pkcs11: Properly encode EC_POINTs created on a token

Some tokens might not reject EC public keys created in the incorrect
format, but they will later be unable to use them to verify signatures.

References #872.
This commit is contained in:
Tobias Brunner 2015-03-05 16:17:36 +01:00
parent 4aab3153a4
commit 8c9a0b5fb5
1 changed files with 8 additions and 5 deletions


@ -1,5 +1,5 @@
/*
* Copyright (C) 2011 Tobias Brunner
* Copyright (C) 2011-2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2010 Martin Willi
@ -135,6 +135,7 @@ static const asn1Object_t pkinfoObjects[] = {
/**
* Extract the DER encoded Parameters and ECPoint from the given DER encoded
* subjectPublicKeyInfo.
* Memory for ecpoint is allocated.
*/
static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams,
chunk_t *ecpoint, size_t *keylen)
@ -173,7 +174,9 @@ static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams,
{ /* skip initial bit string octet defining 0 unused bits */
object = chunk_skip(object, 1);
}
*ecpoint = object;
/* the correct way to encode an EC_POINT in PKCS#11 is as
* ASN.1 octet string */
*ecpoint = asn1_wrap(ASN1_OCTET_STRING, "c", object);
break;
}
}
@ -776,11 +779,11 @@ pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
if (parse_ecdsa_public_key(blob, &ecparams, &ecpoint, &keylen))
{
this = find_ecdsa_key(ecparams, ecpoint, keylen);
if (this)
if (!this)
{
return &this->public;
this = create_ecdsa_key(ecparams, ecpoint, keylen);
}
this = create_ecdsa_key(ecparams, ecpoint, keylen);
chunk_free(&ecpoint);
if (this)
{
return &this->public;
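Review bot: The OCTET STRING copy produced by `asn1_wrap(ASN1_OCTET_STRING, "c", object)` now turns ecpoint into an owned allocation, but the only release visible in the patch is the `chunk_free(&ecpoint)` added in pkcs11_public_key_load after the find/create attempt; if parse_ecdsa_public_key wraps the point and the parser subsequently fails on a later object, the caller presumably never reaches that free, so the failure path of parse_ecdsa_public_key (outside this hunk) should free `*ecpoint` before returning FALSE, or the new header comment should state that ecpoint is allocated only when the function returns TRUE, e.g. `* Memory for ecpoint is allocated on success; the caller must free it.` Both parse_ecdsa_public_key and pkcs11_public_key_load continue beyond the visible hunks, so this may already be handled there. Separately, find_ecdsa_key is now handed the wrapped encoding, so EC public key objects a token already holds in the raw (previous) encoding will no longer be matched and create_ecdsa_key will add a second object; that is likely acceptable given those keys cannot verify anyway, but worth a one-line comment at the `if (!this)` site so the duplication is understood as deliberate.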