
Dev #111

Merged
merged 5 commits into from
Dec 23, 2024
2 changes: 1 addition & 1 deletion applets/piv/piv.c
Expand Up @@ -655,7 +655,7 @@ static int piv_general_authenticate(const CAPDU *capdu, RAPDU *rapdu) {
len[IDX_CHALLENGE]);
memzero(DATA + pos[IDX_CHALLENGE], PRIVATE_KEY_LENGTH[key.meta.type] - len[IDX_CHALLENGE]);
}
int sig_len = ck_sign(&key, DATA + pos[IDX_CHALLENGE], PRIVATE_KEY_LENGTH[key.meta.type], RDATA + 4);
int sig_len = ck_sign(&key, DATA + pos[IDX_CHALLENGE], len[IDX_CHALLENGE], RDATA + 4);
if (sig_len < 0) {
ERR_MSG("Sign failed\n");
return -1;
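Review bot: The length passed to `ck_sign` may no longer match the buffer that the padding branch just above prepares. The visible `memzero` pads the challenge out to `PRIVATE_KEY_LENGTH[key.meta.type]`, while the call (taking the second of the two printed `ck_sign` lines as the new side) passes `len[IDX_CHALLENGE]`. Unless code outside this hunk updates `len[IDX_CHALLENGE]` after padding, a short challenge on the fixed-size curves would be signed over a prefix of the padded buffer, and nothing visible caps a caller-supplied length for those key types. I would set `len[IDX_CHALLENGE] = PRIVATE_KEY_LENGTH[key.meta.type];` inside the padding branch and add a comment on the call such as `// message length: equals the key length for ECDSA digests, variable for Ed25519` (the Ed25519 motive is inferred from the key.c change). The body of piv_general_authenticate starts and ends outside the hunk, so this needs checking against the full function.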
6 changes: 5 additions & 1 deletion src/key.c
Expand Up @@ -126,15 +126,19 @@ int ck_parse_piv(ck_key_t *key, const uint8_t *buf, size_t buf_len) {
DBG_MSG("too short\n");
return KEY_ERR_LENGTH;
}
if (*p++ != 0x06) {
if (*p != 0x06 && !(key->meta.type == ED25519 && *p == 0x07) && !(key->meta.type == X25519 && *p == 0x08)) {
DBG_MSG("invalid tag\n");
return KEY_ERR_DATA;
}
p++;
if (*p++ != PRIVATE_KEY_LENGTH[key->meta.type]) {
DBG_MSG("invalid private key length\n");
return KEY_ERR_LENGTH;
}
memcpy(key->ecc.pri, p, PRIVATE_KEY_LENGTH[key->meta.type]);
if (key->meta.type == X25519) {
swap_big_number_endian(key->ecc.pri); // Private key of x25519 is encoded in little endian
}
if (!ecc_verify_private_key(key->meta.type, &key->ecc)) {
memzero(key, sizeof(ck_key_t));
return KEY_ERR_DATA;
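Review bot: The relaxed tag check in ck_parse_piv still accepts `0x06` for every key type, so the tag is not tied to the slot's algorithm. A blob tagged `0x06` imported as X25519 is then byte-swapped and stored as a Curve25519 scalar. If `0x06` is not a deliberate compatibility path, derive the one expected tag from the type and compare once, e.g. `uint8_t want = key->meta.type == ED25519 ? 0x07 : key->meta.type == X25519 ? 0x08 : 0x06;` followed by `if (*p++ != want) {`. The bare `0x06`/`0x07`/`0x08` literals would also read better as named constants with a comment saying which key-import tag each one is. The "too short" check that guards these reads is above the hunk and the function continues below it, so whether `buf_len` covers the two header bytes plus `PRIVATE_KEY_LENGTH[key->meta.type]` cannot be confirmed from here.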
59 changes: 38 additions & 21 deletions test-real/test-piv.sh
Expand Up @@ -28,9 +28,11 @@ PIVImportKeyCert() {
cert_pem="$3"
YPT -a import-key -s $key -i "$priv_pem"
assertEquals 'import-key' 0 $?
YPT -a import-certificate -s $key -i "$cert_pem"
assertEquals 'import-certificate' 0 $?
cp "$cert_pem" "$TEST_TMP_DIR/cert-$key.pem"
if [[ -f "$cert_pem" ]]; then
YPT -a import-certificate -s $key -i "$cert_pem"
assertEquals 'import-certificate' 0 $?
cp "$cert_pem" "$TEST_TMP_DIR/cert-$key.pem"
fi
}

PIVSignDec() {
Expand Down Expand Up @@ -166,24 +168,39 @@ test_PinBlock() {
assertContains 'verify-pin' "$out" 'Successfully unblocked the pin code'
}

test_P256KeyImport() {
openssl ecparam -name prime256v1 -out $TEST_TMP_DIR/p256.pem
openssl req -x509 -newkey ec:$TEST_TMP_DIR/p256.pem -keyout $TEST_TMP_DIR/key.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"

for s in 9a 9c 9d 9e; do PIVImportKeyCert $s $TEST_TMP_DIR/key.pem $TEST_TMP_DIR/cert.pem; done
YPT -a status
for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
PIVSignDec 9d 1 d # 9d only do the ECDH
}

test_P384KeyImport() {
openssl ecparam -name secp384r1 -out $TEST_TMP_DIR/p384.pem
openssl req -x509 -newkey ec:$TEST_TMP_DIR/p384.pem -keyout $TEST_TMP_DIR/key.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"

for s in 9a 9c 9d 9e; do PIVImportKeyCert $s $TEST_TMP_DIR/key.pem $TEST_TMP_DIR/cert.pem; done
YPT -a status
for s in 9a 9c 9e; do PIVSignDec $s 1 s; done # 9a/9c/9e only do the ECDSA
PIVSignDec 9d 1 d # 9d only do the ECDH
test_ECKeyImport() {
declare -A OPTS
OPTS=(\
[ECCP256]="-algorithm EC -pkeyopt ec_paramgen_curve:prime256v1" \
[ECCP384]="-algorithm EC -pkeyopt ec_paramgen_curve:secp384r1" \
[ED25519]="-algorithm ED25519" \
[X25519]="-algorithm X25519" \
)
for algo in ${!OPTS[@]}
do
# openssl ecparam -name $curve -out $TEST_TMP_DIR/$curve.pem
# openssl req -x509 -newkey ec:$TEST_TMP_DIR/$curve.pem -keyout $TEST_TMP_DIR/key.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"
opt=${OPTS[${algo}]}
for s in 9a 9c 9d 9e; do
openssl genpkey $opt -out $TEST_TMP_DIR/key-$s.pem
# this command is expected to fail on X25519
openssl req -x509 -key $TEST_TMP_DIR/key-$s.pem -out $TEST_TMP_DIR/cert.pem -days 365 -nodes -subj "/CN=www.example.com"

PIVImportKeyCert $s $TEST_TMP_DIR/key-$s.pem $TEST_TMP_DIR/cert.pem
# pubkey-$s.pem is used by X25519
openssl pkey -in $TEST_TMP_DIR/key-$s.pem -pubout -out $TEST_TMP_DIR/pubkey-$s.pem
done
YPT -a status
for s in 9a 9c 9d 9e; do
if [[ $algo != X25519 ]]; then
PIVSignDec $s 1 s $algo;
fi
if [[ $algo != ED25519 ]]; then
PIVSignDec $s 1 d $algo;
fi
done
rm -f $TEST_TMP_DIR/cert.pem
done
}

test_RSAKeyImport() {
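Review bot: The new `[[ -f "$cert_pem" ]]` guard in PIVImportKeyCert makes certificate import optional for every algorithm, not only X25519. A failed `openssl req` for P-256, P-384 or Ed25519 in test_ECKeyImport now passes silently. `cert.pem` is also removed only once per algorithm, so a failure on a later slot would import the certificate generated for the previous slot's key. I would clear the file before each attempt with `rm -f "$TEST_TMP_DIR/cert.pem"` and assert the result where a certificate is expected: `[[ $algo == X25519 ]] || assertEquals 'openssl req' 0 $?`. The two commented-out `openssl ecparam` / `openssl req` lines can be deleted. The old comments said 9a/9c/9e only sign and 9d only does ECDH, while the new loop runs both operations on all four slots; a one-line comment stating that this is intended would help.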