Skip to content

Commit

Permalink
Allow generated EVP_PKEY to be used to verify operation
Browse files Browse the repository at this point in the history
Previously generated EVP_PKEY could be used for operations that only
require a private key
  • Loading branch information
latal-1 committed Nov 25, 2024
1 parent 6dca0e0 commit becbf86
Show file tree
Hide file tree
Showing 3 changed files with 37 additions and 18 deletions.
24 changes: 20 additions & 4 deletions src/objects.c
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ struct p11prov_obj {
CK_OBJECT_HANDLE cached;
CK_BBOOL cka_copyable;
CK_BBOOL cka_token;
bool isGenerated;

P11PROV_URI *refresh_uri;

Expand Down Expand Up @@ -108,8 +109,8 @@ void p11prov_obj_pool_free(P11PROV_OBJ_POOL *pool)
}
OPENSSL_free(pool->objects);
(void)MUTEX_UNLOCK(pool);
/* ------------- LOCKED SECTION */ }
else {
/* ------------- LOCKED SECTION */
} else {
P11PROV_debug("Failed to lock object pool, leaking it!");
return;
}
Expand Down Expand Up @@ -269,6 +270,7 @@ P11PROV_OBJ *p11prov_obj_new(P11PROV_CTX *ctx, CK_SLOT_ID slotid,
obj->handle = handle;
obj->class = class;
obj->cached = CK_INVALID_HANDLE;
obj->isGenerated = false;

obj->refcnt = 1;

Expand Down Expand Up @@ -3111,6 +3113,7 @@ static CK_RV return_dup_key(P11PROV_OBJ *dst, P11PROV_OBJ *src)
dst->class = src->class;
dst->cka_copyable = src->cka_copyable;
dst->cka_token = src->cka_token;
dst->isGenerated = src->isGenerated;
dst->data.key = src->data.key;

dst->attrs = OPENSSL_zalloc(sizeof(CK_ATTRIBUTE) * src->numattrs);
Expand Down Expand Up @@ -3991,8 +3994,8 @@ CK_RV p11prov_merge_pub_attrs_into_priv(P11PROV_OBJ *pub_key,
CK_RV ret = CKR_OK;

if (!pub_key || !priv_key) {
P11PROV_debug(
"Empty keys. Cannot copy public key attributes into private key");
P11PROV_debug("Empty keys. Cannot copy public key attributes into "
"private key");
return CKR_ARGUMENTS_BAD;
}

Expand Down Expand Up @@ -4051,6 +4054,11 @@ CK_RV p11prov_merge_pub_attrs_into_priv(P11PROV_OBJ *pub_key,
return CKR_ARGUMENTS_BAD;
}

/* P11PROV_OBJ has only one handle (for generation is a private key handle),
* but user can use generated EVP_PKEY for verify or encrypt so
* necessary to signal that key has been generated to find the associated public key for the sign context */
priv_key->isGenerated = true;

return ret;

err:
Expand Down Expand Up @@ -4107,3 +4115,11 @@ P11PROV_OBJ *mock_pub_ec_key(P11PROV_CTX *ctx, CK_ATTRIBUTE_TYPE type,

return key;
}

P11PROV_OBJ *p11prov_obj_pub_from_generated(P11PROV_OBJ *obj)
{
if (obj == NULL || obj->isGenerated == false) {
return NULL;
}
return find_associated_obj(obj->ctx, obj, CKO_PUBLIC_KEY);
}
1 change: 1 addition & 0 deletions src/objects.h
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ int p11prov_obj_get_ed_pub_key(P11PROV_OBJ *obj, CK_ATTRIBUTE **pub);
CK_ATTRIBUTE *p11prov_obj_get_ec_public_raw(P11PROV_OBJ *key);
P11PROV_OBJ *mock_pub_ec_key(P11PROV_CTX *ctx, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *ec_params);
P11PROV_OBJ *p11prov_obj_pub_from_generated(P11PROV_OBJ *obj);

#define OBJ_CMP_KEY_TYPE 0x00
#define OBJ_CMP_KEY_PUBLIC 0x01
Expand Down
30 changes: 16 additions & 14 deletions src/signature.c
Original file line number Diff line number Diff line change
Expand Up @@ -686,20 +686,23 @@ static CK_RV p11prov_sig_op_init(void *ctx, void *provkey, CK_FLAGS operation,
return ret;
}

sigctx->key = p11prov_obj_ref(key);
if (sigctx->key == NULL) {
return CKR_KEY_NEEDED;
}
class = p11prov_obj_get_class(sigctx->key);
class = p11prov_obj_get_class(key);
switch (operation) {
case CKF_SIGN:
if (class != CKO_PRIVATE_KEY) {
return CKR_KEY_TYPE_INCONSISTENT;
}
sigctx->key = p11prov_obj_ref(key);
if (sigctx->key == NULL) {
return CKR_KEY_NEEDED;
}
break;
case CKF_VERIFY:
if (class != CKO_PUBLIC_KEY) {
return CKR_KEY_TYPE_INCONSISTENT;
sigctx->key = p11prov_obj_pub_from_generated(key);
if (sigctx->key == NULL) {
return CKR_KEY_TYPE_INCONSISTENT;
}
}
break;
default:
Expand All @@ -710,6 +713,7 @@ static CK_RV p11prov_sig_op_init(void *ctx, void *provkey, CK_FLAGS operation,
if (digest) {
ret = p11prov_digest_get_by_name(digest, &sigctx->digest);
if (ret != CKR_OK) {
p11prov_obj_free(sigctx->key);
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_DIGEST);
return ret;
}
Expand Down Expand Up @@ -1252,10 +1256,9 @@ static int p11prov_rsasig_digest_sign_final(void *ctx, unsigned char *sig,
/* the siglen might be uninitialized when called from openssl */
*siglen = 0;

P11PROV_debug(
"rsa digest sign final (ctx=%p, sig=%p, siglen=%zu, "
"sigsize=%zu)",
ctx, sig, *siglen, sigsize);
P11PROV_debug("rsa digest sign final (ctx=%p, sig=%p, siglen=%zu, "
"sigsize=%zu)",
ctx, sig, *siglen, sigsize);

if (sigctx == NULL) {
return RET_OSSL_ERR;
Expand Down Expand Up @@ -1903,10 +1906,9 @@ static int p11prov_ecdsa_digest_sign_final(void *ctx, unsigned char *sig,
/* the siglen might be uninitialized when called from openssl */
*siglen = 0;

P11PROV_debug(
"ecdsa digest sign final (ctx=%p, sig=%p, siglen=%zu, "
"sigsize=%zu)",
ctx, sig, *siglen, sigsize);
P11PROV_debug("ecdsa digest sign final (ctx=%p, sig=%p, siglen=%zu, "
"sigsize=%zu)",
ctx, sig, *siglen, sigsize);

if (sigctx == NULL) {
return RET_OSSL_ERR;
Expand Down

0 comments on commit becbf86

Please sign in to comment.