giomba
/
opensc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added C_DecryptInit() and C_Decrypt() for RSA keys 

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1485 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
sth 2003-10-01 06:51:49 +00:00
parent 7730dc1199
commit ebca5c681c
5 changed files with 333 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
src/pkcs11/framework-pkcs15.c
View File

@ -1800,21 +1800,20 @@ CK_RV pkcs15_prkey_sign(struct sc_pkcs11_session *ses, void *obj,
}
static CK_RV
pkcs15_prkey_unwrap(struct sc_pkcs11_session *ses, void *obj,
pkcs15_prkey_decrypt(struct sc_pkcs11_session *ses, void *obj,
CK_MECHANISM_PTR pMechanism,
CK_BYTE_PTR pData, CK_ULONG ulDataLen,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
void **result)
CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
{
struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) ses->slot->card->fw_data;
struct pkcs15_prkey_object *prkey;
struct pkcs15_slot_data *data = slot_data(ses->slot->fw_data);
u8 unwrapped_key[256];
int rv;
u8 decrypted[256];
int buff_too_small, rv;
sc_debug(context, "Initiating key unwrap.\n");
sc_debug(context, "Initiating unwrap/decryption.\n");
/* See which of the alternative keys supports unwrap */
/* See which of the alternative keys supports unwrap/decrypt */
prkey = (struct pkcs15_prkey_object *) obj;
while (prkey
&& !(prkey->prv_info->usage
@ -1824,14 +1823,13 @@ pkcs15_prkey_unwrap(struct sc_pkcs11_session *ses, void *obj,
if (prkey == NULL)
return CKR_KEY_FUNCTION_NOT_PERMITTED;
if (pMechanism->mechanism != CKM_RSA_PKCS)
return CKR_MECHANISM_INVALID;
rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj,
SC_ALGORITHM_RSA_PAD_PKCS1,
pData, ulDataLen,
unwrapped_key, sizeof(unwrapped_key));
pEncryptedData, ulEncryptedDataLen,
decrypted, sizeof(decrypted));
/* Do we have to try a re-login and then try to decrypt again? */
if (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
@ -1845,18 +1843,45 @@ pkcs15_prkey_unwrap(struct sc_pkcs11_session *ses, void *obj,
if (rv == 0)
rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj,
SC_ALGORITHM_RSA_PAD_PKCS1,
pData, ulDataLen,
unwrapped_key, sizeof(unwrapped_key));
pEncryptedData, ulEncryptedDataLen,
decrypted, sizeof(decrypted));
sc_unlock(ses->slot->card->card);
}
sc_debug(context, "Key unwrap complete. Result %d.\n", rv);
sc_debug(context, "Key unwrap/decryption complete. Result %d.\n", rv);
if (rv < 0)
return sc_to_cryptoki_error(rv, ses->slot->card->reader);
buff_too_small = (*pulDataLen < rv);
*pulDataLen = rv;
if (pData == NULL_PTR)
return CKR_OK;
if (buff_too_small)
return CKR_BUFFER_TOO_SMALL;
memcpy(pData, decrypted, *pulDataLen);
return CKR_OK;
}
static CK_RV
pkcs15_prkey_unwrap(struct sc_pkcs11_session *ses, void *obj,
CK_MECHANISM_PTR pMechanism,
CK_BYTE_PTR pData, CK_ULONG ulDataLen,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
void **result)
{
u8 unwrapped_key[256];
int key_len = sizeof(unwrapped_key), rv;
rv = pkcs15_prkey_decrypt(ses, obj, pMechanism, pData, ulDataLen,
unwrapped_key, &key_len);
if (rv < 0)
return sc_to_cryptoki_error(rv, ses->slot->card->reader);
return sc_pkcs11_create_secret_key(ses,
unwrapped_key, rv,
unwrapped_key, key_len,
pTemplate, ulAttributeCount,
(struct sc_pkcs11_object **) result);
}
@ -1869,7 +1894,8 @@ struct sc_pkcs11_object_ops pkcs15_prkey_ops = {
NULL,
NULL,
pkcs15_prkey_sign,
pkcs15_prkey_unwrap
pkcs15_prkey_unwrap,
pkcs15_prkey_decrypt
};
/*
@ -2188,7 +2214,7 @@ register_mechanisms(struct sc_pkcs11_card *p11card)
/* Register generic mechanisms */
sc_pkcs11_register_generic_mechanisms(p11card);
mech_info.flags = CKF_HW | CKF_SIGN | CKF_UNWRAP;
mech_info.flags = CKF_HW | CKF_SIGN | CKF_UNWRAP | CKF_DECRYPT;
#ifdef HAVE_OPENSSL
mech_info.flags |= CKF_VERIFY;
#endif

102
src/pkcs11/mechanism.c
View File

@ -17,7 +17,7 @@ struct hash_signature_info {
sc_pkcs11_mechanism_type_t *sign_type;
};
/* Also used for verification data */
/* Also used for verification and decryption data */
struct signature_data {
struct sc_pkcs11_object *key;
struct hash_signature_info *info;
@ -638,6 +638,102 @@ done:
}
#endif
/*
* Initialize a decryption context. When we get here, we know
* the key object is capable of decrypting _something_
*/sc_pkcs11_decr_init(struct sc_pkcs11_session *session,
CK_MECHANISM_PTR pMechanism,
struct sc_pkcs11_object *key,
CK_MECHANISM_TYPE key_type)
{
struct sc_pkcs11_card *p11card;
sc_pkcs11_operation_t *operation;
sc_pkcs11_mechanism_type_t *mt;
int rv;
if (!session || !session->slot
|| !(p11card = session->slot->card))
return CKR_ARGUMENTS_BAD;
/* See if we support this mechanism type */
mt = sc_pkcs11_find_mechanism(p11card, pMechanism->mechanism, CKF_DECRYPT);
if (mt == NULL)
return CKR_MECHANISM_INVALID;
/* See if compatible with key type */
if (mt->key_type != key_type)
return CKR_KEY_TYPE_INCONSISTENT;
rv = session_start_operation(session, SC_PKCS11_OPERATION_DECRYPT, mt, &operation);
if (rv != CKR_OK)
return rv;
memcpy(&operation->mechanism, pMechanism, sizeof(CK_MECHANISM));
rv = mt->decrypt_init(operation, key);
if (rv != CKR_OK)
session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT);
return rv;
}
CK_RV
sc_pkcs11_decr(struct sc_pkcs11_session *session,
CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
{
sc_pkcs11_operation_t *op;
int rv;
rv = session_get_operation(session, SC_PKCS11_OPERATION_DECRYPT, &op);
if (rv != CKR_OK)
return rv;
rv = op->type->decrypt(op, pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
done:
if (rv != CKR_BUFFER_TOO_SMALL && pData != NULL)
session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT);
return rv;
}
/*
* Initialize a signature operation
*/
static CK_RV
sc_pkcs11_decrypt_init(sc_pkcs11_operation_t *operation,
struct sc_pkcs11_object *key)
{
struct signature_data *data;
if (!(data = (struct signature_data *) calloc(1, sizeof(*data))))
return CKR_HOST_MEMORY;
data->key = key;
operation->priv_data = data;
return CKR_OK;
}
sc_pkcs11_decrypt(sc_pkcs11_operation_t *operation,
CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
{
struct signature_data *data;
struct sc_pkcs11_object *key;
int rv;
data = (struct signature_data*) operation->priv_data;
key = data->key;
return key->ops->decrypt(operation->session,
key, &operation->mechanism,
pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
}
/*
* Create new mechanism type for a mechanism supported by
* the card
@ -675,6 +771,10 @@ sc_pkcs11_new_fw_mechanism(CK_MECHANISM_TYPE mech,
if (pInfo->flags & CKF_UNWRAP) {
/* ... */
}
if (pInfo->flags & CKF_DECRYPT) {
mt->decrypt_init = sc_pkcs11_decrypt_init;
mt->decrypt = sc_pkcs11_decrypt;
}
return mt;
}

62
src/pkcs11/pkcs11-object.c
View File

@ -523,7 +523,6 @@ CK_RV C_Sign(CK_SESSION_HANDLE hSession, /* the session's handle */
out: sc_debug(context, "Signing result was %d\n", rv);
sc_pkcs11_unlock();
return rv;
}
CK_RV C_SignUpdate(CK_SESSION_HANDLE hSession, /* the session's handle */
@ -679,7 +678,48 @@ CK_RV C_DecryptInit(CK_SESSION_HANDLE hSession, /* the session's handle */
CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
CK_OBJECT_HANDLE hKey) /* handle of the decryption key */
{
return CKR_FUNCTION_NOT_SUPPORTED;
CK_BBOOL can_decrypt;
CK_KEY_TYPE key_type;
CK_ATTRIBUTE decrypt_attribute = { CKA_DECRYPT, &can_decrypt, sizeof(can_decrypt) };
CK_ATTRIBUTE key_type_attr = { CKA_KEY_TYPE, &key_type, sizeof(key_type) };
struct sc_pkcs11_session *session;
struct sc_pkcs11_object *object;
int rv;
rv = sc_pkcs11_lock();
if (rv != CKR_OK)
return rv;
rv = pool_find(&session_pool, hSession, (void**) &session);
if (rv != CKR_OK)
goto out;
rv = pool_find(&session->slot->object_pool, hKey, (void**) &object);
if (rv != CKR_OK)
goto out;
if (object->ops->decrypt == NULL_PTR) {
rv = CKR_KEY_TYPE_INCONSISTENT;
goto out;
}
rv = object->ops->get_attribute(session, object, &decrypt_attribute);
if (rv != CKR_OK || !can_decrypt) {
rv = CKR_KEY_TYPE_INCONSISTENT;
goto out;
}
rv = object->ops->get_attribute(session, object, &key_type_attr);
if (rv != CKR_OK) {
rv = CKR_KEY_TYPE_INCONSISTENT;
goto out;
}
rv = sc_pkcs11_decr_init(session, pMechanism, object, key_type);
out: sc_debug(context, "Decrypt initialization returns %d\n", rv);
sc_pkcs11_unlock();
return rv;
}
CK_RV C_Decrypt(CK_SESSION_HANDLE hSession, /* the session's handle */
@ -688,7 +728,23 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSession, /* the session's handle */
CK_BYTE_PTR pData, /* receives decrypted output */
CK_ULONG_PTR pulDataLen) /* receives decrypted byte count */
{
return CKR_FUNCTION_NOT_SUPPORTED;
int rv;
struct sc_pkcs11_session *session;
rv = sc_pkcs11_lock();
if (rv != CKR_OK)
return rv;
rv = pool_find(&session_pool, hSession, (void**) &session);
if (rv != CKR_OK)
goto out;
rv = sc_pkcs11_decr(session, pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
out: sc_debug(context, "Decryption result was %d\n", rv);
sc_pkcs11_unlock();
return rv;
}
CK_RV C_DecryptUpdate(CK_SESSION_HANDLE hSession, /* the session's handle */

16
src/pkcs11/sc-pkcs11.h
View File

@ -104,12 +104,20 @@ struct sc_pkcs11_object_ops {
CK_RV (*get_size)(struct sc_pkcs11_session *, void *);
/* Cryptographic methods */
CK_RV (*sign)(struct sc_pkcs11_session *, void *, CK_MECHANISM_PTR pMechanism, CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulDataLen);
CK_RV (*sign)(struct sc_pkcs11_session *, void *,
CK_MECHANISM_PTR,
CK_BYTE_PTR pData, CK_ULONG ulDataLen,
CK_BYTE_PTR pSignature, CK_ULONG_PTR pulDataLen);
CK_RV (*unwrap_key)(struct sc_pkcs11_session *, void *,
CK_MECHANISM_PTR,
CK_BYTE_PTR pData, CK_ULONG ulDataLen,
CK_ATTRIBUTE_PTR, CK_ULONG,
void **);
CK_RV (*decrypt)(struct sc_pkcs11_session *, void *,
CK_MECHANISM_PTR,
CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen);
/* Others to be added when implemented */
};
@ -224,6 +232,7 @@ enum {
SC_PKCS11_OPERATION_SIGN,
SC_PKCS11_OPERATION_VERIFY,
SC_PKCS11_OPERATION_DIGEST,
SC_PKCS11_OPERATION_DECRYPT,
SC_PKCS11_OPERATION_MAX
};
@ -260,6 +269,11 @@ struct sc_pkcs11_mechanism_type {
CK_RV (*verif_final)(sc_pkcs11_operation_t *,
CK_BYTE_PTR, CK_ULONG);
#endif
CK_RV (*decrypt_init)(sc_pkcs11_operation_t *,
struct sc_pkcs11_object *);
CK_RV (*decrypt)(sc_pkcs11_operation_t *,
CK_BYTE_PTR, CK_ULONG,
CK_BYTE_PTR, CK_ULONG_PTR);
/* mechanism specific data */
const void * mech_data;
};

116
src/tools/pkcs11-tool.c
View File

@ -1955,7 +1955,7 @@ wrap_unwrap(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
EVP_SealInit(&seal_ctx, algo,
&key, &key_len,
iv, &pkey, 1);
/* Encrypt something */
len = sizeof(ciphered);
EVP_SealUpdate(&seal_ctx, ciphered, &len, (const unsigned char *) "hello world", 11);
@ -1965,6 +1965,8 @@ wrap_unwrap(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
EVP_SealFinal(&seal_ctx, ciphered + ciphered_len, &len);
ciphered_len += len;
EVP_PKEY_free(pkey);
mech.mechanism = CKM_RSA_PKCS;
rv = p11->C_UnwrapKey(session, &mech, privKeyObject,
key, key_len,
@ -2072,6 +2074,116 @@ test_unwrap(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
return errors;
}
#ifdef HAVE_OPENSSL
static int
encrypt_decrypt(CK_SLOT_ID slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE privKeyObject)
{
EVP_PKEY *pkey;
EVP_CIPHER_CTX encrypt_ctx;
unsigned char orig_data[] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', '\0'};
unsigned char encrypted[512], data[512];
CK_MECHANISM mech;
int encrypted_len, data_len, r;
CK_RV rv;
pkey = get_public_key(session, privKeyObject);
if (pkey == NULL) {
printf(" Encryption of test data failed, returning\n");
return 0;
}
if (EVP_PKEY_size(pkey) > sizeof(encrypted)) {
printf(" \"encrypted\" buf in pkcs11-tool too small\n");
EVP_PKEY_free(pkey);
return 0;
}
encrypted_len = EVP_PKEY_encrypt(encrypted, orig_data, sizeof(orig_data), pkey);
EVP_PKEY_free(pkey);
if (encrypted_len <= 0) {
printf(" Encryption failed, returning\n");
return 0;
}
mech.mechanism = CKM_RSA_PKCS;
rv = p11->C_DecryptInit(session, &mech, privKeyObject);
if (rv == CKR_MECHANISM_INVALID) {
printf(" Mechanism CKM_RSA_PKCS not supported\n");
return 0;
}
if (rv != CKR_OK)
p11_fatal("C_DecryptInit", rv);
data_len = encrypted_len;
rv = p11->C_Decrypt(session, encrypted, encrypted_len, data, &data_len);
if (rv != CKR_OK)
p11_fatal("C_DecryptInit", rv);
if (data_len != sizeof(orig_data) || memcmp(orig_data, data, data_len)) {
printf(" resulting cleartext doesn't match input\n");
return 1;
}
printf(" CKM_RSA_PKCS: OK\n");
return 0;
}
#endif
/*
* Test decryption functions
*/
static int
test_decrypt(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
{
int errors = 0;
CK_RV rv;
CK_OBJECT_HANDLE privKeyObject;
CK_SESSION_HANDLE sess;
CK_MECHANISM_TYPE firstMechType;
CK_SESSION_INFO sessionInfo;
CK_ULONG j;
char *label;
rv = p11->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL, &sess);
if (rv != CKR_OK)
p11_fatal("C_OpenSession", rv);
rv = p11->C_GetSessionInfo(sess, &sessionInfo);
if (rv != CKR_OK)
p11_fatal("C_OpenSession", rv);
if ((sessionInfo.state & CKS_RO_USER_FUNCTIONS) == 0) {
printf("Decryption: not logged in, skipping decryption tests\n");
return errors;
}
firstMechType = find_mechanism(slot, CKF_DECRYPT | CKF_HW, 0);
if (firstMechType == NO_MECHANISM) {
printf("Decrypt: not implemented\n");
return errors;
}
printf("Decryption (RSA)\n");
for (j = 0; find_object(sess, CKO_PRIVATE_KEY, &privKeyObject, NULL, 0, j); j++) {
printf(" testing key %ld ", j);
if ((label = getLABEL(sess, privKeyObject, NULL)) != NULL) {
printf("(%s) ", label);
free(label);
}
if (!getUNWRAP(sess, privKeyObject)) {
printf(" -- can't be used to decrypt, skipping\n");
continue;
}
printf("\n");
#ifndef HAVE_OPENSSL
printf("No OpenSSL support, unable to validate decryption\n");
#else
errors += encrypt_decrypt(slot, sess, privKeyObject);
#endif
}
return errors;
}
static int
test_random(CK_SLOT_ID slot)
{
@ -2183,6 +2295,8 @@ p11_test(CK_SLOT_ID slot, CK_SESSION_HANDLE session)
errors += test_unwrap(slot, session);
errors += test_decrypt(slot, session);
errors += test_card_detection(0);
errors += test_card_detection(1);