SafeNet HSM: Write EC public key fails using OCTET STRING contents instead of full OCTET STRING DER #1285
Comments
The object is created if we use the full OCTET STRING (with TAG and LENGTH). Manually creating the object using PKCS#11, the following hex string (OCTET STRING contents) fails:
but adding the ASN.1 TAG and LENGTH works
Ok - so not really a bug. CentOS packaging does not define EC_POINT_NO_ASN1_OCTET_STRING, so it sends the content bytes instead of the full DER bytes. The part that affects SafeNet is in pkcs11-tool.c:2204:
Problem Description
pkcs11-tool --write of an EC public key fails because it uses the content bytes of the ECPoint OCTET STRING instead of the ASN.1 DER encoding of the OCTET STRING (two bytes longer).
This is with SafeNet HSM libCryptoki2_64.so; not sure who has interpreted the standard correctly here.
Proposed Resolution
ECPoint is OCTET STRING so does that mean we use the content octets or the full ASN.1 encoding?
Instead of using the content bytes of EC_POINT, use the full ASN.1 DER encoding, including TAG and LENGTH.
Steps to reproduce
public.zip
Logs
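The two encodings this issue contrasts, as an added C example that is not code from the issue or from OpenSC: it classifies an uncompressed `CKA_EC_POINT` value as raw content bytes or a full DER OCTET STRING, and wraps the raw form. The function names are hypothetical and the caller is assumed to know the curve's coordinate size; the example also covers points of 128 bytes or more (P-521), where the DER header is three bytes rather than two.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum ec_point_form { EC_POINT_INVALID = 0, EC_POINT_RAW, EC_POINT_DER };

/* Header length (tag + length octets) of a DER OCTET STRING holding n bytes.
 * Returns 0 when n is outside 1..255, which covers every named-curve point. */
static size_t der_hdr_len(size_t n)
{
    if (n == 0 || n > 0xFF) return 0;
    return n < 0x80 ? 2 : 3;      /* short form, or long form 0x81 nn */
}

/* Classify an uncompressed CKA_EC_POINT value; field_len is the coordinate size. */
enum ec_point_form ec_point_classify(const unsigned char *buf, size_t len, size_t field_len)
{
    size_t raw_len, hdr;

    if (buf == NULL || field_len == 0 || field_len > 127) return EC_POINT_INVALID;
    raw_len = 1 + 2 * field_len;  /* 0x04 || X || Y */
    hdr = der_hdr_len(raw_len);
    if (len == raw_len && buf[0] == 0x04) return EC_POINT_RAW;
    if (len != hdr + raw_len || buf[0] != 0x04) return EC_POINT_INVALID;
    if (hdr == 2 && (size_t)buf[1] != raw_len) return EC_POINT_INVALID;
    if (hdr == 3 && (buf[1] != 0x81 || (size_t)buf[2] != raw_len)) return EC_POINT_INVALID;
    return buf[hdr] == 0x04 ? EC_POINT_DER : EC_POINT_INVALID;
}

/* Prepend the OCTET STRING tag and length; returns bytes written, 0 on error. */
size_t ec_point_wrap_der(const unsigned char *pt, size_t pt_len, unsigned char *out, size_t out_cap)
{
    size_t hdr = der_hdr_len(pt_len);

    if (pt == NULL || out == NULL || hdr == 0 || out_cap < hdr + pt_len) return 0;
    out[0] = 0x04;                          /* OCTET STRING tag */
    if (hdr == 3) out[1] = 0x81;            /* long form: one length octet follows */
    out[hdr - 1] = (unsigned char)pt_len;
    memcpy(out + hdr, pt, pt_len);
    return hdr + pt_len;
}

int main(void)
{
    unsigned char raw[65] = { 0x04 }, der[68];   /* constructed P-256-sized point */
    printf("%zu\n", ec_point_wrap_der(raw, sizeof raw, der, sizeof der));
    return 0;
}
```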