Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.6:Update
tpm2-pkcs11
tpm2-pkcs11-ssl-compile-against-OSSL-3.0.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File tpm2-pkcs11-ssl-compile-against-OSSL-3.0.patch of Package tpm2-pkcs11
From 1dbcec3b83380ab7d701a2b0d81b8cff02ffeaf8 Mon Sep 17 00:00:00 2001 From: William Roberts <william.c.roberts@intel.com> Date: Fri, 3 Sep 2021 11:24:40 -0500 Subject: [PATCH] ssl: compile against OSSL 3.0 Compile against OpenSSL. This moves functions non-deprecated things if possible and ignores deprecation warnings when not. Padding manipulation routines seem to have been marked deprecated in OSSL 3.0, so we need to figure out a porting strategy here. Fixes: #686 Signed-off-by: William Roberts <william.c.roberts@intel.com> Index: tpm2-pkcs11-1.6.0/src/lib/backend_esysdb.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/backend_esysdb.c +++ tpm2-pkcs11-1.6.0/src/lib/backend_esysdb.c @@ -3,6 +3,7 @@ #include "config.h" #include "backend_esysdb.h" #include "db.h" +#include "ssl_util.h" #include "tpm.h" CK_RV backend_esysdb_init(void) { @@ -308,7 +309,7 @@ CK_RV backend_esysdb_token_unseal_wrappi } twist sealsalt = user ? sealobj->userauthsalt : sealobj->soauthsalt; - twist sealobjauth = utils_hash_pass(tpin, sealsalt); + twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt); if (!sealobjauth) { rv = CKR_HOST_MEMORY; goto error; @@ -372,7 +373,7 @@ CK_RV backend_esysdb_token_changeauth(to */ twist oldsalt = !user ? tok->esysdb.sealobject.soauthsalt : tok->esysdb.sealobject.userauthsalt; - twist oldauth = utils_hash_pass(toldpin, oldsalt); + twist oldauth = ssl_util_hash_pass(toldpin, oldsalt); if (!oldauth) { goto out; } Index: tpm2-pkcs11-1.6.0/src/lib/backend_fapi.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/backend_fapi.c +++ tpm2-pkcs11-1.6.0/src/lib/backend_fapi.c @@ -10,6 +10,7 @@ #include "backend_fapi.h" #include "emitter.h" #include "parser.h" +#include "ssl_util.h" #include "utils.h" #ifdef HAVE_FAPI @@ -773,7 +774,7 @@ CK_RV backend_fapi_token_unseal_wrapping } twist sealsalt = user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt; - twist sealobjauth = utils_hash_pass(tpin, sealsalt); + twist sealobjauth = ssl_util_hash_pass(tpin, sealsalt); if (!sealobjauth) { rv = CKR_HOST_MEMORY; goto error; @@ -869,7 +870,7 @@ CK_RV backend_fapi_token_changeauth(toke } rv = CKR_GENERAL_ERROR; - oldauth = utils_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt); + oldauth = ssl_util_hash_pass(toldpin, user ? tok->fapi.userauthsalt : tok->fapi.soauthsalt); if (!oldauth) { goto out; } Index: tpm2-pkcs11-1.6.0/src/lib/encrypt.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/encrypt.c +++ tpm2-pkcs11-1.6.0/src/lib/encrypt.c @@ -59,7 +59,7 @@ void encrypt_op_data_free(encrypt_op_dat CK_RV sw_encrypt_data_init(mdetail *mdtl, CK_MECHANISM *mechanism, tobject *tobj, sw_encrypt_data **enc_data) { EVP_PKEY *pkey = NULL; - CK_RV rv = ssl_util_tobject_to_evp(&pkey, tobj); + CK_RV rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); if (rv != CKR_OK) { return rv; } Index: tpm2-pkcs11-1.6.0/src/lib/mech.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/mech.c +++ tpm2-pkcs11-1.6.0/src/lib/mech.c @@ -654,7 +654,7 @@ CK_RV ecc_keygen_validator(mdetail *m, C } int nid = 0; - CK_RV rv = ec_params_to_nid(a, &nid); + CK_RV rv = ssl_util_params_to_nid(a, &nid); if (rv != CKR_OK) { return rv; } @@ -818,11 +818,11 @@ CK_RV rsa_pkcs_synthesizer(mdetail *mdtl } /* Apply the PKCS1.5 padding */ - int rc = RSA_padding_add_PKCS1_type_1(outbuf, padded_len, - inbuf, inlen); - if (!rc) { + CK_RV rv = ssl_util_add_PKCS1_TYPE_1(inbuf, inlen, + outbuf, padded_len); + if (rv != CKR_OK) { LOGE("Applying RSA padding failed"); - return CKR_GENERAL_ERROR; + return rv; } *outlen = padded_len; @@ -854,22 +854,21 @@ CK_RV rsa_pkcs_unsynthesizer(mdetail *md size_t key_bytes = *keybits / 8; unsigned char buf[4096]; - int rc = RSA_padding_check_PKCS1_type_2(buf, sizeof(buf), - inbuf, inlen, - key_bytes); - if (rc < 0) { + CK_ULONG buflen = sizeof(buf); + CK_RV rv = ssl_util_check_PKCS1_TYPE_2(inbuf, inlen, key_bytes, + buf, &buflen); + if (rv != CKR_OK) { LOGE("Could not recover CKM_RSA_PKCS Padding"); - return CKR_GENERAL_ERROR; + return rv; } - /* cannot be < 0 because of check above */ - if (!outbuf || (unsigned)rc > *outlen) { - *outlen = rc; + if (!outbuf || buflen > *outlen) { + *outlen = buflen; return outbuf ? CKR_BUFFER_TOO_SMALL : CKR_OK; } - *outlen = rc; - memcpy(outbuf, buf, rc); + *outlen = buflen; + memcpy(outbuf, buf, buflen); return CKR_OK; } @@ -905,50 +904,21 @@ CK_RV rsa_pss_synthesizer(mdetail *mdtl, return CKR_GENERAL_ERROR; } - CK_ATTRIBUTE_PTR exp_attr = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); - if (!exp_attr) { - LOGE("Signing key has no CKA_PUBLIC_EXPONENT"); - return CKR_GENERAL_ERROR; - } - if (modulus_attr->ulValueLen > *outlen) { LOGE("Output buffer is too small, got: %lu, required at least %lu", *outlen, modulus_attr->ulValueLen); return CKR_GENERAL_ERROR; } - BIGNUM *e = BN_bin2bn(exp_attr->pValue, exp_attr->ulValueLen, NULL); - if (!e) { - LOGE("Could not convert exponent to bignum"); - return CKR_GENERAL_ERROR; - } - - BIGNUM *n = BN_bin2bn(modulus_attr->pValue, modulus_attr->ulValueLen, NULL); - if (!n) { - LOGE("Could not convert modulus to bignum"); - BN_free(e); - return CKR_GENERAL_ERROR; - } - - RSA *rsa = RSA_new(); - if (!rsa) { - LOGE("oom"); - return CKR_HOST_MEMORY; - } - - int rc = RSA_set0_key(rsa, n, e, NULL); - if (!rc) { - LOGE("Could not set modulus and exponent to OSSL RSA key"); - BN_free(n); - BN_free(e); - RSA_free(rsa); - return CKR_GENERAL_ERROR; + EVP_PKEY *pkey = NULL; + rv = ssl_util_attrs_to_evp(attrs, &pkey); + if (rv != CKR_OK) { + return rv; } - rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf, - inbuf, md, -1); - RSA_free(rsa); - if (!rc) { + rv = ssl_util_add_PKCS1_PSS(pkey, inbuf, md, outbuf); + EVP_PKEY_free(pkey); + if (rv != CKR_OK) { LOGE("Applying RSA padding failed"); return CKR_GENERAL_ERROR; } Index: tpm2-pkcs11-1.6.0/src/lib/object.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/object.c +++ tpm2-pkcs11-1.6.0/src/lib/object.c @@ -15,6 +15,7 @@ #include "object.h" #include "pkcs11.h" #include "session_ctx.h" +#include "ssl_util.h" #include "token.h" #include "utils.h" @@ -120,7 +121,7 @@ CK_RV tobject_get_max_buf_size(tobject * } int nid = 0; - CK_RV rv = ec_params_to_nid(a, &nid); + CK_RV rv = ssl_util_params_to_nid(a, &nid); if (rv != CKR_OK) { return rv; } Index: tpm2-pkcs11-1.6.0/src/lib/sign.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/sign.c +++ tpm2-pkcs11-1.6.0/src/lib/sign.c @@ -74,7 +74,7 @@ static sign_opdata *sign_opdata_new(mdet } EVP_PKEY *pkey = NULL; - rv = ssl_util_tobject_to_evp(&pkey, tobj); + rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); if (rv != CKR_OK) { return NULL; } Index: tpm2-pkcs11-1.6.0/src/lib/ssl_util.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/ssl_util.c +++ tpm2-pkcs11-1.6.0/src/lib/ssl_util.c @@ -10,6 +10,7 @@ #include <openssl/rsa.h> #include <openssl/sha.h> +#include "attrs.h" #include "log.h" #include "pkcs11.h" #include "ssl_util.h" @@ -19,194 +20,291 @@ #include <openssl/evperr.h> #endif -#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) +#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) +#include <openssl/core_names.h> +#endif /* - * Pre openssl 1.1 doesn't have EC_POINT_point2buf, so use EC_POINT_point2oct to - * create an API compatible version of it. + * TODO Port these routines + * Deprecated function block to port + * + * There are no padding routine replacements in OSSL 3.0. + * - per Matt Caswell (maintainer) on mailing list. + * Signature verification can likely be done with EVP Verify interface. */ -size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, - point_conversion_form_t form, - unsigned char **pbuf, BN_CTX *ctx) { - - /* Get the required buffer length */ - size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, NULL); - if (!len) { - return 0; - } +#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +#endif - /* allocate it */ - unsigned char *buf = OPENSSL_malloc(len); - if (!buf) { - return 0; - } +CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey, + const CK_BYTE_PTR inbuf, const EVP_MD *md, + CK_BYTE_PTR outbuf) { - /* convert it */ - len = EC_POINT_point2oct(group, point, form, buf, len, ctx); - if (!len) { - OPENSSL_free(buf); - return 0; + RSA *rsa = (RSA *)EVP_PKEY_get0_RSA(pkey); + if (!rsa) { + return CKR_GENERAL_ERROR; } - *pbuf = buf; - return len; -} + int rc = RSA_padding_add_PKCS1_PSS(rsa, outbuf, + inbuf, md, -1); -size_t OBJ_length(const ASN1_OBJECT *obj) { + return rc == 1 ? CKR_OK : CKR_GENERAL_ERROR; +} - if (!obj) { - return 0; - } +CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen, + CK_BYTE_PTR outbuf, CK_ULONG outbuflen) { - return obj->length; + return RSA_padding_add_PKCS1_type_1(outbuf, outbuflen, + inbuf, inlen) == 1 ? CKR_OK : CKR_GENERAL_ERROR; } -const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj) { +CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len, + CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen) { - if (!obj) { - return NULL; + int rc = RSA_padding_check_PKCS1_type_2(outbuf, *outbuflen, + inbuf, inlen, rsa_len); + if (rc < 0) { + return CKR_GENERAL_ERROR; } - return obj->data; + /* cannot be negative due to check above */ + *outbuflen = rc; + return CKR_OK; } -const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) { - return ASN1_STRING_data((ASN1_STRING *)x); -} +#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) +#pragma GCC diagnostic pop +#endif + +#if defined(LIB_TPM2_OPENSSL_OPENSSL_POST300) +#include <openssl/core_names.h> +#include <openssl/param_build.h> +static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) { + + CK_RV rv = CKR_GENERAL_ERROR; -int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { + OSSL_PARAM *params = NULL; + OSSL_PARAM_BLD *bld = NULL; + EVP_PKEY_CTX *evp_ctx = NULL; - if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) { - return 0; + BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL); + if (!e) { + SSL_UTIL_LOGE("BN_bin2bn for e"); + return rv; } - if (n != NULL) { - BN_free(r->n); - r->n = n; + BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL); + if (!n) { + SSL_UTIL_LOGE("BN_bin2bn for n"); + goto out; } - if (e != NULL) { - BN_free(r->e); - r->e = e; + bld = OSSL_PARAM_BLD_new(); + if (!bld) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_new"); + goto out; } - if (d != NULL) { - BN_free(r->d); - r->d = d; + if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e) != 1) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_push_BN(OSSL_PKEY_PARAM_RSA_E)"); + goto out; } - return 1; -} + if (OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n) != 1) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_push_BN(OSSL_PKEY_PARAM_RSA_N)"); + goto out; + } -int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { + params = OSSL_PARAM_BLD_to_param(bld); + if (!params) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_to_param"); + goto out; + } - if (!r || !s) { - return 0; + /* convert params to EVP key */ + evp_ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); + if (!evp_ctx) { + SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id"); + goto out; } - BN_free(sig->r); - BN_free(sig->s); + int rc = EVP_PKEY_fromdata_init(evp_ctx); + if (rc != 1) { + SSL_UTIL_LOGE("EVP_PKEY_fromdata_init"); + goto out; + } - sig->r = r; - sig->s = s; + rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params); + if (rc != 1) { + SSL_UTIL_LOGE("EVP_PKEY_fromdata"); + EVP_PKEY_CTX_free(evp_ctx); + goto out; + } - return 1; -} + rv = CKR_OK; -EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey) { - if (pkey->type != EVP_PKEY_EC) { - return NULL; - } +out: + EVP_PKEY_CTX_free(evp_ctx); + BN_free(n); + BN_free(e); + OSSL_PARAM_BLD_free(bld); + OSSL_PARAM_free(params); - return pkey->pkey.ec; + return rv; } -#endif -static CK_RV convert_pubkey_RSA(RSA **outkey, attr_list *attrs) { +static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) { - RSA *rsa = NULL; - BIGNUM *e = NULL, *n = NULL; + CK_RV rv = CKR_GENERAL_ERROR; - CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); - if (!exp) { - LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT"); - return CKR_GENERAL_ERROR; - } + EVP_PKEY_CTX *evp_ctx = NULL; + OSSL_PARAM *params = NULL; + OSSL_PARAM_BLD *bld = NULL; - CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS); - if (!mod) { - LOGE("RSA Object must have attribute CKA_MODULUS"); - return CKR_GENERAL_ERROR; + /* + * The simplest way I have found to deal with this is to convert the ASN1 object in + * the ecparams attribute (was done previously with d2i_ECParameters) is to a nid and + * then take the int nid and convert it to a friendly name like prime256v1. + * EVP_PKEY_fromdata can handle group by name. + * + * Per the spec this is "DER-encoding of an ANSI X9.62 Parameters value". + */ + int curve_id = 0; + CK_RV rc = ssl_util_params_to_nid(ecparams, &curve_id); + if (rc != CKR_OK) { + LOGE("Could not get nid from params"); + return rc; } - rsa = RSA_new(); - if (!rsa) { - SSL_UTIL_LOGE("Failed to allocate OpenSSL RSA structure"); - goto error; + /* Per the spec CKA_EC_POINT attribute is the "DER-encoding of ANSI X9.62 ECPoint value Q */ + const unsigned char *x = ecpoint->pValue; + ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen); + if (!os) { + SSL_UTIL_LOGE("d2i_ASN1_OCTET_STRING: %s"); + return rv; } - e = BN_bin2bn(exp->pValue, exp->ulValueLen, NULL); - if (!e) { - SSL_UTIL_LOGE("Failed to convert exponent to SSL internal format"); - goto error; + bld = OSSL_PARAM_BLD_new(); + if (!bld) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_new"); + goto out; } - n = BN_bin2bn(mod->pValue, mod->ulValueLen, NULL); - if (!n) { - SSL_UTIL_LOGE("Failed to convert modulus to SSL internal format"); - goto error; + if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, + (char *)OBJ_nid2sn(curve_id), 0) != 1) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_push_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME)"); + goto out; } - if (!RSA_set0_key(rsa, n, e, NULL)) { - SSL_UTIL_LOGE("Failed to set RSA modulus and exponent components"); - RSA_free(rsa); - BN_free(e); - BN_free(n); - goto error; + if (OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, + os->data, os->length) != 1) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_push_octet_string(OSSL_PKEY_PARAM_PUB_KEY)"); + goto out; } - *outkey = rsa; + params = OSSL_PARAM_BLD_to_param(bld); + if (!params) { + SSL_UTIL_LOGE("OSSL_PARAM_BLD_to_param"); + goto out; + } - return CKR_OK; + /* convert params to EVP key */ + evp_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL); + if (!evp_ctx) { + SSL_UTIL_LOGE("EVP_PKEY_CTX_new_id"); + goto out; + } -error: - RSA_free(rsa); - if (e) { - BN_free(e); + int ossl_rc = EVP_PKEY_fromdata_init(evp_ctx); + if (ossl_rc != 1) { + SSL_UTIL_LOGE("EVP_PKEY_fromdata_init: %s"); + goto out; } - if (n) { - BN_free(n); + + ossl_rc = EVP_PKEY_fromdata(evp_ctx, out_pkey, EVP_PKEY_PUBLIC_KEY, params); + if (ossl_rc != 1) { + SSL_UTIL_LOGE("EVP_PKEY_fromdata"); + goto out; } - return CKR_GENERAL_ERROR; +out: + OPENSSL_free(os); + OSSL_PARAM_BLD_free(bld); + OSSL_PARAM_free(params); + EVP_PKEY_CTX_free(evp_ctx); + + return CKR_OK; } -static CK_RV convert_pubkey_ECC(EC_KEY **outkey, attr_list *attrs) { +#else - EC_KEY *key = EC_KEY_new(); - if (!key) { +static CK_RV get_RSA_evp_pubkey(CK_ATTRIBUTE_PTR e_attr, CK_ATTRIBUTE_PTR n_attr, EVP_PKEY **out_pkey) { + + BIGNUM *e = BN_bin2bn(e_attr->pValue, e_attr->ulValueLen, NULL); + if (!e) { + LOGE("Could not convert exponent to bignum"); + return CKR_GENERAL_ERROR; + } + + BIGNUM *n = BN_bin2bn(n_attr->pValue, n_attr->ulValueLen, NULL); + if (!n) { + LOGE("Could not convert modulus to bignum"); + BN_free(e); + return CKR_GENERAL_ERROR; + } + + RSA *rsa = RSA_new(); + if (!rsa) { LOGE("oom"); return CKR_HOST_MEMORY; } - CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS); - if (!ecparams) { - LOGE("ECC Key must have attribute CKA_EC_PARAMS"); + int rc = RSA_set0_key(rsa, n, e, NULL); + if (!rc) { + LOGE("Could not set modulus and exponent to OSSL RSA key"); + BN_free(n); + BN_free(e); + RSA_free(rsa); + return CKR_GENERAL_ERROR; + } + + /* assigned to RSA key */ + n = e = NULL; + + EVP_PKEY *pkey = EVP_PKEY_new(); + if (!pkey) { + SSL_UTIL_LOGE("EVP_PKEY_new"); + RSA_free(rsa); return CKR_GENERAL_ERROR; } - CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT); - if (!ecpoint) { - LOGE("ECC Key must have attribute CKA_EC_POINT"); + rc = EVP_PKEY_assign_RSA(pkey, rsa); + if (rc != 1) { + RSA_free(rsa); + EVP_PKEY_free(pkey); return CKR_GENERAL_ERROR; } + *out_pkey = pkey; + + return CKR_OK; +} + +static CK_RV get_EC_evp_pubkey(CK_ATTRIBUTE_PTR ecparams, CK_ATTRIBUTE_PTR ecpoint, EVP_PKEY **out_pkey) { + + EC_KEY *ecc = EC_KEY_new(); + if (!ecc) { + LOGE("oom"); + return CKR_HOST_MEMORY; + } + /* set params */ const unsigned char *x = ecparams->pValue; - EC_KEY *k = d2i_ECParameters(&key, &x, ecparams->ulValueLen); + EC_KEY *k = d2i_ECParameters(&ecc, &x, ecparams->ulValueLen); if (!k) { SSL_UTIL_LOGE("Could not update key with EC Parameters"); - EC_KEY_free(key); + EC_KEY_free(ecc); return CKR_GENERAL_ERROR; } @@ -215,22 +313,38 @@ static CK_RV convert_pubkey_ECC(EC_KEY * ASN1_OCTET_STRING *os = d2i_ASN1_OCTET_STRING(NULL, &x, ecpoint->ulValueLen); if (os) { x = os->data; - k = o2i_ECPublicKey(&key, &x, os->length); + k = o2i_ECPublicKey(&ecc, &x, os->length); ASN1_STRING_free(os); if (!k) { SSL_UTIL_LOGE("Could not update key with EC Points"); - EC_KEY_free(key); + EC_KEY_free(ecc); return CKR_GENERAL_ERROR; } } - *outkey = key; + EVP_PKEY *pkey = EVP_PKEY_new(); + if (!pkey) { + SSL_UTIL_LOGE("EVP_PKEY_new"); + EC_KEY_free(ecc); + return CKR_GENERAL_ERROR; + } + + int rc = EVP_PKEY_assign_EC_KEY(pkey, ecc); + if (!rc) { + SSL_UTIL_LOGE("Could not set pkey with ec key"); + EC_KEY_free(ecc); + EVP_PKEY_free(pkey); + return CKR_GENERAL_ERROR; + } + + *out_pkey = pkey; return CKR_OK; } +#endif -CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj) { +CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey) { - CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(obj->attrs, CKA_KEY_TYPE); + CK_ATTRIBUTE_PTR a = attr_get_attribute_by_type(attrs, CKA_KEY_TYPE); if (!a) { LOGE("Expected object to have attribute CKA_KEY_TYPE"); return CKR_KEY_TYPE_INCONSISTENT; @@ -243,44 +357,52 @@ CK_RV ssl_util_tobject_to_evp(EVP_PKEY * return rv; } - EVP_PKEY *pkey = EVP_PKEY_new(); - if (!pkey) { - LOGE("oom"); - return CKR_HOST_MEMORY; - } + EVP_PKEY *pkey = NULL; if (key_type == CKK_EC) { - EC_KEY *e = NULL; - rv = convert_pubkey_ECC(&e, obj->attrs); - if (rv != CKR_OK) { - return rv; + + CK_ATTRIBUTE_PTR ecparams = attr_get_attribute_by_type(attrs, CKA_EC_PARAMS); + if (!ecparams) { + LOGE("ECC Key must have attribute CKA_EC_PARAMS"); + return CKR_GENERAL_ERROR; } - int rc = EVP_PKEY_assign_EC_KEY(pkey, e); - if (!rc) { - SSL_UTIL_LOGE("Could not set pkey with ec key"); - EC_KEY_free(e); - EVP_PKEY_free(pkey); + + CK_ATTRIBUTE_PTR ecpoint = attr_get_attribute_by_type(attrs, CKA_EC_POINT); + if (!ecpoint) { + LOGE("ECC Key must have attribute CKA_EC_POINT"); return CKR_GENERAL_ERROR; } - } else if (key_type == CKK_RSA) { - RSA *r = NULL; - rv = convert_pubkey_RSA(&r, obj->attrs); + + rv = get_EC_evp_pubkey(ecparams, ecpoint, &pkey); if (rv != CKR_OK) { return rv; } - int rc = EVP_PKEY_assign_RSA(pkey, r); - if (!rc) { - SSL_UTIL_LOGE("Could not set pkey with rsa key"); - RSA_free(r); - EVP_PKEY_free(pkey); + + } else if (key_type == CKK_RSA) { + + CK_ATTRIBUTE_PTR exp = attr_get_attribute_by_type(attrs, CKA_PUBLIC_EXPONENT); + if (!exp) { + LOGE("RSA Object must have attribute CKA_PUBLIC_EXPONENT"); + return CKR_GENERAL_ERROR; + } + + CK_ATTRIBUTE_PTR mod = attr_get_attribute_by_type(attrs, CKA_MODULUS); + if (!mod) { + LOGE("RSA Object must have attribute CKA_MODULUS"); return CKR_GENERAL_ERROR; } + + rv = get_RSA_evp_pubkey(exp, mod, &pkey); + if (rv != CKR_OK) { + return rv; + } + } else { LOGE("Invalid CKA_KEY_TYPE, got: %lu", key_type); - EVP_PKEY_free(pkey); return CKR_KEY_TYPE_INCONSISTENT; } + assert(pkey); *outpkey = pkey; return CKR_OK; @@ -396,10 +518,12 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK } } - rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md); - if (!rc) { - SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed"); - goto error; + if (md) { + rc = EVP_PKEY_CTX_set_signature_md(pkey_ctx, md); + if (!rc) { + SSL_UTIL_LOGE("EVP_PKEY_CTX_set_signature_md failed"); + goto error; + } } *outpkey_ctx = pkey_ctx; @@ -411,21 +535,12 @@ error: return CKR_GENERAL_ERROR; } -static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey, - int padding, const EVP_MD *md, - CK_BYTE_PTR digest, CK_ULONG digest_len, - CK_BYTE_PTR signature, CK_ULONG signature_len) { +static CK_RV sig_verify(EVP_PKEY_CTX *ctx, + const unsigned char *sig, size_t siglen, + const unsigned char *tbs, size_t tbslen) { CK_RV rv = CKR_GENERAL_ERROR; - - EVP_PKEY_CTX *pkey_ctx = NULL; - rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md, - EVP_PKEY_verify_init, &pkey_ctx); - if (rv != CKR_OK) { - return rv; - } - - int rc = EVP_PKEY_verify(pkey_ctx, signature, signature_len, digest, digest_len); + int rc = EVP_PKEY_verify(ctx, sig, siglen, tbs, tbslen); if (rc < 0) { SSL_UTIL_LOGE("EVP_PKEY_verify failed"); } else if (rc == 1) { @@ -434,11 +549,11 @@ static CK_RV do_sig_verify_rsa(EVP_PKEY rv = CKR_SIGNATURE_INVALID; } - EVP_PKEY_CTX_free(pkey_ctx); return rv; } -static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, ECDSA_SIG **outsig) { +static CK_RV create_ecdsa_sig(CK_BYTE_PTR sig, CK_ULONG siglen, + unsigned char **outbuf, size_t *outlen) { if (siglen & 1) { LOGE("Expected ECDSA signature length to be even, got : %lu", @@ -477,21 +592,48 @@ static CK_RV create_ecdsa_sig(CK_BYTE_PT return CKR_GENERAL_ERROR; } - *outsig = ossl_sig; + int sig_len =i2d_ECDSA_SIG(ossl_sig, NULL); + if (sig_len <= 0) { + if (rc < 0) { + SSL_UTIL_LOGE("ECDSA_do_verify failed"); + } else { + LOGE("Expected length to be greater than 0"); + } + ECDSA_SIG_free(ossl_sig); + return CKR_GENERAL_ERROR; + } + + unsigned char *buf = calloc(1, sig_len); + if (!buf) { + LOGE("oom"); + ECDSA_SIG_free(ossl_sig); + return CKR_HOST_MEMORY; + } + + unsigned char *p = buf; + int sig_len2 = i2d_ECDSA_SIG(ossl_sig, &p); + if (sig_len2 < 0) { + SSL_UTIL_LOGE("ECDSA_do_verify failed"); + ECDSA_SIG_free(ossl_sig); + free(buf); + return CKR_GENERAL_ERROR; + } + + assert(sig_len == sig_len2); + + ECDSA_SIG_free(ossl_sig); + + *outbuf = buf; + *outlen = sig_len; return CKR_OK; } static CK_RV do_sig_verify_ec(EVP_PKEY *pkey, + const EVP_MD *md, CK_BYTE_PTR digest, CK_ULONG digest_len, CK_BYTE_PTR signature, CK_ULONG signature_len) { - EC_KEY *eckey = EVP_PKEY_get0_EC_KEY(pkey); - if (!eckey) { - LOGE("Expected EC Key"); - return CKR_GENERAL_ERROR; - } - /* * OpenSSL expects ASN1 framed signatures, PKCS11 does flat * R + S signatures, so convert it to ASN1 framing. @@ -499,21 +641,47 @@ static CK_RV do_sig_verify_ec(EVP_PKEY * * https://github.com/tpm2-software/tpm2-pkcs11/issues/277 * For details. */ - ECDSA_SIG *ossl_sig = NULL; - CK_RV rv = create_ecdsa_sig(signature, signature_len, &ossl_sig); + unsigned char *buf = NULL; + size_t buflen = 0; + CK_RV rv = create_ecdsa_sig(signature, signature_len, &buf, &buflen); if (rv != CKR_OK) { return rv; } - int rc = ECDSA_do_verify(digest, digest_len, ossl_sig, eckey); - if (rc < 0) { - ECDSA_SIG_free(ossl_sig); - SSL_UTIL_LOGE("ECDSA_do_verify failed"); - return CKR_GENERAL_ERROR; + EVP_PKEY_CTX *pkey_ctx = NULL; + rv = ssl_util_setup_evp_pkey_ctx(pkey, 0, md, + EVP_PKEY_verify_init, &pkey_ctx); + if (rv != CKR_OK) { + free(buf); + return rv; } - ECDSA_SIG_free(ossl_sig); - return rc == 1 ? CKR_OK : CKR_SIGNATURE_INVALID; + rv = sig_verify(pkey_ctx, buf, buflen, digest, digest_len); + + EVP_PKEY_CTX_free(pkey_ctx); + free(buf); + + return rv; +} + +static CK_RV do_sig_verify_rsa(EVP_PKEY *pkey, + int padding, const EVP_MD *md, + CK_BYTE_PTR digest, CK_ULONG digest_len, + CK_BYTE_PTR signature, CK_ULONG signature_len) { + + CK_RV rv = CKR_GENERAL_ERROR; + + EVP_PKEY_CTX *pkey_ctx = NULL; + rv = ssl_util_setup_evp_pkey_ctx(pkey, padding, md, + EVP_PKEY_verify_init, &pkey_ctx); + if (rv != CKR_OK) { + return rv; + } + + rv = sig_verify(pkey_ctx, signature, signature_len, digest, digest_len); + + EVP_PKEY_CTX_free(pkey_ctx); + return rv; } CK_RV ssl_util_sig_verify(EVP_PKEY *pkey, @@ -528,7 +696,7 @@ CK_RV ssl_util_sig_verify(EVP_PKEY *pkey digest, digest_len, signature, signature_len); case EVP_PKEY_EC: - return do_sig_verify_ec(pkey, digest, digest_len, + return do_sig_verify_ec(pkey, md, digest, digest_len, signature, signature_len); default: LOGE("Unknown PKEY type, got: %d", type); @@ -567,3 +735,65 @@ CK_RV ssl_util_verify_recover(EVP_PKEY * EVP_PKEY_CTX_free(pkey_ctx); return rv; } + +twist ssl_util_hash_pass(const twist pin, const twist salt) { + + + twist out = NULL; + unsigned char md[SHA256_DIGEST_LENGTH]; + + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + if (!ctx) { + SSL_UTIL_LOGE("EVP_MD_CTX_new"); + return NULL; + } + + int rc = EVP_DigestInit(ctx, EVP_sha256()); + if (rc != 1) { + SSL_UTIL_LOGE("EVP_DigestInit"); + goto error; + } + + rc = EVP_DigestUpdate(ctx, pin, twist_len(pin)); + if (rc != 1) { + SSL_UTIL_LOGE("EVP_DigestUpdate"); + goto error; + } + + rc = EVP_DigestUpdate(ctx, salt, twist_len(salt)); + if (rc != 1) { + SSL_UTIL_LOGE("EVP_DigestUpdate"); + goto error; + } + + unsigned int len = sizeof(md); + rc = EVP_DigestFinal(ctx, md, &len); + if (rc != 1) { + SSL_UTIL_LOGE("EVP_DigestFinal"); + goto error; + } + + /* truncate the password to 32 characters */ + out = twist_hex_new((char *)md, sizeof(md)/2); + +error: + EVP_MD_CTX_free(ctx); + + return out; +} + +CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) { + + const unsigned char *p = ecparams->pValue; + + ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen); + if (!a) { + LOGE("Unknown CKA_EC_PARAMS value"); + return CKR_ATTRIBUTE_VALUE_INVALID; + } + + *nid = OBJ_obj2nid(a); + ASN1_OBJECT_free(a); + + return CKR_OK; +} Index: tpm2-pkcs11-1.6.0/src/lib/ssl_util.h =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/ssl_util.h +++ tpm2-pkcs11-1.6.0/src/lib/ssl_util.h @@ -11,8 +11,8 @@ #include "pkcs11.h" +#include "attrs.h" #include "log.h" -#include "object.h" #include "twist.h" #if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ @@ -22,6 +22,10 @@ #define LIB_TPM2_OPENSSL_OPENSSL_POST111 0x1010100f #endif +#if (OPENSSL_VERSION_NUMBER >= 0x30000000) /* OpenSSL 3.0.0 */ +#define LIB_TPM2_OPENSSL_OPENSSL_POST300 0x1010100f +#endif + /* OpenSSL Backwards Compat APIs */ #if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) #include <string.h> @@ -58,7 +62,7 @@ static inline void *OPENSSL_memdup(const #define SSL_UTIL_LOGE(m) LOGE("%s: %s", m, ERR_error_string(ERR_get_error(), NULL)); -CK_RV ssl_util_tobject_to_evp(EVP_PKEY **outpkey, tobject *obj); +CK_RV ssl_util_attrs_to_evp(attr_list *attrs, EVP_PKEY **outpkey); CK_RV ssl_util_encrypt(EVP_PKEY *pkey, int padding, twist label, const EVP_MD *md, @@ -82,4 +86,27 @@ CK_RV ssl_util_setup_evp_pkey_ctx(EVP_PK fn_EVP_PKEY_init init_fn, EVP_PKEY_CTX **outpkey_ctx); +CK_RV ssl_util_add_PKCS1_PSS(EVP_PKEY *pkey, + const CK_BYTE_PTR inbuf, const EVP_MD *md, + CK_BYTE_PTR outbuf); + +CK_RV ssl_util_add_PKCS1_TYPE_1(const CK_BYTE_PTR inbuf, CK_ULONG inlen, + CK_BYTE_PTR outbuf, CK_ULONG outbuflen); + +CK_RV ssl_util_check_PKCS1_TYPE_2(const CK_BYTE_PTR inbuf, CK_ULONG inlen, CK_ULONG rsa_len, + CK_BYTE_PTR outbuf, CK_ULONG_PTR outbuflen); + +twist ssl_util_hash_pass(const twist pin, const twist salt); + +/** + * Given an attribute of CKA_EC_PARAMS returns the nid value. + * @param ecparams + * The DER X9.62 parameters value + * @param nid + * The nid to set + * @return + * CKR_OK on success. + */ +CK_RV ssl_util_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid); + #endif /* SRC_LIB_SSL_UTIL_H_ */ Index: tpm2-pkcs11-1.6.0/src/lib/tpm.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/tpm.c +++ tpm2-pkcs11-1.6.0/src/lib/tpm.c @@ -2730,7 +2730,7 @@ static CK_RV handle_ecparams(CK_ATTRIBUT tpm_key_data *keydat = (tpm_key_data *)udata; int nid = 0; - CK_RV rv = ec_params_to_nid(attr, &nid); + CK_RV rv = ssl_util_params_to_nid(attr, &nid); if (rv != CKR_OK) { return rv; } @@ -3082,7 +3082,7 @@ static EC_POINT *tpm_pub_to_ossl_pub(EC_ goto out; } - int rc = EC_POINT_set_affine_coordinates_GFp(group, + int rc = EC_POINT_set_affine_coordinates(group, pub_key_point_tmp, bn_x, bn_y, @@ -4198,7 +4198,7 @@ CK_RV tpm_get_pss_sig_state(tpm_ctx *tct goto out; } - rv = ssl_util_tobject_to_evp(&pkey, tobj); + rv = ssl_util_attrs_to_evp(tobj->attrs, &pkey); if (rv != CKR_OK) { goto out; } Index: tpm2-pkcs11-1.6.0/src/lib/utils.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/utils.c +++ tpm2-pkcs11-1.6.0/src/lib/utils.c @@ -7,6 +7,7 @@ #include <openssl/sha.h> #include "log.h" +#include "ssl_util.h" #include "token.h" #include "utils.h" @@ -45,7 +46,7 @@ CK_RV utils_setup_new_object_auth(twist pin_to_use = newpin; } - *newauthhex = utils_hash_pass(pin_to_use, salt_to_use); + *newauthhex = ssl_util_hash_pass(pin_to_use, salt_to_use); if (!*newauthhex) { goto out; } @@ -328,22 +329,6 @@ out: } -twist utils_hash_pass(const twist pin, const twist salt) { - - - unsigned char md[SHA256_DIGEST_LENGTH]; - - SHA256_CTX sha256; - SHA256_Init(&sha256); - - SHA256_Update(&sha256, pin, twist_len(pin)); - SHA256_Update(&sha256, salt, twist_len(salt)); - SHA256_Final(md, &sha256); - - /* truncate the password to 32 characters */ - return twist_hex_new((char *)md, sizeof(md)/2); -} - size_t utils_get_halg_size(CK_MECHANISM_TYPE mttype) { switch(mttype) { @@ -438,22 +423,6 @@ CK_RV utils_ctx_wrap_objauth(twist wrapp return CKR_OK; } - -CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid) { - - const unsigned char *p = ecparams->pValue; - - ASN1_OBJECT *a = d2i_ASN1_OBJECT(NULL, &p, ecparams->ulValueLen); - if (!a) { - LOGE("Unknown CKA_EC_PARAMS value"); - return CKR_ATTRIBUTE_VALUE_INVALID; - } - - *nid = OBJ_obj2nid(a); - ASN1_OBJECT_free(a); - - return CKR_OK; -} CK_RV apply_pkcs7_pad(const CK_BYTE_PTR in, CK_ULONG inlen, CK_BYTE_PTR out, CK_ULONG_PTR outlen) { Index: tpm2-pkcs11-1.6.0/src/lib/utils.h =================================================================== --- tpm2-pkcs11-1.6.0.orig/src/lib/utils.h +++ tpm2-pkcs11-1.6.0/src/lib/utils.h @@ -44,8 +44,6 @@ static inline void str_padded_copy(CK_UT memcpy(dst, src, strnlen((char *)(src), dst_len)); } -twist utils_hash_pass(const twist pin, const twist salt); - twist aes256_gcm_decrypt(const twist key, const twist objauth); twist aes256_gcm_encrypt(twist keybin, twist plaintextbin); @@ -76,17 +74,6 @@ CK_RV utils_ctx_unwrap_objauth(twist wra CK_RV utils_ctx_wrap_objauth(twist wrappingkey, twist objauth, twist *wrapped_auth); /** - * Given an attribute of CKA_EC_PARAMS returns the nid value. - * @param ecparams - * The DER X9.62 parameters value - * @param nid - * The nid to set - * @return - * CKR_OK on success. - */ -CK_RV ec_params_to_nid(CK_ATTRIBUTE_PTR ecparams, int *nid); - -/** * Removes a PKCS7 padding on a 16 byte block. * @param in * The PKCS5 padded input. Index: tpm2-pkcs11-1.6.0/test/integration/pkcs-sign-verify.int.c =================================================================== --- tpm2-pkcs11-1.6.0.orig/test/integration/pkcs-sign-verify.int.c +++ tpm2-pkcs11-1.6.0/test/integration/pkcs-sign-verify.int.c @@ -888,70 +888,13 @@ static void test_double_sign_final_call_ assert_int_equal(rv, CKR_OK); } -static CK_ATTRIBUTE_PTR get_attr(CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) { - - CK_ULONG i; - for (i=0; i < attr_len; i++) { - CK_ATTRIBUTE_PTR a = &attrs[i]; - if (a->type == type) { - return a; - } - } - - return NULL; -} - -#if (OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) /* OpenSSL 1.1.0 */ -#define LIB_TPM2_OPENSSL_OPENSSL_PRE11 -#endif - -RSA *template_to_rsa_pub_key(CK_ATTRIBUTE_PTR attrs, CK_ULONG attr_len) { - - RSA *ssl_rsa_key = NULL; - BIGNUM *e = NULL, *n = NULL; - - /* get the exponent */ - CK_ATTRIBUTE_PTR a = get_attr(CKA_PUBLIC_EXPONENT, attrs, attr_len); - assert_non_null(a); - - e = BN_bin2bn((void*)a->pValue, a->ulValueLen, NULL); - assert_non_null(e); - - /* get the modulus */ - a = get_attr(CKA_MODULUS, attrs, attr_len); - assert_non_null(a); - - n = BN_bin2bn(a->pValue, a->ulValueLen, - NULL); - assert_non_null(n); - - ssl_rsa_key = RSA_new(); - assert_non_null(ssl_rsa_key); - -#if defined(LIB_TPM2_OPENSSL_OPENSSL_PRE11) - ssl_rsa_key->e = e; - ssl_rsa_key->n = n; -#else - int rc = RSA_set0_key(ssl_rsa_key, n, e, NULL); - assert_int_equal(rc, 1); -#endif - - return ssl_rsa_key; -} - -static void verify(RSA *pub, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) { - - EVP_PKEY *pkey = EVP_PKEY_new(); - assert_non_null(pkey); - - int rc = EVP_PKEY_set1_RSA(pkey, pub); - assert_int_equal(rc, 1); +static void verify(EVP_PKEY *pkey, CK_BYTE_PTR msg, CK_ULONG msg_len, CK_BYTE_PTR sig, CK_ULONG sig_len) { EVP_MD_CTX *ctx = EVP_MD_CTX_create(); const EVP_MD* md = EVP_get_digestbyname("SHA256"); assert_non_null(md); - rc = EVP_DigestInit_ex(ctx, md, NULL); + int rc = EVP_DigestInit_ex(ctx, md, NULL); assert_int_equal(rc, 1); rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey); @@ -963,7 +906,6 @@ static void verify(RSA *pub, CK_BYTE_PTR rc = EVP_DigestVerifyFinal(ctx, sig, sig_len); assert_int_equal(rc, 1); - EVP_PKEY_free(pkey); EVP_MD_CTX_destroy(ctx); } @@ -997,20 +939,38 @@ static void test_sign_verify_public(void assert_int_equal(siglen, 256); /* build an OSSL RSA key from parts */ - CK_BYTE _tmp_bufs[2][1024]; + CK_BYTE _tmp_bufs[3][1024]; CK_ATTRIBUTE attrs[] = { - { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] }, - { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[1] }, + { .type = CKA_KEY_TYPE, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[0] }, + { .type = CKA_PUBLIC_EXPONENT, .ulValueLen = sizeof(_tmp_bufs[0]), .pValue = &_tmp_bufs[1] }, + { .type = CKA_MODULUS, .ulValueLen = sizeof(_tmp_bufs[1]), .pValue = &_tmp_bufs[2] }, }; rv = C_GetAttributeValue(session, pub_handle, attrs, ARRAY_LEN(attrs)); assert_int_equal(rv, CKR_OK); - RSA *r = template_to_rsa_pub_key(attrs, ARRAY_LEN(attrs)); - assert_non_null(r); + CK_KEY_TYPE key_type = CKA_KEY_TYPE_BAD; + rv = attr_CK_KEY_TYPE(&attrs[0], &key_type); + assert_int_equal(rv, CKR_OK); + + EVP_PKEY *pkey = NULL; + attr_list *l = attr_list_new(); + + bool res = attr_list_add_int(l, CKA_KEY_TYPE, key_type); + assert_true(res); - verify(r, msg, sizeof(msg) - 1, sig, siglen); - RSA_free(r); + res = attr_list_add_buf(l, attrs[1].type, attrs[1].pValue, attrs[1].ulValueLen); + assert_true(res); + + res = attr_list_add_buf(l, attrs[2].type, attrs[2].pValue, attrs[2].ulValueLen); + assert_true(res); + + rv = ssl_util_attrs_to_evp(l, &pkey); + assert_int_equal(rv, CKR_OK); + attr_list_free(l); + + verify(pkey, msg, sizeof(msg) - 1, sig, siglen); + EVP_PKEY_free(pkey); } static void test_sign_verify_context_specific_good(void **state) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor