ECDSA-SHA1: Apply SHA1 to input data before PSO compute signature.
CKM_ECDSA and CKM_ECDSA_SHA1 cannot be registered in the same way. We need to use sc_pkcs11_register_sign_and_hash_mechanism() for CKM_ECDSA_SHA1. This fix also enables more ECDSA-SHAxxx mechanisms in framework-pkcs15.c. Tested: MyEID 4.0.1 (secp256r1 with SHA1, SHA224, SHA256, SHA384, SHA512). CI tests (Travis + OsEID) for ECDSA-SHAxxx mechanisms are also enabled.
parent
5f16ffae84
commit
6049cb926c
@ -323,6 +323,7 @@ script:
|
||||
./OsEID-tool EC-CREATE-KEYS;
|
||||
./OsEID-tool EC-UPLOAD-KEYS;
|
||||
./OsEID-tool EC-SIGN-TEST;
|
||||
./OsEID-tool EC-SIGN-PKCS11-TEST;
|
||||
./OsEID-tool EC-ECDH-TEST;
|
||||
kill -9 $PID;
|
||||
|
||||
|
@ -246,6 +246,8 @@ static int myeid_init(struct sc_card *card)
|
||||
|
||||
flags = SC_ALGORITHM_ECDSA_RAW | SC_ALGORITHM_ECDH_CDH_RAW | SC_ALGORITHM_ONBOARD_KEY_GEN;
|
||||
flags |= SC_ALGORITHM_ECDSA_HASH_NONE | SC_ALGORITHM_ECDSA_HASH_SHA1;
|
||||
flags |= SC_ALGORITHM_ECDSA_HASH_SHA224 | SC_ALGORITHM_ECDSA_HASH_SHA256;
|
||||
flags |= SC_ALGORITHM_ECDSA_HASH_SHA384 | SC_ALGORITHM_ECDSA_HASH_SHA512;
|
||||
ext_flags = SC_ALGORITHM_EXT_EC_NAMEDCURVE | SC_ALGORITHM_EXT_EC_UNCOMPRESES;
|
||||
|
||||
for (i=0; ec_curves[i].curve_name != NULL; i++) {
|
||||
|
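Review bot: The ECDSA hash flags set here apply to every curve registered by the `ec_curves` loop that follows, but the commit description reports testing on secp256r1 only. Nothing next to the flag lines says who computes the digest or what happens when it is longer than the curve's field. I would add a comment above them such as `/* Digest is computed on the host; the card only receives the (possibly truncated) hash. Verified on secp256r1 with SHA-1..SHA-512. */`, and extend the test run to the other curves in the table. myeid_init starts and ends outside this hunk, so whether a later line narrows the flags per curve is not visible.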
@ -697,7 +697,7 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||
* truncation is done by the token.
|
||||
*/
|
||||
else if (senv.algorithm == SC_ALGORITHM_EC &&
|
||||
(flags & SC_ALGORITHM_ECDSA_HASH_NONE) != 0) {
|
||||
(flags & SC_ALGORITHM_ECDSA_HASHES)) {
|
||||
inlen = MIN(inlen, (prkey->field_length+7)/8);
|
||||
}
|
||||
|
||||
|
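Review bot: With the test widened to `SC_ALGORITHM_ECDSA_HASHES`, the clamp `inlen = MIN(inlen, (prkey->field_length+7)/8);` now runs for every ECDSA hash mechanism, and nothing in the hunk rejects a `prkey->field_length` of 0. If the PKCS#15 object can leave that field unset (not visible here), `inlen` is clamped to 0 and an empty input would presumably be handed to the token instead of an error being returned. A guard ahead of the clamp, e.g. `if (prkey->field_length == 0) return SC_ERROR_INVALID_ARGUMENTS;` routed through the function's usual exit path, would make that case explicit. The page prints the old and the new condition line without markers, and the enclosing if/else chain starts outside the hunk.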
@ -4119,6 +4119,18 @@ pkcs15_prkey_sign(struct sc_pkcs11_session *session, void *obj,
|
||||
case CKM_ECDSA_SHA1:
|
||||
flags = SC_ALGORITHM_ECDSA_HASH_SHA1;
|
||||
break;
|
||||
case CKM_ECDSA_SHA224:
|
||||
flags = SC_ALGORITHM_ECDSA_HASH_SHA224;
|
||||
break;
|
||||
case CKM_ECDSA_SHA256:
|
||||
flags = SC_ALGORITHM_ECDSA_HASH_SHA256;
|
||||
break;
|
||||
case CKM_ECDSA_SHA384:
|
||||
flags = SC_ALGORITHM_ECDSA_HASH_SHA384;
|
||||
break;
|
||||
case CKM_ECDSA_SHA512:
|
||||
flags = SC_ALGORITHM_ECDSA_HASH_SHA512;
|
||||
break;
|
||||
default:
|
||||
sc_log(context, "DEE - need EC for %lu", pMechanism->mechanism);
|
||||
return CKR_MECHANISM_INVALID;
|
||||
@ -5642,26 +5654,45 @@ static CK_RV register_ec_mechanisms(struct sc_pkcs11_card *p11card, int flags,
|
||||
mech_info.ulMinKeySize = min_key_size;
|
||||
mech_info.ulMaxKeySize = max_key_size;
|
||||
|
||||
if(flags & SC_ALGORITHM_ECDSA_HASH_NONE) {
|
||||
if (flags & SC_ALGORITHM_ECDSA_RAW) {
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA, &mech_info, CKK_EC, NULL, NULL);
|
||||
if (!mt)
|
||||
return CKR_HOST_MEMORY;
|
||||
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_OPENSSL
|
||||
if(flags & SC_ALGORITHM_ECDSA_HASH_SHA1) {
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA_SHA1, &mech_info, CKK_EC, NULL, NULL);
|
||||
if (!mt)
|
||||
return CKR_HOST_MEMORY;
|
||||
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
/* Hashing is always done in openssl, if the card driver requests hashes, we enable them here. */
|
||||
|
||||
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA1) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA1, CKM_SHA_1, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA224) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA224, CKM_SHA224, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA256) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA256, CKM_SHA256, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA384) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA384, CKM_SHA384, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_ECDSA_HASH_SHA512) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_ECDSA_SHA512, CKM_SHA512, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
#endif
|
||||
|
||||
}
|
||||
/* ADD ECDH mechanisms */
|
||||
/* The PIV uses curves where CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE produce the same results */
|
||||
if(flags & SC_ALGORITHM_ECDH_CDH_RAW) {
|
||||
|
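Review bot: Every `sc_pkcs11_register_sign_and_hash_mechanism(..., mt)` call depends on `mt`, which the visible code assigns only in the `CKM_ECDSA` allocation under `if (flags & SC_ALGORITHM_ECDSA_RAW)`. The rendered page has lost the +/- markers, so the brace nesting is uncertain; if the hash registrations can run when RAW is not set, `mt` would be unset or stale at that point. Keeping them inside the RAW block and saying so would remove the doubt, e.g. `/* mt is the CKM_ECDSA mechanism registered above; the hashed variants wrap it and therefore require SC_ALGORITHM_ECDSA_RAW */`. A short note on whether the callee copies or takes ownership of `mt` would also help, since the same pointer is passed to five registrations. Gating `CKM_ECDSA` on RAW instead of `SC_ALGORITHM_ECDSA_HASH_NONE` may drop the mechanism for drivers that set only the latter, which is worth checking against the other card drivers.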