ECDSA-SHA1: Apply SHA1 to input data before PSO compute signature. #2187
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CKM_ECDSA and CKM_ECDSA_SHA1 cannot be registered in the same way. We need to use sc_pkcs11_register_sign_and_hash_mechanism () for CKM_ECDSA_SHA1. This fix also enables more ECDSA-SHAxxx mechanisms in framework-pkcs15.c Tested: MyEID 4.0.1 (secp256r1 with SHA1, SHA224, SHA256, SHA384, SHA512) CI tests (Travis + OsEID) for ECDSA-SHAxxx mechanisms are also enabled.
|
This fix interferes with the functions of the epass2003 driver. Please do not merge until a better solution is found - discusion in #2181. |
dengert
added a commit
to dengert/OpenSC
that referenced
this pull request
Dec 21, 2020
This PR is based on discussion with @popovec in OpenSC#2181 and OpenSC#2187 which was cherry-picked as 5e53008 This has been tested with PIV, MyEID and Smartcard-HSM. with ECDSA keys. The main fixes include : - Setting "flags" in card drivers - added code to sc_pkcs15-compute-signature for handle ECDSA with hashes - code in framework-pkcs15.c Signatures made by pkcs11-tool -sigm verify with openssl but pkcs11-tool --verify does not work with ECDSA but does with RSA I suspect it has to do with: and some then creating the wrong PKCS11 mechanisms It should work with the epass2003 which does hashes in the driver.
frankmorgner
pushed a commit
that referenced
this pull request
Jan 24, 2021
This PR is based on discussion with @popovec in #2181 and #2187 which was cherry-picked as 5e53008 This has been tested with PIV, MyEID and Smartcard-HSM. with ECDSA keys. The main fixes include : - Setting "flags" in card drivers - added code to sc_pkcs15-compute-signature for handle ECDSA with hashes - code in framework-pkcs15.c Signatures made by pkcs11-tool -sigm verify with openssl but pkcs11-tool --verify does not work with ECDSA but does with RSA I suspect it has to do with: and some then creating the wrong PKCS11 mechanisms It should work with the epass2003 which does hashes in the driver.
|
thanks for the feedback! closed with #2190 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CKM_ECDSA and CKM_ECDSA_SHA1 cannot be registered in the same way.
We need to use sc_pkcs11_register_sign_and_hash_mechanism ()
for CKM_ECDSA_SHA1.
This fix also enables more ECDSA-SHAxxx mechanisms in framework-pkcs15.c
Tested: MyEID 4.0.1 (secp256r1 with SHA1, SHA224, SHA256, SHA384, SHA512)
CI tests (Travis + OsEID) for ECDSA-SHAxxx mechanisms are also enabled.
Fixes #2181
Checklist