Some comments, see below...
> --- a/usr/lib/pkcs11/soft_stdll/soft_specific.c
> +++ b/usr/lib/pkcs11/soft_stdll/soft_specific.c
> @@ -822,7 +822,7 @@ os_specific_rsa_keygen(TEMPLATE *publ_tmpl, TEMPLATE
> *priv_tmpl)
> RSA *rsa;
> BIGNUM *bignum;
> CK_BYTE *ssl_ptr;
> - unsigned long three = 3;
> + void *e = NULL;
>
> flag = template_attribute_find( publ_tmpl, CKA_MODULUS_BITS, &attr );
> if (!flag){
> @@ -831,22 +831,46 @@ os_specific_rsa_keygen(TEMPLATE *publ_tmpl, TEMPLATE
> *priv_tmpl)
> }
> mod_bits = *(CK_ULONG *)attr->pValue;
>
> + if (mod_bits < 512 || mod_bits > 4096) {
> + st_err_log(19, __FILE__, __LINE__);
> + return CKR_KEY_SIZE_RANGE;
> + }
> +
> flag = template_attribute_find( publ_tmpl, CKA_PUBLIC_EXPONENT,
> &publ_exp );
> if (!flag){
> st_err_log(48, __FILE__, __LINE__);
> return CKR_TEMPLATE_INCOMPLETE;
> }
>
> -
> - // we don't support less than 1024 bit keys in the sw
> - if (mod_bits < 512 || mod_bits > 4096) {
> + // Sanity check of public exponent length.
> + if (publ_exp->ulValueLen > sizeof(CK_ULONG)) {
Please use sizeof(unsigned long) here
The restriction here is really about OpenSSL only supporting 'unsigned
long' as a public exponent. We might know that CK_ULONG is the same as
unsigned long, but that's not obligatory and who knows if this is still
true elsewhere (or in the future)?
> st_err_log(19, __FILE__, __LINE__);
> return CKR_KEY_SIZE_RANGE;
> }
>
> - // Because of a limition of OpenSSL, this token only supports
> - // 3 as an exponent in RSA key generation
> - rsa = RSA_generate_key(mod_bits, three, NULL, NULL);
> + e = calloc(1, sizeof(CK_ULONG));
Same thing. sizeof(unsigned long).
> + if (e == NULL) {
> + st_err_log(1, __FILE__, __LINE__);
> + return CKR_HOST_MEMORY;
> + }
> +
> +#ifndef __BYTE_ORDER
> +#error "Architecture endianness is not defined."
> +#endif
> +
> +#if __BYTE_ORDER == __LITTLE_ENDIAN
> + memcpy(e, publ_exp->pValue, publ_exp->ulValueLen);
> +
> +#else
> + memcpy(e + (sizeof(CK_ULONG) - publ_exp->ulValueLen), publ_exp->pValue,
> publ_exp->ulValueLen);
... sizeof(unsigned long)
> +
> +#endif
> +
> + rsa = RSA_generate_key(mod_bits, *(unsigned long *)e, NULL, NULL);
> +
> + free(e);
> + e = NULL;
> +
> if (rsa == NULL) {
> st_err_log(4, __FILE__, __LINE__);
> return CKR_FUNCTION_FAILED;
Thanks!
-Klaus
------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Opencryptoki-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/opencryptoki-tech
