YKCS11: Increase sign buffer size (Yubico#473)

YKCS11: Increase sign buffer size
wfrisch · Feb 12, 2024 · 5b7f25c · 5b7f25c
1 parent d64ec8e
commit 5b7f25c
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/resources/scripts/opensc_tests.sh b/resources/scripts/opensc_tests.sh
@@ -20,13 +20,17 @@ pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801
 pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 2 --key-type EC:prime256v1
 pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 3 --key-type rsa:1024
 pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 4 --key-type rsa:2048
+pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 5 --key-type rsa:3072
+pkcs11-tool --module $MODULE --login --login-type so --so-pin 010203040506070801020304050607080102030405060708 --keypairgen --id 6 --key-type rsa:4096
 
 echo "******************* Signing Tests ********************* "
 echo "this is test data" > data.txt
 pkcs11-tool --module $MODULE --sign --pin 123456 --id 1 -m ECDSA-SHA1 --signature-format openssl -i data.txt -o data.sig
 pkcs11-tool --module $MODULE --sign --pin 123456 --id 2 -m ECDSA-SHA1 --signature-format openssl -i data.txt -o data.sig
 pkcs11-tool --module $MODULE --sign --pin 123456 --id 3 -i data.txt -o data.sig
 pkcs11-tool --module $MODULE --sign --pin 123456 --id 4 -i data.txt -o data.sig
+pkcs11-tool --module $MODULE --sign --pin 123456 --id 5 -i data.txt -o data.sig
+pkcs11-tool --module $MODULE --sign --pin 123456 --id 6 -i data.txt -o data.sig
 rm data.txt
 rm data.sig
 
@@ -41,6 +45,14 @@ pkcs11-tool --module $MODULE --read-object --type cert --id 4 -o 9e_cert.crt
 openssl x509 -inform DER -outform PEM -in 9e_cert.crt -out 9e_cert.pem
 openssl x509 -in 9e_cert.pem -pubkey -noout > 9e_pubkey.pem
 
+pkcs11-tool --module $MODULE --read-object --type cert --id 5 -o 5_cert.crt
+openssl x509 -inform DER -outform PEM -in 5_cert.crt -out 5_cert.pem
+openssl x509 -in 5_cert.pem -pubkey -noout > 5_pubkey.pem
+
+pkcs11-tool --module $MODULE --read-object --type cert --id 6 -o 6_cert.crt
+openssl x509 -inform DER -outform PEM -in 6_cert.crt -out 6_cert.pem
+openssl x509 -in 6_cert.pem -pubkey -noout > 6_pubkey.pem
+
 openssl rsautl -encrypt -oaep -inkey 9d_pubkey.pem -pubin -in data.txt -out data.oaep
 pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 3 -m RSA-PKCS-OAEP -i data.oaep
 rm data.oaep
@@ -49,8 +61,18 @@ openssl rsautl -encrypt -oaep -inkey 9e_pubkey.pem -pubin -in data.txt -out data
 pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 4 -m RSA-PKCS-OAEP -i data.oaep
 rm data.oaep
 
+openssl rsautl -encrypt -oaep -inkey 5_pubkey.pem -pubin -in data.txt -out data.oaep
+pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 5 -m RSA-PKCS-OAEP -i data.oaep
+rm data.oaep
+
+openssl rsautl -encrypt -oaep -inkey 6_pubkey.pem -pubin -in data.txt -out data.oaep
+pkcs11-tool --module $MODULE --decrypt --pin 123456 --id 6 -m RSA-PKCS-OAEP -i data.oaep
+rm data.oaep
+
 rm 9d_cert.crt 9d_cert.pem 9d_pubkey.pem
 rm 9e_cert.crt 9e_cert.pem 9e_pubkey.pem
+rm 5_cert.crt 5_cert.pem 5_pubkey.pem
+rm 6_cert.crt 6_cert.pem 6_pubkey.pem
 
 rm data.txt
 echo "******************* Testing RSA Tests ********************* "

diff --git a/ykcs11/mechanisms.c b/ykcs11/mechanisms.c
@@ -292,7 +292,7 @@ CK_RV sign_mechanism_final(ykcs11_session_t *session, CK_BYTE_PTR sig, CK_ULONG_
   }
 
   // Sign with PIV
-  unsigned char sigbuf[256] = {0};
+  unsigned char sigbuf[512] = {0};
   size_t siglen = sizeof(sigbuf);
   ykpiv_rc rcc = ykpiv_sign_data(session->slot->piv_state, session->op_info.buf, session->op_info.buf_len, sigbuf, &siglen, session->op_info.op.sign.algorithm, session->op_info.op.sign.piv_key);
   if(rcc == YKPIV_OK) {

diff --git a/ykcs11/objects.c b/ykcs11/objects.c
@@ -2171,7 +2171,7 @@ CK_RV check_create_rsa_key(CK_ATTRIBUTE_PTR templ, CK_ULONG n, CK_BYTE_PTR id,
     return CKR_TEMPLATE_INCOMPLETE;
   }
 
-  if (*p_len != 64 && *p_len != 128) {
+  if (*p_len != 64 && *p_len != 128 && *p_len != 192 && *p_len != 256) {
     DBG("Invalid RSA component lengths");
     return CKR_ATTRIBUTE_VALUE_INVALID;
   }