DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism

Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This commit is contained in:
Martin Basti 2015-02-11 14:05:46 +01:00 committed by Tomas Babej
parent 5c3611481a
commit c411d6a908

View File

@ -56,6 +56,22 @@
// TODO
#define CKA_COPYABLE (0x0017)
#define CKG_MGF1_SHA1 (0x00000001)
#define CKZ_DATA_SPECIFIED (0x00000001)
struct ck_rsa_pkcs_oaep_params {
CK_MECHANISM_TYPE hash_alg;
unsigned long mgf;
unsigned long source;
void *source_data;
unsigned long source_data_len;
};
typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
CK_BBOOL true = CK_TRUE;
CK_BBOOL false = CK_FALSE;
@ -120,6 +136,17 @@ PyObject* py_obj;
CK_BBOOL* bool;
} PyObj2Bool_mapping_t;
/**
* Constants
*/
static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
.hash_alg = CKM_SHA_1,
.mgf = CKG_MGF1_SHA1,
.source = CKZ_DATA_SPECIFIED,
.source_data = NULL,
.source_data_len = 0
};
/**
* ipap11helper Exceptions
*/
@ -473,6 +500,42 @@ int _id_exists(P11_Helper* self, CK_BYTE_PTR id, CK_ULONG id_len,
return 0; /* Object not found*/
}
/*
* Function set default param values for wrapping mechanism
* :param mech_type: mechanism type
* :param mech: filled structure with params based on mech type
*
* :return: 1 if sucessfull, 0 if error (fill proper exception)
*
* Warning: do not dealloc param values, it is static variables
*/
int _set_wrapping_mech_parameters(CK_MECHANISM_TYPE mech_type,
CK_MECHANISM *mech){
switch(mech_type){
case CKM_RSA_PKCS:
case CKM_AES_KEY_WRAP:
case CKM_AES_KEY_WRAP_PAD:
mech->pParameter = NULL;
mech->ulParameterLen = 0;
break;
case CKM_RSA_PKCS_OAEP:
/* Use the same configuration as openSSL
* https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
*/
mech->pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
mech->ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
break;
default:
PyErr_SetString(ipap11helperError, "Unsupported wrapping mechanism");
return 0;
}
mech->mechanism = mech_type;
return 1;
}
/***********************************************************************
* P11_Helper object
*/
@ -1362,17 +1425,20 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds)
CK_BYTE_PTR wrapped_key = NULL;
CK_ULONG wrapped_key_len = 0;
CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
/* currently we don't support parameter in mechanism */
static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL };
//TODO check long overflow
//TODO export method
if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key,
&object_wrapping_key, &wrapping_mech_type)) {
&object_wrapping_key, &wrapping_mech.mechanism)) {
return NULL;
}
// fill mech parameters
if (!_set_wrapping_mech_parameters(wrapping_mech.mechanism, &wrapping_mech)){
return NULL;
}
wrapping_mech.mechanism = wrapping_mech_type;
rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
object_wrapping_key, object_key, NULL, &wrapped_key_len);
@ -1455,6 +1521,10 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args,
return NULL;
}
if (!_set_wrapping_mech_parameters(wrapping_mech.mechanism, &wrapping_mech)){
return NULL;
}
label = (unsigned char*) unicode_to_char_array(label_unicode,
&label_length); //TODO verify signed/unsigned