On 12/8/2010 6:36 AM, Aleksey Samsonov wrote:
> Hello,
>
> 2010/11/30 Douglas E. Engert<[email protected]>:
>> On 11/29/2010 4:36 AM, Aleksey Samsonov wrote:
>>> After fix it, I have fail in my tests with GOSTR (PKCS#11 C_Sign).
>>> Unfortunately, I don't have logs now.
>>
>> One thing to look at:
>>
>> In pkcs15-sec.c in sc_pkcs15_compute_signature in the old code there
>> is no mention of GOSTR3410, so I assumed it was RSA only. The old code
>> had:
>>
>>
>> - alg_info = sc_card_find_rsa_alg(p15card->card, prkey->modulus_length);
>> - if (alg_info == NULL) {
>> - sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Card does not support RSA with
>> key length %d\n", prkey->modulus_length);
>> - return SC_ERROR_NOT_SUPPORTED;
>> - senv.algorithm = SC_ALGORITHM_RSA;
>>
>> If you card could support both RSA and GOSTR3410 (and card-rtecp.c
>> supports both with keylength = 256) it might have passed the old test,
>> and ignored the fact that senv.algorithm = SC_ALGORITHM_RSA.
>>
>> The new code does a switch(obj->type) and I only added RSA and EC.
>> So adding something like:
>>
>> + case SC_PKCS15_TYPE_PRKEY_GOSTR3410:
>> + modlen = prkey->modulus_length / 8;
>> + alg_info = sc_card_find_gostr3410_alg(p15card->card,
>> prkey->modulus_length);
>> (A sc_card_find_gostr3410_alg routine is needed for this to work.)
>> +
>> + if (alg_info == NULL) {
>> + sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Card does not support
>> GOSTR3410 key length %d\n", prkey->modulus_length);
>> + return SC_ERROR_NOT_SUPPORTED;
>> + }
>> + senv.flags |= SC_SEC_ENV_ALG_PRESENT;
>> + senv.algorithm = SC_ALGORITHM_RGOST3410;
>> + break;
>>
>>>
>>> I need a few days for detail review.
>
> Sorry for the delay with answer. Thanks for the detail.
> My tests are work with simple diff(I'm going to commit late in the evening):
>
> diff --git a/src/pkcs11/mechanism.c b/src/pkcs11/mechanism.c
> --- a/src/pkcs11/mechanism.c 2010-12-08 15:24:09.040752899 +0300
> +++ b/src/pkcs11/mechanism.c 2010-12-08 15:27:17.294754645 +0300
> @@ -460,7 +460,7 @@
> case CKK_GOSTR3410:
> rv =
> key->ops->get_attribute(operation->session, key,&attr);
> if (rv == CKR_OK)
> - *pLength *= 2;
> + *pLength = (*pLength + 7) / 8 * 2;
> break;
> default:
> rv = CKR_MECHANISM_INVALID;
>
>
Great for now. But in SVN pkcs15-sec.c:188,189:
187 switch (obj->type) {
188 /* FIXME -DEE GOSTR is misusing the sc_card_find_rsa_alg */
189 case SC_PKCS15_TYPE_PRKEY_GOSTR3410:
190 case SC_PKCS15_TYPE_PRKEY_RSA:
191 modlen = prkey->modulus_length / 8;
192 alg_info = sc_card_find_rsa_alg(p15card->card, prkey
This should be fixed sometime, as the GOSTR code is depending on
the RSA alg_info. But GOSTR should have sc_card_find_gostr_alg
and _sc_card_add_gostr_alg routines. In card-rtecp.c there are calls
to _sc_card_add_rsa_alg for 256, 512, 768, (look way to weak for RSA)
It look like they were added because pkcs15-sec.c:192 is only looking
at RSA. So in pkcs15-sec.c above, it is looking at the alg_info created
by the call at card-rtecp.c:73 _sc_card_add_rsa_alg(card, 256, flags, 0);
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
