Activated ECDSA for SmartCard-HSM
Fixed issues in pkcs11-tool/test_signature is card has RSA and ECDSA keys Fixed bug in sc_pkcs11_signature_size that returns the wrong ECDSA signature size
This commit is contained in:
Andreas Schwier
Viktor Tarasov
parent
4ff917bd25
commit
f678b68650
|
|
@ -164,17 +164,17 @@ static int sc_hsm_set_security_env(sc_card_t *card,
|
|||
|
||||
switch(env->algorithm) {
|
||||
case SC_ALGORITHM_RSA:
|
||||
// if (env->algorithm_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
|
||||
// if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA1) {
|
||||
// priv->algorithm = ALGO_RSA_PKCS1_SHA1;
|
||||
// } else if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA256) {
|
||||
// priv->algorithm = ALGO_RSA_PKCS1_SHA256;
|
||||
// } else {
|
||||
// LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
|
||||
// }
|
||||
// } else {
|
||||
if (env->algorithm_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
|
||||
if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA1) {
|
||||
priv->algorithm = ALGO_RSA_PKCS1_SHA1;
|
||||
} else if (env->algorithm_flags & SC_ALGORITHM_RSA_HASH_SHA256) {
|
||||
priv->algorithm = ALGO_RSA_PKCS1_SHA256;
|
||||
} else {
|
||||
priv->algorithm = ALGO_RSA_PKCS1;
|
||||
}
|
||||
} else {
|
||||
priv->algorithm = ALGO_RSA_RAW;
|
||||
// }
|
||||
}
|
||||
break;
|
||||
case SC_ALGORITHM_EC:
|
||||
if (env->algorithm_flags & SC_ALGORITHM_ECDSA_HASH_NONE) {
|
||||
|
|
@ -193,6 +193,7 @@ static int sc_hsm_set_security_env(sc_card_t *card,
|
|||
break;
|
||||
default:
|
||||
LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_ARGUMENTS);
|
||||
break;
|
||||
}
|
||||
LOG_FUNC_RETURN(card->ctx, SC_SUCCESS);
|
||||
}
|
||||
|
|
@ -285,6 +286,7 @@ static int sc_hsm_init(struct sc_card *card)
|
|||
card->drv_data = priv;
|
||||
|
||||
flags = SC_ALGORITHM_RSA_RAW;
|
||||
// flags = SC_ALGORITHM_RSA_RAW|
|
||||
// SC_ALGORITHM_RSA_PAD_PKCS1|
|
||||
// SC_ALGORITHM_RSA_HASH_SHA1|
|
||||
// SC_ALGORITHM_RSA_HASH_SHA256;
|
||||
|
|
@ -293,18 +295,11 @@ static int sc_hsm_init(struct sc_card *card)
|
|||
_sc_card_add_rsa_alg(card, 1536, flags, 0);
|
||||
_sc_card_add_rsa_alg(card, 2048, flags, 0);
|
||||
|
||||
#if 0
|
||||
flags = SC_ALGORITHM_ECDSA_RAW|
|
||||
SC_ALGORITHM_ECDSA_HASH_NONE|
|
||||
SC_ALGORITHM_ECDSA_HASH_SHA1|
|
||||
SC_ALGORITHM_ECDSA_HASH_SHA224|
|
||||
SC_ALGORITHM_ECDSA_HASH_SHA256;
|
||||
#endif
|
||||
|
||||
flags = SC_ALGORITHM_ECDSA_HASH_NONE|
|
||||
SC_ALGORITHM_ECDSA_HASH_SHA1|
|
||||
SC_ALGORITHM_ECDSA_HASH_SHA224|
|
||||
SC_ALGORITHM_ECDSA_HASH_SHA256;
|
||||
|
||||
ext_flags = SC_ALGORITHM_EXT_EC_F_P|
|
||||
SC_ALGORITHM_EXT_EC_ECPARAMETERS|
|
||||
|
|
|
|||
|
|
@ -23,20 +23,21 @@
|
|||
|
||||
#define MAX_EXT_APDU_LENGTH 1014
|
||||
|
||||
#define KEY_PREFIX 0xCC /* Hi byte in file identifier for key objects */
|
||||
#define PRKD_PREFIX 0xC4 /* Hi byte in file identifier for PRKD objects */
|
||||
#define KEY_PREFIX 0xCC /* Hi byte in file identifier for key objects */
|
||||
#define PRKD_PREFIX 0xC4 /* Hi byte in file identifier for PRKD objects */
|
||||
#define EE_CERTIFICATE_PREFIX 0xCE /* Hi byte in file identifier for EE certificates */
|
||||
|
||||
#define ALGO_RSA_RAW 0x20 /* RSA signature with external padding */
|
||||
#define ALGO_RSA_PKCS1_SHA1 0x31 /* RSA signature with SHA-1 hash and PKCS#1 V1.5 padding */
|
||||
#define ALGO_RSA_RAW 0x20 /* RSA signature with external padding */
|
||||
#define ALGO_RSA_PKCS1 0x30 /* RSA signature with DigestInfo input and PKCS#1 V1.5 padding */
|
||||
#define ALGO_RSA_PKCS1_SHA1 0x31 /* RSA signature with SHA-1 hash and PKCS#1 V1.5 padding */
|
||||
#define ALGO_RSA_PKCS1_SHA256 0x33 /* RSA signature with SHA-256 hash and PKCS#1 V1.5 padding */
|
||||
|
||||
#define ALGO_RSA_PSS_SHA1 0x41 /* RSA signature with SHA-1 hash and PKCS#1 PSS padding */
|
||||
#define ALGO_RSA_PSS_SHA256 0x43 /* RSA signature with SHA-256 hash and PKCS#1 PSS padding */
|
||||
#define ALGO_RSA_PSS_SHA1 0x41 /* RSA signature with SHA-1 hash and PKCS#1 PSS padding */
|
||||
#define ALGO_RSA_PSS_SHA256 0x43 /* RSA signature with SHA-256 hash and PKCS#1 PSS padding */
|
||||
|
||||
#define ALGO_EC_RAW 0x70 /* ECDSA signature with hash input */
|
||||
#define ALGO_EC_SHA1 0x71 /* ECDSA signature with SHA-1 hash */
|
||||
#define ALGO_EC_SHA224 0x72 /* ECDSA signature with SHA-224 hash */
|
||||
#define ALGO_EC_SHA256 0x73 /* ECDSA signature with SHA-256 hash */
|
||||
#define ALGO_EC_RAW 0x70 /* ECDSA signature with hash input */
|
||||
#define ALGO_EC_SHA1 0x71 /* ECDSA signature with SHA-1 hash */
|
||||
#define ALGO_EC_SHA224 0x72 /* ECDSA signature with SHA-224 hash */
|
||||
#define ALGO_EC_SHA256 0x73 /* ECDSA signature with SHA-256 hash */
|
||||
|
||||
#endif /* SC_HSM_H_ */
|
||||
|
|
|
|||
|
|
@ -472,7 +472,7 @@ sc_pkcs11_signature_size(sc_pkcs11_operation_t *operation, CK_ULONG_PTR pLength)
|
|||
case CKK_EC:
|
||||
/* TODO: -DEE we should use something other then CKA_MODULUS_BITS... */
|
||||
rv = key->ops->get_attribute(operation->session, key, &attr);
|
||||
*pLength = ((*pLength + 7)/8) * 2 ; /* 2*nLen in bytes */
|
||||
*pLength = ((*pLength + 7)/8) * 2 + 8; /* 2*nLen in bytes plus SEQUENCE and 2 INTEGER tags plus leading '00' for signed integer */
|
||||
break;
|
||||
case CKK_GOSTR3410:
|
||||
rv = key->ops->get_attribute(operation->session, key, &attr);
|
||||
|
|
|
|||
|
|
@ -3341,6 +3341,14 @@ static int test_signature(CK_SESSION_HANDLE sess)
|
|||
return errors;
|
||||
}
|
||||
|
||||
// ASC: The firstMechType mechanism is broken for cards that support multiple
|
||||
// key types. find_mechanism always selects ECDSA, leading to a failure later.
|
||||
// This hack ensures that ECDSA is never selected as firstMechType
|
||||
|
||||
if (firstMechType == CKM_ECDSA) {
|
||||
firstMechType = CKM_RSA_X_509;
|
||||
}
|
||||
|
||||
printf("Signatures (currently only RSA signatures)\n");
|
||||
for (j = 0; find_object(sess, CKO_PRIVATE_KEY, &privKeyObject, NULL, 0, j); j++) {
|
||||
printf(" testing key %ld ", j);
|
||||
|
|
|
|||
Loading…
Reference in New Issue