Hi all, While trying to sign using some example apps written in Java and C using PKCS#11 and OpenSC, the verification always fails. The command `pkcs11-tool -l -t`, which signs some random data, fails as well.
After some tests, I have realized that whenever the signature buffer's size is bigger than the exact signature length, the verification procedure fails. According to the PKCS#11 standard v2.20, section 11.2: ---->%----->%----- If pBuf is not NULL_PTR, then *pulBufLen must contain the size in bytes of the buffer pointed to by pBuf. If that buffer is large enough to hold the cryptographic output produced from the input to the function, then that cryptographic output is placed there, and CKR_OK is returned by the function. If the buffer is not large enough, then CKR_BUFFER_TOO_SMALL is returned. In either case, *pulBufLen is set to hold the exact number of bytes needed to hold the cryptographic output produced from the input to the function. ---->%----->%----- So, according to it, OpenSC should return the exact number of bytes needed. I attach a patch with the minimum code modifications, which I've tested and which worked for me. Could anyone test my patch and, if it is correct, apply it to the OpenSC code? Best regards, -- Albert Solana Berengué [EMAIL PROTECTED] C3PO, S.L. http://www.c3po.es C/Bertran, 113 - 08023 Barcelona Tel. 93 417 99 55 - Fax. 93 253 12 80
Index: src/tools/pkcs15-crypt.c
===================================================================
--- src/tools/pkcs15-crypt.c (revision 2938)
+++ src/tools/pkcs15-crypt.c (working copy)
@@ -308,7 +308,7 @@
 #endif } else { r = sc_pkcs15_compute_signature(p15card, obj, opt_crypt_flags,
- buf, c, out, len);
+ buf, c, out, &len);
 } if (r < 0) { fprintf(stderr, "Compute signature failed: %s\n", sc_strerror(r));
Index: src/tools/opensc-explorer.c
===================================================================
--- src/tools/opensc-explorer.c (revision 2938)
+++ src/tools/opensc-explorer.c (working copy)
@@ -1234,7 +1234,7 @@
 /* Perform the actual sign. */ r = sc_compute_signature(card, indata, indatalen,
- outdata, outdatalen);
+ outdata, &outdatalen);
 if (r<0) { printf("Signing failed: %s\n", sc_strerror (r)); return -1;
Index: src/pkcs11/framework-pkcs15.c
===================================================================
--- src/pkcs11/framework-pkcs15.c (revision 2938)
+++ src/pkcs11/framework-pkcs15.c (working copy)
@@ -1934,7 +1934,7 @@
 pData, ulDataLen, pSignature,
- *pulDataLen);
+ (size_t *)pulDataLen);
 /* Do we have to try a re-login and then try to sign again? */ if (rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
@@ -1942,7 +1942,7 @@
 if (rv == 0) rv = sc_pkcs15_compute_signature(fw_data->p15_card, prkey->prv_p15obj, flags, pData, ulDataLen,
- pSignature, *pulDataLen);
+ pSignature, (size_t *)pulDataLen);
 } sc_unlock(ses->slot->card->card);
Index: src/signer/opensc-crypto.c
===================================================================
--- src/signer/opensc-crypto.c (revision 2938)
+++ src/signer/opensc-crypto.c (working copy)
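Review bot: The `(size_t *)pulDataLen` cast in the framework-pkcs15.c hunk at 1934 makes the callee read and write a `size_t` through a pointer that is presumably a `CK_ULONG_PTR`, which is only safe where `unsigned long` and `size_t` have the same width; on an LLP64 target such as 64-bit Windows the store would run past the 4-byte object. The retry call in the hunk at 1942 repeats the cast, and the opensc-crypto.c hunk at 150 passes `siglen` straight through, which has the same problem on LP64 if `siglen` is the `unsigned int *` of OpenSSL's sign callback (its declaration is outside the hunk). Use a local instead: `size_t sig_len = *pulDataLen;`, pass `&sig_len`, then `*pulDataLen = (CK_ULONG)sig_len;` after the call. The enclosing functions start and end outside these hunks.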
@@ -150,9 +150,10 @@
 goto err; } DBG(printf("PIN code received successfully.\n"));
+ *siglen = RSA_size(rsa);
 r = sc_pkcs15_compute_signature(priv->p15card, key, SC_ALGORITHM_RSA_HASH_SHA1 | SC_ALGORITHM_RSA_PAD_PKCS1,
- m, m_len, sigret, RSA_size(rsa));
+ m, m_len, sigret, siglen);
 sc_unlock(priv->p15card->card); if (r < 0) { DBG(printf("sc_pkcs15_compute_signature() failed: %s", sc_strerror(r)));
Index: src/libopensc/iso7816.c
===================================================================
--- src/libopensc/iso7816.c (revision 2938)
+++ src/libopensc/iso7816.c (working copy)
@@ -741,7 +741,7 @@
 static int iso7816_compute_signature(sc_card_t *card, const u8 * data, size_t datalen,
- u8 * out, size_t outlen)
+ u8 * out, size_t * outlen)
 { int r; sc_apdu_t apdu;
@@ -769,9 +769,10 @@
 r = sc_transmit_apdu(card, &apdu); SC_TEST_RET(card->ctx, r, "APDU transmit failed"); if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00) {
- size_t len = apdu.resplen > outlen ? outlen : apdu.resplen;
+ size_t len = apdu.resplen > *outlen ? *outlen : apdu.resplen;
 memcpy(out, apdu.resp, len);
+ *outlen = len;
 SC_FUNC_RETURN(card->ctx, 4, len); } SC_FUNC_RETURN(card->ctx, 4, sc_check_sw(card, apdu.sw1, apdu.sw2));
Index: src/libopensc/sec.c
===================================================================
--- src/libopensc/sec.c (revision 2938)
+++ src/libopensc/sec.c (working copy)
@@ -41,7 +41,7 @@
 int sc_compute_signature(sc_card_t *card, const u8 * data, size_t datalen,
- u8 * out, size_t outlen)
+ u8 * out, size_t * outlen)
 { int r;
Index: src/libopensc/pkcs15.h
===================================================================
--- src/libopensc/pkcs15.h (revision 2938)
+++ src/libopensc/pkcs15.h (working copy)
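Review bot: In the iso7816.c hunk at 769 a response longer than `*outlen` is still cut to fit and returned as success, so the caller receives a truncated signature together with a length that looks exact. The PKCS#11 text quoted in the description asks for the opposite: report the required size and fail. Before the `memcpy`, add `if (apdu.resplen > *outlen) { *outlen = apdu.resplen; SC_FUNC_RETURN(card->ctx, 4, SC_ERROR_BUFFER_TOO_SMALL); }`. A NULL `outlen` should also be rejected at the top of the function, which lies outside this hunk.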
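Review bot: Only the parameter list of `sc_compute_signature` changes in the sec.c hunk at 41; its body lies outside the hunk and no other hunk touches it, so any place there that still treats `outlen` as a byte count (a size check, or forwarding it to the card driver operation) would now be handling a pointer. The same applies to `sc_pkcs15_compute_signature` in the pkcs15-sec.c hunk at 148. It is worth confirming that the driver operation's prototype and the other card drivers that implement it were updated as well, since none of them appear in this patch.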
@@ -419,7 +419,7 @@
 int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card, const struct sc_pkcs15_object *prkey_obj, unsigned long alg_flags, const u8 *in,
- size_t inlen, u8 *out, size_t outlen);
+ size_t inlen, u8 *out, size_t *outlen);
 int sc_pkcs15_read_pubkey(struct sc_pkcs15_card *card, const struct sc_pkcs15_object *obj,
Index: src/libopensc/pkcs15-sec.c
===================================================================
--- src/libopensc/pkcs15-sec.c (revision 2938)
+++ src/libopensc/pkcs15-sec.c (working copy)
@@ -148,7 +148,7 @@
 int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card, const struct sc_pkcs15_object *obj, unsigned long flags, const u8 *in, size_t inlen,
- u8 *out, size_t outlen)
+ u8 *out, size_t *outlen)
 { int r; sc_security_env_t senv;
Index: src/libopensc/opensc.h
===================================================================
--- src/libopensc/opensc.h (revision 2938)
+++ src/libopensc/opensc.h (working copy)
@@ -965,7 +965,7 @@
 int sc_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len, u8 * out, size_t outlen); int sc_compute_signature(sc_card_t *card, const u8 * data,
- size_t data_len, u8 * out, size_t outlen);
+ size_t data_len, u8 * out, size_t * outlen);
 int sc_verify(sc_card_t *card, unsigned int type, int ref, const u8 *buf, size_t buflen, int *tries_left); int sc_logout(sc_card_t *card);
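Review bot: The new `size_t *outlen` parameter in the pkcs15.h hunk at 419 and the opensc.h hunk at 965 has no comment saying it is in/out, and the neighbouring `sc_decipher` keeps `size_t outlen`, so the two declarations read alike but behave differently. Add a comment above each prototype such as `/* outlen: in = capacity of out in bytes, out = length of the signature written */`. Both prototypes sit in library headers, so an existing caller that still passes a length by value would compile with at most a warning and then have that value dereferenced as an address. A changelog entry or a new function name would make the break visible.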