rpms/softhsm
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Updated to latest upstream release

Browse Source
This commit is contained in:
Simo Sorce 2018-10-29 11:09:40 -04:00
parent 07855fe38d
commit 9d2db655b8
5 changed files with 7 additions and 545 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -16,3 +16,4 @@
/softhsm-2.3.0.tar.gz.sig
/softhsm-2.4.0.tar.gz
/softhsm-2.4.0.tar.gz.sig
/softhsm-2.5.0.tar.gz

72
softhsm-2.3.0-reset-mutex-callbacks.patch
View File

@ -1,72 +0,0 @@
From 16f994e7944a917fa81c8db11c56c594f4e78b40 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 31 Jul 2018 14:59:03 +0300
Subject: [PATCH] Reset mutex callbacks to the default version when finished
If a PKCS11 API caller provided own mutex handling callbacks,
we need to ensure they aren't used after C_Finalize is called
and SoftHSM instance is recycled.
Inability to do so may lead to a situation where callbacks might
be provided by a different dynamically loaded object which is removed
after C_Finalize() call. Thus, callback pointers become invalid and
calling them leads to crashes.
Fixes: https://github.com/opendnssec/SoftHSMv2/issues/408
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/lib/SoftHSM.cpp | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
index ee94d3f..e4cc044 100644
--- a/src/lib/SoftHSM.cpp
+++ b/src/lib/SoftHSM.cpp
@@ -314,6 +314,15 @@ static CK_ATTRIBUTE bsAttribute(CK_ATTRIBUTE_TYPE type, const ByteString &value)
/*****************************************************************************
Implementation of SoftHSM class specific functions
*****************************************************************************/
+static void resetMutexFactoryCallbacks()
+{
+ // Reset MutexFactory callbacks to our versions
+ MutexFactory::i()->setCreateMutex(OSCreateMutex);
+ MutexFactory::i()->setDestroyMutex(OSDestroyMutex);
+ MutexFactory::i()->setLockMutex(OSLockMutex);
+ MutexFactory::i()->setUnlockMutex(OSUnlockMutex);
+}
+
// Return the one-and-only instance
SoftHSM* SoftHSM::i()
@@ -342,6 +351,7 @@ SoftHSM::SoftHSM()
slotManager = NULL;
sessionManager = NULL;
handleManager = NULL;
+ resetMutexFactoryCallbacks();
}
// Destructor
@@ -352,6 +362,7 @@ SoftHSM::~SoftHSM()
if (slotManager != NULL) delete slotManager;
if (objectStore != NULL) delete objectStore;
if (sessionObjectStore != NULL) delete sessionObjectStore;
+ resetMutexFactoryCallbacks();
}
/*****************************************************************************
@@ -402,10 +413,7 @@ CK_RV SoftHSM::C_Initialize(CK_VOID_PTR pInitArgs)
if (args->flags & CKF_OS_LOCKING_OK)
{
// Use our own mutex functions.
- MutexFactory::i()->setCreateMutex(OSCreateMutex);
- MutexFactory::i()->setDestroyMutex(OSDestroyMutex);
- MutexFactory::i()->setLockMutex(OSLockMutex);
- MutexFactory::i()->setUnlockMutex(OSUnlockMutex);
+ resetMutexFactoryCallbacks();
MutexFactory::i()->enable();
}
else
--
2.17.1

465
softhsm-2.3.0-rsa-pss.patch
View File

@ -1,465 +0,0 @@
From e12d04b256f1c856003ae88c5c3bfe07ce332fa7 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 24 Jul 2017 13:52:59 +0200
Subject: [PATCH] Added support for CKM_RSA_PKCS_PSS
This mechanism is the most likely to be used by higher level
software utilizing RSA-PSS as it is in par with CKM_RSA_PKCS
and does not require to provide the whole data to be hashed.
---
src/lib/SoftHSM.cpp | 112 +++++++++++++++++++++
src/lib/crypto/AsymmetricAlgorithm.h | 1 +
src/lib/crypto/OSSLRSA.cpp | 190 +++++++++++++++++++++++++++++++++++
src/lib/test/SignVerifyTests.cpp | 47 +++++++++
src/lib/test/SignVerifyTests.h | 1 +
5 files changed, 351 insertions(+)
diff --git a/src/lib/SoftHSM.cpp b/src/lib/SoftHSM.cpp
index ee94d3f7..f2a8f594 100644
--- a/src/lib/SoftHSM.cpp
+++ b/src/lib/SoftHSM.cpp
@@ -640,6 +640,10 @@ CK_RV SoftHSM::C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMech
#ifdef HAVE_AES_KEY_WRAP_PAD
nrSupportedMechanisms += 1;
#endif
+#ifdef WITH_OPENSSL
+ nrSupportedMechanisms += 1; // CKM_RSA_PKCS_PSS
+#endif
+
CK_MECHANISM_TYPE supportedMechanisms[] =
{
#ifndef WITH_FIPS
@@ -670,6 +674,9 @@ CK_RV SoftHSM::C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMech
CKM_SHA256_RSA_PKCS,
CKM_SHA384_RSA_PKCS,
CKM_SHA512_RSA_PKCS,
+#ifdef WITH_OPENSSL
+ CKM_RSA_PKCS_PSS,
+#endif
CKM_SHA1_RSA_PKCS_PSS,
CKM_SHA224_RSA_PKCS_PSS,
CKM_SHA256_RSA_PKCS_PSS,
@@ -924,6 +931,9 @@ CK_RV SoftHSM::C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
+#ifdef WITH_OPENSSL
+ case CKM_RSA_PKCS_PSS:
+#endif
case CKM_SHA1_RSA_PKCS_PSS:
case CKM_SHA224_RSA_PKCS_PSS:
case CKM_SHA256_RSA_PKCS_PSS:
@@ -3749,6 +3759,58 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
bAllowMultiPartOp = true;
isRSA = true;
break;
+ case CKM_RSA_PKCS_PSS:
+ if (pMechanism->pParameter == NULL_PTR ||
+ pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS))
+ {
+ ERROR_MSG("Invalid RSA-PSS parameters");
+ return CKR_ARGUMENTS_BAD;
+ }
+ mechanism = AsymMech::RSA_PKCS_PSS;
+ unsigned long allowedMgf;
+
+ switch(CK_RSA_PKCS_PSS_PARAMS_PTR(pMechanism->pParameter)->hashAlg) {
+ case CKM_SHA_1:
+ pssParam.hashAlg = HashAlgo::SHA1;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA1;
+ allowedMgf = CKG_MGF1_SHA1;
+ break;
+ case CKM_SHA224:
+ pssParam.hashAlg = HashAlgo::SHA224;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA224;
+ allowedMgf = CKG_MGF1_SHA224;
+ break;
+ case CKM_SHA256:
+ pssParam.hashAlg = HashAlgo::SHA256;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA256;
+ allowedMgf = CKG_MGF1_SHA256;
+ break;
+ case CKM_SHA384:
+ pssParam.hashAlg = HashAlgo::SHA384;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA384;
+ allowedMgf = CKG_MGF1_SHA384;
+ break;
+ case CKM_SHA512:
+ pssParam.hashAlg = HashAlgo::SHA512;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA512;
+ allowedMgf = CKG_MGF1_SHA512;
+ break;
+ default:
+ ERROR_MSG("Invalid RSA-PSS hash");
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ if (CK_RSA_PKCS_PSS_PARAMS_PTR(pMechanism->pParameter)->mgf != allowedMgf) {
+ ERROR_MSG("Hash and MGF don't match");
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ pssParam.sLen = CK_RSA_PKCS_PSS_PARAMS_PTR(pMechanism->pParameter)->sLen;
+ param = &pssParam;
+ paramLen = sizeof(pssParam);
+ bAllowMultiPartOp = false;
+ isRSA = true;
+ break;
case CKM_SHA1_RSA_PKCS_PSS:
if (pMechanism->pParameter == NULL_PTR ||
pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
@@ -4593,6 +4655,56 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
bAllowMultiPartOp = true;
isRSA = true;
break;
+ case CKM_RSA_PKCS_PSS:
+ if (pMechanism->pParameter == NULL_PTR ||
+ pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS))
+ {
+ ERROR_MSG("Invalid parameters");
+ return CKR_ARGUMENTS_BAD;
+ }
+ mechanism = AsymMech::RSA_PKCS_PSS;
+
+ unsigned long expectedMgf;
+ switch(CK_RSA_PKCS_PSS_PARAMS_PTR(pMechanism->pParameter)->hashAlg) {
+ case CKM_SHA_1:
+ pssParam.hashAlg = HashAlgo::SHA1;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA1;
+ expectedMgf = CKG_MGF1_SHA1;
+ break;
+ case CKM_SHA224:
+ pssParam.hashAlg = HashAlgo::SHA224;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA224;
+ expectedMgf = CKG_MGF1_SHA224;
+ break;
+ case CKM_SHA256:
+ pssParam.hashAlg = HashAlgo::SHA256;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA256;
+ expectedMgf = CKG_MGF1_SHA256;
+ break;
+ case CKM_SHA384:
+ pssParam.hashAlg = HashAlgo::SHA384;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA384;
+ expectedMgf = CKG_MGF1_SHA384;
+ break;
+ case CKM_SHA512:
+ pssParam.hashAlg = HashAlgo::SHA512;
+ pssParam.mgf = AsymRSAMGF::MGF1_SHA512;
+ expectedMgf = CKG_MGF1_SHA512;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ if (CK_RSA_PKCS_PSS_PARAMS_PTR(pMechanism->pParameter)->mgf != expectedMgf) {
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ pssParam.sLen = CK_RSA_PKCS_PSS_PARAMS_PTR(pMechanism->pParameter)->sLen;
+ param = &pssParam;
+ paramLen = sizeof(pssParam);
+ bAllowMultiPartOp = false;
+ isRSA = true;
+ break;
case CKM_SHA1_RSA_PKCS_PSS:
if (pMechanism->pParameter == NULL_PTR ||
pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
diff --git a/src/lib/crypto/AsymmetricAlgorithm.h b/src/lib/crypto/AsymmetricAlgorithm.h
index 54ac78d5..ca0d8400 100644
--- a/src/lib/crypto/AsymmetricAlgorithm.h
+++ b/src/lib/crypto/AsymmetricAlgorithm.h
@@ -70,6 +70,7 @@ struct AsymMech
RSA_SHA256_PKCS,
RSA_SHA384_PKCS,
RSA_SHA512_PKCS,
+ RSA_PKCS_PSS,
RSA_SHA1_PKCS_PSS,
RSA_SHA224_PKCS_PSS,
RSA_SHA256_PKCS_PSS,
diff --git a/src/lib/crypto/OSSLRSA.cpp b/src/lib/crypto/OSSLRSA.cpp
index 91b6466c..1e5638a0 100644
--- a/src/lib/crypto/OSSLRSA.cpp
+++ b/src/lib/crypto/OSSLRSA.cpp
@@ -121,6 +121,112 @@ bool OSSLRSA::sign(PrivateKey* privateKey, const ByteString& dataToSign,
return true;
}
+ else if (mechanism == AsymMech::RSA_PKCS_PSS)
+ {
+ const RSA_PKCS_PSS_PARAMS *pssParam = (RSA_PKCS_PSS_PARAMS*)param;
+
+ // Separate implementation for RSA PKCS #1 signing without hash computation
+
+ // Check if the private key is the right type
+ if (!privateKey->isOfType(OSSLRSAPrivateKey::type))
+ {
+ ERROR_MSG("Invalid key type supplied");
+
+ return false;
+ }
+
+ if (pssParam == NULL || paramLen != sizeof(RSA_PKCS_PSS_PARAMS))
+ {
+ ERROR_MSG("Invalid parameters supplied");
+
+ return false;
+ }
+
+ size_t allowedLen;
+ const EVP_MD* hash = NULL;
+
+ switch (pssParam->hashAlg)
+ {
+ case HashAlgo::SHA1:
+ hash = EVP_sha1();
+ allowedLen = 20;
+ break;
+ case HashAlgo::SHA224:
+ hash = EVP_sha224();
+ allowedLen = 28;
+ break;
+ case HashAlgo::SHA256:
+ hash = EVP_sha256();
+ allowedLen = 32;
+ break;
+ case HashAlgo::SHA384:
+ hash = EVP_sha384();
+ allowedLen = 48;
+ break;
+ case HashAlgo::SHA512:
+ hash = EVP_sha512();
+ allowedLen = 64;
+ break;
+ default:
+ return false;
+ }
+
+ OSSLRSAPrivateKey* osslKey = (OSSLRSAPrivateKey*) privateKey;
+
+ RSA* rsa = osslKey->getOSSLKey();
+
+ if (dataToSign.size() != allowedLen)
+ {
+ ERROR_MSG("Data to sign does not match expected (%d) for RSA PSS", (int)allowedLen);
+
+ return false;
+ }
+
+ size_t sLen = pssParam->sLen;
+ if (sLen > ((privateKey->getBitLength()+6)/8-2-allowedLen))
+ {
+ ERROR_MSG("sLen (%lu) is too large for current key size (%lu)",
+ (unsigned long)sLen, privateKey->getBitLength());
+ return false;
+ }
+
+ ByteString em;
+ em.resize(osslKey->getN().size());
+
+ int status = RSA_padding_add_PKCS1_PSS_mgf1(rsa, &em[0], (unsigned char*) dataToSign.const_byte_str(), hash, hash, pssParam->sLen);
+ if (!status)
+ {
+ ERROR_MSG("Error in RSA PSS padding generation");
+
+ return false;
+ }
+
+
+ if (!RSA_blinding_on(rsa, NULL))
+ {
+ ERROR_MSG("Failed to turn on blinding for OpenSSL RSA key");
+
+ return false;
+ }
+
+ // Perform the signature operation
+ signature.resize(osslKey->getN().size());
+
+ int sigLen = RSA_private_encrypt(osslKey->getN().size(), &em[0], &signature[0], rsa, RSA_NO_PADDING);
+
+ RSA_blinding_off(rsa);
+
+ if (sigLen == -1)
+ {
+ ERROR_MSG("An error occurred while performing the RSA-PSS signature");
+
+ return false;
+ }
+
+ signature.resize(sigLen);
+
+ return true;
+ }
else if (mechanism == AsymMech::RSA)
{
// Separate implementation for raw RSA signing
@@ -607,6 +713,90 @@ bool OSSLRSA::verify(PublicKey* publicKey, const ByteString& originalData,
return (originalData == recoveredData);
}
+ else if (mechanism == AsymMech::RSA_PKCS_PSS)
+ {
+ const RSA_PKCS_PSS_PARAMS *pssParam = (RSA_PKCS_PSS_PARAMS*)param;
+
+ if (pssParam == NULL || paramLen != sizeof(RSA_PKCS_PSS_PARAMS))
+ {
+ ERROR_MSG("Invalid parameters supplied");
+
+ return false;
+ }
+
+ // Check if the public key is the right type
+ if (!publicKey->isOfType(OSSLRSAPublicKey::type))
+ {
+ ERROR_MSG("Invalid key type supplied");
+
+ return false;
+ }
+
+ // Perform the RSA public key operation
+ OSSLRSAPublicKey* osslKey = (OSSLRSAPublicKey*) publicKey;
+
+ ByteString recoveredData;
+
+ recoveredData.resize(osslKey->getN().size());
+
+ RSA* rsa = osslKey->getOSSLKey();
+
+ int retLen = RSA_public_decrypt(signature.size(), (unsigned char*) signature.const_byte_str(), &recoveredData[0], rsa, RSA_NO_PADDING);
+
+ if (retLen == -1)
+ {
+ ERROR_MSG("Public key operation failed");
+
+ return false;
+ }
+
+ recoveredData.resize(retLen);
+
+ size_t allowedLen;
+ const EVP_MD* hash = NULL;
+
+ switch (pssParam->hashAlg)
+ {
+ case HashAlgo::SHA1:
+ hash = EVP_sha1();
+ allowedLen = 20;
+ break;
+ case HashAlgo::SHA224:
+ hash = EVP_sha224();
+ allowedLen = 28;
+ break;
+ case HashAlgo::SHA256:
+ hash = EVP_sha256();
+ allowedLen = 32;
+ break;
+ case HashAlgo::SHA384:
+ hash = EVP_sha384();
+ allowedLen = 48;
+ break;
+ case HashAlgo::SHA512:
+ hash = EVP_sha512();
+ allowedLen = 64;
+ break;
+ default:
+ return false;
+ }
+
+ if (originalData.size() != allowedLen) {
+ return false;
+ }
+
+ size_t sLen = pssParam->sLen;
+ if (sLen > ((osslKey->getBitLength()+6)/8-2-allowedLen))
+ {
+ ERROR_MSG("sLen (%lu) is too large for current key size (%lu)",
+ (unsigned long)sLen, osslKey->getBitLength());
+ return false;
+ }
+
+ int status = RSA_verify_PKCS1_PSS_mgf1(rsa, (unsigned char*)originalData.const_byte_str(), hash, hash, (unsigned char*) recoveredData.const_byte_str(), pssParam->sLen);
+
+ return (status == 1);
+ }
else if (mechanism == AsymMech::RSA)
{
// Specific implementation for raw RSA verifiction; originalData is assumed to contain the
diff --git a/src/lib/test/SignVerifyTests.cpp b/src/lib/test/SignVerifyTests.cpp
index 4536d7aa..46ebfb61 100644
--- a/src/lib/test/SignVerifyTests.cpp
+++ b/src/lib/test/SignVerifyTests.cpp
@@ -195,6 +195,44 @@ void SignVerifyTests::signVerifySingle(CK_MECHANISM_TYPE mechanismType, CK_SESSI
CPPUNIT_ASSERT(rv==CKR_SIGNATURE_INVALID);
}
+void SignVerifyTests::signVerifySingleData(size_t dataSize, CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey, CK_VOID_PTR param /* = NULL_PTR */, CK_ULONG paramLen /* = 0 */)
+{
+ CK_RV rv;
+ CK_MECHANISM mechanism = { mechanismType, param, paramLen };
+ CK_BYTE *data = (CK_BYTE*)malloc(dataSize);
+ CK_BYTE signature[1024];
+ CK_ULONG ulSignatureLen = 0;
+ unsigned i;
+
+ CPPUNIT_ASSERT(data != NULL);
+
+ for (i=0;i<dataSize;i++)
+ data[i] = i;
+
+ rv = CRYPTOKI_F_PTR( C_SignInit(hSession,&mechanism,hPrivateKey) );
+ CPPUNIT_ASSERT(rv==CKR_OK);
+
+ ulSignatureLen = sizeof(signature);
+ rv = CRYPTOKI_F_PTR( C_Sign(hSession,data,dataSize,signature,&ulSignatureLen) );
+ CPPUNIT_ASSERT(rv==CKR_OK);
+
+ rv = CRYPTOKI_F_PTR( C_VerifyInit(hSession,&mechanism,hPublicKey) );
+ CPPUNIT_ASSERT(rv==CKR_OK);
+
+ rv = CRYPTOKI_F_PTR( C_Verify(hSession,data,dataSize,signature,ulSignatureLen) );
+ CPPUNIT_ASSERT(rv==CKR_OK);
+
+ // verify again, but now change the input that is being signed.
+ rv = CRYPTOKI_F_PTR( C_VerifyInit(hSession,&mechanism,hPublicKey) );
+ CPPUNIT_ASSERT(rv==CKR_OK);
+
+ data[0] = 0xff;
+ rv = CRYPTOKI_F_PTR( C_Verify(hSession,data,dataSize,signature,ulSignatureLen) );
+ CPPUNIT_ASSERT(rv==CKR_SIGNATURE_INVALID);
+
+ free(data);
+}
+
void SignVerifyTests::signVerifyMulti(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey, CK_VOID_PTR param /* = NULL_PTR */, CK_ULONG paramLen /* = 0 */)
{
CK_RV rv;
@@ -287,6 +325,15 @@ void SignVerifyTests::testRsaSignVerify()
signVerifyMulti(CKM_SHA256_RSA_PKCS, hSessionRO, hPuk,hPrk);
signVerifyMulti(CKM_SHA384_RSA_PKCS, hSessionRO, hPuk,hPrk);
signVerifyMulti(CKM_SHA512_RSA_PKCS, hSessionRO, hPuk,hPrk);
+
+#ifdef WITH_OPENSSL
+ signVerifySingleData(20, CKM_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[0], sizeof(params[0]));
+ signVerifySingleData(28, CKM_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[1], sizeof(params[1]));
+ signVerifySingleData(32, CKM_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[2], sizeof(params[2]));
+ signVerifySingleData(48, CKM_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[3], sizeof(params[3]));
+ signVerifySingleData(64, CKM_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[4], sizeof(params[4]));
+#endif
+
signVerifyMulti(CKM_SHA1_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[0], sizeof(params[0]));
signVerifyMulti(CKM_SHA224_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[1], sizeof(params[1]));
signVerifyMulti(CKM_SHA256_RSA_PKCS_PSS, hSessionRO, hPuk,hPrk, &params[2], sizeof(params[2]));
diff --git a/src/lib/test/SignVerifyTests.h b/src/lib/test/SignVerifyTests.h
index dc645ef6..0fa6a145 100644
--- a/src/lib/test/SignVerifyTests.h
+++ b/src/lib/test/SignVerifyTests.h
@@ -61,6 +61,7 @@ class SignVerifyTests : public TestsBase
CK_RV generateEC(const char* curve, CK_SESSION_HANDLE hSession, CK_BBOOL bTokenPuk, CK_BBOOL bPrivatePuk, CK_BBOOL bTokenPrk, CK_BBOOL bPrivatePrk, CK_OBJECT_HANDLE &hPuk, CK_OBJECT_HANDLE &hPrk);
#endif
void signVerifySingle(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey, CK_VOID_PTR param = NULL_PTR, CK_ULONG paramLen = 0);
+ void signVerifySingleData(size_t dataSize, CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey, CK_VOID_PTR param = NULL_PTR, CK_ULONG paramLen = 0);
void signVerifyMulti(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hPublicKey, CK_OBJECT_HANDLE hPrivateKey, CK_VOID_PTR param = NULL_PTR, CK_ULONG paramLen = 0);
CK_RV generateKey(CK_SESSION_HANDLE hSession, CK_KEY_TYPE keyType, CK_BBOOL bToken, CK_BBOOL bPrivate, CK_OBJECT_HANDLE &hKey);
void hmacSignVerify(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey);

11
softhsm.spec
View File

@ -2,15 +2,13 @@
Summary: Software version of a PKCS#11 Hardware Security Module
Name: softhsm
Version: 2.4.0
Version: 2.5.0
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
License: BSD
Url: http://www.opendnssec.org/
Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig
Patch1: softhsm-2.3.0-reset-mutex-callbacks.patch
Group: Applications/System
BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
BuildRequires: gcc-c++, pkgconfig, p11-kit-devel, nss-devel
@ -43,8 +41,6 @@ The devel package contains the libsofthsm include files
%prep
%setup -q -n %{name}-%{version}%{?prever}
%patch1 -p1
%if 0%{?prever:1}
autoreconf -fiv
%endif
@ -57,7 +53,7 @@ sed -i 's:^full_libdir=":#full_libdir=":g' configure.ac
sed -i "s:libdir)/@PACKAGE@:libdir):" Makefile.in
%build
%configure --libdir=%{_libdir}/pkcs11 --with-openssl=%{_prefix} --enable-ecc --disable-gost \
%configure --libdir=%{_libdir}/pkcs11 --with-openssl=%{_prefix} --enable-ecc --enable-eddsa --disable-gost \
--with-migrate --enable-visibility --with-p11-kit=%{_datadir}/p11-kit/modules/
make %{?_smp_mflags}
@ -116,6 +112,9 @@ if [ -f /var/softhsm/slot0.db ]; then
fi
%changelog
* Mon Oct 29 2018 Simo Sorce <simo@redhat.com> - 2.5.0-1
- Updated to latest upstream release
* Sat Aug 11 2018 Nikos Mavrogiannopoulos <nmav@redhat.com> - 2.4.0-1
- Updated to latest upstream release

3
sources
View File

@ -1,2 +1 @@
SHA512 (softhsm-2.4.0.tar.gz) = f14f65de32206500f708523ee88d8d5e3d1fd40175f1a9cd24c7760c829e2de9dbcb05453022df8186836c49a57e4eae7f2e75ce6a5346a426114f4d610a8a84
SHA512 (softhsm-2.4.0.tar.gz.sig) = a8f616e2a5ab7fdb09c0d2a850bda833be889aea0aa1e5e2bcb0012351dcf3c870e496918ba16bb0bb942bb13350ff1030b25feab29914d07897b39c30526624
SHA512 (softhsm-2.5.0.tar.gz) = a1e686729196dc25591eb3da57c2c8ea8494ed274ba711842b2dcae696f477a202acda13a975b8fb1eb68e8e44a79e839dbbc6ba500cab02ad13072c660752d9