[pkg-opensc-commit] [pkcs11-helper] 230/253: openssl: add ecdsa support
Eric Dorland
eric at moszumanska.debian.org
Fri Jan 6 23:39:23 UTC 2017
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository pkcs11-helper.
commit 084da7012e3cef8f8cad22216e72f301854e3307
Author: Alon Bar-Lev <alon.barlev at gmail.com>
Date: Sun Sep 15 00:28:55 2013 +0300
openssl: add ecdsa support
Tested-By: Sanaullah <sanaullah82 at gmail.com>
Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>
---
ChangeLog | 1 +
configure.ac | 52 +++++++++++++
lib/pkcs11h-openssl.c | 207 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 260 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 8e1da42..325ce14 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,7 @@ $Id$
* openssl: support generic pkey.
* openssl: add dsa support.
+ * openssl: add ecdsa support, thanks for Sanaullah for testing.
2012-02-29 - Version 1.10
diff --git a/configure.ac b/configure.ac
index ba7be15..2ea1030 100644
--- a/configure.ac
+++ b/configure.ac
@@ -293,6 +293,58 @@ if test "${have_openssl}" = "no"; then
PKG_CHECK_MODULES([OPENSSL], [openssl >= 0.9.7], [have_openssl="yes"], [have_openssl="no"])
fi
+if test "${have_openssl}" = "yes"; then
+ old_LIBS="${LIBS}"
+ LIBS="${LIBS} ${OPENSSL_LIBS}"
+ AC_CHECK_FUNC(
+ [ECDSA_METHOD_new],
+ [
+ openssl_ec="yes"
+ AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC], [1], [Enable openssl EC])
+ ],
+ [
+ openssl_ec="hack"
+ old_CFLAGS="${CFLAGS}"
+ old_CPPFLAGS="${CPPFLAGS}"
+ CPPFLAGS="${CPPFLAGS} -I."
+ CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
+ AC_CHECK_HEADER(
+ [ecs_locl.h],
+ [
+ AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC], [1], [Enable openssl EC])
+ AC_DEFINE([ENABLE_PKCS11H_OPENSSL_EC_HACK], [1], [Enable openssl EC])
+ AC_DEFINE_UNQUOTED(
+ [ECDSA_METHOD_new(ecdsa)],
+ [(ECDSA_METHOD *)memmove(malloc(sizeof(ECDSA_METHOD)), ecdsa, sizeof(ECDSA_METHOD))],
+ [emulation],
+ )
+ AC_DEFINE_UNQUOTED(
+ [ECDSA_METHOD_free(ecdsa)],
+ [free(ecdsa)],
+ [emulation],
+ )
+ AC_DEFINE_UNQUOTED(
+ [ECDSA_METHOD_set_name(ecdsa, n)],
+ [ecdsa->name = n],
+ [emulation],
+ )
+ AC_DEFINE_UNQUOTED(
+ [ECDSA_METHOD_set_sign(ecdsa, s)],
+ [ecdsa->ecdsa_do_sign = s],
+ [emulation],
+ )
+ ],
+ [openssl_ec="none"]
+ )
+ CPPFLAGS="${old_CPPFLAGS}"
+ CFLAGS="${old_CFLAGS}"
+ ],
+ )
+ LIBS="${old_LIBS}"
+ AC_MSG_CHECKING([for OpenSSL ec support])
+ AC_MSG_RESULT([${openssl_ec}])
+fi
+
PKG_CHECK_MODULES([GNUTLS], [gnutls >= 1.4], [have_gnutls="yes"], [have_gnutls="no"])
PKG_CHECK_MODULES([NSS], [nss >= 3.11], [have_nss="yes"], [have_nss="no"])
diff --git a/lib/pkcs11h-openssl.c b/lib/pkcs11h-openssl.c
index 4f4978f..1936705 100644
--- a/lib/pkcs11h-openssl.c
+++ b/lib/pkcs11h-openssl.c
@@ -57,6 +57,13 @@
#include "_pkcs11h-core.h"
#include "_pkcs11h-mem.h"
+#if !defined(OPENSSL_NO_EC) && defined(ENABLE_PKCS11H_OPENSSL_EC)
+#define __ENABLE_EC
+#ifdef ENABLE_PKCS11H_OPENSSL_EC_HACK
+#include <ecs_locl.h>
+#endif
+#endif
+
#if OPENSSL_VERSION_NUMBER < 0x00907000L
#if !defined(RSA_PKCS1_PADDING_SIZE)
#define RSA_PKCS1_PADDING_SIZE 11
@@ -89,6 +96,10 @@ static struct {
DSA_METHOD dsa;
int dsa_index;
#endif
+#ifdef __ENABLE_EC
+ ECDSA_METHOD *ecdsa;
+ int ecdsa_index;
+#endif
} __openssl_methods;
static
@@ -585,6 +596,174 @@ cleanup:
#endif
+#ifdef __ENABLE_EC
+
+static
+pkcs11h_certificate_t
+__pkcs11h_openssl_ecdsa_get_pkcs11h_certificate (
+ IN EC_KEY *ec
+) {
+ pkcs11h_openssl_session_t session = NULL;
+
+ _PKCS11H_ASSERT (ec!=NULL);
+
+ session = (pkcs11h_openssl_session_t)ECDSA_get_ex_data (ec, __openssl_methods.ecdsa_index);
+
+ _PKCS11H_ASSERT (session!=NULL);
+ _PKCS11H_ASSERT (session->certificate!=NULL);
+
+ return session->certificate;
+}
+
+static
+ECDSA_SIG *
+__pkcs11h_openssl_ecdsa_do_sign(
+ IN const unsigned char *dgst,
+ IN int dlen,
+ IN const BIGNUM *inv,
+ IN const BIGNUM *r,
+ OUT EC_KEY *ec
+) {
+ pkcs11h_certificate_t certificate = __pkcs11h_openssl_ecdsa_get_pkcs11h_certificate (ec);
+ unsigned char *sigbuf = NULL;
+ size_t siglen;
+ ECDSA_SIG *sig = NULL;
+ ECDSA_SIG *ret = NULL;
+ CK_RV rv = CKR_FUNCTION_FAILED;
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: __pkcs11h_openssl_ecdsa_do_sign - entered dgst=%p, dlen=%d, inv=%p, r=%p, ec=%p",
+ (void *)dgst,
+ dlen,
+ (void *)inv,
+ (void *)r,
+ (void *)ec
+ );
+
+ _PKCS11H_ASSERT (dgst!=NULL);
+ _PKCS11H_ASSERT (inv==NULL);
+ _PKCS11H_ASSERT (r==NULL);
+ _PKCS11H_ASSERT (ec!=NULL);
+ _PKCS11H_ASSERT (certificate!=NULL);
+
+ if (
+ (rv = pkcs11h_certificate_signAny (
+ certificate,
+ CKM_ECDSA,
+ dgst,
+ (size_t)dlen,
+ NULL,
+ &siglen
+ )) != CKR_OK
+ ) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot perform signature %ld:'%s'", rv, pkcs11h_getMessage (rv));
+ goto cleanup;
+ }
+
+ if ((rv = _pkcs11h_mem_malloc ((void *)&sigbuf, siglen)) != CKR_OK) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot cannot allocate signature buffer");
+ goto cleanup;
+ }
+
+ if (
+ (rv = pkcs11h_certificate_signAny (
+ certificate,
+ CKM_ECDSA,
+ dgst,
+ (size_t)dlen,
+ sigbuf,
+ &siglen
+ )) != CKR_OK
+ ) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot perform signature %ld:'%s'", rv, pkcs11h_getMessage (rv));
+ goto cleanup;
+ }
+
+ if ((sig = ECDSA_SIG_new ()) == NULL) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot allocate ECDSA_SIG");
+ goto cleanup;
+ }
+
+ if (BN_bin2bn (&sigbuf[0], siglen/2, sig->r) == NULL) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot convert ecdsa r");
+ goto cleanup;
+ }
+
+ if (BN_bin2bn (&sigbuf[siglen/2], siglen/2, sig->s) == NULL) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot convert ecdsa s");
+ goto cleanup;
+ }
+
+ ret = sig;
+ sig = NULL;
+
+cleanup:
+
+ if (sigbuf != NULL) {
+ _pkcs11h_mem_free ((void *)&sigbuf);
+ }
+
+ if (sig != NULL) {
+ ECDSA_SIG_free (sig);
+ sig = NULL;
+ }
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: __pkcs11h_openssl_ecdsa_do_sign - return sig=%p",
+ (void *)sig
+ );
+
+ return ret;
+}
+
+static
+PKCS11H_BOOL
+__pkcs11h_openssl_session_setECDSA(
+ IN const pkcs11h_openssl_session_t openssl_session,
+ IN EVP_PKEY * evp
+) {
+ PKCS11H_BOOL ret = FALSE;
+ EC_KEY *ec = NULL;
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: __pkcs11h_openssl_session_setECDSA - entered openssl_session=%p, evp=%p",
+ (void *)openssl_session,
+ (void *)evp
+ );
+
+ if (
+ (ec = EVP_PKEY_get1_EC_KEY (evp)) == NULL
+ ) {
+ _PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get EC key");
+ goto cleanup;
+ }
+
+ ECDSA_set_method (ec, __openssl_methods.ecdsa);
+ ECDSA_set_ex_data (ec, __openssl_methods.ecdsa_index, openssl_session);
+
+ ret = TRUE;
+
+cleanup:
+
+ if (ec != NULL) {
+ EC_KEY_free (ec);
+ ec = NULL;
+ }
+
+ _PKCS11H_DEBUG (
+ PKCS11H_LOG_DEBUG2,
+ "PKCS#11: __pkcs11h_openssl_session_setECDSA - return ret=%d",
+ ret
+ );
+
+ return ret;
+}
+
+#endif
+
PKCS11H_BOOL
_pkcs11h_openssl_initialize (void) {
_PKCS11H_DEBUG (
@@ -617,6 +796,21 @@ _pkcs11h_openssl_initialize (void) {
__pkcs11h_openssl_ex_data_free
);
#endif
+#ifdef __ENABLE_EC
+ if (__openssl_methods.ecdsa != NULL) {
+ ECDSA_METHOD_free(__openssl_methods.ecdsa);
+ }
+ __openssl_methods.ecdsa = ECDSA_METHOD_new ((ECDSA_METHOD *)ECDSA_get_default_method ());
+ ECDSA_METHOD_set_name(__openssl_methods.ecdsa, "pkcs11h");
+ ECDSA_METHOD_set_sign(__openssl_methods.ecdsa, __pkcs11h_openssl_ecdsa_do_sign);
+ __openssl_methods.ecdsa_index = ECDSA_get_ex_new_index (
+ 0,
+ "pkcs11h",
+ NULL,
+ __pkcs11h_openssl_ex_data_dup,
+ __pkcs11h_openssl_ex_data_free
+ );
+#endif
_PKCS11H_DEBUG (
PKCS11H_LOG_DEBUG2,
"PKCS#11: _pkcs11h_openssl_initialize - return"
@@ -630,6 +824,12 @@ _pkcs11h_openssl_terminate (void) {
PKCS11H_LOG_DEBUG2,
"PKCS#11: _pkcs11h_openssl_terminate"
);
+#ifdef __ENABLE_EC
+ if (__openssl_methods.ecdsa != NULL) {
+ ECDSA_METHOD_free(__openssl_methods.ecdsa);
+ __openssl_methods.ecdsa = NULL;
+ }
+#endif
return TRUE;
}
@@ -946,6 +1146,13 @@ pkcs11h_openssl_session_getEVP (
}
}
#endif
+#ifdef __ENABLE_EC
+ else if (evp->type == EVP_PKEY_EC) {
+ if (!__pkcs11h_openssl_session_setECDSA(openssl_session, evp)) {
+ goto cleanup;
+ }
+ }
+#endif
else {
_PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key algorithm %d", evp->type);
goto cleanup;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/pkcs11-helper.git
More information about the pkg-opensc-commit
mailing list