author | Martin Basti <mbasti@redhat.com> | 2015-02-11 14:05:46 +0100 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-03-06 10:54:21 +0100 |
commit | a178f586bd49e9c112af8287cb5ddd187e7f0b16 (patch) | |
tree | 2b03ad3f240ec910dc6433a695c579681d78e9cd /ipapython | |
parent | 6e00f7318230781debd9952c6f2a3d924f35688a (diff) | |
DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/ipap11helper/p11helper.c | 76 |
1 files changed, 73 insertions, 3 deletions
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index 9172e720d..9a7b3ce56 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -56,6 +56,22 @@ // TODO
 #define CKA_COPYABLE (0x0017)
+#define CKG_MGF1_SHA1 (0x00000001)
+
+#define CKZ_DATA_SPECIFIED (0x00000001)
+
+struct ck_rsa_pkcs_oaep_params {
+ CK_MECHANISM_TYPE hash_alg;
+ unsigned long mgf;
+ unsigned long source;
+ void *source_data;
+ unsigned long source_data_len;
+};
+
+typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+
 CK_BBOOL true = CK_TRUE;
 CK_BBOOL false = CK_FALSE;
@@ -121,6 +137,17 @@ CK_BBOOL* bool;
 } PyObj2Bool_mapping_t;
 /**
+ * Constants
+ */
+static const CK_RSA_PKCS_OAEP_PARAMS CONST_RSA_PKCS_OAEP_PARAMS = {
+ .hash_alg = CKM_SHA_1,
+ .mgf = CKG_MGF1_SHA1,
+ .source = CKZ_DATA_SPECIFIED,
+ .source_data = NULL,
+ .source_data_len = 0
+};
+
+/**
+ * ipap11helper Exceptions
+ */
 static PyObject *ipap11helperException; //parent class for all exceptions
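Review bot: The new `CKG_MGF1_SHA1` and `CKZ_DATA_SPECIFIED` macros, `struct ck_rsa_pkcs_oaep_params` and the two `CK_RSA_PKCS_OAEP_PARAMS*` typedefs are unconditional local copies of definitions the PKCS#11 header may already provide, or will provide once it is updated; a duplicate macro is only a warning, but a second definition of the struct or typedef is a hard compile error. Wrapping the block in `#ifndef CKG_MGF1_SHA1` … `#endif` (and guarding the struct on whatever the header exposes for its version) keeps the build working across header generations, which is what the neighbouring `CKA_COPYABLE` workaround and the `// TODO` above it seem to be about. Because the token reads this struct through `pParameter`, the field order and widths must match the header's `CK_RSA_PKCS_OAEP_PARAMS` exactly; a comment naming the header revision this mirrors would make that re-checkable.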
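Review bot: The `/** Constants */` header over `CONST_RSA_PKCS_OAEP_PARAMS` does not say what the values mean, and since this is the only OAEP configuration the module will ever use (SHA-1 hash, MGF1-SHA1, empty label via `CKZ_DATA_SPECIFIED` with `NULL`/0 data) that choice deserves stating; a comment such as `/* RSA-OAEP parameters: SHA-1 hash, MGF1-SHA1, no label — OpenSSL's RSA_PKCS1_OAEP_PADDING defaults, for interoperability; hash/MGF are not selectable from Python */` would do. Because the object is `const` and shared, a future need for a different hash (e.g. SHA-256 OAEP) means adding a second table rather than mutating this one, which is worth saying in the same place.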
@@ -473,6 +500,42 @@ int _id_exists(P11_Helper* self, CK_BYTE_PTR id, CK_ULONG id_len,
 return 0; /* Object not found*/
 }
+/*
+ * Function set default param values for wrapping mechanism
+ * :param mech_type: mechanism type
+ * :param mech: filled structure with params based on mech type
+ *
+ * :return: 1 if sucessfull, 0 if error (fill proper exception)
+ *
+ * Warning: do not dealloc param values, it is static variables
+ */
+int _set_wrapping_mech_parameters(CK_MECHANISM_TYPE mech_type,
+ CK_MECHANISM *mech){
+ switch(mech_type){
+ case CKM_RSA_PKCS:
+ case CKM_AES_KEY_WRAP:
+ case CKM_AES_KEY_WRAP_PAD:
+ mech->pParameter = NULL;
+ mech->ulParameterLen = 0;
+ break;
+
+ case CKM_RSA_PKCS_OAEP:
+ /* Use the same configuration as openSSL
+ * https://www.openssl.org/docs/crypto/RSA_public_encrypt.html
+ */
+ mech->pParameter = (void*) &CONST_RSA_PKCS_OAEP_PARAMS;
+ mech->ulParameterLen = sizeof(CONST_RSA_PKCS_OAEP_PARAMS);
+ break;
+
+ default:
+ PyErr_SetString(ipap11helperError, "Unsupported wrapping mechanism");
+ return 0;
+ }
+ mech->mechanism = mech_type;
+ return 1;
+}
+
+
 /***********************************************************************
 * P11_Helper object
 */
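Review bot: `_set_wrapping_mech_parameters` is only used inside this file but is not declared `static`, so it becomes an exported symbol of the extension module under a leading-underscore name; `static int _set_wrapping_mech_parameters(CK_MECHANISM_TYPE mech_type,` keeps it file-local (the neighbouring `_id_exists` has the same issue, so this matches existing style, but new code need not repeat it). The doc comment's "sucessfull" should read "successful", and the `:return:` line could state that the error branch sets `ipap11helperError`, which is what callers rely on when they `return NULL`. In the `CKM_RSA_PKCS_OAEP` case the `(void*)` cast silently discards the `const` of `CONST_RSA_PKCS_OAEP_PARAMS` because `pParameter` is a non-const `CK_VOID_PTR`; a one-line comment there, `/* cast away const: PKCS#11 takes CK_VOID_PTR; providers read but never write the params */`, records why that is acceptable and why the object must stay static.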
@@ -1362,17 +1425,20 @@ P11_Helper_export_wrapped_key(P11_Helper* self, PyObject *args, PyObject *kwds)
 CK_BYTE_PTR wrapped_key = NULL;
 CK_ULONG wrapped_key_len = 0;
 CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };
- CK_MECHANISM_TYPE wrapping_mech_type = CKM_RSA_PKCS; /* currently we don't support parameter in mechanism */
 static char *kwlist[] = { "key", "wrapping_key", "wrapping_mech", NULL };
 //TODO check long overflow
 //TODO export method
 if (!PyArg_ParseTupleAndKeywords(args, kwds, "kkk|", kwlist, &object_key,
- &object_wrapping_key, &wrapping_mech_type)) {
+ &object_wrapping_key, &wrapping_mech.mechanism)) {
+ return NULL;
+ }
+
+ // fill mech parameters
+ if (!_set_wrapping_mech_parameters(wrapping_mech.mechanism, &wrapping_mech)){
 return NULL;
 }
- wrapping_mech.mechanism = wrapping_mech_type;
 rv = self->p11->C_WrapKey(self->session, &wrapping_mech, object_wrapping_key, object_key, NULL, &wrapped_key_len);
@@ -1455,6 +1521,10 @@ P11_Helper_import_wrapped_secret_key(P11_Helper* self, PyObject *args,
 return NULL;
 }
+ if (!_set_wrapping_mech_parameters(wrapping_mech.mechanism, &wrapping_mech)){
+ return NULL;
+ }
+
 label = (unsigned char*) unicode_to_char_array(label_unicode, &label_length);
 //TODO verify signed/unsigned |
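Review bot: The initializer `CK_MECHANISM wrapping_mech = { CKM_RSA_PKCS, NULL, 0 };` is now dead: `mechanism` is always overwritten by the mandatory `wrapping_mech` argument that `PyArg_ParseTupleAndKeywords` writes straight into `wrapping_mech.mechanism`, and `pParameter`/`ulParameterLen` are set by `_set_wrapping_mech_parameters` before `C_WrapKey` runs. `CK_MECHANISM wrapping_mech = { 0 };` says what is meant and avoids suggesting that RSA PKCS#1 v1.5 is still a default. Parsing with `k` into `wrapping_mech.mechanism` relies on `CK_MECHANISM_TYPE` being `unsigned long`, which the local struct definition in this file also assumes; a short comment on the parse line would make that dependency explicit. The rest of `P11_Helper_export_wrapped_key` is outside the hunk.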
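Review bot: The new `_set_wrapping_mech_parameters` call in `P11_Helper_import_wrapped_secret_key` is the only place the unwrap mechanism is validated, and the helper accepts `CKM_RSA_PKCS` (PKCS#1 v1.5) alongside the new OAEP mechanism; v1.5 unwrapping is the variant with the long history of padding-oracle findings, so the reason for keeping it should be recorded next to the check, e.g. `// validates the mechanism before C_UnwrapKey; prefer CKM_RSA_PKCS_OAEP for RSA, CKM_RSA_PKCS is retained for compatibility`, and the Python-facing docstring of the method should say the same. The function starts and ends outside the hunk, so it is not visible here where `wrapping_mech.mechanism` is parsed or whether the key template is built before this check; if the template is built first, moving the validation ahead of it avoids allocating for a request that will be rejected.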