diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-09 16:21:31 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-06-12 10:19:28 +0200 |
| commit | 99625724b0de1d13f9b42c35155f378e18698c3f (patch) | |
| tree | 060000f92d6705671fe8ed0e1d6c0f1b4b4a3ae5 | |
| parent | 02b17134d6dd93a6e4aa7d7b04bac1dc8cbe280e (diff) | |
| download | gnutls-99625724b0de1d13f9b42c35155f378e18698c3f.tar.gz | |
pkcs11: do not set leading zeros on integers
PKCS#11 defines integers as unsigned having most significant byte
first, e.g., 32768 = 0x80 0x00. This is interpreted literraly by
some HSMs which do not accept an integer with a leading zero.
Resolves: #215
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| -rw-r--r-- | lib/pkcs11_write.c | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c index 23a8521ed5..c8da7c094e 100644 --- a/lib/pkcs11_write.c +++ b/lib/pkcs11_write.c @@ -27,6 +27,7 @@ #include <pkcs11_int.h> #include "pkcs11x.h" #include <x509/common.h> +#include "pk.h" static const ck_bool_t tval = 1; static const ck_bool_t fval = 0; @@ -282,12 +283,16 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, unsigned * case GNUTLS_PK_RSA: { gnutls_datum_t m, e; - ret = gnutls_pubkey_export_rsa_raw(pubkey, &m, &e); + /* PKCS#11 defines integers as unsigned having most significant byte + * first, e.g., 32768 = 0x80 0x00. This is interpreted literraly by + * some HSMs which do not accept an integer with a leading zero */ + ret = gnutls_pubkey_export_rsa_raw2(pubkey, &m, &e, GNUTLS_EXPORT_FLAG_NO_LZ); if (ret < 0) { gnutls_assert(); return ret; } + a[*a_val].type = CKA_MODULUS; a[*a_val].value = m.data; a[*a_val].value_len = m.size; @@ -302,7 +307,7 @@ static int add_pubkey(gnutls_pubkey_t pubkey, struct ck_attribute *a, unsigned * case GNUTLS_PK_DSA: { gnutls_datum_t p, q, g, y; - ret = gnutls_pubkey_export_dsa_raw(pubkey, &p, &q, &g, &y); + ret = gnutls_pubkey_export_dsa_raw2(pubkey, &p, &q, &g, &y, GNUTLS_EXPORT_FLAG_NO_LZ); if (ret < 0) { gnutls_assert(); return ret; @@ -792,12 +797,9 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url, case GNUTLS_PK_RSA: { - ret = - gnutls_x509_privkey_export_rsa_raw2(key, &m, - &e, &d, &p, - &q, &u, - &exp1, - &exp2); + ret = _gnutls_params_get_rsa_raw(&key->params, &m, &e, &d, &p, + &q, &u, &exp1, &exp2, + GNUTLS_EXPORT_FLAG_NO_LZ); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -849,9 +851,8 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url, } case GNUTLS_PK_DSA: { - ret = - gnutls_x509_privkey_export_dsa_raw(key, &p, &q, - &g, &y, &x); + ret = _gnutls_params_get_dsa_raw(&key->params, &p, &q, &g, &y, &x, + GNUTLS_EXPORT_FLAG_NO_LZ); if (ret < 0) { gnutls_assert(); goto cleanup; @@ -892,8 +893,8 @@ gnutls_pkcs11_copy_x509_privkey2(const char *token_url, } ret = - _gnutls_mpi_dprint_lz(key->params. - params[ECC_K], &x); + _gnutls_mpi_dprint(key->params. + params[ECC_K], &x); if (ret < 0) { gnutls_assert(); goto cleanup; |