[pkg-opensc-commit] [opensc] 246/295: Add new attribute CKA_SPKI for CKO_PUBLIC_KEY

Eric Dorland eric at moszumanska.debian.org
Sat Jun 24 21:11:36 UTC 2017 

This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository opensc.

commit 404928367544c117922b771733148ad777111479
Author: Doug Engert <deengert at gmail.com>
Date:   Sat Apr 8 06:18:55 2017 -0500

    Add new attribute CKA_SPKI for CKO_PUBLIC_KEY
    
    CKA_SPKI is a vendor defined attribute to be used internally
    as input to to OpenSSL d2i_PUBKEY
    
     On branch verify-pubkey-as-spki-2
     Changes to be committed:
    	modified:   framework-pkcs15.c
    	modified:   mechanism.c
    	modified:   openssl.c
    	modified:   pkcs11-opensc.h
---
 src/pkcs11/framework-pkcs15.c | 11 ++++++++++-
 src/pkcs11/mechanism.c        | 13 ++++++++++---
 src/pkcs11/openssl.c          | 28 ++--------------------------
 src/pkcs11/pkcs11-opensc.h    |  2 ++
 4 files changed, 24 insertions(+), 30 deletions(-)

diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index dba579a..e6ab357 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -3880,6 +3880,7 @@ pkcs15_pubkey_get_attribute(struct sc_pkcs11_session *session, void *object, CK_
 		case CKA_MODULUS:
 		case CKA_MODULUS_BITS:
 		case CKA_VALUE:
+		case CKA_SPKI:
 		case CKA_PUBLIC_EXPONENT:
 		case CKA_EC_PARAMS:
 		case CKA_EC_POINT:
@@ -3982,9 +3983,17 @@ pkcs15_pubkey_get_attribute(struct sc_pkcs11_session *session, void *object, CK_
 		return get_modulus_bits(pubkey->pub_data, attr);
 	case CKA_PUBLIC_EXPONENT:
 		return get_public_exponent(pubkey->pub_data, attr);
+	/* 
+	 * PKCS#11 does not define a CKA_VALUE for a CKO_PUBLIC_KEY.
+	 * OpenSC does, but it is not consistent it what it returns
+	 * Internally to do verify, with OpenSSL, we need a SPKI that
+	 * can be converted into a EVP_KEY with d2i_PUBKEY
+	 * CKA_SPKI is defined internally as a CKA_VENDOR_DFINED attribute.
+	 */
 	case CKA_VALUE:
+	case CKA_SPKI:
 
-		if (pubkey->pub_info && pubkey->pub_info->direct.raw.value && pubkey->pub_info->direct.raw.len)   {
+		if (attr->type != CKA_SPKI && pubkey->pub_info && pubkey->pub_info->direct.raw.value && pubkey->pub_info->direct.raw.len)   {
 			check_attribute_buffer(attr, pubkey->pub_info->direct.raw.len);
 			memcpy(attr->pValue, pubkey->pub_info->direct.raw.value, pubkey->pub_info->direct.raw.len);
 		}
diff --git a/src/pkcs11/mechanism.c b/src/pkcs11/mechanism.c
index 0ac4366..8b1d18f 100644
--- a/src/pkcs11/mechanism.c
+++ b/src/pkcs11/mechanism.c
@@ -686,7 +686,7 @@ sc_pkcs11_verify_final(sc_pkcs11_operation_t *operation,
 {
 	struct signature_data *data;
 	struct sc_pkcs11_object *key;
-	unsigned char *pubkey_value;
+	unsigned char *pubkey_value = NULL;
 	CK_KEY_TYPE key_type;
 	CK_BYTE params[9 /* GOST_PARAMS_OID_SIZE */] = { 0 };
 	CK_ATTRIBUTE attr = {CKA_VALUE, NULL, 0};
@@ -700,6 +700,14 @@ sc_pkcs11_verify_final(sc_pkcs11_operation_t *operation,
 		return CKR_ARGUMENTS_BAD;
 
 	key = data->key;
+	rv = key->ops->get_attribute(operation->session, key, &attr_key_type);
+	if (rv != CKR_OK)
+		return rv;
+
+	if (key_type != CKK_GOSTR3410)
+		attr.type = CKA_SPKI;
+		
+
 	rv = key->ops->get_attribute(operation->session, key, &attr);
 	if (rv != CKR_OK)
 		return rv;
@@ -713,8 +721,7 @@ sc_pkcs11_verify_final(sc_pkcs11_operation_t *operation,
 	if (rv != CKR_OK)
 		goto done;
 
-	rv = key->ops->get_attribute(operation->session, key, &attr_key_type);
-	if (rv == CKR_OK && key_type == CKK_GOSTR3410) {
+	if (key_type == CKK_GOSTR3410) {
 		rv = key->ops->get_attribute(operation->session, key, &attr_key_params);
 		if (rv != CKR_OK)
 			goto done;
diff --git a/src/pkcs11/openssl.c b/src/pkcs11/openssl.c
index 77ce28d..50b9b0a 100644
--- a/src/pkcs11/openssl.c
+++ b/src/pkcs11/openssl.c
@@ -406,8 +406,7 @@ CK_RV sc_pkcs11_verify_data(const unsigned char *pubkey, int pubkey_len,
 	int res;
 	CK_RV rv = CKR_GENERAL_ERROR;
 	EVP_PKEY *pkey = NULL;
-	const unsigned char *pubkey_tmp;
-	int is_spki = 0;
+	const unsigned char *pubkey_tmp = NULL;
 
 	if (mech == CKM_GOSTR3410)
 	{
@@ -428,31 +427,8 @@ CK_RV sc_pkcs11_verify_data(const unsigned char *pubkey, int pubkey_len,
 	 * We can use d2i_PUBKEY which works for SPKI and any key type. 
 	 */
 	pubkey_tmp = pubkey; /* pass in so pubkey pointer is not modified */
-	/* SPKI ASN.1 starts with SEQUENCE, SEQUENCE, OBJECT IDENTIFIER */
-	if (*pubkey_tmp++ == 0x30) {
-		if (*pubkey_tmp & 0x80)
-			pubkey_tmp += *pubkey_tmp & 0x7F;
-
-		pubkey_tmp++;
-		if (*pubkey_tmp++ == 0x30) {
-			if (*pubkey_tmp & 0x80)
-				pubkey_tmp += *pubkey_tmp & 0x7F;
-
-			pubkey_tmp += 1;
-			if (*pubkey_tmp == 0x06)
-				is_spki = 1;
-		}
-	}
 
-	pubkey_tmp = pubkey; /* pass in so pubkey pointer is not modified */
-
-	if (is_spki) {
-		pkey = d2i_PUBKEY(NULL, &pubkey_tmp, pubkey_len);
-	}else {
-		/* Assume it is RSA */
-		/* TODO support others  but GOST is done above, and EC always uses SPKI */
-		pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &pubkey_tmp, pubkey_len);
-	}
+	pkey = d2i_PUBKEY(NULL, &pubkey_tmp, pubkey_len);
 	if (pkey == NULL)
 		return CKR_GENERAL_ERROR;
 
diff --git a/src/pkcs11/pkcs11-opensc.h b/src/pkcs11/pkcs11-opensc.h
index d527219..33beb6a 100644
--- a/src/pkcs11/pkcs11-opensc.h
+++ b/src/pkcs11/pkcs11-opensc.h
@@ -9,4 +9,6 @@
  */
 #define CKA_OPENSC_NON_REPUDIATION      (CKA_VENDOR_DEFINED | 1UL)
 
+#define CKA_SPKI			(CKA_VENDOR_DEFINED | 2UL)
+
 #endif

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/opensc.git

More information about the pkg-opensc-commit mailing list