Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism
On 03/05/2015 02:45 PM, Petr Spacek wrote: On 26.2.2015 16:59, Martin Basti wrote: On 26/02/15 12:47, Petr Spacek wrote: On 11.2.2015 14:10, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4657#comment:13 Patch attached. -- Martin Basti freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 11 Feb 2015 14:05:46 +0100 Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13 --- ipapython/ipap11helper/p11helper.c | 72 -- 1 file changed, 69 insertions(+), 3 deletions(-) diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c index 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7 100644 --- a/ipapython/ipap11helper/p11helper.c +++ b/ipapython/ipap11helper/p11helper.c @@ -53,6 +53,22 @@ // TODO #define CKA_COPYABLE (0x0017) +#define CKG_MGF1_SHA1 (0x0001) + +#define CKZ_DATA_SPECIFIED(0x0001) + +struct ck_rsa_pkcs_oaep_params { + CK_MECHANISM_TYPE hash_alg; + unsigned long mgf; + unsigned long source; + void *source_data; + unsigned long source_data_len; +}; + +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS; +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR; + + CK_BBOOL true = CK_TRUE; CK_BBOOL false = CK_FALSE; @@ -118,6 +134,17 @@ CK_BBOOL* bool; } PyObj2Bool_mapping_t; /** + * Constants + */ +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = { +.hash_alg = CKM_SHA_1, +.mgf = CKG_MGF1_SHA1, +.source = CKZ_DATA_SPECIFIED, +.source_data = NULL, +.source_data_len = 0 +}; + +/** * ipap11helper Exceptions */ static PyObject *ipap11helperException; //parent class for all exceptions 
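Review bot: The locally declared `struct ck_rsa_pkcs_oaep_params` in the `@@ -53,6 +53,22 @@` hunk is read by the loaded PKCS#11 module through `pParameter`, so it has to match the Cryptoki layout field for field. The hunk nevertheless spells its members as `unsigned long` and `void *` rather than the Cryptoki types. Declaring the integer members as `CK_ULONG` and the pointer as `CK_VOID_PTR` keeps the struct tied to the project's pkcs11 header, and a comment such as `/* must mirror CK_RSA_PKCS_OAEP_PARAMS from the PKCS#11 specification; do not reorder */` would record why. As printed here, `#define CKZ_DATA_SPECIFIED(0x0001)` has no space before the parenthesis, which would not compile as an object-like macro. That is probably whitespace lost by the list archive, but it is worth checking against the attached patch.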
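Review bot: `CONST_RSA_PKCS_OAEP_PARAMS` in the `@@ -118,6 +134,17 @@` hunk hard-wires SHA-1 for both the OAEP hash and MGF1, with an empty label, and the `Constants` header comment says nothing about that choice or its consequence. Whoever unwraps the key has to supply exactly the same hash, MGF and label, and as far as these hunks show the Python caller cannot select a different hash. I would replace the header with `/* RSA-OAEP wrapping parameters: SHA-1, MGF1-SHA1, empty label; the unwrapping side must use the identical set; not caller-configurable */`. The same hunk is quoted again in the later messages of this thread and the point applies there unchanged.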
@@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds) CK_BYTE_PTR wrapped_key = NULL; CK_ULONG wrapped_key_len = 0; CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 }; -CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS; /* currently we don't support parameter in mechanism */ static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL }; //TODO check long overflow //TODO export method if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key, -&object_wrapping_key, &wrapping_mech_type)) { +&object_wrapping_key, &wrapping_mech.mechanism)) { return NULL; } -wrapping_mech.mechanism = wrapping_mech_type; + +// fill mech parameters +switch(wrapping_mech.mechanism){ +case CKM_RSA_PKCS: +case CKM_AES_KEY_WRAP: +case CKM_AES_KEY_WRAP_PAD: +//default params +break; + +case CKM_RSA_PKCS_OAEP: +/* Use the same configuration as openSSL + * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html + */ + wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS; + wrapping_mech.ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS); +break; + +default: +PyErr_SetString(ipap11helperError, "Unsupported wrapping mechanism"); +return NULL; +} rv = self->p11->C_WrapKey(self->session, &wrapping_mech, object_wrapping_key, object_key, NULL, &wrapped_key_len); @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args, return NULL; } +switch(wrapping_mech.mechanism){ +case CKM_RSA_PKCS: +case CKM_AES_KEY_WRAP: +case CKM_AES_KEY_WRAP_PAD: +//default params +break; NACK. This switch is duplicate of the previous one. Please split it into an auxiliary function and call it twice. Thank you! Thanks. Updated patch attached. Pushed to master, ipa-4-1. ACK, it works for me. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
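Review bot: The context comment `/* currently we don't support parameter in mechanism */` in the export hunk is left in place although the added `CKM_RSA_PKCS_OAEP` case now sets `pParameter` and `ulParameterLen`, so it misdescribes the new code. I would reword it to `/* mechanism parameters are chosen internally from the mechanism type, not passed by the caller */`. The cast in `wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;` drops `const` from a `static const` object, which is safe only while the PKCS#11 module treats the parameter block as read-only. A short comment next to the cast, for example `/* module must not write through pParameter */`, would make that assumption explicit. The body of P11_Helper_export_wrapped_key starts before and continues after this hunk, so the handling of `rv` and of the wrapped buffer is not visible here.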
Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism
On 26.2.2015 16:59, Martin Basti wrote: > On 26/02/15 12:47, Petr Spacek wrote: >> On 11.2.2015 14:10, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/4657#comment:13 >>> >>> Patch attached. >>> >>> -- >>> Martin Basti >>> >>> >>> freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch >>> >>> >>> From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001 >>> From: Martin Basti >>> Date: Wed, 11 Feb 2015 14:05:46 +0100 >>> Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism >>> >>> Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13 >>> --- >>> ipapython/ipap11helper/p11helper.c | 72 >>> -- >>> 1 file changed, 69 insertions(+), 3 deletions(-) >>> >>> diff --git a/ipapython/ipap11helper/p11helper.c >>> b/ipapython/ipap11helper/p11helper.c >>> index >>> 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7 >>> 100644 >>> --- a/ipapython/ipap11helper/p11helper.c >>> +++ b/ipapython/ipap11helper/p11helper.c >>> @@ -53,6 +53,22 @@ >>> // TODO >>> #define CKA_COPYABLE (0x0017) >>> +#define CKG_MGF1_SHA1 (0x0001) >>> + >>> +#define CKZ_DATA_SPECIFIED(0x0001) >>> + >>> +struct ck_rsa_pkcs_oaep_params { >>> + CK_MECHANISM_TYPE hash_alg; >>> + unsigned long mgf; >>> + unsigned long source; >>> + void *source_data; >>> + unsigned long source_data_len; >>> +}; >>> + >>> +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS; >>> +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR; >>> + >>> + >>> CK_BBOOL true = CK_TRUE; >>> CK_BBOOL false = CK_FALSE; 
>>> @@ -118,6 +134,17 @@ CK_BBOOL* bool; >>> } PyObj2Bool_mapping_t; >>> /** >>> + * Constants >>> + */ >>> +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = { >>> +.hash_alg = CKM_SHA_1, >>> +.mgf = CKG_MGF1_SHA1, >>> +.source = CKZ_DATA_SPECIFIED, >>> +.source_data = NULL, >>> +.source_data_len = 0 >>> +}; >>> + >>> +/** >>>* ipap11helper Exceptions >>>*/ >>> static PyObject *ipap11helperException; //parent class for all exceptions >>> @@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, >>> PyObject *args, PyObject *kwds) >>> CK_BYTE_PTR wrapped_key = NULL; >>> CK_ULONG wrapped_key_len = 0; >>> CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 }; >>> -CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS; >>> /* currently we don't support parameter in mechanism */ >>> static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", >>> NULL }; >>> //TODO check long overflow >>> //TODO export method >>> if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, >>> &object_key, >>> -&object_wrapping_key, &wrapping_mech_type)) { >>> +&object_wrapping_key, &wrapping_mech.mechanism)) { >>> return NULL; >>> } >>> -wrapping_mech.mechanism = wrapping_mech_type; >>> + >>> +// fill mech parameters >>> +switch(wrapping_mech.mechanism){ >>> +case CKM_RSA_PKCS: >>> +case CKM_AES_KEY_WRAP: >>> +case CKM_AES_KEY_WRAP_PAD: >>> +//default params >>> +break; >>> + >>> +case CKM_RSA_PKCS_OAEP: >>> +/* Use the same configuration as openSSL >>> + * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html >>> + */ >>> + wrapping_mech.pParameter = (void*) >>> &CONST_RSA_PKCS_OAEP_PARAMS; >>> + wrapping_mech.ulParameterLen = >>> sizeof(CONST_RSA_PKCS_OAEP_PARAMS); >>> +break; >>> + >>> +default: >>> +PyErr_SetString(ipap11helperError, "Unsupported wrapping >>> mechanism"); >>> +return NULL; >>> +} >>> rv = self->p11->C_WrapKey(self->session, &wrapping_mech, >>> object_wrapping_key, object_key, NULL, &wrapped_key_len); 
>>> @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* >>> self, PyObject *args, >>> return NULL; >>> } >>> +switch(wrapping_mech.mechanism){ >>> +case CKM_RSA_PKCS: >>> +case CKM_AES_KEY_WRAP: >>> +case CKM_AES_KEY_WRAP_PAD: >>> +//default params >>> +break; >> NACK. This switch is duplicate of the previous one. Please split it into an >> auxiliary function and call it twice. >> >> Thank you! >> > Thanks. Updated patch attached. ACK, it works for me. -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism
On 26/02/15 12:47, Petr Spacek wrote: On 11.2.2015 14:10, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4657#comment:13 Patch attached. -- Martin Basti freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 11 Feb 2015 14:05:46 +0100 Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13 --- ipapython/ipap11helper/p11helper.c | 72 -- 1 file changed, 69 insertions(+), 3 deletions(-) diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c index 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7 100644 --- a/ipapython/ipap11helper/p11helper.c +++ b/ipapython/ipap11helper/p11helper.c @@ -53,6 +53,22 @@ // TODO #define CKA_COPYABLE (0x0017) +#define CKG_MGF1_SHA1 (0x0001) + +#define CKZ_DATA_SPECIFIED(0x0001) + +struct ck_rsa_pkcs_oaep_params { + CK_MECHANISM_TYPE hash_alg; + unsigned long mgf; + unsigned long source; + void *source_data; + unsigned long source_data_len; +}; + +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS; +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR; + + CK_BBOOL true = CK_TRUE; CK_BBOOL false = CK_FALSE; @@ -118,6 +134,17 @@ CK_BBOOL* bool; } PyObj2Bool_mapping_t; /** + * Constants + */ +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = { +.hash_alg = CKM_SHA_1, +.mgf = CKG_MGF1_SHA1, +.source = CKZ_DATA_SPECIFIED, +.source_data = NULL, +.source_data_len = 0 +}; + +/** * ipap11helper Exceptions */ static PyObject *ipap11helperException; //parent class for all exceptions 
@@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds) CK_BYTE_PTR wrapped_key = NULL; CK_ULONG wrapped_key_len = 0; CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 }; -CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS; /* currently we don't support parameter in mechanism */ static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL }; //TODO check long overflow //TODO export method if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key, -&object_wrapping_key, &wrapping_mech_type)) { +&object_wrapping_key, &wrapping_mech.mechanism)) { return NULL; } -wrapping_mech.mechanism = wrapping_mech_type; + +// fill mech parameters +switch(wrapping_mech.mechanism){ +case CKM_RSA_PKCS: +case CKM_AES_KEY_WRAP: +case CKM_AES_KEY_WRAP_PAD: +//default params +break; + +case CKM_RSA_PKCS_OAEP: +/* Use the same configuration as openSSL + * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html + */ + wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS; + wrapping_mech.ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS); +break; + +default: +PyErr_SetString(ipap11helperError, "Unsupported wrapping mechanism"); +return NULL; +} rv = self->p11->C_WrapKey(self->session, &wrapping_mech, object_wrapping_key, object_key, NULL, &wrapped_key_len); @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args, return NULL; } +switch(wrapping_mech.mechanism){ +case CKM_RSA_PKCS: +case CKM_AES_KEY_WRAP: +case CKM_AES_KEY_WRAP_PAD: +//default params +break; NACK. This switch is duplicate of the previous one. Please split it into an auxiliary function and call it twice. Thank you! Thanks. Updated patch attached. -- Martin Basti From e10fab710c7fd820fd05f5c1990df5b02eb28862 Mon Sep 17 00:00:00 2001 
From: Martin Basti Date: Wed, 11 Feb 2015 14:05:46 +0100 Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13 --- ipapython/ipap11helper/p11helper.c | 76 -- 1 file changed, 73 insertions(+), 3 deletions(-) diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c index 9172e720d69aab82ab55a41b43b16145dad730f8..9a7b3ce56b4a40c23c461e40a8e1ded28a2d7c49 100644 --- a/ipapython/ipap11helper/p11helper.c +++ b/ipapython/ipap11helper/p11helper.c @@ -56,6 +56,22 @@ // TODO #define CKA_COPYABLE (0x0017) +#define CKG_MGF1_SHA1 (0x0001) + +#define CKZ_DATA_SPECIFIED(0x0001) + +struct ck_rsa_pkcs_oaep_params { + CK_MECHANISM_TYPE hash_alg; + unsigned long mgf; + unsigned long source; + void *source_data; + unsigned long source_data_len; +
Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism
On 11.2.2015 14:10, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/4657#comment:13 > > Patch attached. > > -- > Martin Basti > > > freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch > > > From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001 > From: Martin Basti > Date: Wed, 11 Feb 2015 14:05:46 +0100 > Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism > > Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13 > --- > ipapython/ipap11helper/p11helper.c | 72 > -- > 1 file changed, 69 insertions(+), 3 deletions(-) > > diff --git a/ipapython/ipap11helper/p11helper.c > b/ipapython/ipap11helper/p11helper.c > index > 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7 > 100644 > --- a/ipapython/ipap11helper/p11helper.c > +++ b/ipapython/ipap11helper/p11helper.c > @@ -53,6 +53,22 @@ > // TODO > #define CKA_COPYABLE (0x0017) > > +#define CKG_MGF1_SHA1 (0x0001) > + > +#define CKZ_DATA_SPECIFIED(0x0001) > + > +struct ck_rsa_pkcs_oaep_params { > + CK_MECHANISM_TYPE hash_alg; > + unsigned long mgf; > + unsigned long source; > + void *source_data; > + unsigned long source_data_len; > +}; > + > +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS; > +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR; > + > + > CK_BBOOL true = CK_TRUE; > CK_BBOOL false = CK_FALSE; > > @@ -118,6 +134,17 @@ CK_BBOOL* bool; > } PyObj2Bool_mapping_t; > > /** > + * Constants > + */ > +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = { > +.hash_alg = CKM_SHA_1, > +.mgf = CKG_MGF1_SHA1, > +.source = CKZ_DATA_SPECIFIED, > +.source_data = NULL, > +.source_data_len = 0 > +}; > + > +/** > * ipap11helper Exceptions > */ > static PyObject *ipap11helperException; //parent class for all exceptions 
> @@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, > PyObject *args, PyObject *kwds) > CK_BYTE_PTR wrapped_key = NULL; > CK_ULONG wrapped_key_len = 0; > CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 }; > -CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS; > /* currently we don't support parameter in mechanism */ > > static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL }; > //TODO check long overflow > //TODO export method > if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key, > -&object_wrapping_key, &wrapping_mech_type)) { > +&object_wrapping_key, &wrapping_mech.mechanism)) { > return NULL; > } > -wrapping_mech.mechanism = wrapping_mech_type; > + > +// fill mech parameters > +switch(wrapping_mech.mechanism){ > +case CKM_RSA_PKCS: > +case CKM_AES_KEY_WRAP: > +case CKM_AES_KEY_WRAP_PAD: > +//default params > +break; > + > +case CKM_RSA_PKCS_OAEP: > +/* Use the same configuration as openSSL > + * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html > + */ > + wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS; > + wrapping_mech.ulParameterLen = > sizeof(CONST_RSA_PKCS_OAEP_PARAMS); > +break; > + > +default: > +PyErr_SetString(ipap11helperError, "Unsupported wrapping > mechanism"); > +return NULL; > +} > > rv = self->p11->C_WrapKey(self->session, &wrapping_mech, > object_wrapping_key, object_key, NULL, &wrapped_key_len); > @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, > PyObject *args, > return NULL; > } > > +switch(wrapping_mech.mechanism){ > +case CKM_RSA_PKCS: > +case CKM_AES_KEY_WRAP: > +case CKM_AES_KEY_WRAP_PAD: > +//default params > +break; NACK. This switch is duplicate of the previous one. Please split it into an auxiliary function and call it twice. Thank you! -- Petr^2 Spacek ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel