Skip to content

Commit

Permalink
fix buffer_length check for EdDSA in util_pkcs11.c (#390)
Browse files Browse the repository at this point in the history
Having problems signing with EdDSA on YubiHSM2 via PKCS11.
Getting an 
pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign
error

As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value.

see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189

EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor

see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
  • Loading branch information
marcwillert authored and aveenismail committed May 16, 2024
1 parent 6e5a70d commit 332dfb7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkcs11/util_pkcs11.c
Original file line number Diff line number Diff line change
Expand Up @@ -2776,7 +2776,6 @@ CK_RV apply_sign_mechanism_update(yubihsm_pkcs11_op_info *op_info,
break;

case CKM_ECDSA:
case CKM_EDDSA:
if (op_info->buffer_length + in_len > 128) {
// NOTE(adma): Specs say ECDSA only supports data up to 1024 bit
return CKR_DATA_LEN_RANGE;
Expand All @@ -2791,6 +2790,7 @@ CK_RV apply_sign_mechanism_update(yubihsm_pkcs11_op_info *op_info,
case CKM_SHA256_HMAC:
case CKM_SHA384_HMAC:
case CKM_SHA512_HMAC:
case CKM_EDDSA:
if (op_info->buffer_length + in_len > sizeof(op_info->buffer)) {
return CKR_DATA_LEN_RANGE;
}
Expand Down

0 comments on commit 332dfb7

Please sign in to comment.