void DigestTests::testDigestKey()
{
CK_RV rv;
CK_SESSION_HANDLE hSession = CK_INVALID_HANDLE;
CK_MECHANISM mechanism = {
CKM_SHA512, NULL_PTR, 0
};
CK_BYTE data[] = {"Text to digest"};
// Just make sure that we finalize any previous tests
CRYPTOKI_F_PTR( C_Finalize(NULL_PTR) );
rv = CRYPTOKI_F_PTR( C_DigestKey(hSession, (CK_OBJECT_HANDLE)123UL) );
CPPUNIT_ASSERT(rv == CKR_CRYPTOKI_NOT_INITIALIZED);
rv = CRYPTOKI_F_PTR( C_Initialize(NULL_PTR) );
CPPUNIT_ASSERT(rv == CKR_OK);
rv = CRYPTOKI_F_PTR( C_OpenSession(m_initializedTokenSlotID, CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &hSession) );
CPPUNIT_ASSERT(rv == CKR_OK);
// Create the generic secret key to digest
CK_BBOOL bFalse = CK_FALSE;
CK_BBOOL bTrue = CK_TRUE;
CK_OBJECT_CLASS secretClass = CKO_SECRET_KEY;
CK_KEY_TYPE genKeyType = CKK_GENERIC_SECRET;
CK_ATTRIBUTE attribs[] = {
{ CKA_CLASS, &secretClass, sizeof(secretClass) },
{ CKA_KEY_TYPE, &genKeyType, sizeof(genKeyType) },
{ CKA_TOKEN, &bFalse, sizeof(bFalse) },
{ CKA_PRIVATE, &bFalse, sizeof(bFalse) },
{ CKA_EXTRACTABLE, &bTrue, sizeof(bTrue) },
{ CKA_SENSITIVE, &bFalse, sizeof(bFalse) },
{ CKA_VALUE, data, sizeof(data) - 1 }
};
CK_OBJECT_HANDLE hKey;
hKey = CK_INVALID_HANDLE;
rv = CRYPTOKI_F_PTR( C_CreateObject(hSession, attribs, sizeof(attribs)/sizeof(CK_ATTRIBUTE), &hKey) );
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(hKey != CK_INVALID_HANDLE);
rv = CRYPTOKI_F_PTR( C_DigestKey(CK_INVALID_HANDLE, hKey) );
CPPUNIT_ASSERT(rv == CKR_SESSION_HANDLE_INVALID);
rv = CRYPTOKI_F_PTR( C_DigestKey(hSession, hKey) );
CPPUNIT_ASSERT(rv == CKR_OPERATION_NOT_INITIALIZED);
rv = CRYPTOKI_F_PTR( C_DigestInit(hSession, &mechanism) );
CPPUNIT_ASSERT(rv == CKR_OK);
rv = CRYPTOKI_F_PTR( C_DigestKey(hSession, CK_INVALID_HANDLE) );
CPPUNIT_ASSERT(rv == CKR_KEY_HANDLE_INVALID);
rv = CRYPTOKI_F_PTR( C_DigestKey(hSession, hKey) );
CPPUNIT_ASSERT(rv == CKR_OK);
}
/*
* Store certificate
*/
int
PKCS11_store_certificate(PKCS11_TOKEN * token, X509 * x509, char *label,
unsigned char *id, size_t id_len,
PKCS11_CERT ** ret_cert)
{
PKCS11_SLOT *slot = TOKEN2SLOT(token);
PKCS11_CTX *ctx = TOKEN2CTX(token);
CK_SESSION_HANDLE session;
CK_OBJECT_HANDLE object;
CK_ATTRIBUTE attrs[32];
unsigned int n = 0;
int rv;
/* First, make sure we have a session */
if (!PRIVSLOT(slot)->haveSession && PKCS11_open_session(slot, 1))
return -1;
session = PRIVSLOT(slot)->session;
/* Now build the template */
pkcs11_addattr_int(attrs + n++, CKA_CLASS, CKO_CERTIFICATE);
pkcs11_addattr_bool(attrs + n++, CKA_TOKEN, TRUE);
pkcs11_addattr_int(attrs + n++, CKA_CERTIFICATE_TYPE, CKC_X_509);
pkcs11_addattr_obj(attrs + n++, CKA_VALUE, (pkcs11_i2d_fn) i2d_X509, x509);
if (label)
pkcs11_addattr_s(attrs + n++, CKA_LABEL, label);
if (id && id_len)
pkcs11_addattr(attrs + n++, CKA_ID, id, id_len);
/* Now call the pkcs11 module to create the object */
rv = CRYPTOKI_call(ctx, C_CreateObject(session, attrs, n, &object));
/* Zap all memory allocated when building the template */
pkcs11_zap_attrs(attrs, n);
CRYPTOKI_checkerr(PKCS11_F_PKCS11_STORE_CERTIFICATE, rv);
/* Gobble the key object */
return pkcs11_init_cert(ctx, token, session, object, ret_cert);
}
void SymmetricAlgorithmTests::aesWrapUnwrap(CK_MECHANISM_TYPE mechanismType, CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
{
CK_MECHANISM mechanism = { mechanismType, NULL_PTR, 0 };
CK_BBOOL bFalse = CK_FALSE;
CK_BBOOL bTrue = CK_TRUE;
CK_OBJECT_CLASS secretClass = CKO_SECRET_KEY;
CK_KEY_TYPE genKeyType = CKK_GENERIC_SECRET;
CK_BYTE keyPtr[128];
CK_ULONG keyLen =
mechanismType == CKM_AES_KEY_WRAP_PAD ? 125UL : 128UL;
CK_ATTRIBUTE attribs[] = {
{ CKA_EXTRACTABLE, &bFalse, sizeof(bFalse) },
{ CKA_CLASS, &secretClass, sizeof(secretClass) },
{ CKA_KEY_TYPE, &genKeyType, sizeof(genKeyType) },
{ CKA_TOKEN, &bFalse, sizeof(bFalse) },
{ CKA_PRIVATE, &bTrue, sizeof(bTrue) },
{ CKA_SENSITIVE, &bTrue, sizeof(bTrue) }, // Wrapping is allowed even on sensitive objects
{ CKA_VALUE, keyPtr, keyLen }
};
CK_OBJECT_HANDLE hSecret;
CK_RV rv;
rv = C_GenerateRandom(hSession, keyPtr, keyLen);
CPPUNIT_ASSERT(rv == CKR_OK);
hSecret = CK_INVALID_HANDLE;
rv = C_CreateObject(hSession, attribs, sizeof(attribs)/sizeof(CK_ATTRIBUTE), &hSecret);
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(hSecret != CK_INVALID_HANDLE);
CK_BYTE_PTR wrappedPtr = NULL_PTR;
CK_ULONG wrappedLen = 0UL;
CK_ULONG zero = 0UL;
CK_ULONG rndKeyLen = keyLen;
if (mechanismType == CKM_AES_KEY_WRAP_PAD)
rndKeyLen = (keyLen + 7) & ~7;
rv = C_WrapKey(hSession, &mechanism, hKey, hSecret, wrappedPtr, &wrappedLen);
CPPUNIT_ASSERT(rv == CKR_KEY_UNEXTRACTABLE);
rv = C_DestroyObject(hSession, hSecret);
CPPUNIT_ASSERT(rv == CKR_OK);
attribs[0].pValue = &bTrue;
hSecret = CK_INVALID_HANDLE;
rv = C_CreateObject(hSession, attribs, sizeof(attribs)/sizeof(CK_ATTRIBUTE), &hSecret);
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(hSecret != CK_INVALID_HANDLE);
// Estimate wrapped length
rv = C_WrapKey(hSession, &mechanism, hKey, hSecret, wrappedPtr, &wrappedLen);
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(wrappedLen == rndKeyLen + 8);
wrappedPtr = (CK_BYTE_PTR) malloc(wrappedLen);
CPPUNIT_ASSERT(wrappedPtr != NULL_PTR);
rv = C_WrapKey(hSession, &mechanism, hKey, hSecret, wrappedPtr, &wrappedLen);
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(wrappedLen == rndKeyLen + 8);
// This should always fail because wrapped data have to be longer than 0 bytes
zero = 0;
rv = C_WrapKey(hSession, &mechanism, hKey, hSecret, wrappedPtr, &zero);
CPPUNIT_ASSERT(rv == CKR_BUFFER_TOO_SMALL);
CK_ATTRIBUTE nattribs[] = {
{ CKA_CLASS, &secretClass, sizeof(secretClass) },
{ CKA_KEY_TYPE, &genKeyType, sizeof(genKeyType) },
{ CKA_TOKEN, &bFalse, sizeof(bFalse) },
{ CKA_PRIVATE, &bTrue, sizeof(bTrue) },
{ CKA_ENCRYPT, &bFalse, sizeof(bFalse) },
{ CKA_DECRYPT, &bTrue, sizeof(bTrue) },
{ CKA_SIGN, &bFalse,sizeof(bFalse) },
{ CKA_VERIFY, &bTrue, sizeof(bTrue) }
};
CK_OBJECT_HANDLE hNew;
hNew = CK_INVALID_HANDLE;
rv = C_UnwrapKey(hSession, &mechanism, hKey, wrappedPtr, wrappedLen, nattribs, sizeof(nattribs)/sizeof(CK_ATTRIBUTE), &hNew);
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(hNew != CK_INVALID_HANDLE);
free(wrappedPtr);
wrappedPtr = NULL_PTR;
rv = C_DestroyObject(hSession, hSecret);
CPPUNIT_ASSERT(rv == CKR_OK);
#ifdef HAVE_AES_KEY_WRAP_PAD
if (mechanismType != CKM_AES_KEY_WRAP_PAD) return;
CK_OBJECT_HANDLE hRsa;
hRsa = CK_INVALID_HANDLE;
rv = generateRsaPrivateKey(hSession, CK_TRUE, CK_TRUE, hRsa);
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(hRsa != CK_INVALID_HANDLE);
CK_OBJECT_CLASS privateClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE rsaKeyType = CKK_RSA;
CK_BYTE_PTR p2Ptr = NULL_PTR;
CK_ULONG p2Len = 0UL;
CK_ATTRIBUTE rsaAttribs[] = {
{ CKA_CLASS, &privateClass, sizeof(privateClass) },
{ CKA_KEY_TYPE, &rsaKeyType, sizeof(rsaKeyType) },
{ CKA_PRIME_2, NULL_PTR, 0UL }
};
rv = C_GetAttributeValue(hSession, hRsa, rsaAttribs, sizeof(rsaAttribs)/sizeof(CK_ATTRIBUTE));
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(rsaAttribs[0].ulValueLen == sizeof(CK_OBJECT_CLASS));
CPPUNIT_ASSERT(*(CK_OBJECT_CLASS*)rsaAttribs[0].pValue == CKO_PRIVATE_KEY);
CPPUNIT_ASSERT(rsaAttribs[1].ulValueLen == sizeof(CK_KEY_TYPE));
CPPUNIT_ASSERT(*(CK_KEY_TYPE*)rsaAttribs[1].pValue == CKK_RSA);
p2Len = rsaAttribs[2].ulValueLen;
p2Ptr = (CK_BYTE_PTR) malloc(2 * p2Len);
CPPUNIT_ASSERT(p2Ptr != NULL_PTR);
rsaAttribs[2].pValue = p2Ptr;
rsaAttribs[2].ulValueLen = p2Len;
rv = C_GetAttributeValue(hSession, hRsa, rsaAttribs, sizeof(rsaAttribs)/sizeof(CK_ATTRIBUTE));
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(rsaAttribs[2].ulValueLen == p2Len);
rv = C_WrapKey(hSession, &mechanism, hKey, hRsa, wrappedPtr, &wrappedLen);
CPPUNIT_ASSERT(rv == CKR_OK);
wrappedPtr = (CK_BYTE_PTR) malloc(wrappedLen);
CPPUNIT_ASSERT(wrappedPtr != NULL_PTR);
rv = C_WrapKey(hSession, &mechanism, hKey, hRsa, wrappedPtr, &wrappedLen);
CPPUNIT_ASSERT(rv == CKR_OK);
rv = C_DestroyObject(hSession, hRsa);
CPPUNIT_ASSERT(rv == CKR_OK);
CK_ATTRIBUTE nRsaAttribs[] = {
{ CKA_CLASS, &privateClass, sizeof(privateClass) },
{ CKA_KEY_TYPE, &rsaKeyType, sizeof(rsaKeyType) },
{ CKA_TOKEN, &bFalse, sizeof(bFalse) },
{ CKA_PRIVATE, &bTrue, sizeof(bTrue) },
{ CKA_DECRYPT, &bTrue, sizeof(bTrue) },
{ CKA_SIGN, &bFalse,sizeof(bFalse) },
{ CKA_UNWRAP, &bTrue, sizeof(bTrue) },
{ CKA_SENSITIVE, &bFalse, sizeof(bFalse) },
{ CKA_EXTRACTABLE, &bTrue, sizeof(bTrue) }
};
hRsa = CK_INVALID_HANDLE;
rv = C_UnwrapKey(hSession, &mechanism, hKey, wrappedPtr, wrappedLen, nRsaAttribs, sizeof(nRsaAttribs)/sizeof(CK_ATTRIBUTE), &hRsa);
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(hRsa != CK_INVALID_HANDLE);
rsaAttribs[2].pValue = p2Ptr + p2Len;
rv = C_GetAttributeValue(hSession, hRsa, rsaAttribs, sizeof(rsaAttribs)/sizeof(CK_ATTRIBUTE));
CPPUNIT_ASSERT(rv == CKR_OK);
CPPUNIT_ASSERT(rsaAttribs[0].ulValueLen == sizeof(CK_OBJECT_CLASS));
CPPUNIT_ASSERT(*(CK_OBJECT_CLASS*)rsaAttribs[0].pValue == CKO_PRIVATE_KEY);
CPPUNIT_ASSERT(rsaAttribs[1].ulValueLen == sizeof(CK_KEY_TYPE));
CPPUNIT_ASSERT(*(CK_KEY_TYPE*)rsaAttribs[1].pValue == CKK_RSA);
CPPUNIT_ASSERT(rsaAttribs[2].ulValueLen == p2Len);
CPPUNIT_ASSERT(memcmp(p2Ptr, p2Ptr + p2Len, p2Len) == 0);
free(wrappedPtr);
free(p2Ptr);
rv = C_DestroyObject(hSession, hRsa);
CPPUNIT_ASSERT(rv == CKR_OK);
#endif
}
/*
* Store private key
*/
static int pkcs11_store_key(PKCS11_TOKEN *token, EVP_PKEY *pk,
unsigned int type, char *label, unsigned char *id, size_t id_len,
PKCS11_KEY ** ret_key)
{
PKCS11_SLOT *slot = TOKEN2SLOT(token);
PKCS11_CTX *ctx = TOKEN2CTX(token);
PKCS11_SLOT_private *spriv = PRIVSLOT(slot);
CK_OBJECT_HANDLE object;
CK_ATTRIBUTE attrs[32];
unsigned int n = 0;
int rv;
const BIGNUM *rsa_n, *rsa_e, *rsa_d, *rsa_p, *rsa_q;
/* First, make sure we have a session */
if (!spriv->haveSession && PKCS11_open_session(slot, 1))
return -1;
/* Now build the key attrs */
pkcs11_addattr_int(attrs + n++, CKA_CLASS, type);
if (label)
pkcs11_addattr_s(attrs + n++, CKA_LABEL, label);
if (id && id_len)
pkcs11_addattr(attrs + n++, CKA_ID, id, id_len);
pkcs11_addattr_bool(attrs + n++, CKA_TOKEN, TRUE);
if (type == CKO_PRIVATE_KEY) {
pkcs11_addattr_bool(attrs + n++, CKA_PRIVATE, TRUE);
pkcs11_addattr_bool(attrs + n++, CKA_SENSITIVE, TRUE);
pkcs11_addattr_bool(attrs + n++, CKA_DECRYPT, TRUE);
pkcs11_addattr_bool(attrs + n++, CKA_SIGN, TRUE);
pkcs11_addattr_bool(attrs + n++, CKA_UNWRAP, TRUE);
} else { /* CKO_PUBLIC_KEY */
pkcs11_addattr_bool(attrs + n++, CKA_ENCRYPT, TRUE);
pkcs11_addattr_bool(attrs + n++, CKA_VERIFY, TRUE);
pkcs11_addattr_bool(attrs + n++, CKA_WRAP, TRUE);
}
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA) {
RSA *rsa = EVP_PKEY_get1_RSA(pk);
#else
if (pk->type == EVP_PKEY_RSA) {
RSA *rsa = pk->pkey.rsa;
#endif
pkcs11_addattr_int(attrs + n++, CKA_KEY_TYPE, CKK_RSA);
#if OPENSSL_VERSION_NUMBER >= 0x10100005L
RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d);
RSA_get0_factors(rsa, &rsa_p, &rsa_q);
#else
rsa_n=rsa->n;
rsa_e=rsa->e;
rsa_d=rsa->d;
rsa_p=rsa->p;
rsa_q=rsa->q;
#endif
pkcs11_addattr_bn(attrs + n++, CKA_MODULUS, rsa_n);
pkcs11_addattr_bn(attrs + n++, CKA_PUBLIC_EXPONENT, rsa_e);
if (type == CKO_PRIVATE_KEY) {
pkcs11_addattr_bn(attrs + n++, CKA_PRIVATE_EXPONENT, rsa_d);
pkcs11_addattr_bn(attrs + n++, CKA_PRIME_1, rsa_p);
pkcs11_addattr_bn(attrs + n++, CKA_PRIME_2, rsa_q);
}
} else {
pkcs11_zap_attrs(attrs, n);
PKCS11err(type == CKO_PRIVATE_KEY ?
PKCS11_F_PKCS11_STORE_PRIVATE_KEY :
PKCS11_F_PKCS11_STORE_PUBLIC_KEY,
PKCS11_NOT_SUPPORTED);
return -1;
}
/* Now call the pkcs11 module to create the object */
rv = CRYPTOKI_call(ctx, C_CreateObject(spriv->session, attrs, n, &object));
/* Zap all memory allocated when building the template */
pkcs11_zap_attrs(attrs, n);
CRYPTOKI_checkerr(PKCS11_F_PKCS11_STORE_PRIVATE_KEY, rv);
/* Gobble the key object */
return pkcs11_init_key(ctx, token, spriv->session, object, type, ret_key);
}
/*
* Get the key type
*/
int pkcs11_get_key_type(PKCS11_KEY *key)
{
PKCS11_KEY_private *kpriv = PRIVKEY(key);
return kpriv->ops->type;
}
FLAG ECCTest_out()
{
CK_RV rv = 0;
CK_SLOT_ID SlotId = 0;
CK_SESSION_HANDLE hSession = 0;
CK_OBJECT_HANDLE hECCPubKey = 0;
CK_OBJECT_HANDLE hECCPriKey = 0;
CK_BBOOL isTrue = TRUE;
CK_ULONG ECCPubKeyClass = CKO_PUBLIC_KEY;
CK_ULONG ECCPriKeyClass = CKO_PRIVATE_KEY;
CK_BYTE Id[] = "MY_ECC_KEY";
CK_ATTRIBUTE ECCPubKey[] = {
{CKA_CLASS, &ECCPubKeyClass, sizeof(ECCPubKeyClass)},
{CKA_ID, &Id, strlen(Id)},
{CKA_TOKEN, &isTrue, sizeof(isTrue)}
};
CK_ATTRIBUTE ECCPriKey[] = {
{CKA_CLASS, &ECCPriKeyClass, sizeof(ECCPriKeyClass)},
{CKA_ID, &Id, strlen(Id)},
{CKA_TOKEN, &isTrue, sizeof(isTrue)}
};
CK_ATTRIBUTE CreateECCPubKey[] = {
{CKA_CLASS, NULL_PTR, 0},
{CKA_MODULUS_BITS, NULL_PTR, 0},
{CKA_ID, NULL_PTR, 0},
{CKA_EC_POINT, NULL_PTR, 0}
};
CK_ATTRIBUTE CreateECCPriKey[] = {
{CKA_CLASS, NULL_PTR, 0},
{CKA_ID, NULL_PTR, 0},
{CKA_MODULUS_BITS, NULL_PTR, 0},
{CKA_VALUE, NULL_PTR, 0}
};
CK_MECHANISM ECCGenKey = {CKM_ECDSA_KEY_PAIR_GEN, NULL_PTR, 0};
CK_MECHANISM mECCEncrypt = {CKM_ECDSA_PKCS, NULL_PTR, 0};
CK_BYTE indata[160] = {0x00};
CK_BYTE outdata[300] = {0x00};
CK_BYTE temp[300] = {0x00};
CK_ULONG outlength = 0;
CK_ULONG templength = 0;
printf("ECC Outside Encrypt and Decrypt!\n");
rv = C_OpenSession(SlotId, CKF_SERIAL_SESSION|CKF_RW_SESSION, NULL_PTR, NULL, &hSession);
#ifdef DEVICE_KEY
C_Login(hSession, CKU_SO, "11111111", 8);
#endif
rv = C_GenerateKeyPair(hSession, &ECCGenKey, ECCPubKey, 3, ECCPriKey, 3, &hECCPubKey, &hECCPriKey);
rv = C_CloseSession(hSession);
rv = C_OpenSession(SlotId, CKF_SERIAL_SESSION|CKF_RW_SESSION, NULL_PTR, NULL, &hSession);
#ifdef DEVICE_KEY
C_Login(hSession, CKU_SO, "11111111", 8);
#endif
rv = C_GetAttributeValue(hSession, hECCPubKey, CreateECCPubKey, 4);
if (rv == 0)
{
CreateECCPubKey[0].pValue = malloc(CreateECCPubKey[0].ulValueLen);
if (CreateECCPubKey[0].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
return -1;
}
CreateECCPubKey[1].pValue = malloc(CreateECCPubKey[1].ulValueLen);
if (CreateECCPubKey[1].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPubKey, 1);
return -1;
}
CreateECCPubKey[2].pValue = malloc(CreateECCPubKey[2].ulValueLen);
if (CreateECCPubKey[2].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPubKey, 2);
return -1;
}
CreateECCPubKey[3].pValue = malloc(CreateECCPubKey[3].ulValueLen);
if (CreateECCPubKey[3].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPubKey, 3);
return -1;
}
rv = C_GetAttributeValue(hSession, hECCPubKey, CreateECCPubKey, 4);
rv = C_DestroyObject(hSession, hECCPubKey);
rv = C_CreateObject(hSession, CreateECCPubKey, 4, &hECCPubKey);
}
FreeAttribute(CreateECCPubKey, 4);
memset(indata, 0x33, 110);
memset(outdata, 0x00, 300);
memset(temp, 0x00, 300);
rv = C_EncryptInit(hSession, &mECCEncrypt, hECCPubKey);
rv = C_Encrypt(hSession, indata, 110, outdata, &outlength);
rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 4);
if (rv == 0)
{
CreateECCPriKey[0].pValue = malloc(CreateECCPriKey[0].ulValueLen);
if (CreateECCPriKey[0].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
return -1;
}
CreateECCPriKey[1].pValue = malloc(CreateECCPriKey[1].ulValueLen);
if (CreateECCPriKey[1].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPriKey, 1);
return -1;
}
CreateECCPriKey[2].pValue = malloc(CreateECCPriKey[2].ulValueLen);
if (CreateECCPriKey[2].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPriKey, 2);
return -1;
}
CreateECCPriKey[3].pValue = malloc(CreateECCPriKey[3].ulValueLen);
if (CreateECCPriKey[3].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPriKey, 3);
return -1;
}
rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 4);
rv = C_DestroyObject(hSession, hECCPriKey);
rv = C_CreateObject(hSession, CreateECCPriKey, 4, &hECCPriKey);
}
FreeAttribute(CreateECCPriKey, 4);
rv = C_DecryptInit(hSession, &mECCEncrypt, hECCPriKey);
rv = C_Decrypt(hSession, outdata, outlength, temp, &templength);
#ifdef DEVICE_KEY
C_Logout(hSession);
#endif
rv = C_CloseSession(hSession);
if (memcmp(indata, temp, 110) == 0 && templength == 110)
{
printf("OK ECC OUT!\n");
}
else
{
printf("ERROR ECC OUT!\n");
}
return 0;
}
FLAG ECCTest_in()
{
CK_RV rv = 0;
CK_SLOT_ID SlotId = 0;
CK_SESSION_HANDLE hSession = 0;
CK_ULONG ECCPubKeyClass = CKO_PUBLIC_KEY;
CK_ULONG ECCPriKeyClass = CKO_PRIVATE_KEY;
CK_BYTE ECCPubLabel[] = "ECC_PUBLIC_KEY_7";
CK_BYTE ECCPriLabel[] = "ECC_PRIVATE_KEY_7";
CK_BBOOL isFalse = TRUE;
#if 0 /* CKA_LABEL TEST*/
CK_ATTRUBUTE ECCKeyLabel = {
CAK_LABEL,//type
ECCPub//value
//value_len
};
#endif /* END CAK_LABEL TEST*/
CK_ATTRIBUTE ECCPubKey[] = {
{CKA_CLASS, &ECCPubKeyClass, sizeof(ECCPubKeyClass)},
{CKA_LABEL, &ECCPubLabel, sizeof(ECCPubLabel)},
{CKA_TOKEN, &isFalse, sizeof(isFalse)}
};
CK_ATTRIBUTE ECCPriKey[] = {
{CKA_CLASS, &ECCPriKeyClass, sizeof(ECCPriKeyClass)},
{CKA_LABEL, &ECCPriLabel, sizeof(ECCPriLabel)},
{CKA_TOKEN, &isFalse, sizeof(isFalse)}
};
CK_ATTRIBUTE CreateECCPriKey[] = {
{CKA_CLASS, NULL_PTR, 0},
{CKA_MODULUS_BITS, NULL_PTR, 0},
{CKA_VALUE, NULL_PTR, 0}
};
CK_MECHANISM ECCGenKey = {CKM_ECDSA_KEY_PAIR_GEN, NULL_PTR, 0};
CK_MECHANISM mECCEncrypt = {CKM_ECDSA_PKCS, NULL_PTR, 0};
CK_OBJECT_HANDLE hECCPubKey = 0;
CK_OBJECT_HANDLE hECCPriKey = 0;
CK_BYTE indata[160] = {0x00};
CK_BYTE outdata[300] = {0x00};
CK_BYTE temp[300] = {0x00};
CK_ULONG outlength = 0;
CK_ULONG templength = 0;
memset(indata, 0x31, 40);
memset(outdata, 0x00, 300);
memset(temp, 0x00, 300);
printf("ECC Inside Encrypt and Decrypt!\n");
rv = C_OpenSession(SlotId, CKF_SERIAL_SESSION|CKF_RW_SESSION, NULL_PTR, NULL, &hSession);
#ifdef DEVICE_KEY
C_Login(hSession, CKU_SO, "11111111", 8);
#endif
rv = C_GenerateKeyPair(hSession, &ECCGenKey, ECCPubKey, 3, ECCPriKey, 3, &hECCPubKey, &hECCPriKey);
rv = C_EncryptInit(hSession, &mECCEncrypt, hECCPubKey);
rv = C_Encrypt(hSession, indata, 40, outdata, &outlength);
rv = C_DecryptInit(hSession, &mECCEncrypt, hECCPriKey);
rv = C_Decrypt(hSession, outdata, outlength, temp, &templength);
if (memcmp(indata, temp, 40) == 0 && templength == 40)
{
printf("OK ECC IN!\n");
}
else
{
printf("ERROR ECC IN!\n");
}
printf("ECC Crossing Encrypt and Decrypt!\n");
memset(indata, 0x33, 110);
memset(outdata, 0x00, 300);
memset(temp, 0x00, 300);
rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 3);
if (rv == 0)
{
CreateECCPriKey[0].pValue = malloc(CreateECCPriKey[0].ulValueLen);
if (CreateECCPriKey[0].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
return -1;
}
CreateECCPriKey[1].pValue = malloc(CreateECCPriKey[1].ulValueLen);
if (CreateECCPriKey[1].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPriKey, 1);
return -1;
}
CreateECCPriKey[2].pValue = malloc(CreateECCPriKey[2].ulValueLen);
if (CreateECCPriKey[2].pValue == NULL)
{
printf("ECCTest_out->malloc ERROR!\n");
FreeAttribute(CreateECCPriKey, 2);
return -1;
}
rv = C_GetAttributeValue(hSession, hECCPriKey, CreateECCPriKey, 3);
rv = C_CreateObject(hSession, CreateECCPriKey, 3, &hECCPriKey);
}
FreeAttribute(CreateECCPriKey, 3);
rv = C_EncryptInit(hSession, &mECCEncrypt, hECCPubKey);
rv = C_Encrypt(hSession, indata, 110, outdata, &outlength);
rv = C_DecryptInit(hSession, &mECCEncrypt, hECCPriKey);
rv = C_Decrypt(hSession, outdata, outlength, temp, &templength);
if (memcmp(indata, temp, 110) == 0 && templength == 110)
{
printf("OK ECC Crossing!\n");
}
else
{
printf("ERROR ECC Crossing!\n");
}
#ifdef DEVICE_KEY
C_Logout(hSession);
#endif
C_CloseSession(hSession);
return 0;
}
static int updateCertificate( INOUT PKCS11_INFO *pkcs11Info,
IN_HANDLE const CRYPT_HANDLE iCryptHandle,
const BOOLEAN isLeafCert )
{
static const CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
static const CK_CERTIFICATE_TYPE certType = CKC_X_509;
static const CK_BBOOL bTrue = TRUE;
CK_DATE startDate, endDate;
CK_ATTRIBUTE certTemplate[] = {
{ CKA_CLASS, ( CK_VOID_PTR ) &certClass, sizeof( CK_OBJECT_CLASS ) },
{ CKA_CERTIFICATE_TYPE, ( CK_VOID_PTR ) &certType, sizeof( CK_CERTIFICATE_TYPE ) },
{ CKA_TOKEN, ( CK_VOID_PTR ) &bTrue, sizeof( CK_BBOOL ) },
{ CKA_ID, NULL_PTR, 0 },
{ CKA_SUBJECT, NULL_PTR, 0 },
{ CKA_ISSUER, NULL_PTR, 0 },
{ CKA_SERIAL_NUMBER, NULL_PTR, 0 },
{ CKA_VALUE, NULL_PTR, 0 },
/* Optional fields, filled in if required and the driver supports this */
{ CKA_NONE, NULL_PTR, 0 }, /* 8 */
{ CKA_NONE, NULL_PTR, 0 }, /* 9 */
{ CKA_NONE, NULL_PTR, 0 }, /* 10 */
{ CKA_NONE, NULL_PTR, 0 }, /* 11 */
};
CK_OBJECT_HANDLE hObject;
CK_RV status;
MESSAGE_DATA msgData;
DYNBUF subjectDB, iAndSDB, certDB;
BYTE keyID[ CRYPT_MAX_HASHSIZE + 8 ];
BOOLEAN hasURL = FALSE;
time_t theTime;
char label[ CRYPT_MAX_TEXTSIZE + 8 ], uri[ MAX_URL_SIZE + 8 ];
int templateCount = 8, cryptStatus;
assert( isWritePtr( pkcs11Info, sizeof( PKCS11_INFO ) ) );
REQUIRES( isHandleRangeValid( iCryptHandle ) );
/* Get the keyID from the certificate */
setMessageData( &msgData, keyID, CRYPT_MAX_HASHSIZE );
cryptStatus = krnlSendMessage( iCryptHandle, IMESSAGE_GETATTRIBUTE_S,
&msgData, CRYPT_IATTRIBUTE_KEYID );
if( cryptStatusError( cryptStatus ) )
return( CRYPT_ARGERROR_NUM1 );
certTemplate[ 3 ].pValue = msgData.data;
certTemplate[ 3 ].ulValueLen = msgData.length;
/* If it's a leaf certificate, use the keyID to locate the corresponding
public or private key object. This is used as a check to ensure that
the certificate corresponds to a key in the device. In theory this
would allow us to read the label from the key so that we can reuse it
for the certificate, but there doesn't seem to be any good reason for
this and it could lead to problems with multiple certificates with the
same labels so we don't do it */
if( isLeafCert )
{
static const CK_OBJECT_CLASS privkeyClass = CKO_PRIVATE_KEY;
static const CK_OBJECT_CLASS pubkeyClass = CKO_PUBLIC_KEY;
CK_ATTRIBUTE keyTemplate[] = {
{ CKA_CLASS, ( CK_VOID_PTR ) &privkeyClass, sizeof( CK_OBJECT_CLASS ) },
{ CKA_ID, NULL_PTR, 0 }
};
keyTemplate[ 1 ].pValue = certTemplate[ 3 ].pValue;
keyTemplate[ 1 ].ulValueLen = certTemplate[ 3 ].ulValueLen;
cryptStatus = findObject( pkcs11Info, &hObject, keyTemplate, 2 );
if( cryptStatusError( cryptStatus ) )
{
/* Couldn't find a private key with this ID, try for a public key */
keyTemplate[ 0 ].pValue = ( CK_VOID_PTR ) &pubkeyClass;
cryptStatus = findObject( pkcs11Info, &hObject, keyTemplate, 2 );
}
if( cryptStatusError( cryptStatus ) )
return( CRYPT_ARGERROR_NUM1 );
}
/* Get the validFrom and validTo dates. These aren't currently used for
anything, but could be used in the future to handle superceded
certificates in the same way that it's done for PKCS #15 keysets */
setMessageData( &msgData, &theTime, sizeof( time_t ) );
cryptStatus = krnlSendMessage( iCryptHandle, IMESSAGE_GETATTRIBUTE_S,
&msgData, CRYPT_CERTINFO_VALIDFROM );
if( cryptStatusOK( cryptStatus ) )
{
convertDate( &startDate, theTime );
setMessageData( &msgData, &theTime, sizeof( time_t ) );
cryptStatus = krnlSendMessage( iCryptHandle, IMESSAGE_GETATTRIBUTE_S,
&msgData, CRYPT_CERTINFO_VALIDTO );
}
if( cryptStatusError( cryptStatus ) )
return( cryptStatus );
convertDate( &endDate, theTime );
/* Get the subjectName and issuerAndSerialNumber from the certificate */
cryptStatus = dynCreate( &subjectDB, iCryptHandle,
CRYPT_IATTRIBUTE_SUBJECT );
if( cryptStatusError( cryptStatus ) )
return( cryptStatus );
cryptStatus = dynCreate( &iAndSDB, iCryptHandle,
CRYPT_IATTRIBUTE_ISSUERANDSERIALNUMBER );
if( cryptStatusError( cryptStatus ) )
{
dynDestroy( &subjectDB );
return( cryptStatus );
}
certTemplate[ 4 ].pValue = dynData( subjectDB );
certTemplate[ 4 ].ulValueLen = dynLength( subjectDB );
cryptStatus = addIAndSToTemplate( &certTemplate[ 5 ], dynData( iAndSDB ),
dynLength( iAndSDB ) );
if( cryptStatusError( cryptStatus ) )
{
dynDestroy( &subjectDB );
dynDestroy( &iAndSDB );
return( cryptStatus );
}
/* Get the certificate data */
cryptStatus = dynCreateCert( &certDB, iCryptHandle,
CRYPT_CERTFORMAT_CERTIFICATE );
if( cryptStatusError( cryptStatus ) )
{
dynDestroy( &subjectDB );
dynDestroy( &iAndSDB );
return( cryptStatus );
}
certTemplate[ 7 ].pValue = dynData( certDB );
certTemplate[ 7 ].ulValueLen = dynLength( certDB );
/* Get the certificate holder name (label) from the certificate if
available */
setMessageData( &msgData, label, CRYPT_MAX_TEXTSIZE );
cryptStatus = krnlSendMessage( iCryptHandle, IMESSAGE_GETATTRIBUTE_S,
&msgData, CRYPT_IATTRIBUTE_HOLDERNAME );
if( cryptStatusOK( cryptStatus ) )
{
/* We've found a holder name, use it as the certificate object
label */
addTemplateValue( certTemplate[ templateCount ],
CKA_LABEL, msgData.data, msgData.length );
templateCount++;
}
/* Add the certificate dates. These have to be located between the
label and the URI so that we can selectively back out the attributes
that don't work for this driver, see the comments further down for
more details */
addTemplateValue( certTemplate[ templateCount ],
CKA_START_DATE, ( CK_VOID_PTR ) &startDate, sizeof( CK_DATE ) );
templateCount++;
addTemplateValue( certTemplate[ templateCount ],
CKA_END_DATE, ( CK_VOID_PTR ) &endDate, sizeof( CK_DATE ) );
templateCount++;
/* Get the URI from the certificate if available */
setMessageData( &msgData, uri, MAX_URL_SIZE );
cryptStatus = krnlSendMessage( iCryptHandle, IMESSAGE_GETATTRIBUTE_S,
&msgData, CRYPT_IATTRIBUTE_HOLDERURI );
if( cryptStatusOK( cryptStatus ) )
{
/* We've found a holder URI, use it as the certificate object URL */
addTemplateValue( certTemplate[ templateCount ],
CKA_URL, msgData.data, msgData.length );
templateCount++;
hasURL = TRUE;
}
/* Reset the status value, which may contain error values due to not
finding various object attributes above */
cryptStatus = CRYPT_OK;
/* We've finally got everything available, try and update the device with
the certificate data. In theory we should also set CKA_PRIVATE = FALSE
but the Dallas iButton driver doesn't allow this so we have to rely on
drivers doing the right thing with the default setting */
status = C_CreateObject( pkcs11Info->hSession,
( CK_ATTRIBUTE_PTR ) certTemplate, templateCount,
&hObject );
if( hasURL && ( status == CKR_TEMPLATE_INCONSISTENT || \
status == CKR_ATTRIBUTE_TYPE_INVALID ) )
{
/* Support for the PKCS #11 v2.20 attribute CKA_URL is pretty hit-
and-miss, some drivers from ca.2000 support it but others from
ca.2007 still don't so if we get a CKR_ATTRIBUTE_TYPE_INVALID
return code we try again without the CKA_URL */
templateCount--;
status = C_CreateObject( pkcs11Info->hSession,
( CK_ATTRIBUTE_PTR ) certTemplate,
templateCount, &hObject );
}
if( status == CKR_TEMPLATE_INCONSISTENT || \
status == CKR_ATTRIBUTE_TYPE_INVALID )
{
/* Even support for dates is hit-and-miss so if we're still getting
CKR_ATTRIBUTE_TYPE_INVALID we try again without the
CKA_START_DATE/CKA_END_DATE */
templateCount -= 2;
status = C_CreateObject( pkcs11Info->hSession,
( CK_ATTRIBUTE_PTR ) certTemplate,
templateCount, &hObject );
}
if( status != CKR_OK )
cryptStatus = pkcs11MapError( status, CRYPT_ERROR_FAILED );
/* Clean up */
dynDestroy( &subjectDB );
dynDestroy( &iAndSDB );
dynDestroy( &certDB );
return( cryptStatus );
}
BOOL UpdateValidationX509::ValidateUpdate( MFUpdate* pUpdate, UINT8* pValidation, INT32 validationLen )
{
CK_MECHANISM_TYPE mechs[] = { CKM_RSA_PKCS };
CK_SLOT_ID slotID;
CK_SESSION_HANDLE session;
CK_OBJECT_CLASS ckoCert = CKO_CERTIFICATE;
CK_OBJECT_HANDLE hCACert;
CK_MECHANISM_TYPE sha1Mech = CKM_SHA_1;
CK_MECHANISM mech = { CKM_RSA_PKCS, &sha1Mech, sizeof(sha1Mech) };
BOOL retVal = FALSE;
UINT8* caCert;
UINT32 certLen = 0;
if(g_DebuggerPortSslConfig.GetCertificateAuthority == NULL)
{
return FALSE;
}
g_DebuggerPortSslConfig.GetCertificateAuthority( &caCert, &certLen );
CK_ATTRIBUTE attribs[] =
{
{ CKA_CLASS , &ckoCert, sizeof(ckoCert) },
{ CKA_VALUE , caCert , certLen }
};
if(pUpdate->Providers->Storage == NULL) return FALSE;
if(certLen == 0 || caCert == NULL ) return FALSE;
if(pValidation == NULL ) return FALSE;
C_Initialize(NULL);
slotID = Cryptoki_FindSlot(NULL, mechs, ARRAYSIZE(mechs)); if(CK_SLOT_ID_INVALID == slotID) return FALSE;
if(CKR_OK == C_OpenSession(slotID, CKF_SERIAL_SESSION, NULL, NULL, &session) && (CK_SESSION_HANDLE_INVALID != session))
{
if(CKR_OK == C_CreateObject(session, attribs, ARRAYSIZE(attribs), &hCACert) && hCACert != CK_OBJECT_HANDLE_INVALID)
{
if(CKR_OK == C_VerifyInit(session, &mech, hCACert))
{
UINT8 buff[512];
INT32 len = sizeof(buff);
INT32 updateSize = pUpdate->Header.UpdateSize;
INT32 offset = 0;
while(offset < updateSize)
{
if((offset + len) > updateSize)
{
len = updateSize - offset;
}
if(!pUpdate->Providers->Storage->Read(pUpdate->StorageHandle, offset, buff, len)) break;
C_VerifyUpdate(session, buff, len);
offset += len;
}
retVal = CKR_OK == C_VerifyFinal(session, pValidation, (CK_ULONG)validationLen);
}
C_DestroyObject(session, hCACert);
}
C_CloseSession(session);
}
return retVal;
}
/*
* Convert an SPKI data record to PKCS#11
* public key object.
*/
static KMF_RETURN
PKCS_CreatePublicKey(
const KMF_X509_SPKI *pKey,
CK_SESSION_HANDLE ckSession,
CK_OBJECT_HANDLE *pckPublicKey)
{
KMF_RETURN mrReturn = KMF_OK;
CK_RV ckRv;
CK_ATTRIBUTE ckTemplate[MAX_PUBLIC_KEY_TEMPLATES];
CK_ULONG ckNumTemplates = 0;
/* Common object attributes */
CK_OBJECT_CLASS ckObjClass = CKO_PUBLIC_KEY;
CK_BBOOL ckToken = 0;
CK_BBOOL ckPrivate = 0;
/* Common key attributes */
CK_KEY_TYPE ckKeyType;
CK_BBOOL ckDerive = CK_FALSE;
/* Common public key attributes */
CK_BBOOL ckEncrypt = 1;
CK_BBOOL ckVerify = 1;
CK_BBOOL ckVerifyRecover = CK_FALSE;
CK_BBOOL ckWrap = CK_FALSE;
/* Key part array */
KMF_DATA KeyParts[KMF_MAX_PUBLIC_KEY_PARTS];
uint32_t i, uNumKeyParts = KMF_MAX_PUBLIC_KEY_PARTS;
KMF_ALGORITHM_INDEX AlgorithmId;
/* Parse the keyblob */
(void) memset(KeyParts, 0, sizeof (KeyParts));
AlgorithmId = x509_algoid_to_algid(
(KMF_OID *)&pKey->algorithm.algorithm);
if (AlgorithmId == KMF_ALGID_NONE)
return (KMF_ERR_BAD_ALGORITHM);
mrReturn = ExtractSPKIData(pKey, AlgorithmId, KeyParts, &uNumKeyParts);
if (mrReturn != KMF_OK)
return (mrReturn);
/* Fill in the common object attributes */
if (!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_CLASS, (CK_BYTE *)&ckObjClass,
sizeof (ckObjClass)) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_TOKEN, (CK_BYTE *)&ckToken,
sizeof (ckToken)) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_PRIVATE, (CK_BYTE *)&ckPrivate,
sizeof (ckPrivate))) {
mrReturn = KMF_ERR_INTERNAL;
goto cleanup;
}
/* Fill in the common key attributes */
if (get_pk11_data(AlgorithmId, &ckKeyType, NULL, NULL, 0)) {
goto cleanup;
}
if (!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_KEY_TYPE, (CK_BYTE *)&ckKeyType,
sizeof (ckKeyType)) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_DERIVE, (CK_BYTE *)&ckDerive,
sizeof (ckDerive))) {
mrReturn = KMF_ERR_INTERNAL;
goto cleanup;
}
/* Add common public key attributes */
if (!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_ENCRYPT, (CK_BYTE *)&ckEncrypt,
sizeof (ckEncrypt)) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_VERIFY, (CK_BYTE *)&ckVerify,
sizeof (ckVerify)) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_VERIFY_RECOVER,
(CK_BYTE *)&ckVerifyRecover, sizeof (ckVerifyRecover)) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_WRAP, (CK_BYTE *)&ckWrap,
sizeof (ckWrap))) {
mrReturn = KMF_ERR_INTERNAL;
goto cleanup;
}
/* Add algorithm specific attributes */
switch (ckKeyType) {
case CKK_RSA:
if (!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_MODULUS,
(CK_BYTE *)KeyParts[KMF_RSA_MODULUS].Data,
(CK_ULONG)KeyParts[KMF_RSA_MODULUS].Length) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_PUBLIC_EXPONENT,
(CK_BYTE *)KeyParts[KMF_RSA_PUBLIC_EXPONENT].Data,
(CK_ULONG)KeyParts[KMF_RSA_PUBLIC_EXPONENT].Length)) {
mrReturn = KMF_ERR_INTERNAL;
goto cleanup;
}
break;
case CKK_DSA:
if (!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_PRIME,
(CK_BYTE *)KeyParts[KMF_DSA_PRIME].Data,
(CK_ULONG)KeyParts[KMF_DSA_PRIME].Length) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_SUBPRIME,
(CK_BYTE *)KeyParts[KMF_DSA_SUB_PRIME].Data,
(CK_ULONG)KeyParts[KMF_DSA_SUB_PRIME].Length) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_BASE,
(CK_BYTE *)KeyParts[KMF_DSA_BASE].Data,
(CK_ULONG)KeyParts[KMF_DSA_BASE].Length) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_VALUE,
(CK_BYTE *)KeyParts[KMF_DSA_PUBLIC_VALUE].Data,
(CK_ULONG)KeyParts[KMF_DSA_PUBLIC_VALUE].Length)) {
mrReturn = KMF_ERR_INTERNAL;
goto cleanup;
}
break;
case CKK_EC:
if (!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_EC_POINT,
(CK_BYTE *)KeyParts[KMF_ECDSA_POINT].Data,
(CK_ULONG)KeyParts[KMF_ECDSA_POINT].Length) ||
!PKCS_AddTemplate(ckTemplate, &ckNumTemplates,
MAX_PUBLIC_KEY_TEMPLATES, CKA_EC_PARAMS,
(CK_BYTE *)KeyParts[KMF_ECDSA_PARAMS].Data,
(CK_ULONG)KeyParts[KMF_ECDSA_PARAMS].Length)) {
mrReturn = KMF_ERR_INTERNAL;
goto cleanup;
}
break;
default:
mrReturn = KMF_ERR_BAD_PARAMETER;
}
if (mrReturn == KMF_OK) {
/* Instantiate the object */
ckRv = C_CreateObject(ckSession, ckTemplate,
ckNumTemplates, pckPublicKey);
if (ckRv != CKR_OK)
mrReturn = KMF_ERR_INTERNAL;
}
cleanup:
for (i = 0; i < uNumKeyParts; i++) {
kmf_free_data(&KeyParts[i]);
}
return (mrReturn);
}
