[Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism

Petr Spacek pspacek at redhat.com
Thu Feb 26 11:47:59 UTC 2015


On 11.2.2015 14:10, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/4657#comment:13
> 
> Patch attached.
> 
> -- 
> Martin Basti
> 
> 
> freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch
> 
> 
> From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
> From: Martin Basti <mbasti at redhat.com>
> Date: Wed, 11 Feb 2015 14:05:46 +0100
> Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
> 
> Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
> ---
>  ipapython/ipap11helper/p11helper.c | 72 ++++++++++++++++++++++++++++++++++++--
>  1 file changed, 69 insertions(+), 3 deletions(-)
> 
> diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
> index 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c4cccc1128b1c9e7 100644
> --- a/ipapython/ipap11helper/p11helper.c
> +++ b/ipapython/ipap11helper/p11helper.c
> @@ -53,6 +53,22 @@
>  // TODO
>  #define CKA_COPYABLE           (0x0017)
>  
> +#define CKG_MGF1_SHA1         (0x00000001)
> +
> +#define CKZ_DATA_SPECIFIED    (0x00000001)
> +
> +struct ck_rsa_pkcs_oaep_params {
> +  CK_MECHANISM_TYPE hash_alg;
> +  unsigned long mgf;
> +  unsigned long source;
> +  void *source_data;
> +  unsigned long source_data_len;
> +};
> +
> +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
> +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
> +
> +
>  CK_BBOOL true = CK_TRUE;
>  CK_BBOOL false = CK_FALSE;
>  
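Review bot: The new `CKG_MGF1_SHA1` and `CKZ_DATA_SPECIFIED` macros and the `ck_rsa_pkcs_oaep_params` struct are added with no comment saying why they are defined locally instead of coming from the PKCS#11 header. If the header in use is later updated to provide them, the unguarded definitions will conflict; wrapping the macros as `#ifndef CKG_MGF1_SHA1` / `#endif` would avoid that. The struct is passed to the token by pointer and length, so its layout must match the module's ABI exactly. Spelling the fields with the file's own types (`CK_ULONG mgf;`, `CK_VOID_PTR source_data;`) would make that correspondence easier to audit, alongside a comment such as `/* mirrors CK_RSA_PKCS_OAEP_PARAMS from the PKCS#11 specification; remove once the header provides it */`.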
> @@ -118,6 +134,17 @@ CK_BBOOL* bool;
>  } PyObj2Bool_mapping_t;
>  
>  /**
> + * Constants
> + */
> +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
> +    .hash_alg = CKM_SHA_1,
> +    .mgf = CKG_MGF1_SHA1,
> +    .source = CKZ_DATA_SPECIFIED,
> +    .source_data = NULL,
> +    .source_data_len = 0
> +};
> +
> +/**
>   * ipap11helper Exceptions
>   */
>  static PyObject *ipap11helperException; //parent class for all exceptions
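Review bot: The `/** Constants */` comment above `CONST_RSA_PKCS_OAEP_PARAMS` does not record the security-relevant choices this initializer fixes: SHA-1 as the OAEP hash, MGF1 with SHA-1, and an empty label (`source_data = NULL`, `source_data_len = 0`). These values are hard-coded, and as far as the visible hunks show, a caller cannot select a different digest. The side that unwraps the key must use exactly the same parameters or the unwrap will fail. I would replace the comment with something like `/* OAEP parameters: SHA-1 hash, MGF1-SHA1, empty label; matches the OpenSSL defaults, the peer must unwrap with the same values */`, so that a later change of digest is made deliberately on both sides.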
> @@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds)
>      CK_BYTE_PTR wrapped_key = NULL;
>      CK_ULONG wrapped_key_len = 0;
>      CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
> -    CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
>      /* currently we don't support parameter in mechanism */
>  
>      static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL };
>      //TODO check long overflow
>      //TODO export method
>      if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key,
> -            &object_wrapping_key, &wrapping_mech_type)) {
> +            &object_wrapping_key, &wrapping_mech.mechanism)) {
>          return NULL;
>      }
> -    wrapping_mech.mechanism = wrapping_mech_type;
> +
> +    // fill mech parameters
> +    switch(wrapping_mech.mechanism){
> +        case CKM_RSA_PKCS:
> +        case CKM_AES_KEY_WRAP:
> +        case CKM_AES_KEY_WRAP_PAD:
> +            //default params
> +        break;
> +
> +        case CKM_RSA_PKCS_OAEP:
> +            /* Use the same configuration as openSSL
> +             * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
> +             */
> +             wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
> +             wrapping_mech.ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
> +        break;
> +
> +        default:
> +            PyErr_SetString(ipap11helperError, "Unsupported wrapping mechanism");
> +            return NULL;
> +    }
>  
>      rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
>              object_wrapping_key, object_key, NULL, &wrapped_key_len);
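Review bot: The `CKM_RSA_PKCS_OAEP` case casts away const from the `static const` parameter block and hands it to the PKCS#11 module through the non-const `pParameter`; if a module ever writes through that pointer, the behaviour is undefined. A function-scope copy avoids the cast: declare `CK_RSA_PKCS_OAEP_PARAMS oaep_params = CONST_RSA_PKCS_OAEP_PARAMS;` with the other locals, then set `wrapping_mech.pParameter = &oaep_params;` and `wrapping_mech.ulParameterLen = sizeof(oaep_params);`. The retained comment `/* currently we don't support parameter in mechanism */` is no longer accurate once this case exists and should be updated or dropped. The function starts before this hunk and continues after it, so the copy must stay in scope for every later `C_WrapKey` call that reuses `wrapping_mech`.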
> @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args,
>          return NULL;
>      }
>  
> +    switch(wrapping_mech.mechanism){
> +        case CKM_RSA_PKCS:
> +        case CKM_AES_KEY_WRAP:
> +        case CKM_AES_KEY_WRAP_PAD:
> +            //default params
> +        break;

NACK. This switch is a duplicate of the previous one. Please split it out into an
auxiliary function and call that function from both places.

Thank you!

-- 
Petr^2 Spacek



