From deb6ed705086b2d9f8b9623e79c1cde42d56e883 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Tue, 20 Nov 2018 15:14:43 +0100 Subject: [PATCH] Unbreak signautures and verifications with RSA-PSS --- opensc-0.19.0-rsa-pss.patch | 77 +++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/opensc-0.19.0-rsa-pss.patch b/opensc-0.19.0-rsa-pss.patch index f1439d7..0854dfe 100644 --- a/opensc-0.19.0-rsa-pss.patch +++ b/opensc-0.19.0-rsa-pss.patch @@ -2179,3 +2179,80 @@ index 75c92b651..f0e2263b8 100644 } /* this is no longer part of the MGF1, but actually +From e5d8395a7b8e5d6d1493d893c31fac321f45433a Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 20 Nov 2018 09:29:53 +0100 +Subject: [PATCH] pkcs11-tool: Unbreak signature and verification in + pkcs11-tool + +--- + src/tools/pkcs11-tool.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index df4a0ef3..ff1c00ac 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -1758,6 +1758,9 @@ parse_pss_params(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key, + pss_params->hashAlg = CKM_SHA512; + pss_params->mgf = CKG_MGF1_SHA512; + break; ++ ++ default: /* The non-RSA-PSS algorithms do not need any parameters */ ++ return 0; + } + + /* One of RSA-PSS mechanisms above: They need parameters */ +@@ -1820,8 +1823,6 @@ static void sign_data(CK_SLOT_ID slot, CK_SESSION_HANDLE session, + memset(&mech, 0, sizeof(mech)); + mech.mechanism = opt_mechanism; + hashlen = parse_pss_params(session, key, &mech, &pss_params); +- if (hashlen == 0) +- util_fatal("Invalid RSA-PSS parameters"); + + if (opt_input == NULL) + fd = 0; +@@ -1832,11 +1833,10 @@ static void sign_data(CK_SLOT_ID slot, CK_SESSION_HANDLE session, + if (r < 0) + util_fatal("Cannot read from %s: %m", opt_input); + +- if (opt_mechanism == CKM_RSA_PKCS_PSS) { +- if ((unsigned long)r != hashlen) +- util_fatal("For %s mechanism, message size (got %d bytes) " +- "must be equal to specified digest length (%lu)\n", +- p11_mechanism_to_name(opt_mechanism), r, hashlen); ++ if (opt_mechanism == CKM_RSA_PKCS_PSS && (unsigned long)r != hashlen) { ++ util_fatal("For %s mechanism, message size (got %d bytes) " ++ "must be equal to specified digest length (%lu)\n", ++ p11_mechanism_to_name(opt_mechanism), r, hashlen); + } + + rv = CKR_CANCEL; +@@ -1927,8 +1927,6 @@ static void verify_signature(CK_SLOT_ID slot, CK_SESSION_HANDLE session, + memset(&mech, 0, sizeof(mech)); + mech.mechanism = opt_mechanism; + hashlen = parse_pss_params(session, key, &mech, &pss_params); +- if (hashlen == 0) +- util_fatal("Invalid RSA-PSS parameters"); + + /* Open a signature file */ + if (opt_signature_file == NULL) +@@ -1952,11 +1950,10 @@ static void verify_signature(CK_SLOT_ID slot, CK_SESSION_HANDLE session, + if (r < 0) + util_fatal("Cannot read from %s: %m", opt_input); + +- if (opt_mechanism == CKM_RSA_PKCS_PSS) { +- if ((unsigned long)r != hashlen) +- util_fatal("For %s mechanism, message size (got %d bytes)" +- " must be equal to specified digest length (%lu)\n", +- p11_mechanism_to_name(opt_mechanism), r, hashlen); ++ if (opt_mechanism == CKM_RSA_PKCS_PSS && (unsigned long)r != hashlen) { ++ util_fatal("For %s mechanism, message size (got %d bytes)" ++ " must be equal to specified digest length (%lu)\n", ++ p11_mechanism_to_name(opt_mechanism), r, hashlen); + } + + rv = CKR_CANCEL; +-- +2.19.1 +