fix buffer_length check for EdDSA in util_pkcs11.c #390
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Having problems signing with EdDSA on YubiHSM2 via PKCS11. Getting an pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign error As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value. see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189 EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
qpernil
approved these changes
Feb 16, 2024
|
Thank you for your contribution ! |
aveenismail
pushed a commit
that referenced
this pull request
May 16, 2024
Having problems signing with EdDSA on YubiHSM2 via PKCS11. Getting an pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign error As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value. see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189 EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
aveenismail
pushed a commit
that referenced
this pull request
May 30, 2024
Having problems signing with EdDSA on YubiHSM2 via PKCS11. Getting an pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign error As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value. see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189 EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
aveenismail
pushed a commit
that referenced
this pull request
Jun 3, 2024
Having problems signing with EdDSA on YubiHSM2 via PKCS11. Getting an pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign error As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value. see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189 EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191
qpernil
added a commit
that referenced
this pull request
Jun 19, 2024
* Use PKCS11 3.0 headers * Added files to be installed * Basic PKCS11 3.0 support * Make function lists static * Make function lists const * Refactored C_Login and C_LoginUser * Rebase fixes * Rebase changes * Support ed25519 * Fix attributes for ed25519 keys * ed25519 keys are considered 255 bits. Refactor getting CKA_EC_POINT slightly * pkc11 3.1 * fix buffer_length check for EdDSA in util_pkcs11.c (#390) Having problems signing with EdDSA on YubiHSM2 via PKCS11. Getting an pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign error As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value. see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189 EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191 * PKCS11: Rebase on current master * PKCS11: Fix include for older OSs. Githubactions: Fix OpenSSL installation on MacOS runners * PKCS11: Compile ED25519 code only when OpenSSL is higher than 1.0. Build: Fix Redhat and MacOS builds * PKCS11: Fix header inclusion in test * PKCS11: Update tests to use PKCS11_3 functionlist. Add test for PKCS11 interfaces * PKCS11: Remove unnecessary KDF definitions * PKCS11: Fix PKCS11 interfaces test * PKCS11_3: return CKR_PIN_INCORRECT when logging in with wrong password * Only C_GetInfo from 3.x function list returns 3.x cryptoki version * PKCS11_3: Use snprintf instead of sprintf * PKCS11_3: Fix allocation of arrays * More usage of snprintf --------- Co-authored-by: marcwillert <[email protected]> Co-authored-by: Aveen Ismail <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Having problems signing with EdDSA on YubiHSM2 via PKCS11. Getting an
pkcs11:p11prov_Sign:The size of plaintext input data to a cryptographic operation is invalid (Out of range):interface.gen.c:679:Error returned by C_Sign error
As I understand the PKCS11 v3.0 spec, the 1024 bit limit (note by "adma" in line 2228) applies only to "ECDSA without hashing" (CKM_ECDSA) as it only processes a hash value.
see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061189
EdDSA does not have this limit, so the size of "op_info->buffer" should be the limiting factor
see: https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/pkcs11-curr-v3.0-os.html#_Toc30061191