-rw-r--r-- | lib/freebl/ec.c | 5 | ||||
-rw-r--r-- | lib/softoken/pkcs11.c | 11 | ||||
-rwxr-xr-x[-rw-r--r--] | tests/chains/chains.sh | 0 |
3 files changed, 16 insertions, 0 deletions
diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c
index ca53c1ae8..6af242dc1 100644
--- a/lib/freebl/ec.c
+++ b/lib/freebl/ec.c
@@ -870,6 +870,11 @@ cleanup:
 /*
 ** Checks the signature on the given digest using the key provided.
+**
+** The key argument must represent a valid EC public key (a point on
+** the relevant curve). If it is not a valid point, then the behavior
+** of this function is undefined. In cases where a public key might
+** not be valid, use EC_ValidatePublicKey to check.
 */
 SECStatus
 ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
index 6fa4e4ecc..f25ca502f 100644
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -969,6 +969,17 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
 }
 object->infoFree = (SFTKFree) nsslowkey_DestroyPublicKey;
+ // Check that an imported EC key is valid
+ if (key_type == CKK_EC) {
+ NSSLOWKEYPublicKey *pubKey = (NSSLOWKEYPublicKey*) object->objectInfo;
+ SECStatus rv = EC_ValidatePublicKey(&pubKey->u.ec.ecParams,
+ &pubKey->u.ec.publicValue);
+
+ if (rv != SECSuccess) {
+ return CKR_TEMPLATE_INCONSISTENT;
+ }
+ }
+
 if (sftk_isTrue(object,CKA_TOKEN)) {
 SFTKSlot *slot = session->slot;
 SFTKDBHandle *certHandle = sftk_getCertDB(slot);
diff --git a/tests/chains/chains.sh b/tests/chains/chains.sh
index b53d928cf..b53d928cf 100644..100755
--- a/tests/chains/chains.sh
+++ b/tests/chains/chains.sh |
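Review bot: The contract added to the `ECDSA_VerifyDigest` comment leaves point validation to every caller, and "the behavior of this function is undefined" does not say when the check is mandatory. I would state the obligation directly, e.g. `** Callers that accept keys from an untrusted source must call EC_ValidatePublicKey before passing the key here.` Only the softoken object-creation path gains a check in this commit; whether other callers of this function validate their keys is not visible from the hunk. The function body lies outside the hunk.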
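Review bot: The new `CKK_EC` branch in `sftk_handlePublicKeyObject` maps every `EC_ValidatePublicKey` failure to `CKR_TEMPLATE_INCONSISTENT`, so an off-curve point is reported the same way as any other validator failure (unsupported parameters or an allocation failure would presumably land here too). If callers need to tell a rejected key from an internal error, translate the freebl error code rather than hard-coding the return value. The comment could also say what "valid" means and why it matters, e.g. `/* Reject EC points that are not on the curve named by CKA_EC_PARAMS; ECDSA_VerifyDigest is undefined for them. */`. The early return comes after `object->infoFree` is set, so the key is presumably freed when the caller destroys the object, but that cleanup is outside the hunk and should be confirmed. The function starts and ends outside this hunk.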