diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index a354070c1..b616abc38 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -104,41 +104,44 @@ METHOD(private_key_t, get_keysize, int, * See header. */ CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme, + key_type_t type, size_t keylen, hash_algorithm_t *hash) { static struct { signature_scheme_t scheme; CK_MECHANISM mechanism; + key_type_t type; + size_t keylen; hash_algorithm_t hash; } mappings[] = { {SIGN_RSA_EMSA_PKCS1_NULL, {CKM_RSA_PKCS, NULL, 0}, - HASH_UNKNOWN}, + KEY_RSA, 0, HASH_UNKNOWN}, {SIGN_RSA_EMSA_PKCS1_SHA1, {CKM_SHA1_RSA_PKCS, NULL, 0}, - HASH_UNKNOWN}, + KEY_RSA, 0, HASH_UNKNOWN}, {SIGN_RSA_EMSA_PKCS1_SHA256, {CKM_SHA256_RSA_PKCS, NULL, 0}, - HASH_UNKNOWN}, + KEY_RSA, 0, HASH_UNKNOWN}, {SIGN_RSA_EMSA_PKCS1_SHA384, {CKM_SHA384_RSA_PKCS, NULL, 0}, - HASH_UNKNOWN}, + KEY_RSA, 0, HASH_UNKNOWN}, {SIGN_RSA_EMSA_PKCS1_SHA512, {CKM_SHA512_RSA_PKCS, NULL, 0}, - HASH_UNKNOWN}, + KEY_RSA, 0, HASH_UNKNOWN}, {SIGN_RSA_EMSA_PKCS1_MD5, {CKM_MD5_RSA_PKCS, NULL, 0}, - HASH_UNKNOWN}, + KEY_RSA, 0, HASH_UNKNOWN}, {SIGN_ECDSA_WITH_NULL, {CKM_ECDSA, NULL, 0}, - HASH_UNKNOWN}, + KEY_ECDSA, 0, HASH_UNKNOWN}, {SIGN_ECDSA_WITH_SHA1_DER, {CKM_ECDSA_SHA1, NULL, 0}, - HASH_UNKNOWN}, + KEY_ECDSA, 0, HASH_UNKNOWN}, {SIGN_ECDSA_WITH_SHA256_DER, {CKM_ECDSA, NULL, 0}, - HASH_SHA256}, + KEY_ECDSA, 0, HASH_SHA256}, {SIGN_ECDSA_WITH_SHA384_DER, {CKM_ECDSA, NULL, 0}, - HASH_SHA384}, + KEY_ECDSA, 0, HASH_SHA384}, {SIGN_ECDSA_WITH_SHA512_DER, {CKM_ECDSA, NULL, 0}, - HASH_SHA512}, + KEY_ECDSA, 0, HASH_SHA512}, {SIGN_ECDSA_256, {CKM_ECDSA, NULL, 0}, - HASH_SHA256}, + KEY_ECDSA, 256, HASH_SHA256}, {SIGN_ECDSA_384, {CKM_ECDSA, NULL, 0}, - HASH_SHA384}, + KEY_ECDSA, 384, HASH_SHA384}, {SIGN_ECDSA_521, {CKM_ECDSA, NULL, 0}, - HASH_SHA512}, + KEY_ECDSA, 521, HASH_SHA512}, }; int i; @@ -146,6 +149,11 @@ CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme, { if (mappings[i].scheme == scheme) { + size_t len = mappings[i].keylen; + if (mappings[i].type != type || (len && keylen != len)) + { + return NULL; + } if (hash) { *hash = mappings[i].hash; @@ -229,7 +237,8 @@ METHOD(private_key_t, sign, bool, hash_algorithm_t hash_alg; chunk_t hash = chunk_empty; - mechanism = pkcs11_signature_scheme_to_mech(scheme, &hash_alg); + mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, + get_keysize(this), &hash_alg); if (!mechanism) { DBG1(DBG_LIB, "signature scheme %N not supported", diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h index 1e4ec3068..53cd0f15f 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.h @@ -56,10 +56,15 @@ pkcs11_private_key_t *pkcs11_private_key_connect(key_type_t type, va_list args); /** * Get the Cryptoki mechanism for a signature scheme. * + * Verifies that the given key is usable for this scheme. + * * @param scheme signature scheme + * @param type key type + * @param keylen key lenght in bits * @param hash hash algorithm to apply first (HASH_UNKNOWN if none) */ CK_MECHANISM_PTR pkcs11_signature_scheme_to_mech(signature_scheme_t scheme, + key_type_t type, size_t keylen, hash_algorithm_t *hash); /** diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c index 2a3a511a5..d49a03856 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -207,7 +207,8 @@ METHOD(public_key_t, verify, bool, hash_algorithm_t hash_alg; chunk_t hash = chunk_empty; - mechanism = pkcs11_signature_scheme_to_mech(scheme, &hash_alg); + mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, this->k, + &hash_alg); if (!mechanism) { DBG1(DBG_LIB, "signature scheme %N not supported",