-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkcs11-tool: add GOSTR3410 keypair generation #997
Conversation
src/libopensc/pkcs15-pubkey.c
Outdated
@@ -1081,6 +1081,8 @@ sc_pkcs15_dup_pubkey(struct sc_context *ctx, struct sc_pkcs15_pubkey *key, struc | |||
pubkey->algorithm = key->algorithm; | |||
|
|||
if (key->alg_id) { | |||
if (key->algorithm == SC_ALGORITHM_GOSTR3410) | |||
key->alg_id->params = &(key->u.gostr3410.params); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please check whether we could improve initializing of the data structures instead?
src/pkcs11/framework-pkcs15.c
Outdated
keygen_args.prkey_args.key.algorithm = SC_ALGORITHM_GOSTR3410; | ||
pub_args.key.algorithm = SC_ALGORITHM_GOSTR3410; | ||
set_gost_params(&keygen_args.prkey_args.params.gost, &pub_args.params.gost, | ||
pPubTpl, ulPubCnt, pPrivTpl, ulPrivCnt); | ||
keybits = SC_PKCS15_GOSTR3410_KEYSIZE; | ||
memcpy(&keygen_args.prkey_args.key.u.gostr3410.params.key, kp, 8*sizeof(kp[0])); | ||
memcpy(&keygen_args.prkey_args.key.u.gostr3410.params.hash, hp, 8*sizeof(kp[0])); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
an int
is not guaranteed to have exactly 8 bytes.
src/tools/pkcs11-tool.c
Outdated
else if (!strcmp("B", p_param_set)) | ||
memcpy(gost_params, (CK_BYTE[]) {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x02}, PARAMS_SIZE); | ||
else if (!strcmp("C", p_param_set)) | ||
memcpy(gost_params, (CK_BYTE[]) {0x06, 0x07, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x23, 0x03}, PARAMS_SIZE); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't use magic values here; at least use a good name for them.
src/pkcs11/framework-pkcs15.c
Outdated
@@ -2741,11 +2741,17 @@ pkcs15_gen_keypair(struct sc_pkcs11_slot *slot, CK_MECHANISM_PTR pMechanism, | |||
goto kpgen_done; | |||
|
|||
if (keytype == CKK_GOSTR3410) { | |||
unsigned int kp[] = {1, 2, 643, 2, 2, 35, 1, (unsigned int)-1}; | |||
unsigned int hp[] = {1, 2, 643, 2, 2, 30, 1, (unsigned int)-1}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please use a better name for your OIDs.
Why are they needed on the PKCS#11 level?
Please also check the CI errors |
Thanks for the review! |
Thanks for the update, please have a look at the CI error. |
I already checked new CI errors and they seem to be internal:
|
src/libopensc/pkcs15.c
Outdated
@@ -856,6 +856,19 @@ sc_pkcs15_card_clear(struct sc_pkcs15_card *p15card) | |||
} | |||
|
|||
|
|||
int sc_copy_gost_params(struct sc_pkcs15_gost_parameters *dst, struct sc_pkcs15_gost_parameters *src) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why don't you move this implementation to src/pkcs15init/pkcs15-lib.c
, which is the only place where this is used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you are right. Moved it.
2c2ecf3
to
49d876b
Compare
@frankmorgner , I've made changes to the code you mentioned, can you please check it out? |
can you be more specific? CI errors were fixed with 49d876b, but I think you didn't look at the length check. |
@frankmorgner , I think i don't understand what you mean by "length check". I thought I've fixed all the code you asked in the series of commits (and the last commit also passes CI checks). |
src/pkcs11/framework-pkcs15.c
Outdated
if (second_params) | ||
second_params->gostr3410 = gostr3410_param_oid[i].param; | ||
for (param_index = 0; param_index < nn; ++param_index) { | ||
if (!memcmp(gost_params_oid_from_template, gostr3410_param_oid[param_index].encoded_oid, len)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you need to check len != (sizeof gostr3410_param_oid[param_index].encoded_oid)
.
src/pkcs11/framework-pkcs15.c
Outdated
return CKR_ATTRIBUTE_VALUE_INVALID; | ||
|
||
for (hash_index = 0; hash_index < nn; ++hash_index) { | ||
if (!memcmp(gost_hash_params_oid_from_template, gostr3410_hash_param_oid[hash_index].encoded_oid, len)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you need to check len != (sizeof gostr3410_param_oid[param_index].encoded_oid)
.
sorry, I just realized that the comments were pending and I never finished the review... |
1c3fa52
to
9eaad42
Compare
Hello
Recently I found out that pkcs11-tool cannot generate keypairs of mechanism GOSTR3410 (although this mechanism is shown as supported in
pkcs11-tool -M
). This mechanism is a standard mechanism specified by laws in some countries, so I think it is important to make it work properly in OpenSC.This commit finishes implementing GOSTR3410 keypair generation feature; now pairs can be generated just like they are with other mechanisms.
Example of keypair generation using native OpenSC pkcs15 framework:
Example of keypair generation using another pkcs module:
I believe this commit will be useful. Looking forward for reviews and comments.
Regards, Konstantin Persidskiy