giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

ECDSA-SHA1: Apply SHA1 to input data before PSO compute signature. 

CKM_ECDSA and CKM_ECDSA_SHA1 cannot be registered in the same way.
We need to use sc_pkcs11_register_sign_and_hash_mechanism ()
for CKM_ECDSA_SHA1.

This fix  also enables more ECDSA-SHAxxx mechanisms in framework-pkcs15.c

Tested: MyEID 4.0.1 (secp256r1 with SHA1, SHA224, SHA256, SHA384, SHA512)

CI tests (Travis + OsEID) for ECDSA-SHAxxx mechanisms are also enabled.
This commit is contained in:
Peter Popovec 2020-12-10 08:45:43 +01:00 committed by Frank Morgner
parent 5f16ffae84
commit 6049cb926c
4 changed files with 45 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.travis.yml
View File

@ -323,6 +323,7 @@ script:
./OsEID-tool EC-CREATE-KEYS; ./OsEID-tool EC-CREATE-KEYS;
./OsEID-tool EC-UPLOAD-KEYS; ./OsEID-tool EC-UPLOAD-KEYS;
./OsEID-tool EC-SIGN-TEST; ./OsEID-tool EC-SIGN-TEST;
./OsEID-tool EC-SIGN-PKCS11-TEST;
./OsEID-tool EC-ECDH-TEST; ./OsEID-tool EC-ECDH-TEST;
kill -9 $PID; kill -9 $PID;

2
src/libopensc/card-myeid.c
View File

@ -246,6 +246,8 @@ static int myeid_init(struct sc_card *card)
flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ONBOARD_KEY_GEN; flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ONBOARD_KEY_GEN;
flags |= SC_ALGORITHM_ECDSA_HASH_NONE | SC_ALGORITHM_ECDSA_HASH_SHA1; flags |= SC_ALGORITHM_ECDSA_HASH_NONE | SC_ALGORITHM_ECDSA_HASH_SHA1;
flags |= SC_ALGORITHM_ECDSA_HASH_SHA224 | SC_ALGORITHM_ECDSA_HASH_SHA256;
flags |= SC_ALGORITHM_ECDSA_HASH_SHA384 | SC_ALGORITHM_ECDSA_HASH_SHA512;
ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES; ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
for (i=0; ec_curves[i].curve_name != NULL; i++) { for (i=0; ec_curves[i].curve_name != NULL; i++) {

2
src/libopensc/pkcs15-sec.c
View File

@ -697,7 +697,7 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
* truncation is done by the token. * truncation is done by the token.
*/ */
else if (senv.algorithm == SC_ALGORITHM_EC && else if (senv.algorithm == SC_ALGORITHM_EC &&
(flags & SC_ALGORITHM_ECDSA_HASH_NONE) != 0) { (flags & SC_ALGORITHM_ECDSA_HASHES)) {
inlen = MIN(inlen, (prkey->field_length+7)/8); inlen = MIN(inlen, (prkey->field_length+7)/8);
} }

51
src/pkcs11/framework-pkcs15.c
View File

@ -4119,6 +4119,18 @@ pkcs15_prkey_sign(struct sc_pkcs11_session *session, void *obj,
case CKM_ECDSA_SHA1: case CKM_ECDSA_SHA1:
flags = SC_ALGORITHM_ECDSA_HASH_SHA1; flags = SC_ALGORITHM_ECDSA_HASH_SHA1;
break; break;
case CKM_ECDSA_SHA224:
flags = SC_ALGORITHM_ECDSA_HASH_SHA224;
break;
case CKM_ECDSA_SHA256:
flags = SC_ALGORITHM_ECDSA_HASH_SHA256;
break;
case CKM_ECDSA_SHA384:
flags = SC_ALGORITHM_ECDSA_HASH_SHA384;
break;
case CKM_ECDSA_SHA512:
flags = SC_ALGORITHM_ECDSA_HASH_SHA512;
break;
default: default:
sc_log(context, "DEE - need EC for %lu", pMechanism->mechanism); sc_log(context, "DEE - need EC for %lu", pMechanism->mechanism);
return CKR_MECHANISM_INVALID; return CKR_MECHANISM_INVALID;
@ -5642,26 +5654,45 @@ static CK_RV register_ec_mechanisms(struct sc_pkcs11_card *p11card, int flags,
mech_info.ulMinKeySize = min_key_size; mech_info.ulMinKeySize = min_key_size;
mech_info.ulMaxKeySize = max_key_size; mech_info.ulMaxKeySize = max_key_size;
if(flags & SC_ALGORITHM_ECDSA_HASH_NONE) { if (flags & SC_ALGORITHM_ECDSA_RAW) {
mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA, &mech_info, CKK_EC, NULL, NULL); mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA, &mech_info, CKK_EC, NULL, NULL);
if (!mt) if (!mt)
return CKR_HOST_MEMORY; return CKR_HOST_MEMORY;
rc = sc_pkcs11_register_mechanism(p11card, mt); rc = sc_pkcs11_register_mechanism(p11card, mt);
if (rc != CKR_OK) if (rc != CKR_OK)
return rc; return rc;
}
#ifdef ENABLE_OPENSSL #ifdef ENABLE_OPENSSL
if(flags & SC_ALGORITHM_ECDSA_HASH_SHA1) { /* Hashing is always done in openssl, if the card driver requests hashes, we enable them here. */
mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA_SHA1, &mech_info, CKK_EC, NULL, NULL);
if (!mt) if (flags & SC_ALGORITHM_ECDSA_HASH_SHA1) {
return CKR_HOST_MEMORY; rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA1, CKM_SHA_1, mt);
rc = sc_pkcs11_register_mechanism(p11card, mt); if (rc != CKR_OK)
if (rc != CKR_OK) return rc;
return rc; }
} if (flags & SC_ALGORITHM_ECDSA_HASH_SHA224) {
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA224, CKM_SHA224, mt);
if (rc != CKR_OK)
return rc;
}
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA256) {
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA256, CKM_SHA256, mt);
if (rc != CKR_OK)
return rc;
}
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA384) {
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA384, CKM_SHA384, mt);
if (rc != CKR_OK)
return rc;
}
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA512) {
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA512, CKM_SHA512, mt);
if (rc != CKR_OK)
return rc;
}
#endif #endif
}
/* ADD ECDH mechanisms */ /* ADD ECDH mechanisms */
/* The PIV uses curves where CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE produce the same results */ /* The PIV uses curves where CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE produce the same results */
if(flags & SC_ALGORITHM_ECDH_CDH_RAW) { if(flags & SC_ALGORITHM_ECDH_CDH_RAW) {