sc_pkcs15_encode_pubkey_as_spki replaces sc_pkcs15_encode_pubkey_with_param.
The name implies the format of the returned value, an SPKI. The support for SPKI as a PKCS#15 format of a pubkey is extended to work for any algorithm, not just EC pubkeys. PKCS#15 appears to allow this. sc_pkcs15_decode_pubkey_with_param will look for an SPKI and attempt to use it for any algorithm, including RSA. (RSA is the null case, as there are no algorithm parameters.) sc_pkcs15_encode_pubkey_as_spki is exported from libopensc. pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys as SPKI for RSA and EC. The pubkey->data is never an SPKI; it is the DER encoding of the pubkey without the parameters. If an SPKI is needed, use sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the SPKI. As in the previous set of patches, pkcs15-tool.c will output both sc_pkcs15_decode_pubkey_with_param and its internal. This was left for testing, and the pubkey_pem_encode should be deleted.
This commit is contained in:
parent
09e5a9fa7f
commit
d4be8ec747
@ -163,6 +163,7 @@ sc_pkcs15_encode_pubkey_dsa
|
||||||
sc_pkcs15_encode_pubkey_rsa
|
sc_pkcs15_encode_pubkey_rsa
|
||||||
sc_pkcs15_encode_pubkey_ec
|
sc_pkcs15_encode_pubkey_ec
|
||||||
sc_pkcs15_encode_pubkey_gostr3410
|
sc_pkcs15_encode_pubkey_gostr3410
|
||||||
|
sc_pkcs15_encode_pubkey_as_spki
|
||||||
sc_pkcs15_encode_pukdf_entry
|
sc_pkcs15_encode_pukdf_entry
|
||||||
sc_pkcs15_encode_tokeninfo
|
sc_pkcs15_encode_tokeninfo
|
||||||
sc_pkcs15_encode_unusedspace
|
sc_pkcs15_encode_unusedspace
|
||||||
|
|
|
@ -879,6 +879,10 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
/* Lets also try another method. */
|
||||||
|
sc_pkcs15_encode_pubkey_as_spki(card->ctx,p15_key,
|
||||||
|
&pubkey_obj.content.value, &pubkey_obj.content.len);
|
||||||
|
|
||||||
/* Only get here if no cert, and the the above found the
|
/* Only get here if no cert, and the the above found the
|
||||||
* pub key file (actually the SPKI version). This only
|
* pub key file (actually the SPKI version). This only
|
||||||
* happens when trying initializing a card and have set
|
* happens when trying initializing a card and have set
|
||||||
|
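Review bot: The return value of `sc_pkcs15_encode_pubkey_as_spki(card->ctx,p15_key, &pubkey_obj.content.value, &pubkey_obj.content.len);` is discarded, so on an encode failure `pubkey_obj.content` is left holding whatever it held before and the loop presumably goes on to register the object; the same applies to the call that replaces `sc_der_copy` in the @@ -911 hunk, which additionally leaves the old call behind as a commented-out line that should be deleted rather than kept. The surrounding loop already uses `continue` after `if (r < 0)`, so `r = sc_pkcs15_encode_pubkey_as_spki(card->ctx, p15_key, &pubkey_obj.content.value, &pubkey_obj.content.len); if (r < 0) continue;` would fit, assuming `r` is still in scope at that point. If the earlier method this block "also tries" already allocated `pubkey_obj.content.value`, the new call overwrites that pointer without freeing it — worth confirming from the lines above the hunk. The enclosing function starts and ends outside the hunk.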
@ -911,7 +915,9 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label);
|
||||||
p15_key = NULL;
|
p15_key = NULL;
|
||||||
}
|
}
|
||||||
else if (ckis[i].pubkey_from_cert && ckis[i].pubkey_from_cert->data.value) {
|
else if (ckis[i].pubkey_from_cert && ckis[i].pubkey_from_cert->data.value) {
|
||||||
sc_der_copy(&pubkey_obj.content, &ckis[i].pubkey_from_cert->data);
|
sc_pkcs15_encode_pubkey_as_spki(card->ctx,ckis[i].pubkey_from_cert,
|
||||||
|
&pubkey_obj.content.value, &pubkey_obj.content.len);
|
||||||
|
// sc_der_copy(&pubkey_obj.content, &ckis[i].pubkey_from_cert->data);
|
||||||
pubkey_obj.emulated = ckis[i].pubkey_from_cert;
|
pubkey_obj.emulated = ckis[i].pubkey_from_cert;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -36,9 +36,9 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
#include <openssl/ec.h>
|
#include <openssl/ec.h>
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -141,7 +141,7 @@ static const struct sc_asn1_entry c_asn1_pubkey_choice[C_ASN1_PUBKEY_CHOICE_SIZE
|
||||||
{ "publicDSAKey", SC_ASN1_PKCS15_OBJECT, 2 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
|
{ "publicDSAKey", SC_ASN1_PKCS15_OBJECT, 2 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
|
||||||
{ "publicGOSTR3410Key", SC_ASN1_PKCS15_OBJECT, 4 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
|
{ "publicGOSTR3410Key", SC_ASN1_PKCS15_OBJECT, 4 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
|
||||||
{ "publicECKey", SC_ASN1_PKCS15_OBJECT, 0 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
|
{ "publicECKey", SC_ASN1_PKCS15_OBJECT, 0 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL },
|
||||||
/*TODO: -DEE not clear EC is needed here as look like it is for pukdf */
|
/*TODO: -DEE not clear EC is needed here as look like it is for pukdf */
|
||||||
{ NULL, 0, 0, 0, NULL, NULL }
|
{ NULL, 0, 0, 0, NULL, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -681,46 +681,67 @@ static const struct sc_asn1_entry c_asn1_spki_key[] = {
|
||||||
{ NULL, 0, 0, 0, NULL, NULL }
|
{ NULL, 0, 0, 0, NULL, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Encode a pubkey as a SPKI, useful for pkcs15-tool, and for PKCS#15 files.
|
||||||
|
*/
|
||||||
|
|
||||||
int
|
int
|
||||||
sc_pkcs15_encode_pubkey_ec_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey,
|
sc_pkcs15_encode_pubkey_as_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey,
|
||||||
u8 **buf, size_t *len)
|
u8 **buf, size_t *len)
|
||||||
{
|
{
|
||||||
int r;
|
int r;
|
||||||
struct sc_asn1_entry asn1_spki_key[2],
|
struct sc_asn1_entry asn1_spki_key[2],
|
||||||
asn1_spki_key_items[3];
|
asn1_spki_key_items[3];
|
||||||
|
struct sc_pkcs15_u8 pkey;
|
||||||
size_t key_len;
|
size_t key_len;
|
||||||
|
|
||||||
key_len = pubkey->u.ec.ecpointQ.len * 8;
|
pkey.value = NULL;
|
||||||
|
pkey.len = 0;
|
||||||
|
|
||||||
|
switch (pubkey->algorithm) {
|
||||||
|
case SC_ALGORITHM_EC:
|
||||||
|
/*
|
||||||
|
* most keys, but not EC have only one encoding.
|
||||||
|
* For a SPKI, the ecpoint is placed directly in the
|
||||||
|
* BIT STRING
|
||||||
|
*/
|
||||||
|
|
||||||
|
key_len = pubkey->u.ec.ecpointQ.len * 8;
|
||||||
|
pkey.value = pubkey->u.ec.ecpointQ.value;
|
||||||
|
pkey.len = 0; /* flag as do not delete */
|
||||||
|
/* TODO make sure algorithm params are available*/
|
||||||
|
/* if not can we copy them from the u.ec */
|
||||||
|
r = 0;
|
||||||
|
break;
|
||||||
|
case SC_ALGORITHM_GOSTR3410:
|
||||||
|
/* TODO is this needed? does it cause mem leak? */
|
||||||
|
pubkey->alg_id->params = &pubkey->u.gostr3410.params;
|
||||||
|
r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len);
|
||||||
|
key_len = pkey.len * 8;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len);
|
||||||
|
key_len = pkey.len * 8;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (r == 0) {
|
||||||
sc_copy_asn1_entry(c_asn1_spki_key, asn1_spki_key);
|
sc_copy_asn1_entry(c_asn1_spki_key, asn1_spki_key);
|
||||||
sc_copy_asn1_entry(c_asn1_spki_key_items, asn1_spki_key_items);
|
sc_copy_asn1_entry(c_asn1_spki_key_items, asn1_spki_key_items);
|
||||||
sc_format_asn1_entry(asn1_spki_key + 0, asn1_spki_key_items, NULL, 1);
|
sc_format_asn1_entry(asn1_spki_key + 0, asn1_spki_key_items, NULL, 1);
|
||||||
sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1);
|
sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1);
|
||||||
sc_format_asn1_entry(asn1_spki_key_items + 1, pubkey->u.ec.ecpointQ.value, &key_len, 1);
|
sc_format_asn1_entry(asn1_spki_key_items + 1, pkey.value, &key_len, 1);
|
||||||
|
|
||||||
r = sc_asn1_encode(ctx, asn1_spki_key, buf, len);
|
r = sc_asn1_encode(ctx, asn1_spki_key, buf, len);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (pkey.len && pkey.value)
|
||||||
|
free(pkey.value);
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Encode public key in a format that preserves key parameter
|
|
||||||
*
|
|
||||||
* EC key are encoded as Subject Public Key Info per RFC5280
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
sc_pkcs15_encode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
|
|
||||||
u8 **buf, size_t *len)
|
|
||||||
{
|
|
||||||
if (key->algorithm != SC_ALGORITHM_EC)
|
|
||||||
return sc_pkcs15_encode_pubkey(ctx, key, buf, len);
|
|
||||||
else
|
|
||||||
return sc_pkcs15_encode_pubkey_ec_spki(ctx, key, buf, len);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
int
|
int
|
||||||
sc_pkcs15_decode_pubkey(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
|
sc_pkcs15_decode_pubkey(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
|
||||||
const u8 *buf, size_t len)
|
const u8 *buf, size_t len)
|
||||||
|
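Review bot: In the new GOSTR3410 branch `pubkey->alg_id->params = &pubkey->u.gostr3410.params;` dereferences `pubkey->alg_id` with no NULL check, and every branch then hands `pubkey->alg_id` to `sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1);`; the `alg_id` allocation this same commit adds to sc_hsm_decode_gakp_rsa suggests callers have not always populated it. A guard before the switch, `if (pubkey->alg_id == NULL) return SC_ERROR_INVALID_ARGUMENTS;`, turns that into a reported error instead of a crash. The GOST branch also rewrites the caller's `alg_id->params` pointer as a side effect of an encode call, which the TODO on that line already flags; if it stays, the header comment should state that the key object is modified. The function is fully visible in this hunk.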
@ -745,8 +766,10 @@ int
|
||||||
sc_pkcs15_decode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
|
sc_pkcs15_decode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key,
|
||||||
const u8 *buf, size_t len)
|
const u8 *buf, size_t len)
|
||||||
{
|
{
|
||||||
if ((key->algorithm == SC_ALGORITHM_EC) && (*buf == 0x30)) {
|
/* We assume all algrothims allow SPKI which starts with a sequence*/
|
||||||
// Decode EC Public Key from SPKI
|
|
||||||
|
if (*buf == 0x30) {
|
||||||
|
/* Decode Public Key from SPKI */
|
||||||
return sc_pkcs15_copy_pubkey_from_spki_object(ctx, buf, len, key);
|
return sc_pkcs15_copy_pubkey_from_spki_object(ctx, buf, len, key);
|
||||||
} else {
|
} else {
|
||||||
key->data.value = (u8 *)buf;
|
key->data.value = (u8 *)buf;
|
||||||
|
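Review bot: The widened check `if (*buf == 0x30)` cannot distinguish an SPKI from a raw `RSAPublicKey`, which is also a DER SEQUENCE and therefore also starts with 0x30; with the EC restriction removed, an RSA key stored in the plain PKCS#15 form is now routed to `sc_pkcs15_copy_pubkey_from_spki_object` with no fallback. It also reads `*buf` before `len` has been checked. I would attempt the SPKI parse and fall back to the raw path when it fails: `if (len > 0 && *buf == 0x30) { int r = sc_pkcs15_copy_pubkey_from_spki_object(ctx, buf, len, key); if (r == 0) return r; }` followed by the existing `key->data.value = (u8 *)buf;` branch. The rest of the function body lies outside the hunk.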
@ -1025,7 +1048,7 @@ sc_pkcs15_read_der_file(sc_context_t *ctx, char * filename,
|
||||||
*buf = rbuf;
|
*buf = rbuf;
|
||||||
rbuf = NULL;
|
rbuf = NULL;
|
||||||
r = rbuflen;
|
r = rbuflen;
|
||||||
out:
|
out:
|
||||||
if (rbuf)
|
if (rbuf)
|
||||||
free(rbuf);
|
free(rbuf);
|
||||||
if (f > 0)
|
if (f > 0)
|
||||||
|
@ -1132,7 +1155,7 @@ sc_pkcs15_pubkey_from_spki(sc_context_t *ctx, sc_pkcs15_pubkey_t ** outpubkey,
|
||||||
pubkey = NULL;
|
pubkey = NULL;
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err:
|
err:
|
||||||
if (pubkey)
|
if (pubkey)
|
||||||
free(pubkey);
|
free(pubkey);
|
||||||
if (pk.value)
|
if (pk.value)
|
||||||
|
|
|
@ -690,7 +690,7 @@ int sc_pkcs15_decode_pubkey(struct sc_context *,
|
||||||
struct sc_pkcs15_pubkey *, const u8 *, size_t);
|
struct sc_pkcs15_pubkey *, const u8 *, size_t);
|
||||||
int sc_pkcs15_encode_pubkey(struct sc_context *,
|
int sc_pkcs15_encode_pubkey(struct sc_context *,
|
||||||
struct sc_pkcs15_pubkey *, u8 **, size_t *);
|
struct sc_pkcs15_pubkey *, u8 **, size_t *);
|
||||||
int sc_pkcs15_encode_pubkey_with_param(struct sc_context *,
|
int sc_pkcs15_encode_pubkey_as_spki(struct sc_context *,
|
||||||
struct sc_pkcs15_pubkey *, u8 **, size_t *);
|
struct sc_pkcs15_pubkey *, u8 **, size_t *);
|
||||||
void sc_pkcs15_erase_pubkey(struct sc_pkcs15_pubkey *);
|
void sc_pkcs15_erase_pubkey(struct sc_pkcs15_pubkey *);
|
||||||
void sc_pkcs15_free_pubkey(struct sc_pkcs15_pubkey *);
|
void sc_pkcs15_free_pubkey(struct sc_pkcs15_pubkey *);
|
||||||
|
|
|
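Review bot: The renamed export `int sc_pkcs15_encode_pubkey_as_spki(struct sc_context *, struct sc_pkcs15_pubkey *, u8 **, size_t *);` carries no documentation, and as a public libopensc entry point its ownership contract matters: the implementation obtains `*buf` from `sc_asn1_encode` and pkcs15-tool frees it after use, so the caller owns the buffer. I would add above the prototype `/* DER-encode pubkey as a SubjectPublicKeyInfo; on success *buf is allocated and must be freed by the caller */`. The key parameter is also left non-const because encoding rewrites `alg_id->params` for GOST keys, which is worth stating in the same comment.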
@ -1552,7 +1552,7 @@ sc_pkcs15init_store_public_key(struct sc_pkcs15_card *p15card,
|
||||||
|
|
||||||
/* DER encode public key components */
|
/* DER encode public key components */
|
||||||
/* EC key are encoded as SPKI to preserve domain parameter */
|
/* EC key are encoded as SPKI to preserve domain parameter */
|
||||||
r = sc_pkcs15_encode_pubkey_with_param(p15card->card->ctx, &key, &object->content.value, &object->content.len);
|
r = sc_pkcs15_encode_pubkey_as_spki(p15card->card->ctx, &key, &object->content.value, &object->content.len);
|
||||||
LOG_TEST_RET(ctx, r, "Encode public key error");
|
LOG_TEST_RET(ctx, r, "Encode public key error");
|
||||||
|
|
||||||
/* Now create key file and store key */
|
/* Now create key file and store key */
|
||||||
|
|
|
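Review bot: The comment `/* EC key are encoded as SPKI to preserve domain parameter */` directly above the changed call is now stale, since `sc_pkcs15_encode_pubkey_as_spki` wraps every algorithm, not only EC, in a SubjectPublicKeyInfo. I would reword it to `/* Public keys are stored as SPKI so algorithm parameters (e.g. EC domain parameters) are preserved */`. The enclosing sc_pkcs15init_store_public_key starts and ends outside the hunk.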
@ -341,6 +341,14 @@ static int sc_hsm_decode_gakp_rsa(struct sc_pkcs15_card *p15card,
|
||||||
}
|
}
|
||||||
|
|
||||||
pubkey->algorithm = SC_ALGORITHM_RSA;
|
pubkey->algorithm = SC_ALGORITHM_RSA;
|
||||||
|
|
||||||
|
pubkey->alg_id = (struct sc_algorithm_id *)calloc(1, sizeof(struct sc_algorithm_id));
|
||||||
|
if (!pubkey->alg_id) {
|
||||||
|
LOG_FUNC_RETURN(p15card->card->ctx, SC_ERROR_OUT_OF_MEMORY);
|
||||||
|
}
|
||||||
|
|
||||||
|
pubkey->alg_id->algorithm = SC_ALGORITHM_RSA;
|
||||||
|
|
||||||
pubkey->u.rsa.modulus.len = cvc->primeOrModuluslen;
|
pubkey->u.rsa.modulus.len = cvc->primeOrModuluslen;
|
||||||
pubkey->u.rsa.modulus.data = malloc(pubkey->u.rsa.modulus.len);
|
pubkey->u.rsa.modulus.data = malloc(pubkey->u.rsa.modulus.len);
|
||||||
pubkey->u.rsa.exponent.len = sizeof(pubexp);
|
pubkey->u.rsa.exponent.len = sizeof(pubexp);
|
||||||
|
|
|
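Review bot: The added `pubkey->alg_id = (struct sc_algorithm_id *)calloc(1, sizeof(struct sc_algorithm_id));` casts the result of calloc, which is unnecessary in C and hides a missing `<stdlib.h>`; `pubkey->alg_id = calloc(1, sizeof *pubkey->alg_id);` ties the size to the variable. The early `LOG_FUNC_RETURN(... SC_ERROR_OUT_OF_MEMORY)` returns with `pubkey->algorithm` already set and, presumably, other fields of `pubkey` partially filled — whether the caller frees that object on error is not visible here and is worth confirming. The enclosing sc_hsm_decode_gakp_rsa starts and ends outside the hunk.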
@ -639,6 +639,9 @@ static int read_public_key(void)
|
||||||
sc_pkcs15_cert_t *cert = NULL;
|
sc_pkcs15_cert_t *cert = NULL;
|
||||||
sc_pkcs15_der_t pem_key;
|
sc_pkcs15_der_t pem_key;
|
||||||
|
|
||||||
|
pem_key.value = NULL;
|
||||||
|
pem_key.len = 0;
|
||||||
|
|
||||||
id.len = SC_PKCS15_MAX_ID_SIZE;
|
id.len = SC_PKCS15_MAX_ID_SIZE;
|
||||||
sc_pkcs15_hex_string_to_id(opt_pubkey, &id);
|
sc_pkcs15_hex_string_to_id(opt_pubkey, &id);
|
||||||
|
|
||||||
|
@ -674,6 +677,17 @@ static int read_public_key(void)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fprintf(stderr, "Using sc_pkcs15_encode_pubkey_as_spki:\n");
|
||||||
|
r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len);
|
||||||
|
if (r < 0) {
|
||||||
|
fprintf(stderr, "Error encoding PEM key: %s\n", sc_strerror(r));
|
||||||
|
r = 1;
|
||||||
|
} else {
|
||||||
|
r = print_pem_object("PUBLIC KEY", pem_key.value, pem_key.len);
|
||||||
|
free(pem_key.value);
|
||||||
|
}
|
||||||
|
|
||||||
|
fprintf(stderr, "Using pubkey_pem_encode:\n");
|
||||||
r = pubkey_pem_encode(pubkey, &pubkey->data, &pem_key);
|
r = pubkey_pem_encode(pubkey, &pubkey->data, &pem_key);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
fprintf(stderr, "Error encoding PEM key: %s\n", sc_strerror(r));
|
fprintf(stderr, "Error encoding PEM key: %s\n", sc_strerror(r));
|
||||||
|
|