From 521d420c4274cf4b6b97f80f8d56d38dee339ea4 Mon Sep 17 00:00:00 2001
From: Doug Engert
Date: Tue, 22 Dec 2020 11:14:11 -0600
Subject: [PATCH] pkcs11 ECDSA verify need rs converted to sequence
The --signature-format openssl in pkcs11-tool does the correct operation to convert the OpenSSL formated signature to rs for PKCS11
This commit modifies pkcs11/openssl.c to convert back to sequence for EVP_VerifyFinal
Without this mod the signature file was passed unmodified to PKCS11, then to EVP_VerifyFinal but this violates PKCS11 standard.
On branch ECDSA-flags
Changes to be committed:
modified: openssl.c
---
 src/pkcs11/openssl.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/pkcs11/openssl.c b/src/pkcs11/openssl.c
index e7d1fb4d..51d6e102 100644
--- a/src/pkcs11/openssl.c
+++ b/src/pkcs11/openssl.c
@@ -489,7 +489,22 @@ CK_RV sc_pkcs11_verify_data(const unsigned char *pubkey, unsigned int pubkey_len
 */
 sc_log(context, "Trying to verify using EVP");
 if (md_ctx) {
- res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
+
+ if (EVP_PKEY_get0_EC_KEY(pkey)) {
+ unsigned char *signat_tmp = NULL;
+ size_t signat_len_tmp;
+ int r;
+ r = sc_asn1_sig_value_rs_to_sequence(NULL, signat,
+ signat_len, &signat_tmp, &signat_len_tmp);
+ if (r == 0) {
+ res = EVP_VerifyFinal(md_ctx, signat_tmp, signat_len_tmp, pkey);
+ } else {
+ sc_log(context, "sc_asn1_sig_value_rs_to_sequence failed r:%d",r);
+ res = -1;
+ }
+ free(signat_tmp);
+ } else
+ res = EVP_VerifyFinal(md_ctx, signat, signat_len, pkey);
 } else {
 res = -1;
 }
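Review bot: `EVP_PKEY_get0_EC_KEY(pkey)` is used purely as a key-type test at the top of the new EC branch, but for a non-EC key it returns NULL only after pushing an EVP_R_EXPECTING_A_EC_KEY entry onto the OpenSSL error queue (at least in the 1.1.x implementation, and the accessor is deprecated in 3.0), so every RSA verify that reaches this path now leaves a stray error for a later ERR_get_error() caller to misattribute. A plain type comparison has no such side effect: `if (EVP_PKEY_base_id(pkey) == EVP_PKEY_EC) {`. Two smaller points in the same hunk: `signat_len_tmp` is a size_t passed to EVP_VerifyFinal's unsigned int siglen parameter with no explicit narrowing, and the `} else` without braces before the second EVP_VerifyFinal call is the shape that invites a goto-fail style slip, so brace it like the if-branch. sc_pkcs11_verify_data begins before and continues after this hunk, so whether the caller maps both the conversion failure (`res = -1`) and a failed verify to CKR_SIGNATURE_INVALID is not visible here.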