diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-09 08:06:33 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-12 10:02:47 +0200 |
commit | 6396315812b77b37271e25f98381e3b1fa316428 (patch) | |
tree | 1b1d22cfc7019a1c59733b1c50dcfdab25e715cc | |
parent | 3f995d6791dc7f70ea7a2d369532ca15133ec41d (diff) | |
download | gnutls-6396315812b77b37271e25f98381e3b1fa316428.tar.gz |
pkcs11: do not set leading zeros when writing integersgnutls_3_5_x_pkcs11_leading_zeros_fix
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/pkcs11_write.c | 43 |
1 files changed, 41 insertions, 2 deletions
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c index 23a8521ed5..5577747136 100644 --- a/lib/pkcs11_write.c +++ b/lib/pkcs11_write.c @@ -271,6 +271,19 @@ static void clean_pubkey(struct ck_attribute *a, unsigned a_val) } } +static void skip_leading_zeros(gnutls_datum_t *d) +{ + unsigned nr = 0; + + while(nr < d->size && d->data[nr] == 0) + nr++; + if (nr > 0) { + d->size -= nr; + if (d->size > 0) + memmove(d->data, &d->data[nr], d->size); + } +} + static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, unsigned *a_val) { gnutls_pk_algorithm_t pk; @@ -288,6 +301,12 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, unsigned * return ret; } + /* PKCS#11 defines integers as unsigned having most significant byte + * first, e.g., 32768 = 0x80 0x00. This is interpreted literraly by + * some HSMs which do not accept an integer with a leading zero */ + skip_leading_zeros(&m); + skip_leading_zeros(&e); + a[*a_val].type = CKA_MODULUS; a[*a_val].value = m.data; a[*a_val].value_len = m.size; @@ -308,6 +327,11 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, unsigned * return ret; } + skip_leading_zeros(&p); + skip_leading_zeros(&q); + skip_leading_zeros(&g); + skip_leading_zeros(&y); + a[*a_val].type = CKA_PRIME; a[*a_val].value = p.data; a[*a_val].value_len = p.size; @@ -805,6 +829,15 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url, type = CKK_RSA; + skip_leading_zeros(&m); + skip_leading_zeros(&e); + skip_leading_zeros(&d); + skip_leading_zeros(&p); + skip_leading_zeros(&q); + skip_leading_zeros(&u); + skip_leading_zeros(&exp1); + skip_leading_zeros(&exp2); + a[a_val].type = CKA_MODULUS; a[a_val].value = m.data; a[a_val].value_len = m.size; @@ -859,6 +892,12 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url, type = CKK_DSA; + skip_leading_zeros(&p); + skip_leading_zeros(&q); + skip_leading_zeros(&g); + skip_leading_zeros(&y); + skip_leading_zeros(&x); + a[a_val].type = CKA_PRIME; a[a_val].value = p.data; a[a_val].value_len = p.size; @@ -892,8 +931,8 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url, } ret = - _gnutls_mpi_dprint_lz(key->params. - params[ECC_K], &x); + _gnutls_mpi_dprint(key->params. + params[ECC_K], &x); if (ret < 0) { gnutls_assert(); goto cleanup; |