mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-22 12:55:38 +01:00
Merge pull request #1417 from AndrzejKurek/opaque-keys-ECDSA
Opaque keys ecdsa
This commit is contained in:
commit
c8328d01fb
@ -256,8 +256,8 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
|
||||
*/
|
||||
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
||||
size_t ssize, uint16_t byte_len,
|
||||
unsigned char *buf, size_t bufsize,
|
||||
size_t* buflen );
|
||||
unsigned char *buf, size_t* buflen,
|
||||
size_t bufsize );
|
||||
/**
|
||||
* \brief Convert a signature from numbers to ASN.1
|
||||
*
|
||||
@ -280,6 +280,29 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r,
|
||||
const mbedtls_mpi *s, unsigned char *sig,
|
||||
size_t *slen, size_t ssize );
|
||||
|
||||
/**
|
||||
* \brief Convert a signature from a raw representation to ASN.1
|
||||
*
|
||||
* \param r First number of the signature
|
||||
* \param s Second number of the signature
|
||||
* \param num_len Length of each number in bytes
|
||||
* \param sig Buffer that will hold the signature
|
||||
* \param slen Length of the signature written
|
||||
* \param ssize Size of the sig buffer
|
||||
*
|
||||
* \note The size of the buffer \c ssize should be at least
|
||||
* `MBEDTLS_ECDSA_MAX_SIG_LEN(grp->pbits)` bytes long if
|
||||
* the signature was produced from curve \c grp,
|
||||
* otherwise this function will return an error.
|
||||
*
|
||||
* \return 0 if successful,
|
||||
* or a MBEDTLS_ERR_MPI_XXX or MBEDTLS_ERR_ASN1_XXX error code
|
||||
*
|
||||
*/
|
||||
int mbedtls_raw_ecdsa_signature_to_asn1(const unsigned char *r,
|
||||
const unsigned char *s, uint16_t num_len,
|
||||
unsigned char *sig, size_t *slen, size_t ssize );
|
||||
|
||||
/**
|
||||
* \brief Read and verify an ECDSA signature
|
||||
*
|
||||
|
@ -513,7 +513,7 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp, size_t *olen,
|
||||
* The output is the group's OID wrapped as ASN.1.
|
||||
*
|
||||
* \param grp ECP group used
|
||||
* \param buf Buffer to write to
|
||||
* \param p Buffer to write to
|
||||
* \param size Buffer size
|
||||
*
|
||||
* \return Number of bytes written to \c buf,
|
||||
|
@ -2,8 +2,9 @@
|
||||
* \file pkcs11_client.h
|
||||
*
|
||||
* \brief Generic wrapper for Cryptoki (PKCS#11) support
|
||||
*
|
||||
* Copyright (C) 2017, ARM Limited, All Rights Reserved
|
||||
*/
|
||||
/*
|
||||
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
@ -46,12 +47,12 @@ extern "C" {
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
|
||||
#define MBEDTLS_PK_FLAG_SENSITIVE ( (uint32_t) 0x00000001 )
|
||||
#define MBEDTLS_PK_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 )
|
||||
#define MBEDTLS_PK_FLAG_SIGN ( (uint32_t) 0x00000010 )
|
||||
#define MBEDTLS_PK_FLAG_VERIFY ( (uint32_t) 0x00000020 )
|
||||
#define MBEDTLS_PK_FLAG_DECRYPT ( (uint32_t) 0x00000040 )
|
||||
#define MBEDTLS_PK_FLAG_ENCRYPT ( (uint32_t) 0x00000080 )
|
||||
#define MBEDTLS_PKCS11_FLAG_SENSITIVE ( (uint32_t) 0x00000001 )
|
||||
#define MBEDTLS_PKCS11_FLAG_EXTRACTABLE ( (uint32_t) 0x00000002 )
|
||||
#define MBEDTLS_PKCS11_FLAG_SIGN ( (uint32_t) 0x00000010 )
|
||||
#define MBEDTLS_PKCS11_FLAG_VERIFY ( (uint32_t) 0x00000020 )
|
||||
#define MBEDTLS_PKCS11_FLAG_DECRYPT ( (uint32_t) 0x00000040 )
|
||||
#define MBEDTLS_PKCS11_FLAG_ENCRYPT ( (uint32_t) 0x00000080 )
|
||||
|
||||
#include "pk.h"
|
||||
|
||||
@ -69,12 +70,11 @@ extern "C" {
|
||||
* \return 0 on success,
|
||||
* or MBEDTLS_ERR_PK_XXX error code.
|
||||
*
|
||||
* \note The session and the key(s) must remain valid until the
|
||||
* PK context is closed with mbedtls_pk_free(). As an
|
||||
* exception, it's ok to call mbedtls_pk_free() itself
|
||||
* even if the Cryptoki handles have become invalid.
|
||||
* \note If any of the handles become invalid, then you may no
|
||||
* longer do anything with the pk object except call
|
||||
* mbedtls_pk_free on it.
|
||||
*/
|
||||
int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||
int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
|
||||
CK_SESSION_HANDLE hSession,
|
||||
CK_OBJECT_HANDLE hPublicKey,
|
||||
CK_OBJECT_HANDLE hPrivateKey );
|
||||
@ -87,36 +87,42 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||
* PKCS#11 token.
|
||||
*
|
||||
* \param ctx PK context, which must contain a transparent pk
|
||||
* object (type \c MBEDTLS_PK_RSA,
|
||||
* \c MBEDTLS_PK_RSASSA_PSS, \c MBEDTLS_PK_ECKEY or
|
||||
* \c MBEDTLS_PK_ECDSA).
|
||||
* \param flags Mask of \c MBEDTLS_PKCS11_FLAG_XXX and
|
||||
* \c MBEDTLS_PK_FLAG_XXX, applying as follows:
|
||||
* - \c MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
|
||||
* object (type #MBEDTLS_PK_RSA,
|
||||
* #MBEDTLS_PK_RSASSA_PSS, #MBEDTLS_PK_ECKEY or
|
||||
* #MBEDTLS_PK_ECDSA).
|
||||
* \param flags Mask of #MBEDTLS_PKCS11_FLAG_XXX and
|
||||
* #MBEDTLS_PK_FLAG_XXX, applying as follows:
|
||||
* - #MBEDTLS_PKCS11_FLAG_TOKEN: PKCS#11 \c CKA_TOKEN
|
||||
* flag: if set, import as token object; if clear,
|
||||
* import as session object.
|
||||
* - \c MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
|
||||
* \c CKA_EXTRACTABLE flag: if set, the key will be
|
||||
* extractable at least in wrapped form; if clear,
|
||||
* the key will not be extractable at all.
|
||||
* - \c MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
|
||||
* \c CKA_SENSITIVE flag: if set, the key will be
|
||||
* not be extractable in plain form; if clear, the
|
||||
* key will be extractable at least in wrapped form.
|
||||
* - \c MBEDTLS_PK_FLAG_SIGN: if set, the private key
|
||||
* - #MBEDTLS_PK_FLAG_EXTRACTABLE: PKCS#11
|
||||
* \c CKA_EXTRACTABLE flag: if set, the private key
|
||||
* will be extractable at least in wrapped form; if
|
||||
* clear, the key will not be extractable at all.
|
||||
* - #MBEDTLS_PK_FLAG_SENSITIVE: PKCS#11
|
||||
* \c CKA_SENSITIVE flag: if set, the private key
|
||||
* will not be extractable in plain form; if clear,
|
||||
* the key will be extractable in plain form if
|
||||
* #MBEDTLS_PK_FLAG_EXTRACTABLE is set.
|
||||
* - #MBEDTLS_PK_FLAG_SIGN: if set, the private key
|
||||
* will be authorized for signing.
|
||||
* - \c MBEDTLS_PK_FLAG_VERIFY: if set, the public key
|
||||
* - #MBEDTLS_PK_FLAG_VERIFY: if set, the public key
|
||||
* will be authorized for verification.
|
||||
* - \c MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
|
||||
* will be authorized for signing.
|
||||
* - \c MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
|
||||
* - #MBEDTLS_PK_FLAG_DECRYPT: if set, the private key
|
||||
* will be authorized for decryption.
|
||||
* - #MBEDTLS_PK_FLAG_ENCRYPT: if set, the public key
|
||||
* will be authorized for encryption.
|
||||
*
|
||||
* \param hSession Cryptoki session.
|
||||
* \param hSession Cryptoki session. The session must remain valid as long
|
||||
* as the PK object is in use.
|
||||
* \param hPublicKey If non-null, on output, Cryptoki handle of the public
|
||||
* key. If null, the public key is not imported.
|
||||
* key. This handle must remain valid as long as the PK
|
||||
* object is in use. If null, the public key is not
|
||||
* imported.
|
||||
* \param hPrivateKey If non-null, on output, Cryptoki handle of the private
|
||||
* key. If null, the private key is not imported.
|
||||
* key. This handle must remain valid as long as the PK
|
||||
* object is in use. If null, the private key is not
|
||||
* imported.
|
||||
*
|
||||
* \return 0 on success,
|
||||
* or MBEDTLS_ERR_PK_XXX error code.
|
||||
@ -133,7 +139,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||
* also failed, for example because the token was
|
||||
* disconnected.
|
||||
*/
|
||||
int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
|
||||
int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
|
||||
uint32_t flags,
|
||||
CK_SESSION_HANDLE hSession,
|
||||
CK_OBJECT_HANDLE *hPublicKey,
|
||||
|
153
library/ecdsa.c
153
library/ecdsa.c
@ -289,66 +289,75 @@ cleanup:
|
||||
/*
|
||||
* Convert a signature to a raw concatenation of {r, s}
|
||||
*/
|
||||
/*int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
||||
size_t ssize, uint16_t byte_len,
|
||||
unsigned char *buf, size_t* slen )*/
|
||||
int mbedtls_ecdsa_signature_to_raw( const unsigned char *sig,
|
||||
size_t ssize, uint16_t byte_len,
|
||||
unsigned char *buf, size_t bufsize,
|
||||
size_t* buflen )
|
||||
unsigned char *buf, size_t* buflen,
|
||||
size_t bufsize)
|
||||
{
|
||||
int ret;
|
||||
unsigned char *p = (unsigned char *) sig;
|
||||
unsigned char *buf_ptr;
|
||||
const unsigned char *end = sig + ssize;
|
||||
size_t len;
|
||||
mbedtls_mpi r, s;
|
||||
size_t len, bytes_skipped;
|
||||
|
||||
if( 2 * byte_len > bufsize )
|
||||
{
|
||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
return (MBEDTLS_ERR_ECP_BAD_INPUT_DATA);
|
||||
}
|
||||
|
||||
mbedtls_mpi_init( &r );
|
||||
mbedtls_mpi_init( &s );
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
return ret;
|
||||
}
|
||||
|
||||
if( p + len != end )
|
||||
{
|
||||
ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
|
||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &r ) ) != 0 ||
|
||||
( ret = mbedtls_asn1_get_mpi( &p, end, &s ) ) != 0 )
|
||||
{
|
||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
p = (unsigned char *) buf;
|
||||
if( ( ret = mbedtls_mpi_write_binary(&r, p, byte_len) ) )
|
||||
{
|
||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
p += byte_len;
|
||||
if( ( ret = mbedtls_mpi_write_binary(&s, p, byte_len) ) )
|
||||
{
|
||||
ret += MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
*buflen = 2*byte_len;
|
||||
cleanup:
|
||||
mbedtls_mpi_free( &r );
|
||||
mbedtls_mpi_free( &s );
|
||||
/*
|
||||
* Step 1: write R
|
||||
*/
|
||||
buf_ptr = buf;
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
return( ret );
|
||||
for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
|
||||
if( p[bytes_skipped] != 0 )
|
||||
break;
|
||||
|
||||
if( len - bytes_skipped > bufsize )
|
||||
{
|
||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
}
|
||||
*buflen = len - bytes_skipped;
|
||||
|
||||
memmove(buf_ptr, &p[bytes_skipped], *buflen);
|
||||
p += len;
|
||||
buf_ptr += *buflen;
|
||||
|
||||
/*
|
||||
* Step 2: write S
|
||||
*/
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
for( bytes_skipped = 0; bytes_skipped < len; bytes_skipped++ )
|
||||
if( p[bytes_skipped] != 0 )
|
||||
break;
|
||||
|
||||
if( len - bytes_skipped + *buflen > bufsize )
|
||||
{
|
||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
*buflen += len - bytes_skipped;
|
||||
memmove(buf_ptr, &p[bytes_skipped], len - bytes_skipped);
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
@ -372,6 +381,76 @@ int mbedtls_ecdsa_signature_to_asn1( const mbedtls_mpi *r, const mbedtls_mpi *s,
|
||||
memset( sig + len, 0, ssize - len );
|
||||
*slen = len;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_raw_ecdsa_signature_to_asn1( const unsigned char *r,
|
||||
const unsigned char *s, uint16_t num_len,
|
||||
unsigned char *sig, size_t *slen, size_t ssize )
|
||||
{
|
||||
int ret;
|
||||
unsigned char *p = sig + ssize;
|
||||
size_t total_len = 0;
|
||||
size_t padding_len = 0;
|
||||
|
||||
/*
|
||||
* Step 1: write S
|
||||
*/
|
||||
memmove( p - num_len, s, num_len );
|
||||
p -= num_len;
|
||||
total_len += num_len;
|
||||
if( *p & 0x80 )
|
||||
{
|
||||
if( p - sig < 1 )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
*--p = 0x00;
|
||||
padding_len += 1;
|
||||
}
|
||||
total_len += padding_len;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
|
||||
num_len + padding_len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
|
||||
MBEDTLS_ASN1_INTEGER ) );
|
||||
|
||||
padding_len = 0;
|
||||
|
||||
/*
|
||||
* Step 2: write R
|
||||
*/
|
||||
memmove( p - num_len, r, num_len );
|
||||
p -= num_len;
|
||||
total_len += num_len;
|
||||
if( *p & 0x80 )
|
||||
{
|
||||
if( p - sig < 1 )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
*--p = 0x00;
|
||||
padding_len += 1;
|
||||
}
|
||||
total_len += padding_len;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig,
|
||||
num_len + padding_len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
|
||||
MBEDTLS_ASN1_INTEGER ) );
|
||||
|
||||
/*
|
||||
* Step 3: write rest of the data
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_len( &p, sig, total_len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( total_len, mbedtls_asn1_write_tag( &p, sig,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
/*
|
||||
* Step 4: move to the beginning of the buffer, zeroize the rest
|
||||
*/
|
||||
memmove( sig, p, total_len );
|
||||
memset( sig + total_len, 0, ssize - total_len );
|
||||
*slen = total_len;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Generic wrapper for Cryptoki (PKCS#11) support
|
||||
*
|
||||
* Copyright (C) 2017, ARM Limited, All Rights Reserved
|
||||
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
@ -29,7 +29,6 @@
|
||||
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
#include <pkcs11.h>
|
||||
|
||||
#include "mbedtls/pkcs11_client.h"
|
||||
|
||||
@ -144,7 +143,7 @@ static int pkcs11_sign( void *ctx_arg,
|
||||
CK_RV rv;
|
||||
CK_MECHANISM mechanism = {0, NULL_PTR, 0};
|
||||
CK_ULONG ck_sig_len;
|
||||
|
||||
(void)(md_alg);
|
||||
/* This function takes size_t arguments but the underlying layer
|
||||
takes unsigned long. Either type may be smaller than the other.
|
||||
Legitimate values won't overflow either type but we still need
|
||||
@ -180,7 +179,8 @@ static int pkcs11_sign( void *ctx_arg,
|
||||
* each in the form of a big-endian byte sequence, with r and s
|
||||
* having the same length as the base point.
|
||||
*
|
||||
* A standard ECDSA signature is encoded in ASN.1:
|
||||
* This library encodes ECDSA signatures in ASN.1 as documented
|
||||
* for mbedtls_ecdsa_write_signature:
|
||||
* SEQUENCE {
|
||||
* r INTEGER,
|
||||
* s INTEGER
|
||||
@ -191,9 +191,7 @@ static int pkcs11_sign( void *ctx_arg,
|
||||
*/
|
||||
uint16_t byte_len = ( ( ctx->bit_length + 7 ) / 8 );
|
||||
size_t sig_size = MBEDTLS_ECDSA_MAX_SIG_LEN( ctx->bit_length );
|
||||
mbedtls_mpi r, s;
|
||||
mbedtls_mpi_init( &r );
|
||||
mbedtls_mpi_init( &s );
|
||||
|
||||
rv = CKR_OK;
|
||||
if( ck_sig_len != 2 * byte_len )
|
||||
{
|
||||
@ -201,22 +199,15 @@ static int pkcs11_sign( void *ctx_arg,
|
||||
rv = CKR_GENERAL_ERROR;
|
||||
goto ecdsa_exit;
|
||||
}
|
||||
if( mbedtls_mpi_read_binary( &r, sig, byte_len ) != 0 ||
|
||||
mbedtls_mpi_read_binary( &s, sig + byte_len, byte_len ) != 0 )
|
||||
{
|
||||
rv = CKR_HOST_MEMORY;
|
||||
goto ecdsa_exit;
|
||||
}
|
||||
|
||||
/* The signature buffer is guaranteed to have enough room for
|
||||
the encoded signature by the pk_sign interface. */
|
||||
if( mbedtls_ecdsa_signature_to_asn1( &r, &s, sig, sig_len, sig_size ) != 0 )
|
||||
if( mbedtls_raw_ecdsa_signature_to_asn1( sig, sig + byte_len, byte_len, sig, sig_len, sig_size ) != 0 )
|
||||
{
|
||||
rv = CKR_GENERAL_ERROR;
|
||||
goto ecdsa_exit;
|
||||
}
|
||||
ecdsa_exit:
|
||||
mbedtls_mpi_free( &r );
|
||||
mbedtls_mpi_free( &s );
|
||||
if( rv != CKR_OK )
|
||||
goto exit;
|
||||
}
|
||||
@ -292,8 +283,8 @@ static int pkcs11_verify( void *ctx_arg,
|
||||
return( MBEDTLS_ERR_PK_ALLOC_FAILED );
|
||||
}
|
||||
if( mbedtls_ecdsa_signature_to_raw( sig, sig_len, byte_len,
|
||||
decoded_sig, 2 * byte_len,
|
||||
&decoded_sig_len ) != 0 )
|
||||
decoded_sig, &decoded_sig_len,
|
||||
2 * byte_len ) != 0 )
|
||||
{
|
||||
rv = CKR_GENERAL_ERROR;
|
||||
goto exit;
|
||||
@ -315,7 +306,7 @@ exit:
|
||||
static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
|
||||
MBEDTLS_PK_OPAQUE_INFO_1( "pkcs11"
|
||||
, pkcs11_pk_get_bitlen
|
||||
, pkcs11_pk_can_do //can_do
|
||||
, pkcs11_pk_can_do
|
||||
, pkcs11_pk_signature_size
|
||||
, pkcs11_verify
|
||||
, pkcs11_sign
|
||||
@ -327,7 +318,7 @@ static const mbedtls_pk_info_t mbedtls_pk_pkcs11_info =
|
||||
, NULL //debug_func
|
||||
);
|
||||
|
||||
int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||
int mbedtls_pkcs11_setup_pk( mbedtls_pk_context *ctx,
|
||||
CK_SESSION_HANDLE hSession,
|
||||
CK_OBJECT_HANDLE hPublicKey,
|
||||
CK_OBJECT_HANDLE hPrivateKey )
|
||||
@ -368,7 +359,7 @@ int mbedtls_pk_setup_pkcs11( mbedtls_pk_context *ctx,
|
||||
case CKK_ECDSA:
|
||||
can_do = MBEDTLS_PK_ECKEY;
|
||||
{
|
||||
unsigned char ecParams[16];
|
||||
unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
|
||||
mbedtls_asn1_buf params_asn1;
|
||||
mbedtls_ecp_group_id grp_id;
|
||||
const mbedtls_ecp_curve_info *curve_info;
|
||||
@ -416,29 +407,30 @@ static int mpi_to_ck( const mbedtls_mpi *mpi,
|
||||
CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE at,
|
||||
unsigned char **p, size_t len )
|
||||
{
|
||||
if( mbedtls_mpi_write_binary( mpi, *p, len ) != 0 )
|
||||
return( 0 );
|
||||
int ret = mbedtls_mpi_write_binary( mpi, *p, len );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
attr->type = at;
|
||||
attr->pValue = *p;
|
||||
attr->ulValueLen = len;
|
||||
*p += len;
|
||||
return( 1 );
|
||||
return( 0 );
|
||||
}
|
||||
#define MPI_TO_CK( mpi, attr, at, p, len ) \
|
||||
do \
|
||||
{ \
|
||||
if( !mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) ) \
|
||||
{ \
|
||||
rv = CKR_ARGUMENTS_BAD; \
|
||||
goto exit; \
|
||||
} \
|
||||
} \
|
||||
#define MPI_TO_CK( mpi, attr, at, p, len ) \
|
||||
do \
|
||||
{ \
|
||||
if( mpi_to_ck( ( mpi ), ( attr ), ( at ), ( p ), ( len ) ) != 0) \
|
||||
{ \
|
||||
rv = CKR_ARGUMENTS_BAD; \
|
||||
goto exit; \
|
||||
} \
|
||||
} \
|
||||
while( 0 )
|
||||
#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) */
|
||||
|
||||
#define CK_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE )
|
||||
#define MBEDTLS_PKCS11_BOOL( x ) ( ( x ) ? CK_TRUE : CK_FALSE )
|
||||
|
||||
int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
|
||||
int mbedtls_pkcs11_import_pk( const mbedtls_pk_context *ctx,
|
||||
uint32_t flags,
|
||||
CK_SESSION_HANDLE hSession,
|
||||
CK_OBJECT_HANDLE *hPublicKey,
|
||||
@ -447,13 +439,13 @@ int mbedtls_pk_import_to_pkcs11( const mbedtls_pk_context *ctx,
|
||||
CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
|
||||
CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
|
||||
CK_KEY_TYPE ck_key_type;
|
||||
CK_BBOOL ck_sensitive = CK_BOOL( flags & MBEDTLS_PK_FLAG_SENSITIVE );
|
||||
CK_BBOOL ck_extractable = CK_BOOL( flags & MBEDTLS_PK_FLAG_EXTRACTABLE );
|
||||
CK_BBOOL ck_sign = CK_BOOL( flags & MBEDTLS_PK_FLAG_SIGN );
|
||||
CK_BBOOL ck_verify = CK_BOOL( flags & MBEDTLS_PK_FLAG_VERIFY );
|
||||
CK_BBOOL ck_decrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_DECRYPT );
|
||||
CK_BBOOL ck_encrypt = CK_BOOL( flags & MBEDTLS_PK_FLAG_ENCRYPT );
|
||||
CK_BBOOL ck_token = CK_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN );
|
||||
CK_BBOOL ck_sensitive = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SENSITIVE );
|
||||
CK_BBOOL ck_extractable = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_EXTRACTABLE );
|
||||
CK_BBOOL ck_sign = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_SIGN );
|
||||
CK_BBOOL ck_verify = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_VERIFY );
|
||||
CK_BBOOL ck_decrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_DECRYPT );
|
||||
CK_BBOOL ck_encrypt = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_ENCRYPT );
|
||||
CK_BBOOL ck_token = MBEDTLS_PKCS11_BOOL( flags & MBEDTLS_PKCS11_FLAG_TOKEN );
|
||||
CK_ATTRIBUTE public_attributes[] = {
|
||||
{CKA_CLASS, &cko_public_key, sizeof( cko_public_key )},
|
||||
{CKA_KEY_TYPE, &ck_key_type, sizeof( ck_key_type )},
|
||||
|
2
programs/.gitignore
vendored
2
programs/.gitignore
vendored
@ -49,7 +49,7 @@ test/ssl_cert_test
|
||||
test/udp_proxy
|
||||
util/pem2der
|
||||
util/strerror
|
||||
util/syslog2stderr.so
|
||||
test/syslog2stderr.so
|
||||
x509/cert_app
|
||||
x509/cert_req
|
||||
x509/crl_app
|
||||
|
@ -278,14 +278,15 @@ x509/req_app$(EXEXT): x509/req_app.c $(DEP)
|
||||
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) x509/req_app.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
|
||||
|
||||
ifndef WINDOWS
|
||||
util/syslog2stderr.so: util/syslog2stderr.c
|
||||
echo " CC util/syslog2stderr.c"
|
||||
test/syslog2stderr.so: test/syslog2stderr.c
|
||||
echo " CC test/syslog2stderr.c"
|
||||
$(CC) $(CFLAGS) -fPIC -shared -o $@ $< -ldl
|
||||
endif
|
||||
|
||||
clean:
|
||||
ifndef WINDOWS
|
||||
rm -f $(APPS)
|
||||
rm -f test/syslog2stderr.so
|
||||
else
|
||||
del /S /Q /F *.o *.exe
|
||||
endif
|
||||
|
69
programs/test/syslog2stderr.c
Normal file
69
programs/test/syslog2stderr.c
Normal file
@ -0,0 +1,69 @@
|
||||
/** \brief Syslog to stderr wrapper for Unix-like systems
|
||||
*
|
||||
* By dynamically linking this module into an executable, any message sent to the system logs
|
||||
* via the POSIX or Linux API is instead redirected to standard error.
|
||||
*
|
||||
* Compile this program with `cc -fPID -shared -o syslog2stderr.so syslog2stderr.c -ldl`
|
||||
* and load it dynamically when running `myprogram` with
|
||||
* `LD_PRELOAD=/path/to/syslog2stderr.so myprogram`.
|
||||
* On macOS, replace `LD_PRELOAD` by `DYLD_PRELOAD`.
|
||||
*/
|
||||
/**
|
||||
* Copyright (C) 2017-2018, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
#include <dlfcn.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
|
||||
|
||||
void openlog( const char *ident, int option, int facility )
|
||||
{
|
||||
(void) ident;
|
||||
(void) option;
|
||||
(void) facility;
|
||||
}
|
||||
|
||||
/* POSIX API */
|
||||
void syslog( int priority, const char *format, ... )
|
||||
{
|
||||
va_list args;
|
||||
va_start( args, format );
|
||||
vfprintf( stderr, format, args );
|
||||
va_end( args );
|
||||
}
|
||||
|
||||
/* Linux ABI
|
||||
* http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
|
||||
*/
|
||||
void __syslog_chk( int priority, int flag, const char *format, ... )
|
||||
{
|
||||
va_list args;
|
||||
(int) flag;
|
||||
va_start( args, format );
|
||||
vfprintf( stderr, format, args );
|
||||
fputc( '\n', stderr );
|
||||
va_end( args );
|
||||
}
|
||||
|
||||
void closelog( void )
|
||||
{
|
||||
/* no-op */
|
||||
}
|
@ -1,41 +0,0 @@
|
||||
#include <dlfcn.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
|
||||
|
||||
void openlog( const char *ident, int option, int facility )
|
||||
{
|
||||
(void) ident;
|
||||
(void) option;
|
||||
(void) facility;
|
||||
}
|
||||
|
||||
/* POSIX API */
|
||||
void syslog( int priority, const char *format, ... )
|
||||
{
|
||||
va_list args;
|
||||
va_start( args, format );
|
||||
vfprintf( stderr, format, args );
|
||||
va_end( args );
|
||||
}
|
||||
|
||||
/* Linux ABI
|
||||
* http://refspecs.linux-foundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libc---syslog-chk-1.html
|
||||
*/
|
||||
void __syslog_chk( int priority, int flag, const char *format, ... )
|
||||
{
|
||||
va_list args;
|
||||
(int) flag;
|
||||
va_start( args, format );
|
||||
vfprintf( stderr, format, args );
|
||||
fputc( '\n', stderr );
|
||||
va_end( args );
|
||||
}
|
||||
|
||||
void closelog( void )
|
||||
{
|
||||
/* no-op */
|
||||
}
|
@ -14,14 +14,16 @@ elif [ -e ../../../library/aes.c ]; then
|
||||
else
|
||||
unset TOPDIR
|
||||
fi
|
||||
# The SoftHSM library sends error messages to the system logs. If possible, send
|
||||
# the messages to standard error instead, by overloading the logging functions.
|
||||
if [ -n "${TOPDIR+1}" ] &&
|
||||
make -C "$TOPDIR/programs" util/syslog2stderr.so >/dev/null 2>&1
|
||||
make -C "$TOPDIR/programs" test/syslog2stderr.so >/dev/null 2>&1
|
||||
then
|
||||
case $(uname) in
|
||||
Darwin)
|
||||
export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";;
|
||||
export DYLD_PRELOAD="${DYLD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
|
||||
*)
|
||||
export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/util/syslog2stderr.so";;
|
||||
export LD_PRELOAD="${LD_PRELOAD-}:$TOPDIR/programs/test/syslog2stderr.so";;
|
||||
esac
|
||||
fi
|
||||
|
||||
|
@ -163,6 +163,7 @@ pk_opaque_fail_allocation:
|
||||
PK opaque minimal
|
||||
pk_opaque_minimal:
|
||||
|
||||
PK opaque wrapper (RSA)
|
||||
depends_on:MBEDTLS_RSA_C
|
||||
pk_opaque_wrapper:
|
||||
#PK opaque wrapper (RSA)
|
||||
#depends_on:MBEDTLS_RSA_C
|
||||
#pk_opaque_wrapper:
|
||||
#
|
@ -1,19 +1,19 @@
|
||||
PKCS#11 ECDSA import and sign
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
pk_import_sign:"data_files/server3.key"
|
||||
|
||||
PKCS#11 ECDSA generate and sign
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
pk_generate_sign:MBEDTLS_PK_ECDSA
|
||||
|
||||
PKCS#11 ECDSA import, sign and verify with Cryptoki
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
pk_import_sign_verify:"data_files/server3.key"
|
||||
|
||||
PKCS#11 ECDSA import, sign with MbedTLS and verify with Cryptoki
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
||||
depends_on:MBEDTLS_PK_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
pk_import_verify_signed:"data_files/server3.key"
|
||||
|
||||
PKCS#11 ECDSA verify a hardcoded signature with Cryptoki
|
||||
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
|
||||
depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_PK_C:MBEDTLS_ECDSA_C
|
||||
pk_ecdsa_hardcoded_verify:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP192R1:"046FDD3028FA94A863CD4F78DBFF8B3AA561FC6D9CCBBCA88E0AE6FA437F5415F957542D0717FF8B84562DAE99872EF841":"546869732073686F756C64206265207468652068617368206F662061206D6573736167652E00":"30350218185B2A7FB5CD9C9A8488B119B68B47D6EC833509CE9FA1FF021900FB7D259A744A2348BD45D241A39DC915B81CC2084100FA24":0
|
||||
|
@ -110,8 +110,7 @@ static CK_RV pkcs11_generate_key( mbedtls_pk_type_t key_type,
|
||||
{CKA_DECRYPT, &ck_true, sizeof( ck_true )},
|
||||
{CKA_SIGN, &ck_true, sizeof( ck_true )},
|
||||
};
|
||||
CK_ULONG ck_rsa_key_size = RSA_KEY_SIZE_BITS;
|
||||
unsigned char ecParams[16];
|
||||
unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
|
||||
size_t ecParams_length;
|
||||
|
||||
switch( key_type )
|
||||
@ -190,7 +189,7 @@ void pk_generate_sign( int key_type )
|
||||
/* Prepare the mbed TLS contexts */
|
||||
TEST_ASSERT( mbedtls_pk_setup( &transparent_ctx,
|
||||
mbedtls_pk_info_from_type( key_type ) ) == 0 );
|
||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
||||
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||
hSession,
|
||||
hPublicKey,
|
||||
hPrivateKey ) == 0 );
|
||||
@ -201,8 +200,8 @@ void pk_generate_sign( int key_type )
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
case MBEDTLS_PK_ECDSA:
|
||||
{
|
||||
unsigned char ecParams[16];
|
||||
unsigned char ecPoint[128];
|
||||
unsigned char ecParams[MBEDTLS_OID_EC_GRP_MAX_SIZE];
|
||||
unsigned char ecPoint[MBEDTLS_ECP_MAX_PT_LEN];
|
||||
CK_ATTRIBUTE public_attributes[] = {
|
||||
{CKA_EC_PARAMS, ecParams, sizeof( ecParams )},
|
||||
{CKA_EC_POINT, ecPoint, sizeof( ecPoint )},
|
||||
@ -246,7 +245,7 @@ void pk_generate_sign( int key_type )
|
||||
break;
|
||||
}
|
||||
|
||||
/* Sign with the token and verify in software */
|
||||
/* Sign with cryptoki and verify with mbed TLS */
|
||||
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
||||
hash_value, 32,
|
||||
sig_buffer, &sig_length,
|
||||
@ -267,7 +266,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
|
||||
void pk_import_sign( char *file )
|
||||
{
|
||||
mbedtls_pk_context pkcs11_ctx;
|
||||
@ -276,7 +275,7 @@ void pk_import_sign( char *file )
|
||||
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
||||
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
||||
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
||||
unsigned char sig_buffer[4096];
|
||||
unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
|
||||
size_t sig_length = sizeof( sig_buffer );
|
||||
|
||||
mbedtls_pk_init( &pkcs11_ctx );
|
||||
@ -289,20 +288,20 @@ void pk_import_sign( char *file )
|
||||
hSession = pkcs11_init( );
|
||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||
|
||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
||||
MBEDTLS_PK_FLAG_SIGN |
|
||||
MBEDTLS_PK_FLAG_VERIFY,
|
||||
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||
hSession,
|
||||
&hPublicKey,
|
||||
&hPrivateKey ) == 0 );
|
||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
|
||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
||||
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||
hSession,
|
||||
hPublicKey,
|
||||
hPrivateKey ) == 0 );
|
||||
|
||||
/* Sign with the token and verify in software */
|
||||
/* Sign with cryptoki and verify with mbedTLS */
|
||||
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
||||
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
||||
hash_value, 32,
|
||||
@ -324,7 +323,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
|
||||
void pk_import_sign_verify( char *file )
|
||||
{
|
||||
/* Sign with cryptoki, convert to mbedTLS format and save,
|
||||
@ -336,7 +335,7 @@ void pk_import_sign_verify( char *file )
|
||||
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
||||
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
||||
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
||||
unsigned char sig_buffer[4096];
|
||||
unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
|
||||
size_t sig_length = sizeof( sig_buffer );
|
||||
|
||||
mbedtls_pk_init( &pkcs11_ctx );
|
||||
@ -349,20 +348,20 @@ void pk_import_sign_verify( char *file )
|
||||
hSession = pkcs11_init( );
|
||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||
|
||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
||||
MBEDTLS_PK_FLAG_SIGN |
|
||||
MBEDTLS_PK_FLAG_VERIFY,
|
||||
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||
hSession,
|
||||
&hPublicKey,
|
||||
&hPrivateKey ) == 0 );
|
||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||
TEST_ASSERT( hPrivateKey != CK_INVALID_HANDLE );
|
||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
||||
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||
hSession,
|
||||
hPublicKey,
|
||||
hPrivateKey ) == 0 );
|
||||
|
||||
/* Sign with the token and verify with cryptoki */
|
||||
/* Sign with cryptoki and verify with cryptoki */
|
||||
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
||||
TEST_ASSERT( mbedtls_pk_sign( &pkcs11_ctx, MBEDTLS_MD_SHA256,
|
||||
hash_value, 32,
|
||||
@ -384,7 +383,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_PK_C:MBEDTLS_SHA256_C:MBEDTLS_FS_IO:MBEDTLS_PK_PARSE_C */
|
||||
void pk_import_verify_signed( char *file )
|
||||
{
|
||||
/* Sign with mbedTLS, verify by cryptoki with a conversion
|
||||
@ -395,7 +394,7 @@ void pk_import_verify_signed( char *file )
|
||||
CK_OBJECT_HANDLE hPublicKey = CK_INVALID_HANDLE;
|
||||
CK_OBJECT_HANDLE hPrivateKey = CK_INVALID_HANDLE;
|
||||
unsigned char hash_value[32] = "Fake hash, it doesn't matter....";
|
||||
unsigned char sig_buffer[4096];
|
||||
unsigned char sig_buffer[MBEDTLS_MPI_MAX_SIZE];
|
||||
size_t sig_length = sizeof( sig_buffer );
|
||||
|
||||
mbedtls_pk_init( &pkcs11_ctx );
|
||||
@ -408,19 +407,19 @@ void pk_import_verify_signed( char *file )
|
||||
hSession = pkcs11_init( );
|
||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||
|
||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
||||
MBEDTLS_PK_FLAG_SIGN |
|
||||
MBEDTLS_PK_FLAG_VERIFY,
|
||||
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||
hSession,
|
||||
&hPublicKey,
|
||||
NULL ) == 0 );
|
||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
||||
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||
hSession,
|
||||
hPublicKey,
|
||||
CK_INVALID_HANDLE ) == 0 );
|
||||
|
||||
/* Sign with the token and verify with cryptoki */
|
||||
/* Sign with mbed TLS and verify with cryptoki */
|
||||
TEST_ASSERT( sizeof( sig_buffer ) >= mbedtls_pk_signature_size( &pkcs11_ctx ) );
|
||||
TEST_ASSERT( mbedtls_pk_sign( &transparent_ctx, MBEDTLS_MD_SHA256,
|
||||
hash_value, 32,
|
||||
@ -442,7 +441,7 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C */
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_ECDSA_C:MBEDTLS_PK_C */
|
||||
void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
|
||||
char *hash_str, char * sig_str, int ret )
|
||||
{
|
||||
@ -477,14 +476,14 @@ void pk_ecdsa_hardcoded_verify( int type, int id, char *key_str,
|
||||
/* Initialize cryptoki and import the key into the token */
|
||||
hSession = pkcs11_init( );
|
||||
TEST_ASSERT( hSession != CK_INVALID_HANDLE );
|
||||
TEST_ASSERT( mbedtls_pk_import_to_pkcs11( &transparent_ctx,
|
||||
MBEDTLS_PK_FLAG_SIGN |
|
||||
MBEDTLS_PK_FLAG_VERIFY,
|
||||
TEST_ASSERT( mbedtls_pkcs11_import_pk ( &transparent_ctx,
|
||||
MBEDTLS_PKCS11_FLAG_SIGN |
|
||||
MBEDTLS_PKCS11_FLAG_VERIFY,
|
||||
hSession,
|
||||
&hPublicKey,
|
||||
NULL ) == 0 );
|
||||
TEST_ASSERT( hPublicKey != CK_INVALID_HANDLE );
|
||||
TEST_ASSERT( mbedtls_pk_setup_pkcs11( &pkcs11_ctx,
|
||||
TEST_ASSERT( mbedtls_pkcs11_setup_pk( &pkcs11_ctx,
|
||||
hSession,
|
||||
hPublicKey,
|
||||
CK_INVALID_HANDLE ) == 0 );
|
||||
|
Loading…
Reference in New Issue
Block a user