Skip to content

Commit 636ab67

Browse files
author
z4yx
committed
fix 25519 importing
1 parent e1694fe commit 636ab67

File tree

2 files changed

+36
-19
lines changed

2 files changed

+36
-19
lines changed

src/key.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -126,10 +126,11 @@ int ck_parse_piv(ck_key_t *key, const uint8_t *buf, size_t buf_len) {
126126
DBG_MSG("too short\n");
127127
return KEY_ERR_LENGTH;
128128
}
129-
if (*p++ != 0x06) {
129+
if (*p < 0x06 || *p > 0x08) {
130130
DBG_MSG("invalid tag\n");
131131
return KEY_ERR_DATA;
132132
}
133+
p++;
133134
if (*p++ != PRIVATE_KEY_LENGTH[key->meta.type]) {
134135
DBG_MSG("invalid private key length\n");
135136
return KEY_ERR_LENGTH;

test-real/test-piv.sh

Lines changed: 34 additions & 18 deletions
Original file line numberDiff line numberDiff line change
@@ -166,24 +166,40 @@ test_PinBlock() {
166166
assertContains 'verify-pin' "$out" 'Successfully unblocked the pin code'
167167
}
168168

169-
test_P256KeyImport() {
170-
openssl ecparam -name prime256v1 -out $TEST_TMP_DIR/p256.pem
171-
openssl req -x509 -newkey ec:$TEST_TMP_DIR/p256.pem -keyout $TEST_TMP_DIR/key.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"
172-
173-
for s in 9a 9c 9d 9e; do PIVImportKeyCert $s $TEST_TMP_DIR/key.pem $TEST_TMP_DIR/cert.pem; done
174-
YPT -a status
175-
for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
176-
PIVSignDec 9d 1 d # 9d only do the ECDH
177-
}
178-
179-
test_P384KeyImport() {
180-
openssl ecparam -name secp384r1 -out $TEST_TMP_DIR/p384.pem
181-
openssl req -x509 -newkey ec:$TEST_TMP_DIR/p384.pem -keyout $TEST_TMP_DIR/key.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"
182-
183-
for s in 9a 9c 9d 9e; do PIVImportKeyCert $s $TEST_TMP_DIR/key.pem $TEST_TMP_DIR/cert.pem; done
184-
YPT -a status
185-
for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
186-
PIVSignDec 9d 1 d # 9d only do the ECDH
169+
test_ECKeyImport() {
170+
declare -A OPTS
171+
# [ECCP256]="-algorithm EC -pkeyopt ec_paramgen_curve:prime256v1" \
172+
# [ECCP384]="-algorithm EC -pkeyopt ec_paramgen_curve:secp384r1" \
173+
# [ED25519]="-algorithm ED25519" \
174+
OPTS=(\
175+
[X25519]="-algorithm X25519" \
176+
)
177+
for algo in ${!OPTS[@]}
178+
do
179+
# openssl ecparam -name $curve -out $TEST_TMP_DIR/$curve.pem
180+
# openssl req -x509 -newkey ec:$TEST_TMP_DIR/$curve.pem -keyout $TEST_TMP_DIR/key.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"
181+
opt=${OPTS[${algo}]}
182+
openssl genpkey $opt -out $TEST_TMP_DIR/key.pem
183+
openssl req -x509 -key $TEST_TMP_DIR/key.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"
184+
185+
for s in 9a 9c 9d 9e; do
186+
if [[ $algo != X25519 ]]; then
187+
PIVImportKeyCert $s $TEST_TMP_DIR/key.pem $TEST_TMP_DIR/cert.pem;
188+
else
189+
openssl pkey -in $TEST_TMP_DIR/key.pem -pubout -out $TEST_TMP_DIR/pubkey-$s.pem
190+
fi
191+
done
192+
YPT -a status
193+
for s in 9a 9c 9d 9e; do
194+
if [[ $algo != X25519 ]]; then
195+
PIVSignDec $s 1 s $algo;
196+
fi
197+
if [[ $algo != ED25519 ]]; then
198+
PIVSignDec $s 1 d $algo;
199+
fi
200+
done
201+
# rm $TEST_TMP_DIR/key.pem $TEST_TMP_DIR/cert.pem
202+
done
187203
}
188204

189205
test_RSAKeyImport() {

0 commit comments

Comments
 (0)