pkcs11 ECDSA verify need rs converted to sequence

The --signature-format openssl option in pkcs11-tool does the correct
operation to convert the OpenSSL-formatted signature to r||s for PKCS#11

This commit modifies pkcs11/openssl.c to convert back to sequence
for EVP_VerifyFinal

Without this mod the signature file was passed unmodified to
PKCS11, then to EVP_VerifyFinal but this violates PKCS11 standard.

 On branch ECDSA-flags
 Changes to be committed:
	modified:   openssl.c
Doug Engert 2020-12-22 11:14:11 -06:00 committed by Frank Morgner
parent 285db1ef29
commit 521d420c42
1 changed files with 16 additions and 1 deletions


@ -489,7 +489,22 @@ CK_RV sc_pkcs11_verify_data(const unsigned char *pubkey, unsigned int pubkey_len
*/
sc_log(context, "Trying to verify using EVP");
if (md_ctx) {
res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
if (EVP_PKEY_get0_EC_KEY(pkey)) {
unsigned char *signat_tmp = NULL;
size_t signat_len_tmp;
int r;
r = sc_asn1_sig_value_rs_to_sequence(NULL, signat,
signat_len, &signat_tmp, &signat_len_tmp);
if (r == 0) {
res = EVP_VerifyFinal(md_ctx, signat_tmp, signat_len_tmp, pkey);
} else {
sc_log(context, "sc_asn1_sig_value_rs_to_sequence failed r:%d",r);
res = -1;
}
free(signat_tmp);
} else
res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
} else {
res = -1;
}
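Review bot: The new EC branch carries no comment explaining why the signature is re-encoded before verification, and its closing `else` is left unbraced while the matching `if` branch is braced. Suggest `/* PKCS#11 hands ECDSA signatures over as raw r||s; EVP_VerifyFinal expects the DER SEQUENCE encoding */` above the `EVP_PKEY_get0_EC_KEY(pkey)` check, and `} else {` / `res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);` / `}` for the fallback so both arms read the same way. `signat_len_tmp` is a `size_t` passed where EVP_VerifyFinal takes an `unsigned int` length; the narrowing is presumably harmless at signature sizes, but an explicit cast makes the intent visible and silences -Wconversion. The conversion is called with a NULL context, so if sc_asn1_sig_value_rs_to_sequence logs through it, those diagnostics are lost; passing `context` as the rest of this function does would keep them together. The enclosing sc_pkcs11_verify_data starts before this hunk.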