u.ec.ecpoint_len){ pubkey.u.ec.ecpoint = key_info->u.ec.ecpoint; pubkey.u.ec.ecpoint_len = key_info->u.ec.ecpoint_len; + pubkey.u.ec.oid = key_info->u.ec.oid; + pubkey.u.ec.oid_len = key_info->u.ec.oid_len; } else LOG_FUNC_RETURN(card->ctx,SC_ERROR_INVALID_ARGUMENTS); diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h index ac196925..dedbc2df 100644 --- a/src/libopensc/cardctl.h +++ b/src/libopensc/cardctl.h @@ -995,6 +995,8 @@ typedef struct sc_cardctl_openpgp_keystore_info { size_t privateD_len; u8 *ecpoint; size_t ecpoint_len; + struct sc_object_id oid; + u8 oid_len; } ec; } u; time_t creationtime; diff --git a/src/pkcs15init/pkcs15-openpgp.c b/src/pkcs15init/pkcs15-openpgp.c index dfd4b8b8..5f301602 100644 --- a/src/pkcs15init/pkcs15-openpgp.c +++ b/src/pkcs15init/pkcs15-openpgp.c @@ -119,6 +119,7 @@ static int openpgp_store_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card, sc_pkcs15_prkey_info_t *kinfo = (sc_pkcs15_prkey_info_t *) obj->data; sc_cardctl_openpgp_keystore_info_t key_info; int r; + unsigned int i; LOG_FUNC_CALLED(card->ctx); 
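Review bot: The new `oid` and `oid_len` members added to the `ec` struct of `sc_cardctl_openpgp_keystore_info` in cardctl.h (patch 02) have no comment, and they are not used the way `struct sc_object_id` normally is. The pkcs15-openpgp.c hunk of this same patch stores the raw DER content bytes one per element and sets `oid_len` to the encoded byte count. I would document that at the declaration, e.g. `struct sc_object_id oid; /* DER-encoded OID bytes, one per element, -1 terminated */` and `u8 oid_len; /* number of encoded bytes in oid.value */`. The struct starts and ends outside the hunk.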
@@ -152,6 +153,16 @@ static int openpgp_store_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card, key_info.u.ec.privateD_len = key->u.ec.privateD.len; key_info.u.ec.ecpoint = key->u.ec.ecpointQ.value; key_info.u.ec.ecpoint_len = key->u.ec.ecpointQ.len; + /* extract oid the way we need to import it to OpenPGP Card */ + if (key->u.ec.params.der.len > 2) + key_info.u.ec.oid_len = key->u.ec.params.der.value[1]; + else + LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS); + + for (i=0; (i < key_info.u.ec.oid_len) && (i+2 < key->u.ec.params.der.len); i++){ + key_info.u.ec.oid.value[i] = key->u.ec.params.der.value[i+2]; + } + key_info.u.ec.oid.value[key_info.u.ec.oid_len] = -1; r = sc_card_ctl(card, SC_CARDCTL_OPENPGP_STORE_KEY, &key_info); break; default: From 606fae5a8ec45679ea87e07346cd7bee20ee5058 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Wed, 9 Oct 2019 15:02:36 +0200 Subject: [PATCH 03/10] Use ecpointQ for better code readability --- src/libopensc/card-openpgp.c | 10 +++++----- src/libopensc/cardctl.h | 4 ++-- src/pkcs15init/pkcs15-openpgp.c | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c index 54a62135..8b68e8b2 100644 --- a/src/libopensc/card-openpgp.c +++ b/src/libopensc/card-openpgp.c @@ -3056,8 +3056,8 @@ pgp_build_extended_header_list(sc_card_t *card, sc_cardctl_openpgp_keystore_info /* TODO ECC import with public key, if necessary as denoted in algorithm caps*/ /* validate */ - if ((key_info->u.ec.ecpoint == NULL || key_info->u.ec.ecpoint_len == 0)){ - sc_log(ctx, "Error: ecpoint required!"); + if ((key_info->u.ec.ecpointQ == NULL || key_info->u.ec.ecpointQ_len == 0)){ + sc_log(ctx, "Error: ecpointQ required!"); LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS); } 
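Review bot: In openpgp_store_key (patch 02, second pkcs15-openpgp.c hunk), `oid_len` is taken straight from the DER length byte `der.value[1]` and the copy loop is bounded only by `der.len`, so an encoded length of SC_MAX_OBJECT_ID_OCTETS or more writes past `key_info.u.ec.oid.value`, which lives in a local struct. The terminator store at index `oid_len` is not bounded either, and it lands beyond the copied bytes whenever the loop stops early on `der.len`. The parameters presumably come from the key file being imported, so the length should be checked against both the DER buffer and the array capacity before any write. Checking that `der.value[0]` is the OBJECT IDENTIFIER tag would also reject encodings where offset 1 is not an OID length. The enclosing function starts and ends outside the hunk.

```c
/* extract oid the way we need to import it to OpenPGP Card */
if (key->u.ec.params.der.len <= 2
		|| key->u.ec.params.der.value[0] != 0x06
		|| key->u.ec.params.der.value[1] >= SC_MAX_OBJECT_ID_OCTETS
		|| (size_t)key->u.ec.params.der.value[1] + 2 > key->u.ec.params.der.len)
	LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
key_info.u.ec.oid_len = key->u.ec.params.der.value[1];

for (i = 0; i < key_info.u.ec.oid_len; i++)
	key_info.u.ec.oid.value[i] = key->u.ec.params.der.value[i+2];
key_info.u.ec.oid.value[key_info.u.ec.oid_len] = -1;
/* … unchanged: sc_card_ctl(card, SC_CARDCTL_OPENPGP_STORE_KEY, &key_info) … */
```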
@@ -3204,9 +3204,9 @@ pgp_store_key(sc_card_t *card, sc_cardctl_openpgp_keystore_info_t *key_info) memset(&pubkey, 0, sizeof(pubkey)); pubkey.key_id = key_info->key_id; pubkey.algorithm = key_info->algorithm; - if (key_info->u.ec.ecpoint && key_info->u.ec.ecpoint_len){ - pubkey.u.ec.ecpoint = key_info->u.ec.ecpoint; - pubkey.u.ec.ecpoint_len = key_info->u.ec.ecpoint_len; + if (key_info->u.ec.ecpointQ && key_info->u.ec.ecpointQ_len){ + pubkey.u.ec.ecpoint = key_info->u.ec.ecpointQ; + pubkey.u.ec.ecpoint_len = key_info->u.ec.ecpointQ_len; pubkey.u.ec.oid = key_info->u.ec.oid; pubkey.u.ec.oid_len = key_info->u.ec.oid_len; } diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h index dedbc2df..9bce594b 100644 --- a/src/libopensc/cardctl.h +++ b/src/libopensc/cardctl.h @@ -993,8 +993,8 @@ typedef struct sc_cardctl_openpgp_keystore_info { struct { u8 *privateD; size_t privateD_len; - u8 *ecpoint; - size_t ecpoint_len; + u8 *ecpointQ; + size_t ecpointQ_len; struct sc_object_id oid; u8 oid_len; } ec; diff --git a/src/pkcs15init/pkcs15-openpgp.c b/src/pkcs15init/pkcs15-openpgp.c index 5f301602..3740e2bb 100644 --- a/src/pkcs15init/pkcs15-openpgp.c +++ b/src/pkcs15init/pkcs15-openpgp.c @@ -151,8 +151,8 @@ static int openpgp_store_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card, key_info.key_id = kinfo->id.value[0]; key_info.u.ec.privateD = key->u.ec.privateD.data; key_info.u.ec.privateD_len = key->u.ec.privateD.len; - key_info.u.ec.ecpoint = key->u.ec.ecpointQ.value; - key_info.u.ec.ecpoint_len = key->u.ec.ecpointQ.len; + key_info.u.ec.ecpointQ = key->u.ec.ecpointQ.value; + key_info.u.ec.ecpointQ_len = key->u.ec.ecpointQ.len; /* extract oid the way we need to import it to OpenPGP Card */ if (key->u.ec.params.der.len > 2) key_info.u.ec.oid_len = key->u.ec.params.der.value[1]; From c695a4e35f0c50f491a12e2627cfb124a9876c80 Mon Sep 17 00:00:00 2001 
From: alex-nitrokey Date: Wed, 9 Oct 2019 17:18:21 +0200 Subject: [PATCH 04/10] Add support for pubkey import if announced in algorithm attributes --- src/libopensc/card-openpgp.c | 24 +++++++++++++++++++++--- src/libopensc/cardctl.h | 7 ++++++- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c index 8b68e8b2..c6b5b7a6 100644 --- a/src/libopensc/card-openpgp.c +++ b/src/libopensc/card-openpgp.c @@ -719,10 +719,20 @@ pgp_parse_algo_attr_blob(const pgp_blob_t *blob, sc_cardctl_openpgp_keygen_info_ /* SC_OPENPGP_KEYALGO_ECDH || SC_OPENPGP_KEYALGO_ECDSA */ key_info->algorithm = blob->data[0]; + /* last byte is only set if pubkey import is supported, empty otherwise*/ + if (blob->data[blob->len] == SC_OPENPGP_KEYFORMAT_EC_STDPUB){ + key_info->u.ec.oid_len = blob->len - 2; + key_info->u.ec.keyformat = SC_OPENPGP_KEYFORMAT_EC_STDPUB; + } + else { + key_info->u.ec.oid_len = blob->len - 1; + key_info->u.ec.keyformat = SC_OPENPGP_KEYFORMAT_EC_STD; + } + sc_init_oid(&oid); /* Create copy of oid from blob */ - for (j=0; j < (blob->len-1); j++) { - oid.value[j] = blob->data[j+1]; /* ignore first byte of blob (algo ID) */ + for (j=0; j < key_info->u.ec.oid_len; j++) { + oid.value[j] = blob->data[j+1]; /* ignore first byte (algo ID) */ } /* compare with list of supported ec_curves */ @@ -733,6 +743,7 @@ pgp_parse_algo_attr_blob(const pgp_blob_t *blob, sc_cardctl_openpgp_keygen_info_ break; } } + break; default: return SC_ERROR_NOT_IMPLEMENTED; 
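Review bot: In the added keyformat test in pgp_parse_algo_attr_blob (patch 04, first card-openpgp.c hunk), `blob->data[blob->len]` indexes one byte past the end of the blob; the last byte is `blob->data[blob->len-1]`. `blob->len - 2` and `blob->len - 1` are also assigned to the u8 `oid_len` with no lower or upper bound, so a short blob wraps around and a long one lets the rewritten loop `oid.value[j] = blob->data[j+1]` run past `oid.value`. The blob is presumably card-supplied, so I would reject it before the test with `if (blob->len < 2 || blob->len - 1 > SC_MAX_OBJECT_ID_OCTETS) return SC_ERROR_INCORRECT_PARAMETERS;`. Patch 05 in this series corrects the index and adds the lower bounds, but `oid_len` itself is still not capped there. The function body starts and ends outside the hunk.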
@@ -3053,7 +3064,14 @@ pgp_build_extended_header_list(sc_card_t *card, sc_cardctl_openpgp_keystore_info componentnames[0] = "private key"; comp_to_add = 1; - /* TODO ECC import with public key, if necessary as denoted in algorithm caps*/ + /* import public key as well */ + if (key_info->u.ec.keyformat == SC_OPENPGP_KEYFORMAT_EC_STDPUB){ + components[1] = key_info->u.ec.ecpointQ; + componentlens[1] = key_info->u.ec.ecpointQ_len; + componenttags[1] = 0x99; + componentnames[1] = "public key"; + comp_to_add = 2; + } /* validate */ if ((key_info->u.ec.ecpointQ == NULL || key_info->u.ec.ecpointQ_len == 0)){ diff --git a/src/libopensc/cardctl.h b/src/libopensc/cardctl.h index 9bce594b..4b76391f 100644 --- a/src/libopensc/cardctl.h +++ b/src/libopensc/cardctl.h @@ -952,6 +952,9 @@ typedef struct sc_cardctl_piv_genkey_info_st { #define SC_OPENPGP_KEYFORMAT_RSA_CRT 2 #define SC_OPENPGP_KEYFORMAT_RSA_CRTN 3 +#define SC_OPENPGP_KEYFORMAT_EC_STD 0 +#define SC_OPENPGP_KEYFORMAT_EC_STDPUB 0xFF + #define SC_OPENPGP_MAX_EXP_BITS 0x20 /* maximum exponent length supported in bits */ typedef struct sc_cardctl_openpgp_keygen_info { @@ -959,13 +962,14 @@ typedef struct sc_cardctl_openpgp_keygen_info { u8 algorithm; /* SC_OPENPGP_KEYALGO_... */ union { struct { + u8 keyformat; /* SC_OPENPGP_KEYFORMAT_RSA_... */ u8 *modulus; /* New-generated pubkey info responded from the card */ size_t modulus_len; /* Length of modulus in bit */ u8 *exponent; size_t exponent_len; /* Length of exponent in bit */ - u8 keyformat; /* SC_OPENPGP_KEYFORMAT_RSA_... */ } rsa; struct { + u8 keyformat; /* SC_OPENPGP_KEYFORMAT_EC_... */ u8 *ecpoint; size_t ecpoint_len; struct sc_object_id oid; @@ -991,6 +995,7 @@ typedef struct sc_cardctl_openpgp_keystore_info { size_t n_len; } rsa; struct { + u8 keyformat; /* SC_OPENPGP_KEYFORMAT_EC_... */ u8 *privateD; size_t privateD_len; u8 *ecpointQ; From 0ba44cbec66ca2d47eac05c50aab0d3529e4ba24 Mon Sep 17 00:00:00 2001 
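Review bot: In pgp_build_extended_header_list (patch 04, card-openpgp.c hunk at -3053), the new public-key component is filled from `ecpointQ`/`ecpointQ_len` before the `/* validate */` block that checks them for NULL and zero length; moving the added block below the validation keeps the check-then-use order. Nothing in the visible hunks assigns `u.ec.keyformat` in `sc_cardctl_openpgp_keystore_info_t`: openpgp_store_key in pkcs15-openpgp.c is only seen setting `privateD`, `ecpointQ` and `oid`. Unless the struct is zeroed or filled from the card's algorithm attributes elsewhere, this branch depends on an unset byte, which is worth confirming. A comment at the field such as `u8 keyformat; /* SC_OPENPGP_KEYFORMAT_EC_...; set from the card's algorithm attributes before import */` would record who is responsible for it. The function body lies outside the hunk.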
From: alex-nitrokey Date: Thu, 19 Mar 2020 13:31:31 +0100 Subject: [PATCH 05/10] Add length checking --- src/libopensc/card-openpgp.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c index d044a225..0b0aa945 100644 --- a/src/libopensc/card-openpgp.c +++ b/src/libopensc/card-openpgp.c @@ -606,17 +606,23 @@ pgp_parse_algo_attr_blob(const pgp_blob_t *blob, sc_cardctl_openpgp_keygen_info_ key_info->algorithm = blob->data[0]; /* last byte is only set if pubkey import is supported, empty otherwise*/ - if (blob->data[blob->len] == SC_OPENPGP_KEYFORMAT_EC_STDPUB){ + if (blob->data[blob->len-1] == SC_OPENPGP_KEYFORMAT_EC_STDPUB){ + if (blob->len < 3) + return SC_ERROR_INCORRECT_PARAMETERS; key_info->u.ec.oid_len = blob->len - 2; key_info->u.ec.keyformat = SC_OPENPGP_KEYFORMAT_EC_STDPUB; } else { + if (blob->len < 2) + return SC_ERROR_INCORRECT_PARAMETERS; key_info->u.ec.oid_len = blob->len - 1; key_info->u.ec.keyformat = SC_OPENPGP_KEYFORMAT_EC_STD; } - sc_init_oid(&oid); /* Create copy of oid from blob */ + if (blob->len < 2) + return SC_ERROR_INCORRECT_PARAMETERS; + sc_init_oid(&oid); for (j=0; j < (blob->len-1) && j < SC_MAX_OBJECT_ID_OCTETS; j++) { oid.value[j] = blob->data[j+1]; /* ignore first byte of blob (algo ID) */ } From 1e7e6e11a482f5b2c5fcbab38376e4453578f4b0 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 19 Mar 2020 13:33:12 +0100 Subject: [PATCH 06/10] Add key import of ecc key to openpgp Travis tests --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index 23d5c7e3..c85c93b8 100644 --- a/.travis.yml +++ b/.travis.yml 
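Review bot: The copy loop kept as context below the new checks in pgp_parse_algo_attr_blob (patch 05) still iterates to `blob->len-1` rather than to the `oid_len` computed just above. For a card that announces SC_OPENPGP_KEYFORMAT_EC_STDPUB, the trailing format byte is therefore copied into `oid` as if it belonged to the OID, and the comparison against `ec_curves` will presumably never match. The bound should be `j < key_info->u.ec.oid_len && j < SC_MAX_OBJECT_ID_OCTETS`. The third added `if (blob->len < 2)` is unreachable, because both branches above already return for that length, so it can be dropped. The function starts and ends outside the hunk.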
@@ -248,6 +248,8 @@ script: opensc-tool -n; openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2; pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048; + openssl ecparam -genkey -name "brainpoolP384r1" -out myec.key.pem; + pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myec.key.pem --auth-id 3 --verify-pin --id 3; pkcs11-tool -l -t -p 123456; killall java; From b2d082f4aac4110e6ba1a3fdd156955d5150b8d9 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 19 Mar 2020 14:51:18 +0100 Subject: [PATCH 07/10] Use curve that is supported by trusty OpenSSL package --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c85c93b8..1c55dc3a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -248,7 +248,7 @@ script: opensc-tool -n; openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2; pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048; - openssl ecparam -genkey -name "brainpoolP384r1" -out myec.key.pem; + openssl ecparam -genkey -name "secp384r1" -out myec.key.pem; pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myec.key.pem --auth-id 3 --verify-pin --id 3; pkcs11-tool -l -t -p 123456; killall java; From f4d28a18b96d39926e11ae75e0a2f2e47789f190 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Thu, 19 Mar 2020 15:21:55 +0100 Subject: [PATCH 08/10] Add pin to command --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 1c55dc3a..b1000d99 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -249,7 +249,7 @@ script: openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2; pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048; openssl ecparam -genkey -name "secp384r1" -out myec.key.pem; - pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myec.key.pem --auth-id 3 --verify-pin --id 3; + pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 3 --store-private-key myec.key.pem; pkcs11-tool -l -t -p 123456; killall java; From 396aabcb7b578b6b7fcacd21f8f22af1c012fac6 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 24 Mar 2020 12:07:29 +0100 Subject: [PATCH 09/10] ykneo-openpgp does not support ecc keys yet --- .travis.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index b1000d99..23d5c7e3 100644 --- a/.travis.yml +++ b/.travis.yml @@ -248,8 +248,6 @@ script: opensc-tool -n; openpgp-tool --verify CHV3 --pin 12345678 --gen-key 2; pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 2 --generate-key rsa/2048; - openssl ecparam -genkey -name "secp384r1" -out myec.key.pem; - pkcs15-init --verify --auth-id 3 --pin 12345678 --delete-objects privkey,pubkey --id 3 --store-private-key myec.key.pem; pkcs11-tool -l -t -p 123456; killall java; From 7ba89620bf8c4757b5f6bec2921e7eac7991ccf1 Mon Sep 17 00:00:00 2001 From: alex-nitrokey Date: Tue, 24 Mar 2020 12:09:06 +0100 Subject: [PATCH 10/10] refactoring: get rid of oid_binary in ec_tables --- src/libopensc/card-openpgp.c | 48 ++++++++++++++---------------------- src/libopensc/card-openpgp.h | 1 - 2 files changed, 19 insertions(+), 30 deletions(-) diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c index 0b0aa945..e830677c 100644 --- a/src/libopensc/card-openpgp.c +++ b/src/libopensc/card-openpgp.c 
@@ -88,31 +88,21 @@ static struct sc_card_driver pgp_drv = { static pgp_ec_curves_t ec_curves[] = { - {{{1, 2, 840, 10045, 3, 1, 7, -1}}, 256, - {{0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, -1}}}, /* ansiX9p256r1 */ - {{{1, 3, 132, 0, 34, -1}}, 384, - {{0x2b, 0x81, 0x04, 0x00, 0x22, -1}}}, /* ansiX9p384r1 */ - {{{1, 3, 132, 0, 35, -1}}, 521, - {{0x2b, 0x81, 0x04, 0x00, 0x23, -1}}}, /* ansiX9p521r1 */ - {{{1, 3, 36, 3, 3, 2, 8, 1, 1, 7, -1}}, 256, - {{0x2b, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07, -1}}}, /* brainpoolP256r1 */ - {{{1, 3, 36, 3, 3, 2, 8, 1, 1, 11, -1}}, 384, - {{0x2b, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0b, -1}}}, /* brainpoolP384r1 */ - {{{1, 3, 36, 3, 3, 2, 8, 1, 1, 13, -1}}, 512, - {{0x2b, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0d, -1}}}, /* brainpoolP512r1 */ - {{{-1}}, 0, {{0x0}}} /* This entry must not be touched. */ + {{{1, 2, 840, 10045, 3, 1, 7, -1}}, 256}, /* ansiX9p256r1 */ + {{{1, 3, 132, 0, 34, -1}}, 384}, /* ansiX9p384r1 */ + {{{1, 3, 132, 0, 35, -1}}, 521}, /* ansiX9p521r1 */ + {{{1, 3, 36, 3, 3, 2, 8, 1, 1, 7, -1}}, 256}, /* brainpoolP256r1 */ + {{{1, 3, 36, 3, 3, 2, 8, 1, 1, 11, -1}}, 384}, /* brainpoolP384r1 */ + {{{1, 3, 36, 3, 3, 2, 8, 1, 1, 13, -1}}, 512}, /* brainpoolP512r1 */ + {{{-1}}, 0} /* This entry must not be touched. */ }; static pgp_ec_curves_t ec_curves_gnuk[] = { - {{{1, 2, 840, 10045, 3, 1, 7, -1}}, 256, - {{0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, -1}}}, /* ansiX9p256r1 */ - {{{1, 3, 132, 0, 10, -1}}, 256, - {{0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A, -1}}}, /* secp256k1 */ - /*{{{1, 3, 6, 1, 4, 1, 3029, 1, 5, 1, -1}}, 256, - {{0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01, -1}}}, //cv25519 - {{{1, 3, 6, 1, 4, 1, 11591, 15, 1, -1}}, 256, - {{0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01, -1}}}, // ed25519 */ - {{{-1}}, 0, {{0x0}}} /* This entry must not be touched. 
*/ + {{{1, 2, 840, 10045, 3, 1, 7, -1}}, 256}, /* ansiX9p256r1 */ + {{{1, 3, 132, 0, 10, -1}}, 256}, /* secp256k1 */ + /*{{{1, 3, 6, 1, 4, 1, 3029, 1, 5, 1, -1}}, 256}, //cv25519 + {{{1, 3, 6, 1, 4, 1, 11591, 15, 1, -1}}, 256}, // ed25519 */ + {{{-1}}, 0} /* This entry must not be touched. */ }; @@ -578,7 +568,7 @@ static int pgp_parse_algo_attr_blob(const pgp_blob_t *blob, sc_cardctl_openpgp_keygen_info_t *key_info) { struct sc_object_id oid; - unsigned int j; + unsigned int j, r; if (blob == NULL || blob->data == NULL || blob->len == 0 || blob->id < 0x00c1 || blob->id > 0x00c3 || key_info == NULL) @@ -620,16 +610,16 @@ pgp_parse_algo_attr_blob(const pgp_blob_t *blob, sc_cardctl_openpgp_keygen_info_ } /* Create copy of oid from blob */ - if (blob->len < 2) - return SC_ERROR_INCORRECT_PARAMETERS; sc_init_oid(&oid); - for (j=0; j < (blob->len-1) && j < SC_MAX_OBJECT_ID_OCTETS; j++) { - oid.value[j] = blob->data[j+1]; /* ignore first byte of blob (algo ID) */ - } + r = sc_asn1_decode_object_id(&blob->data[1], key_info->u.ec.oid_len, &oid); + /* decoding failed, return sc_asn1_decode_object_id error code */ + if (r > 0){ + return r; + } /* compare with list of supported ec_curves */ for (j=0; ec_curves[j].oid.value[0] >= 0; j++){ - if (sc_compare_oid(&ec_curves[j].oid_binary, &oid)){ + if (sc_compare_oid(&ec_curves[j].oid, &oid)){ key_info->u.ec.oid = ec_curves[j].oid; key_info->u.ec.key_length = ec_curves[j].size; break; diff --git a/src/libopensc/card-openpgp.h b/src/libopensc/card-openpgp.h index 9f3dea11..00c2f90a 100644 --- a/src/libopensc/card-openpgp.h +++ b/src/libopensc/card-openpgp.h @@ -163,7 +163,6 @@ typedef struct pgp_blob { typedef struct _pgp_ec_curves { struct sc_object_id oid; size_t size; - struct sc_object_id oid_binary; } pgp_ec_curves_t;
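Review bot: In pgp_parse_algo_attr_blob (patch 10, hunks at -578 and -620), `r` is declared `unsigned int` but receives the return value of `sc_asn1_decode_object_id`, and the failure test is `r > 0`. OpenSC error codes are negative ints, so the test only fires because the negative value wraps to a large unsigned number and is converted back by `return r;`. Declaring `int r;` and testing `if (r < 0) return r;` states the intent directly and does not rely on the conversion. The comment above the test could then read `/* decoding failed, propagate the SC_ERROR_* code */`. The function body continues outside both hunks.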