diff --git a/.travis.yml b/.travis.yml
index 0c8647d2..fe0cf804 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -323,6 +323,7 @@ script:
 ./OsEID-tool EC-CREATE-KEYS;
 ./OsEID-tool EC-UPLOAD-KEYS;
 ./OsEID-tool EC-SIGN-TEST;
+ ./OsEID-tool EC-SIGN-PKCS11-TEST;
 ./OsEID-tool EC-ECDH-TEST;
 kill -9 $PID;
diff --git a/src/libopensc/card-myeid.c b/src/libopensc/card-myeid.c
index 70e47adc..cdec99cc 100644
--- a/src/libopensc/card-myeid.c
+++ b/src/libopensc/card-myeid.c
@@ -246,6 +246,8 @@ static int myeid_init(struct sc_card *card)
 flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ONBOARD_KEY_GEN;
 flags |= SC_ALGORITHM_ECDSA_HASH_NONE | SC_ALGORITHM_ECDSA_HASH_SHA1;
+ flags |= SC_ALGORITHM_ECDSA_HASH_SHA224 | SC_ALGORITHM_ECDSA_HASH_SHA256;
+ flags |= SC_ALGORITHM_ECDSA_HASH_SHA384 | SC_ALGORITHM_ECDSA_HASH_SHA512;
 ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
 for (i=0; ec_curves[i].curve_name != NULL; i++) {
diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
index ae33d5ee..397e9296 100644
--- a/src/libopensc/pkcs15-sec.c
+++ b/src/libopensc/pkcs15-sec.c
@@ -697,7 +697,7 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
 * truncation is done by the token. */
 else if (senv.algorithm == SC_ALGORITHM_EC &&
- (flags & SC_ALGORITHM_ECDSA_HASH_NONE) != 0) {
+ (flags & SC_ALGORITHM_ECDSA_HASHES)) {
 inlen = MIN(inlen, (prkey->field_length+7)/8);
 }
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 2fcfa617..7fdc888d 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
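Review bot: The two added `flags |=` lines in myeid_init advertise SHA-224 through SHA-512 for every curve the loop below registers, with nothing in the hunk saying that the card itself never sees these hashes; a reader of card-myeid.c alone will assume the card computes or verifies them. The register_ec_mechanisms comment added in this same commit states that hashing is always done in OpenSSL, so these bits only enable host-side CKM_ECDSA_SHA* wrappers and the card receives a digest that sc_pkcs15_compute_signature truncates to the field length. Suggest a comment above the first added line: `/* SHA-2 digests are computed by the PKCS#11 layer (see register_ec_mechanisms); the card only ever receives the (truncated) digest, so no card-side hash support is implied. */`. Whether myeid_compute_signature accepts a 64-byte SHA-512 digest for a key whose field is shorter than that is not visible here and should be confirmed. myeid_init continues outside the hunk.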
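Review bot: Replacing `SC_ALGORITHM_ECDSA_HASH_NONE` with `SC_ALGORITHM_ECDSA_HASHES` in the truncation condition of sc_pkcs15_compute_signature drops the raw case unless SC_ALGORITHM_ECDSA_HASHES itself contains the HASH_NONE bit, which the hunk does not show; if it does not, a CKM_ECDSA caller that supplies a digest longer than the field (pkcs15_prkey_sign presumably maps CKM_ECDSA to HASH_NONE) now has its input passed to the card untruncated, while the comment immediately above still promises that truncation is done by the token. PKCS#11 defines CKM_ECDSA as signing the leftmost order-length bits of an over-long input, so the raw path needs the truncation as much as the hashed ones. Either confirm the macro covers HASH_NONE or widen the test to `(flags & (SC_ALGORITHM_ECDSA_HASH_NONE | SC_ALGORITHM_ECDSA_HASHES))) {`. The enclosing function starts and ends outside the hunk.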
@@ -4119,6 +4119,18 @@ pkcs15_prkey_sign(struct sc_pkcs11_session *session, void *obj,
 case CKM_ECDSA_SHA1:
 flags = SC_ALGORITHM_ECDSA_HASH_SHA1;
 break;
+ case CKM_ECDSA_SHA224:
+ flags = SC_ALGORITHM_ECDSA_HASH_SHA224;
+ break;
+ case CKM_ECDSA_SHA256:
+ flags = SC_ALGORITHM_ECDSA_HASH_SHA256;
+ break;
+ case CKM_ECDSA_SHA384:
+ flags = SC_ALGORITHM_ECDSA_HASH_SHA384;
+ break;
+ case CKM_ECDSA_SHA512:
+ flags = SC_ALGORITHM_ECDSA_HASH_SHA512;
+ break;
 default:
 sc_log(context, "DEE - need EC for %lu", pMechanism->mechanism);
 return CKR_MECHANISM_INVALID;
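Review bot: The four new `case CKM_ECDSA_SHA*` arms assign only a hash flag and carry no comment on where the data for these mechanisms comes from, which matters because nothing in this switch hashes anything. Since the same commit registers these mechanisms through sc_pkcs11_register_sign_and_hash_mechanism, the buffer reaching pkcs15_prkey_sign here is presumably the digest already computed by the sign-and-hash wrapper, and the flag only tells sc_pkcs15_compute_signature which digest it holds (and so what length to truncate to for a shorter curve). Suggest one comment above `case CKM_ECDSA_SHA224:`: `/* CKM_ECDSA_SHA*: the digest was already computed by the sign-and-hash wrapper; the flag names it for the pkcs15 layer */`. pkcs15_prkey_sign starts and ends outside the hunk.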
@@ -5642,26 +5654,45 @@ static CK_RV register_ec_mechanisms(struct sc_pkcs11_card *p11card, int flags,
 mech_info.ulMinKeySize = min_key_size;
 mech_info.ulMaxKeySize = max_key_size;
- if(flags & SC_ALGORITHM_ECDSA_HASH_NONE) {
+ if (flags & SC_ALGORITHM_ECDSA_RAW) {
 mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA, &mech_info, CKK_EC, NULL, NULL);
 if (!mt)
 return CKR_HOST_MEMORY;
 rc = sc_pkcs11_register_mechanism(p11card, mt);
 if (rc != CKR_OK)
 return rc;
- }
 #ifdef ENABLE_OPENSSL
- if(flags & SC_ALGORITHM_ECDSA_HASH_SHA1) {
- mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA_SHA1, &mech_info, CKK_EC, NULL, NULL);
- if (!mt)
- return CKR_HOST_MEMORY;
- rc = sc_pkcs11_register_mechanism(p11card, mt);
- if (rc != CKR_OK)
- return rc;
- }
+ /* Hashing is always done in openssl, if the card driver requests hashes, we enable them here. */
+
+ if (flags & SC_ALGORITHM_ECDSA_HASH_SHA1) {
+ rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA1, CKM_SHA_1, mt);
+ if (rc != CKR_OK)
+ return rc;
+ }
+ if (flags & SC_ALGORITHM_ECDSA_HASH_SHA224) {
+ rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA224, CKM_SHA224, mt);
+ if (rc != CKR_OK)
+ return rc;
+ }
+ if (flags & SC_ALGORITHM_ECDSA_HASH_SHA256) {
+ rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA256, CKM_SHA256, mt);
+ if (rc != CKR_OK)
+ return rc;
+ }
+ if (flags & SC_ALGORITHM_ECDSA_HASH_SHA384) {
+ rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA384, CKM_SHA384, mt);
+ if (rc != CKR_OK)
+ return rc;
+ }
+ if (flags & SC_ALGORITHM_ECDSA_HASH_SHA512) {
+ rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA512, CKM_SHA512, mt);
+ if (rc != CKR_OK)
+ return rc;
+ }
 #endif
+ }
 /* ADD ECDH mechanisms */
 /* The PIV uses curves where CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE produce the same results */
 if(flags & SC_ALGORITHM_ECDH_CDH_RAW) {
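Review bot: The five `if (flags & SC_ALGORITHM_ECDSA_HASH_SHA*)` blocks inside the new `if (flags & SC_ALGORITHM_ECDSA_RAW)` scope are identical except for three identifiers, so a table and one loop says the same thing in a third of the lines and makes the flag/mechanism/digest pairing reviewable at a glance. Two behaviours of the new shape deserve a comment on the `if (flags & SC_ALGORITHM_ECDSA_RAW)` line, because neither is stated: hashed mechanisms are now registered only when the card also advertises ECDSA_RAW (a driver that sets HASH_SHA1 alone silently loses CKM_ECDSA_SHA1, which follows from sc_pkcs11_register_sign_and_hash_mechanism needing `mt`), and a CKR_* failure from that helper for any one digest returns before the ECDH mechanisms below are registered — whether a missing CKM_SHA224/CKM_SHA384 digest mechanism in a given OpenSSL build produces such a failure is not visible here and should be checked. That `mt` remains valid after `sc_pkcs11_register_mechanism(p11card, mt)` is assumed from the existing RSA code path and not shown in the hunk. register_ec_mechanisms continues outside the hunk.
```c
	if (flags & SC_ALGORITHM_ECDSA_RAW) {
		// … unchanged: CKM_ECDSA mechanism created in mt, NULL-checked and registered …
#ifdef ENABLE_OPENSSL
		/* Hashing is always done in openssl, if the card driver requests hashes, we enable them here.
		 * Each entry pairs the driver's hash flag with the PKCS#11 sign-and-hash mechanism and the
		 * digest mechanism the wrapper uses; mt (raw CKM_ECDSA) is the underlying signer. */
		static const struct {
			int flag;
			CK_MECHANISM_TYPE sign_mech;
			CK_MECHANISM_TYPE hash_mech;
		} ecdsa_hashes[] = {
			{ SC_ALGORITHM_ECDSA_HASH_SHA1,   CKM_ECDSA_SHA1,   CKM_SHA_1  },
			{ SC_ALGORITHM_ECDSA_HASH_SHA224, CKM_ECDSA_SHA224, CKM_SHA224 },
			{ SC_ALGORITHM_ECDSA_HASH_SHA256, CKM_ECDSA_SHA256, CKM_SHA256 },
			{ SC_ALGORITHM_ECDSA_HASH_SHA384, CKM_ECDSA_SHA384, CKM_SHA384 },
			{ SC_ALGORITHM_ECDSA_HASH_SHA512, CKM_ECDSA_SHA512, CKM_SHA512 },
		};
		for (size_t i = 0; i < sizeof ecdsa_hashes / sizeof ecdsa_hashes[0]; i++) {
			if (!(flags & ecdsa_hashes[i].flag))
				continue;
			rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card,
					ecdsa_hashes[i].sign_mech, ecdsa_hashes[i].hash_mech, mt);
			if (rc != CKR_OK)
				return rc;
		}
#endif
	}
```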