author | Jack Lloyd <[email protected]> | 2016-11-04 10:51:30 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-11-04 10:51:30 -0400 |
commit | 19ac22af33d8e185d30e6c84299b8b86d7b0fa3f (patch) | |
tree | f1721fbf17621315544f9f85360c24c7bd515650 /src | |
parent | 0b820c330a62aaa3a715b7b7d00276f886cd4a0f (diff) |
Fix PKCS11 test error
Previously PKCS11_ECDSA_PrivateKey::check_key failed because no
verification is possible using this key type (does not derive from
public key). Split keypair consistency to allow two key arguments.
ECDSA keypair consistency disabled in the tests still, because
SoftHSMv2 gives mechanism invalid errors. I think this is a SoftHSMv2
issue with the signature mechanism.
Remove no longer used Key_Type typedefs (need to be removed everywhere).
GH #712
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/prov/pkcs11/info.txt | 2 | ||||
-rw-r--r-- | src/lib/prov/pkcs11/p11_ecdsa.cpp | 8 | ||||
-rw-r--r-- | src/lib/pubkey/keypair/keypair.cpp | 19 | ||||
-rw-r--r-- | src/lib/pubkey/keypair/keypair.h | 44 | ||||
-rw-r--r-- | src/tests/test_pkcs11_high_level.cpp | 15 |
5 files changed, 66 insertions, 22 deletions
diff --git a/src/lib/prov/pkcs11/info.txt b/src/lib/prov/pkcs11/info.txt index 2715c7cda..e5a471b25 100644 --- a/src/lib/prov/pkcs11/info.txt +++ b/src/lib/prov/pkcs11/info.txt @@ -45,4 +45,4 @@ p11_rsa.cpp p11_session.cpp p11_slot.cpp p11_x509.cpp -</source>
\ No newline at end of file +</source> diff --git a/src/lib/prov/pkcs11/p11_ecdsa.cpp b/src/lib/prov/pkcs11/p11_ecdsa.cpp index dede8bd6c..44f116f88 100644 --- a/src/lib/prov/pkcs11/p11_ecdsa.cpp +++ b/src/lib/prov/pkcs11/p11_ecdsa.cpp @@ -30,13 +30,13 @@ bool PKCS11_ECDSA_PrivateKey::check_key(RandomNumberGenerator& rng, bool strong) return false; } - if(!strong) { return true; } - return KeyPair::signature_consistency_check(rng, *this, "EMSA1(SHA-1)"); + ECDSA_PublicKey pubkey(domain(), public_point()); + return KeyPair::signature_consistency_check(rng, *this, pubkey, "EMSA1(SHA-256)"); } ECDSA_PrivateKey PKCS11_ECDSA_PrivateKey::export_key() const @@ -57,8 +57,6 @@ namespace { class PKCS11_ECDSA_Signature_Operation : public PK_Ops::Signature { public: - typedef PKCS11_EC_PrivateKey Key_Type; - PKCS11_ECDSA_Signature_Operation(const PKCS11_EC_PrivateKey& key, const std::string& emsa) : PK_Ops::Signature(), m_key(key), m_order(key.domain().get_order()), m_mechanism(MechanismWrapper::create_ecdsa_mechanism(emsa)) {} @@ -124,8 +122,6 @@ class PKCS11_ECDSA_Signature_Operation : public PK_Ops::Signature class PKCS11_ECDSA_Verification_Operation : public PK_Ops::Verification { public: - typedef PKCS11_EC_PublicKey Key_Type; - PKCS11_ECDSA_Verification_Operation(const PKCS11_EC_PublicKey& key, const std::string& emsa) : PK_Ops::Verification(), m_key(key), m_order(key.domain().get_order()), m_mechanism(MechanismWrapper::create_ecdsa_mechanism(emsa)) {} diff --git a/src/lib/pubkey/keypair/keypair.cpp b/src/lib/pubkey/keypair/keypair.cpp index 2efd40b6e..5667bde4a 100644 --- a/src/lib/pubkey/keypair/keypair.cpp +++ b/src/lib/pubkey/keypair/keypair.cpp 
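Review bot: The strong branch of `PKCS11_ECDSA_PrivateKey::check_key` now verifies against `ECDSA_PublicKey pubkey(domain(), public_point())`, so a `true` result only says that the token's private key matches whatever public point is attached to the object. The tests in this commit call `set_public_point()` before `check_key`, which suggests the point is supplied by the caller rather than read back from the token. That dependency deserves a comment above the new lines, for example `// Strong check: signs on the token and verifies against the caller-supplied public point; needs set_public_point() and token support for ECDSA with SHA-256`. The fixed `"EMSA1(SHA-256)"` also means a token without that mechanism presumably raises from the signing call instead of returning false (the commit message reports mechanism-invalid errors from SoftHSMv2), so the doc comment should say that `check_key` can throw. The start of the function is outside the hunk.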
@@ -16,11 +16,12 @@ namespace KeyPair { * Check an encryption key pair for consistency */ bool encryption_consistency_check(RandomNumberGenerator& rng, - const Private_Key& key, + const Private_Key& private_key, + const Public_Key& public_key, const std::string& padding) { - PK_Encryptor_EME encryptor(key, rng, padding); - PK_Decryptor_EME decryptor(key, rng, padding); + PK_Encryptor_EME encryptor(public_key, rng, padding); + PK_Decryptor_EME decryptor(private_key, rng, padding); /* Weird corner case, if the key is too small to encrypt anything at @@ -45,13 +46,15 @@ bool encryption_consistency_check(RandomNumberGenerator& rng, * Check a signature key pair for consistency */ bool signature_consistency_check(RandomNumberGenerator& rng, - const Private_Key& key, + const Private_Key& private_key, + const Public_Key& public_key, const std::string& padding) { - PK_Signer signer(key, rng, padding); - PK_Verifier verifier(key, padding); + PK_Signer signer(private_key, rng, padding); + PK_Verifier verifier(public_key, padding); - std::vector<byte> message = unlock(rng.random_vec(16)); + std::vector<byte> message(32); + rng.randomize(message.data(), message.size()); std::vector<byte> signature; @@ -68,7 +71,7 @@ bool signature_consistency_check(RandomNumberGenerator& rng, return false; // Now try to check a corrupt signature, ensure it does not succeed - ++message[0]; + ++signature[0]; if(verifier.verify_message(message, signature)) return false; diff --git a/src/lib/pubkey/keypair/keypair.h b/src/lib/pubkey/keypair/keypair.h index 7fcde3216..894749583 100644 --- a/src/lib/pubkey/keypair/keypair.h +++ b/src/lib/pubkey/keypair/keypair.h 
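Review bot: `++signature[0]` in the last keypair.cpp hunk indexes a buffer whose length is decided by the signer, which for the PKCS#11 keys this commit targets is the token, and nothing visible in the hunk checks that it is non-empty. The preceding verify probably rejects an empty signature first, but that relies on every verifier implementation; an explicit `if(signature.empty()) return false;` before the increment keeps the bound local. Corrupting the signature instead of the message also means the self-test no longer covers a valid signature over a modified message; keeping both cases (alter the message, verify, restore it, then alter the signature) costs one extra verify. The function body starts outside this hunk.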
@@ -18,28 +18,64 @@ namespace KeyPair { * Tests whether the key is consistent for encryption; whether * encrypting and then decrypting gives to the original plaintext. * @param rng the rng to use -* @param key the key to test +* @param private_key the key to test +* @param public_key the key to test * @param padding the encryption padding method to use * @return true if consistent otherwise false */ BOTAN_DLL bool encryption_consistency_check(RandomNumberGenerator& rng, - const Private_Key& key, + const Private_Key& private_key, + const Public_Key& public_key, const std::string& padding); /** * Tests whether the key is consistent for signatures; whether a * signature can be created and then verified * @param rng the rng to use -* @param key the key to test +* @param private_key the key to test +* @param public_key the key to test * @param padding the signature padding method to use * @return true if consistent otherwise false */ BOTAN_DLL bool signature_consistency_check(RandomNumberGenerator& rng, - const Private_Key& key, + const Private_Key& private_key, + const Public_Key& public_key, const std::string& padding); +/** +* Tests whether the key is consistent for encryption; whether +* encrypting and then decrypting gives to the original plaintext. 
+* @param rng the rng to use +* @param key the key to test +* @param padding the encryption padding method to use +* @return true if consistent otherwise false +*/ +inline bool +encryption_consistency_check(RandomNumberGenerator& rng, + const Private_Key& key, + const std::string& padding) + { + return encryption_consistency_check(rng, key, key, padding); + } + +/** +* Tests whether the key is consistent for signatures; whether a +* signature can be created and then verified +* @param rng the rng to use +* @param key the key to test +* @param padding the signature padding method to use +* @return true if consistent otherwise false +*/ +inline bool +signature_consistency_check(RandomNumberGenerator& rng, + const Private_Key& key, + const std::string& padding) + { + return signature_consistency_check(rng, key, key, padding); + } + } } diff --git a/src/tests/test_pkcs11_high_level.cpp b/src/tests/test_pkcs11_high_level.cpp index b91cf6ca0..7b4be9e08 100644 --- a/src/tests/test_pkcs11_high_level.cpp +++ b/src/tests/test_pkcs11_high_level.cpp @@ -602,7 +602,7 @@ Test::Result test_rsa_privkey_import() // create private key RSA_PrivateKey priv_key(Test::rng(), 2048); - result.confirm("Key self test OK", priv_key.check_key(Test::rng(), 2048)); + result.confirm("Key self test OK", priv_key.check_key(Test::rng(), true)); // import to card RSA_PrivateKeyImportProperties props(priv_key.get_n(), priv_key.get_d()); @@ -620,6 +620,7 @@ Test::Result test_rsa_privkey_import() PKCS11_RSA_PrivateKey pk(test_session.session(), props); result.test_success("RSA private key import was successful"); + result.confirm("PK self test OK", pk.check_key(Test::rng(), true)); pk.destroy(); return result; 
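Review bot: Both new parameters are documented as `the key to test` in the two-key declarations of `encryption_consistency_check` and `signature_consistency_check`, which does not tell a caller which key does what or what a `true` result establishes. Suggest `@param private_key the private key used to decrypt (or sign)` and `@param public_key the public key used to encrypt (or verify); may be a separate object from private_key`, plus one sentence saying that the function checks the two keys belong together. The doc comments on the single-key inline overloads should say that they pass the same key for both roles. The copied sentence "gives to the original plaintext" could be corrected to "gives back the original plaintext" while the comment is being touched.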
@@ -651,10 +652,11 @@ Test::Result test_rsa_privkey_export() props.set_sensitive(false); PKCS11_RSA_PrivateKey pk(test_session.session(), props); + result.confirm("Check PK11 key", pk.check_key(Test::rng(), true)); RSA_PrivateKey exported = pk.export_key(); result.test_success("RSA private key export was successful"); - result.test_eq("pkcs8 private key", pk.pkcs8_private_key(), priv_key.pkcs8_private_key()); + result.confirm("Check exported key", exported.check_key(Test::rng(), true)); pk.destroy(); return result; @@ -677,6 +679,7 @@ Test::Result test_rsa_pubkey_import() PKCS11_RSA_PublicKey pk(test_session.session(), props); result.test_success("RSA public key import was successful"); + result.confirm("Check PK11 key", pk.check_key(Test::rng(), true)); pk.destroy(); @@ -878,8 +881,9 @@ Test::Result test_ecdsa_privkey_import() props.set_label(label); PKCS11_ECDSA_PrivateKey pk(test_session.session(), props); - result.confirm("P11 key self test OK", pk.check_key(Test::rng(), true)); result.test_success("ECDSA private key import was successful"); + pk.set_public_point(priv_key.public_point()); + result.confirm("P11 key self test OK", pk.check_key(Test::rng(), false)); pk.destroy(); return result; @@ -895,6 +899,7 @@ Test::Result test_ecdsa_privkey_export() ECDSA_PrivateKey priv_key(Test::rng(), EC_Group("secp256r1")); priv_key.set_parameter_encoding(EC_Group_Encoding::EC_DOMPAR_ENC_OID); + result.confirm("Check ECDSA key", priv_key.check_key(Test::rng(), true)); // import to card EC_PrivateKeyImportProperties props(priv_key.DER_domain(), priv_key.private_value()); props.set_token(true); 
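Review bot: In `test_rsa_privkey_export` the removed `test_eq` is replaced only by `exported.check_key(Test::rng(), true)`, which shows that the exported key is a self-consistent RSA key but not that it is the key that was imported. The ECDSA export test in this same commit adds that comparison, so the RSA test should carry it too: `result.test_eq("Check exported key contents", exported.pkcs8_private_key(), priv_key.pkcs8_private_key());`. The function starts outside the hunk.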
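Review bot: `pk.check_key(Test::rng(), false)` in `test_ecdsa_privkey_import` (and again in the `test_ecdsa_privkey_export` hunk) returns at the `if(!strong)` branch, so the label "P11 key self test OK" covers less than it did and the sign/verify path added to `PKCS11_ECDSA_PrivateKey::check_key` by this commit is not exercised by any test shown here. The commit message gives the reason; put it next to the call so the weak check is not mistaken for the intended one, for example `// strong=false: SoftHSMv2 reports mechanism invalid for the ECDSA signature check (GH #712); switch to true once resolved`.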
@@ -907,9 +912,13 @@ Test::Result test_ecdsa_privkey_export() props.set_label(label); PKCS11_ECDSA_PrivateKey pk(test_session.session(), props); + pk.set_public_point(priv_key.public_point()); + result.confirm("Check PK11 key", pk.check_key(Test::rng(), false)); ECDSA_PrivateKey exported = pk.export_key(); result.test_success("ECDSA private key export was successful"); + result.confirm("Check exported key valid", exported.check_key(Test::rng(), true)); + result.test_eq("Check exported key contents", exported.pkcs8_private_key(), priv_key.pkcs8_private_key()); pk.destroy(); return result; |