- Register only those mechanisms the card actually supports
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@783 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
parent
0c16b3d887
commit
647d4bcdef
|
@ -1486,22 +1486,76 @@ cache_pin(void *p, int user, const void *pin, size_t len)
|
||||||
int
|
int
|
||||||
register_mechanisms(struct sc_pkcs11_card *p11card)
|
register_mechanisms(struct sc_pkcs11_card *p11card)
|
||||||
{
|
{
|
||||||
|
sc_card_t *card = p11card->card;
|
||||||
|
sc_algorithm_info_t *alg_info;
|
||||||
CK_MECHANISM_INFO mech_info;
|
CK_MECHANISM_INFO mech_info;
|
||||||
int rc;
|
sc_pkcs11_mechanism_type_t *mt;
|
||||||
|
unsigned int num;
|
||||||
|
int rc, flags = 0;
|
||||||
|
|
||||||
|
/* Register generic mechanisms */
|
||||||
|
sc_pkcs11_register_generic_mechanisms(p11card);
|
||||||
|
|
||||||
mech_info.flags = CKF_HW | CKF_SIGN | CKF_UNWRAP;
|
mech_info.flags = CKF_HW | CKF_SIGN | CKF_UNWRAP;
|
||||||
mech_info.ulMinKeySize = 512;
|
mech_info.ulMinKeySize = ~0;
|
||||||
mech_info.ulMaxKeySize = 2048;
|
mech_info.ulMaxKeySize = 0;
|
||||||
rc = sc_pkcs11_register_mechanism(p11card,
|
|
||||||
sc_pkcs11_new_fw_mechanism(CKM_RSA_PKCS, &mech_info, CKK_RSA, NULL));
|
|
||||||
if (rc != CKR_OK)
|
|
||||||
return rc;
|
|
||||||
rc = sc_pkcs11_register_mechanism(p11card,
|
|
||||||
sc_pkcs11_new_fw_mechanism(CKM_RSA_X_509, &mech_info, CKK_RSA, NULL));
|
|
||||||
if (rc != CKR_OK)
|
|
||||||
return rc;
|
|
||||||
|
|
||||||
/* Register generic mechanisms (e.g. digest mechanisms, software encryption/
|
/* For now, we just OR all the algorithm specific
|
||||||
* decryption stuff, and hash+sign algorithms */
|
* flags, based on the assumption that cards don't
|
||||||
return sc_pkcs11_register_generic_mechanisms(p11card);
|
* support different modes for different key sizes
|
||||||
|
*/
|
||||||
|
num = card->algorithm_count;
|
||||||
|
alg_info = card->algorithms;
|
||||||
|
while (num--) {
|
||||||
|
if (alg_info->algorithm != SC_ALGORITHM_RSA)
|
||||||
|
continue;
|
||||||
|
if (alg_info->key_length < mech_info.ulMinKeySize)
|
||||||
|
mech_info.ulMinKeySize = alg_info->key_length;
|
||||||
|
if (alg_info->key_length > mech_info.ulMaxKeySize)
|
||||||
|
mech_info.ulMaxKeySize = alg_info->key_length;
|
||||||
|
|
||||||
|
flags |= alg_info->flags;
|
||||||
|
alg_info++;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check if we support raw RSA */
|
||||||
|
if (flags & SC_ALGORITHM_RSA_RAW) {
|
||||||
|
mt = sc_pkcs11_new_fw_mechanism(CKM_RSA_X_509,
|
||||||
|
&mech_info, CKK_RSA, NULL);
|
||||||
|
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||||
|
if (rc != CKR_OK)
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check for PKCS1 */
|
||||||
|
if (flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
|
||||||
|
mt = sc_pkcs11_new_fw_mechanism(CKM_RSA_PKCS,
|
||||||
|
&mech_info, CKK_RSA, NULL);
|
||||||
|
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||||
|
if (rc != CKR_OK)
|
||||||
|
return rc;
|
||||||
|
|
||||||
|
/* if the driver doesn't say what hashes it supports,
|
||||||
|
* claim we will do all of them */
|
||||||
|
if (!(flags & SC_ALGORITHM_RSA_HASHES))
|
||||||
|
flags |= SC_ALGORITHM_RSA_HASHES;
|
||||||
|
|
||||||
|
if (flags & SC_ALGORITHM_RSA_HASH_SHA1)
|
||||||
|
sc_pkcs11_register_sign_and_hash_mechanism(p11card,
|
||||||
|
CKM_SHA1_RSA_PKCS, CKM_SHA_1, mt);
|
||||||
|
if (flags & SC_ALGORITHM_RSA_HASH_MD5)
|
||||||
|
sc_pkcs11_register_sign_and_hash_mechanism(p11card,
|
||||||
|
CKM_MD5_RSA_PKCS, CKM_MD5, mt);
|
||||||
|
if (flags & SC_ALGORITHM_RSA_HASH_RIPEMD160)
|
||||||
|
sc_pkcs11_register_sign_and_hash_mechanism(p11card,
|
||||||
|
CKM_RIPEMD160_RSA_PKCS, CKM_RIPEMD160, mt);
|
||||||
|
#if 0
|
||||||
|
/* Does this correspond to any defined CKM_XXX value? */
|
||||||
|
if (flags & SC_ALGORITHM_RSA_HASH_MD5_SHA1)
|
||||||
|
sc_pkcs11_register_sign_and_hash_mechanism(p11card,
|
||||||
|
CKM_XXX_RSA_PKCS, CKM_XXX, mt);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
|
|
|
@ -414,48 +414,44 @@ sc_pkcs11_new_fw_mechanism(CK_MECHANISM_TYPE mech,
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Support for sign+hash
|
* Register generic mechanisms
|
||||||
*/
|
|
||||||
static struct hash_signature_info sig_hash_mechs[] = {
|
|
||||||
{ CKM_SHA1_RSA_PKCS, CKM_SHA_1, CKM_RSA_PKCS },
|
|
||||||
{ CKM_MD5_RSA_PKCS, CKM_MD5, CKM_RSA_PKCS },
|
|
||||||
{ CKM_RIPEMD160_RSA_PKCS, CKM_RIPEMD160, CKM_RSA_PKCS },
|
|
||||||
{ 0 }
|
|
||||||
};
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Register generic mechanisms, i.e.
|
|
||||||
* - software only algorithms such as digests
|
|
||||||
* - sign+hash mechanisms that use the card's
|
|
||||||
* signature ops and a generic digest mechanism
|
|
||||||
*/
|
*/
|
||||||
CK_RV
|
CK_RV
|
||||||
sc_pkcs11_register_generic_mechanisms(struct sc_pkcs11_card *p11card)
|
sc_pkcs11_register_generic_mechanisms(struct sc_pkcs11_card *p11card)
|
||||||
{
|
{
|
||||||
struct hash_signature_info *info;
|
|
||||||
|
|
||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
sc_pkcs11_register_openssl_mechanisms(p11card);
|
sc_pkcs11_register_openssl_mechanisms(p11card);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
for (info = sig_hash_mechs; info->mech; info++) {
|
|
||||||
sc_pkcs11_mechanism_type_t *hash_type, *sign_type, *new_type;
|
|
||||||
|
|
||||||
hash_type = sc_pkcs11_find_mechanism(p11card, info->hash_mech, 0);
|
|
||||||
sign_type = sc_pkcs11_find_mechanism(p11card, info->sign_mech, CKF_SIGN);
|
|
||||||
if (!hash_type || !sign_type)
|
|
||||||
continue;
|
|
||||||
info->sign_type = sign_type;
|
|
||||||
info->hash_type = hash_type;
|
|
||||||
|
|
||||||
new_type = sc_pkcs11_new_fw_mechanism(info->mech,
|
|
||||||
&sign_type->mech_info,
|
|
||||||
sign_type->key_type,
|
|
||||||
info);
|
|
||||||
if (new_type)
|
|
||||||
sc_pkcs11_register_mechanism(p11card, new_type);
|
|
||||||
}
|
|
||||||
|
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Register a sign+hash algorithm derived from an algorithm supported
|
||||||
|
* by the token + a software hash mechanism
|
||||||
|
*/
|
||||||
|
CK_RV
|
||||||
|
sc_pkcs11_register_sign_and_hash_mechanism(struct sc_pkcs11_card *p11card,
|
||||||
|
CK_MECHANISM_TYPE mech,
|
||||||
|
CK_MECHANISM_TYPE hash_mech,
|
||||||
|
sc_pkcs11_mechanism_type_t *sign_type)
|
||||||
|
{
|
||||||
|
sc_pkcs11_mechanism_type_t *hash_type, *new_type;
|
||||||
|
struct hash_signature_info *info;
|
||||||
|
|
||||||
|
if (!(hash_type = sc_pkcs11_find_mechanism(p11card, hash_mech, CKF_DIGEST)))
|
||||||
|
return CKR_MECHANISM_INVALID;
|
||||||
|
|
||||||
|
info = (struct hash_signature_info *) calloc(1, sizeof(*info));
|
||||||
|
info->mech = mech;
|
||||||
|
info->sign_type = sign_type;
|
||||||
|
info->hash_type = hash_type;
|
||||||
|
info->sign_mech = sign_type->mech;
|
||||||
|
info->hash_mech = hash_mech;
|
||||||
|
|
||||||
|
new_type = sc_pkcs11_new_fw_mechanism(mech, &sign_type->mech_info,
|
||||||
|
sign_type->key_type, info);
|
||||||
|
if (new_type)
|
||||||
|
sc_pkcs11_register_mechanism(p11card, new_type);
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
|
|
@ -341,6 +341,9 @@ CK_RV sc_pkcs11_register_generic_mechanisms(struct sc_pkcs11_card *);
|
||||||
#ifdef HAVE_OPENSSL
|
#ifdef HAVE_OPENSSL
|
||||||
void sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *);
|
void sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *);
|
||||||
#endif
|
#endif
|
||||||
|
CK_RV sc_pkcs11_register_sign_and_hash_mechanism(struct sc_pkcs11_card *,
|
||||||
|
CK_MECHANISM_TYPE, CK_MECHANISM_TYPE,
|
||||||
|
sc_pkcs11_mechanism_type_t *);
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue