mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-20 18:30:59 +00:00
Merge pull request #1417 from AndrzejKurek/opaque-keys-ECDSA
Opaque keys ecdsa
This commit is contained in:
commit
c8328d01fb
|
@ -256,8 +256,8 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
|
||||||
*/
|
*/
|
||||||
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
||||||
size_t ssize, uint16_t byte_len,
|
size_t ssize, uint16_t byte_len,
|
||||||
unsigned char *buf, size_t bufsize,
|
unsigned char *buf, size_t* buflen,
|
||||||
size_t* buflen );
|
size_t bufsize );
|
||||||
/**
|
/**
|
||||||
* \brief Convert a signature from numbers to ASN.1
|
* \brief Convert a signature from numbers to ASN.1
|
||||||
*
|
*
|
||||||
|
@ -280,6 +280,29 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r,
|
||||||
const mbedtls_mpi *s, unsigned char *sig,
|
const mbedtls_mpi *s, unsigned char *sig,
|
||||||
size_t *slen, size_t ssize );
|
size_t *slen, size_t ssize );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Convert a signature from a raw representation to ASN.1
|
||||||
|
*
|
||||||
|
* \param r First number of the signature
|
||||||
|
* \param s Second number of the signature
|
||||||
|
* \param num_len Length of each number in bytes
|
||||||
|
* \param sig Buffer that will hold the signature
|
||||||
|
* \param slen Length of the signature written
|
||||||
|
* \param ssize Size of the sig buffer
|
||||||
|
*
|
||||||
|
* \note The size of the buffer \c ssize should be at least
|
||||||
|
* `MBEDTLS_ECDSA_MAX_SIG_LEN(grp->pbits)` bytes long if
|
||||||
|
* the signature was produced from curve \c grp,
|
||||||
|
* otherwise this function will return an error.
|
||||||
|
*
|
||||||
|
* \return 0 if successful,
|
||||||
|
* or a MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
int mbedtls_raw_ecdsa_signature_to_asn1(const unsigned char *r,
|
||||||
|
const unsigned char *s, uint16_t num_len,
|
||||||
|
unsigned char *sig, size_t *slen, size_t ssize );
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Read and verify an ECDSA signature
|
* \brief Read and verify an ECDSA signature
|
||||||
*
|
*
|
||||||
|
|
|
@ -513,7 +513,7 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
|
||||||
* The output is the group's OID wrapped as ASN.1.
|
* The output is the group's OID wrapped as ASN.1.
|
||||||
*
|
*
|
||||||
* \param grp ECP group used
|
* \param grp ECP group used
|
||||||
* \param buf Buffer to write to
|
* \param p Buffer to write to
|
||||||
* \param size Buffer size
|
* \param size Buffer size
|
||||||
*
|
*
|
||||||
* \return Number of bytes written to \c buf,
|
* \return Number of bytes written to \c buf,
|
||||||
|
|
|
@ -2,8 +2,9 @@
|
||||||
* \file pkcs11_client.h
|
* \file pkcs11_client.h
|
||||||
*
|
*
|
||||||
* \brief Generic wrapper for Cryptoki (PKCS#11) support
|
* \brief Generic wrapper for Cryptoki (PKCS#11) support
|
||||||
*
|
*/
|
||||||
* Copyright (C) 2017, ARM Limited, All Rights Reserved
|
/*
|
||||||
|
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
@ -46,12 +47,12 @@ extern "C" {
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_C)
|
#if defined(MBEDTLS_PK_C)
|
||||||
|
|
||||||
#define MBEDTLS_PK_FLAG_SENSITIVE ( (uint32_t) 0x00000001 )
|
#define MBEDTLS_PKCS11_FLAG_SENSITIVE ( (uint32_t) 0x00000001 )
|
||||||
#define MBEDTLS_PK_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 )
|
#define MBEDTLS_PKCS11_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 )
|
||||||
#define MBEDTLS_PK_FLAG_SIGN ( (uint32_t) 0x00000010 )
|
#define MBEDTLS_PKCS11_FLAG_SIGN ( (uint32_t) 0x00000010 )
|
||||||
#define MBEDTLS_PK_FLAG_VERIFY ( (uint32_t) 0x00000020 )
|
#define MBEDTLS_PKCS11_FLAG_VERIFY ( (uint32_t) 0x00000020 )
|
||||||
#define MBEDTLS_PK_FLAG_DECRYPT ( (uint32_t) 0x00000040 )
|
#define MBEDTLS_PKCS11_FLAG_DECRYPT ( (uint32_t) 0x00000040 )
|
||||||
#define MBEDTLS_PK_FLAG_ENCRYPT ( (uint32_t) 0x00000080 )
|
#define MBEDTLS_PKCS11_FLAG_ENCRYPT ( (uint32_t) 0x00000080 )
|
||||||
|
|
||||||
#include "pk.h"
|
#include "pk.h"
|
||||||
|
|
||||||
|
@ -69,12 +70,11 @@ extern "C" {
|
||||||
* \return 0 on success,
|
* \return 0 on success,
|
||||||
* or MBEDTLS_ERR_PK_XXX error code.
|
* or MBEDTLS_ERR_PK_XXX error code.
|
||||||
*
|
*
|
||||||
* \note The session and the key(s) must remain valid until the
|
* \note If any of the handles become invalid, then you may no
|
||||||
* PK context is closed with mbedtls_pk_free(). As an
|
* longer do anything with the pk object except call
|
||||||
* exception, it's ok to call mbedtls_pk_free() itself
|
* mbedtls_pk_free on it.
|
||||||
* even if the Cryptoki handles have become invalid.
|
|
||||||
*/
|
*/
|
||||||
int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
|
||||||
CK_SESSION_HANDLE hSession,
|
CK_SESSION_HANDLE hSession,
|
||||||
CK_OBJECT_HANDLE hPublicKey,
|
CK_OBJECT_HANDLE hPublicKey,
|
||||||
CK_OBJECT_HANDLE hPrivateKey );
|
CK_OBJECT_HANDLE hPrivateKey );
|
||||||
|
@ -87,36 +87,42 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||||
* PKCS#11 token.
|
* PKCS#11 token.
|
||||||
*
|
*
|
||||||
* \param ctx PK context, which must contain a transparent pk
|
* \param ctx PK context, which must contain a transparent pk
|
||||||
* object (type \c MBEDTLS_PK_RSA,
|
* object (type #MBEDTLS_PK_RSA,
|
||||||
* \c MBEDTLS_PK_RSASSA_PSS, \c MBEDTLS_PK_ECKEY or
|
* #MBEDTLS_PK_RSASSA_PSS, #MBEDTLS_PK_ECKEY or
|
||||||
* \c MBEDTLS_PK_ECDSA).
|
* #MBEDTLS_PK_ECDSA).
|
||||||
* \param flags Mask of \c MBEDTLS_PKCS11_FLAG_XXX and
|
* \param flags Mask of #MBEDTLS_PKCS11_FLAG_XXX and
|
||||||
* \c MBEDTLS_PK_FLAG_XXX, applying as follows:
|
* #MBEDTLS_PK_FLAG_XXX, applying as follows:
|
||||||
* - \c MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
|
* - #MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
|
||||||
* flag: if set, import as token object; if clear,
|
* flag: if set, import as token object; if clear,
|
||||||
* import as session object.
|
* import as session object.
|
||||||
* - \c MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
|
* - #MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
|
||||||
* \c CKA_EXTRACTABLE flag: if set, the key will be
|
* \c CKA_EXTRACTABLE flag: if set, the private key
|
||||||
* extractable at least in wrapped form; if clear,
|
* will be extractable at least in wrapped form; if
|
||||||
* the key will not be extractable at all.
|
* clear, the key will not be extractable at all.
|
||||||
* - \c MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
|
* - #MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
|
||||||
* \c CKA_SENSITIVE flag: if set, the key will be
|
* \c CKA_SENSITIVE flag: if set, the private key
|
||||||
* not be extractable in plain form; if clear, the
|
* will not be extractable in plain form; if clear,
|
||||||
* key will be extractable at least in wrapped form.
|
* the key will be extractable in plain form if
|
||||||
* - \c MBEDTLS_PK_FLAG_SIGN: if set, the private key
|
* #MBEDTLS_PK_FLAG_EXTRACTABLE is set.
|
||||||
|
* - #MBEDTLS_PK_FLAG_SIGN: if set, the private key
|
||||||
* will be authorized for signing.
|
* will be authorized for signing.
|
||||||
* - \c MBEDTLS_PK_FLAG_VERIFY: if set, the public key
|
* - #MBEDTLS_PK_FLAG_VERIFY: if set, the public key
|
||||||
* will be authorized for verification.
|
* will be authorized for verification.
|
||||||
* - \c MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
|
* - #MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
|
||||||
* will be authorized for signing.
|
* will be authorized for decryption.
|
||||||
* - \c MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
|
* - #MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
|
||||||
* will be authorized for encryption.
|
* will be authorized for encryption.
|
||||||
*
|
*
|
||||||
* \param hSession Cryptoki session.
|
* \param hSession Cryptoki session. The session must remain valid as long
|
||||||
|
* as the PK object is in use.
|
||||||
* \param hPublicKey If non-null, on output, Cryptoki handle of the public
|
* \param hPublicKey If non-null, on output, Cryptoki handle of the public
|
||||||
* key. If null, the public key is not imported.
|
* key. This handle must remain valid as long as the PK
|
||||||
|
* object is in use. If null, the public key is not
|
||||||
|
* imported.
|
||||||
* \param hPrivateKey If non-null, on output, Cryptoki handle of the private
|
* \param hPrivateKey If non-null, on output, Cryptoki handle of the private
|
||||||
* key. If null, the private key is not imported.
|
* key. This handle must remain valid as long as the PK
|
||||||
|
* object is in use. If null, the private key is not
|
||||||
|
* imported.
|
||||||
*
|
*
|
||||||
* \return 0 on success,
|
* \return 0 on success,
|
||||||
* or MBEDTLS_ERR_PK_XXX error code.
|
* or MBEDTLS_ERR_PK_XXX error code.
|
||||||
|
@ -133,7 +139,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||||
* also failed, for example because the token was
|
* also failed, for example because the token was
|
||||||
* disconnected.
|
* disconnected.
|
||||||
*/
|
*/
|
||||||
int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
|
int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
|
||||||
uint32_t flags,
|
uint32_t flags,
|
||||||
CK_SESSION_HANDLE hSession,
|
CK_SESSION_HANDLE hSession,
|
||||||
CK_OBJECT_HANDLE *hPublicKey,
|
CK_OBJECT_HANDLE *hPublicKey,
|
||||||
|
|
143
library/ecdsa.c
143
library/ecdsa.c
|
@ -289,64 +289,73 @@ cleanup:
|
||||||
/*
|
/*
|
||||||
* Convert a signature to a raw concatenation of {r, s}
|
* Convert a signature to a raw concatenation of {r, s}
|
||||||
*/
|
*/
|
||||||
/*int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
|
||||||
size_t ssize, uint16_t byte_len,
|
|
||||||
unsigned char *buf, size_t* slen )*/
|
|
||||||
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
||||||
size_t ssize, uint16_t byte_len,
|
size_t ssize, uint16_t byte_len,
|
||||||
unsigned char *buf, size_t bufsize,
|
unsigned char *buf, size_t* buflen,
|
||||||
size_t* buflen )
|
size_t bufsize)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
unsigned char *p = (unsigned char *) sig;
|
unsigned char *p = (unsigned char *) sig;
|
||||||
|
unsigned char *buf_ptr;
|
||||||
const unsigned char *end = sig + ssize;
|
const unsigned char *end = sig + ssize;
|
||||||
size_t len;
|
size_t len, bytes_skipped;
|
||||||
mbedtls_mpi r, s;
|
|
||||||
|
|
||||||
if( 2 * byte_len > bufsize )
|
if( 2 * byte_len > bufsize )
|
||||||
{
|
{
|
||||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_mpi_init( &r );
|
|
||||||
mbedtls_mpi_init( &s );
|
|
||||||
|
|
||||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
{
|
{
|
||||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||||
goto cleanup;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
if( p + len != end )
|
if( p + len != end )
|
||||||
{
|
{
|
||||||
ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
|
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
|
||||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
|
||||||
goto cleanup;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
|
/*
|
||||||
( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
|
* Step 1: write R
|
||||||
|
*/
|
||||||
|
buf_ptr = buf;
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
|
||||||
|
if( p[bytes_skipped] != 0 )
|
||||||
|
break;
|
||||||
|
|
||||||
|
if( len - bytes_skipped > bufsize )
|
||||||
{
|
{
|
||||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||||
goto cleanup;
|
|
||||||
}
|
}
|
||||||
p = (unsigned char *) buf;
|
*buflen = len - bytes_skipped;
|
||||||
if( ( ret = mbedtls_mpi_write_binary(&r, p, byte_len) ) )
|
|
||||||
|
memmove(buf_ptr, &p[bytes_skipped], *buflen);
|
||||||
|
p += len;
|
||||||
|
buf_ptr += *buflen;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Step 2: write S
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
|
||||||
|
if( p[bytes_skipped] != 0 )
|
||||||
|
break;
|
||||||
|
|
||||||
|
if( len - bytes_skipped + *buflen > bufsize )
|
||||||
{
|
{
|
||||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||||
goto cleanup;
|
|
||||||
}
|
}
|
||||||
p += byte_len;
|
|
||||||
if( ( ret = mbedtls_mpi_write_binary(&s, p, byte_len) ) )
|
*buflen += len - bytes_skipped;
|
||||||
{
|
memmove(buf_ptr, &p[bytes_skipped], len - bytes_skipped);
|
||||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
*buflen = 2*byte_len;
|
|
||||||
cleanup:
|
|
||||||
mbedtls_mpi_free( &r );
|
|
||||||
mbedtls_mpi_free( &s );
|
|
||||||
|
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
@ -375,6 +384,76 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int mbedtls_raw_ecdsa_signature_to_asn1( const unsigned char *r,
|
||||||
|
const unsigned char *s, uint16_t num_len,
|
||||||
|
unsigned char *sig, size_t *slen, size_t ssize )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char *p = sig + ssize;
|
||||||
|
size_t total_len = 0;
|
||||||
|
size_t padding_len = 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Step 1: write S
|
||||||
|
*/
|
||||||
|
memmove( p - num_len, s, num_len );
|
||||||
|
p -= num_len;
|
||||||
|
total_len += num_len;
|
||||||
|
if( *p & 0x80 )
|
||||||
|
{
|
||||||
|
if( p - sig < 1 )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
|
*--p = 0x00;
|
||||||
|
padding_len += 1;
|
||||||
|
}
|
||||||
|
total_len += padding_len;
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
|
||||||
|
num_len + padding_len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
|
||||||
|
MBEDTLS_ASN1_INTEGER ) );
|
||||||
|
|
||||||
|
padding_len = 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Step 2: write R
|
||||||
|
*/
|
||||||
|
memmove( p - num_len, r, num_len );
|
||||||
|
p -= num_len;
|
||||||
|
total_len += num_len;
|
||||||
|
if( *p & 0x80 )
|
||||||
|
{
|
||||||
|
if( p - sig < 1 )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
|
*--p = 0x00;
|
||||||
|
padding_len += 1;
|
||||||
|
}
|
||||||
|
total_len += padding_len;
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
|
||||||
|
num_len + padding_len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
|
||||||
|
MBEDTLS_ASN1_INTEGER ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Step 3: write rest of the data
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig, total_len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Step 4: move to the beginning of the buffer, zeroize the rest
|
||||||
|
*/
|
||||||
|
memmove( sig, p, total_len );
|
||||||
|
memset( sig + total_len, 0, ssize - total_len );
|
||||||
|
*slen = total_len;
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Compute and write signature
|
* Compute and write signature
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
/*
|
/*
|
||||||
* Generic wrapper for Cryptoki (PKCS#11) support
|
* Generic wrapper for Cryptoki (PKCS#11) support
|
||||||
*
|
*
|
||||||
* Copyright (C) 2017, ARM Limited, All Rights Reserved
|
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
@ -29,7 +29,6 @@
|
||||||
|
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <pkcs11.h>
|
|
||||||
|
|
||||||
#include "mbedtls/pkcs11_client.h"
|
#include "mbedtls/pkcs11_client.h"
|
||||||
|
|
||||||
|
@ -144,7 +143,7 @@ static int pkcs11_sign( void *ctx_arg,
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
CK_MECHANISM mechanism = {0, NULL_PTR, 0};
|
CK_MECHANISM mechanism = {0, NULL_PTR, 0};
|
||||||
CK_ULONG ck_sig_len;
|
CK_ULONG ck_sig_len;
|
||||||
|
(void)(md_alg);
|
||||||
/* This function takes size_t arguments but the underlying layer
|
/* This function takes size_t arguments but the underlying layer
|
||||||
takes unsigned long. Either type may be smaller than the other.
|
takes unsigned long. Either type may be smaller than the other.
|
||||||
Legitimate values won't overflow either type but we still need
|
Legitimate values won't overflow either type but we still need
|
||||||
|
@ -180,7 +179,8 @@ static int pkcs11_sign( void *ctx_arg,
|
||||||
* each in the form of a big-endian byte sequence, with r and s
|
* each in the form of a big-endian byte sequence, with r and s
|
||||||
* having the same length as the base point.
|
* having the same length as the base point.
|
||||||
*
|
*
|
||||||
* A standard ECDSA signature is encoded in ASN.1:
|
* This library encodes ECDSA signatures in ASN.1 as documented
|
||||||
|
* for mbedtls_ecdsa_write_signature:
|
||||||
* SEQUENCE {
|
* SEQUENCE {
|
||||||
* r INTEGER,
|
* r INTEGER,
|
||||||
* s INTEGER
|
* s INTEGER
|
||||||
|
@ -191,9 +191,7 @@ static int pkcs11_sign( void *ctx_arg,
|
||||||
*/
|
*/
|
||||||
uint16_t byte_len = ( ( ctx->bit_length + 7 ) / 8 );
|
uint16_t byte_len = ( ( ctx->bit_length + 7 ) / 8 );
|
||||||
size_t sig_size = MBEDTLS_ECDSA_MAX_SIG_LEN( ctx->bit_length );
|
size_t sig_size = MBEDTLS_ECDSA_MAX_SIG_LEN( ctx->bit_length );
|
||||||
mbedtls_mpi r, s;
|
|
||||||
mbedtls_mpi_init( &r );
|
|
||||||
mbedtls_mpi_init( &s );
|
|
||||||
rv = CKR_OK;
|
rv = CKR_OK;
|
||||||
if( ck_sig_len != 2 * byte_len )
|
if( ck_sig_len != 2 * byte_len )
|
||||||
{
|
{
|
||||||
|
@ -201,22 +199,15 @@ static int pkcs11_sign( void *ctx_arg,
|
||||||
rv = CKR_GENERAL_ERROR;
|
rv = CKR_GENERAL_ERROR;
|
||||||
goto ecdsa_exit;
|
goto ecdsa_exit;
|
||||||
}
|
}
|
||||||
if( mbedtls_mpi_read_binary( &r, sig, byte_len ) != 0 ||
|
|
||||||
mbedtls_mpi_read_binary( &s, sig + byte_len, byte_len ) != 0 )
|
|
||||||
{
|
|
||||||
rv = CKR_HOST_MEMORY;
|
|
||||||
goto ecdsa_exit;
|
|
||||||
}
|
|
||||||
/* The signature buffer is guaranteed to have enough room for
|
/* The signature buffer is guaranteed to have enough room for
|
||||||
the encoded signature by the pk_sign interface. */
|
the encoded signature by the pk_sign interface. */
|
||||||
if( mbedtls_ecdsa_signature_to_asn1( &r, &s, sig, sig_len, sig_size ) != 0 )
|
if( mbedtls_raw_ecdsa_signature_to_asn1( sig, sig + byte_len, byte_len, sig, sig_len, sig_size ) != 0 )
|
||||||
{
|
{
|
||||||
rv = CKR_GENERAL_ERROR;
|
rv = CKR_GENERAL_ERROR;
|
||||||
goto ecdsa_exit;
|
goto ecdsa_exit;
|
||||||
}
|
}
|
||||||
ecdsa_exit:
|
ecdsa_exit:
|
||||||
mbedtls_mpi_free( &r );
|
|
||||||
mbedtls_mpi_free( &s );
|
|
||||||
if( rv != CKR_OK )
|
if( rv != CKR_OK )
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
@ -292,8 +283,8 @@ static int pkcs11_verify( void *ctx_arg,
|
||||||
return( MBEDTLS_ERR_PK_ALLOC_FAILED );
|
return( MBEDTLS_ERR_PK_ALLOC_FAILED );
|
||||||
}
|
}
|
||||||
if( mbedtls_ecdsa_signature_to_raw( sig, sig_len, byte_len,
|
if( mbedtls_ecdsa_signature_to_raw( sig, sig_len, byte_len,
|
||||||
decoded_sig, 2 * byte_len,
|
decoded_sig, &decoded_sig_len,
|
||||||
&decoded_sig_len ) != 0 )
|
2 * byte_len ) != 0 )
|
||||||
{
|
{
|
||||||
rv = CKR_GENERAL_ERROR;
|
rv = CKR_GENERAL_ERROR;
|
||||||
goto exit;
|
goto exit;
|
||||||
|
@ -315,7 +306,7 @@ exit:
|
||||||
static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
|
static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
|
||||||
MBEDTLS_PK_OPAQUE_INFO_1( "pkcs11"
|
MBEDTLS_PK_OPAQUE_INFO_1( "pkcs11"
|
||||||
, pkcs11_pk_get_bitlen
|
, pkcs11_pk_get_bitlen
|
||||||
, pkcs11_pk_can_do //can_do
|
, pkcs11_pk_can_do
|
||||||
, pkcs11_pk_signature_size
|
, pkcs11_pk_signature_size
|
||||||
, pkcs11_verify
|
, pkcs11_verify
|
||||||
, pkcs11_sign
|
, pkcs11_sign
|
||||||
|
@ -327,7 +318,7 @@ static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
|
||||||
, NULL //debug_func
|
, NULL //debug_func
|
||||||
);
|
);
|
||||||
|
|
||||||
int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
|
||||||
CK_SESSION_HANDLE hSession,
|
CK_SESSION_HANDLE hSession,
|
||||||
CK_OBJECT_HANDLE hPublicKey,
|
CK_OBJECT_HANDLE hPublicKey,
|
||||||
CK_OBJECT_HANDLE hPrivateKey )
|
CK_OBJECT_HANDLE hPrivateKey )
|
||||||
|
@ -368,7 +359,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||||
case CKK_ECDSA:
|
case CKK_ECDSA:
|
||||||
can_do = MBEDTLS_PK_ECKEY;
|
can_do = MBEDTLS_PK_ECKEY;
|
||||||
{
|
{
|
||||||
unsigned char ecParams[16];
|
unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
|
||||||
mbedtls_asn1_buf params_asn1;
|
mbedtls_asn1_buf params_asn1;
|
||||||
mbedtls_ecp_group_id grp_id;
|
mbedtls_ecp_group_id grp_id;
|
||||||
const mbedtls_ecp_curve_info *curve_info;
|
const mbedtls_ecp_curve_info *curve_info;
|
||||||
|
@ -416,18 +407,19 @@ static int mpi_to_ck( const mbedtls_mpi *mpi,
|
||||||
CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE at,
|
CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE at,
|
||||||
unsigned char **p, size_t len )
|
unsigned char **p, size_t len )
|
||||||
{
|
{
|
||||||
if( mbedtls_mpi_write_binary( mpi, *p, len ) != 0 )
|
int ret = mbedtls_mpi_write_binary( mpi, *p, len );
|
||||||
return( 0 );
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
attr->type = at;
|
attr->type = at;
|
||||||
attr->pValue = *p;
|
attr->pValue = *p;
|
||||||
attr->ulValueLen = len;
|
attr->ulValueLen = len;
|
||||||
*p += len;
|
*p += len;
|
||||||
return( 1 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#define MPI_TO_CK( mpi, attr, at, p, len ) \
|
#define MPI_TO_CK( mpi, attr, at, p, len ) \
|
||||||
do \
|
do \
|
||||||
{ \
|
{ \
|
||||||
if( !mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) ) \
|
if( mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) != 0) \
|
||||||
{ \
|
{ \
|
||||||
rv = CKR_ARGUMENTS_BAD; \
|
rv = CKR_ARGUMENTS_BAD; \
|
||||||
goto exit; \
|
goto exit; \
|
||||||
|
@ -436,9 +428,9 @@ static int mpi_to_ck( const mbedtls_mpi *mpi,
|
||||||
while( 0 )
|
while( 0 )
|
||||||
#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) */
|
#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) */
|
||||||
|
|
||||||
#define CK_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE )
|
#define MBEDTLS_PKCS11_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE )
|
||||||
|
|
||||||
int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
|
int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
|
||||||
uint32_t flags,
|
uint32_t flags,
|
||||||
CK_SESSION_HANDLE hSession,
|
CK_SESSION_HANDLE hSession,
|
||||||
CK_OBJECT_HANDLE *hPublicKey,
|
CK_OBJECT_HANDLE *hPublicKey,
|
||||||
|
@ -447,13 +439,13 @@ int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
|
||||||
CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
|
CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
|
||||||
CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
|
CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
|
||||||
CK_KEY_TYPE ck_key_type;
|
CK_KEY_TYPE ck_key_type;
|
||||||
CK_BBOOL ck_sensitive = CK_BOOL( flags & MBEDTLS_PK_FLAG_SENSITIVE );
|
CK_BBOOL ck_sensitive = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SENSITIVE );
|
||||||
CK_BBOOL ck_extractable = CK_BOOL( flags & MBEDTLS_PK_FLAG_EXTRACTABLE );
|
CK_BBOOL ck_extractable = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_EXTRACTABLE );
|
||||||
CK_BBOOL ck_sign = CK_BOOL( flags & MBEDTLS_PK_FLAG_SIGN );
|
CK_BBOOL ck_sign = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SIGN );
|
||||||
CK_BBOOL ck_verify = CK_BOOL( flags & MBEDTLS_PK_FLAG_VERIFY );
|
CK_BBOOL ck_verify = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_VERIFY );
|
||||||
CK_BBOOL ck_decrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_DECRYPT );
|
CK_BBOOL ck_decrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_DECRYPT );
|
||||||
CK_BBOOL ck_encrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_ENCRYPT );
|
CK_BBOOL ck_encrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_ENCRYPT );
|
||||||
CK_BBOOL ck_token = CK_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN );
|
CK_BBOOL ck_token = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN );
|
||||||
CK_ATTRIBUTE public_attributes[] = {
|
CK_ATTRIBUTE public_attributes[] = {
|
||||||
{CKA_CLASS, &cko_public_key, sizeof( cko_public_key )},
|
{CKA_CLASS, &cko_public_key, sizeof( cko_public_key )},
|
||||||
{CKA_KEY_TYPE, &ck_key_type, sizeof( ck_key_type )},
|
{CKA_KEY_TYPE, &ck_key_type, sizeof( ck_key_type )},
|
||||||
|
|
2
programs/.gitignore
vendored
2
programs/.gitignore
vendored
|
@ -49,7 +49,7 @@ test/ssl_cert_test
|
||||||
test/udp_proxy
|
test/udp_proxy
|
||||||
util/pem2der
|
util/pem2der
|
||||||
util/strerror
|
util/strerror
|
||||||
util/syslog2stderr.so
|
test/syslog2stderr.so
|
||||||
x509/cert_app
|
x509/cert_app
|
||||||
x509/cert_req
|
x509/cert_req
|
||||||
x509/crl_app
|
x509/crl_app
|
||||||
|
|
|
@ -278,14 +278,15 @@ x509/req_app$(EXEXT): x509/req_app.c $(DEP)
|
||||||
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
|
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
|
||||||
|
|
||||||
ifndef WINDOWS
|
ifndef WINDOWS
|
||||||
util/syslog2stderr.so: util/syslog2stderr.c
|
test/syslog2stderr.so: test/syslog2stderr.c
|
||||||
echo " CC util/syslog2stderr.c"
|
echo " CC test/syslog2stderr.c"
|
||||||
$(CC) $(CFLAGS) -fPIC -shared -o $@ $< -ldl
|
$(CC) $(CFLAGS) -fPIC -shared -o $@ $< -ldl
|
||||||
endif
|
endif
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
ifndef WINDOWS
|
ifndef WINDOWS
|
||||||
rm -f $(APPS)
|
rm -f $(APPS)
|
||||||
|
rm -f test/syslog2stderr.so
|
||||||
else
|
else
|
||||||
del /S /Q /F *.o *.exe
|
del /S /Q /F *.o *.exe
|
||||||
endif
|
endif
|
||||||
|
|
69
programs/test/syslog2stderr.c
Normal file
69
programs/test/syslog2stderr.c
Normal file
|
@ -0,0 +1,69 @@
|
||||||
|
/** \brief Syslog to stderr wrapper for Unix-like systems
|
||||||
|
*
|
||||||
|
* By dynamically linking this module into an executable, any message sent to the system logs
|
||||||
|
* via the POSIX or Linux API is instead redirected to standard error.
|
||||||
|
*
|
||||||
|
* Compile this program with `cc -fPID -shared -o syslog2stderr.so syslog2stderr.c -ldl`
|
||||||
|
* and load it dynamically when running `myprogram` with
|
||||||
|
* `LD_PRELOAD=/path/to/syslog2stderr.so myprogram`.
|
||||||
|
* On macOS, replace `LD_PRELOAD` by `DYLD_PRELOAD`.
|
||||||
|
*/
|
||||||
|
/**
|
||||||
|
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#include <dlfcn.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <syslog.h>
|
||||||
|
|
||||||
|
|
||||||
|
void openlog( const char *ident, int option, int facility )
|
||||||
|
{
|
||||||
|
(void) ident;
|
||||||
|
(void) option;
|
||||||
|
(void) facility;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* POSIX API */
|
||||||
|
void syslog( int priority, const char *format, ... )
|
||||||
|
{
|
||||||
|
va_list args;
|
||||||
|
va_start( args, format );
|
||||||
|
vfprintf( stderr, format, args );
|
||||||
|
va_end( args );
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Linux ABI
|
||||||
|
* http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
|
||||||
|
*/
|
||||||
|
void __syslog_chk( int priority, int flag, const char *format, ... )
|
||||||
|
{
|
||||||
|
va_list args;
|
||||||
|
(int) flag;
|
||||||
|
va_start( args, format );
|
||||||
|
vfprintf( stderr, format, args );
|
||||||
|
fputc( '\n', stderr );
|
||||||
|
va_end( args );
|
||||||
|
}
|
||||||
|
|
||||||
|
void closelog( void )
|
||||||
|
{
|
||||||
|
/* no-op */
|
||||||
|
}
|
|
@ -1,41 +0,0 @@
|
||||||
#include <dlfcn.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
|
|
||||||
|
|
||||||
void openlog( const char *ident, int option, int facility )
|
|
||||||
{
|
|
||||||
(void) ident;
|
|
||||||
(void) option;
|
|
||||||
(void) facility;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* POSIX API */
|
|
||||||
void syslog( int priority, const char *format, ... )
|
|
||||||
{
|
|
||||||
va_list args;
|
|
||||||
va_start( args, format );
|
|
||||||
vfprintf( stderr, format, args );
|
|
||||||
va_end( args );
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Linux ABI
|
|
||||||
* http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
|
|
||||||
*/
|
|
||||||
void __syslog_chk( int priority, int flag, const char *format, ... )
|
|
||||||
{
|
|
||||||
va_list args;
|
|
||||||
(int) flag;
|
|
||||||
va_start( args, format );
|
|
||||||
vfprintf( stderr, format, args );
|
|
||||||
fputc( '\n', stderr );
|
|
||||||
va_end( args );
|
|
||||||
}
|
|
||||||
|
|
||||||
void closelog( void )
|
|
||||||
{
|
|
||||||
/* no-op */
|
|
||||||
}
|
|
|
@ -14,14 +14,16 @@ elif [ -e ../../../library/aes.c ]; then
|
||||||
else
|
else
|
||||||
unset TOPDIR
|
unset TOPDIR
|
||||||
fi
|
fi
|
||||||
|
# The SoftHSM library sends error messages to the system logs. If possible, send
|
||||||
|
# the messages to standard error instead, by overloading the logging functions.
|
||||||
if [ -n "${TOPDIR+1}" ] &&
|
if [ -n "${TOPDIR+1}" ] &&
|
||||||
make -C "$TOPDIR/programs" util/syslog2stderr.so >/dev/null 2>&1
|
make -C "$TOPDIR/programs" test/syslog2stderr.so >/dev/null 2>&1
|
||||||
then
|
then
|
||||||
case $(uname) in
|
case $(uname) in
|
||||||
Darwin)
|
Darwin)
|
||||||
export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";;
|
export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
|
||||||
*)
|
*)
|
||||||
export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";;
|
export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
@ -163,6 +163,7 @@ pk_opaque_fail_allocation:
|
||||||
PK opaque minimal
|
PK opaque minimal
|
||||||
pk_opaque_minimal:
|
pk_opaque_minimal:
|
||||||
|
|
||||||
PK opaque wrapper (RSA)
|
#PK opaque wrapper (RSA)
|
||||||
depends_on:MBEDTLS_RSA_C
|
#depends_on:MBEDTLS_RSA_C
|
||||||
pk_opaque_wrapper:
|
#pk_opaque_wrapper:
|
||||||
|
#
|
|
@ -1,19 +1,19 @@
|
||||||
PKCS#11 ECDSA import and sign
|
PKCS#11 ECDSA import and sign
|
||||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||||
pk_import_sign:"data_files/server3.key"
|
pk_import_sign:"data_files/server3.key"
|
||||||
|
|
||||||
PKCS#11 ECDSA generate and sign
|
PKCS#11 ECDSA generate and sign
|
||||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||||
pk_generate_sign:MBEDTLS_PK_ECDSA
|
pk_generate_sign:MBEDTLS_PK_ECDSA
|
||||||
|
|
||||||
PKCS#11 ECDSA import, sign and verify with Cryptoki
|
PKCS#11 ECDSA import, sign and verify with Cryptoki
|
||||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||||
pk_import_sign_verify:"data_files/server3.key"
|
pk_import_sign_verify:"data_files/server3.key"
|
||||||
|
|
||||||
PKCS#11 ECDSA import, sign with MbedTLS and verify with Cryptoki
|
PKCS#11 ECDSA import, sign with MbedTLS and verify with Cryptoki
|
||||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||||
pk_import_verify_signed:"data_files/server3.key"
|
pk_import_verify_signed:"data_files/server3.key"
|
||||||
|
|
||||||
PKCS#11 ECDSA verify a hardcoded signature with Cryptoki
|
PKCS#11 ECDSA verify a hardcoded signature with Cryptoki
|
||||||
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
||||||
pk_ecdsa_hardcoded_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:"046FDD3028FA94A863CD4F78DBFF8B3AA561FC6D9CCBBCA88E0AE6FA437F5415F957542D0717FF8B84562DAE99872EF841":"546869732073686F756C64206265207468652068617368206F662061206D6573736167652E00":"30350218185B2A7FB5CD9C9A8488B119B68B47D6EC833509CE9FA1FF021900FB7D259A744A2348BD45D241A39DC915B81CC2084100FA24":0
|
pk_ecdsa_hardcoded_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:"046FDD3028FA94A863CD4F78DBFF8B3AA561FC6D9CCBBCA88E0AE6FA437F5415F957542D0717FF8B84562DAE99872EF841":"546869732073686F756C64206265207468652068617368206F662061206D6573736167652E00":"30350218185B2A7FB5CD9C9A8488B119B68B47D6EC833509CE9FA1FF021900FB7D259A744A2348BD45D241A39DC915B81CC2084100FA24":0
|
||||||
|
|
|
@ -110,8 +110,7 @@ static CK_RV pkcs11_generate_key( mbedtls_pk_type_t key_type,
|
||||||
{CKA_DECRYPT, &ck_true, sizeof( ck_true )},
|
{CKA_DECRYPT, &ck_true, sizeof( ck_true )},
|
||||||
{CKA_SIGN, &ck_true, sizeof( ck_true )},
|
{CKA_SIGN, &ck_true, sizeof( ck_true )},
|
||||||
};
|
};
|
||||||
CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS;
|
unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
|
||||||
unsigned char ecParams[16];
|
|
||||||
size_t ecParams_length;
|
size_t ecParams_length;
|
||||||
|
|
||||||
switch( key_type )
|
switch( key_type )
|
||||||
|
@ -190,7 +189,7 @@ void pk_generate_sign( int key_type )
|
||||||
/* Prepare the mbed TLS contexts */
|
/* Prepare the mbed TLS contexts */
|
||||||
TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx,
|
TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx,
|
||||||
mbedtls_pk_info_from_type( key_type ) ) == 0 );
|
mbedtls_pk_info_from_type( key_type ) ) == 0 );
|
||||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||||
hSession,
|
hSession,
|
||||||
hPublicKey,
|
hPublicKey,
|
||||||
hPrivateKey ) == 0 );
|
hPrivateKey ) == 0 );
|
||||||
|
@ -201,8 +200,8 @@ void pk_generate_sign( int key_type )
|
||||||
#if defined(MBEDTLS_ECDSA_C)
|
#if defined(MBEDTLS_ECDSA_C)
|
||||||
case MBEDTLS_PK_ECDSA:
|
case MBEDTLS_PK_ECDSA:
|
||||||
{
|
{
|
||||||
unsigned char ecParams[16];
|
unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
|
||||||
unsigned char ecPoint[128];
|
unsigned char ecPoint[MBEDTLS_ECP_MAX_PT_LEN];
|
||||||
CK_ATTRIBUTE public_attributes[] = {
|
CK_ATTRIBUTE public_attributes[] = {
|
||||||
{CKA_EC_PARAMS, ecParams, sizeof( ecParams )},
|
{CKA_EC_PARAMS, ecParams, sizeof( ecParams )},
|
||||||
{CKA_EC_POINT, ecPoint, sizeof( ecPoint )},
|
{CKA_EC_POINT, ecPoint, sizeof( ecPoint )},
|
||||||
|
@ -246,7 +245,7 @@ void pk_generate_sign( int key_type )
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Sign with the token and verify in software */
|
/* Sign with cryptoki and verify with mbed TLS */
|
||||||
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
||||||
hash_value, 32,
|
hash_value, 32,
|
||||||
sig_buffer, &sig_length,
|
sig_buffer, &sig_length,
|
||||||
|
@ -267,7 +266,7 @@ exit:
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
|
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
|
||||||
void pk_import_sign( char *file )
|
void pk_import_sign( char *file )
|
||||||
{
|
{
|
||||||
mbedtls_pk_context pkcs11_ctx;
|
mbedtls_pk_context pkcs11_ctx;
|
||||||
|
@ -276,7 +275,7 @@ void pk_import_sign( char *file )
|
||||||
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
||||||
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
||||||
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
||||||
unsigned char sig_buffer[4096];
|
unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
|
||||||
size_t sig_length = sizeof( sig_buffer );
|
size_t sig_length = sizeof( sig_buffer );
|
||||||
|
|
||||||
mbedtls_pk_init( &pkcs11_ctx );
|
mbedtls_pk_init( &pkcs11_ctx );
|
||||||
|
@ -289,20 +288,20 @@ void pk_import_sign( char *file )
|
||||||
hSession = pkcs11_init( );
|
hSession = pkcs11_init( );
|
||||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||||
MBEDTLS_PK_FLAG_SIGN |
|
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||||
MBEDTLS_PK_FLAG_VERIFY,
|
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||||
hSession,
|
hSession,
|
||||||
&hPublicKey,
|
&hPublicKey,
|
||||||
&hPrivateKey ) == 0 );
|
&hPrivateKey ) == 0 );
|
||||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||||
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
|
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
|
||||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||||
hSession,
|
hSession,
|
||||||
hPublicKey,
|
hPublicKey,
|
||||||
hPrivateKey ) == 0 );
|
hPrivateKey ) == 0 );
|
||||||
|
|
||||||
/* Sign with the token and verify in software */
|
/* Sign with cryptoki and verify with mbedTLS */
|
||||||
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
||||||
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
||||||
hash_value, 32,
|
hash_value, 32,
|
||||||
|
@ -324,7 +323,7 @@ exit:
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
|
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
|
||||||
void pk_import_sign_verify( char *file )
|
void pk_import_sign_verify( char *file )
|
||||||
{
|
{
|
||||||
/* Sign with cryptoki, convert to mbedTLS format and save,
|
/* Sign with cryptoki, convert to mbedTLS format and save,
|
||||||
|
@ -336,7 +335,7 @@ void pk_import_sign_verify( char *file )
|
||||||
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
||||||
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
||||||
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
||||||
unsigned char sig_buffer[4096];
|
unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
|
||||||
size_t sig_length = sizeof( sig_buffer );
|
size_t sig_length = sizeof( sig_buffer );
|
||||||
|
|
||||||
mbedtls_pk_init( &pkcs11_ctx );
|
mbedtls_pk_init( &pkcs11_ctx );
|
||||||
|
@ -349,20 +348,20 @@ void pk_import_sign_verify( char *file )
|
||||||
hSession = pkcs11_init( );
|
hSession = pkcs11_init( );
|
||||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||||
MBEDTLS_PK_FLAG_SIGN |
|
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||||
MBEDTLS_PK_FLAG_VERIFY,
|
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||||
hSession,
|
hSession,
|
||||||
&hPublicKey,
|
&hPublicKey,
|
||||||
&hPrivateKey ) == 0 );
|
&hPrivateKey ) == 0 );
|
||||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||||
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
|
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
|
||||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||||
hSession,
|
hSession,
|
||||||
hPublicKey,
|
hPublicKey,
|
||||||
hPrivateKey ) == 0 );
|
hPrivateKey ) == 0 );
|
||||||
|
|
||||||
/* Sign with the token and verify with cryptoki */
|
/* Sign with cryptoki and verify with cryptoki */
|
||||||
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
||||||
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
||||||
hash_value, 32,
|
hash_value, 32,
|
||||||
|
@ -384,7 +383,7 @@ exit:
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
|
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
|
||||||
void pk_import_verify_signed( char *file )
|
void pk_import_verify_signed( char *file )
|
||||||
{
|
{
|
||||||
/* Sign with mbedTLS, verify by cryptoki with a conversion
|
/* Sign with mbedTLS, verify by cryptoki with a conversion
|
||||||
|
@ -395,7 +394,7 @@ void pk_import_verify_signed( char *file )
|
||||||
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
||||||
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
||||||
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
||||||
unsigned char sig_buffer[4096];
|
unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
|
||||||
size_t sig_length = sizeof( sig_buffer );
|
size_t sig_length = sizeof( sig_buffer );
|
||||||
|
|
||||||
mbedtls_pk_init( &pkcs11_ctx );
|
mbedtls_pk_init( &pkcs11_ctx );
|
||||||
|
@ -408,19 +407,19 @@ void pk_import_verify_signed( char *file )
|
||||||
hSession = pkcs11_init( );
|
hSession = pkcs11_init( );
|
||||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||||
|
|
||||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||||
MBEDTLS_PK_FLAG_SIGN |
|
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||||
MBEDTLS_PK_FLAG_VERIFY,
|
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||||
hSession,
|
hSession,
|
||||||
&hPublicKey,
|
&hPublicKey,
|
||||||
NULL ) == 0 );
|
NULL ) == 0 );
|
||||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||||
hSession,
|
hSession,
|
||||||
hPublicKey,
|
hPublicKey,
|
||||||
CK_INVALID_HANDLE ) == 0 );
|
CK_INVALID_HANDLE ) == 0 );
|
||||||
|
|
||||||
/* Sign with the token and verify with cryptoki */
|
/* Sign with mbed TLS and verify with cryptoki */
|
||||||
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
||||||
TEST_ASSERT( mbedtls_pk_sign( &transparent_ctx, MBEDTLS_MD_SHA256,
|
TEST_ASSERT( mbedtls_pk_sign( &transparent_ctx, MBEDTLS_MD_SHA256,
|
||||||
hash_value, 32,
|
hash_value, 32,
|
||||||
|
@ -442,7 +441,7 @@ exit:
|
||||||
}
|
}
|
||||||
/* END_CASE */
|
/* END_CASE */
|
||||||
|
|
||||||
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C */
|
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PK_C */
|
||||||
void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
|
void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
|
||||||
char *hash_str, char * sig_str, int ret )
|
char *hash_str, char * sig_str, int ret )
|
||||||
{
|
{
|
||||||
|
@ -477,14 +476,14 @@ void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
|
||||||
/* Initialize cryptoki and import the key into the token */
|
/* Initialize cryptoki and import the key into the token */
|
||||||
hSession = pkcs11_init( );
|
hSession = pkcs11_init( );
|
||||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||||
MBEDTLS_PK_FLAG_SIGN |
|
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||||
MBEDTLS_PK_FLAG_VERIFY,
|
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||||
hSession,
|
hSession,
|
||||||
&hPublicKey,
|
&hPublicKey,
|
||||||
NULL ) == 0 );
|
NULL ) == 0 );
|
||||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||||
hSession,
|
hSession,
|
||||||
hPublicKey,
|
hPublicKey,
|
||||||
CK_INVALID_HANDLE ) == 0 );
|
CK_INVALID_HANDLE ) == 0 );
|
||||||
|
|
Loading…
Reference in a new issue