authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-07-28 09:21:59 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-08-04 13:54:42 +0200
commitb05d57f6463e1f08c3fe14d4d2c1a556a68c0b47 (patch)
treec5d2a9672252d3fcbd30fc2b55d18a99fb098395
parentc63d58f962b0e2c3b522e49279516d713b3b5925 (diff)
pkcs11: mark RSA PKCS#11 key which can do RSA-PSS
Also refuse to sign with RSA-PSS if the mechanism is not supported. Relates #208 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r--lib/pkcs11_privkey.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index 60786855a6..b6765fcec8 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -61,6 +61,8 @@
struct gnutls_pkcs11_privkey_st {
gnutls_pk_algorithm_t pk_algorithm;
+ unsigned int rsa_pss_ok; /* if it is an RSA key, it can do RSA-PSS */
+
unsigned int flags;
struct p11_kit_uri *uinfo;
char *url;
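Review bot: The comment on `rsa_pss_ok` reads as a property of the key, but the only place this commit sets it (gnutls_pkcs11_privkey_import_url) derives it from a token-wide query for CKM_RSA_PKCS_PSS, not from the key object's own attributes. I would word it as `/* set at import: the token advertises CKM_RSA_PKCS_PSS; zero means signing with RSA-PSS is refused */` so readers do not take it as a per-key guarantee. The struct definition continues outside this hunk.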
@@ -354,9 +356,12 @@ _gnutls_pkcs11_privkey_sign(gnutls_pkcs11_privkey_t key,
if (se->pk == GNUTLS_PK_RSA_PSS) {
const struct hash_mappings_st *map = hash_to_map(se->hash);
- if (map == NULL)
+ if (unlikely(map == NULL))
return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ if (unlikely(!key->rsa_pss_ok))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+
rsa_pss_params.hash_alg = map->phash;
rsa_pss_params.mgf = map->mgf_id;
rsa_pss_params.s_len = spki_params->salt_size;
@@ -590,6 +595,12 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
goto cleanup;
}
+ if (pkey->pk_algorithm == GNUTLS_PK_RSA) { /* determine whether it can do rsa-pss */
+ ret = gnutls_pkcs11_token_check_mechanism(url, CKM_RSA_PKCS_PSS, NULL, 0, 0);
+ if (ret != 0)
+ pkey->rsa_pss_ok = 1;
+ }
+
a[0].type = CKA_ALWAYS_AUTHENTICATE;
a[0].value = &reauth;
a[0].value_len = sizeof(reauth);
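Review bot: The test `if (ret != 0)` on the result of gnutls_pkcs11_token_check_mechanism() accepts any non-zero value as "PSS supported". If that call can return a negative error code when the URL or slot lookup fails (its body is not visible here), a failed query would mark the key as PSS-capable and bypass the new refusal in _gnutls_pkcs11_privkey_sign. The flag is also only ever set and never cleared, so it relies on the structure having been zeroed before import. Assigning it in both directions with `pkey->rsa_pss_ok = (ret > 0);` would fail closed on errors, assuming `ret` is a signed int as its use here suggests. gnutls_pkcs11_privkey_import_url starts and ends outside this hunk.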