pkcs11-tool: add GOSTR3410 keypair generation #997
Conversation
src/libopensc/pkcs15-pubkey.c
Outdated
| @@ -1081,6 +1081,8 @@ sc_pkcs15_dup_pubkey(struct sc_context *ctx, struct sc_pkcs15_pubkey *key, struc | |||
| pubkey->algorithm = key->algorithm; | |||
|
|
|||
| if (key->alg_id) { | |||
| if (key->algorithm == SC_ALGORITHM_GOSTR3410) | |||
| key->alg_id->params = &(key->u.gostr3410.params); | |||
There was a problem hiding this comment.
Could you please check whether we could improve initializing of the data structures instead?
src/pkcs11/framework-pkcs15.c
Outdated
| keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_GOSTR3410; | ||
| pub_args.key.algorithm = SC_ALGORITHM_GOSTR3410; | ||
| set_gost_params(&keygen_args.prkey_args.params.gost, &pub_args.params.gost, | ||
| pPubTpl, ulPubCnt, pPrivTpl, ulPrivCnt); | ||
| keybits = SC_PKCS15_GOSTR3410_KEYSIZE; | ||
| memcpy(&keygen_args.prkey_args.key.u.gostr3410.params.key, kp, 8*sizeof(kp[0])); | ||
| memcpy(&keygen_args.prkey_args.key.u.gostr3410.params.hash, hp, 8*sizeof(kp[0])); |
There was a problem hiding this comment.
an int is not guaranteed to have exactly 8 bytes.
src/tools/pkcs11-tool.c
Outdated
| else if (!strcmp("B", p_param_set)) | ||
| memcpy(gost_params, (CK_BYTE[]) {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x02}, PARAMS_SIZE); | ||
| else if (!strcmp("C", p_param_set)) | ||
| memcpy(gost_params, (CK_BYTE[]) {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x03}, PARAMS_SIZE); |
There was a problem hiding this comment.
Please don't use magic values here; at least use a good name for them.
src/pkcs11/framework-pkcs15.c
Outdated
| @@ -2741,11 +2741,17 @@ pkcs15_gen_keypair(struct sc_pkcs11_slot *slot, CK_MECHANISM_PTR pMechanism, | |||
| goto kpgen_done; | |||
|
|
|||
| if (keytype == CKK_GOSTR3410) { | |||
| unsigned int kp[] = {1, 2, 643, 2, 2, 35, 1, (unsigned int)-1}; | |||
| unsigned int hp[] = {1, 2, 643, 2, 2, 30, 1, (unsigned int)-1}; | |||
There was a problem hiding this comment.
please use a better name for your OIDs.
Why are they needed on the PKCS#11 level?
|
Please also check the CI errors |
|
Thanks for the review! |
|
Thanks for the update, please have a look at the CI error. |
|
I already checked new CI errors and they seem to be internal:
|
src/libopensc/pkcs15.c
Outdated
| @@ -856,6 +856,19 @@ sc_pkcs15_card_clear(struct sc_pkcs15_card *p15card) | |||
| } | |||
|
|
|||
|
|
|||
| int sc_copy_gost_params(struct sc_pkcs15_gost_parameters *dst, struct sc_pkcs15_gost_parameters *src) | |||
There was a problem hiding this comment.
Why don't you move this implementation to src/pkcs15init/pkcs15-lib.c, which is the only place where this is used?
There was a problem hiding this comment.
Yes, you are right. Moved it.
konstantinpersidskiy
force-pushed
the
gostr3410_genkeypair
branch
from
2c2ecf3
to
49d876b
Compare
|
@frankmorgner , I've made changes to the code you mentioned, can you please check it out? |
|
can you be more specific? CI errors were fixed with 49d876b, but I think you didn't look at the length check. |
|
@frankmorgner , I think i don't understand what you mean by "length check". I thought I've fixed all the code you asked in the series of commits (and the last commit also passes CI checks). |
src/pkcs11/framework-pkcs15.c
Outdated
| if (second_params) | ||
| second_params->gostr3410 = gostr3410_param_oid[i].param; | ||
| for (param_index = 0; param_index < nn; ++param_index) { | ||
| if (!memcmp(gost_params_oid_from_template, gostr3410_param_oid[param_index].encoded_oid, len)) |
There was a problem hiding this comment.
I think you need to check len != (sizeof gostr3410_param_oid[param_index].encoded_oid).
src/pkcs11/framework-pkcs15.c
Outdated
| return CKR_ATTRIBUTE_VALUE_INVALID; | ||
|
|
||
| for (hash_index = 0; hash_index < nn; ++hash_index) { | ||
| if (!memcmp(gost_hash_params_oid_from_template, gostr3410_hash_param_oid[hash_index].encoded_oid, len)) |
There was a problem hiding this comment.
I think you need to check len != (sizeof gostr3410_param_oid[param_index].encoded_oid).
|
sorry, I just realized that the comments were pending and I never finished the review... |
konstantinpersidskiy
force-pushed
the
gostr3410_genkeypair
branch
from
1c3fa52
to
9eaad42
Compare
Hello
Recently I found out that pkcs11-tool cannot generate keypairs of mechanism GOSTR3410 (although this mechanism is shown as supported in
pkcs11-tool -M). This mechanism is a standard mechanism specified by laws in some countries, so I think it is important to make it work properly in OpenSC.This commit finishes implementing GOSTR3410 keypair generation feature; now pairs can be generated just like they are with other mechanisms.
Example of keypair generation using native OpenSC pkcs15 framework:
Example of keypair generation using another pkcs module:
I believe this commit will be useful. Looking forward for reviews and comments.
Regards, Konstantin Persidskiy