https://fedorahosted.org/freeipa/ticket/4657#comment:13

Patch attached.

--
Martin Basti

From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 11 Feb 2015 14:05:46 +0100
Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism

Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
---
 ipapython/ipap11helper/p11helper.c | 72 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c4cccc1128b1c9e7 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -53,6 +53,22 @@
 // TODO
 #define CKA_COPYABLE           (0x0017)
 
+#define CKG_MGF1_SHA1         (0x00000001)
+
+#define CKZ_DATA_SPECIFIED    (0x00000001)
+
+struct ck_rsa_pkcs_oaep_params {
+  CK_MECHANISM_TYPE hash_alg;
+  unsigned long mgf;
+  unsigned long source;
+  void *source_data;
+  unsigned long source_data_len;
+};
+
+typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+
 CK_BBOOL true = CK_TRUE;
 CK_BBOOL false = CK_FALSE;
 
@@ -118,6 +134,17 @@ CK_BBOOL* bool;
 } PyObj2Bool_mapping_t;
 
 /**
+ * Constants
+ */
+static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
+    .hash_alg = CKM_SHA_1,
+    .mgf = CKG_MGF1_SHA1,
+    .source = CKZ_DATA_SPECIFIED,
+    .source_data = NULL,
+    .source_data_len = 0
+};
+
+/**
  * ipap11helper Exceptions
  */
 static PyObject *ipap11helperException; //parent class for all exceptions
@@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds)
     CK_BYTE_PTR wrapped_key = NULL;
     CK_ULONG wrapped_key_len = 0;
     CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
-    CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
     /* currently we don't support parameter in mechanism */
 
     static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL };
     //TODO check long overflow
     //TODO export method
     if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key,
-            &object_wrapping_key, &wrapping_mech_type)) {
+            &object_wrapping_key, &wrapping_mech.mechanism)) {
         return NULL;
     }
-    wrapping_mech.mechanism = wrapping_mech_type;
+
+    // fill mech parameters
+    switch(wrapping_mech.mechanism){
+        case CKM_RSA_PKCS:
+        case CKM_AES_KEY_WRAP:
+        case CKM_AES_KEY_WRAP_PAD:
+            //default params
+        break;
+
+        case CKM_RSA_PKCS_OAEP:
+            /* Use the same configuration as openSSL
+             * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
+             */
+             wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
+             wrapping_mech.ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
+        break;
+
+        default:
+            PyErr_SetString(ipap11helperError, "Unsupported wrapping mechanism");
+            return NULL;
+    }
 
     rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
             object_wrapping_key, object_key, NULL, &wrapped_key_len);
@@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args,
         return NULL;
     }
 
+    switch(wrapping_mech.mechanism){
+        case CKM_RSA_PKCS:
+        case CKM_AES_KEY_WRAP:
+        case CKM_AES_KEY_WRAP_PAD:
+            //default params
+        break;
+
+        case CKM_RSA_PKCS_OAEP:
+            /* Use the same configuration as openSSL
+             * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
+             */
+             wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
+             wrapping_mech.ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
+        break;
+
+        default:
+            PyErr_SetString(ipap11helperError, "Unsupported wrapping mechanism");
+            return NULL;
+    }
+
     label = (unsigned char*) unicode_to_char_array(label_unicode,
             &label_length); //TODO verify signed/unsigned
 
-- 
2.1.0

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to