google
Support for EC keys, fix Attributes processing
This change adds proper handling for EC keys (addressing https://github.com/google/native-pkcs11/issues/303) as well as proper RSA parameters calculation.
NOTE: For instance, openssl expects that EC params (curve OID) and points are in specific uncompressed and padded format. In Go encoding EC_POINTS be like:
case C.CKA_EC_POINT:
encodedPoint, err := encodeECPoint(key.Curve, key.X, key.Y)
...
setValue(attr, unsafe.Pointer(&encodedPoint[0]), C.CK_ULONG(len(encodedPoint)))
func encodeECPoint(curve elliptic.Curve, x, y *big.Int) ([]byte, error) {
fieldSize := (curve.Params().BitSize + 7) / 8
xPadded := make([]byte, fieldSize)
yPadded := make([]byte, fieldSize)
copy(xPadded[fieldSize-len(x.Bytes()):], x.Bytes())
copy(yPadded[fieldSize-len(y.Bytes()):], y.Bytes())
ecPoint := append([]byte{0x04}, append(xPadded, yPadded...)...)
return asn1.Marshal(asn1.RawValue{
Tag: asn1.TagOctetString,
Bytes: ecPoint,
})
}
I faced this issue when implementing fake custom backend using regular PEM/DER files or passing signature produced by AWS KMS. Perhaps, as later improvement we can try to instantiate specific signature from DER bytes and then repack params into expected format. Now this is offloaded to the backend.
The changes were checked with my custom backend using RSA2048 and ECC NIST-P256 keys via OpenSSL.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).
View this failed invocation of the CLA check for more information.
For the most up to date status, view the checks section at the bottom of the pull request.
![google-cla[bot] avatar](https://avatars.githubusercontent.com/in/42202?v=4 "Published by a pub.dev verified publisher"){kind=small}
Thank you for the PR! Just to set expectations, I probably won't have an opportunity to review and test until the new year.
