Fix DH and ECDSA algorithms in PKCS#11 build
This commit is contained in:
parent
919179b369
commit
fc496b2b5d
9 changed files with 25 additions and 29 deletions
|
|
@ -72,7 +72,6 @@
|
|||
#include <pk11/pk11.h>
|
||||
#include <pk11/result.h>
|
||||
#define WANT_DH_PRIMES
|
||||
#define WANT_ECC_CURVES
|
||||
#include <pk11/constants.h>
|
||||
#include <pkcs11/eddsa.h>
|
||||
|
||||
|
|
@ -432,8 +431,6 @@ main(int argc, char *argv[]) {
|
|||
#ifndef CKM_EDDSA_KEY_PAIR_GEN
|
||||
fprintf(stderr, "CKM_EDDSA_KEY_PAIR_GEN is not defined\n");
|
||||
usage();
|
||||
UNUSED(pk11_ecc_ed25519);
|
||||
UNUSED(pk11_ecc_ed448);
|
||||
#else
|
||||
op_type = OP_EDDSA;
|
||||
if (bits == 0)
|
||||
|
|
|
|||
6
configure
vendored
6
configure
vendored
|
|
@ -804,6 +804,7 @@ ISC_PLATFORM_GSSAPIHEADER
|
|||
ISC_PLATFORM_HAVEGSSAPI
|
||||
KRB5_CONFIG
|
||||
PKCS11_TOOLS
|
||||
PKCS11_TEST
|
||||
OPENSSL_LDFLAGS
|
||||
OPENSSL_LIBS
|
||||
OPENSSL_INCLUDES
|
||||
|
|
@ -16280,6 +16281,7 @@ esac
|
|||
|
||||
|
||||
PKCS11_TOOLS=
|
||||
PKCS11_TEST=
|
||||
#
|
||||
# was --enable-native-pkcs11 specified?
|
||||
#
|
||||
|
|
@ -16299,6 +16301,7 @@ case $enable_native_pkcs11 in #(
|
|||
$as_echo "no" >&6; } ;; #(
|
||||
yes) :
|
||||
PKCS11_TOOLS=pkcs11
|
||||
PKCS11_TEST=pkcs11
|
||||
CRYPTO=pkcs11
|
||||
if $use_threads; then :
|
||||
:
|
||||
|
|
@ -16318,12 +16321,13 @@ _ACEOF
|
|||
fi
|
||||
done
|
||||
|
||||
;; #(
|
||||
;; #(
|
||||
*) :
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
|
||||
case $CRYPTO in #(
|
||||
pkcs11) :
|
||||
|
||||
|
|
|
|||
|
|
@ -1243,6 +1243,7 @@ AS_CASE([$with_cc_alg],
|
|||
|
||||
|
||||
PKCS11_TOOLS=
|
||||
PKCS11_TEST=
|
||||
#
|
||||
# was --enable-native-pkcs11 specified?
|
||||
#
|
||||
|
|
@ -1255,13 +1256,15 @@ AC_MSG_CHECKING([for PKCS11 for Public-Key Cryptography])
|
|||
AS_CASE([$enable_native_pkcs11],
|
||||
[no],[AC_MSG_RESULT([no])],
|
||||
[yes],[PKCS11_TOOLS=pkcs11
|
||||
PKCS11_TEST=pkcs11
|
||||
CRYPTO=pkcs11
|
||||
AS_IF([$use_threads],
|
||||
[:],
|
||||
[AC_MSG_ERROR([PKCS11 requires threading support])])
|
||||
AC_MSG_RESULT([yes])
|
||||
AC_CHECK_FUNCS([getpassphrase])
|
||||
])
|
||||
])
|
||||
AC_SUBST([PKCS11_TEST])
|
||||
AC_SUBST([PKCS11_TOOLS])
|
||||
|
||||
AS_CASE([$CRYPTO],
|
||||
|
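Review bot: `PKCS11_TEST` is introduced alongside `PKCS11_TOOLS` and receives the same value in both branches, so a reader cannot tell what distinguishes the two substitutions or why both are needed. A short comment next to the assignments would settle it, for example `# PKCS11_TOOLS selects the PKCS#11 utilities; PKCS11_TEST the PKCS#11 system test` (wording to be adjusted to what the Makefiles actually consume, which is not visible here). This configure change is also unrelated to the DH/ECDSA fix named in the commit title and would bisect more cleanly as its own commit.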
|
|
|||
|
|
@ -176,6 +176,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
|
|||
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
|
||||
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
|
||||
RETERR(dst__openssl_init(engine));
|
||||
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
|
||||
#if USE_OPENSSL
|
||||
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
|
||||
DST_ALG_RSAMD5));
|
||||
|
|
@ -189,7 +190,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
|
|||
DST_ALG_RSASHA512));
|
||||
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
|
||||
RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
|
||||
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
|
||||
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
|
||||
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
|
||||
#ifdef HAVE_OPENSSL_ED25519
|
||||
|
|
@ -209,10 +209,8 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
|
|||
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
|
||||
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
|
||||
RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
|
||||
#if HAVE_PKCS11_ECDSA
|
||||
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
|
||||
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
|
||||
#endif
|
||||
#ifdef HAVE_PKCS11_ED25519
|
||||
RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
|
||||
#endif
|
||||
|
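Review bot: `dst__openssldh_init` is now registered ahead of `#if USE_OPENSSL`, i.e. in every build, with no comment saying why DH alone sits outside the backend selection; the same applies to the matching prototype move in dst_internal.h and the dropped `#if !USE_PKCS11` guard in openssldh_link.c. The consequence worth stating is that in a native PKCS#11 build DH key agreement presumably runs in the OpenSSL software path, with the private exponent in process memory rather than on the token, which operators of HSM-backed deployments will want to know. A one-line comment above the call would carry that: `/* DH has no PKCS#11 backend; the OpenSSL implementation is used even with native PKCS#11. */`. dst_lib_init begins before these hunks and continues past them.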
|
|
|||
|
|
@ -223,11 +223,11 @@ isc_result_t dst__hmacsha224_init(struct dst_func **funcp);
|
|||
isc_result_t dst__hmacsha256_init(struct dst_func **funcp);
|
||||
isc_result_t dst__hmacsha384_init(struct dst_func **funcp);
|
||||
isc_result_t dst__hmacsha512_init(struct dst_func **funcp);
|
||||
isc_result_t dst__openssldh_init(struct dst_func **funcp);
|
||||
#if USE_OPENSSL
|
||||
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
|
||||
unsigned char algorithm);
|
||||
isc_result_t dst__openssldsa_init(struct dst_func **funcp);
|
||||
isc_result_t dst__openssldh_init(struct dst_func **funcp);
|
||||
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
|
||||
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
|
||||
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
|
||||
|
|
@ -236,9 +236,7 @@ isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
|
|||
#if USE_PKCS11
|
||||
isc_result_t dst__pkcs11rsa_init(struct dst_func **funcp);
|
||||
isc_result_t dst__pkcs11dsa_init(struct dst_func **funcp);
|
||||
#ifdef HAVE_PKCS11_ECDSA
|
||||
isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
|
||||
#endif
|
||||
#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
|
||||
isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -27,8 +27,6 @@
|
|||
|
||||
#include <config.h>
|
||||
|
||||
#if !USE_PKCS11
|
||||
|
||||
#include <pk11/site.h>
|
||||
|
||||
#include <ctype.h>
|
||||
|
|
@ -763,5 +761,3 @@ dst__openssldh_init(dst_func_t **funcp) {
|
|||
if (bn1536 != NULL) BN_free(bn1536);
|
||||
return (ISC_R_NOMEMORY);
|
||||
}
|
||||
|
||||
#endif /* !USE_PKCS11 */
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
#include <config.h>
|
||||
|
||||
#if USE_PKCS11 && HAVE_PKCS11_ECDSA
|
||||
#if USE_PKCS11
|
||||
|
||||
#include <isc/mem.h>
|
||||
#include <isc/safe.h>
|
||||
|
|
@ -30,7 +30,6 @@
|
|||
|
||||
#include <pk11/pk11.h>
|
||||
#include <pk11/internal.h>
|
||||
#define WANT_ECC_CURVES
|
||||
#include <pk11/constants.h>
|
||||
|
||||
#include <pkcs11/pkcs11.h>
|
||||
|
|
@ -95,8 +94,8 @@ pkcs11ecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
|
|||
if (ec->ontoken && (dctx->use == DO_SIGN))
|
||||
slotid = ec->slot;
|
||||
else
|
||||
slotid = pk11_get_best_token(OP_EC);
|
||||
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
|
||||
slotid = pk11_get_best_token(OP_ECDSA);
|
||||
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
|
||||
ec->reqlogon, NULL, slotid);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
goto err;
|
||||
|
|
@ -493,8 +492,8 @@ pkcs11ecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
|||
sizeof(*pk11_ctx));
|
||||
if (pk11_ctx == NULL)
|
||||
return (ISC_R_NOMEMORY);
|
||||
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, pk11_get_best_token(OP_EC));
|
||||
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
|
||||
ISC_FALSE, NULL, pk11_get_best_token(OP_ECDSA));
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
goto err;
|
||||
|
||||
|
|
@ -852,7 +851,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
|
|||
memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
|
||||
attr->ulValueLen = pubattr->ulValueLen;
|
||||
|
||||
ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
|
||||
ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
goto err;
|
||||
|
||||
|
|
@ -860,7 +859,7 @@ pkcs11ecdsa_fetch(dst_key_t *key, const char *engine, const char *label,
|
|||
sizeof(*pk11_ctx));
|
||||
if (pk11_ctx == NULL)
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
|
||||
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
|
||||
ec->reqlogon, NULL, ec->slot);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
goto err;
|
||||
|
|
@ -1065,7 +1064,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|||
attr[0].type = CKA_EC_PARAMS;
|
||||
attr[1].type = CKA_EC_POINT;
|
||||
|
||||
ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
|
||||
ret = pk11_parse_uri(ec, label, key->mctx, OP_ECDSA);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
goto err;
|
||||
|
||||
|
|
@ -1073,7 +1072,7 @@ pkcs11ecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|||
sizeof(*pk11_ctx));
|
||||
if (pk11_ctx == NULL)
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
|
||||
ret = pk11_get_session(pk11_ctx, OP_ECDSA, ISC_TRUE, ISC_FALSE,
|
||||
ec->reqlogon, NULL, ec->slot);
|
||||
if (ret != ISC_R_SUCCESS)
|
||||
goto err;
|
||||
|
|
@ -1187,4 +1186,4 @@ dst__pkcs11ecdsa_init(dst_func_t **funcp) {
|
|||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
#endif /* USE_PKCS11 && HAVE_PKCS11_ECDSA */
|
||||
#endif /* USE_PKCS11 */
|
||||
|
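Review bot: Dropping `HAVE_PKCS11_ECDSA` from the guard at the top of the file (now `#if USE_PKCS11`) turns ECDSA support from a compile-time property into a runtime one, decided by what `pk11_get_best_token(OP_ECDSA)` returns in pkcs11ecdsa_createctx and pkcs11ecdsa_generate, but nothing in the file records that shift. In pkcs11ecdsa_generate the slot from `pk11_get_best_token(OP_ECDSA)` is passed straight into `pk11_get_session` without being inspected, so the "no ECDSA-capable token" case now relies entirely on `pk11_get_session` rejecting it (I cannot see that function here). If `HAVE_PKCS11_ECDSA` is still defined by configure for other files, the remaining uses should be checked for consistency with this file. A comment at the guard would help: `/* Built for every PKCS#11 provider; ECDSA availability is determined at runtime via pk11_get_best_token(OP_ECDSA). */`. The enclosing functions in each hunk start before and continue after the hunk.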
|
|
|||
|
|
@ -31,7 +31,6 @@
|
|||
|
||||
#include <pk11/pk11.h>
|
||||
#include <pk11/internal.h>
|
||||
#define WANT_ECC_CURVES
|
||||
#include <pk11/constants.h>
|
||||
|
||||
#include <pkcs11/pkcs11.h>
|
||||
|
|
|
|||
|
|
@ -18,20 +18,22 @@
|
|||
/*%
|
||||
* Static arrays of data used for key template initalization
|
||||
*/
|
||||
#ifdef WANT_ECC_CURVES
|
||||
static CK_BYTE pk11_ecc_prime256v1[] = {
|
||||
0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07
|
||||
};
|
||||
static CK_BYTE pk11_ecc_secp384r1[] = {
|
||||
0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
|
||||
};
|
||||
#if HAVE_PKCS11_ED25519
|
||||
static CK_BYTE pk11_ecc_ed25519[] = {
|
||||
0x06, 0x03, 0x2b, 0x65, 0x70
|
||||
};
|
||||
#endif /* HAVE_PKCS11_ED25519 */
|
||||
#if HAVE_PKCS11_ED448
|
||||
static CK_BYTE pk11_ecc_ed448[] = {
|
||||
0x06, 0x03, 0x2b, 0x65, 0x71
|
||||
};
|
||||
#endif
|
||||
#endif /* HAVE_PKCS11_ED448 */
|
||||
|
||||
#ifdef WANT_DH_PRIMES
|
||||
static CK_BYTE pk11_dh_bn2[] = { 2 };
|
||||
|
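Review bot: The `#endif` closing `#if HAVE_PKCS11_ED448` should carry the same trailing comment as its ED25519 sibling, `#endif /* HAVE_PKCS11_ED448 */`; the hunk shows both a bare and an annotated form and I assume the annotated one is the new side, but whichever survives should match the file's other `#endif`s. The byte arrays are DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, value) whose meaning is only recoverable by decoding them, so naming each curve would help anyone validating a token's CKA_EC_PARAMS against these templates, e.g. `/* OID 1.2.840.10045.3.1.7 (prime256v1) */` above `pk11_ecc_prime256v1`, `/* OID 1.3.132.0.34 (secp384r1) */` above `pk11_ecc_secp384r1`, and `/* OID 1.3.101.112 (Ed25519) */`, `/* OID 1.3.101.113 (Ed448) */` above the two EdDSA arrays.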
|
|
|||