Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable RSA-PSS signatures in pkcs11-tool #1146

Merged
merged 20 commits into from
Sep 21, 2017
Merged

Enable RSA-PSS signatures in pkcs11-tool #1146

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
a7a4e6c
Add missing SHA224 RSA algorithms
Jakuje Sep 6, 2017
811a6b9
Fix wrong replacement in pkcs11-tool manual page
Jakuje Sep 6, 2017
6d37b6c
Add MGF and PSS_PARAMS definitions in PKCS#11 header file
Jakuje Sep 6, 2017
89309a5
Inspect PSS signature parameters in pkcs11-spy
Jakuje Sep 6, 2017
1efb774
Enable RSA-PSS signatures in pkcs11-tool
Jakuje Sep 6, 2017
c2d8ee5
Added short names to RSA-PSS methods
Sep 7, 2017
ec8dd42
Change RSA-PSS salt length default to OpenSSL-compatible, aka digest …
Sep 7, 2017
aaecfdb
Fixed hashAlg but in pkcs11-tool for RSA-PSS
Sep 7, 2017
da9bae0
CHanged opt_salt to salt_len
mouse07410 Sep 8, 2017
7513ec2
Fixed type of salt length from unsigned long to long
mouse07410 Sep 9, 2017
cedbd3e
RSA-PSS: made sure special values for salt length from OpenSSL ("-1" …
mouse07410 Sep 9, 2017
0b7e5f0
Refactored dealing with salt length, and added input check
mouse07410 Sep 10, 2017
f2f53c1
Fix introduced incompatibility with C90 standard (declaration of vari…
mouse07410 Sep 11, 2017
ebd3ca2
Whitespace cleanup of mouse07410 commits
Jakuje Sep 11, 2017
55f0616
Add SHA-224 hash algorithm for RSA-PSS
Jakuje Sep 11, 2017
15659fb
Do not fallback to zero-length salt on unknown hash algorithms
Jakuje Sep 11, 2017
375e1c2
Add SHA224 definitions in pkcs11.h (for completenes)
Jakuje Sep 11, 2017
4450c2c
Reintroduce portable NORETURN indication for functions and use it to …
Jakuje Sep 13, 2017
e870706
Use default SHA-1 mechanisms, use --salt-len, improve wording of docu…
Jakuje Sep 15, 2017
63ae2f9
Check the mechanism type before dereferencing generic parameter
Jakuje Sep 18, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 31 additions & 1 deletion doc/tools/pkcs11-tool.1.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,14 @@
<listitem><para>Hash some data.</para></listitem>
</varlistentry>

<varlistentry>
<term>
<option>--hash-algorithm</option> <replaceable>mechanism</replaceable>
</term>
<listitem><para>Specify hash algorithm used with
RSA-PKCS-PSS signature. Default is SHA-1.</para></listitem>
</varlistentry>

<varlistentry>
<term>
<option>--id</option> <replaceable>id</replaceable>,
Expand Down Expand Up @@ -116,7 +124,7 @@

<varlistentry>
<term>
<option>--key-type</option> <replacement>specification</replacement>
<option>--key-type</option> <replaceable>specification</replaceable>
</term>
<listitem><para>Specify the type and length of the key to create, for example rsa:1024 or EC:prime256v1.</para></listitem>
</varlistentry>
Expand Down Expand Up @@ -212,6 +220,17 @@
of mechanisms supported by your token.</para></listitem>
</varlistentry>

<varlistentry>
<term>
<option>--mgf</option> <replaceable>function</replaceable>
</term>
<listitem><para>Use the specified Message Generation
Function (MGF) <replaceable>function</replaceable>
for RSA-PSS signatures. Supported arguments are MGF1-SHA1
to MGF1-SHA512 if supported by the driver.
The default is based on the hash selection.</para></listitem>
</varlistentry>

<varlistentry>
<term>
<option>--module</option> <replaceable>mod</replaceable>
Expand Down Expand Up @@ -309,6 +328,17 @@
<listitem><para>Derive a secret key using another key and some data.</para></listitem>
</varlistentry>

<varlistentry>
<term>
<option>--salt-len</option> <replaceable>bytes</replaceable>
</term>
<listitem><para>Specify how many bytes of salt should
be used in RSA-PSS signatures. Accepts two special values:
"-1" means salt length equals to digest length,
"-2" means use maximum permissible length.
Default is digest length (-1).</para></listitem>
</varlistentry>

<varlistentry>
<term>
<option>--slot</option> <replaceable>id</replaceable>
Expand Down
9 changes: 9 additions & 0 deletions src/pkcs11/pkcs11-display.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -521,6 +521,14 @@ static enum_specs ck_mec_s[] = {
{ CKM_VENDOR_DEFINED , "CKM_VENDOR_DEFINED " }
};

static enum_specs ck_mgf_s[] = {
{ CKG_MGF1_SHA1 , "CKG_MGF1_SHA1 " },
{ CKG_MGF1_SHA224, "CKG_MGF1_SHA224" },
{ CKG_MGF1_SHA256, "CKG_MGF1_SHA256" },
{ CKG_MGF1_SHA384, "CKG_MGF1_SHA384" },
{ CKG_MGF1_SHA512, "CKG_MGF1_SHA512" },
};

static enum_specs ck_err_s[] = {
{ CKR_OK, "CKR_OK" },
{ CKR_CANCEL, "CKR_CANCEL" },
Expand Down Expand Up @@ -630,6 +638,7 @@ enum_spec ck_types[] = {
{ KEY_T, ck_key_s, sizeof(ck_key_s) / SZ_SPECS, "CK_KEY_TYPE" },
{ CRT_T, ck_crt_s, sizeof(ck_crt_s) / SZ_SPECS, "CK_CERTIFICATE_TYPE" },
{ MEC_T, ck_mec_s, sizeof(ck_mec_s) / SZ_SPECS, "CK_MECHANISM_TYPE" },
{ MGF_T, ck_mgf_s, sizeof(ck_mgf_s) / SZ_SPECS, "CK_RSA_PKCS_MGF_TYPE"},
{ USR_T, ck_usr_s, sizeof(ck_usr_s) / SZ_SPECS, "CK_USER_TYPE" },
{ STA_T, ck_sta_s, sizeof(ck_sta_s) / SZ_SPECS, "CK_STATE" },
{ RV_T, ck_err_s, sizeof(ck_err_s) / SZ_SPECS, "CK_RV" },
Expand Down
1 change: 1 addition & 0 deletions src/pkcs11/pkcs11-display.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ enum ck_type{
KEY_T,
CRT_T,
MEC_T,
MGF_T,
USR_T,
STA_T,
RV_T
Expand Down
18 changes: 18 additions & 0 deletions src/pkcs11/pkcs11-spy.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -969,6 +969,24 @@ C_SignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HA
enter("C_SignInit");
spy_dump_ulong_in("hSession", hSession);
fprintf(spy_output, "pMechanism->type=%s\n", lookup_enum(MEC_T, pMechanism->mechanism));
switch (pMechanism->mechanism) {
case CKM_RSA_PKCS_PSS:
case CKM_SHA1_RSA_PKCS_PSS:
case CKM_SHA256_RSA_PKCS_PSS:
case CKM_SHA384_RSA_PKCS_PSS:
case CKM_SHA512_RSA_PKCS_PSS:
if (pMechanism->pParameter != NULL) {
CK_RSA_PKCS_PSS_PARAMS *param =
(CK_RSA_PKCS_PSS_PARAMS *) pMechanism->pParameter;
fprintf(spy_output, "pMechanism->pParameter->hashAlg=%s\n",
lookup_enum(MEC_T, param->hashAlg));
fprintf(spy_output, "pMechanism->pParameter->mgf=%s\n",
lookup_enum(MGF_T, param->mgf));
fprintf(spy_output, "pMechanism->pParameter->sLen=%lu\n",
param->sLen);
}
break;
}
spy_dump_ulong_in("hKey", hKey);
rv = po->C_SignInit(hSession, pMechanism, hKey);
return retne(rv);
Expand Down
24 changes: 24 additions & 0 deletions src/pkcs11/pkcs11.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,8 @@ extern "C" {

#define ck_mechanism_type_t CK_MECHANISM_TYPE

#define ck_rsa_pkcs_mgf_type_t CK_RSA_PKCS_MGF_TYPE

#define ck_mechanism _CK_MECHANISM
#define parameter pParameter
#define parameter_len ulParameterLen
Expand Down Expand Up @@ -478,6 +480,8 @@ struct ck_date

typedef unsigned long ck_mechanism_type_t;

typedef unsigned long int ck_rsa_pkcs_mgf_type_t;

#define CKM_RSA_PKCS_KEY_PAIR_GEN (0UL)
#define CKM_RSA_PKCS (1UL)
#define CKM_RSA_9796 (2UL)
Expand Down Expand Up @@ -508,6 +512,8 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_SHA256_RSA_PKCS_PSS (0x43UL)
#define CKM_SHA384_RSA_PKCS_PSS (0x44UL)
#define CKM_SHA512_RSA_PKCS_PSS (0x45UL)
#define CKM_SHA224_RSA_PKCS (0x46UL)
#define CKM_SHA224_RSA_PKCS_PSS (0x47UL)
#define CKM_RC2_KEY_GEN (0x100UL)
#define CKM_RC2_ECB (0x101UL)
#define CKM_RC2_CBC (0x102UL)
Expand Down Expand Up @@ -553,6 +559,9 @@ typedef unsigned long ck_mechanism_type_t;
#define CKM_SHA256 (0x250UL)
#define CKM_SHA256_HMAC (0x251UL)
#define CKM_SHA256_HMAC_GENERAL (0x252UL)
#define CKM_SHA224 (0x255UL)
#define CKM_SHA224_HMAC (0x256UL)
#define CKM_SHA224_HMAC_GENERAL (0x257UL)
#define CKM_SHA384 (0x260UL)
#define CKM_SHA384_HMAC (0x261UL)
#define CKM_SHA384_HMAC_GENERAL (0x262UL)
Expand Down Expand Up @@ -755,6 +764,17 @@ typedef struct CK_ECDH1_DERIVE_PARAMS {
unsigned char * pPublicData;
} CK_ECDH1_DERIVE_PARAMS;

typedef struct CK_RSA_PKCS_PSS_PARAMS {
ck_mechanism_type_t hashAlg;
unsigned long mgf;
unsigned long sLen;
} CK_RSA_PKCS_PSS_PARAMS;

#define CKG_MGF1_SHA1 (0x00000001UL)
#define CKG_MGF1_SHA224 (0x00000005UL)
#define CKG_MGF1_SHA256 (0x00000002UL)
#define CKG_MGF1_SHA384 (0x00000003UL)
#define CKG_MGF1_SHA512 (0x00000004UL)

typedef unsigned long ck_rv_t;

Expand Down Expand Up @@ -1292,6 +1312,8 @@ typedef struct ck_date *CK_DATE_PTR;

typedef ck_mechanism_type_t *CK_MECHANISM_TYPE_PTR;

typedef ck_rsa_pkcs_mgf_type_t *CK_RSA_PKCS_MGF_TYPE_PTR;

typedef struct ck_mechanism CK_MECHANISM;
typedef struct ck_mechanism *CK_MECHANISM_PTR;

Expand Down Expand Up @@ -1362,6 +1384,8 @@ typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;

#undef ck_mechanism_type_t

#undef ck_rsa_pkcs_mgf_type_t

#undef ck_mechanism
#undef parameter
#undef parameter_len
Expand Down
Loading