Fix handling of bits in PKCS11 imports #546

Merged
merged 1 commit into from Oct 21, 2021
2 changes: 0 additions & 2 deletions e2e_tests/tests/per_provider/normal_tests/import_key.rs
Expand Up @@ -313,7 +313,6 @@ fn check_format_import3() -> Result<()> {
Ok(())
}

#[cfg(not(feature = "pkcs11-provider"))]
#[test]
fn check_format_import_ecc() -> Result<()> {
// If the bits field of the key attributes is zero, the operation should still work.
Expand Down Expand Up @@ -354,7 +353,6 @@ fn check_format_import_ecc() -> Result<()> {
Ok(())
}

#[cfg(not(feature = "pkcs11-provider"))]
#[test]
fn check_format_import_ecc2() -> Result<()> {
// If the bits field of the key attributes is different that the size of the key parsed
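
Review bot: The comment at the top of `check_format_import_ecc2` reads "different that the size of the key parsed"; it should be "different than". Worth fixing while this test is being touched.
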
22 changes: 22 additions & 0 deletions src/providers/pkcs11/key_management.rs
Expand Up @@ -185,6 +185,10 @@ impl Provider {
error!("The configuration of this provider does not allow it to generate keys that can be exported.");
return Err(ResponseStatus::PsaErrorNotPermitted);
}
if op.data.expose_secret().is_empty() {
error!("Key data is empty");
return Err(ResponseStatus::PsaErrorInvalidArgument);
}

let key_triple = KeyTriple::new(app_name, ProviderId::Pkcs11, key_name);
self.key_info_store.does_not_exist(&key_triple)?;
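
Review bot: The new `op.data.expose_secret().is_empty()` rejection has no test in this change: the e2e test file shows 0 additions and only has `cfg` gates removed. Add an import test that passes empty `data` and expects `PsaErrorInvalidArgument`, so the behaviour is pinned for this provider.
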
Expand Down Expand Up @@ -306,6 +310,24 @@ impl Provider {
}
_ => (),
}

// For the format of ECC public keys, see:
// https://parallaxsecond.github.io/parsec-book/parsec_client/operations/psa_export_public_key.html#description
let key_len = ((key_data.len() - 1) / 2) * 8;
let bits = if bits == 0 { key_len } else { bits };
if bits != key_len {
if crate::utils::GlobalConfig::log_error_details() {
error!(
"`bits` field of key attributes (value: {}) must be either 0 or equal to half the size of the key in `data` (value: {}) for Weierstrass curves.",
bits,
key_len
);
} else {
error!("`bits` field of key attributes must be either 0 or equal to half the size of the key in `data` for Weierstrass curves.");
}
return Err(ResponseStatus::PsaErrorInvalidArgument);
}

// The format expected by PKCS11 is an ASN.1 OctetString containing the
// data that the PSA Crypto interface specifies.
// See ECPoint in [SEC1](https://www.secg.org/sec1-v2.pdf). PKCS11 mandates using
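
Review bot: The comparison `if bits != key_len` rejects valid keys on any curve whose size is not a multiple of 8, because `key_len` is computed as `((key_data.len() - 1) / 2) * 8` and is therefore always a multiple of 8. In the public key format linked in the comment, each coordinate occupies ceiling(bits/8) bytes, so a 521-bit curve has 66-byte coordinates and `key_len` comes out as 528; the same rounding means that `bits == 0` is replaced by 528 rather than 521. Comparing byte lengths instead, for example `(bits + 7) / 8` against `(key_data.len() - 1) / 2`, avoids both. Two smaller points on the same line: `key_data.len() - 1` underflows if `key_data` is empty, so a `checked_sub` or an explicit length check next to the computation would stop it depending on a check made elsewhere, and an even-length `key_data` is silently truncated by the integer division instead of being rejected as malformed.
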