[Freeipa-devel] [PATCH 0190] DNSSEC: add support for CKM_RSA_PKCS_OAEP mechanism

Tomas Babej tbabej at redhat.com
Fri Mar 6 09:56:44 UTC 2015


On 03/05/2015 02:45 PM, Petr Spacek wrote:
> On 26.2.2015 16:59, Martin Basti wrote:
>> On 26/02/15 12:47, Petr Spacek wrote:
>>> On 11.2.2015 14:10, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/4657#comment:13
>>>>
>>>> Patch attached.
>>>>
>>>> -- 
>>>> Martin Basti
>>>>
>>>>
>>>> freeipa-mbasti-0190-DNSSEC-add-support-for-CKM_RSA_PKCS_OAEP-mechanism.patch
>>>>
>>>>
>>>>   From 4d698a5adaa94eb854c75bd9bcaf3093f31a11e5 Mon Sep 17 00:00:00 2001
>>>> From: Martin Basti <mbasti at redhat.com>
>>>> Date: Wed, 11 Feb 2015 14:05:46 +0100
>>>> Subject: [PATCH] DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
>>>>
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
>>>> ---
>>>>    ipapython/ipap11helper/p11helper.c | 72
>>>> ++++++++++++++++++++++++++++++++++++--
>>>>    1 file changed, 69 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/ipapython/ipap11helper/p11helper.c
>>>> b/ipapython/ipap11helper/p11helper.c
>>>> index
>>>> 4e0f262057b377124793f1e3091a8c9df4794164..c638bbe849f1bbddc8004bd1c4cccc1128b1c9e7
>>>> 100644
>>>> --- a/ipapython/ipap11helper/p11helper.c
>>>> +++ b/ipapython/ipap11helper/p11helper.c
>>>> @@ -53,6 +53,22 @@
>>>>    // TODO
>>>>    #define CKA_COPYABLE           (0x0017)
>>>>    +#define CKG_MGF1_SHA1         (0x00000001)
>>>> +
>>>> +#define CKZ_DATA_SPECIFIED    (0x00000001)
>>>> +
>>>> +struct ck_rsa_pkcs_oaep_params {
>>>> +  CK_MECHANISM_TYPE hash_alg;
>>>> +  unsigned long mgf;
>>>> +  unsigned long source;
>>>> +  void *source_data;
>>>> +  unsigned long source_data_len;
>>>> +};
>>>> +
>>>> +typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
>>>> +typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
>>>> +
>>>> +
>>>>    CK_BBOOL true = CK_TRUE;
>>>>    CK_BBOOL false = CK_FALSE;
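Review bot: The new `CKG_MGF1_SHA1`, `CKZ_DATA_SPECIFIED` and `struct ck_rsa_pkcs_oaep_params` definitions sit unguarded under the existing `// TODO` block, so a pkcs11 header that already provides them would break the build (a struct cannot be redefined even with an identical body). Wrapping the additions in `#ifndef CKG_MGF1_SHA1` … `#endif` keeps the file buildable against newer headers. A comment such as `/* OAEP definitions missing from the bundled PKCS#11 header; field layout presumably must match the token's CK_RSA_PKCS_OAEP_PARAMS */` would also record why the struct is hand-rolled, since a layout mismatch would not be caught by the compiler.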
>>>>    @@ -118,6 +134,17 @@ CK_BBOOL* bool;
>>>>    } PyObj2Bool_mapping_t;
>>>>      /**
>>>> + * Constants
>>>> + */
>>>> +static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
>>>> +    .hash_alg = CKM_SHA_1,
>>>> +    .mgf = CKG_MGF1_SHA1,
>>>> +    .source = CKZ_DATA_SPECIFIED,
>>>> +    .source_data = NULL,
>>>> +    .source_data_len = 0
>>>> +};
>>>> +
>>>> +/**
>>>>     * ipap11helper Exceptions
>>>>     */
>>>>    static PyObject *ipap11helperException; //parent class for all exceptions
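Review bot: The `/** Constants */` header on the new `CONST_RSA_PKCS_OAEP_PARAMS` says nothing about what the parameter set pins, which is the security-relevant part: every caller selecting the OAEP mechanism inherits a SHA-1 hash, MGF1-SHA1 and an empty label. A comment at the definition such as `/* OAEP parameters: SHA-1 hash, MGF1-SHA1, no label; must match the peer's OAEP configuration (OpenSSL RSA_PKCS1_OAEP_PADDING defaults) */` would make the interoperability constraint visible here rather than only at the use site in P11_Helper_export_wrapped_key.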
>>>> @@ -1359,17 +1386,36 @@ P11_Helper_export_wrapped_key(P11_Helper* self,
>>>> PyObject *args, PyObject *kwds)
>>>>        CK_BYTE_PTR wrapped_key = NULL;
>>>>        CK_ULONG wrapped_key_len = 0;
>>>>        CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
>>>> -    CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS;
>>>>        /* currently we don't support parameter in mechanism */
>>>>          static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech",
>>>> NULL };
>>>>        //TODO check long overflow
>>>>        //TODO export method
>>>>        if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist,
>>>> &object_key,
>>>> -            &object_wrapping_key, &wrapping_mech_type)) {
>>>> +            &object_wrapping_key, &wrapping_mech.mechanism)) {
>>>>            return NULL;
>>>>        }
>>>> -    wrapping_mech.mechanism = wrapping_mech_type;
>>>> +
>>>> +    // fill mech parameters
>>>> +    switch(wrapping_mech.mechanism){
>>>> +        case CKM_RSA_PKCS:
>>>> +        case CKM_AES_KEY_WRAP:
>>>> +        case CKM_AES_KEY_WRAP_PAD:
>>>> +            //default params
>>>> +        break;
>>>> +
>>>> +        case CKM_RSA_PKCS_OAEP:
>>>> +            /* Use the same configuration as openSSL
>>>> +             * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
>>>> +             */
>>>> +             wrapping_mech.pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
>>>> +             wrapping_mech.ulParameterLen =
>>>> sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
>>>> +        break;
>>>> +
>>>> +        default:
>>>> +            PyErr_SetString(ipap11helperError, "Unsupported wrapping
>>>> mechanism");
>>>> +            return NULL;
>>>> +    }
>>>>          rv = self->p11->C_WrapKey(self->session, &wrapping_mech,
>>>>                object_wrapping_key, object_key, NULL, &wrapped_key_len);
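Review bot: The comment `/* currently we don't support parameter in mechanism */` left in place after the removed `wrapping_mech_type` line is now wrong, since the new switch fills `pParameter`/`ulParameterLen` for CKM_RSA_PKCS_OAEP; replace it with `/* mechanism parameters are filled per mechanism in the switch below */` or drop it. The `(void*)` cast on `&CONST_RSA_PKCS_OAEP_PARAMS` discards the `const` of a static object; `C_WrapKey` should only read it, but a write through `pParameter` by a provider would be undefined behaviour, so either make the parameter block a non-const static or add a short comment stating the cast is for read-only use. P11_Helper_export_wrapped_key starts before this hunk and its body continues after the `C_WrapKey` call.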
>>>> @@ -1452,6 +1498,26 @@ P11_Helper_import_wrapped_secret_key(P11_Helper*
>>>> self, PyObject *args,
>>>>            return NULL;
>>>>        }
>>>>    +    switch(wrapping_mech.mechanism){
>>>> +        case CKM_RSA_PKCS:
>>>> +        case CKM_AES_KEY_WRAP:
>>>> +        case CKM_AES_KEY_WRAP_PAD:
>>>> +            //default params
>>>> +        break;
>>> NACK. This switch is a duplicate of the previous one. Please split it into an
>>> auxiliary function and call it twice.
>>>
>>> Thank you!
>>>
>> Thanks. Updated patch attached.

Pushed to master, ipa-4-1.
> ACK, it works for me.
>



