pkcs11 ECDSA verify need rs converted to sequence
The --signature-format openssl option in pkcs11-tool does the correct operation: it converts the OpenSSL-formatted signature to rs for PKCS11. This commit modifies pkcs11/openssl.c to convert back to a sequence for EVP_VerifyFinal. Without this change the signature file was passed unmodified to PKCS11 and then to EVP_VerifyFinal, but this violates the PKCS11 standard. On branch ECDSA-flags Changes to be committed: modified: openssl.c
This commit is contained in:
parent
285db1ef29
commit
521d420c42
|
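--- a/pkcs11/openssl.c
+++ b/pkcs11/openssl.c
@@ -489,7 +489,22 @@ CK_RV sc_pkcs11_verify_data(const unsigned char *pubkey, unsigned int pubkey_len
 	 */
 	sc_log(context, "Trying to verify using EVP");
 	if (md_ctx) {
-		res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
+
+		if (EVP_PKEY_get0_EC_KEY(pkey)) {
+			unsigned char *signat_tmp = NULL;
+			size_t signat_len_tmp;
+			int r;
+			r = sc_asn1_sig_value_rs_to_sequence(NULL, signat,
+					signat_len, &signat_tmp, &signat_len_tmp);
+			if (r == 0) {
+				res = EVP_VerifyFinal(md_ctx, signat_tmp, signat_len_tmp, pkey);
+			} else {
+				sc_log(context, "sc_asn1_sig_value_rs_to_sequence failed r:%d",r);
+				res = -1;
+			}
+			free(signat_tmp);
+		} else
+			res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
 	} else {
 		res = -1;
 	}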
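Review bot: `signat_len_tmp` is declared `size_t`, but the `siglen` parameter of `EVP_VerifyFinal` is `unsigned int`, so the call inside the `r == 0` branch narrows implicitly; a DER-encoded ECDSA signature is nowhere near that limit, but the conversion should be explicit, `res = EVP_VerifyFinal(md_ctx, signat_tmp, (unsigned int)signat_len_tmp, pkey);`. The `} else` that falls back to verifying the raw signature is the only unbraced branch in the hunk; `} else {` … `}` keeps the shape uniform. Because the conversion runs on the caller-supplied signature bytes, a non-zero `r` is presumably an expected invalid-input outcome rather than an internal error, and a comment above the call such as `/* C_Verify receives r||s for ECDSA; EVP_VerifyFinal expects the DER SEQUENCE, so convert before verifying */` would make the reason for the round-trip clear to the next reader. `EVP_PKEY_get0_EC_KEY` looks like it relies on the project's OpenSSL compatibility layer for pre-1.1 builds — worth confirming before merge. The body of sc_pkcs11_verify_data continues outside the hunk on both sides.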