Merge pull request #1417 from AndrzejKurek/opaque-keys-ECDSA

Opaque keys ecdsa
This commit is contained in:
AndrzejKurek 2018-03-01 15:41:18 +01:00 committed by GitHub
commit c8328d01fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 336 additions and 205 deletions

View File

@ -256,8 +256,8 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
*/ */
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig, int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
size_t ssize, uint16_t byte_len, size_t ssize, uint16_t byte_len,
unsigned char *buf, size_t bufsize, unsigned char *buf, size_t* buflen,
size_t* buflen ); size_t bufsize );
/** /**
* \brief Convert a signature from numbers to ASN.1 * \brief Convert a signature from numbers to ASN.1
* *
@ -280,6 +280,29 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r,
const mbedtls_mpi *s, unsigned char *sig, const mbedtls_mpi *s, unsigned char *sig,
size_t *slen, size_t ssize ); size_t *slen, size_t ssize );
/**
* \brief Convert a signature from a raw representation to ASN.1
*
* \param r First number of the signature
* \param s Second number of the signature
* \param num_len Length of each number in bytes
* \param sig Buffer that will hold the signature
* \param slen Length of the signature written
* \param ssize Size of the sig buffer
*
* \note The size of the buffer \c ssize should be at least
* `MBEDTLS_ECDSA_MAX_SIG_LEN(grp->pbits)` bytes long if
* the signature was produced from curve \c grp,
* otherwise this function will return an error.
*
* \return 0 if successful,
* or a MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code
*
*/
int mbedtls_raw_ecdsa_signature_to_asn1(const unsigned char *r,
const unsigned char *s, uint16_t num_len,
unsigned char *sig, size_t *slen, size_t ssize );
/** /**
* \brief Read and verify an ECDSA signature * \brief Read and verify an ECDSA signature
* *

View File

@ -513,7 +513,7 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
* The output is the group's OID wrapped as ASN.1. * The output is the group's OID wrapped as ASN.1.
* *
* \param grp ECP group used * \param grp ECP group used
* \param buf Buffer to write to * \param p Buffer to write to
* \param size Buffer size * \param size Buffer size
* *
* \return Number of bytes written to \c buf, * \return Number of bytes written to \c buf,

View File

@ -2,8 +2,9 @@
* \file pkcs11_client.h * \file pkcs11_client.h
* *
* \brief Generic wrapper for Cryptoki (PKCS#11) support * \brief Generic wrapper for Cryptoki (PKCS#11) support
* */
* Copyright (C) 2017, ARM Limited, All Rights Reserved /*
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
* *
* Licensed under the Apache License, Version 2.0 (the "License"); you may * Licensed under the Apache License, Version 2.0 (the "License"); you may
@ -46,12 +47,12 @@ extern "C" {
#if defined(MBEDTLS_PK_C) #if defined(MBEDTLS_PK_C)
#define MBEDTLS_PK_FLAG_SENSITIVE ( (uint32_t) 0x00000001 ) #define MBEDTLS_PKCS11_FLAG_SENSITIVE ( (uint32_t) 0x00000001 )
#define MBEDTLS_PK_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 ) #define MBEDTLS_PKCS11_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 )
#define MBEDTLS_PK_FLAG_SIGN ( (uint32_t) 0x00000010 ) #define MBEDTLS_PKCS11_FLAG_SIGN ( (uint32_t) 0x00000010 )
#define MBEDTLS_PK_FLAG_VERIFY ( (uint32_t) 0x00000020 ) #define MBEDTLS_PKCS11_FLAG_VERIFY ( (uint32_t) 0x00000020 )
#define MBEDTLS_PK_FLAG_DECRYPT ( (uint32_t) 0x00000040 ) #define MBEDTLS_PKCS11_FLAG_DECRYPT ( (uint32_t) 0x00000040 )
#define MBEDTLS_PK_FLAG_ENCRYPT ( (uint32_t) 0x00000080 ) #define MBEDTLS_PKCS11_FLAG_ENCRYPT ( (uint32_t) 0x00000080 )
#include "pk.h" #include "pk.h"
@ -69,12 +70,11 @@ extern "C" {
* \return 0 on success, * \return 0 on success,
* or MBEDTLS_ERR_PK_XXX error code. * or MBEDTLS_ERR_PK_XXX error code.
* *
* \note The session and the key(s) must remain valid until the * \note If any of the handles become invalid, then you may no
* PK context is closed with mbedtls_pk_free(). As an * longer do anything with the pk object except call
* exception, it's ok to call mbedtls_pk_free() itself * mbedtls_pk_free on it.
* even if the Cryptoki handles have become invalid.
*/ */
int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
CK_SESSION_HANDLE hSession, CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPublicKey,
CK_OBJECT_HANDLE hPrivateKey ); CK_OBJECT_HANDLE hPrivateKey );
@ -87,36 +87,42 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
* PKCS#11 token. * PKCS#11 token.
* *
* \param ctx PK context, which must contain a transparent pk * \param ctx PK context, which must contain a transparent pk
* object (type \c MBEDTLS_PK_RSA, * object (type #MBEDTLS_PK_RSA,
* \c MBEDTLS_PK_RSASSA_PSS, \c MBEDTLS_PK_ECKEY or * #MBEDTLS_PK_RSASSA_PSS, #MBEDTLS_PK_ECKEY or
* \c MBEDTLS_PK_ECDSA). * #MBEDTLS_PK_ECDSA).
* \param flags Mask of \c MBEDTLS_PKCS11_FLAG_XXX and * \param flags Mask of #MBEDTLS_PKCS11_FLAG_XXX and
* \c MBEDTLS_PK_FLAG_XXX, applying as follows: * #MBEDTLS_PK_FLAG_XXX, applying as follows:
* - \c MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN * - #MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
* flag: if set, import as token object; if clear, * flag: if set, import as token object; if clear,
* import as session object. * import as session object.
* - \c MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11 * - #MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
* \c CKA_EXTRACTABLE flag: if set, the key will be * \c CKA_EXTRACTABLE flag: if set, the private key
* extractable at least in wrapped form; if clear, * will be extractable at least in wrapped form; if
* the key will not be extractable at all. * clear, the key will not be extractable at all.
* - \c MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11 * - #MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
* \c CKA_SENSITIVE flag: if set, the key will be * \c CKA_SENSITIVE flag: if set, the private key
* not be extractable in plain form; if clear, the * will not be extractable in plain form; if clear,
* key will be extractable at least in wrapped form. * the key will be extractable in plain form if
* - \c MBEDTLS_PK_FLAG_SIGN: if set, the private key * #MBEDTLS_PK_FLAG_EXTRACTABLE is set.
* - #MBEDTLS_PK_FLAG_SIGN: if set, the private key
* will be authorized for signing. * will be authorized for signing.
* - \c MBEDTLS_PK_FLAG_VERIFY: if set, the public key * - #MBEDTLS_PK_FLAG_VERIFY: if set, the public key
* will be authorized for verification. * will be authorized for verification.
* - \c MBEDTLS_PK_FLAG_DECRYPT: if set, the private key * - #MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
* will be authorized for signing. * will be authorized for decryption.
* - \c MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key * - #MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
* will be authorized for encryption. * will be authorized for encryption.
* *
* \param hSession Cryptoki session. * \param hSession Cryptoki session. The session must remain valid as long
* as the PK object is in use.
* \param hPublicKey If non-null, on output, Cryptoki handle of the public * \param hPublicKey If non-null, on output, Cryptoki handle of the public
* key. If null, the public key is not imported. * key. This handle must remain valid as long as the PK
* object is in use. If null, the public key is not
* imported.
* \param hPrivateKey If non-null, on output, Cryptoki handle of the private * \param hPrivateKey If non-null, on output, Cryptoki handle of the private
* key. If null, the private key is not imported. * key. This handle must remain valid as long as the PK
* object is in use. If null, the private key is not
* imported.
* *
* \return 0 on success, * \return 0 on success,
* or MBEDTLS_ERR_PK_XXX error code. * or MBEDTLS_ERR_PK_XXX error code.
@ -133,7 +139,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
* also failed, for example because the token was * also failed, for example because the token was
* disconnected. * disconnected.
*/ */
int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx, int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
uint32_t flags, uint32_t flags,
CK_SESSION_HANDLE hSession, CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE *hPublicKey, CK_OBJECT_HANDLE *hPublicKey,

View File

@ -289,64 +289,73 @@ cleanup:
/* /*
* Convert a signature to a raw concatenation of {r, s} * Convert a signature to a raw concatenation of {r, s}
*/ */
/*int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
size_t ssize, uint16_t byte_len,
unsigned char *buf, size_t* slen )*/
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig, int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
size_t ssize, uint16_t byte_len, size_t ssize, uint16_t byte_len,
unsigned char *buf, size_t bufsize, unsigned char *buf, size_t* buflen,
size_t* buflen ) size_t bufsize)
{ {
int ret; int ret;
unsigned char *p = (unsigned char *) sig; unsigned char *p = (unsigned char *) sig;
unsigned char *buf_ptr;
const unsigned char *end = sig + ssize; const unsigned char *end = sig + ssize;
size_t len; size_t len, bytes_skipped;
mbedtls_mpi r, s;
if( 2 * byte_len > bufsize ) if( 2 * byte_len > bufsize )
{ {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
} }
mbedtls_mpi_init( &r );
mbedtls_mpi_init( &s );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 ) MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{ {
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
goto cleanup; return ret;
} }
if( p + len != end ) if( p + len != end )
{ {
ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA + return MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH; MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
goto cleanup;
} }
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 || /*
( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 ) * Step 1: write R
*/
buf_ptr = buf;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
return( ret );
for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
if( p[bytes_skipped] != 0 )
break;
if( len - bytes_skipped > bufsize )
{ {
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
goto cleanup;
} }
p = (unsigned char *) buf; *buflen = len - bytes_skipped;
if( ( ret = mbedtls_mpi_write_binary(&r, p, byte_len) ) )
memmove(buf_ptr, &p[bytes_skipped], *buflen);
p += len;
buf_ptr += *buflen;
/*
* Step 2: write S
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
return( ret );
for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
if( p[bytes_skipped] != 0 )
break;
if( len - bytes_skipped + *buflen > bufsize )
{ {
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA; return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
goto cleanup;
} }
p += byte_len;
if( ( ret = mbedtls_mpi_write_binary(&s, p, byte_len) ) ) *buflen += len - bytes_skipped;
{ memmove(buf_ptr, &p[bytes_skipped], len - bytes_skipped);
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
goto cleanup;
}
*buflen = 2*byte_len;
cleanup:
mbedtls_mpi_free( &r );
mbedtls_mpi_free( &s );
return( ret ); return( ret );
} }
@ -375,6 +384,76 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
return( 0 ); return( 0 );
} }
int mbedtls_raw_ecdsa_signature_to_asn1( const unsigned char *r,
const unsigned char *s, uint16_t num_len,
unsigned char *sig, size_t *slen, size_t ssize )
{
int ret;
unsigned char *p = sig + ssize;
size_t total_len = 0;
size_t padding_len = 0;
/*
* Step 1: write S
*/
memmove( p - num_len, s, num_len );
p -= num_len;
total_len += num_len;
if( *p & 0x80 )
{
if( p - sig < 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*--p = 0x00;
padding_len += 1;
}
total_len += padding_len;
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
num_len + padding_len ) );
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
MBEDTLS_ASN1_INTEGER ) );
padding_len = 0;
/*
* Step 2: write R
*/
memmove( p - num_len, r, num_len );
p -= num_len;
total_len += num_len;
if( *p & 0x80 )
{
if( p - sig < 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
*--p = 0x00;
padding_len += 1;
}
total_len += padding_len;
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
num_len + padding_len ) );
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
MBEDTLS_ASN1_INTEGER ) );
/*
* Step 3: write rest of the data
*/
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig, total_len ) );
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
/*
* Step 4: move to the beginning of the buffer, zeroize the rest
*/
memmove( sig, p, total_len );
memset( sig + total_len, 0, ssize - total_len );
*slen = total_len;
return( 0 );
}
/* /*
* Compute and write signature * Compute and write signature
*/ */

View File

@ -1,7 +1,7 @@
/* /*
* Generic wrapper for Cryptoki (PKCS#11) support * Generic wrapper for Cryptoki (PKCS#11) support
* *
* Copyright (C) 2017, ARM Limited, All Rights Reserved * Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
* *
* Licensed under the Apache License, Version 2.0 (the "License"); you may * Licensed under the Apache License, Version 2.0 (the "License"); you may
@ -29,7 +29,6 @@
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
#include <pkcs11.h>
#include "mbedtls/pkcs11_client.h" #include "mbedtls/pkcs11_client.h"
@ -144,7 +143,7 @@ static int pkcs11_sign( void *ctx_arg,
CK_RV rv; CK_RV rv;
CK_MECHANISM mechanism = {0, NULL_PTR, 0}; CK_MECHANISM mechanism = {0, NULL_PTR, 0};
CK_ULONG ck_sig_len; CK_ULONG ck_sig_len;
(void)(md_alg);
/* This function takes size_t arguments but the underlying layer /* This function takes size_t arguments but the underlying layer
takes unsigned long. Either type may be smaller than the other. takes unsigned long. Either type may be smaller than the other.
Legitimate values won't overflow either type but we still need Legitimate values won't overflow either type but we still need
@ -180,7 +179,8 @@ static int pkcs11_sign( void *ctx_arg,
* each in the form of a big-endian byte sequence, with r and s * each in the form of a big-endian byte sequence, with r and s
* having the same length as the base point. * having the same length as the base point.
* *
* A standard ECDSA signature is encoded in ASN.1: * This library encodes ECDSA signatures in ASN.1 as documented
* for mbedtls_ecdsa_write_signature:
* SEQUENCE { * SEQUENCE {
* r INTEGER, * r INTEGER,
* s INTEGER * s INTEGER
@ -191,9 +191,7 @@ static int pkcs11_sign( void *ctx_arg,
*/ */
uint16_t byte_len = ( ( ctx->bit_length + 7 ) / 8 ); uint16_t byte_len = ( ( ctx->bit_length + 7 ) / 8 );
size_t sig_size = MBEDTLS_ECDSA_MAX_SIG_LEN( ctx->bit_length ); size_t sig_size = MBEDTLS_ECDSA_MAX_SIG_LEN( ctx->bit_length );
mbedtls_mpi r, s;
mbedtls_mpi_init( &r );
mbedtls_mpi_init( &s );
rv = CKR_OK; rv = CKR_OK;
if( ck_sig_len != 2 * byte_len ) if( ck_sig_len != 2 * byte_len )
{ {
@ -201,22 +199,15 @@ static int pkcs11_sign( void *ctx_arg,
rv = CKR_GENERAL_ERROR; rv = CKR_GENERAL_ERROR;
goto ecdsa_exit; goto ecdsa_exit;
} }
if( mbedtls_mpi_read_binary( &r, sig, byte_len ) != 0 ||
mbedtls_mpi_read_binary( &s, sig + byte_len, byte_len ) != 0 )
{
rv = CKR_HOST_MEMORY;
goto ecdsa_exit;
}
/* The signature buffer is guaranteed to have enough room for /* The signature buffer is guaranteed to have enough room for
the encoded signature by the pk_sign interface. */ the encoded signature by the pk_sign interface. */
if( mbedtls_ecdsa_signature_to_asn1( &r, &s, sig, sig_len, sig_size ) != 0 ) if( mbedtls_raw_ecdsa_signature_to_asn1( sig, sig + byte_len, byte_len, sig, sig_len, sig_size ) != 0 )
{ {
rv = CKR_GENERAL_ERROR; rv = CKR_GENERAL_ERROR;
goto ecdsa_exit; goto ecdsa_exit;
} }
ecdsa_exit: ecdsa_exit:
mbedtls_mpi_free( &r );
mbedtls_mpi_free( &s );
if( rv != CKR_OK ) if( rv != CKR_OK )
goto exit; goto exit;
} }
@ -292,8 +283,8 @@ static int pkcs11_verify( void *ctx_arg,
return( MBEDTLS_ERR_PK_ALLOC_FAILED ); return( MBEDTLS_ERR_PK_ALLOC_FAILED );
} }
if( mbedtls_ecdsa_signature_to_raw( sig, sig_len, byte_len, if( mbedtls_ecdsa_signature_to_raw( sig, sig_len, byte_len,
decoded_sig, 2 * byte_len, decoded_sig, &decoded_sig_len,
&decoded_sig_len ) != 0 ) 2 * byte_len ) != 0 )
{ {
rv = CKR_GENERAL_ERROR; rv = CKR_GENERAL_ERROR;
goto exit; goto exit;
@ -315,7 +306,7 @@ exit:
static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info = static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
MBEDTLS_PK_OPAQUE_INFO_1( "pkcs11" MBEDTLS_PK_OPAQUE_INFO_1( "pkcs11"
, pkcs11_pk_get_bitlen , pkcs11_pk_get_bitlen
, pkcs11_pk_can_do //can_do , pkcs11_pk_can_do
, pkcs11_pk_signature_size , pkcs11_pk_signature_size
, pkcs11_verify , pkcs11_verify
, pkcs11_sign , pkcs11_sign
@ -327,7 +318,7 @@ static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
, NULL //debug_func , NULL //debug_func
); );
int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx, int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
CK_SESSION_HANDLE hSession, CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPublicKey,
CK_OBJECT_HANDLE hPrivateKey ) CK_OBJECT_HANDLE hPrivateKey )
@ -368,7 +359,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
case CKK_ECDSA: case CKK_ECDSA:
can_do = MBEDTLS_PK_ECKEY; can_do = MBEDTLS_PK_ECKEY;
{ {
unsigned char ecParams[16]; unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
mbedtls_asn1_buf params_asn1; mbedtls_asn1_buf params_asn1;
mbedtls_ecp_group_id grp_id; mbedtls_ecp_group_id grp_id;
const mbedtls_ecp_curve_info *curve_info; const mbedtls_ecp_curve_info *curve_info;
@ -416,18 +407,19 @@ static int mpi_to_ck( const mbedtls_mpi *mpi,
CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE at, CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE at,
unsigned char **p, size_t len ) unsigned char **p, size_t len )
{ {
if( mbedtls_mpi_write_binary( mpi, *p, len ) != 0 ) int ret = mbedtls_mpi_write_binary( mpi, *p, len );
return( 0 ); if( ret != 0 )
return( ret );
attr->type = at; attr->type = at;
attr->pValue = *p; attr->pValue = *p;
attr->ulValueLen = len; attr->ulValueLen = len;
*p += len; *p += len;
return( 1 ); return( 0 );
} }
#define MPI_TO_CK( mpi, attr, at, p, len ) \ #define MPI_TO_CK( mpi, attr, at, p, len ) \
do \ do \
{ \ { \
if( !mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) ) \ if( mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) != 0) \
{ \ { \
rv = CKR_ARGUMENTS_BAD; \ rv = CKR_ARGUMENTS_BAD; \
goto exit; \ goto exit; \
@ -436,9 +428,9 @@ static int mpi_to_ck( const mbedtls_mpi *mpi,
while( 0 ) while( 0 )
#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) */ #endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) */
#define CK_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE ) #define MBEDTLS_PKCS11_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE )
int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx, int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
uint32_t flags, uint32_t flags,
CK_SESSION_HANDLE hSession, CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE *hPublicKey, CK_OBJECT_HANDLE *hPublicKey,
@ -447,13 +439,13 @@ int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY; CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY; CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
CK_KEY_TYPE ck_key_type; CK_KEY_TYPE ck_key_type;
CK_BBOOL ck_sensitive = CK_BOOL( flags & MBEDTLS_PK_FLAG_SENSITIVE ); CK_BBOOL ck_sensitive = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SENSITIVE );
CK_BBOOL ck_extractable = CK_BOOL( flags & MBEDTLS_PK_FLAG_EXTRACTABLE ); CK_BBOOL ck_extractable = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_EXTRACTABLE );
CK_BBOOL ck_sign = CK_BOOL( flags & MBEDTLS_PK_FLAG_SIGN ); CK_BBOOL ck_sign = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SIGN );
CK_BBOOL ck_verify = CK_BOOL( flags & MBEDTLS_PK_FLAG_VERIFY ); CK_BBOOL ck_verify = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_VERIFY );
CK_BBOOL ck_decrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_DECRYPT ); CK_BBOOL ck_decrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_DECRYPT );
CK_BBOOL ck_encrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_ENCRYPT ); CK_BBOOL ck_encrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_ENCRYPT );
CK_BBOOL ck_token = CK_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN ); CK_BBOOL ck_token = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN );
CK_ATTRIBUTE public_attributes[] = { CK_ATTRIBUTE public_attributes[] = {
{CKA_CLASS, &cko_public_key, sizeof( cko_public_key )}, {CKA_CLASS, &cko_public_key, sizeof( cko_public_key )},
{CKA_KEY_TYPE, &ck_key_type, sizeof( ck_key_type )}, {CKA_KEY_TYPE, &ck_key_type, sizeof( ck_key_type )},

2
programs/.gitignore vendored
View File

@ -49,7 +49,7 @@ test/ssl_cert_test
test/udp_proxy test/udp_proxy
util/pem2der util/pem2der
util/strerror util/strerror
util/syslog2stderr.so test/syslog2stderr.so
x509/cert_app x509/cert_app
x509/cert_req x509/cert_req
x509/crl_app x509/crl_app

View File

@ -278,14 +278,15 @@ x509/req_app$(EXEXT): x509/req_app.c $(DEP)
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
ifndef WINDOWS ifndef WINDOWS
util/syslog2stderr.so: util/syslog2stderr.c test/syslog2stderr.so: test/syslog2stderr.c
echo " CC util/syslog2stderr.c" echo " CC test/syslog2stderr.c"
$(CC) $(CFLAGS) -fPIC -shared -o $@ $< -ldl $(CC) $(CFLAGS) -fPIC -shared -o $@ $< -ldl
endif endif
clean: clean:
ifndef WINDOWS ifndef WINDOWS
rm -f $(APPS) rm -f $(APPS)
rm -f test/syslog2stderr.so
else else
del /S /Q /F *.o *.exe del /S /Q /F *.o *.exe
endif endif

View File

@ -0,0 +1,69 @@
/** \brief Syslog to stderr wrapper for Unix-like systems
*
* By dynamically linking this module into an executable, any message sent to the system logs
* via the POSIX or Linux API is instead redirected to standard error.
*
* Compile this program with `cc -fPID -shared -o syslog2stderr.so syslog2stderr.c -ldl`
* and load it dynamically when running `myprogram` with
* `LD_PRELOAD=/path/to/syslog2stderr.so myprogram`.
* On macOS, replace `LD_PRELOAD` by `DYLD_PRELOAD`.
*/
/**
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
void openlog( const char *ident, int option, int facility )
{
(void) ident;
(void) option;
(void) facility;
}
/* POSIX API */
void syslog( int priority, const char *format, ... )
{
va_list args;
va_start( args, format );
vfprintf( stderr, format, args );
va_end( args );
}
/* Linux ABI
* http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
*/
void __syslog_chk( int priority, int flag, const char *format, ... )
{
va_list args;
(int) flag;
va_start( args, format );
vfprintf( stderr, format, args );
fputc( '\n', stderr );
va_end( args );
}
void closelog( void )
{
/* no-op */
}

View File

@ -1,41 +0,0 @@
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
void openlog( const char *ident, int option, int facility )
{
(void) ident;
(void) option;
(void) facility;
}
/* POSIX API */
void syslog( int priority, const char *format, ... )
{
va_list args;
va_start( args, format );
vfprintf( stderr, format, args );
va_end( args );
}
/* Linux ABI
* http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
*/
void __syslog_chk( int priority, int flag, const char *format, ... )
{
va_list args;
(int) flag;
va_start( args, format );
vfprintf( stderr, format, args );
fputc( '\n', stderr );
va_end( args );
}
void closelog( void )
{
/* no-op */
}

View File

@ -14,14 +14,16 @@ elif [ -e ../../../library/aes.c ]; then
else else
unset TOPDIR unset TOPDIR
fi fi
# The SoftHSM library sends error messages to the system logs. If possible, send
# the messages to standard error instead, by overloading the logging functions.
if [ -n "${TOPDIR+1}" ] && if [ -n "${TOPDIR+1}" ] &&
make -C "$TOPDIR/programs" util/syslog2stderr.so >/dev/null 2>&1 make -C "$TOPDIR/programs" test/syslog2stderr.so >/dev/null 2>&1
then then
case $(uname) in case $(uname) in
Darwin) Darwin)
export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";; export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
*) *)
export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";; export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
esac esac
fi fi

View File

@ -163,6 +163,7 @@ pk_opaque_fail_allocation:
PK opaque minimal PK opaque minimal
pk_opaque_minimal: pk_opaque_minimal:
PK opaque wrapper (RSA) #PK opaque wrapper (RSA)
depends_on:MBEDTLS_RSA_C #depends_on:MBEDTLS_RSA_C
pk_opaque_wrapper: #pk_opaque_wrapper:
#

View File

@ -1,19 +1,19 @@
PKCS#11 ECDSA import and sign PKCS#11 ECDSA import and sign
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_import_sign:"data_files/server3.key" pk_import_sign:"data_files/server3.key"
PKCS#11 ECDSA generate and sign PKCS#11 ECDSA generate and sign
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
pk_generate_sign:MBEDTLS_PK_ECDSA pk_generate_sign:MBEDTLS_PK_ECDSA
PKCS#11 ECDSA import, sign and verify with Cryptoki PKCS#11 ECDSA import, sign and verify with Cryptoki
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_import_sign_verify:"data_files/server3.key" pk_import_sign_verify:"data_files/server3.key"
PKCS#11 ECDSA import, sign with MbedTLS and verify with Cryptoki PKCS#11 ECDSA import, sign with MbedTLS and verify with Cryptoki
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_import_verify_signed:"data_files/server3.key" pk_import_verify_signed:"data_files/server3.key"
PKCS#11 ECDSA verify a hardcoded signature with Cryptoki PKCS#11 ECDSA verify a hardcoded signature with Cryptoki
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
pk_ecdsa_hardcoded_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:"046FDD3028FA94A863CD4F78DBFF8B3AA561FC6D9CCBBCA88E0AE6FA437F5415F957542D0717FF8B84562DAE99872EF841":"546869732073686F756C64206265207468652068617368206F662061206D6573736167652E00":"30350218185B2A7FB5CD9C9A8488B119B68B47D6EC833509CE9FA1FF021900FB7D259A744A2348BD45D241A39DC915B81CC2084100FA24":0 pk_ecdsa_hardcoded_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:"046FDD3028FA94A863CD4F78DBFF8B3AA561FC6D9CCBBCA88E0AE6FA437F5415F957542D0717FF8B84562DAE99872EF841":"546869732073686F756C64206265207468652068617368206F662061206D6573736167652E00":"30350218185B2A7FB5CD9C9A8488B119B68B47D6EC833509CE9FA1FF021900FB7D259A744A2348BD45D241A39DC915B81CC2084100FA24":0

View File

@ -110,8 +110,7 @@ static CK_RV pkcs11_generate_key( mbedtls_pk_type_t key_type,
{CKA_DECRYPT, &ck_true, sizeof( ck_true )}, {CKA_DECRYPT, &ck_true, sizeof( ck_true )},
{CKA_SIGN, &ck_true, sizeof( ck_true )}, {CKA_SIGN, &ck_true, sizeof( ck_true )},
}; };
CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS; unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
unsigned char ecParams[16];
size_t ecParams_length; size_t ecParams_length;
switch( key_type ) switch( key_type )
@ -190,7 +189,7 @@ void pk_generate_sign( int key_type )
/* Prepare the mbed TLS contexts */ /* Prepare the mbed TLS contexts */
TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx, TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx,
mbedtls_pk_info_from_type( key_type ) ) == 0 ); mbedtls_pk_info_from_type( key_type ) ) == 0 );
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession, hSession,
hPublicKey, hPublicKey,
hPrivateKey ) == 0 ); hPrivateKey ) == 0 );
@ -201,8 +200,8 @@ void pk_generate_sign( int key_type )
#if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_ECDSA_C)
case MBEDTLS_PK_ECDSA: case MBEDTLS_PK_ECDSA:
{ {
unsigned char ecParams[16]; unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
unsigned char ecPoint[128]; unsigned char ecPoint[MBEDTLS_ECP_MAX_PT_LEN];
CK_ATTRIBUTE public_attributes[] = { CK_ATTRIBUTE public_attributes[] = {
{CKA_EC_PARAMS, ecParams, sizeof( ecParams )}, {CKA_EC_PARAMS, ecParams, sizeof( ecParams )},
{CKA_EC_POINT, ecPoint, sizeof( ecPoint )}, {CKA_EC_POINT, ecPoint, sizeof( ecPoint )},
@ -246,7 +245,7 @@ void pk_generate_sign( int key_type )
break; break;
} }
/* Sign with the token and verify in software */ /* Sign with cryptoki and verify with mbed TLS */
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256, TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
hash_value, 32, hash_value, 32,
sig_buffer, &sig_length, sig_buffer, &sig_length,
@ -267,7 +266,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */ /* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
void pk_import_sign( char *file ) void pk_import_sign( char *file )
{ {
mbedtls_pk_context pkcs11_ctx; mbedtls_pk_context pkcs11_ctx;
@ -276,7 +275,7 @@ void pk_import_sign( char *file )
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
unsigned char hash_value[32] = "Fake hash, it doesn't matter...."; unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
unsigned char sig_buffer[4096]; unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
size_t sig_length = sizeof( sig_buffer ); size_t sig_length = sizeof( sig_buffer );
mbedtls_pk_init( &pkcs11_ctx ); mbedtls_pk_init( &pkcs11_ctx );
@ -289,20 +288,20 @@ void pk_import_sign( char *file )
hSession = pkcs11_init( ); hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE ); TEST_ASSERT( hSession != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
MBEDTLS_PK_FLAG_SIGN | MBEDTLS_PKCS11_FLAG_SIGN |
MBEDTLS_PK_FLAG_VERIFY, MBEDTLS_PKCS11_FLAG_VERIFY,
hSession, hSession,
&hPublicKey, &hPublicKey,
&hPrivateKey ) == 0 ); &hPrivateKey ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession, hSession,
hPublicKey, hPublicKey,
hPrivateKey ) == 0 ); hPrivateKey ) == 0 );
/* Sign with the token and verify in software */ /* Sign with cryptoki and verify with mbedTLS */
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) ); TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256, TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
hash_value, 32, hash_value, 32,
@ -324,7 +323,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */ /* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
void pk_import_sign_verify( char *file ) void pk_import_sign_verify( char *file )
{ {
/* Sign with cryptoki, convert to mbedTLS format and save, /* Sign with cryptoki, convert to mbedTLS format and save,
@ -336,7 +335,7 @@ void pk_import_sign_verify( char *file )
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
unsigned char hash_value[32] = "Fake hash, it doesn't matter...."; unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
unsigned char sig_buffer[4096]; unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
size_t sig_length = sizeof( sig_buffer ); size_t sig_length = sizeof( sig_buffer );
mbedtls_pk_init( &pkcs11_ctx ); mbedtls_pk_init( &pkcs11_ctx );
@ -349,20 +348,20 @@ void pk_import_sign_verify( char *file )
hSession = pkcs11_init( ); hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE ); TEST_ASSERT( hSession != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
MBEDTLS_PK_FLAG_SIGN | MBEDTLS_PKCS11_FLAG_SIGN |
MBEDTLS_PK_FLAG_VERIFY, MBEDTLS_PKCS11_FLAG_VERIFY,
hSession, hSession,
&hPublicKey, &hPublicKey,
&hPrivateKey ) == 0 ); &hPrivateKey ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession, hSession,
hPublicKey, hPublicKey,
hPrivateKey ) == 0 ); hPrivateKey ) == 0 );
/* Sign with the token and verify with cryptoki */ /* Sign with cryptoki and verify with cryptoki */
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) ); TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256, TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
hash_value, 32, hash_value, 32,
@ -384,7 +383,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */ /* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
void pk_import_verify_signed( char *file ) void pk_import_verify_signed( char *file )
{ {
/* Sign with mbedTLS, verify by cryptoki with a conversion /* Sign with mbedTLS, verify by cryptoki with a conversion
@ -395,7 +394,7 @@ void pk_import_verify_signed( char *file )
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE; CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
unsigned char hash_value[32] = "Fake hash, it doesn't matter...."; unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
unsigned char sig_buffer[4096]; unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
size_t sig_length = sizeof( sig_buffer ); size_t sig_length = sizeof( sig_buffer );
mbedtls_pk_init( &pkcs11_ctx ); mbedtls_pk_init( &pkcs11_ctx );
@ -408,19 +407,19 @@ void pk_import_verify_signed( char *file )
hSession = pkcs11_init( ); hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE ); TEST_ASSERT( hSession != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
MBEDTLS_PK_FLAG_SIGN | MBEDTLS_PKCS11_FLAG_SIGN |
MBEDTLS_PK_FLAG_VERIFY, MBEDTLS_PKCS11_FLAG_VERIFY,
hSession, hSession,
&hPublicKey, &hPublicKey,
NULL ) == 0 ); NULL ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession, hSession,
hPublicKey, hPublicKey,
CK_INVALID_HANDLE ) == 0 ); CK_INVALID_HANDLE ) == 0 );
/* Sign with the token and verify with cryptoki */ /* Sign with mbed TLS and verify with cryptoki */
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) ); TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
TEST_ASSERT( mbedtls_pk_sign( &transparent_ctx, MBEDTLS_MD_SHA256, TEST_ASSERT( mbedtls_pk_sign( &transparent_ctx, MBEDTLS_MD_SHA256,
hash_value, 32, hash_value, 32,
@ -442,7 +441,7 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C */ /* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PK_C */
void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str, void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
char *hash_str, char * sig_str, int ret ) char *hash_str, char * sig_str, int ret )
{ {
@ -477,14 +476,14 @@ void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
/* Initialize cryptoki and import the key into the token */ /* Initialize cryptoki and import the key into the token */
hSession = pkcs11_init( ); hSession = pkcs11_init( );
TEST_ASSERT( hSession != CK_INVALID_HANDLE ); TEST_ASSERT( hSession != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx, TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
MBEDTLS_PK_FLAG_SIGN | MBEDTLS_PKCS11_FLAG_SIGN |
MBEDTLS_PK_FLAG_VERIFY, MBEDTLS_PKCS11_FLAG_VERIFY,
hSession, hSession,
&hPublicKey, &hPublicKey,
NULL ) == 0 ); NULL ) == 0 );
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE ); TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx, TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
hSession, hSession,
hPublicKey, hPublicKey,
CK_INVALID_HANDLE ) == 0 ); CK_INVALID_HANDLE ) == 0 );