-rw-r--r-- | src/include/ckmc/ckmc-manager.h | 4 | ||||
-rw-r--r-- | src/manager/crypto/sw-backend/internals.cpp | 8 | ||||
-rw-r--r-- | src/manager/crypto/tz-backend/internals.cpp | 6 |
3 files changed, 15 insertions, 3 deletions
diff --git a/src/include/ckmc/ckmc-manager.h b/src/include/ckmc/ckmc-manager.h
index 22a295ce..251052cb 100644
--- a/src/include/ckmc/ckmc-manager.h
+++ b/src/include/ckmc/ckmc-manager.h
@@ -607,7 +607,7 @@ int ckmc_create_key_aes(size_t size, const char *key_alias, ckmc_policy_s key_po
 * @param[in] private_key_alias The name of private key
 * @param[in] password The password used in decrypting a private key value
 * @param[in] message The message that is signed with a private key
- * @param[in] hash The hash algorithm used in creating signature
+ * @param[in] hash The hash algorithm used in creating signature. CKMC_HASH_NONE is invalid for DSA & ECDSA
 * @param[in] padding The RSA padding algorithm used in creating signature \n
 * It is used only when the signature algorithm is RSA. If
 * @a padding is CKMC_NONE_PADDING you must use CKMC_HASH_NONE
@@ -643,7 +643,7 @@ int ckmc_create_signature(const char *private_key_alias, const char *password, c
 * @param[in] password The password used in decrypting a public key value
 * @param[in] message The input on which the signature is created
 * @param[in] signature The signature that is verified with public key
- * @param[in] hash The hash algorithm used in verifying signature
+ * @param[in] hash The hash algorithm used in verifying signature. CKMC_HASH_NONE is invalid for DSA & ECDSA
 * @param[in] padding The RSA padding algorithm used in verifying signature \n
 * It is used only when the signature algorithm is RSA. If
 * @a padding is CKMC_NONE_PADDING you must use CKMC_HASH_NONE
diff --git a/src/manager/crypto/sw-backend/internals.cpp b/src/manager/crypto/sw-backend/internals.cpp
index afa3c884..a5f2f9e9 100644
--- a/src/manager/crypto/sw-backend/internals.cpp
+++ b/src/manager/crypto/sw-backend/internals.cpp
@@ -817,6 +817,9 @@ RawBuffer signMessage(EVP_PKEY *privKey, const RawBuffer &message, const int rsa_padding) { + if (EVP_PKEY_type(privKey->type) != EVP_PKEY_RSA) + ThrowErr(Exc::Crypto::InputParam, "Only RSA supports no hash option"); + EvpPkeyCtxUPtr pctx(EVP_PKEY_CTX_new(privKey, NULL), EVP_PKEY_CTX_free); if (!pctx.get()) @@ -931,6 +934,9 @@ int verifyMessage(EVP_PKEY *pubKey, const RawBuffer &signature, const int rsa_padding) { + if (EVP_PKEY_type(pubKey->type) != EVP_PKEY_RSA) + ThrowErr(Exc::Crypto::InputParam, "Only RSA supports no hash option"); + EvpPkeyCtxUPtr pctx(EVP_PKEY_CTX_new(pubKey, NULL), EVP_PKEY_CTX_free); if (!pctx.get()) @@ -1048,4 +1054,4 @@ bool verifyBinaryData(DataType dataType, const RawBuffer &buffer) } // namespace Internals } // namespace SW } // namespace Crypto -} // namespace CKM
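Review bot: The guard added to signMessage reads `privKey->type` directly, which only compiles while EVP_PKEY is a visible struct; OpenSSL 1.1.0 and later make the type opaque, and the public accessor gives the same value, so the condition could read `if (EVP_PKEY_base_id(privKey) != EVP_PKEY_RSA)`. The guard in the verifyMessage hunk (`pubKey->type`) needs the same change. Both guards dereference the key before any null check visible in the hunk; both function bodies continue outside the hunks, so whether callers guarantee a non-null key cannot be confirmed from here. Judging by the error text these overloads are the no-hash path, and a one-line comment stating the reason would help the next reader, e.g. `// Without a digest, DSA/ECDSA operate on the raw input truncated to the group order; reject instead of signing a prefix.`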
\ No newline at end of file +} // namespace CKM diff --git a/src/manager/crypto/tz-backend/internals.cpp b/src/manager/crypto/tz-backend/internals.cpp index 7b7b9be1..8aee58a8 100644 --- a/src/manager/crypto/tz-backend/internals.cpp +++ b/src/manager/crypto/tz-backend/internals.cpp @@ -533,6 +533,9 @@ RawBuffer sign(const RawBuffer &pkey, { AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE); HashAlgorithm hash = unpack<HashAlgorithm>(alg, ParamName::SV_HASH_ALGO); + if (algo != AlgoType::RSA_SV && hash == HashAlgorithm::NONE) + ThrowErr(Exc::Crypto::InputParam, "Only RSA supports no hash option"); + RawBuffer signature; TrustZoneContext::Instance().executeSign(getAlgType(algo), getHashType(hash), @@ -551,6 +554,9 @@ int verify(const RawBuffer &pkey, { AlgoType algo = unpack<AlgoType>(alg, ParamName::ALGO_TYPE); HashAlgorithm hash = unpack<HashAlgorithm>(alg, ParamName::SV_HASH_ALGO); + if (algo != AlgoType::RSA_SV && hash == HashAlgorithm::NONE) + ThrowErr(Exc::Crypto::InputParam, "Only RSA supports no hash option"); + return TrustZoneContext::Instance().executeVerify(getAlgType(algo), getHashType(hash), pkey, |
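Review bot: The guard added to sign() tests the caller-supplied `algo` parameter rather than the type of the key held in `pkey`, so a request that declares RSA_SV with HashAlgorithm::NONE for a DSA or ECDSA key still passes it, whereas the software backend in this commit checks the key object itself. Whether TrustZoneContext::executeSign and executeVerify reject such a mismatch is not visible in these hunks, so it should be confirmed and recorded next to the check, e.g. `// algo is caller-declared; the TA is expected to reject a key whose type does not match it`. The identical guard in the verify() hunk has the same property. Because the two-line check is duplicated, a small file-local helper taking `algo` and `hash` would keep the rule in one place.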