pkcs15: more of the debug messages
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@5228 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
parent
d174edf1d2
commit
a067bf35a3
|
@ -178,12 +178,14 @@ static int sc_pkcs1_add_digest_info_prefix(unsigned int algorithm,
|
||||||
const u8 *hdr = digest_info_prefix[i].hdr;
|
const u8 *hdr = digest_info_prefix[i].hdr;
|
||||||
size_t hdr_len = digest_info_prefix[i].hdr_len,
|
size_t hdr_len = digest_info_prefix[i].hdr_len,
|
||||||
hash_len = digest_info_prefix[i].hash_len;
|
hash_len = digest_info_prefix[i].hash_len;
|
||||||
if (in_len != hash_len ||
|
|
||||||
*out_len < (hdr_len + hash_len))
|
if (in_len != hash_len || *out_len < (hdr_len + hash_len))
|
||||||
return SC_ERROR_INTERNAL;
|
return SC_ERROR_INTERNAL;
|
||||||
|
|
||||||
memmove(out + hdr_len, in, hash_len);
|
memmove(out + hdr_len, in, hash_len);
|
||||||
memmove(out, hdr, hdr_len);
|
memmove(out, hdr, hdr_len);
|
||||||
*out_len = hdr_len + hash_len;
|
*out_len = hdr_len + hash_len;
|
||||||
|
|
||||||
return SC_SUCCESS;
|
return SC_SUCCESS;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -222,25 +224,27 @@ int sc_pkcs1_strip_digest_info_prefix(unsigned int *algorithm,
|
||||||
int sc_pkcs1_encode(sc_context_t *ctx, unsigned long flags,
|
int sc_pkcs1_encode(sc_context_t *ctx, unsigned long flags,
|
||||||
const u8 *in, size_t in_len, u8 *out, size_t *out_len, size_t mod_len)
|
const u8 *in, size_t in_len, u8 *out, size_t *out_len, size_t mod_len)
|
||||||
{
|
{
|
||||||
int i;
|
int rv, i;
|
||||||
size_t tmp_len = *out_len;
|
size_t tmp_len = *out_len;
|
||||||
const u8 *tmp = in;
|
const u8 *tmp = in;
|
||||||
unsigned int hash_algo, pad_algo;
|
unsigned int hash_algo, pad_algo;
|
||||||
|
|
||||||
|
LOG_FUNC_CALLED(ctx);
|
||||||
|
|
||||||
hash_algo = flags & (SC_ALGORITHM_RSA_HASHES | SC_ALGORITHM_RSA_HASH_NONE);
|
hash_algo = flags & (SC_ALGORITHM_RSA_HASHES | SC_ALGORITHM_RSA_HASH_NONE);
|
||||||
pad_algo = flags & SC_ALGORITHM_RSA_PADS;
|
pad_algo = flags & SC_ALGORITHM_RSA_PADS;
|
||||||
|
sc_log(ctx, "hash algorithm 0x%X, pad algorithm 0x%X", hash_algo, pad_algo);
|
||||||
|
|
||||||
if (hash_algo != SC_ALGORITHM_RSA_HASH_NONE) {
|
if (hash_algo != SC_ALGORITHM_RSA_HASH_NONE) {
|
||||||
i = sc_pkcs1_add_digest_info_prefix(hash_algo, in, in_len,
|
i = sc_pkcs1_add_digest_info_prefix(hash_algo, in, in_len, out, &tmp_len);
|
||||||
out, &tmp_len);
|
|
||||||
if (i != SC_SUCCESS) {
|
if (i != SC_SUCCESS) {
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Unable to add digest info 0x%x",
|
sc_log(ctx, "Unable to add digest info 0x%x", hash_algo);
|
||||||
hash_algo);
|
LOG_FUNC_RETURN(ctx, i);
|
||||||
return i;
|
|
||||||
}
|
}
|
||||||
tmp = out;
|
tmp = out;
|
||||||
} else
|
} else {
|
||||||
tmp_len = in_len;
|
tmp_len = in_len;
|
||||||
|
}
|
||||||
|
|
||||||
switch(pad_algo) {
|
switch(pad_algo) {
|
||||||
case SC_ALGORITHM_RSA_PAD_NONE:
|
case SC_ALGORITHM_RSA_PAD_NONE:
|
||||||
|
@ -248,15 +252,15 @@ int sc_pkcs1_encode(sc_context_t *ctx, unsigned long flags,
|
||||||
if (out != tmp)
|
if (out != tmp)
|
||||||
memcpy(out, tmp, tmp_len);
|
memcpy(out, tmp, tmp_len);
|
||||||
*out_len = tmp_len;
|
*out_len = tmp_len;
|
||||||
return SC_SUCCESS;
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
||||||
case SC_ALGORITHM_RSA_PAD_PKCS1:
|
case SC_ALGORITHM_RSA_PAD_PKCS1:
|
||||||
/* add pkcs1 bt01 padding */
|
/* add pkcs1 bt01 padding */
|
||||||
return sc_pkcs1_add_01_padding(tmp, tmp_len, out, out_len,
|
rv = sc_pkcs1_add_01_padding(tmp, tmp_len, out, out_len, mod_len);
|
||||||
mod_len);
|
LOG_FUNC_RETURN(ctx, rv);
|
||||||
default:
|
default:
|
||||||
/* currently only pkcs1 padding is supported */
|
/* currently only pkcs1 padding is supported */
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Unsupported padding algorithm 0x%x", pad_algo);
|
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Unsupported padding algorithm 0x%x", pad_algo);
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -266,9 +270,11 @@ int sc_get_encoding_flags(sc_context_t *ctx,
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
|
LOG_FUNC_CALLED(ctx);
|
||||||
if (pflags == NULL || sflags == NULL)
|
if (pflags == NULL || sflags == NULL)
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);
|
||||||
|
|
||||||
|
sc_log(ctx, "iFlags 0x%X, card capabilities 0x%X", iflags, caps);
|
||||||
for (i = 0; digest_info_prefix[i].algorithm != 0; i++) {
|
for (i = 0; digest_info_prefix[i].algorithm != 0; i++) {
|
||||||
if (iflags & digest_info_prefix[i].algorithm) {
|
if (iflags & digest_info_prefix[i].algorithm) {
|
||||||
if (digest_info_prefix[i].algorithm != SC_ALGORITHM_RSA_HASH_NONE &&
|
if (digest_info_prefix[i].algorithm != SC_ALGORITHM_RSA_HASH_NONE &&
|
||||||
|
@ -288,16 +294,15 @@ int sc_get_encoding_flags(sc_context_t *ctx,
|
||||||
} else if ((iflags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {
|
} else if ((iflags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {
|
||||||
|
|
||||||
/* Work with RSA, EC and maybe GOSTR? */
|
/* Work with RSA, EC and maybe GOSTR? */
|
||||||
if (!(caps & SC_ALGORITHM_RAW_MASK)) {
|
if (!(caps & SC_ALGORITHM_RAW_MASK))
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "raw encryption is not supported");
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "raw encryption is not supported");
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
|
||||||
*sflags |= (caps & SC_ALGORITHM_RAW_MASK); /* adds in the one raw type */
|
*sflags |= (caps & SC_ALGORITHM_RAW_MASK); /* adds in the one raw type */
|
||||||
*pflags = 0;
|
*pflags = 0;
|
||||||
} else {
|
} else {
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "unsupported algorithm");
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "unsupported algorithm");
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return SC_SUCCESS;
|
sc_log(ctx, "pad flags 0x%X, secure algorithm flags 0x%X", pflags, sflags);
|
||||||
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
|
@ -35,11 +35,14 @@ static int select_key_file(struct sc_pkcs15_card *p15card,
|
||||||
const struct sc_pkcs15_prkey_info *prkey,
|
const struct sc_pkcs15_prkey_info *prkey,
|
||||||
sc_security_env_t *senv)
|
sc_security_env_t *senv)
|
||||||
{
|
{
|
||||||
|
sc_context_t *ctx = p15card->card->ctx;
|
||||||
sc_path_t path, file_id;
|
sc_path_t path, file_id;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
LOG_FUNC_CALLED(ctx);
|
||||||
|
|
||||||
if (prkey->path.len < 2)
|
if (prkey->path.len < 2)
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "invalid private key path");
|
||||||
|
|
||||||
memset(&path, 0, sizeof(sc_path_t));
|
memset(&path, 0, sizeof(sc_path_t));
|
||||||
memset(&file_id, 0, sizeof(sc_path_t));
|
memset(&file_id, 0, sizeof(sc_path_t));
|
||||||
|
@ -60,9 +63,9 @@ static int select_key_file(struct sc_pkcs15_card *p15card,
|
||||||
senv->file_ref = file_id;
|
senv->file_ref = file_id;
|
||||||
senv->flags |= SC_SEC_ENV_FILE_REF_PRESENT;
|
senv->flags |= SC_SEC_ENV_FILE_REF_PRESENT;
|
||||||
r = sc_select_file(p15card->card, &path, NULL);
|
r = sc_select_file(p15card->card, &path, NULL);
|
||||||
SC_TEST_RET(p15card->card->ctx, SC_LOG_DEBUG_NORMAL, r, "sc_select_file() failed");
|
LOG_TEST_RET(ctx, r, "sc_select_file() failed");
|
||||||
|
|
||||||
return 0;
|
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
|
int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
|
||||||
|
@ -70,14 +73,14 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
|
||||||
unsigned long flags,
|
unsigned long flags,
|
||||||
const u8 * in, size_t inlen, u8 *out, size_t outlen)
|
const u8 * in, size_t inlen, u8 *out, size_t outlen)
|
||||||
{
|
{
|
||||||
|
sc_context_t *ctx = p15card->card->ctx;
|
||||||
int r;
|
int r;
|
||||||
sc_algorithm_info_t *alg_info;
|
sc_algorithm_info_t *alg_info;
|
||||||
sc_security_env_t senv;
|
sc_security_env_t senv;
|
||||||
sc_context_t *ctx = p15card->card->ctx;
|
|
||||||
const struct sc_pkcs15_prkey_info *prkey = (const struct sc_pkcs15_prkey_info *) obj->data;
|
const struct sc_pkcs15_prkey_info *prkey = (const struct sc_pkcs15_prkey_info *) obj->data;
|
||||||
unsigned long pad_flags = 0, sec_flags = 0;
|
unsigned long pad_flags = 0, sec_flags = 0;
|
||||||
|
|
||||||
SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_VERBOSE);
|
LOG_FUNC_CALLED(ctx);
|
||||||
|
|
||||||
memset(&senv, 0, sizeof(senv));
|
memset(&senv, 0, sizeof(senv));
|
||||||
|
|
||||||
|
@ -87,21 +90,17 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
|
||||||
|
|
||||||
/* If the key is not native, we can't operate with it. */
|
/* If the key is not native, we can't operate with it. */
|
||||||
if (!prkey->native)
|
if (!prkey->native)
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "This key is not native, cannot operate with it");
|
||||||
|
|
||||||
if (!(prkey->usage & (SC_PKCS15_PRKEY_USAGE_DECRYPT|SC_PKCS15_PRKEY_USAGE_UNWRAP))) {
|
if (!(prkey->usage & (SC_PKCS15_PRKEY_USAGE_DECRYPT|SC_PKCS15_PRKEY_USAGE_UNWRAP)))
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "This key cannot be used for decryption\n");
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_ALLOWED, "This key cannot be used for decryption");
|
||||||
return SC_ERROR_NOT_ALLOWED;
|
|
||||||
}
|
|
||||||
|
|
||||||
switch (obj->type) {
|
switch (obj->type) {
|
||||||
case SC_PKCS15_TYPE_PRKEY_RSA:
|
case SC_PKCS15_TYPE_PRKEY_RSA:
|
||||||
alg_info = sc_card_find_rsa_alg(p15card->card, prkey->modulus_length);
|
alg_info = sc_card_find_rsa_alg(p15card->card, prkey->modulus_length);
|
||||||
if (alg_info == NULL) {
|
if (alg_info == NULL) {
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL,
|
sc_log(ctx, "Card does not support RSA with key length %d", prkey->modulus_length);
|
||||||
"Card does not support RSA with key length %d\n",
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
||||||
prkey->modulus_length);
|
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
senv.algorithm = SC_ALGORITHM_RSA;
|
senv.algorithm = SC_ALGORITHM_RSA;
|
||||||
break;
|
break;
|
||||||
|
@ -109,22 +108,18 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
|
||||||
case SC_PKCS15_TYPE_PRKEY_GOSTR3410:
|
case SC_PKCS15_TYPE_PRKEY_GOSTR3410:
|
||||||
alg_info = sc_card_find_gostr3410_alg(p15card->card, prkey->modulus_length);
|
alg_info = sc_card_find_gostr3410_alg(p15card->card, prkey->modulus_length);
|
||||||
if (alg_info == NULL) {
|
if (alg_info == NULL) {
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL,
|
sc_log(ctx, "Card does not support GOSTR3410 with key length %d", prkey->modulus_length);
|
||||||
"Card does not support GOSTR3410 with key length %d\n",
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
||||||
prkey->modulus_length);
|
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
senv.algorithm = SC_ALGORITHM_GOSTR3410;
|
senv.algorithm = SC_ALGORITHM_GOSTR3410;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Key type not supported\n");
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED,"Key type not supported");
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
r = sc_get_encoding_flags(ctx, flags, alg_info->flags, &pad_flags, &sec_flags);
|
r = sc_get_encoding_flags(ctx, flags, alg_info->flags, &pad_flags, &sec_flags);
|
||||||
if (r != SC_SUCCESS)
|
LOG_TEST_RET(ctx, r, "cannot encode security operation flags");
|
||||||
return r;
|
|
||||||
|
|
||||||
senv.algorithm_flags = sec_flags;
|
senv.algorithm_flags = sec_flags;
|
||||||
senv.operation = SC_SEC_OPERATION_DECIPHER;
|
senv.operation = SC_SEC_OPERATION_DECIPHER;
|
||||||
|
@ -138,21 +133,21 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
|
||||||
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
||||||
|
|
||||||
r = sc_lock(p15card->card);
|
r = sc_lock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "sc_lock() failed");
|
LOG_TEST_RET(ctx, r, "sc_lock() failed");
|
||||||
|
|
||||||
if (prkey->path.len != 0)
|
if (prkey->path.len != 0)
|
||||||
{
|
{
|
||||||
r = select_key_file(p15card, prkey, &senv);
|
r = select_key_file(p15card, prkey, &senv);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
sc_unlock(p15card->card);
|
sc_unlock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL,r,"Unable to select private key file");
|
LOG_TEST_RET(ctx, r,"Unable to select private key file");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
r = sc_set_security_env(p15card->card, &senv, 0);
|
r = sc_set_security_env(p15card->card, &senv, 0);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
sc_unlock(p15card->card);
|
sc_unlock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "sc_set_security_env() failed");
|
LOG_TEST_RET(ctx, r, "sc_set_security_env() failed");
|
||||||
}
|
}
|
||||||
r = sc_decipher(p15card->card, in, inlen, out, outlen);
|
r = sc_decipher(p15card->card, in, inlen, out, outlen);
|
||||||
if (r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
|
if (r == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
|
||||||
|
@ -160,16 +155,16 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
|
||||||
r = sc_decipher(p15card->card, in, inlen, out, outlen);
|
r = sc_decipher(p15card->card, in, inlen, out, outlen);
|
||||||
}
|
}
|
||||||
sc_unlock(p15card->card);
|
sc_unlock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "sc_decipher() failed");
|
LOG_TEST_RET(ctx, r, "sc_decipher() failed");
|
||||||
|
|
||||||
/* Strip any padding */
|
/* Strip any padding */
|
||||||
if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
|
if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
|
||||||
size_t s = r;
|
size_t s = r;
|
||||||
r = sc_pkcs1_strip_02_padding(out, s, out, &s);
|
r = sc_pkcs1_strip_02_padding(out, s, out, &s);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Invalid PKCS#1 padding");
|
LOG_TEST_RET(ctx, r, "Invalid PKCS#1 padding");
|
||||||
}
|
}
|
||||||
|
|
||||||
return r;
|
LOG_FUNC_RETURN(ctx, r);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* copied from pkcs15-cardos.c */
|
/* copied from pkcs15-cardos.c */
|
||||||
|
@ -183,16 +178,17 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
unsigned long flags, const u8 *in, size_t inlen,
|
unsigned long flags, const u8 *in, size_t inlen,
|
||||||
u8 *out, size_t outlen)
|
u8 *out, size_t outlen)
|
||||||
{
|
{
|
||||||
|
sc_context_t *ctx = p15card->card->ctx;
|
||||||
int r;
|
int r;
|
||||||
sc_security_env_t senv;
|
sc_security_env_t senv;
|
||||||
sc_context_t *ctx = p15card->card->ctx;
|
|
||||||
sc_algorithm_info_t *alg_info;
|
sc_algorithm_info_t *alg_info;
|
||||||
const struct sc_pkcs15_prkey_info *prkey = (const struct sc_pkcs15_prkey_info *) obj->data;
|
const struct sc_pkcs15_prkey_info *prkey = (const struct sc_pkcs15_prkey_info *) obj->data;
|
||||||
u8 buf[512], *tmp;
|
u8 buf[512], *tmp;
|
||||||
size_t modlen;
|
size_t modlen;
|
||||||
unsigned long pad_flags = 0, sec_flags = 0;
|
unsigned long pad_flags = 0, sec_flags = 0;
|
||||||
|
|
||||||
SC_FUNC_CALLED(ctx, SC_LOG_DEBUG_VERBOSE);
|
LOG_FUNC_CALLED(ctx);
|
||||||
|
sc_log(ctx, "security operation flags 0x%X", flags);
|
||||||
|
|
||||||
memset(&senv, 0, sizeof(senv));
|
memset(&senv, 0, sizeof(senv));
|
||||||
|
|
||||||
|
@ -200,30 +196,24 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
* it can get value of card specific 'AlgorithmInfo::algRef'. */
|
* it can get value of card specific 'AlgorithmInfo::algRef'. */
|
||||||
memcpy(&senv.supported_algos, &p15card->tokeninfo->supported_algos, sizeof(senv.supported_algos));
|
memcpy(&senv.supported_algos, &p15card->tokeninfo->supported_algos, sizeof(senv.supported_algos));
|
||||||
|
|
||||||
if ((obj->type & SC_PKCS15_TYPE_CLASS_MASK) != SC_PKCS15_TYPE_PRKEY) {
|
if ((obj->type & SC_PKCS15_TYPE_CLASS_MASK) != SC_PKCS15_TYPE_PRKEY)
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "This is not a private key\n");
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_ALLOWED, "This is not a private key");
|
||||||
return SC_ERROR_NOT_ALLOWED;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If the key is not native, we can't operate with it. */
|
/* If the key is not native, we can't operate with it. */
|
||||||
if (!prkey->native)
|
if (!prkey->native)
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "This key is not native, cannot operate with it");
|
||||||
|
|
||||||
if (!(prkey->usage & (SC_PKCS15_PRKEY_USAGE_SIGN|SC_PKCS15_PRKEY_USAGE_SIGNRECOVER|
|
if (!(prkey->usage & (SC_PKCS15_PRKEY_USAGE_SIGN|SC_PKCS15_PRKEY_USAGE_SIGNRECOVER|
|
||||||
SC_PKCS15_PRKEY_USAGE_NONREPUDIATION))) {
|
SC_PKCS15_PRKEY_USAGE_NONREPUDIATION)))
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "This key cannot be used for signing\n");
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_ALLOWED, "This key cannot be used for signing");
|
||||||
return SC_ERROR_NOT_ALLOWED;
|
|
||||||
}
|
|
||||||
|
|
||||||
switch (obj->type) {
|
switch (obj->type) {
|
||||||
case SC_PKCS15_TYPE_PRKEY_RSA:
|
case SC_PKCS15_TYPE_PRKEY_RSA:
|
||||||
modlen = prkey->modulus_length / 8;
|
modlen = prkey->modulus_length / 8;
|
||||||
alg_info = sc_card_find_rsa_alg(p15card->card, prkey->modulus_length);
|
alg_info = sc_card_find_rsa_alg(p15card->card, prkey->modulus_length);
|
||||||
if (alg_info == NULL) {
|
if (alg_info == NULL) {
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL,
|
sc_log(ctx, "Card does not support RSA with key length %d", prkey->modulus_length);
|
||||||
"Card does not support RSA with key length %d\n",
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
||||||
prkey->modulus_length);
|
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
||||||
senv.algorithm = SC_ALGORITHM_RSA;
|
senv.algorithm = SC_ALGORITHM_RSA;
|
||||||
|
@ -233,10 +223,8 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
modlen = (prkey->modulus_length + 7) / 8 * 2;
|
modlen = (prkey->modulus_length + 7) / 8 * 2;
|
||||||
alg_info = sc_card_find_gostr3410_alg(p15card->card, prkey->modulus_length);
|
alg_info = sc_card_find_gostr3410_alg(p15card->card, prkey->modulus_length);
|
||||||
if (alg_info == NULL) {
|
if (alg_info == NULL) {
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL,
|
sc_log(ctx, "Card does not support GOSTR3410 with key length %d", prkey->modulus_length);
|
||||||
"Card does not support GOSTR3410 with key length %d\n",
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
||||||
prkey->modulus_length);
|
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
||||||
senv.algorithm = SC_ALGORITHM_GOSTR3410;
|
senv.algorithm = SC_ALGORITHM_GOSTR3410;
|
||||||
|
@ -246,10 +234,8 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
modlen = ((prkey->field_length +7) / 8) * 2; /* 2*nLen */
|
modlen = ((prkey->field_length +7) / 8) * 2; /* 2*nLen */
|
||||||
alg_info = sc_card_find_ec_alg(p15card->card, prkey->field_length);
|
alg_info = sc_card_find_ec_alg(p15card->card, prkey->field_length);
|
||||||
if (alg_info == NULL) {
|
if (alg_info == NULL) {
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL,
|
sc_log(ctx, "Card does not support EC with field_size %d", prkey->field_length);
|
||||||
"Card does not support EC with field_size %d\n",
|
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);
|
||||||
prkey->field_length);
|
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
senv.algorithm = SC_ALGORITHM_EC;
|
senv.algorithm = SC_ALGORITHM_EC;
|
||||||
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
senv.flags |= SC_SEC_ENV_ALG_PRESENT;
|
||||||
|
@ -259,13 +245,13 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
break;
|
break;
|
||||||
/* add other crypto types here */
|
/* add other crypto types here */
|
||||||
default:
|
default:
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Key type not supported\n");
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "Key type not supported");
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Probably never happens, but better make sure */
|
/* Probably never happens, but better make sure */
|
||||||
if (inlen > sizeof(buf) || outlen < modlen)
|
if (inlen > sizeof(buf) || outlen < modlen)
|
||||||
return SC_ERROR_BUFFER_TOO_SMALL;
|
LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
|
||||||
|
|
||||||
memcpy(buf, in, inlen);
|
memcpy(buf, in, inlen);
|
||||||
tmp = buf;
|
tmp = buf;
|
||||||
|
|
||||||
|
@ -277,18 +263,18 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
key is for signing and decryption, we need to emulate signing */
|
key is for signing and decryption, we need to emulate signing */
|
||||||
/* TODO: -DEE assume only RSA keys will ever use _NEED_USAGE */
|
/* TODO: -DEE assume only RSA keys will ever use _NEED_USAGE */
|
||||||
|
|
||||||
|
sc_log(ctx, "supported algorithm flags 0x%X, private key usage 0x%X", alg_info->flags, prkey->usage);
|
||||||
if ((alg_info->flags & SC_ALGORITHM_NEED_USAGE) &&
|
if ((alg_info->flags & SC_ALGORITHM_NEED_USAGE) &&
|
||||||
((prkey->usage & USAGE_ANY_SIGN) &&
|
((prkey->usage & USAGE_ANY_SIGN) &&
|
||||||
(prkey->usage & USAGE_ANY_DECIPHER)) ) {
|
(prkey->usage & USAGE_ANY_DECIPHER)) ) {
|
||||||
size_t tmplen = sizeof(buf);
|
size_t tmplen = sizeof(buf);
|
||||||
if (flags & SC_ALGORITHM_RSA_RAW) {
|
if (flags & SC_ALGORITHM_RSA_RAW) {
|
||||||
return sc_pkcs15_decipher(p15card, obj,flags,
|
r = sc_pkcs15_decipher(p15card, obj,flags, in, inlen, out, outlen);
|
||||||
in, inlen, out, outlen);
|
LOG_FUNC_RETURN(ctx, r);
|
||||||
}
|
|
||||||
if (modlen > tmplen) {
|
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Buffer too small, needs recompile!\n");
|
|
||||||
return SC_ERROR_NOT_ALLOWED;
|
|
||||||
}
|
}
|
||||||
|
if (modlen > tmplen)
|
||||||
|
LOG_TEST_RET(ctx, SC_ERROR_NOT_ALLOWED, "Buffer too small, needs recompile!");
|
||||||
|
|
||||||
r = sc_pkcs1_encode(ctx, flags, in, inlen, buf, &tmplen, modlen);
|
r = sc_pkcs1_encode(ctx, flags, in, inlen, buf, &tmplen, modlen);
|
||||||
|
|
||||||
/* no padding needed - already done */
|
/* no padding needed - already done */
|
||||||
|
@ -296,10 +282,10 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
/* instead use raw rsa */
|
/* instead use raw rsa */
|
||||||
flags |= SC_ALGORITHM_RSA_RAW;
|
flags |= SC_ALGORITHM_RSA_RAW;
|
||||||
|
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Unable to add padding");
|
LOG_TEST_RET(ctx, r, "Unable to add padding");
|
||||||
r = sc_pkcs15_decipher(p15card, obj,flags, buf, modlen,
|
|
||||||
out, outlen);
|
r = sc_pkcs15_decipher(p15card, obj,flags, buf, modlen, out, outlen);
|
||||||
return r;
|
LOG_FUNC_RETURN(ctx, r);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -309,10 +295,11 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
!(alg_info->flags & (SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_RSA_HASH_NONE))) {
|
!(alg_info->flags & (SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_RSA_HASH_NONE))) {
|
||||||
unsigned int algo;
|
unsigned int algo;
|
||||||
size_t tmplen = sizeof(buf);
|
size_t tmplen = sizeof(buf);
|
||||||
|
|
||||||
r = sc_pkcs1_strip_digest_info_prefix(&algo, tmp, inlen, tmp, &tmplen);
|
r = sc_pkcs1_strip_digest_info_prefix(&algo, tmp, inlen, tmp, &tmplen);
|
||||||
if (r != SC_SUCCESS || algo == SC_ALGORITHM_RSA_HASH_NONE) {
|
if (r != SC_SUCCESS || algo == SC_ALGORITHM_RSA_HASH_NONE) {
|
||||||
sc_mem_clear(buf, sizeof(buf));
|
sc_mem_clear(buf, sizeof(buf));
|
||||||
return SC_ERROR_INVALID_DATA;
|
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
|
||||||
}
|
}
|
||||||
flags &= ~SC_ALGORITHM_RSA_HASH_NONE;
|
flags &= ~SC_ALGORITHM_RSA_HASH_NONE;
|
||||||
flags |= algo;
|
flags |= algo;
|
||||||
|
@ -322,19 +309,21 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
r = sc_get_encoding_flags(ctx, flags, alg_info->flags, &pad_flags, &sec_flags);
|
r = sc_get_encoding_flags(ctx, flags, alg_info->flags, &pad_flags, &sec_flags);
|
||||||
if (r != SC_SUCCESS) {
|
if (r != SC_SUCCESS) {
|
||||||
sc_mem_clear(buf, sizeof(buf));
|
sc_mem_clear(buf, sizeof(buf));
|
||||||
return r;
|
LOG_FUNC_RETURN(ctx, r);
|
||||||
}
|
}
|
||||||
senv.algorithm_flags = sec_flags;
|
senv.algorithm_flags = sec_flags;
|
||||||
|
|
||||||
sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "DEE flags:0x%8.8x alg_info->flags:0x%8.8x pad:0x%8.8x sec:0x%8.8x",
|
sc_log(ctx, "DEE flags:0x%8.8x alg_info->flags:0x%8.8x pad:0x%8.8x sec:0x%8.8x",
|
||||||
flags, alg_info->flags, pad_flags, sec_flags);
|
flags, alg_info->flags, pad_flags, sec_flags);
|
||||||
|
|
||||||
|
|
||||||
/* add the padding bytes (if necessary) */
|
/* add the padding bytes (if necessary) */
|
||||||
if (pad_flags != 0) {
|
if (pad_flags != 0) {
|
||||||
size_t tmplen = sizeof(buf);
|
size_t tmplen = sizeof(buf);
|
||||||
|
|
||||||
r = sc_pkcs1_encode(ctx, pad_flags, tmp, inlen, tmp, &tmplen, modlen);
|
r = sc_pkcs1_encode(ctx, pad_flags, tmp, inlen, tmp, &tmplen, modlen);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Unable to add padding");
|
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Unable to add padding");
|
||||||
|
|
||||||
inlen = tmplen;
|
inlen = tmplen;
|
||||||
} else if ( senv.algorithm == SC_ALGORITHM_RSA &&
|
} else if ( senv.algorithm == SC_ALGORITHM_RSA &&
|
||||||
(flags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {
|
(flags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {
|
||||||
|
@ -357,20 +346,20 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
}
|
}
|
||||||
|
|
||||||
r = sc_lock(p15card->card);
|
r = sc_lock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "sc_lock() failed");
|
LOG_TEST_RET(ctx, r, "sc_lock() failed");
|
||||||
|
|
||||||
if (prkey->path.len != 0) {
|
if (prkey->path.len != 0) {
|
||||||
r = select_key_file(p15card, prkey, &senv);
|
r = select_key_file(p15card, prkey, &senv);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
sc_unlock(p15card->card);
|
sc_unlock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL,r,"Unable to select private key file");
|
LOG_TEST_RET(ctx, r,"Unable to select private key file");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
r = sc_set_security_env(p15card->card, &senv, 0);
|
r = sc_set_security_env(p15card->card, &senv, 0);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
sc_unlock(p15card->card);
|
sc_unlock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "sc_set_security_env() failed");
|
LOG_TEST_RET(ctx, r, "sc_set_security_env() failed");
|
||||||
}
|
}
|
||||||
|
|
||||||
r = sc_compute_signature(p15card->card, tmp, inlen, out, outlen);
|
r = sc_compute_signature(p15card->card, tmp, inlen, out, outlen);
|
||||||
|
@ -380,7 +369,7 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
|
||||||
}
|
}
|
||||||
sc_mem_clear(buf, sizeof(buf));
|
sc_mem_clear(buf, sizeof(buf));
|
||||||
sc_unlock(p15card->card);
|
sc_unlock(p15card->card);
|
||||||
SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "sc_compute_signature() failed");
|
LOG_TEST_RET(ctx, r, "sc_compute_signature() failed");
|
||||||
|
|
||||||
return r;
|
LOG_FUNC_RETURN(ctx, r);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue