aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/plugins
diff options
context:
space:
mode:
authorTobias Brunner <tobias@strongswan.org>2011-11-02 20:25:39 +0100
committerTobias Brunner <tobias@strongswan.org>2011-11-02 20:27:55 +0100
commit5b85b94e27cd21fc79ef2e08e9256cde5dec7ff0 (patch)
treed24d6d4294b8de3a09b4b2ec7ca6448d36560c90 /src/libstrongswan/plugins
parent58d0a8d49bcf1fce3fb77bd2050c01ae896ad94a (diff)
downloadstrongswan-5b85b94e27cd21fc79ef2e08e9256cde5dec7ff0.tar.bz2
strongswan-5b85b94e27cd21fc79ef2e08e9256cde5dec7ff0.tar.xz
pkcs11: Make sure a key can be used for a given signature scheme.
Diffstat (limited to 'src/libstrongswan/plugins')
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c39
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h5
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c3
3 files changed, 31 insertions, 16 deletions
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index a354070c1..b616abc38 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -104,41 +104,44 @@ METHOD(private_key_t, get_keysize, int,
* See header.
*/
CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme,
+ key_type_t type, size_t keylen,
hash_algorithm_t *hash)
{
static struct {
signature_scheme_t scheme;
CK_MECHANISM mechanism;
+ key_type_t type;
+ size_t keylen;
hash_algorithm_t hash;
} mappings[] = {
{SIGN_RSA_EMSA_PKCS1_NULL, {CKM_RSA_PKCS, NULL, 0},
- HASH_UNKNOWN},
+ KEY_RSA, 0, HASH_UNKNOWN},
{SIGN_RSA_EMSA_PKCS1_SHA1, {CKM_SHA1_RSA_PKCS, NULL, 0},
- HASH_UNKNOWN},
+ KEY_RSA, 0, HASH_UNKNOWN},
{SIGN_RSA_EMSA_PKCS1_SHA256, {CKM_SHA256_RSA_PKCS, NULL, 0},
- HASH_UNKNOWN},
+ KEY_RSA, 0, HASH_UNKNOWN},
{SIGN_RSA_EMSA_PKCS1_SHA384, {CKM_SHA384_RSA_PKCS, NULL, 0},
- HASH_UNKNOWN},
+ KEY_RSA, 0, HASH_UNKNOWN},
{SIGN_RSA_EMSA_PKCS1_SHA512, {CKM_SHA512_RSA_PKCS, NULL, 0},
- HASH_UNKNOWN},
+ KEY_RSA, 0, HASH_UNKNOWN},
{SIGN_RSA_EMSA_PKCS1_MD5, {CKM_MD5_RSA_PKCS, NULL, 0},
- HASH_UNKNOWN},
+ KEY_RSA, 0, HASH_UNKNOWN},
{SIGN_ECDSA_WITH_NULL, {CKM_ECDSA, NULL, 0},
- HASH_UNKNOWN},
+ KEY_ECDSA, 0, HASH_UNKNOWN},
{SIGN_ECDSA_WITH_SHA1_DER, {CKM_ECDSA_SHA1, NULL, 0},
- HASH_UNKNOWN},
+ KEY_ECDSA, 0, HASH_UNKNOWN},
{SIGN_ECDSA_WITH_SHA256_DER, {CKM_ECDSA, NULL, 0},
- HASH_SHA256},
+ KEY_ECDSA, 0, HASH_SHA256},
{SIGN_ECDSA_WITH_SHA384_DER, {CKM_ECDSA, NULL, 0},
- HASH_SHA384},
+ KEY_ECDSA, 0, HASH_SHA384},
{SIGN_ECDSA_WITH_SHA512_DER, {CKM_ECDSA, NULL, 0},
- HASH_SHA512},
+ KEY_ECDSA, 0, HASH_SHA512},
{SIGN_ECDSA_256, {CKM_ECDSA, NULL, 0},
- HASH_SHA256},
+ KEY_ECDSA, 256, HASH_SHA256},
{SIGN_ECDSA_384, {CKM_ECDSA, NULL, 0},
- HASH_SHA384},
+ KEY_ECDSA, 384, HASH_SHA384},
{SIGN_ECDSA_521, {CKM_ECDSA, NULL, 0},
- HASH_SHA512},
+ KEY_ECDSA, 521, HASH_SHA512},
};
int i;
@@ -146,6 +149,11 @@ CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme,
{
if (mappings[i].scheme == scheme)
{
+ size_t len = mappings[i].keylen;
+ if (mappings[i].type != type || (len && keylen != len))
+ {
+ return NULL;
+ }
if (hash)
{
*hash = mappings[i].hash;
@@ -229,7 +237,8 @@ METHOD(private_key_t, sign, bool,
hash_algorithm_t hash_alg;
chunk_t hash = chunk_empty;
- mechanism = pkcs11_signature_scheme_to_mech(scheme, &hash_alg);
+ mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type,
+ get_keysize(this), &hash_alg);
if (!mechanism)
{
DBG1(DBG_LIB, "signature scheme %N not supported",
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
index 1e4ec3068..53cd0f15f 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h
@@ -56,10 +56,15 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args);
/**
* Get the Cryptoki mechanism for a signature scheme.
*
+ * Verifies that the given key is usable for this scheme.
+ *
* @param scheme signature scheme
+ * @param type key type
+ * @param keylen key lenght in bits
* @param hash hash algorithm to apply first (HASH_UNKNOWN if none)
*/
CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme,
+ key_type_t type, size_t keylen,
hash_algorithm_t *hash);
/**
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
index 2a3a511a5..d49a03856 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -207,7 +207,8 @@ METHOD(public_key_t, verify, bool,
hash_algorithm_t hash_alg;
chunk_t hash = chunk_empty;
- mechanism = pkcs11_signature_scheme_to_mech(scheme, &hash_alg);
+ mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, this->k,
+ &hash_alg);
if (!mechanism)
{
DBG1(DBG_LIB, "signature scheme %N not supported",