[Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism
Petr Spacek
pspacek at redhat.com
Thu Mar 5 13:45:35 UTC 2015
On 26.2.2015 16:59, Martin Basti wrote:
> On 26/02/15 12:47, Petr Spacek wrote:
>> On 11.2.2015 14:10, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/4657#comment:13
>>>
>>> Patch attached.
>>>
>>> --
>>> Martin Basti
>>>
>>>
>>> freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch
>>>
>>>
>>> From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
>>> From: Martin Basti <mbasti at redhat.com>
>>> Date: Wed, 11 Feb 2015 14:05:46 +0100
>>> Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
>>>
>>> Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
>>> ---
>>> ipapython/ipap11helper/p11helper.c | 72
>>> ++++++++++++++++++++++++++++++++++++--
>>> 1 file changed, 69 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/ipapython/ipap11helper/p11helper.c
>>> b/ipapython/ipap11helper/p11helper.c
>>> index
>>> 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c4cccc1128b1c9e7
>>> 100644
>>> --- a/ipapython/ipap11helper/p11helper.c
>>> +++ b/ipapython/ipap11helper/p11helper.c
>>> @@ -53,6 +53,22 @@
>>> // TODO
>>> #define CKA_COPYABLE (0x0017)
>>> +#define CKG_MGF1_SHA1 (0x00000001)
>>> +
>>> +#define CKZ_DATA_SPECIFIED (0x00000001)
>>> +
>>> +struct ck_rsa_pkcs_oaep_params {
>>> + CK_MECHANISM_TYPE hash_alg;
>>> + unsigned long mgf;
>>> + unsigned long source;
>>> + void *source_data;
>>> + unsigned long source_data_len;
>>> +};
>>> +
>>> +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
>>> +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
>>> +
>>> +
>>> CK_BBOOL true = CK_TRUE;
>>> CK_BBOOL false = CK_FALSE;
>>> @@ -118,6 +134,17 @@ CK_BBOOL* bool;
>>> } PyObj2Bool_mapping_t;
>>> /**
>>> + * Constants
>>> + */
>>> +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
>>> + .hash_alg = CKM_SHA_1,
>>> + .mgf = CKG_MGF1_SHA1,
>>> + .source = CKZ_DATA_SPECIFIED,
>>> + .source_data = NULL,
>>> + .source_data_len = 0
>>> +};
>>> +
>>> +/**
>>> * ipap11helper Exceptions
>>> */
>>> static PyObject *ipap11helperException; //parent class for all exceptions
>>> @@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self,
>>> PyObject *args, PyObject *kwds)
>>> CK_BYTE_PTR wrapped_key = NULL;
>>> CK_ULONG wrapped_key_len = 0;
>>> CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
>>> - CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
>>> /* currently we don't support parameter in mechanism */
>>> static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech",
>>> NULL };
>>> //TODO check long overflow
>>> //TODO export method
>>> if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist,
>>> &object_key,
>>> - &object_wrapping_key, &wrapping_mech_type)) {
>>> + &object_wrapping_key, &wrapping_mech.mechanism)) {
>>> return NULL;
>>> }
>>> - wrapping_mech.mechanism = wrapping_mech_type;
>>> +
>>> + // fill mech parameters
>>> + switch(wrapping_mech.mechanism){
>>> + case CKM_RSA_PKCS:
>>> + case CKM_AES_KEY_WRAP:
>>> + case CKM_AES_KEY_WRAP_PAD:
>>> + //default params
>>> + break;
>>> +
>>> + case CKM_RSA_PKCS_OAEP:
>>> + /* Use the same configuration as openSSL
>>> + * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
>>> + */
>>> + wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
>>> + wrapping_mech.ulParameterLen =
>>> sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
>>> + break;
>>> +
>>> + default:
>>> + PyErr_SetString(ipap11helperError, "Unsupported wrapping
>>> mechanism");
>>> + return NULL;
>>> + }
>>> rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
>>> object_wrapping_key, object_key, NULL, &wrapped_key_len);
>>> @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper*
>>> self, PyObject *args,
>>> return NULL;
>>> }
>>> + switch(wrapping_mech.mechanism){
>>> + case CKM_RSA_PKCS:
>>> + case CKM_AES_KEY_WRAP:
>>> + case CKM_AES_KEY_WRAP_PAD:
>>> + //default params
>>> + break;
>> NACK. This switch is duplicate of the previous one. Please split it into an
>> auxiliary function and call it twice.
>>
>> Thank you!
>>
> Thanks. Updated patch attached.
ACK, it works for me.
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list