Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism

2015-03-06 Thread Tomas Babej


On 03/05/2015 02:45 PM, Petr Spacek wrote:

On 26.2.2015 16:59, Martin Basti wrote:

On 26/02/15 12:47, Petr Spacek wrote:

On 11.2.2015 14:10, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4657#comment:13

Patch attached.

--
Martin Basti


freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch


  From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Feb 2015 14:05:46 +0100
Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism

Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
---
   ipapython/ipap11helper/p11helper.c | 72
--
   1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipap11helper/p11helper.c
b/ipapython/ipap11helper/p11helper.c
index
4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7
100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -53,6 +53,22 @@
   // TODO
   #define CKA_COPYABLE   (0x0017)
   
+#define CKG_MGF1_SHA1 (0x0001)
+
+#define CKZ_DATA_SPECIFIED(0x0001)
+
+struct ck_rsa_pkcs_oaep_params {
+  CK_MECHANISM_TYPE hash_alg;
+  unsigned long mgf;
+  unsigned long source;
+  void *source_data;
+  unsigned long source_data_len;
+};
+
+typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+
   CK_BBOOL true = CK_TRUE;
   CK_BBOOL false = CK_FALSE;
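Review bot: As rendered, `#define CKZ_DATA_SPECIFIED(0x0001)` has no space between the macro name and the parenthesis, which the preprocessor reads as a function-like macro with an invalid parameter name and rejects; if the patch really reads this way rather than the archive having collapsed whitespace, it needs `#define CKZ_DATA_SPECIFIED (0x0001)`, matching the CKG_MGF1_SHA1 line above it. The locally declared `struct ck_rsa_pkcs_oaep_params` is handed to the token verbatim through pParameter, so its field order and widths must match the CK_RSA_PKCS_OAEP_PARAMS layout the module expects, and nothing in the hunk records that constraint. A comment on the struct such as `/* Mirrors PKCS#11 CK_RSA_PKCS_OAEP_PARAMS (hashAlg, mgf, source, pSourceData, ulSourceDataLen); declared here presumably because the header in use lacks it - keep the layout in sync with the spec. */` would keep a later cleanup from reordering or retyping the fields. The identical hunk is quoted again in the three later messages on this page; the same points apply there.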
   
@@ -118,6 +134,17 @@ CK_BBOOL* bool;
   } PyObj2Bool_mapping_t;
 /**
+ * Constants
+ */
+static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
+.hash_alg = CKM_SHA_1,
+.mgf = CKG_MGF1_SHA1,
+.source = CKZ_DATA_SPECIFIED,
+.source_data = NULL,
+.source_data_len = 0
+};
+
+/**
* ipap11helper Exceptions
*/
   static PyObject *ipap11helperException; //parent class for all exceptions
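Review bot: The new `Constants` comment says nothing about what the OAEP parameter table means or why its values are fixed, and this table is the one place where the padding policy is set. A doc comment on CONST_RSA_PKCS_OAEP_PARAMS such as `/* OAEP parameters: SHA-1 hash, MGF1-SHA1, empty encoding label (NULL source_data, length 0) - the same defaults the OpenSSL RSA_public_encrypt documentation describes; whoever unwraps the key must use identical parameters, and they are not selectable from Python. */` would spell that out for the next maintainer. Whether another hash should be offered later is a question for the ticket, but the comment should at least record that the hash is hard-wired here. The same hunk is repeated in the quoted copies of the patch further down the page.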
@@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self,
PyObject *args, PyObject *kwds)
   CK_BYTE_PTR wrapped_key = NULL;
   CK_ULONG wrapped_key_len = 0;
   CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
-CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
   /* currently we don't support parameter in mechanism */
 static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech",
NULL };
   //TODO check long overflow
   //TODO export method
   if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist,
&object_key,
-&object_wrapping_key, &wrapping_mech_type)) {
+&object_wrapping_key, &wrapping_mech.mechanism)) {
   return NULL;
   }
-wrapping_mech.mechanism = wrapping_mech_type;
+
+// fill mech parameters
+switch(wrapping_mech.mechanism){
+case CKM_RSA_PKCS:
+case CKM_AES_KEY_WRAP:
+case CKM_AES_KEY_WRAP_PAD:
+//default params
+break;
+
+case CKM_RSA_PKCS_OAEP:
+/* Use the same configuration as openSSL
+ * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
+ */
+ wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
+ wrapping_mech.ulParameterLen =
sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
+break;
+
+default:
+PyErr_SetString(ipap11helperError, "Unsupported wrapping
mechanism");
+return NULL;
+}
 rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
   object_wrapping_key, object_key, NULL, &wrapped_key_len);
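Review bot: `wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;` casts away `const` and passes a pointer to a read-only object through the non-const CK_MECHANISM_PTR that C_WrapKey takes, so a module that ever writes into its parameter block would fault on read-only memory. Copying the table into a stack object avoids the cast entirely: declare `CK_RSA_PKCS_OAEP_PARAMS oaep_params = CONST_RSA_PKCS_OAEP_PARAMS;` with the other locals and set `wrapping_mech.pParameter = &oaep_params;` in the OAEP case. The context line `/* currently we don't support parameter in mechanism */` above kwlist is now false for the OAEP case and should be dropped or reworded to `/* mechanism parameters are filled in per mechanism below */`. P11_Helper_export_wrapped_key begins before this hunk, and the same change is quoted again in the three later copies of the patch on this page.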
@@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper*
self, PyObject *args,
   return NULL;
   }
   
+switch(wrapping_mech.mechanism){
+case CKM_RSA_PKCS:
+case CKM_AES_KEY_WRAP:
+case CKM_AES_KEY_WRAP_PAD:
+//default params
+break;

NACK. This switch is a duplicate of the previous one. Please split it into an
auxiliary function and call it twice.

Thank you!


Thanks. Updated patch attached.


Pushed to master, ipa-4-1.

ACK, it works for me.





Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism

2015-03-05 Thread Petr Spacek
On 26.2.2015 16:59, Martin Basti wrote:
> On 26/02/15 12:47, Petr Spacek wrote:
>> On 11.2.2015 14:10, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/4657#comment:13
>>>
>>> Patch attached.
>>>
>>> -- 
>>> Martin Basti
>>>
>>>
>>> freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch
>>>
>>>
>>>  From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
>>> From: Martin Basti 
>>> Date: Wed, 11 Feb 2015 14:05:46 +0100
>>> Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
>>>
>>> Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
>>> ---
>>>   ipapython/ipap11helper/p11helper.c | 72
>>> --
>>>   1 file changed, 69 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/ipapython/ipap11helper/p11helper.c
>>> b/ipapython/ipap11helper/p11helper.c
>>> index
>>> 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7
>>> 100644
>>> --- a/ipapython/ipap11helper/p11helper.c
>>> +++ b/ipapython/ipap11helper/p11helper.c
>>> @@ -53,6 +53,22 @@
>>>   // TODO
>>>   #define CKA_COPYABLE   (0x0017)
>>>   +#define CKG_MGF1_SHA1 (0x0001)
>>> +
>>> +#define CKZ_DATA_SPECIFIED(0x0001)
>>> +
>>> +struct ck_rsa_pkcs_oaep_params {
>>> +  CK_MECHANISM_TYPE hash_alg;
>>> +  unsigned long mgf;
>>> +  unsigned long source;
>>> +  void *source_data;
>>> +  unsigned long source_data_len;
>>> +};
>>> +
>>> +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
>>> +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
>>> +
>>> +
>>>   CK_BBOOL true = CK_TRUE;
>>>   CK_BBOOL false = CK_FALSE;
>>>   @@ -118,6 +134,17 @@ CK_BBOOL* bool;
>>>   } PyObj2Bool_mapping_t;
>>> /**
>>> + * Constants
>>> + */
>>> +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
>>> +.hash_alg = CKM_SHA_1,
>>> +.mgf = CKG_MGF1_SHA1,
>>> +.source = CKZ_DATA_SPECIFIED,
>>> +.source_data = NULL,
>>> +.source_data_len = 0
>>> +};
>>> +
>>> +/**
>>>* ipap11helper Exceptions
>>>*/
>>>   static PyObject *ipap11helperException; //parent class for all exceptions
>>> @@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self,
>>> PyObject *args, PyObject *kwds)
>>>   CK_BYTE_PTR wrapped_key = NULL;
>>>   CK_ULONG wrapped_key_len = 0;
>>>   CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
>>> -CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
>>>   /* currently we don't support parameter in mechanism */
>>> static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech",
>>> NULL };
>>>   //TODO check long overflow
>>>   //TODO export method
>>>   if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist,
>>> &object_key,
>>> -&object_wrapping_key, &wrapping_mech_type)) {
>>> +&object_wrapping_key, &wrapping_mech.mechanism)) {
>>>   return NULL;
>>>   }
>>> -wrapping_mech.mechanism = wrapping_mech_type;
>>> +
>>> +// fill mech parameters
>>> +switch(wrapping_mech.mechanism){
>>> +case CKM_RSA_PKCS:
>>> +case CKM_AES_KEY_WRAP:
>>> +case CKM_AES_KEY_WRAP_PAD:
>>> +//default params
>>> +break;
>>> +
>>> +case CKM_RSA_PKCS_OAEP:
>>> +/* Use the same configuration as openSSL
>>> + * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
>>> + */
>>> + wrapping_mech.pParameter = (void*) 
>>> &CONST_RSA_PKCS_OAEP_PARAMS;
>>> + wrapping_mech.ulParameterLen =
>>> sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
>>> +break;
>>> +
>>> +default:
>>> +PyErr_SetString(ipap11helperError, "Unsupported wrapping
>>> mechanism");
>>> +return NULL;
>>> +}
>>> rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
>>>   object_wrapping_key, object_key, NULL, &wrapped_key_len);
>>> @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper*
>>> self, PyObject *args,
>>>   return NULL;
>>>   }
>>>   +switch(wrapping_mech.mechanism){
>>> +case CKM_RSA_PKCS:
>>> +case CKM_AES_KEY_WRAP:
>>> +case CKM_AES_KEY_WRAP_PAD:
>>> +//default params
>>> +break;
>> NACK. This switch is a duplicate of the previous one. Please split it into an
>> auxiliary function and call it twice.
>>
>> Thank you!
>>
> Thanks. Updated patch attached.

ACK, it works for me.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism

2015-02-26 Thread Martin Basti

On 26/02/15 12:47, Petr Spacek wrote:

On 11.2.2015 14:10, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4657#comment:13

Patch attached.

--
Martin Basti


freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch


 From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Feb 2015 14:05:46 +0100
Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism

Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
---
  ipapython/ipap11helper/p11helper.c | 72 --
  1 file changed, 69 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipap11helper/p11helper.c 
b/ipapython/ipap11helper/p11helper.c
index 
4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7
 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -53,6 +53,22 @@
  // TODO
  #define CKA_COPYABLE   (0x0017)
  
+#define CKG_MGF1_SHA1 (0x0001)

+
+#define CKZ_DATA_SPECIFIED(0x0001)
+
+struct ck_rsa_pkcs_oaep_params {
+  CK_MECHANISM_TYPE hash_alg;
+  unsigned long mgf;
+  unsigned long source;
+  void *source_data;
+  unsigned long source_data_len;
+};
+
+typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+
  CK_BBOOL true = CK_TRUE;
  CK_BBOOL false = CK_FALSE;
  
@@ -118,6 +134,17 @@ CK_BBOOL* bool;

  } PyObj2Bool_mapping_t;
  
  /**

+ * Constants
+ */
+static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
+.hash_alg = CKM_SHA_1,
+.mgf = CKG_MGF1_SHA1,
+.source = CKZ_DATA_SPECIFIED,
+.source_data = NULL,
+.source_data_len = 0
+};
+
+/**
   * ipap11helper Exceptions
   */
  static PyObject *ipap11helperException; //parent class for all exceptions
@@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, 
PyObject *args, PyObject *kwds)
  CK_BYTE_PTR wrapped_key = NULL;
  CK_ULONG wrapped_key_len = 0;
  CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
-CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
  /* currently we don't support parameter in mechanism */
  
  static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL };

  //TODO check long overflow
  //TODO export method
  if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key,
-&object_wrapping_key, &wrapping_mech_type)) {
+&object_wrapping_key, &wrapping_mech.mechanism)) {
  return NULL;
  }
-wrapping_mech.mechanism = wrapping_mech_type;
+
+// fill mech parameters
+switch(wrapping_mech.mechanism){
+case CKM_RSA_PKCS:
+case CKM_AES_KEY_WRAP:
+case CKM_AES_KEY_WRAP_PAD:
+//default params
+break;
+
+case CKM_RSA_PKCS_OAEP:
+/* Use the same configuration as openSSL
+ * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
+ */
+ wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
+ wrapping_mech.ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
+break;
+
+default:
+PyErr_SetString(ipap11helperError, "Unsupported wrapping 
mechanism");
+return NULL;
+}
  
  rv = self->p11->C_WrapKey(self->session, &wrapping_mech,

  object_wrapping_key, object_key, NULL, &wrapped_key_len);
@@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, 
PyObject *args,
  return NULL;
  }
  
+switch(wrapping_mech.mechanism){

+case CKM_RSA_PKCS:
+case CKM_AES_KEY_WRAP:
+case CKM_AES_KEY_WRAP_PAD:
+//default params
+break;

NACK. This switch is a duplicate of the previous one. Please split it into an
auxiliary function and call it twice.

Thank you!


Thanks. Updated patch attached.


--
Martin Basti

From e10fab710c7fd820fd05f5c1990df5b02eb28862 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 11 Feb 2015 14:05:46 +0100
Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism

Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
---
 ipapython/ipap11helper/p11helper.c | 76 --
 1 file changed, 73 insertions(+), 3 deletions(-)

diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index 9172e720d69aab82ab55a41b43b16145dad730f8..9a7b3ce56b4a40c23c461e40a8e1ded28a2d7c49 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -56,6 +56,22 @@
 // TODO
 #define CKA_COPYABLE   (0x0017)
 
+#define CKG_MGF1_SHA1 (0x0001)
+
+#define CKZ_DATA_SPECIFIED(0x0001)
+
+struct ck_rsa_pkcs_oaep_params {
+  CK_MECHANISM_TYPE hash_alg;
+  unsigned long mgf;
+  unsigned long source;
+  void *source_data;
+  unsigned long source_data_len;
+

Re: [Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism

2015-02-26 Thread Petr Spacek
On 11.2.2015 14:10, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/4657#comment:13
> 
> Patch attached.
> 
> -- 
> Martin Basti
> 
> 
> freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch
> 
> 
> From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
> From: Martin Basti 
> Date: Wed, 11 Feb 2015 14:05:46 +0100
> Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
> 
> Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
> ---
>  ipapython/ipap11helper/p11helper.c | 72 
> --
>  1 file changed, 69 insertions(+), 3 deletions(-)
> 
> diff --git a/ipapython/ipap11helper/p11helper.c 
> b/ipapython/ipap11helper/p11helper.c
> index 
> 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c41128b1c9e7
>  100644
> --- a/ipapython/ipap11helper/p11helper.c
> +++ b/ipapython/ipap11helper/p11helper.c
> @@ -53,6 +53,22 @@
>  // TODO
>  #define CKA_COPYABLE   (0x0017)
>  
> +#define CKG_MGF1_SHA1 (0x0001)
> +
> +#define CKZ_DATA_SPECIFIED(0x0001)
> +
> +struct ck_rsa_pkcs_oaep_params {
> +  CK_MECHANISM_TYPE hash_alg;
> +  unsigned long mgf;
> +  unsigned long source;
> +  void *source_data;
> +  unsigned long source_data_len;
> +};
> +
> +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
> +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
> +
> +
>  CK_BBOOL true = CK_TRUE;
>  CK_BBOOL false = CK_FALSE;
>  
> @@ -118,6 +134,17 @@ CK_BBOOL* bool;
>  } PyObj2Bool_mapping_t;
>  
>  /**
> + * Constants
> + */
> +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
> +.hash_alg = CKM_SHA_1,
> +.mgf = CKG_MGF1_SHA1,
> +.source = CKZ_DATA_SPECIFIED,
> +.source_data = NULL,
> +.source_data_len = 0
> +};
> +
> +/**
>   * ipap11helper Exceptions
>   */
>  static PyObject *ipap11helperException; //parent class for all exceptions
> @@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, 
> PyObject *args, PyObject *kwds)
>  CK_BYTE_PTR wrapped_key = NULL;
>  CK_ULONG wrapped_key_len = 0;
>  CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
> -CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
>  /* currently we don't support parameter in mechanism */
>  
>  static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL };
>  //TODO check long overflow
>  //TODO export method
>  if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key,
> -&object_wrapping_key, &wrapping_mech_type)) {
> +&object_wrapping_key, &wrapping_mech.mechanism)) {
>  return NULL;
>  }
> -wrapping_mech.mechanism = wrapping_mech_type;
> +
> +// fill mech parameters
> +switch(wrapping_mech.mechanism){
> +case CKM_RSA_PKCS:
> +case CKM_AES_KEY_WRAP:
> +case CKM_AES_KEY_WRAP_PAD:
> +//default params
> +break;
> +
> +case CKM_RSA_PKCS_OAEP:
> +/* Use the same configuration as openSSL
> + * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
> + */
> + wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
> + wrapping_mech.ulParameterLen = 
> sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
> +break;
> +
> +default:
> +PyErr_SetString(ipap11helperError, "Unsupported wrapping 
> mechanism");
> +return NULL;
> +}
>  
>  rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
>  object_wrapping_key, object_key, NULL, &wrapped_key_len);
> @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, 
> PyObject *args,
>  return NULL;
>  }
>  
> +switch(wrapping_mech.mechanism){
> +case CKM_RSA_PKCS:
> +case CKM_AES_KEY_WRAP:
> +case CKM_AES_KEY_WRAP_PAD:
> +//default params
> +break;

NACK. This switch is a duplicate of the previous one. Please split it into an
auxiliary function and call it twice.

Thank you!

-- 
Petr^2 Spacek
