Implement RSA PSS for GoID / SmartCard-HSM

src/libopensc/card-sc-hsm.c

@@ -984,6 +984,8 @@ static int sc_hsm_set_security_env(sc_card_t *card,
 			} else {
 				priv->algorithm = ALGO_RSA_PKCS1;
 			}
+		} else if (env->algorithm_flags & SC_ALGORITHM_RSA_PAD_PSS) {
+			priv->algorithm = ALGO_RSA_PSS;
 		} else {
 			if (env->operation == SC_SEC_OPERATION_DECIPHER) {
 				priv->algorithm = ALGO_RSA_DECRYPT;
@@ -1607,7 +1609,7 @@ static int sc_hsm_init(struct sc_card *card)
 		card->drv_data = priv;
 	}
 
-	flags = SC_ALGORITHM_RSA_RAW|SC_ALGORITHM_ONBOARD_KEY_GEN;
+	flags = SC_ALGORITHM_RSA_RAW|SC_ALGORITHM_RSA_PAD_PSS|SC_ALGORITHM_ONBOARD_KEY_GEN;
 
 	_sc_card_add_rsa_alg(card, 1024, flags, 0);
 	_sc_card_add_rsa_alg(card, 1536, flags, 0);

src/libopensc/card-sc-hsm.h

@@ -38,6 +38,7 @@
 #define ALGO_RSA_PKCS1_SHA1		0x31		/* RSA signature with SHA-1 hash and PKCS#1 V1.5 padding */
 #define ALGO_RSA_PKCS1_SHA256	0x33		/* RSA signature with SHA-256 hash and PKCS#1 V1.5 padding */
 
+#define ALGO_RSA_PSS			0x40		/* RSA signature with external hash and PKCS#1 PSS padding*/
 #define ALGO_RSA_PSS_SHA1		0x41		/* RSA signature with SHA-1 hash and PKCS#1 PSS padding */
 #define ALGO_RSA_PSS_SHA256		0x43		/* RSA signature with SHA-256 hash and PKCS#1 PSS padding */
 

src/libopensc/opensc.h

@@ -91,34 +91,35 @@ extern "C" {
 #define SC_ALGORITHM_ONBOARD_KEY_GEN	0x80000000
 /* need usage = either sign or decrypt. keys with both? decrypt, emulate sign */
 #define SC_ALGORITHM_NEED_USAGE		0x40000000
-#define SC_ALGORITHM_SPECIFIC_FLAGS	0x0001FFFF
+#define SC_ALGORITHM_SPECIFIC_FLAGS	0x001FFFFF
 
 #define SC_ALGORITHM_RSA_RAW		0x00000001
 /* If the card is willing to produce a cryptogram padded with the following
  * methods, set these flags accordingly. */
-#define SC_ALGORITHM_RSA_PADS		0x0000000E
+#define SC_ALGORITHM_RSA_PADS		0x0000001E
 #define SC_ALGORITHM_RSA_PAD_NONE	0x00000000
 #define SC_ALGORITHM_RSA_PAD_PKCS1	0x00000002
 #define SC_ALGORITHM_RSA_PAD_ANSI	0x00000004
 #define SC_ALGORITHM_RSA_PAD_ISO9796	0x00000008
+#define SC_ALGORITHM_RSA_PAD_PSS	0x00000010
 
 /* If the card is willing to produce a cryptogram with the following
  * hash values, set these flags accordingly. */
-#define SC_ALGORITHM_RSA_HASH_NONE	0x00000010
-#define SC_ALGORITHM_RSA_HASH_SHA1	0x00000020
-#define SC_ALGORITHM_RSA_HASH_MD5	0x00000040
-#define SC_ALGORITHM_RSA_HASH_MD5_SHA1	0x00000080
-#define SC_ALGORITHM_RSA_HASH_RIPEMD160	0x00000100
-#define SC_ALGORITHM_RSA_HASH_SHA256	0x00000200
-#define SC_ALGORITHM_RSA_HASH_SHA384	0x00000400
-#define SC_ALGORITHM_RSA_HASH_SHA512	0x00000800
-#define SC_ALGORITHM_RSA_HASH_SHA224	0x00001000
-#define SC_ALGORITHM_RSA_HASHES		0x00001FE0
+#define SC_ALGORITHM_RSA_HASH_NONE	0x00000100
+#define SC_ALGORITHM_RSA_HASH_SHA1	0x00000200
+#define SC_ALGORITHM_RSA_HASH_MD5	0x00000400
+#define SC_ALGORITHM_RSA_HASH_MD5_SHA1	0x00000800
+#define SC_ALGORITHM_RSA_HASH_RIPEMD160	0x00001000
+#define SC_ALGORITHM_RSA_HASH_SHA256	0x00002000
+#define SC_ALGORITHM_RSA_HASH_SHA384	0x00004000
+#define SC_ALGORITHM_RSA_HASH_SHA512	0x00008000
+#define SC_ALGORITHM_RSA_HASH_SHA224	0x00010000
+#define SC_ALGORITHM_RSA_HASHES		0x0001FE00
 
-#define SC_ALGORITHM_GOSTR3410_RAW		0x00002000
-#define SC_ALGORITHM_GOSTR3410_HASH_NONE	0x00004000
-#define SC_ALGORITHM_GOSTR3410_HASH_GOSTR3411	0x00008000
-#define SC_ALGORITHM_GOSTR3410_HASHES		0x00008000
+#define SC_ALGORITHM_GOSTR3410_RAW		0x00020000
+#define SC_ALGORITHM_GOSTR3410_HASH_NONE	0x00040000
+#define SC_ALGORITHM_GOSTR3410_HASH_GOSTR3411	0x00080000
+#define SC_ALGORITHM_GOSTR3410_HASHES		0x00080000
 /*TODO: -DEE Should the above be 0x0000E000 */
 /* Or should the HASH_NONE be 0x00000010  and HASHES be 0x00008010 */
 
@@ -126,8 +127,8 @@ extern "C" {
 /* TODO: -DEE Will overload RSA_HASHES with EC_HASHES */
 /* Not clear if these need their own bits or not */
 /* The PIV card does not support and hashes */
-#define SC_ALGORITHM_ECDSA_RAW		0x00010000
-#define SC_ALGORITHM_ECDH_CDH_RAW	0x00020000
+#define SC_ALGORITHM_ECDSA_RAW		0x00100000
+#define SC_ALGORITHM_ECDH_CDH_RAW	0x00200000
 #define SC_ALGORITHM_ECDSA_HASH_NONE		SC_ALGORITHM_RSA_HASH_NONE
 #define SC_ALGORITHM_ECDSA_HASH_SHA1		SC_ALGORITHM_RSA_HASH_SHA1
 #define SC_ALGORITHM_ECDSA_HASH_SHA224		SC_ALGORITHM_RSA_HASH_SHA224

src/libopensc/padding.c

@@ -310,6 +310,11 @@ int sc_get_encoding_flags(sc_context_t *ctx,
 
 		*sflags |= (caps & SC_ALGORITHM_RAW_MASK); /* adds in the one raw type */
 		*pflags = 0;
+	} else if (iflags & SC_ALGORITHM_RSA_PAD_PSS) {
+		if (caps & SC_ALGORITHM_RSA_PAD_PSS)
+			*sflags |= SC_ALGORITHM_RSA_PAD_PSS;
+		else
+			*pflags |= SC_ALGORITHM_RSA_PAD_PSS;
 	} else {
 		LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "unsupported algorithm");
 	}

src/libopensc/pkcs15-sec.c

@@ -420,12 +420,16 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,
 
 	/* add the padding bytes (if necessary) */
 	if (pad_flags != 0) {
-		size_t tmplen = sizeof(buf);
+		if (flags & SC_ALGORITHM_RSA_PAD_PSS) {
+			// TODO PSS padding
+		} else {
+			size_t tmplen = sizeof(buf);
 
-		r = sc_pkcs1_encode(ctx, pad_flags, tmp, inlen, tmp, &tmplen, modlen);
-		SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Unable to add padding");
+			r = sc_pkcs1_encode(ctx, pad_flags, tmp, inlen, tmp, &tmplen, modlen);
+			SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Unable to add padding");
 
-		inlen = tmplen;
+			inlen = tmplen;
+		}
 	}
 	else if ( senv.algorithm == SC_ALGORITHM_RSA &&
 			(flags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {

src/pkcs11/framework-pkcs15.c

@@ -3728,6 +3728,15 @@ pkcs15_prkey_sign(struct sc_pkcs11_session *session, void *obj,
 	case CKM_SHA512_RSA_PKCS:
 		flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA512;
 		break;
+	case CKM_RSA_PKCS_PSS:
+		flags = SC_ALGORITHM_RSA_PAD_PSS | SC_ALGORITHM_RSA_HASH_NONE;
+		break;
+	case CKM_SHA1_RSA_PKCS_PSS:
+		flags = SC_ALGORITHM_RSA_PAD_PSS | SC_ALGORITHM_RSA_HASH_SHA1;
+		break;
+	case CKM_SHA256_RSA_PKCS_PSS:
+		flags = SC_ALGORITHM_RSA_PAD_PSS | SC_ALGORITHM_RSA_HASH_SHA256;
+		break;
 	case CKM_RIPEMD160_RSA_PKCS:
 		flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_RIPEMD160;
 		break;
@@ -4995,6 +5004,24 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
 
 	/* TODO support other padding mechanisms */
 
+	if (rsa_flags & SC_ALGORITHM_RSA_PAD_PSS) {
+		mt = sc_pkcs11_new_fw_mechanism(CKM_RSA_PKCS_PSS, &mech_info, CKK_RSA, NULL, NULL);
+		rc = sc_pkcs11_register_mechanism(p11card, mt);
+		if (rc != CKR_OK)
+			return rc;
+
+		if (rsa_flags & SC_ALGORITHM_RSA_HASH_SHA1) {
+			rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA1_RSA_PKCS_PSS, CKM_SHA_1, mt);
+			if (rc != CKR_OK)
+				return rc;
+		}
+		if (rsa_flags & SC_ALGORITHM_RSA_HASH_SHA256) {
+			rc = sc_pkcs11_register_sign_and_hash_mechanism(p11card, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA256, mt);
+			if (rc != CKR_OK)
+				return rc;
+		}
+	}
+
 	if (rsa_flags & SC_ALGORITHM_ONBOARD_KEY_GEN) {
 		mech_info.flags = CKF_GENERATE_KEY_PAIR;
 		mt = sc_pkcs11_new_fw_mechanism(CKM_RSA_PKCS_KEY_PAIR_GEN, &mech_info, CKK_RSA, NULL, NULL);

src/tools/opensc-tool.c

@@ -591,6 +591,7 @@ static int list_algorithms(void)
 	const id2str_t rsa_flag_names[] = {
 		{ SC_ALGORITHM_RSA_PAD_PKCS1,      "pkcs1"     },
 		{ SC_ALGORITHM_RSA_PAD_ANSI,       "ansi"      },
+		{ SC_ALGORITHM_RSA_PAD_PSS,        "pss"       },
 		{ SC_ALGORITHM_RSA_PAD_ISO9796,    "iso9796"   },
 		{ SC_ALGORITHM_RSA_HASH_SHA1,      "sha1"      },
 		{ SC_ALGORITHM_RSA_HASH_MD5,       "MD5"       },