register EC mechanisms with flags independent of RSA flags
Prior to this commit, all hashes registered for RSA or other key types were registered for ECDSA as well. register ECDH mechanism only when supported by card ECDH should only be registered if the card driver sets the SC_ALGORITHM_ECDH_CDH_RAW flag. register software PKCS#1 (1.5) padding only when RAW RSA is supported by card If OpenSC supports PSS/OAEP padding or other padding mechanisms in future, and there would be a card that enforces hardware PSS/OAEP padding, the PKCS#1 v1.5 padding mechanism should not be registered.
This commit is contained in:
parent
37b6f0bbdf
commit
78e434da93
|
@ -4576,25 +4576,29 @@ static int register_ec_mechanisms(struct sc_pkcs11_card *p11card, int flags,
|
|||
mech_info.ulMinKeySize = min_key_size;
|
||||
mech_info.ulMaxKeySize = max_key_size;
|
||||
|
||||
if(flags & SC_ALGORITHM_ECDSA_HASH_NONE) {
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA, &mech_info, CKK_EC, NULL, NULL);
|
||||
if (!mt)
|
||||
return CKR_HOST_MEMORY;
|
||||
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
|
||||
#if ENABLE_OPENSSL
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA_SHA1,
|
||||
&mech_info, CKK_EC, NULL, NULL);
|
||||
#ifdef ENABLE_OPENSSL
|
||||
if(flags & SC_ALGORITHM_ECDSA_HASH_SHA1) {
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_ECDSA_SHA1, &mech_info, CKK_EC, NULL, NULL);
|
||||
if (!mt)
|
||||
return CKR_HOST_MEMORY;
|
||||
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* ADD ECDH mechanisms */
|
||||
/* The PIV uses curves where CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE produce the same results */
|
||||
if(flags & SC_ALGORITHM_ECDH_CDH_RAW) {
|
||||
mech_info.flags &= ~CKF_SIGN;
|
||||
mech_info.flags |= CKF_DERIVE;
|
||||
|
||||
|
@ -4611,6 +4615,7 @@ static int register_ec_mechanisms(struct sc_pkcs11_card *p11card, int flags,
|
|||
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
|
||||
if (flags & SC_ALGORITHM_ONBOARD_KEY_GEN) {
|
||||
mech_info.flags = CKF_HW | CKF_GENERATE_KEY_PAIR;
|
||||
|
@ -4641,7 +4646,7 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
|
|||
unsigned long ec_ext_flags;
|
||||
sc_pkcs11_mechanism_type_t *mt;
|
||||
unsigned int num;
|
||||
int rc, flags = 0;
|
||||
int rc, rsa_flags = 0, ec_flags = 0, gostr_flags = 0;
|
||||
|
||||
/* Register generic mechanisms */
|
||||
sc_pkcs11_register_generic_mechanisms(p11card);
|
||||
|
@ -4659,14 +4664,7 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
|
|||
|
||||
/* For now, we just OR all the algorithm specific
|
||||
* flags, based on the assumption that cards don't
|
||||
* support different modes for different key sizes
|
||||
* But we need to do this by type of key as
|
||||
* each has different min/max and different flags.
|
||||
*
|
||||
* TODO: -DEE This code assumed RSA, but the GOST
|
||||
* and EC code was forced in. There should be a
|
||||
* routine for each key type.
|
||||
*/
|
||||
* support different modes for different key *sizes*. */
|
||||
num = card->algorithm_count;
|
||||
alg_info = card->algorithms;
|
||||
while (num--) {
|
||||
|
@ -4676,51 +4674,50 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
|
|||
mech_info.ulMinKeySize = alg_info->key_length;
|
||||
if (alg_info->key_length > mech_info.ulMaxKeySize)
|
||||
mech_info.ulMaxKeySize = alg_info->key_length;
|
||||
flags |= alg_info->flags;
|
||||
rsa_flags |= alg_info->flags;
|
||||
break;
|
||||
case SC_ALGORITHM_EC:
|
||||
if (alg_info->key_length < ec_min_key_size)
|
||||
ec_min_key_size = alg_info->key_length;
|
||||
if (alg_info->key_length > ec_max_key_size)
|
||||
ec_max_key_size = alg_info->key_length;
|
||||
flags |= alg_info->flags;
|
||||
ec_flags |= alg_info->flags;
|
||||
ec_ext_flags |= alg_info->u._ec.ext_flags;
|
||||
break;
|
||||
case SC_ALGORITHM_GOSTR3410:
|
||||
flags |= alg_info->flags;
|
||||
gostr_flags |= alg_info->flags;
|
||||
break;
|
||||
}
|
||||
alg_info++;
|
||||
}
|
||||
|
||||
if (flags & SC_ALGORITHM_ECDSA_RAW) {
|
||||
rc = register_ec_mechanisms(p11card, flags, ec_ext_flags, ec_min_key_size, ec_max_key_size);
|
||||
if (ec_flags & SC_ALGORITHM_ECDSA_RAW) {
|
||||
rc = register_ec_mechanisms(p11card, ec_flags, ec_ext_flags, ec_min_key_size, ec_max_key_size);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
|
||||
if (flags & (SC_ALGORITHM_GOSTR3410_RAW
|
||||
if (gostr_flags & (SC_ALGORITHM_GOSTR3410_RAW
|
||||
| SC_ALGORITHM_GOSTR3410_HASH_NONE
|
||||
| SC_ALGORITHM_GOSTR3410_HASH_GOSTR3411)) {
|
||||
if (flags & SC_ALGORITHM_GOSTR3410_RAW)
|
||||
flags |= SC_ALGORITHM_GOSTR3410_HASH_NONE;
|
||||
rc = register_gost_mechanisms(p11card, flags);
|
||||
if (gostr_flags & SC_ALGORITHM_GOSTR3410_RAW)
|
||||
gostr_flags |= SC_ALGORITHM_GOSTR3410_HASH_NONE;
|
||||
rc = register_gost_mechanisms(p11card, gostr_flags);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
|
||||
/* Check if we support raw RSA */
|
||||
if (flags & SC_ALGORITHM_RSA_RAW) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_RAW) {
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_RSA_X_509, &mech_info, CKK_RSA, NULL, NULL);
|
||||
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
|
||||
}
|
||||
|
||||
/* We support PKCS1 padding in software */
|
||||
/* either the card supports it or OpenSC does */
|
||||
flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
|
||||
rsa_flags |= SC_ALGORITHM_RSA_PAD_PKCS1;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_OPENSSL
|
||||
/* all our software hashes are in OpenSSL */
|
||||
|
@ -4728,17 +4725,17 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
|
|||
* help it a little, by adding all the OpenSSL hashes
|
||||
* that have PKCS#11 mechanisms.
|
||||
*/
|
||||
if (!(flags & SC_ALGORITHM_RSA_HASHES)) {
|
||||
flags |= SC_ALGORITHM_RSA_HASHES;
|
||||
if (!(rsa_flags & SC_ALGORITHM_RSA_HASHES)) {
|
||||
rsa_flags |= SC_ALGORITHM_RSA_HASHES;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x00908000L
|
||||
/* turn off hashes not in openssl 0.9.8 */
|
||||
flags &= ~(SC_ALGORITHM_RSA_HASH_SHA256 | SC_ALGORITHM_RSA_HASH_SHA384 | SC_ALGORITHM_RSA_HASH_SHA512 | SC_ALGORITHM_RSA_HASH_SHA224);
|
||||
rsa_flags &= ~(SC_ALGORITHM_RSA_HASH_SHA256 | SC_ALGORITHM_RSA_HASH_SHA384 | SC_ALGORITHM_RSA_HASH_SHA512 | SC_ALGORITHM_RSA_HASH_SHA224);
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
/* No need to Check for PKCS1 We support it in software and turned it on above so always added it */
|
||||
if (flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_RSA_PKCS, &mech_info, CKK_RSA, NULL, NULL);
|
||||
rc = sc_pkcs11_register_mechanism(p11card, mt);
|
||||
if (rc != CKR_OK)
|
||||
|
@ -4749,32 +4746,32 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
|
|||
/* All hashes are in OpenSSL
|
||||
* Either the card set the hashes or we helped it above */
|
||||
|
||||
if (flags & SC_ALGORITHM_RSA_HASH_SHA1) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_HASH_SHA1) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA1_RSA_PKCS, CKM_SHA_1, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_RSA_HASH_SHA256) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_HASH_SHA256) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA256_RSA_PKCS, CKM_SHA256, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_RSA_HASH_SHA384) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_HASH_SHA384) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA384_RSA_PKCS, CKM_SHA384, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_RSA_HASH_SHA512) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_HASH_SHA512) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA512_RSA_PKCS, CKM_SHA512, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_RSA_HASH_MD5) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_HASH_MD5) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_MD5_RSA_PKCS, CKM_MD5, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
}
|
||||
if (flags & SC_ALGORITHM_RSA_HASH_RIPEMD160) {
|
||||
if (rsa_flags & SC_ALGORITHM_RSA_HASH_RIPEMD160) {
|
||||
rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_RIPEMD160_RSA_PKCS, CKM_RIPEMD160, mt);
|
||||
if (rc != CKR_OK)
|
||||
return rc;
|
||||
|
@ -4784,7 +4781,7 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
|
|||
|
||||
/* TODO support other padding mechanisms */
|
||||
|
||||
if (flags & SC_ALGORITHM_ONBOARD_KEY_GEN) {
|
||||
if (rsa_flags & SC_ALGORITHM_ONBOARD_KEY_GEN) {
|
||||
mech_info.flags = CKF_GENERATE_KEY_PAIR;
|
||||
mt = sc_pkcs11_new_fw_mechanism(CKM_RSA_PKCS_KEY_PAIR_GEN, &mech_info, CKK_RSA, NULL, NULL);
|
||||
if (!mt)
|
||||
|
|
Loading…
Reference in New Issue