-
Type:
New Feature
-
Status: Closed
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: SoftHSM 1.x develop
-
Fix Version/s: None
-
Component/s: PKCS#11 Interface
-
Labels:None
-
Environment:
SoftHSMv2, taken from svn (http://svn.opendnssec.org/trunk/softHSMv2).
Tested on Fedora 17 x86_64 with Botan 1.10.3 (aka stable) and OpenSSL
(recompiled recent version).
Add HMAC, EC keys, DSA generation, ECDSA, DH (including secret derivation),
partial/unfinished ECDH. Update include file to PKCS#11 2.30 (not complete,
BTW as far as I know 2.30 is not yet published). Fix some g++ warnings.
I worked from http://svn.opendnssec.org/trunk/softHSMv2 so it is for
version >= 2, you'll have to attribute it to 2.0.0 or 2.1.0.
Important notes about EC keys and ECDSA:
- there is a bug to fix in Botan (sent to Botan team)
- many Linuxes (including Fedora) provide no EC support in system OpenSSL
So I strongly suggest to make the support of EC optional in configure
(putting the relevant files in src/lib/crypto/Makefile under an automake
conditional, and adding a #ifdef in crypto factories for instance).
The attached diff is against last svn update (status says 6930 but
log says 6911).
PS: Botan bug (from the message I sent to Botan team):
in src/ec_group/ec_group.cpp EC_Group::DER_encode() finished by:
else if(form == EC_DOMPAR_ENC_OID)
return DER_Encoder().encode(get_oid()).get_contents();
(in 1.10.3, 1.11.1 uses get_contents_unlocked() but should share the issue)
The problem is get_oid() returns the EC_Group OID in its std::string
form (here "1.2.840.10045.3.1.7") and .encode() believes it is a
BigInt.
A trivial fix is to add a OID() around get_oid(), BTW it is what
the gost_3410 code does.