From 4604dac3a7aeb7f85b81c6b14cef8daf4e9af714 Mon Sep 17 00:00:00 2001
From: Andreas Schwier
Date: Thu, 29 Aug 2013 11:18:44 +0200
Subject: [PATCH 1/5] sc-hsm: Fixed memory checking and removed warning
---
 src/libopensc/card-sc-hsm.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
index e25a5503..ea9bf324 100644
--- a/src/libopensc/card-sc-hsm.c
+++ b/src/libopensc/card-sc-hsm.c
@@ -607,9 +607,10 @@ static int sc_hsm_get_serialnr(sc_card_t *card, sc_serial_number_t *serial)
 }
 serial->len = strlen(priv->serialno);
- /* FIXME the length to copy should be dependant on the size of
- * serial->value *and* priv->serialno */
- strncpy(serial->value, priv->serialno, sizeof(serial->value));
+ if (serial->len > sizeof(serial->value))
+ serial->len = sizeof(serial->value);
+
+ memcpy(serial->value, priv->serialno, serial->len);
 LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
 }
From 633c98e9ee39b61494ad04f28f14c8ef5e687095 Mon Sep 17 00:00:00 2001
From: Andreas Schwier
Date: Wed, 23 Oct 2013 20:59:46 +0200
Subject: [PATCH 2/5] sc-hsm: Removed compiler warning
---
 src/pkcs15init/pkcs15-sc-hsm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/pkcs15init/pkcs15-sc-hsm.c b/src/pkcs15init/pkcs15-sc-hsm.c
index 0508f0c5..060c8249 100644
--- a/src/pkcs15init/pkcs15-sc-hsm.c
+++ b/src/pkcs15init/pkcs15-sc-hsm.c
@@ -265,7 +265,7 @@ static int sc_hsm_encode_gakp_ec(struct sc_pkcs15_card *p15card, sc_cvc_t *cvc,
 struct sc_pkcs15_ec_parameters *ecparams = (struct sc_pkcs15_ec_parameters *)key_info->params.data;
 struct ec_curve *curve = NULL;
 u8 *curveoid;
- int curveoidlen, r;
+ int curveoidlen;
 LOG_FUNC_CALLED(p15card->card->ctx);
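Review bot: In sc_hsm_get_serialnr the new clamp shortens an over-long `priv->serialno` to `sizeof(serial->value)` and still returns SC_SUCCESS, so a caller cannot tell a truncated serial number from a complete one. If the serial is used to tell tokens apart, I would fail the call or at least record the truncation inside the `if`, e.g. `sc_log(card->ctx, "serial number truncated to %u bytes", (unsigned)serial->len);`. Unlike the removed strncpy, memcpy leaves the remainder of `serial->value` untouched, so consumers must rely on `serial->len` alone; a one-line comment saying so would help. The function starts above the hunk, so whether `priv->serialno` can be NULL at the strlen call is not visible here.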
@@ -277,7 +277,7 @@ static int sc_hsm_encode_gakp_ec(struct sc_pkcs15_card *p15card, sc_cvc_t *cvc, curveoidlen = *curveoid++; - r = sc_hsm_get_curve(p15card, &curve, curveoid, curveoidlen); + sc_hsm_get_curve(p15card, &curve, curveoid, curveoidlen); cvc->primeOrModuluslen = curve->prime.len; cvc->primeOrModulus = malloc(cvc->primeOrModuluslen); From 3a6e7ba95934116c681dd2c41b6ed90e3b64980e Mon Sep 17 00:00:00 2001 From: Andreas Schwier Date: Fri, 15 Nov 2013 11:38:51 +0100 Subject: [PATCH 3/5] pkcs15: Changed encoding for EC public keys in PuKDF to SPKI rather than ECPoint, preserving domain parameter --- src/libopensc/pkcs15-algo.c | 22 ++++-- src/libopensc/pkcs15-pubkey.c | 130 +++++++++++++++++++++++++++++---- src/libopensc/pkcs15.h | 2 + src/pkcs15init/pkcs15-lib.c | 3 +- src/pkcs15init/pkcs15-sc-hsm.c | 1 + 5 files changed, 136 insertions(+), 22 deletions(-) diff --git a/src/libopensc/pkcs15-algo.c b/src/libopensc/pkcs15-algo.c index 6f43435f..ce06f4e6 100644 --- a/src/libopensc/pkcs15-algo.c +++ b/src/libopensc/pkcs15-algo.c @@ -315,13 +315,23 @@ static int asn1_encode_ec_params(sc_context_t *ctx, void *params, u8 **buf, size_t *buflen, int depth) { - int r; - /* TODO: -DEE EC paramameters are DER so is there anything to do? */ - /* I have not needed this yet */ - sc_debug(ctx, SC_LOG_DEBUG_ASN1, "DEE - asn1_encode_ec_params"); - r = SC_ERROR_NOT_IMPLEMENTED; + struct sc_ec_params * ecp = (struct sc_ec_params *) params; - return r; + /* Only handle named curves. They may be absent too */ + sc_debug(ctx, SC_LOG_DEBUG_ASN1, "DEE - asn1_encode_ec_params"); + *buf = NULL; + *buflen = 0; + if (ecp && ecp->type == 1 && ecp->der) { /* named curve */ + *buf = malloc(ecp->der_len); + if (*buf == NULL) + return SC_ERROR_OUT_OF_MEMORY; + + memcpy(*buf, ecp->der, ecp->der_len); + *buflen = ecp->der_len; + } else + sc_debug(ctx, SC_LOG_DEBUG_ASN1, "DEE - Not named curve"); + + return 0; } static void 
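Review bot: The result of sc_hsm_get_curve is now discarded in sc_hsm_encode_gakp_ec, yet the next line reads `curve->prime.len` while `curve` was initialised to NULL in the declarations shown in the previous hunk. If the lookup fails for a curve OID it does not recognise (the OID bytes come from `key_info->params.data`), that is presumably a NULL dereference. I would keep `r` and test it: `r = sc_hsm_get_curve(p15card, &curve, curveoid, curveoidlen);` followed by `LOG_TEST_RET(p15card->card->ctx, r, "Unsupported curve");`. Whether the `malloc` result on the last context line is checked lies outside the hunk.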
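Review bot: In asn1_encode_ec_params the named-curve branch calls `malloc(ecp->der_len)` without checking that `der_len` is non-zero; `malloc(0)` may return NULL, which this code would then report as SC_ERROR_OUT_OF_MEMORY. Extending the guard to `if (ecp && ecp->type == 1 && ecp->der && ecp->der_len > 0) {` sends that case down the existing "Not named curve" path instead. The literal `1` is written again in sc_hsm_decode_gakp_ec later in this patch (`ecp->type = 1; // Named curve`); a named constant shared by both places would be easier to audit. Parameters that are not a named curve now yield an empty buffer with return value 0, so they are left out of the encoding; the comment above the check could state that this is intended.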
diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c index 834a6262..8371141e 100644 --- a/src/libopensc/pkcs15-pubkey.c +++ b/src/libopensc/pkcs15-pubkey.c @@ -669,6 +669,58 @@ sc_pkcs15_encode_pubkey(sc_context_t *ctx, struct sc_pkcs15_pubkey *key, return SC_ERROR_NOT_SUPPORTED; } + +static const struct sc_asn1_entry c_asn1_spki_key_items[] = { + { "algorithm", SC_ASN1_ALGORITHM_ID, SC_ASN1_CONS| SC_ASN1_TAG_SEQUENCE, 0, NULL, NULL}, + { "key", SC_ASN1_BIT_STRING_NI, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } +}; + +static const struct sc_asn1_entry c_asn1_spki_key[] = { + { "publicKey", SC_ASN1_STRUCT, SC_ASN1_CONS | SC_ASN1_TAG_SEQUENCE, 0, NULL, NULL}, + { NULL, 0, 0, 0, NULL, NULL } +}; + + +int +sc_pkcs15_encode_pubkey_ec_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey, + u8 **buf, size_t *len) +{ + int r; + struct sc_asn1_entry asn1_spki_key[2], + asn1_spki_key_items[3]; + size_t key_len; + + key_len = pubkey->u.ec.ecpointQ.len * 8; + + sc_copy_asn1_entry(c_asn1_spki_key, asn1_spki_key); + sc_copy_asn1_entry(c_asn1_spki_key_items, asn1_spki_key_items); + sc_format_asn1_entry(asn1_spki_key + 0, asn1_spki_key_items, NULL, 1); + sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1); + sc_format_asn1_entry(asn1_spki_key_items + 1, pubkey->u.ec.ecpointQ.value, &key_len, 1); + + r = sc_asn1_encode(ctx, asn1_spki_key, buf, len); + + return r; +} + + +/* + * Encode public key in a format that preserves key parameter + * + * EC key are encoded as Subject Public Key Info per RFC5280 + */ +int +sc_pkcs15_encode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key, + u8 **buf, size_t *len) +{ + if (key->algorithm != SC_ALGORITHM_EC) + return sc_pkcs15_encode_pubkey(ctx, key, buf, len); + else + return sc_pkcs15_encode_pubkey_ec_spki(ctx, key, buf, len); +} + + int sc_pkcs15_decode_pubkey(sc_context_t *ctx, struct sc_pkcs15_pubkey *key, const u8 *buf, size_t len) 
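Review bot: sc_pkcs15_encode_pubkey_ec_spki passes `pubkey->alg_id` and `pubkey->u.ec.ecpointQ.value` to the ASN.1 encoder without checking that either is set. Within this series only sc_hsm_decode_gakp_ec is shown filling `alg_id`, so a key built on another path may arrive with a NULL pointer; a guard at the top such as `if (!pubkey->alg_id || !pubkey->u.ec.ecpointQ.value) return SC_ERROR_INVALID_ARGUMENTS;` would turn that into an error return. The function also gets external linkage although pkcs15.h only gains a prototype for sc_pkcs15_encode_pubkey_with_param, so `static` would fit unless it is meant to be exported.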
@@ -681,10 +733,29 @@ sc_pkcs15_decode_pubkey(sc_context_t *ctx, struct sc_pkcs15_pubkey *key, return sc_pkcs15_decode_pubkey_gostr3410(ctx, &key->u.gostr3410, buf, len); if (key->algorithm == SC_ALGORITHM_EC) return sc_pkcs15_decode_pubkey_ec(ctx, &key->u.ec, buf, len); + sc_log(ctx, "Decoding of public key type %u not supported", key->algorithm); return SC_ERROR_NOT_SUPPORTED; } + +int sc_pkcs15_copy_pubkey_from_spki_object(sc_context_t *ctx, const u8 *buf, size_t buflen,sc_pkcs15_pubkey_t *pubkey); + +int +sc_pkcs15_decode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key, + const u8 *buf, size_t len) +{ + if ((key->algorithm == SC_ALGORITHM_EC) && (*buf == 0x30)) { + // Decode EC Public Key from SPKI + return sc_pkcs15_copy_pubkey_from_spki_object(ctx, buf, len, key); + } else { + key->data.value = (u8 *)buf; + key->data.len = len; + return sc_pkcs15_decode_pubkey(ctx, key, buf, len); + } +} + + /* * Read public key. */ @@ -723,6 +794,7 @@ sc_pkcs15_read_pubkey(struct sc_pkcs15_card *p15card, const struct sc_pkcs15_obj sc_log(ctx, "Content (%p, %i)", obj->content.value, obj->content.len); if (obj->content.value && obj->content.len) { /* public key data is present as 'direct' value of pkcs#15 object */ + /* For EC keys this can be either ECPoint or SPKI */ data = calloc(1, obj->content.len); if (!data) LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); @@ -731,7 +803,7 @@ sc_pkcs15_read_pubkey(struct sc_pkcs15_card *p15card, const struct sc_pkcs15_obj } else if (p15card->card->ops->read_public_key) { r = p15card->card->ops->read_public_key(p15card->card, algorithm, - &info->path, info->key_reference, info->modulus_length, + (struct sc_path *)&info->path, info->key_reference, info->modulus_length, &data, &len); LOG_TEST_RET(ctx, r, "Card specific 'read-public' procedure failed."); } 
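Review bot: sc_pkcs15_decode_pubkey_with_param reads `*buf` to detect a SEQUENCE tag before checking that `buf` is non-NULL and `len` is at least 1, and the bytes originate from the card or a PKCS#15 object. Adding `if (buf == NULL || len == 0) return SC_ERROR_INVALID_ASN1_OBJECT;` as the first statement closes that. In the else branch `key->data.value = (u8 *)buf;` casts away const and stores the caller's buffer in the key, so the key presumably ends up owning memory it received through a `const` pointer. A comment on the function stating who frees `buf` in each branch would make that contract explicit.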
@@ -739,7 +811,7 @@ sc_pkcs15_read_pubkey(struct sc_pkcs15_card *p15card, const struct sc_pkcs15_obj r = sc_pkcs15_read_file(p15card, &info->path, &data, &len); LOG_TEST_RET(ctx, r, "Failed to read public key file."); } - else { + else { LOG_TEST_RET(ctx, SC_ERROR_NOT_IMPLEMENTED, "No way to get public key"); } @@ -751,10 +823,9 @@ sc_pkcs15_read_pubkey(struct sc_pkcs15_card *p15card, const struct sc_pkcs15_obj free(data); LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY); } + pubkey->algorithm = algorithm; - pubkey->data.value = data; - pubkey->data.len = len; - if (sc_pkcs15_decode_pubkey(ctx, pubkey, data, len)) { + if (sc_pkcs15_decode_pubkey_with_param(ctx, pubkey, data, len)) { free(data); free(pubkey); LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ASN1_OBJECT); @@ -1051,7 +1122,7 @@ sc_pkcs15_pubkey_from_spki(sc_context_t *ctx, sc_pkcs15_pubkey_t ** outpubkey, break; } - /* Now decode what every is in pk as it depends on the key algorthim */ + /* Now decode what ever is in pk as it depends on the key algorithm */ r = sc_pkcs15_decode_pubkey(ctx, pubkey, pubkey->data.value, pubkey->data.len); if (r < 0) @@ -1067,11 +1138,30 @@ err: if (pk.value) free(pk.value); - LOG_TEST_RET(ctx, r, "ASN.1 parsing of subjectPubkeyInfo failed"); + LOG_TEST_RET(ctx, r, "ASN.1 parsing of subjectPubkeyInfo failed"); LOG_FUNC_RETURN(ctx, r); } +int +sc_pkcs15_pubkey_from_spki_object(sc_context_t *ctx, const u8 *buf, size_t buflen, + sc_pkcs15_pubkey_t ** outpubkey) +{ + int r; + sc_pkcs15_pubkey_t * pubkey = NULL; + struct sc_asn1_entry asn1_spki[] = { + { "PublicKeyInfo",SC_ASN1_CALLBACK, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, sc_pkcs15_pubkey_from_spki, &pubkey}, + { NULL, 0, 0, 0, NULL, NULL } }; + + *outpubkey = NULL; + + r = sc_asn1_decode(ctx, asn1_spki, buf, buflen, NULL, NULL); + + *outpubkey = pubkey; + return r; +} + + int sc_pkcs15_pubkey_from_spki_filename(sc_context_t *ctx, char * filename, sc_pkcs15_pubkey_t ** outpubkey) 
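Review bot: In sc_pkcs15_read_pubkey (hunk at -751) the buffer `data` is no longer attached to `pubkey` by the caller, and on the SPKI branch of sc_pkcs15_decode_pubkey_with_param the key is overwritten with a separately decoded copy, so `data` appears to be leaked when decoding succeeds. Unless it is released after the hunk, which ends right after the error path, I would add after the decode call `if (pubkey->data.value != data) free(data);`. That keeps the non-SPKI branch unchanged, where `key->data.value` is set to the same buffer.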
@@ -1079,25 +1169,36 @@ sc_pkcs15_pubkey_from_spki_filename(sc_context_t *ctx, char * filename, int r; u8 * buf = NULL; size_t buflen = 0; - sc_pkcs15_pubkey_t * pubkey = NULL; - struct sc_asn1_entry asn1_spki[] = { - { "PublicKeyInfo",SC_ASN1_CALLBACK, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, sc_pkcs15_pubkey_from_spki, &pubkey}, - { NULL, 0, 0, 0, NULL, NULL } }; - *outpubkey = NULL; r = sc_pkcs15_read_der_file(ctx, filename, &buf, &buflen); if (r < 0) return r; - r = sc_asn1_decode(ctx, asn1_spki, buf, buflen, NULL, NULL); + r = sc_pkcs15_pubkey_from_spki_object(ctx, buf, buflen, outpubkey); if (buf) free(buf); - *outpubkey = pubkey; + return r; } +int +sc_pkcs15_copy_pubkey_from_spki_object(sc_context_t *ctx, const u8 *buf, size_t buflen, sc_pkcs15_pubkey_t *pubkey) +{ + int r; + sc_pkcs15_pubkey_t *outpubkey = NULL; + + r = sc_pkcs15_pubkey_from_spki_object(ctx, buf, buflen, &outpubkey); + if (r < 0) + return r; + + sc_pkcs15_erase_pubkey(pubkey); + *pubkey = *outpubkey; + return 0; +} + + static struct ec_curve_info { const char *name; const char *oid_str; @@ -1311,4 +1412,3 @@ sc_pkcs15_convert_pubkey(struct sc_pkcs15_pubkey *pkcs15_key, void *evp_key) return SC_ERROR_NOT_IMPLEMENTED; #endif } - diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h index 05b4f269..b05c50fc 100644 --- a/src/libopensc/pkcs15.h +++ b/src/libopensc/pkcs15.h @@ -690,6 +690,8 @@ int sc_pkcs15_decode_pubkey(struct sc_context *, struct sc_pkcs15_pubkey *, const u8 *, size_t); int sc_pkcs15_encode_pubkey(struct sc_context *, struct sc_pkcs15_pubkey *, u8 **, size_t *); +int sc_pkcs15_encode_pubkey_with_param(struct sc_context *, + struct sc_pkcs15_pubkey *, u8 **, size_t *); void sc_pkcs15_erase_pubkey(struct sc_pkcs15_pubkey *); void sc_pkcs15_free_pubkey(struct sc_pkcs15_pubkey *); int sc_pkcs15_pubkey_from_prvkey(struct sc_context *, struct sc_pkcs15_prkey *, diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c index b2f12b20..bfb45154 100644 
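Review bot: In sc_pkcs15_copy_pubkey_from_spki_object the statement `*pubkey = *outpubkey;` copies the struct by value, but the container that sc_pkcs15_pubkey_from_spki_object allocated is never freed, so every SPKI decode leaks one sc_pkcs15_pubkey_t. `outpubkey` is also dereferenced without a NULL check when `r` is not negative. I would add `if (!outpubkey) return SC_ERROR_INVALID_ASN1_OBJECT;` before the erase and `free(outpubkey);` directly after the assignment; only the container should be freed there, because its members now belong to `*pubkey`.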
--- a/src/pkcs15init/pkcs15-lib.c +++ b/src/pkcs15init/pkcs15-lib.c @@ -1551,7 +1551,8 @@ sc_pkcs15init_store_public_key(struct sc_pkcs15_card *p15card, key_info->id = keyargs->id; /* DER encode public key components */ - r = sc_pkcs15_encode_pubkey(p15card->card->ctx, &key, &object->content.value, &object->content.len); + /* EC key are encoded as SPKI to preserve domain parameter */ + r = sc_pkcs15_encode_pubkey_with_param(p15card->card->ctx, &key, &object->content.value, &object->content.len); LOG_TEST_RET(ctx, r, "Encode public key error"); /* Now create key file and store key */ diff --git a/src/pkcs15init/pkcs15-sc-hsm.c b/src/pkcs15init/pkcs15-sc-hsm.c index 060c8249..69d0c83e 100644 --- a/src/pkcs15init/pkcs15-sc-hsm.c +++ b/src/pkcs15init/pkcs15-sc-hsm.c @@ -381,6 +381,7 @@ static int sc_hsm_decode_gakp_ec(struct sc_pkcs15_card *p15card, ecp->der_len = ecparams->der.len; memcpy(ecp->der, ecparams->der.value, ecp->der_len); + ecp->type = 1; // Named curve pubkey->alg_id = (struct sc_algorithm_id *)calloc(1, sizeof(struct sc_algorithm_id)); if (!pubkey->alg_id) { From 09e5a9fa7f09e3cbab72189b8f2eedaaacc24d01 Mon Sep 17 00:00:00 2001 From: Andreas Schwier Date: Thu, 5 Dec 2013 14:26:49 +0100 Subject: [PATCH 4/5] pkcs11: Fixed typo --- src/libopensc/pkcs15-pubkey.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c index 8371141e..b6ca988a 100644 --- a/src/libopensc/pkcs15-pubkey.c +++ b/src/libopensc/pkcs15-pubkey.c @@ -1122,7 +1122,7 @@ sc_pkcs15_pubkey_from_spki(sc_context_t *ctx, sc_pkcs15_pubkey_t ** outpubkey, break; } - /* Now decode what ever is in pk as it depends on the key algorithm */ + /* Now decode whatever is in pk as it depends on the key algorithm */ r = sc_pkcs15_decode_pubkey(ctx, pubkey, pubkey->data.value, pubkey->data.len); if (r < 0) From d4be8ec747ae2f665f1b95e13f1210ed10fcaf12 Mon Sep 17 00:00:00 2001 
From: Andreas Schwier Date: Fri, 6 Dec 2013 09:23:57 +0100 Subject: [PATCH 5/5] sc_pkcs15_encode_pubkey_as_spki replaces sc_pkcs15_encode_pubkey_with_param. The name implies what the format of the returned value, a SPKI. The support for spki as a pkcs15 format of a pubkey, is extended to work for any algorithm not just EC pubkeys. PKCS#15 appears to allow this. sc_pkcs15_decode_pubkey_with_param will look for a SPKI and attempt to use it for any algorithm, including RSA. (RSA is the null case, as there are no algorithm parameters.) sc_pkcs15_encode_pubkey_as_spki is exported from libopensc. pkcs15-piv.c will use sc_pkcs15_encode_pubkey_as_spki to load public keys as SPKI for RSA and EC. The pubkey->data is never a SPKI, it is the DER encoding of the pubkey without the parameters. If an spki is needed, use the sc_pkcs15_encode_pubkey_as_spki to get the DER encoding of the spki. As in the previous set of patches, pkcs15-tool.c will output both sc_pkcs15_decode_pubkey_with_param and its internal. This was left for testing, and the pubkey_pem_encode should be deleted --- src/libopensc/libopensc.exports | 1 + src/libopensc/pkcs15-piv.c | 8 +- src/libopensc/pkcs15-pubkey.c | 305 +++++++++++++++++--------------- src/libopensc/pkcs15.h | 2 +- src/pkcs15init/pkcs15-lib.c | 2 +- src/pkcs15init/pkcs15-sc-hsm.c | 8 + src/tools/pkcs15-tool.c | 14 ++ 7 files changed, 196 insertions(+), 144 deletions(-) diff --git a/src/libopensc/libopensc.exports b/src/libopensc/libopensc.exports index b3059289..c61ede46 100644 --- a/src/libopensc/libopensc.exports +++ b/src/libopensc/libopensc.exports @@ -163,6 +163,7 @@ sc_pkcs15_encode_pubkey_dsa sc_pkcs15_encode_pubkey_rsa sc_pkcs15_encode_pubkey_ec sc_pkcs15_encode_pubkey_gostr3410 +sc_pkcs15_encode_pubkey_as_spki sc_pkcs15_encode_pukdf_entry sc_pkcs15_encode_tokeninfo sc_pkcs15_encode_unusedspace diff --git a/src/libopensc/pkcs15-piv.c b/src/libopensc/pkcs15-piv.c index ff57fc3d..d4bb9d61 100644 --- a/src/libopensc/pkcs15-piv.c 
+++ b/src/libopensc/pkcs15-piv.c @@ -878,6 +878,10 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label); &p15_key); if (r < 0) continue; + + /* Lets also try another method. */ + sc_pkcs15_encode_pubkey_as_spki(card->ctx,p15_key, + &pubkey_obj.content.value, &pubkey_obj.content.len); /* Only get here if no cert, and the the above found the * pub key file (actually the SPKI version). This only @@ -911,7 +915,9 @@ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "DEE Adding pin %d label=%s",i, label); p15_key = NULL; } else if (ckis[i].pubkey_from_cert && ckis[i].pubkey_from_cert->data.value) { - sc_der_copy(&pubkey_obj.content, &ckis[i].pubkey_from_cert->data); + sc_pkcs15_encode_pubkey_as_spki(card->ctx,ckis[i].pubkey_from_cert, + &pubkey_obj.content.value, &pubkey_obj.content.len); +// sc_der_copy(&pubkey_obj.content, &ckis[i].pubkey_from_cert->data); pubkey_obj.emulated = ckis[i].pubkey_from_cert; } diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c index b6ca988a..b83d580d 100644 --- a/src/libopensc/pkcs15-pubkey.c +++ b/src/libopensc/pkcs15-pubkey.c 
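Review bot: Both new calls to sc_pkcs15_encode_pubkey_as_spki in pkcs15-piv.c (hunks at -878 and -911) ignore the return value, so on an encoding failure `pubkey_obj.content` keeps whatever it held before and the object is still processed. In the first hunk the preceding call already uses `if (r < 0) continue;`, and the same pattern fits here: `r = sc_pkcs15_encode_pubkey_as_spki(card->ctx, p15_key, &pubkey_obj.content.value, &pubkey_obj.content.len);` followed by that check. In the second hunk the failure should be handled before `pubkey_obj.emulated` is assigned. The commented-out `// sc_der_copy(...)` line is better deleted than kept in the source.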
@@ -36,124 +36,124 @@ #include #include #if OPENSSL_VERSION_NUMBER >= 0x10000000L - #ifndef OPENSSL_NO_EC - #include - #endif +#ifndef OPENSSL_NO_EC +#include +#endif #endif #endif #define C_ASN1_PKINFO_ATTR_SIZE 3 static const struct sc_asn1_entry c_asn1_pkinfo[C_ASN1_PKINFO_ATTR_SIZE] = { - { "algorithm", SC_ASN1_ALGORITHM_ID, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { "subjectPublicKey", SC_ASN1_BIT_STRING_NI, SC_ASN1_TAG_BIT_STRING, SC_ASN1_ALLOC, NULL, NULL}, - { NULL, 0, 0, 0, NULL, NULL } + { "algorithm", SC_ASN1_ALGORITHM_ID, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { "subjectPublicKey", SC_ASN1_BIT_STRING_NI, SC_ASN1_TAG_BIT_STRING, SC_ASN1_ALLOC, NULL, NULL}, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_COM_KEY_ATTR_SIZE 6 static const struct sc_asn1_entry c_asn1_com_key_attr[C_ASN1_COM_KEY_ATTR_SIZE] = { - { "iD", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL }, - { "usage", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL }, - { "native", SC_ASN1_BOOLEAN, SC_ASN1_TAG_BOOLEAN, SC_ASN1_OPTIONAL, NULL, NULL }, - { "accessFlags", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, SC_ASN1_OPTIONAL, NULL, NULL }, - { "keyReference",SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "iD", SC_ASN1_PKCS15_ID, SC_ASN1_TAG_OCTET_STRING, 0, NULL, NULL }, + { "usage", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL }, + { "native", SC_ASN1_BOOLEAN, SC_ASN1_TAG_BOOLEAN, SC_ASN1_OPTIONAL, NULL, NULL }, + { "accessFlags", SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, SC_ASN1_OPTIONAL, NULL, NULL }, + { "keyReference",SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_COM_PUBKEY_ATTR_SIZE 2 static const struct sc_asn1_entry c_asn1_com_pubkey_attr[C_ASN1_COM_PUBKEY_ATTR_SIZE] = { - { "subjectName", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, - SC_ASN1_EMPTY_ALLOWED | SC_ASN1_ALLOC 
| SC_ASN1_OPTIONAL, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "subjectName", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, + SC_ASN1_EMPTY_ALLOWED | SC_ASN1_ALLOC | SC_ASN1_OPTIONAL, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_RSAKEY_VALUE_CHOICE_SIZE 3 static const struct sc_asn1_entry c_asn1_rsakey_value_choice[C_ASN1_RSAKEY_VALUE_CHOICE_SIZE] = { - { "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_EMPTY_ALLOWED, NULL, NULL }, - { "direct", SC_ASN1_OCTET_STRING, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL | SC_ASN1_ALLOC, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_EMPTY_ALLOWED, NULL, NULL }, + { "direct", SC_ASN1_OCTET_STRING, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL | SC_ASN1_ALLOC, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_RSAKEY_ATTR_SIZE 4 static const struct sc_asn1_entry c_asn1_rsakey_attr[C_ASN1_RSAKEY_ATTR_SIZE] = { - { "value", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, - { "modulusLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, - { "keyInfo", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "value", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, + { "modulusLength", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, + { "keyInfo", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_ECKEY_VALUE_CHOICE_SIZE 3 static const struct sc_asn1_entry c_asn1_eckey_value_choice[C_ASN1_ECKEY_VALUE_CHOICE_SIZE] = { - { "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_EMPTY_ALLOWED, NULL, NULL }, - { "direct", SC_ASN1_OCTET_STRING, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL | SC_ASN1_ALLOC, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "path", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, SC_ASN1_EMPTY_ALLOWED, NULL, NULL }, + { "direct", 
SC_ASN1_OCTET_STRING, SC_ASN1_CTX | 0 | SC_ASN1_CONS, SC_ASN1_OPTIONAL | SC_ASN1_ALLOC, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_ECKEY_ATTR_SIZE 4 static const struct sc_asn1_entry c_asn1_eckey_attr[C_ASN1_ECKEY_ATTR_SIZE] = { - { "value", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, - { "fieldSize", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, - { "keyInfo", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "value", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, + { "fieldSize", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, + { "keyInfo", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_RSA_TYPE_ATTR_SIZE 2 static const struct sc_asn1_entry c_asn1_rsa_type_attr[C_ASN1_RSA_TYPE_ATTR_SIZE] = { - { "publicRSAKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "publicRSAKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_EC_TYPE_ATTR_SIZE 2 static const struct sc_asn1_entry c_asn1_ec_type_attr[C_ASN1_EC_TYPE_ATTR_SIZE] = { - { "publicECKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "publicECKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_DSAKEY_ATTR_SIZE 2 static const struct sc_asn1_entry c_asn1_dsakey_attr[C_ASN1_DSAKEY_ATTR_SIZE] = { - { "value", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "value", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_DSA_TYPE_ATTR_SIZE 2 static const struct sc_asn1_entry c_asn1_dsa_type_attr[C_ASN1_DSA_TYPE_ATTR_SIZE] = { 
- { "publicDSAKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "publicDSAKeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_GOST3410KEY_ATTR_SIZE 5 static const struct sc_asn1_entry c_asn1_gostr3410key_attr[C_ASN1_GOST3410KEY_ATTR_SIZE] = { - { "value", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { "params_r3410", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, - { "params_r3411", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, - { "params_28147", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "value", SC_ASN1_PATH, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { "params_r3410", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, + { "params_r3411", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, + { "params_28147", SC_ASN1_INTEGER, SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_GOST3410_TYPE_ATTR_SIZE 2 static const struct sc_asn1_entry c_asn1_gostr3410_type_attr[C_ASN1_GOST3410_TYPE_ATTR_SIZE] = { - { "publicGOSTR3410KeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "publicGOSTR3410KeyAttributes", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_PUBKEY_CHOICE_SIZE 5 static const struct sc_asn1_entry c_asn1_pubkey_choice[C_ASN1_PUBKEY_CHOICE_SIZE] = { - { "publicRSAKey", SC_ASN1_PKCS15_OBJECT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { "publicDSAKey", SC_ASN1_PKCS15_OBJECT, 2 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL }, - { "publicGOSTR3410Key", SC_ASN1_PKCS15_OBJECT, 4 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL }, - { "publicECKey", 
SC_ASN1_PKCS15_OBJECT, 0 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL }, -/*TODO: -DEE not clear EC is needed here as look like it is for pukdf */ - { NULL, 0, 0, 0, NULL, NULL } + { "publicRSAKey", SC_ASN1_PKCS15_OBJECT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { "publicDSAKey", SC_ASN1_PKCS15_OBJECT, 2 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL }, + { "publicGOSTR3410Key", SC_ASN1_PKCS15_OBJECT, 4 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL }, + { "publicECKey", SC_ASN1_PKCS15_OBJECT, 0 | SC_ASN1_CTX | SC_ASN1_CONS, 0, NULL, NULL }, + /*TODO: -DEE not clear EC is needed here as look like it is for pukdf */ + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_PUBKEY_SIZE 2 static const struct sc_asn1_entry c_asn1_pubkey[C_ASN1_PUBKEY_SIZE] = { - { "publicKey", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "publicKey", SC_ASN1_CHOICE, 0, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card, - struct sc_pkcs15_object *obj, - const u8 ** buf, size_t *buflen) + struct sc_pkcs15_object *obj, + const u8 ** buf, size_t *buflen) { sc_context_t *ctx = p15card->card->ctx; struct sc_pkcs15_pubkey_info info; 
@@ -177,13 +177,13 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card, struct sc_asn1_entry asn1_pubkey_choice[C_ASN1_PUBKEY_CHOICE_SIZE]; struct sc_asn1_entry asn1_pubkey[C_ASN1_PUBKEY_SIZE]; struct sc_asn1_pkcs15_object rsakey_obj = { obj, asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_rsa_type_attr }; + asn1_com_pubkey_attr, asn1_rsa_type_attr }; struct sc_asn1_pkcs15_object eckey_obj = { obj, asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_ec_type_attr }; + asn1_com_pubkey_attr, asn1_ec_type_attr }; struct sc_asn1_pkcs15_object dsakey_obj = { obj, asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_dsa_type_attr }; + asn1_com_pubkey_attr, asn1_dsa_type_attr }; struct sc_asn1_pkcs15_object gostr3410key_obj = { obj, asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_gostr3410_type_attr }; + asn1_com_pubkey_attr, asn1_gostr3410_type_attr }; sc_copy_asn1_entry(c_asn1_pubkey, asn1_pubkey); sc_copy_asn1_entry(c_asn1_pubkey_choice, asn1_pubkey_choice); @@ -287,7 +287,7 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card, } sc_log(ctx, "PubKey path '%s'", sc_print_path(&info.path)); - /* OpenSC 0.11.4 and older encoded "keyReference" as a negative + /* OpenSC 0.11.4 and older encoded "keyReference" as a negative value. Fixed in 0.11.5 we need to add a hack, so old cards continue to work. */ if (info.key_reference < -1) @@ -304,8 +304,8 @@ int sc_pkcs15_decode_pukdf_entry(struct sc_pkcs15_card *p15card, } int sc_pkcs15_encode_pukdf_entry(sc_context_t *ctx, - const struct sc_pkcs15_object *obj, - u8 **buf, size_t *buflen) + const struct sc_pkcs15_object *obj, + u8 **buf, size_t *buflen) { struct sc_asn1_entry asn1_com_key_attr[C_ASN1_COM_KEY_ATTR_SIZE]; struct sc_asn1_entry asn1_com_pubkey_attr[C_ASN1_COM_PUBKEY_ATTR_SIZE]; 
@@ -323,19 +323,19 @@ int sc_pkcs15_encode_pukdf_entry(sc_context_t *ctx, struct sc_asn1_entry asn1_pubkey[C_ASN1_PUBKEY_SIZE]; struct sc_pkcs15_pubkey_info *pubkey = - (struct sc_pkcs15_pubkey_info *) obj->data; + (struct sc_pkcs15_pubkey_info *) obj->data; struct sc_asn1_pkcs15_object rsakey_obj = { (struct sc_pkcs15_object *) obj, - asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_rsa_type_attr }; + asn1_com_key_attr, + asn1_com_pubkey_attr, asn1_rsa_type_attr }; struct sc_asn1_pkcs15_object eckey_obj = { (struct sc_pkcs15_object *) obj, - asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_ec_type_attr }; + asn1_com_key_attr, + asn1_com_pubkey_attr, asn1_ec_type_attr }; struct sc_asn1_pkcs15_object dsakey_obj = { (struct sc_pkcs15_object *) obj, - asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_dsa_type_attr }; + asn1_com_key_attr, + asn1_com_pubkey_attr, asn1_dsa_type_attr }; struct sc_asn1_pkcs15_object gostr3410key_obj = { (struct sc_pkcs15_object *) obj, - asn1_com_key_attr, - asn1_com_pubkey_attr, asn1_gostr3410_type_attr }; + asn1_com_key_attr, + asn1_com_pubkey_attr, asn1_gostr3410_type_attr }; struct sc_pkcs15_keyinfo_gostparams *keyinfo_gostparams; int r; size_t af_len, usage_len; @@ -395,7 +395,7 @@ int sc_pkcs15_encode_pukdf_entry(sc_context_t *ctx, case SC_PKCS15_TYPE_PUBKEY_EC: /* MyEID is a PKCS15 card with ECC */ sc_format_asn1_entry(asn1_pubkey_choice + 3, &eckey_obj, NULL, 1); - + sc_format_asn1_entry(asn1_ec_type_attr + 0, asn1_eckey_attr, NULL, 1); if (pubkey->path.len || !obj->content.value) sc_format_asn1_entry(asn1_eckey_value_choice + 0, &pubkey->path, NULL, 1); 
@@ -403,7 +403,7 @@ int sc_pkcs15_encode_pukdf_entry(sc_context_t *ctx, sc_format_asn1_entry(asn1_eckey_value_choice + 1, obj->content.value, (void *)&obj->content.len, 1); sc_format_asn1_entry(asn1_eckey_attr + 0, asn1_eckey_value_choice, NULL, 1); sc_format_asn1_entry(asn1_eckey_attr + 1, &pubkey->field_length, NULL, 1); - + break; default: sc_log(ctx, "Unsupported public key type: %X", obj->type); 
@@ -437,36 +437,36 @@ int sc_pkcs15_encode_pukdf_entry(sc_context_t *ctx, #define C_ASN1_PUBLIC_KEY_SIZE 2 static struct sc_asn1_entry c_asn1_public_key[C_ASN1_PUBLIC_KEY_SIZE] = { - { "publicKeyCoefficients", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "publicKeyCoefficients", SC_ASN1_STRUCT, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_RSA_PUB_COEFFICIENTS_SIZE 3 static struct sc_asn1_entry c_asn1_rsa_pub_coefficients[C_ASN1_RSA_PUB_COEFFICIENTS_SIZE] = { - { "modulus", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, - { "exponent", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "modulus", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, + { "exponent", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_DSA_PUB_COEFFICIENTS_SIZE 5 static struct sc_asn1_entry c_asn1_dsa_pub_coefficients[C_ASN1_DSA_PUB_COEFFICIENTS_SIZE] = { - { "publicKey",SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, - { "paramP", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, - { "paramQ", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, - { "paramG", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL }, + { "publicKey",SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, + { "paramP", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, + { "paramQ", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, + { "paramG", SC_ASN1_OCTET_STRING, 
SC_ASN1_TAG_INTEGER, SC_ASN1_ALLOC|SC_ASN1_UNSIGNED, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL }, }; #define C_ASN1_GOSTR3410_PUB_COEFFICIENTS_SIZE 2 static struct sc_asn1_entry c_asn1_gostr3410_pub_coefficients[C_ASN1_GOSTR3410_PUB_COEFFICIENTS_SIZE] = { - { "xy", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_ALLOC, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "xy", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_ALLOC, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; #define C_ASN1_EC_POINTQ_SIZE 2 static struct sc_asn1_entry c_asn1_ec_pointQ[C_ASN1_EC_POINTQ_SIZE] = { - { "ecpointQ", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_ALLOC, NULL, NULL }, - { NULL, 0, 0, 0, NULL, NULL } + { "ecpointQ", SC_ASN1_OCTET_STRING, SC_ASN1_TAG_OCTET_STRING, SC_ASN1_ALLOC, NULL, NULL }, + { NULL, 0, 0, 0, NULL, NULL } }; 
@@ -681,43 +681,64 @@ static const struct sc_asn1_entry c_asn1_spki_key[] = { { NULL, 0, 0, 0, NULL, NULL } }; +/* + * Encode a pubkey as a SPKI, useful for pkcs15-tool, and for PKCS#15 files. + */ int -sc_pkcs15_encode_pubkey_ec_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey, +sc_pkcs15_encode_pubkey_as_spki(sc_context_t *ctx, struct sc_pkcs15_pubkey *pubkey, u8 **buf, size_t *len) { int r; struct sc_asn1_entry asn1_spki_key[2], asn1_spki_key_items[3]; + struct sc_pkcs15_u8 pkey; size_t key_len; - key_len = pubkey->u.ec.ecpointQ.len * 8; + pkey.value = NULL; + pkey.len = 0; + + switch (pubkey->algorithm) { + case SC_ALGORITHM_EC: + /* + * most keys, but not EC have only one encoding. + * For a SPKI, the ecpoint is placed directly in the + * BIT STRING + */ + + key_len = pubkey->u.ec.ecpointQ.len * 8; + pkey.value = pubkey->u.ec.ecpointQ.value; + pkey.len = 0; /* flag as do not delete */ + /* TODO make sure algorithm params are available*/ + /* if not can we copy them from the u.ec */ + r = 0; + break; + case SC_ALGORITHM_GOSTR3410: + /* TODO is this needed? does it cause mem leak? 
*/ + pubkey->alg_id->params = &pubkey->u.gostr3410.params; + r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len); + key_len = pkey.len * 8; + break; + default: + r = sc_pkcs15_encode_pubkey(ctx, pubkey, &pkey.value, &pkey.len); + key_len = pkey.len * 8; + break; + } - sc_copy_asn1_entry(c_asn1_spki_key, asn1_spki_key); - sc_copy_asn1_entry(c_asn1_spki_key_items, asn1_spki_key_items); - sc_format_asn1_entry(asn1_spki_key + 0, asn1_spki_key_items, NULL, 1); - sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1); - sc_format_asn1_entry(asn1_spki_key_items + 1, pubkey->u.ec.ecpointQ.value, &key_len, 1); + if (r == 0) { + sc_copy_asn1_entry(c_asn1_spki_key, asn1_spki_key); + sc_copy_asn1_entry(c_asn1_spki_key_items, asn1_spki_key_items); + sc_format_asn1_entry(asn1_spki_key + 0, asn1_spki_key_items, NULL, 1); + sc_format_asn1_entry(asn1_spki_key_items + 0, pubkey->alg_id, NULL, 1); + sc_format_asn1_entry(asn1_spki_key_items + 1, pkey.value, &key_len, 1); - r = sc_asn1_encode(ctx, asn1_spki_key, buf, len); + r = sc_asn1_encode(ctx, asn1_spki_key, buf, len); + } - return r; -} + if (pkey.len && pkey.value) + free(pkey.value); - -/* - * Encode public key in a format that preserves key parameter - * - * EC key are encoded as Subject Public Key Info per RFC5280 - */ -int -sc_pkcs15_encode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key, - u8 **buf, size_t *len) -{ - if (key->algorithm != SC_ALGORITHM_EC) - return sc_pkcs15_encode_pubkey(ctx, key, buf, len); - else - return sc_pkcs15_encode_pubkey_ec_spki(ctx, key, buf, len); + return r; } 
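Review bot: `sc_pkcs15_encode_pubkey_as_spki` now accepts every key type but never checks `pubkey->alg_id`: the GOSTR3410 case dereferences it directly (`pubkey->alg_id->params = ...`) and every case passes it to `sc_format_asn1_entry` as the AlgorithmIdentifier. A key object built without an alg_id would crash in the GOST case or, presumably, yield an SPKI without a usable algorithm, so a guard before the switch such as `if (pubkey == NULL || pubkey->alg_id == NULL) return SC_ERROR_INVALID_ARGUMENTS;` turns that into a clean error. The GOST branch also stores the address of the embedded `u.gostr3410.params` in `alg_id->params`. If the pubkey free routine releases `alg_id->params` (not visible in this hunk), that would free a non-heap pointer, which seems to be what the TODO there is asking, so the alias should be cleared again before returning.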
@@ -745,8 +766,10 @@ int sc_pkcs15_decode_pubkey_with_param(sc_context_t *ctx, struct sc_pkcs15_pubkey *key, const u8 *buf, size_t len) { - if ((key->algorithm == SC_ALGORITHM_EC) && (*buf == 0x30)) { - // Decode EC Public Key from SPKI + /* We assume all algrothims allow SPKI which starts with a sequence*/ + + if (*buf == 0x30) { + /* Decode Public Key from SPKI */ return sc_pkcs15_copy_pubkey_from_spki_object(ctx, buf, len, key); } else { key->data.value = (u8 *)buf; @@ -1025,7 +1048,7 @@ sc_pkcs15_read_der_file(sc_context_t *ctx, char * filename, *buf = rbuf; rbuf = NULL; r = rbuflen; -out: + out: if (rbuf) free(rbuf); if (f > 0) @@ -1088,13 +1111,13 @@ sc_pkcs15_pubkey_from_spki(sc_context_t *ctx, sc_pkcs15_pubkey_t ** outpubkey, * u.ec.params and get the field length too. */ if (pubkey->alg_id->params) { - struct sc_ec_params * ecp = (struct sc_ec_params *)pubkey->alg_id->params; - pubkey->u.ec.params.der.value = malloc(ecp->der_len); - if (pubkey->u.ec.params.der.value) { - memcpy(pubkey->u.ec.params.der.value, ecp->der, ecp->der_len); - pubkey->u.ec.params.der.len = ecp->der_len; - sc_pkcs15_fix_ec_parameters(ctx,&pubkey->u.ec.params); - } + struct sc_ec_params * ecp = (struct sc_ec_params *)pubkey->alg_id->params; + pubkey->u.ec.params.der.value = malloc(ecp->der_len); + if (pubkey->u.ec.params.der.value) { + memcpy(pubkey->u.ec.params.der.value, ecp->der, ecp->der_len); + pubkey->u.ec.params.der.len = ecp->der_len; + sc_pkcs15_fix_ec_parameters(ctx,&pubkey->u.ec.params); + } } /* * For most keys, the above ASN.1 parsing of a key works, but for EC keys, 
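Review bot: The new test `if (*buf == 0x30)` cannot tell an SPKI from the older bare encoding, because the RSA and DSA encodings in this file appear to be wrapped in a SEQUENCE themselves (`c_asn1_public_key` uses `SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS`) and so also start with 0x30. With the `key->algorithm == SC_ALGORITHM_EC` condition removed, RSA/DSA keys stored before this change would be routed to `sc_pkcs15_copy_pubkey_from_spki_object` and would likely fail to decode; I would fall back to the legacy decoder when SPKI parsing fails instead of returning its error directly. `*buf` is also read before `len` is looked at, so add `if (buf == NULL || len == 0) return SC_ERROR_INVALID_ARGUMENTS;` ahead of it. The function body continues past the end of this hunk, so the else branch is only partly visible.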
@@ -1105,7 +1128,7 @@ sc_pkcs15_pubkey_from_spki(sc_context_t *ctx, sc_pkcs15_pubkey_t ** outpubkey, */ pk.len >>= 3; /* Assume it is multiple of 8 */ if (pubkey->u.ec.params.field_length == 0) - pubkey->u.ec.params.field_length = (pk.len - 1)/2 * 8; + pubkey->u.ec.params.field_length = (pk.len - 1)/2 * 8; sc_copy_asn1_entry(c_asn1_ec_pointQ, asn1_ec_pointQ); sc_format_asn1_entry(&asn1_ec_pointQ[0], pk.value, &pk.len, 1); @@ -1132,7 +1155,7 @@ sc_pkcs15_pubkey_from_spki(sc_context_t *ctx, sc_pkcs15_pubkey_t ** outpubkey, pubkey = NULL; return 0; -err: + err: if (pubkey) free(pubkey); if (pk.value) @@ -1150,8 +1173,8 @@ sc_pkcs15_pubkey_from_spki_object(sc_context_t *ctx, const u8 *buf, size_t bufle int r; sc_pkcs15_pubkey_t * pubkey = NULL; struct sc_asn1_entry asn1_spki[] = { - { "PublicKeyInfo",SC_ASN1_CALLBACK, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, sc_pkcs15_pubkey_from_spki, &pubkey}, - { NULL, 0, 0, 0, NULL, NULL } }; + { "PublicKeyInfo",SC_ASN1_CALLBACK, SC_ASN1_TAG_SEQUENCE | SC_ASN1_CONS, 0, sc_pkcs15_pubkey_from_spki, &pubkey}, + { NULL, 0, 0, 0, NULL, NULL } }; *outpubkey = NULL; 
@@ -1205,20 +1228,20 @@ static struct ec_curve_info { const char *oid_encoded; size_t size; } ec_curve_infos[] = { - {"secp192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192}, - {"prime192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192}, - {"ansiX9p192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192}, - {"prime256v1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256}, - {"secp256r1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256}, - {"ansiX9p256r1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256}, - {"secp384r1", "1.3.132.0.34", "06052B81040022", 384}, - {"prime384v1", "1.3.132.0.34", "06052B81040022", 384}, - {"ansiX9p384r1", "1.3.132.0.34", "06052B81040022", 384}, - {"brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3", "06092B2403030208010103", 192}, - {"brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5", "06092B2403030208010105", 224}, - {"brainpoolP256r1", "1.3.36.3.3.2.8.1.1.7", "06092B2403030208010107", 256}, - {"brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9", "06092B2403030208010109", 320}, - {NULL, NULL, NULL, 0}, + {"secp192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192}, + {"prime192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192}, + {"ansiX9p192r1", "1.2.840.10045.3.1.1", "06082A8648CE3D030101", 192}, + {"prime256v1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256}, + {"secp256r1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256}, + {"ansiX9p256r1", "1.2.840.10045.3.1.7", "06082A8648CE3D030107", 256}, + {"secp384r1", "1.3.132.0.34", "06052B81040022", 384}, + {"prime384v1", "1.3.132.0.34", "06052B81040022", 384}, + {"ansiX9p384r1", "1.3.132.0.34", "06052B81040022", 384}, + {"brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3", "06092B2403030208010103", 192}, + {"brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5", "06092B2403030208010105", 224}, + {"brainpoolP256r1", "1.3.36.3.3.2.8.1.1.7", "06092B2403030208010107", 256}, + {"brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9", "06092B2403030208010109", 320}, + {NULL, NULL, NULL, 0}, }; 
@@ -1310,7 +1333,7 @@ sc_pkcs15_convert_pubkey(struct sc_pkcs15_pubkey *pkcs15_key, void *evp_key) return SC_ERROR_INVALID_DATA; RSA_free(src); break; - } + } case EVP_PKEY_DSA: { struct sc_pkcs15_pubkey_dsa *dst = &pkcs15_key->u.dsa; DSA *src = EVP_PKEY_get1_DSA(pk); @@ -1322,7 +1345,7 @@ sc_pkcs15_convert_pubkey(struct sc_pkcs15_pubkey *pkcs15_key, void *evp_key) sc_pkcs15_convert_bignum(&dst->g, src->g); DSA_free(src); break; - } + } #if OPENSSL_VERSION_NUMBER >= 0x10000000L && !defined(OPENSSL_NO_EC) case NID_id_GostR3410_2001: { struct sc_pkcs15_pubkey_gostr3410 *dst = &pkcs15_key->u.gostr3410; @@ -1359,7 +1382,7 @@ sc_pkcs15_convert_pubkey(struct sc_pkcs15_pubkey *pkcs15_key, void *evp_key) if (r != 1) return SC_ERROR_INTERNAL; break; - } + } case EVP_PKEY_EC: { struct sc_pkcs15_pubkey_ec *dst = &pkcs15_key->u.ec; EC_KEY *src = NULL; diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h index b05c50fc..fff28bbf 100644 --- a/src/libopensc/pkcs15.h +++ b/src/libopensc/pkcs15.h @@ -690,7 +690,7 @@ int sc_pkcs15_decode_pubkey(struct sc_context *, struct sc_pkcs15_pubkey *, const u8 *, size_t); int sc_pkcs15_encode_pubkey(struct sc_context *, struct sc_pkcs15_pubkey *, u8 **, size_t *); -int sc_pkcs15_encode_pubkey_with_param(struct sc_context *, +int sc_pkcs15_encode_pubkey_as_spki(struct sc_context *, struct sc_pkcs15_pubkey *, u8 **, size_t *); void sc_pkcs15_erase_pubkey(struct sc_pkcs15_pubkey *); void sc_pkcs15_free_pubkey(struct sc_pkcs15_pubkey *); diff --git a/src/pkcs15init/pkcs15-lib.c b/src/pkcs15init/pkcs15-lib.c index bfb45154..7053398e 100644 --- a/src/pkcs15init/pkcs15-lib.c +++ b/src/pkcs15init/pkcs15-lib.c 
@@ -1552,7 +1552,7 @@ sc_pkcs15init_store_public_key(struct sc_pkcs15_card *p15card, /* DER encode public key components */ /* EC key are encoded as SPKI to preserve domain parameter */ - r = sc_pkcs15_encode_pubkey_with_param(p15card->card->ctx, &key, &object->content.value, &object->content.len); + r = sc_pkcs15_encode_pubkey_as_spki(p15card->card->ctx, &key, &object->content.value, &object->content.len); LOG_TEST_RET(ctx, r, "Encode public key error"); /* Now create key file and store key */ diff --git a/src/pkcs15init/pkcs15-sc-hsm.c b/src/pkcs15init/pkcs15-sc-hsm.c index 69d0c83e..c31af9d3 100644 --- a/src/pkcs15init/pkcs15-sc-hsm.c +++ b/src/pkcs15init/pkcs15-sc-hsm.c @@ -341,6 +341,14 @@ static int sc_hsm_decode_gakp_rsa(struct sc_pkcs15_card *p15card, } pubkey->algorithm = SC_ALGORITHM_RSA; + + pubkey->alg_id = (struct sc_algorithm_id *)calloc(1, sizeof(struct sc_algorithm_id)); + if (!pubkey->alg_id) { + LOG_FUNC_RETURN(p15card->card->ctx, SC_ERROR_OUT_OF_MEMORY); + } + + pubkey->alg_id->algorithm = SC_ALGORITHM_RSA; + pubkey->u.rsa.modulus.len = cvc->primeOrModuluslen; pubkey->u.rsa.modulus.data = malloc(pubkey->u.rsa.modulus.len); pubkey->u.rsa.exponent.len = sizeof(pubexp); diff --git a/src/tools/pkcs15-tool.c b/src/tools/pkcs15-tool.c index 4102d630..b32369da 100644 --- a/src/tools/pkcs15-tool.c +++ b/src/tools/pkcs15-tool.c @@ -639,6 +639,9 @@ static int read_public_key(void) sc_pkcs15_cert_t *cert = NULL; sc_pkcs15_der_t pem_key; + pem_key.value = NULL; + pem_key.len = 0; + id.len = SC_PKCS15_MAX_ID_SIZE; sc_pkcs15_hex_string_to_id(opt_pubkey, &id); 
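Review bot: The comment kept above this call, `/* EC key are encoded as SPKI to preserve domain parameter */`, no longer describes the code: `sc_pkcs15_encode_pubkey_as_spki` is now used for every key type, so RSA, DSA and GOST public keys stored through `sc_pkcs15init_store_public_key` change their encoding as well. I would reword it to `/* All public keys are stored as SPKI; for EC this preserves the domain parameters */` and say in the commit message that the stored format of non-EC keys changes. The enclosing function starts and ends outside the hunk.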
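Review bot: Nothing at the new allocation in `sc_hsm_decode_gakp_rsa` says why an RSA key decoded from a CVC now needs `alg_id`; the reason appears to be that `sc_pkcs15_encode_pubkey_as_spki` reads `pubkey->alg_id` to emit the AlgorithmIdentifier. A comment such as `/* alg_id is needed by the SPKI encoder */` above the `calloc` would record that. As a style point, the cast is unnecessary in C and the size is better tied to the object: `pubkey->alg_id = calloc(1, sizeof(*pubkey->alg_id));`. The function continues outside the hunk, so whether its later error returns release `alg_id` cannot be checked here.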
@@ -674,6 +677,17 @@ static int read_public_key(void) return 1; } + fprintf(stderr, "Using sc_pkcs15_encode_pubkey_as_spki:\n"); + r = sc_pkcs15_encode_pubkey_as_spki(ctx, pubkey, &pem_key.value, &pem_key.len); + if (r < 0) { + fprintf(stderr, "Error encoding PEM key: %s\n", sc_strerror(r)); + r = 1; + } else { + r = print_pem_object("PUBLIC KEY", pem_key.value, pem_key.len); + free(pem_key.value); + } + + fprintf(stderr, "Using pubkey_pem_encode:\n"); r = pubkey_pem_encode(pubkey, &pubkey->data, &pem_key); if (r < 0) { fprintf(stderr, "Error encoding PEM key: %s\n", sc_strerror(r));
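Review bot: The status of the new SPKI path is discarded: `r` is set from `sc_pkcs15_encode_pubkey_as_spki` or `print_pem_object` and then immediately overwritten by `r = pubkey_pem_encode(...)`, so a failure of the new encoder never reaches the exit status. The key is also printed twice, with `Using ...:` debug banners in between. If both paths are kept for comparison, keep the first status in its own variable and drop the banners before release. After `free(pem_key.value);` the same `pem_key` is passed to `pubkey_pem_encode`, so reset it with `pem_key.value = NULL; pem_key.len = 0;` to avoid a stale pointer if that call fails without assigning. `read_public_key` starts and ends outside the hunk.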