openpgp: Set reasonable usage for (X)EdDSA keys
This commit is contained in:
parent
e7d390f9dd
commit
32ec1f92b9
|
@ -2194,7 +2194,7 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
|
|||
default:
|
||||
/* From PKCS #11 point of view, we should be able to use
|
||||
* curve25519 to do digital signature, but it is not how it
|
||||
* is used in OpenGPG so we will not allow it here */
|
||||
* is used in OpenPGP so we will not allow it here */
|
||||
LOG_TEST_RET(card->ctx, SC_ERROR_INVALID_ARGUMENTS,
|
||||
"invalid key reference");
|
||||
}
|
||||
|
|
|
@ -309,6 +309,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
|
|||
/* TODO Store the OID from cxdata + 1 ?? */
|
||||
/* assuming Ed25519 as it is the only supported now */
|
||||
prkey_info.field_length = 255;
|
||||
/* Filter out invalid usage: ED does not support anything but sign */
|
||||
prkey_info.usage &= PGP_SIG_PRKEY_USAGE;
|
||||
r = sc_pkcs15emu_add_eddsa_prkey(p15card, &prkey_obj, &prkey_info);
|
||||
break;
|
||||
case SC_OPENPGP_KEYALGO_ECDH:
|
||||
|
@ -320,6 +322,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
|
|||
oid.value[k] = cxdata[k+1]; /* ignore first byte of blob (algo ID) */
|
||||
}
|
||||
if (sc_compare_oid(&oid, &curve25519_binary_oid)) {
|
||||
/* This can do only DERIVE */
|
||||
prkey_info.usage = SC_PKCS15_PRKEY_USAGE_DERIVE;
|
||||
prkey_info.field_length = 255;
|
||||
r = sc_pkcs15emu_add_xeddsa_prkey(p15card, &prkey_obj, &prkey_info);
|
||||
break;
|
||||
|
@ -327,6 +331,9 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
|
|||
/* fall through */
|
||||
case SC_OPENPGP_KEYALGO_ECDSA:
|
||||
/* TODO Store the OID from cxdata + 1 ?? */
|
||||
/* EC keys can do derive, but not really encrypt */
|
||||
prkey_info.usage |= SC_PKCS15_PRKEY_USAGE_DERIVE;
|
||||
prkey_info.usage &= ~PGP_ENC_PRKEY_USAGE;
|
||||
r = sc_pkcs15emu_add_ec_prkey(p15card, &prkey_obj, &prkey_info);
|
||||
break;
|
||||
case SC_OPENPGP_KEYALGO_RSA:
|
||||
|
@ -388,6 +395,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
|
|||
/* TODO Store the OID from cxdata + 1 ?? */
|
||||
/* assuming Ed25519 as it is the only supported now */
|
||||
pubkey_info.field_length = 255;
|
||||
/* Filter out invalid usage: ED does not support anything but sign */
|
||||
pubkey_info.usage &= PGP_SIG_PUBKEY_USAGE;
|
||||
r = sc_pkcs15emu_add_eddsa_pubkey(p15card, &pubkey_obj, &pubkey_info);
|
||||
break;
|
||||
case SC_OPENPGP_KEYALGO_ECDH:
|
||||
|
@ -399,6 +408,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
|
|||
oid.value[k] = cxdata[k+1]; /* ignore first byte of blob (algo ID) */
|
||||
}
|
||||
if (sc_compare_oid(&oid, &curve25519_binary_oid)) {
|
||||
/* XXX What can this key do? */
|
||||
pubkey_info.usage = 0;
|
||||
pubkey_info.field_length = 255;
|
||||
r = sc_pkcs15emu_add_xeddsa_pubkey(p15card, &pubkey_obj, &pubkey_info);
|
||||
break;
|
||||
|
@ -406,6 +417,8 @@ sc_pkcs15emu_openpgp_init(sc_pkcs15_card_t *p15card)
|
|||
/* fall through */
|
||||
case SC_OPENPGP_KEYALGO_ECDSA:
|
||||
/* TODO Store the OID from cxdata + 1 ?? */
|
||||
/* EC keys can not do encrypt */
|
||||
pubkey_info.usage &= ~PGP_ENC_PUBKEY_USAGE;
|
||||
r = sc_pkcs15emu_add_ec_pubkey(p15card, &pubkey_obj, &pubkey_info);
|
||||
break;
|
||||
case SC_OPENPGP_KEYALGO_RSA:
|
||||
|
|
Loading…
Reference in New Issue