author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-07-28 09:21:59 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-08-04 13:54:42 +0200 |
commit | b05d57f6463e1f08c3fe14d4d2c1a556a68c0b47 (patch) | |
tree | c5d2a9672252d3fcbd30fc2b55d18a99fb098395 | |
parent | c63d58f962b0e2c3b522e49279516d713b3b5925 (diff) | |
download | gnutls-b05d57f6463e1f08c3fe14d4d2c1a556a68c0b47.tar.gz |
pkcs11: mark RSA PKCS#11 key which can do RSA-PSS
Also refuse to sign with RSA-PSS if the mechanism is not supported.
Relates #208
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/pkcs11_privkey.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 60786855a6..b6765fcec8 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -61,6 +61,8 @@ struct gnutls_pkcs11_privkey_st {
 gnutls_pk_algorithm_t pk_algorithm;
+ unsigned int rsa_pss_ok; /* if it is an RSA key, it can do RSA-PSS */
+
 unsigned int flags;
 struct p11_kit_uri *uinfo;
 char *url;
@@ -354,9 +356,12 @@ _gnutls_pkcs11_privkey_sign(gnutls_pkcs11_privkey_t key,
 if (se->pk == GNUTLS_PK_RSA_PSS) {
 const struct hash_mappings_st *map = hash_to_map(se->hash);
- if (map == NULL)
+ if (unlikely(map == NULL))
 return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ if (unlikely(!key->rsa_pss_ok))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+
 rsa_pss_params.hash_alg = map->phash;
 rsa_pss_params.mgf = map->mgf_id;
 rsa_pss_params.s_len = spki_params->salt_size;
@@ -590,6 +595,12 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
 goto cleanup;
 }
+ if (pkey->pk_algorithm == GNUTLS_PK_RSA) { /* determine whether it can do rsa-pss */
+ ret = gnutls_pkcs11_token_check_mechanism(url, CKM_RSA_PKCS_PSS, NULL, 0, 0);
+ if (ret != 0)
+ pkey->rsa_pss_ok = 1;
+ }
+
 a[0].type = CKA_ALWAYS_AUTHENTICATE;
 a[0].value = &reauth;
 a[0].value_len = sizeof(reauth); |
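Review bot: The new `!key->rsa_pss_ok` guard in the `-354` hunk depends on a flag that this commit sets in only one place, gnutls_pkcs11_privkey_import_url, and only when pk_algorithm is GNUTLS_PK_RSA. The check fails closed, which is the safe direction, but any other path that fills a gnutls_pkcs11_privkey_st (none is visible in this diff) would leave the flag at 0 and make every RSA-PSS signature return GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM. A comment at the check would record that dependency, for example `/* rsa_pss_ok is cached at import time from the token's mechanism list */`. The body of _gnutls_pkcs11_privkey_sign starts and ends outside the hunk.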
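Review bot: In the `-590` hunk, `if (ret != 0)` treats every non-zero result of gnutls_pkcs11_token_check_mechanism() as "RSA-PSS supported". The definition of that function is not part of this diff, so if it can hand back a negative error code, a failed token lookup would set rsa_pss_ok; testing `if (ret > 0)` would keep the flag tied to a positive answer. The call also passes `NULL, 0` for the mechanism-info arguments, so it presumably only learns that the token lists CKM_RSA_PKCS_PSS, not that the mechanism is usable for signing. If those arguments return a CK_MECHANISM_INFO, the check could become `ret = gnutls_pkcs11_token_check_mechanism(url, CKM_RSA_PKCS_PSS, &minfo, sizeof(minfo), 0);` followed by `if (ret > 0 && (minfo.flags & CKF_SIGN))`. The flag is only ever set, never cleared, so it relies on the key structure being zero-initialised before import; the function body starts and ends outside the hunk.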