From 521d420c4274cf4b6b97f80f8d56d38dee339ea4 Mon Sep 17 00:00:00 2001
From: Doug Engert <deengert@gmail.com>
Date: Tue, 22 Dec 2020 11:14:11 -0600
Subject: [PATCH] pkcs11 ECDSA verify need rs converted to sequence

The --signature-format openssl in pkcs11-tool does the correct
operation to convert the OpenSSL formated signature to rs for PKCS11

This commit modifies pkcs11/openssl.c to convert back to sequence
for EVP_VerifyFinal

Without this mod the signature file was passed unmodified to
PKCS11, then to EVP_VerifyFinal but this violates PKCS11 standard.

 On branch ECDSA-flags
 Changes to be committed:
	modified:   openssl.c
---
 src/pkcs11/openssl.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/pkcs11/openssl.c b/src/pkcs11/openssl.c
index e7d1fb4d..51d6e102 100644
--- a/src/pkcs11/openssl.c
+++ b/src/pkcs11/openssl.c
@@ -489,7 +489,22 @@ CK_RV sc_pkcs11_verify_data(const unsigned char *pubkey, unsigned int pubkey_len
 		 */
 		sc_log(context, "Trying to verify using EVP");
 		if (md_ctx) {
-			res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
+
+			if (EVP_PKEY_get0_EC_KEY(pkey)) {
+				unsigned char *signat_tmp = NULL;
+				size_t signat_len_tmp;
+				int r;
+				r = sc_asn1_sig_value_rs_to_sequence(NULL, signat,
+						signat_len, &signat_tmp, &signat_len_tmp);
+				if (r == 0) {
+					res = EVP_VerifyFinal(md_ctx, signat_tmp, signat_len_tmp, pkey);
+				} else {
+					sc_log(context, "sc_asn1_sig_value_rs_to_sequence failed r:%d",r);
+					res = -1;
+				}
+				free(signat_tmp);
+			} else 
+				res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
 		} else {
 			res = -1;
 		}