Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement signing with ECDSA token #152

Merged
merged 1 commit into from
Sep 10, 2017
Merged

Implement signing with ECDSA token #152

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/crypto/Digest.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ string Digest::toEcUri(const string &uri)
*/
void Digest::update(const vector<unsigned char> &data)
{
update(&data[0], (unsigned int)data.size());
update(data.data(), (unsigned int)data.size());
}

/**
Expand Down
13 changes: 9 additions & 4 deletions src/crypto/PKCS11Signer.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,12 +91,13 @@ class PKCS11SignerPrivate

vector<CK_OBJECT_HANDLE> PKCS11SignerPrivate::findObject(CK_SESSION_HANDLE session, CK_OBJECT_CLASS cls) const
{
vector<CK_OBJECT_HANDLE> result;
CK_ATTRIBUTE attr = { CKA_CLASS, &cls, sizeof(cls) };
if(f->C_FindObjectsInit(session, &attr, 1) != CKR_OK)
return vector<CK_OBJECT_HANDLE>();
return result;

CK_ULONG count = 32;
vector<CK_OBJECT_HANDLE> result(count, 0);
result.resize(count);
CK_RV err = f->C_FindObjects(session, result.data(), CK_ULONG(result.size()), &count);
result.resize(err == CKR_OK ? count : 0);
f->C_FindObjectsFinal(session);
Expand Down Expand Up @@ -364,11 +365,15 @@ vector<unsigned char> PKCS11Signer::sign(const string &method, const vector<unsi
THROW("Could not get key that matches selected certificate.");

// Sign the digest.
CK_MECHANISM mech = { CKM_RSA_PKCS, 0, 0 };
CK_KEY_TYPE keyType = CKK_RSA;
CK_ATTRIBUTE attribute = { CKA_KEY_TYPE, &keyType, sizeof(keyType) };
d->f->C_GetAttributeValue(session, key[d->sign.cert], &attribute, 1);

CK_MECHANISM mech = { keyType == CKK_ECDSA ? CKM_ECDSA : CKM_RSA_PKCS, 0, 0 };
if(d->f->C_SignInit(session, &mech, key[d->sign.cert]) != CKR_OK)
THROW("Failed to sign digest");

vector<unsigned char> data = Digest::addDigestInfo(digest, method);
vector<unsigned char> data = keyType == CKK_RSA ? Digest::addDigestInfo(digest, method) : digest;
CK_ULONG size = 0;
if(d->f->C_Sign(session, data.data(), CK_ULONG(data.size()), 0, &size) != CKR_OK)
THROW("Failed to sign digest");
Expand Down
21 changes: 18 additions & 3 deletions src/crypto/WinSigner.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,11 +233,14 @@ vector<unsigned char> WinSigner::sign(const string &method, const vector<unsigne
else if(method == URI_RSA_SHA256) { padInfo.pszAlgId = NCRYPT_SHA256_ALGORITHM; alg = CALG_SHA_256; }
else if(method == URI_RSA_SHA384) { padInfo.pszAlgId = NCRYPT_SHA384_ALGORITHM; alg = CALG_SHA_384; }
else if(method == URI_RSA_SHA512) { padInfo.pszAlgId = NCRYPT_SHA512_ALGORITHM; alg = CALG_SHA_512; }
else if(method == URI_ECDSA_SHA224) {}
else if(method == URI_ECDSA_SHA256) {}
else if(method == URI_ECDSA_SHA384) {}
else if(method == URI_ECDSA_SHA512) {}
else THROW("Unsupported signature method");

SECURITY_STATUS err = 0;
DWORD size = 256;
vector<unsigned char> signature(size, 0);
vector<unsigned char> signature;
switch(d->spec)
{
case CERT_NCRYPT_KEY_SPEC:
Expand All @@ -250,6 +253,12 @@ vector<unsigned char> WinSigner::sign(const string &method, const vector<unsigne
break;
}

DWORD size = 0;
err = NCryptSignHash(d->key, &padInfo, PBYTE(digest.data()), DWORD(digest.size()),
nullptr, 0, &size, BCRYPT_PAD_PKCS1);
if(FAILED(err))
break;
signature.resize(size);
err = NCryptSignHash(d->key, &padInfo, PBYTE(digest.data()), DWORD(digest.size()),
signature.data(), DWORD(signature.size()), &size, BCRYPT_PAD_PKCS1);
break;
Expand All @@ -276,6 +285,13 @@ vector<unsigned char> WinSigner::sign(const string &method, const vector<unsigne
CryptDestroyHash(hash);
THROW("Failed to sign");
}
DWORD size = 0;
if(!CryptSignHashW(hash, AT_SIGNATURE, 0, 0, nullptr, &size)) {
err = LONG(GetLastError());
CryptDestroyHash(hash);
break;
}
signature.resize(size);
if(!CryptSignHashW(hash, AT_SIGNATURE, 0, 0, signature.data(), &size))
err = LONG(GetLastError());
std::reverse(signature.begin(), signature.end());
Expand All @@ -286,7 +302,6 @@ vector<unsigned char> WinSigner::sign(const string &method, const vector<unsigne
default:
THROW("Failed to sign");
}
signature.resize(size);

switch(err)
{
Expand Down