Print this page
first pass
Split |
Close |
Expand all |
Collapse all |
--- old/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRSA.c
+++ new/usr/src/lib/pkcs11/pkcs11_softtoken/common/softRSA.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24 24 */
25 25
26 26 #include <pthread.h>
27 27 #include <stdlib.h>
28 28 #include <string.h>
29 29 #include <strings.h>
30 30 #include <sys/types.h>
31 31 #include <security/cryptoki.h>
32 32 #include <cryptoutil.h>
33 33 #include "softGlobal.h"
34 34 #include "softSession.h"
35 35 #include "softObject.h"
36 36 #include "softOps.h"
37 37 #include "softRSA.h"
↓ open down ↓ |
37 lines elided |
↑ open up ↑ |
38 38 #include "softMAC.h"
39 39 #include "softCrypt.h"
40 40
41 41 CK_RV
42 42 soft_rsa_encrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
43 43 CK_BYTE_PTR out, int realpublic)
44 44 {
45 45
46 46 CK_RV rv = CKR_OK;
47 47
48 -/* EXPORT DELETE START */
49 -
50 48 uchar_t expo[MAX_KEY_ATTR_BUFLEN];
51 49 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
52 50 uint32_t expo_len = sizeof (expo);
53 51 uint32_t modulus_len = sizeof (modulus);
54 52 RSAbytekey k;
55 53
56 54 if (realpublic) {
57 55 rv = soft_get_public_value(key, CKA_PUBLIC_EXPONENT, expo,
58 56 &expo_len);
59 57 if (rv != CKR_OK) {
60 58 goto clean1;
61 59 }
62 60 } else {
63 61 rv = soft_get_private_value(key, CKA_PRIVATE_EXPONENT, expo,
64 62 &expo_len);
65 63 if (rv != CKR_OK) {
66 64 goto clean1;
67 65 }
68 66 }
69 67
70 68 rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
71 69 if (rv != CKR_OK) {
72 70 goto clean1;
73 71 }
74 72
↓ open down ↓ |
15 lines elided |
↑ open up ↑ |
75 73 k.modulus = modulus;
76 74 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
77 75 k.pubexpo = expo;
78 76 k.pubexpo_bytes = expo_len;
79 77 k.rfunc = NULL;
80 78
81 79 rv = rsa_encrypt(&k, in, in_len, out);
82 80
83 81 clean1:
84 82
85 -/* EXPORT DELETE END */
86 -
87 83 return (rv);
88 84 }
89 85
90 86
91 87 CK_RV
92 88 soft_rsa_decrypt(soft_object_t *key, CK_BYTE_PTR in, uint32_t in_len,
93 89 CK_BYTE_PTR out)
94 90 {
95 91
96 92 CK_RV rv = CKR_OK;
97 93
98 -/* EXPORT DELETE START */
99 -
100 94 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
101 95 uchar_t prime1[MAX_KEY_ATTR_BUFLEN];
102 96 uchar_t prime2[MAX_KEY_ATTR_BUFLEN];
103 97 uchar_t expo1[MAX_KEY_ATTR_BUFLEN];
104 98 uchar_t expo2[MAX_KEY_ATTR_BUFLEN];
105 99 uchar_t coef[MAX_KEY_ATTR_BUFLEN];
106 100 uint32_t modulus_len = sizeof (modulus);
107 101 uint32_t prime1_len = sizeof (prime1);
108 102 uint32_t prime2_len = sizeof (prime2);
109 103 uint32_t expo1_len = sizeof (expo1);
110 104 uint32_t expo2_len = sizeof (expo2);
111 105 uint32_t coef_len = sizeof (coef);
112 106 RSAbytekey k;
113 107
114 108 rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
115 109 if (rv != CKR_OK) {
116 110 goto clean1;
117 111 }
118 112
119 113 rv = soft_get_private_value(key, CKA_PRIME_1, prime1, &prime1_len);
120 114
121 115 if ((prime1_len == 0) && (rv == CKR_OK)) {
122 116 rv = soft_rsa_encrypt(key, in, in_len, out, 0);
123 117 goto clean1;
124 118 } else {
125 119 if (rv != CKR_OK)
126 120 goto clean1;
127 121 }
128 122
129 123 rv = soft_get_private_value(key, CKA_PRIME_2, prime2, &prime2_len);
130 124
131 125 if ((prime2_len == 0) && (rv == CKR_OK)) {
132 126 rv = soft_rsa_encrypt(key, in, in_len, out, 0);
133 127 goto clean1;
134 128 } else {
135 129 if (rv != CKR_OK)
136 130 goto clean1;
137 131 }
138 132
139 133 rv = soft_get_private_value(key, CKA_EXPONENT_1, expo1, &expo1_len);
140 134
141 135 if ((expo1_len == 0) && (rv == CKR_OK)) {
142 136 rv = soft_rsa_encrypt(key, in, in_len, out, 0);
143 137 goto clean1;
144 138 } else {
145 139 if (rv != CKR_OK)
146 140 goto clean1;
147 141 }
148 142
149 143 rv = soft_get_private_value(key, CKA_EXPONENT_2, expo2, &expo2_len);
150 144
151 145 if ((expo2_len == 0) && (rv == CKR_OK)) {
152 146 rv = soft_rsa_encrypt(key, in, in_len, out, 0);
153 147 goto clean1;
154 148 } else {
155 149 if (rv != CKR_OK)
156 150 goto clean1;
157 151 }
158 152
159 153 rv = soft_get_private_value(key, CKA_COEFFICIENT, coef, &coef_len);
160 154
161 155 if ((coef_len == 0) && (rv == CKR_OK)) {
162 156 rv = soft_rsa_encrypt(key, in, in_len, out, 0);
163 157 goto clean1;
164 158 } else {
165 159 if (rv != CKR_OK)
166 160 goto clean1;
167 161 }
168 162
169 163 k.modulus = modulus;
170 164 k.modulus_bits = CRYPTO_BYTES2BITS(modulus_len);
171 165 k.prime1 = prime1;
172 166 k.prime1_bytes = prime1_len;
173 167 k.prime2 = prime2;
174 168 k.prime2_bytes = prime2_len;
175 169 k.expo1 = expo1;
176 170 k.expo1_bytes = expo1_len;
↓ open down ↓ |
67 lines elided |
↑ open up ↑ |
177 171 k.expo2 = expo2;
178 172 k.expo2_bytes = expo2_len;
179 173 k.coeff = coef;
180 174 k.coeff_bytes = coef_len;
181 175 k.rfunc = NULL;
182 176
183 177 rv = rsa_decrypt(&k, in, in_len, out);
184 178
185 179 clean1:
186 180
187 -/* EXPORT DELETE END */
188 -
189 181 return (rv);
190 182 }
191 183
192 184 /*
193 185 * Allocate a RSA context for the active encryption or decryption operation.
194 186 * This function is called without the session lock held.
195 187 */
196 188 CK_RV
197 189 soft_rsa_crypt_init_common(soft_session_t *session_p,
198 190 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
199 191 boolean_t encrypt)
200 192 {
201 193
202 194 soft_rsa_ctx_t *rsa_ctx;
203 195 soft_object_t *tmp_key = NULL;
204 196 CK_RV rv;
205 197
206 198 rsa_ctx = calloc(1, sizeof (soft_rsa_ctx_t));
207 199 if (rsa_ctx == NULL) {
208 200 return (CKR_HOST_MEMORY);
209 201 }
210 202
211 203 /*
212 204 * Make a copy of the encryption or decryption key, and save it
213 205 * in the RSA crypto context since it will be used later for
214 206 * encryption/decryption. We don't want to hold any object reference
215 207 * on this original key while doing encryption/decryption.
216 208 */
217 209 (void) pthread_mutex_lock(&key_p->object_mutex);
218 210 rv = soft_copy_object(key_p, &tmp_key, SOFT_COPY_OBJ_ORIG_SH,
219 211 NULL);
220 212
221 213 if ((rv != CKR_OK) || (tmp_key == NULL)) {
222 214 /* Most likely we ran out of space. */
223 215 (void) pthread_mutex_unlock(&key_p->object_mutex);
224 216 free(rsa_ctx);
225 217 return (rv);
226 218 }
227 219
228 220 /* No need to hold the lock on the old object. */
229 221 (void) pthread_mutex_unlock(&key_p->object_mutex);
230 222 rsa_ctx->key = tmp_key;
231 223
232 224 (void) pthread_mutex_lock(&session_p->session_mutex);
233 225 if (encrypt) {
234 226 /* Called by C_EncryptInit. */
235 227 session_p->encrypt.context = rsa_ctx;
236 228 session_p->encrypt.mech.mechanism = pMechanism->mechanism;
237 229 } else {
238 230 /* Called by C_DecryptInit. */
239 231 session_p->decrypt.context = rsa_ctx;
240 232 session_p->decrypt.mech.mechanism = pMechanism->mechanism;
241 233 }
242 234 (void) pthread_mutex_unlock(&session_p->session_mutex);
243 235
244 236 return (CKR_OK);
245 237 }
246 238
247 239 CK_RV
248 240 soft_rsa_encrypt_common(soft_session_t *session_p, CK_BYTE_PTR pData,
249 241 CK_ULONG ulDataLen, CK_BYTE_PTR pEncrypted,
250 242 CK_ULONG_PTR pulEncryptedLen, CK_MECHANISM_TYPE mechanism)
251 243 {
252 244
253 245 soft_rsa_ctx_t *rsa_ctx = session_p->encrypt.context;
254 246 soft_object_t *key = rsa_ctx->key;
255 247 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
256 248 uint32_t modulus_len = sizeof (modulus);
257 249 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
258 250 CK_BYTE cipher_data[MAX_RSA_KEYLENGTH_IN_BYTES];
259 251 CK_RV rv = CKR_OK;
260 252
261 253 rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
262 254 if (rv != CKR_OK) {
263 255 goto clean_exit;
264 256 }
265 257
266 258 if (pEncrypted == NULL) {
267 259 /*
268 260 * Application asks for the length of the output buffer
269 261 * to hold the ciphertext.
270 262 */
271 263 *pulEncryptedLen = modulus_len;
272 264 rv = CKR_OK;
273 265 goto clean1;
274 266 }
275 267
276 268 if (mechanism == CKM_RSA_PKCS) {
277 269 /*
278 270 * Input data length needs to be <=
279 271 * modulus length-MIN_PKCS1_PADLEN.
280 272 */
281 273 if (ulDataLen > ((CK_ULONG)modulus_len - MIN_PKCS1_PADLEN)) {
282 274 *pulEncryptedLen = modulus_len;
283 275 rv = CKR_DATA_LEN_RANGE;
284 276 goto clean_exit;
285 277 }
286 278 } else {
287 279 /* Input data length needs to be <= modulus length. */
288 280 if (ulDataLen > (CK_ULONG)modulus_len) {
289 281 *pulEncryptedLen = modulus_len;
290 282 rv = CKR_DATA_LEN_RANGE;
291 283 goto clean_exit;
292 284 }
293 285 }
294 286
295 287 /* Is the application-supplied buffer large enough? */
296 288 if (*pulEncryptedLen < (CK_ULONG)modulus_len) {
297 289 *pulEncryptedLen = modulus_len;
298 290 rv = CKR_BUFFER_TOO_SMALL;
299 291 goto clean1;
300 292 }
301 293
302 294 if (mechanism == CKM_RSA_PKCS) {
303 295 /*
304 296 * Add PKCS padding to the input data to format a block
305 297 * type "02" encryption block.
306 298 */
307 299 rv = pkcs1_encode(PKCS1_ENCRYPT, pData, ulDataLen, plain_data,
308 300 modulus_len);
309 301
310 302 if (rv != CKR_OK)
311 303 goto clean_exit;
312 304 } else {
313 305 /* Pad zeros for the leading bytes of the input data. */
314 306 (void) memset(plain_data, 0x0, modulus_len - ulDataLen);
315 307 (void) memcpy(&plain_data[modulus_len - ulDataLen], pData,
316 308 ulDataLen);
317 309 }
318 310
319 311 rv = soft_rsa_encrypt(key, plain_data, modulus_len, cipher_data, 1);
320 312 if (rv == CKR_OK) {
321 313 (void) memcpy(pEncrypted, cipher_data, modulus_len);
322 314 *pulEncryptedLen = modulus_len;
323 315 }
324 316
325 317 clean_exit:
326 318 (void) pthread_mutex_lock(&session_p->session_mutex);
327 319 free(session_p->encrypt.context);
328 320 session_p->encrypt.context = NULL;
329 321 (void) pthread_mutex_unlock(&session_p->session_mutex);
330 322 soft_cleanup_object(key);
331 323 free(key);
332 324 clean1:
333 325 return (rv);
334 326 }
335 327
336 328
337 329 CK_RV
338 330 soft_rsa_decrypt_common(soft_session_t *session_p, CK_BYTE_PTR pEncrypted,
339 331 CK_ULONG ulEncryptedLen, CK_BYTE_PTR pData,
340 332 CK_ULONG_PTR pulDataLen, CK_MECHANISM_TYPE mechanism)
341 333 {
342 334
343 335 soft_rsa_ctx_t *rsa_ctx = session_p->decrypt.context;
344 336 soft_object_t *key = rsa_ctx->key;
345 337 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
346 338 uint32_t modulus_len = sizeof (modulus);
347 339 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
348 340 CK_RV rv = CKR_OK;
349 341
350 342 rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
351 343 if (rv != CKR_OK) {
352 344 goto clean_exit;
353 345 }
354 346
355 347 if (ulEncryptedLen != (CK_ULONG)modulus_len) {
356 348 rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
357 349 goto clean_exit;
358 350 }
359 351
360 352 if (pData == NULL) {
361 353 /*
362 354 * Application asks for the length of the output buffer
363 355 * to hold the recovered data.
364 356 */
365 357 *pulDataLen = modulus_len;
366 358 rv = CKR_OK;
367 359 goto clean1;
368 360 }
369 361
370 362 if (mechanism == CKM_RSA_X_509) {
371 363 if (*pulDataLen < (CK_ULONG)modulus_len) {
372 364 *pulDataLen = modulus_len;
373 365 rv = CKR_BUFFER_TOO_SMALL;
374 366 goto clean1;
375 367 }
376 368 }
377 369
378 370 rv = soft_rsa_decrypt(key, pEncrypted, modulus_len, plain_data);
379 371 if (rv != CKR_OK) {
380 372 goto clean_exit;
381 373 }
382 374
383 375 if (mechanism == CKM_RSA_PKCS) {
384 376 size_t plain_len = modulus_len;
385 377 size_t num_padding;
386 378
387 379 /* Strip off the PKCS block formatting data. */
388 380 rv = pkcs1_decode(PKCS1_DECRYPT, plain_data, &plain_len);
389 381 if (rv != CKR_OK)
390 382 goto clean_exit;
391 383
392 384 num_padding = modulus_len - plain_len;
393 385 if (ulEncryptedLen - num_padding > *pulDataLen) {
394 386 *pulDataLen = plain_len;
395 387 rv = CKR_BUFFER_TOO_SMALL;
396 388 goto clean1;
397 389 }
398 390
399 391 (void) memcpy(pData, &plain_data[num_padding], plain_len);
400 392 *pulDataLen = plain_len;
401 393 } else {
402 394 (void) memcpy(pData, plain_data, modulus_len);
403 395 *pulDataLen = modulus_len;
404 396 }
405 397
406 398 clean_exit:
407 399 (void) pthread_mutex_lock(&session_p->session_mutex);
408 400 free(session_p->decrypt.context);
409 401 session_p->decrypt.context = NULL;
410 402 (void) pthread_mutex_unlock(&session_p->session_mutex);
411 403 soft_cleanup_object(key);
412 404 free(key);
413 405
414 406 clean1:
415 407 return (rv);
416 408 }
417 409
418 410 /*
419 411 * Allocate a RSA context for the active sign or verify operation.
420 412 * This function is called without the session lock held.
421 413 */
422 414 CK_RV
423 415 soft_rsa_sign_verify_init_common(soft_session_t *session_p,
424 416 CK_MECHANISM_PTR pMechanism, soft_object_t *key_p,
425 417 boolean_t sign)
426 418 {
427 419 CK_RV rv = CKR_OK;
428 420 soft_rsa_ctx_t *rsa_ctx;
429 421 CK_MECHANISM digest_mech;
430 422 soft_object_t *tmp_key = NULL;
431 423
432 424 if (sign) {
433 425 if ((key_p->class != CKO_PRIVATE_KEY) ||
434 426 (key_p->key_type != CKK_RSA))
435 427 return (CKR_KEY_TYPE_INCONSISTENT);
436 428 } else {
437 429 if ((key_p->class != CKO_PUBLIC_KEY) ||
438 430 (key_p->key_type != CKK_RSA))
439 431 return (CKR_KEY_TYPE_INCONSISTENT);
440 432 }
441 433
442 434 switch (pMechanism->mechanism) {
443 435 case CKM_MD5_RSA_PKCS:
444 436 digest_mech.mechanism = CKM_MD5;
445 437 rv = soft_digest_init_internal(session_p, &digest_mech);
446 438 if (rv != CKR_OK)
447 439 return (rv);
448 440 break;
449 441
450 442 case CKM_SHA1_RSA_PKCS:
451 443 digest_mech.mechanism = CKM_SHA_1;
452 444 digest_mech.pParameter = pMechanism->pParameter;
453 445 digest_mech.ulParameterLen = pMechanism->ulParameterLen;
454 446 rv = soft_digest_init_internal(session_p, &digest_mech);
455 447 if (rv != CKR_OK)
456 448 return (rv);
457 449 break;
458 450
459 451 case CKM_SHA256_RSA_PKCS:
460 452 digest_mech.mechanism = CKM_SHA256;
461 453 rv = soft_digest_init_internal(session_p, &digest_mech);
462 454 if (rv != CKR_OK)
463 455 return (rv);
464 456 break;
465 457
466 458 case CKM_SHA384_RSA_PKCS:
467 459 digest_mech.mechanism = CKM_SHA384;
468 460 rv = soft_digest_init_internal(session_p, &digest_mech);
469 461 if (rv != CKR_OK)
470 462 return (rv);
471 463 break;
472 464
473 465 case CKM_SHA512_RSA_PKCS:
474 466 digest_mech.mechanism = CKM_SHA512;
475 467 rv = soft_digest_init_internal(session_p, &digest_mech);
476 468 if (rv != CKR_OK)
477 469 return (rv);
478 470 break;
479 471 }
480 472
481 473 rsa_ctx = malloc(sizeof (soft_rsa_ctx_t));
482 474
483 475 if (rsa_ctx == NULL) {
484 476 rv = CKR_HOST_MEMORY;
485 477 goto clean_exit;
486 478 }
487 479
488 480 (void) pthread_mutex_lock(&key_p->object_mutex);
489 481 rv = soft_copy_object(key_p, &tmp_key, SOFT_COPY_OBJ_ORIG_SH,
490 482 NULL);
491 483
492 484 if ((rv != CKR_OK) || (tmp_key == NULL)) {
493 485 /* Most likely we ran out of space. */
494 486 (void) pthread_mutex_unlock(&key_p->object_mutex);
495 487 free(rsa_ctx);
496 488 goto clean_exit;
497 489 }
498 490
499 491 /* No need to hold the lock on the old object. */
500 492 (void) pthread_mutex_unlock(&key_p->object_mutex);
501 493 rsa_ctx->key = tmp_key;
502 494
503 495 (void) pthread_mutex_lock(&session_p->session_mutex);
504 496
505 497 if (sign) {
506 498 session_p->sign.context = rsa_ctx;
507 499 session_p->sign.mech.mechanism = pMechanism->mechanism;
508 500 } else {
509 501 session_p->verify.context = rsa_ctx;
510 502 session_p->verify.mech.mechanism = pMechanism->mechanism;
511 503 }
512 504
513 505 (void) pthread_mutex_unlock(&session_p->session_mutex);
514 506
515 507 return (CKR_OK);
516 508
517 509 clean_exit:
518 510 (void) pthread_mutex_lock(&session_p->session_mutex);
519 511 if (session_p->digest.context != NULL) {
520 512 free(session_p->digest.context);
521 513 session_p->digest.context = NULL;
522 514 session_p->digest.flags = 0;
523 515 }
524 516 (void) pthread_mutex_unlock(&session_p->session_mutex);
525 517 return (rv);
526 518
527 519 }
528 520
529 521
530 522 CK_RV
531 523 soft_rsa_sign_common(soft_session_t *session_p, CK_BYTE_PTR pData,
532 524 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned,
533 525 CK_ULONG_PTR pulSignedLen, CK_MECHANISM_TYPE mechanism)
534 526 {
535 527
536 528 CK_RV rv = CKR_OK;
537 529 soft_rsa_ctx_t *rsa_ctx = session_p->sign.context;
538 530 soft_object_t *key = rsa_ctx->key;
539 531 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
540 532 uint32_t modulus_len = sizeof (modulus);
541 533 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
542 534 CK_BYTE signed_data[MAX_RSA_KEYLENGTH_IN_BYTES];
543 535
544 536 rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
545 537 if (rv != CKR_OK) {
546 538 goto clean_exit;
547 539 }
548 540
549 541 if (pSigned == NULL) {
550 542 /* Application asks for the length of the output buffer. */
551 543 *pulSignedLen = modulus_len;
552 544 rv = CKR_OK;
553 545 goto clean1;
554 546 }
555 547
556 548 switch (mechanism) {
557 549
558 550 case CKM_RSA_PKCS:
559 551
560 552 /*
561 553 * Input data length needs to be <=
562 554 * modulus length-MIN_PKCS1_PADLEN.
563 555 */
564 556 if (ulDataLen > ((CK_ULONG)modulus_len - MIN_PKCS1_PADLEN)) {
565 557 *pulSignedLen = modulus_len;
566 558 rv = CKR_DATA_LEN_RANGE;
567 559 goto clean_exit;
568 560 }
569 561 break;
570 562
571 563 case CKM_RSA_X_509:
572 564
573 565 /* Input data length needs to be <= modulus length. */
574 566 if (ulDataLen > (CK_ULONG)modulus_len) {
575 567 *pulSignedLen = modulus_len;
576 568 rv = CKR_DATA_LEN_RANGE;
577 569 goto clean_exit;
578 570 }
579 571 break;
580 572 }
581 573
582 574 /* Is the application-supplied buffer large enough? */
583 575 if (*pulSignedLen < (CK_ULONG)modulus_len) {
584 576 *pulSignedLen = modulus_len;
585 577 rv = CKR_BUFFER_TOO_SMALL;
586 578 goto clean1;
587 579 }
588 580
589 581 switch (mechanism) {
590 582
591 583 case CKM_RSA_PKCS:
592 584 case CKM_MD5_RSA_PKCS:
593 585 case CKM_SHA1_RSA_PKCS:
594 586 case CKM_SHA256_RSA_PKCS:
595 587 case CKM_SHA384_RSA_PKCS:
596 588 case CKM_SHA512_RSA_PKCS:
597 589 /*
598 590 * Add PKCS padding to the input data to format a block
599 591 * type "01" encryption block.
600 592 */
601 593 rv = pkcs1_encode(PKCS1_SIGN, pData, ulDataLen, plain_data,
602 594 modulus_len);
603 595
604 596 if (rv != CKR_OK) {
605 597 goto clean_exit;
606 598 }
607 599 break;
608 600
609 601 case CKM_RSA_X_509:
610 602
611 603 /* Pad zeros for the leading bytes of the input data. */
612 604 (void) memset(plain_data, 0x0, modulus_len - ulDataLen);
613 605 (void) memcpy(&plain_data[modulus_len - ulDataLen], pData,
614 606 ulDataLen);
615 607 break;
616 608 }
617 609
618 610 /*
619 611 * Perform RSA encryption with the signer's RSA private key
620 612 * for signature process.
621 613 */
622 614 rv = soft_rsa_decrypt(key, plain_data, modulus_len, signed_data);
623 615
624 616 if (rv == CKR_OK) {
625 617 (void) memcpy(pSigned, signed_data, modulus_len);
626 618 *pulSignedLen = modulus_len;
627 619 }
628 620
629 621 clean_exit:
630 622 (void) pthread_mutex_lock(&session_p->session_mutex);
631 623 free(session_p->sign.context);
632 624 session_p->sign.context = NULL;
633 625 if (session_p->digest.context != NULL) {
634 626 free(session_p->digest.context);
635 627 session_p->digest.context = NULL;
636 628 session_p->digest.flags = 0;
637 629 }
638 630 (void) pthread_mutex_unlock(&session_p->session_mutex);
639 631 soft_cleanup_object(key);
640 632 free(key);
641 633
642 634 clean1:
643 635 return (rv);
644 636 }
645 637
646 638
647 639 CK_RV
648 640 soft_rsa_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
649 641 CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
650 642 CK_ULONG ulSignatureLen, CK_MECHANISM_TYPE mechanism)
651 643 {
652 644
653 645 CK_RV rv = CKR_OK;
654 646 soft_rsa_ctx_t *rsa_ctx = session_p->verify.context;
655 647 soft_object_t *key = rsa_ctx->key;
656 648 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
657 649 uint32_t modulus_len = sizeof (modulus);
658 650 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
659 651
660 652 rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
661 653 if (rv != CKR_OK) {
662 654 goto clean_exit;
663 655 }
664 656
665 657 if (ulDataLen == 0) {
666 658 rv = CKR_DATA_LEN_RANGE;
667 659 goto clean_exit;
668 660 }
669 661
670 662 if (ulSignatureLen != (CK_ULONG)modulus_len) {
671 663 rv = CKR_SIGNATURE_LEN_RANGE;
672 664 goto clean_exit;
673 665 }
674 666
675 667 /*
676 668 * Perform RSA decryption with the signer's RSA public key
677 669 * for verification process.
678 670 */
679 671 rv = soft_rsa_encrypt(key, pSignature, modulus_len, plain_data, 1);
680 672 if (rv == CKR_OK) {
681 673 switch (mechanism) {
682 674
683 675 case CKM_RSA_PKCS:
684 676 case CKM_MD5_RSA_PKCS:
685 677 case CKM_SHA1_RSA_PKCS:
686 678 case CKM_SHA256_RSA_PKCS:
687 679 case CKM_SHA384_RSA_PKCS:
688 680 case CKM_SHA512_RSA_PKCS:
689 681 {
690 682 /*
691 683 * Strip off the encoded padding bytes in front of the
692 684 * recovered data, then compare the recovered data with
693 685 * the original data.
694 686 */
695 687 size_t data_len = modulus_len;
696 688
697 689 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
698 690 if (rv != CKR_OK) {
699 691 goto clean_exit;
700 692 }
701 693
702 694 if ((CK_ULONG)data_len != ulDataLen) {
703 695 rv = CKR_DATA_LEN_RANGE;
704 696 goto clean_exit;
705 697 } else if (memcmp(pData,
706 698 &plain_data[modulus_len - data_len],
707 699 ulDataLen) != 0) {
708 700 rv = CKR_SIGNATURE_INVALID;
709 701 goto clean_exit;
710 702 }
711 703 break;
712 704 }
713 705
714 706 case CKM_RSA_X_509:
715 707 /*
716 708 * Strip off the encoded padding bytes in front of the
717 709 * recovered plain_data, then compare the input data
718 710 * with the recovered data.
719 711 */
720 712 if (memcmp(pData,
721 713 plain_data + ulSignatureLen - ulDataLen,
722 714 ulDataLen) != 0) {
723 715 rv = CKR_SIGNATURE_INVALID;
724 716 goto clean_exit;
725 717 }
726 718 break;
727 719 }
728 720 }
729 721
730 722 if (rv == CKR_DATA_LEN_RANGE) {
731 723 if ((mechanism == CKM_MD5_RSA_PKCS) ||
732 724 (mechanism == CKM_SHA1_RSA_PKCS) ||
733 725 (mechanism == CKM_SHA256_RSA_PKCS) ||
734 726 (mechanism == CKM_SHA384_RSA_PKCS) ||
735 727 (mechanism == CKM_SHA512_RSA_PKCS))
736 728 rv = CKR_SIGNATURE_INVALID;
737 729 }
738 730
739 731 clean_exit:
740 732 (void) pthread_mutex_lock(&session_p->session_mutex);
741 733 free(session_p->verify.context);
742 734 session_p->verify.context = NULL;
743 735 if (session_p->digest.context != NULL) {
744 736 free(session_p->digest.context);
745 737 session_p->digest.context = NULL;
746 738 session_p->digest.flags = 0;
747 739 }
748 740 (void) pthread_mutex_unlock(&session_p->session_mutex);
749 741 soft_cleanup_object(key);
750 742 free(key);
751 743 return (rv);
752 744 }
753 745
754 746 CK_RV
755 747 soft_genRSAkey_set_attribute(soft_object_t *key, CK_ATTRIBUTE_TYPE type,
756 748 uchar_t *buf, uint32_t buflen, boolean_t public)
757 749 {
758 750 CK_RV rv = CKR_OK;
759 751 biginteger_t *dst = NULL;
760 752 biginteger_t src;
761 753
762 754 switch (type) {
763 755
764 756 case CKA_MODULUS:
765 757
766 758 if (public)
767 759 dst = OBJ_PUB_RSA_MOD(key);
768 760 else
769 761 dst = OBJ_PRI_RSA_MOD(key);
770 762 break;
771 763
772 764 case CKA_PUBLIC_EXPONENT:
773 765
774 766 if (public)
775 767 dst = OBJ_PUB_RSA_PUBEXPO(key);
776 768 else
777 769 dst = OBJ_PRI_RSA_PUBEXPO(key);
778 770 break;
779 771
780 772 case CKA_PRIVATE_EXPONENT:
781 773
782 774 dst = OBJ_PRI_RSA_PRIEXPO(key);
783 775 break;
784 776
785 777 case CKA_PRIME_1:
786 778
787 779 dst = OBJ_PRI_RSA_PRIME1(key);
788 780 break;
789 781
790 782 case CKA_PRIME_2:
791 783
792 784 dst = OBJ_PRI_RSA_PRIME2(key);
793 785 break;
794 786
795 787 case CKA_EXPONENT_1:
796 788
797 789 dst = OBJ_PRI_RSA_EXPO1(key);
798 790 break;
799 791
800 792 case CKA_EXPONENT_2:
801 793
802 794 dst = OBJ_PRI_RSA_EXPO2(key);
803 795 break;
804 796
805 797 case CKA_COEFFICIENT:
806 798
807 799 dst = OBJ_PRI_RSA_COEF(key);
808 800 break;
809 801 }
810 802
811 803 /* Note: no explanation found for why this is needed */
812 804 while (buf[0] == 0) { /* remove proceeding 0x00 */
813 805 buf++;
814 806 buflen--;
815 807 }
816 808
817 809 if ((rv = dup_bigint_attr(&src, buf, buflen)) != CKR_OK)
818 810 goto cleanexit;
819 811
820 812 /* Copy the attribute in the key object. */
821 813 copy_bigint_attr(&src, dst);
822 814
823 815 cleanexit:
824 816 return (rv);
825 817
826 818 }
827 819
828 820
829 821 CK_RV
830 822 soft_rsa_genkey_pair(soft_object_t *pubkey, soft_object_t *prikey)
831 823 {
832 824 CK_RV rv = CKR_OK;
833 825 CK_ATTRIBUTE template;
834 826 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
835 827 uint32_t modulus_len;
836 828 uchar_t pub_expo[MAX_KEY_ATTR_BUFLEN];
837 829 uint32_t pub_expo_len = sizeof (pub_expo);
838 830 uchar_t private_exponent[MAX_KEY_ATTR_BUFLEN];
839 831 uint32_t private_exponent_len = sizeof (private_exponent);
840 832 uchar_t prime1[MAX_KEY_ATTR_BUFLEN];
841 833 uint32_t prime1_len = sizeof (prime1);
842 834 uchar_t prime2[MAX_KEY_ATTR_BUFLEN];
843 835 uint32_t prime2_len = sizeof (prime2);
844 836 uchar_t exponent1[MAX_KEY_ATTR_BUFLEN];
845 837 uint32_t exponent1_len = sizeof (exponent1);
846 838 uchar_t exponent2[MAX_KEY_ATTR_BUFLEN];
847 839 uint32_t exponent2_len = sizeof (exponent2);
848 840 uchar_t coefficient[MAX_KEY_ATTR_BUFLEN];
849 841 uint32_t coefficient_len = sizeof (coefficient);
850 842 RSAbytekey k;
851 843
852 844 if ((pubkey == NULL) || (prikey == NULL)) {
853 845 return (CKR_ARGUMENTS_BAD);
854 846 }
855 847
856 848 template.pValue = malloc(sizeof (CK_ULONG));
857 849 if (template.pValue == NULL) {
858 850 return (CKR_HOST_MEMORY);
859 851 }
860 852 template.ulValueLen = sizeof (CK_ULONG);
861 853
862 854 rv = get_ulong_attr_from_object(OBJ_PUB_RSA_MOD_BITS(pubkey),
863 855 &template);
864 856 if (rv != CKR_OK) {
865 857 free(template.pValue);
866 858 goto clean0;
867 859 }
868 860
869 861 #ifdef __sparcv9
870 862 /* LINTED */
871 863 modulus_len = (uint32_t)(*((CK_ULONG *)(template.pValue)));
872 864 #else /* !__sparcv9 */
873 865 modulus_len = *((CK_ULONG *)(template.pValue));
874 866 #endif /* __sparcv9 */
875 867
876 868 free(template.pValue);
877 869
878 870 rv = soft_get_public_value(pubkey, CKA_PUBLIC_EXPONENT, pub_expo,
879 871 &pub_expo_len);
880 872 if (rv != CKR_OK) {
881 873 goto clean0;
882 874 }
883 875
884 876 /* Inputs to RSA key pair generation */
885 877 k.modulus_bits = modulus_len; /* save modulus len in bits */
886 878 modulus_len = CRYPTO_BITS2BYTES(modulus_len); /* convert to bytes */
887 879 k.modulus = modulus;
888 880 k.pubexpo = pub_expo;
889 881 k.pubexpo_bytes = pub_expo_len;
890 882 k.rfunc = (IS_TOKEN_OBJECT(pubkey) || IS_TOKEN_OBJECT(prikey)) ?
891 883 pkcs11_get_random : pkcs11_get_urandom;
892 884
893 885 /* Outputs from RSA key pair generation */
894 886 k.privexpo = private_exponent;
895 887 k.privexpo_bytes = private_exponent_len;
896 888 k.prime1 = prime1;
897 889 k.prime1_bytes = prime1_len;
898 890 k.prime2 = prime2;
899 891 k.prime2_bytes = prime2_len;
900 892 k.expo1 = exponent1;
901 893 k.expo1_bytes = exponent1_len;
902 894 k.expo2 = exponent2;
903 895 k.expo2_bytes = exponent2_len;
904 896 k.coeff = coefficient;
905 897 k.coeff_bytes = coefficient_len;
906 898
907 899 rv = rsa_genkey_pair(&k);
908 900
909 901 if (rv != CKR_OK) {
910 902 goto clean0;
911 903 }
912 904
913 905 /*
914 906 * Add modulus in public template, and add all eight key fields
915 907 * in private template.
916 908 */
917 909 if ((rv = soft_genRSAkey_set_attribute(pubkey, CKA_MODULUS,
918 910 modulus, CRYPTO_BITS2BYTES(k.modulus_bits), B_TRUE)) != CKR_OK) {
919 911 goto clean0;
920 912 }
921 913
922 914 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_MODULUS,
923 915 modulus, CRYPTO_BITS2BYTES(k.modulus_bits), B_FALSE)) != CKR_OK) {
924 916 goto clean0;
925 917 }
926 918
927 919 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_PRIVATE_EXPONENT,
928 920 private_exponent, k.privexpo_bytes, B_FALSE)) != CKR_OK) {
929 921 goto clean0;
930 922 }
931 923
932 924 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_PUBLIC_EXPONENT,
933 925 pub_expo, k.pubexpo_bytes, B_FALSE)) != CKR_OK) {
934 926 goto clean0;
935 927 }
936 928
937 929 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_PRIME_1,
938 930 prime1, k.prime1_bytes, B_FALSE)) != CKR_OK) {
939 931 goto clean0;
940 932 }
941 933
942 934 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_PRIME_2,
943 935 prime2, k.prime2_bytes, B_FALSE)) != CKR_OK) {
944 936 goto clean0;
945 937 }
946 938
947 939 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_EXPONENT_1,
948 940 exponent1, k.expo1_bytes, B_FALSE)) != CKR_OK) {
949 941 goto clean0;
950 942 }
951 943
952 944 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_EXPONENT_2,
953 945 exponent2, k.expo2_bytes, B_FALSE)) != CKR_OK) {
954 946 goto clean0;
955 947 }
956 948
957 949 if ((rv = soft_genRSAkey_set_attribute(prikey, CKA_COEFFICIENT,
958 950 coefficient, k.coeff_bytes, B_FALSE)) != CKR_OK) {
959 951 goto clean0;
960 952 }
961 953
962 954 clean0:
963 955 return (rv);
964 956 }
965 957
966 958
967 959 CK_ULONG
968 960 get_rsa_sha1_prefix(CK_MECHANISM_PTR mech, CK_BYTE_PTR *prefix) {
969 961 if (mech->pParameter == NULL) {
970 962 *prefix = (CK_BYTE *)SHA1_DER_PREFIX;
971 963 return (SHA1_DER_PREFIX_Len);
972 964 }
973 965
974 966 *prefix = (CK_BYTE *)SHA1_DER_PREFIX_OID;
975 967 return (SHA1_DER_PREFIX_OID_Len);
976 968 }
977 969
978 970 CK_RV
979 971 soft_rsa_digest_sign_common(soft_session_t *session_p, CK_BYTE_PTR pData,
980 972 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned,
981 973 CK_ULONG_PTR pulSignedLen, CK_MECHANISM_TYPE mechanism, boolean_t Final)
982 974 {
983 975
984 976 CK_RV rv = CKR_OK;
985 977 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space enough for all mechs */
986 978 CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
987 979 /* space enough for all mechs */
988 980 CK_BYTE der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
989 981 CK_ULONG der_data_len;
990 982 soft_rsa_ctx_t *rsa_ctx = session_p->sign.context;
991 983 soft_object_t *key = rsa_ctx->key;
992 984 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
993 985 uint32_t modulus_len = sizeof (modulus);
994 986 CK_ULONG der_len;
995 987 CK_BYTE_PTR der_prefix;
996 988
997 989 rv = soft_get_private_value(key, CKA_MODULUS, modulus, &modulus_len);
998 990 if (rv != CKR_OK) {
999 991 (void) pthread_mutex_lock(&session_p->session_mutex);
1000 992 free(session_p->digest.context);
1001 993 session_p->digest.context = NULL;
1002 994 session_p->digest.flags = 0;
1003 995 (void) pthread_mutex_unlock(&session_p->session_mutex);
1004 996 soft_cleanup_object(key);
1005 997 free(key);
1006 998 goto clean1;
1007 999 }
1008 1000
1009 1001 /* Check arguments before performing message digest. */
1010 1002 if (pSigned == NULL) {
1011 1003 /* Application asks for the length of the output buffer. */
1012 1004 *pulSignedLen = modulus_len;
1013 1005 rv = CKR_OK;
1014 1006 goto clean1;
1015 1007 }
1016 1008
1017 1009 /* Is the application-supplied buffer large enough? */
1018 1010 if (*pulSignedLen < (CK_ULONG)modulus_len) {
1019 1011 *pulSignedLen = modulus_len;
1020 1012 rv = CKR_BUFFER_TOO_SMALL;
1021 1013 goto clean1;
1022 1014 }
1023 1015
1024 1016 if (Final) {
1025 1017 rv = soft_digest_final(session_p, hash, &hash_len);
1026 1018 } else {
1027 1019 rv = soft_digest(session_p, pData, ulDataLen, hash, &hash_len);
1028 1020 }
1029 1021
1030 1022 if (rv != CKR_OK) {
1031 1023 /* free the signature key */
1032 1024 soft_cleanup_object(key);
1033 1025 free(key);
1034 1026 goto clean_exit;
1035 1027 }
1036 1028
1037 1029 /*
1038 1030 * Prepare the DER encoding of the DigestInfo value by setting it to:
1039 1031 * <MECH>_DER_PREFIX || H
1040 1032 *
1041 1033 * See rsa_impl.c for more details.
1042 1034 */
1043 1035 switch (session_p->digest.mech.mechanism) {
1044 1036 case CKM_MD5:
1045 1037 (void) memcpy(der_data, MD5_DER_PREFIX, MD5_DER_PREFIX_Len);
1046 1038 (void) memcpy(der_data + MD5_DER_PREFIX_Len, hash, hash_len);
1047 1039 der_data_len = MD5_DER_PREFIX_Len + hash_len;
1048 1040 break;
1049 1041 case CKM_SHA_1:
1050 1042 der_len = get_rsa_sha1_prefix(&(session_p->digest.mech),
1051 1043 &der_prefix);
1052 1044 (void) memcpy(der_data, der_prefix, der_len);
1053 1045 (void) memcpy(der_data + der_len, hash, hash_len);
1054 1046 der_data_len = der_len + hash_len;
1055 1047 break;
1056 1048 case CKM_SHA256:
1057 1049 (void) memcpy(der_data, SHA256_DER_PREFIX,
1058 1050 SHA2_DER_PREFIX_Len);
1059 1051 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
1060 1052 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
1061 1053 break;
1062 1054 case CKM_SHA384:
1063 1055 (void) memcpy(der_data, SHA384_DER_PREFIX,
1064 1056 SHA2_DER_PREFIX_Len);
1065 1057 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
1066 1058 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
1067 1059 break;
1068 1060 case CKM_SHA512:
1069 1061 (void) memcpy(der_data, SHA512_DER_PREFIX,
1070 1062 SHA2_DER_PREFIX_Len);
1071 1063 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
1072 1064 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
1073 1065 break;
1074 1066 }
1075 1067
1076 1068 /*
1077 1069 * Now, we are ready to sign the DER_ENCODED data
1078 1070 * soft_rsa_sign_common() will free the signature key.
1079 1071 */
1080 1072 rv = soft_rsa_sign_common(session_p, der_data, der_data_len,
1081 1073 pSigned, pulSignedLen, mechanism);
1082 1074
1083 1075 clean_exit:
1084 1076 (void) pthread_mutex_lock(&session_p->session_mutex);
1085 1077 /* soft_digest_common() has freed the digest context */
1086 1078 session_p->digest.flags = 0;
1087 1079 (void) pthread_mutex_unlock(&session_p->session_mutex);
1088 1080
1089 1081 clean1:
1090 1082 return (rv);
1091 1083 }
1092 1084
1093 1085
1094 1086 CK_RV
1095 1087 soft_rsa_digest_verify_common(soft_session_t *session_p, CK_BYTE_PTR pData,
1096 1088 CK_ULONG ulDataLen, CK_BYTE_PTR pSigned,
1097 1089 CK_ULONG ulSignedLen, CK_MECHANISM_TYPE mechanism, boolean_t Final)
1098 1090 {
1099 1091
1100 1092 CK_RV rv = CKR_OK;
1101 1093 CK_BYTE hash[SHA512_DIGEST_LENGTH]; /* space for all mechs */
1102 1094 CK_ULONG hash_len = SHA512_DIGEST_LENGTH;
1103 1095 CK_BYTE der_data[SHA512_DIGEST_LENGTH + SHA2_DER_PREFIX_Len];
1104 1096 CK_ULONG der_data_len;
1105 1097 soft_rsa_ctx_t *rsa_ctx = session_p->verify.context;
1106 1098 soft_object_t *key = rsa_ctx->key;
1107 1099 CK_ULONG der_len;
1108 1100 CK_BYTE_PTR der_prefix;
1109 1101
1110 1102 if (Final) {
1111 1103 rv = soft_digest_final(session_p, hash, &hash_len);
1112 1104 } else {
1113 1105 rv = soft_digest(session_p, pData, ulDataLen, hash, &hash_len);
1114 1106 }
1115 1107
1116 1108 if (rv != CKR_OK) {
1117 1109 /* free the verification key */
1118 1110 soft_cleanup_object(key);
1119 1111 free(key);
1120 1112 goto clean_exit;
1121 1113 }
1122 1114
1123 1115 /*
1124 1116 * Prepare the DER encoding of the DigestInfo value as follows:
1125 1117 * MD5: MD5_DER_PREFIX || H
1126 1118 * SHA-1: SHA1_DER_PREFIX || H
1127 1119 * SHA2: SHA2_DER_PREFIX || H
1128 1120 *
1129 1121 * See rsa_impl.c for more details.
1130 1122 */
1131 1123 switch (session_p->digest.mech.mechanism) {
1132 1124 case CKM_MD5:
1133 1125 (void) memcpy(der_data, MD5_DER_PREFIX, MD5_DER_PREFIX_Len);
1134 1126 (void) memcpy(der_data + MD5_DER_PREFIX_Len, hash, hash_len);
1135 1127 der_data_len = MD5_DER_PREFIX_Len + hash_len;
1136 1128 break;
1137 1129 case CKM_SHA_1:
1138 1130 der_len = get_rsa_sha1_prefix(&(session_p->digest.mech),
1139 1131 &der_prefix);
1140 1132 (void) memcpy(der_data, der_prefix, der_len);
1141 1133 (void) memcpy(der_data + der_len, hash, hash_len);
1142 1134 der_data_len = der_len + hash_len;
1143 1135 break;
1144 1136 case CKM_SHA256:
1145 1137 (void) memcpy(der_data, SHA256_DER_PREFIX,
1146 1138 SHA2_DER_PREFIX_Len);
1147 1139 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
1148 1140 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
1149 1141 break;
1150 1142 case CKM_SHA384:
1151 1143 (void) memcpy(der_data, SHA384_DER_PREFIX,
1152 1144 SHA2_DER_PREFIX_Len);
1153 1145 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
1154 1146 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
1155 1147 break;
1156 1148 case CKM_SHA512:
1157 1149 (void) memcpy(der_data, SHA512_DER_PREFIX,
1158 1150 SHA2_DER_PREFIX_Len);
1159 1151 (void) memcpy(der_data + SHA2_DER_PREFIX_Len, hash, hash_len);
1160 1152 der_data_len = SHA2_DER_PREFIX_Len + hash_len;
1161 1153 break;
1162 1154 }
1163 1155
1164 1156 /*
1165 1157 * Now, we are ready to verify the DER_ENCODED data using signature.
1166 1158 * soft_rsa_verify_common() will free the verification key.
1167 1159 */
1168 1160 rv = soft_rsa_verify_common(session_p, der_data, der_data_len,
1169 1161 pSigned, ulSignedLen, mechanism);
1170 1162
1171 1163 clean_exit:
1172 1164 (void) pthread_mutex_lock(&session_p->session_mutex);
1173 1165 /* soft_digest_common() has freed the digest context */
1174 1166 session_p->digest.flags = 0;
1175 1167 (void) pthread_mutex_unlock(&session_p->session_mutex);
1176 1168
1177 1169 return (rv);
1178 1170
1179 1171 }
1180 1172
1181 1173
1182 1174 CK_RV
1183 1175 soft_rsa_verify_recover(soft_session_t *session_p, CK_BYTE_PTR pSignature,
1184 1176 CK_ULONG ulSignatureLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
1185 1177 {
1186 1178
1187 1179 CK_RV rv = CKR_OK;
1188 1180 soft_rsa_ctx_t *rsa_ctx = session_p->verify.context;
1189 1181 CK_MECHANISM_TYPE mechanism = session_p->verify.mech.mechanism;
1190 1182 soft_object_t *key = rsa_ctx->key;
1191 1183 uchar_t modulus[MAX_KEY_ATTR_BUFLEN];
1192 1184 uint32_t modulus_len = sizeof (modulus);
1193 1185 CK_BYTE plain_data[MAX_RSA_KEYLENGTH_IN_BYTES];
1194 1186
1195 1187 rv = soft_get_public_value(key, CKA_MODULUS, modulus, &modulus_len);
1196 1188 if (rv != CKR_OK) {
1197 1189 goto clean_exit;
1198 1190 }
1199 1191
1200 1192 if (ulSignatureLen != (CK_ULONG)modulus_len) {
1201 1193 rv = CKR_SIGNATURE_LEN_RANGE;
1202 1194 goto clean_exit;
1203 1195 }
1204 1196
1205 1197 /*
1206 1198 * Perform RSA decryption with the signer's RSA public key
1207 1199 * for verification process.
1208 1200 */
1209 1201 rv = soft_rsa_encrypt(key, pSignature, modulus_len, plain_data, 1);
1210 1202 if (rv == CKR_OK) {
1211 1203 switch (mechanism) {
1212 1204
1213 1205 case CKM_RSA_PKCS:
1214 1206 {
1215 1207 /*
1216 1208 * Strip off the encoded padding bytes in front of the
1217 1209 * recovered data.
1218 1210 */
1219 1211 size_t data_len = modulus_len;
1220 1212
1221 1213 rv = pkcs1_decode(PKCS1_VERIFY, plain_data, &data_len);
1222 1214 if (rv != CKR_OK) {
1223 1215 goto clean_exit;
1224 1216 }
1225 1217
1226 1218 /*
1227 1219 * If application asks for the length of the output
1228 1220 * buffer?
1229 1221 */
1230 1222 if (pData == NULL) {
1231 1223 *pulDataLen = data_len;
1232 1224 rv = CKR_OK;
1233 1225 goto clean1;
1234 1226 }
1235 1227
1236 1228 /* Is the application-supplied buffer large enough? */
1237 1229 if (*pulDataLen < (CK_ULONG)data_len) {
1238 1230 *pulDataLen = data_len;
1239 1231 rv = CKR_BUFFER_TOO_SMALL;
1240 1232 goto clean1;
1241 1233 }
1242 1234
1243 1235 (void) memcpy(pData,
1244 1236 &plain_data[modulus_len - data_len], data_len);
1245 1237 *pulDataLen = data_len;
1246 1238
1247 1239 break;
1248 1240 }
1249 1241
1250 1242 case CKM_RSA_X_509:
1251 1243 /*
1252 1244 * If application asks for the length of the output
1253 1245 * buffer?
1254 1246 */
1255 1247 if (pData == NULL) {
1256 1248 *pulDataLen = modulus_len;
1257 1249 rv = CKR_OK;
1258 1250 goto clean1;
1259 1251 }
1260 1252
1261 1253 /* Is the application-supplied buffer large enough? */
1262 1254 if (*pulDataLen < (CK_ULONG)modulus_len) {
1263 1255 *pulDataLen = modulus_len;
1264 1256 rv = CKR_BUFFER_TOO_SMALL;
1265 1257 goto clean1;
1266 1258 }
1267 1259
1268 1260 (void) memcpy(pData, plain_data, modulus_len);
1269 1261 *pulDataLen = modulus_len;
1270 1262
1271 1263 break;
1272 1264 }
1273 1265 }
1274 1266
1275 1267 clean_exit:
1276 1268 (void) pthread_mutex_lock(&session_p->session_mutex);
1277 1269 free(session_p->verify.context);
1278 1270 session_p->verify.context = NULL;
1279 1271 (void) pthread_mutex_unlock(&session_p->session_mutex);
1280 1272 soft_cleanup_object(key);
1281 1273 free(key);
1282 1274
1283 1275 clean1:
1284 1276 return (rv);
1285 1277 }
↓ open down ↓ |
1087 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX