Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EVP_PKEY_verify doesn't work with generated EVP_PKEY #480

Open
latal-1 opened this issue Nov 26, 2024 · 1 comment · May be fixed by #479
Open

EVP_PKEY_verify doesn't work with generated EVP_PKEY #480

latal-1 opened this issue Nov 26, 2024 · 1 comment · May be fixed by #479

Comments

@latal-1
Copy link

latal-1 commented Nov 26, 2024

Describe the bug

EVP_PKEY_verify returns error when using with generated EVP_PKEY

To Reproduce

EVP_PKEY* keyPair;
EVP_PKEY_CTX *ctx;
unsigned char* data = ...;
size_t dataLen = ...;
unsigned char* signature;
size_t signatureLen;

ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
EVP_PKEY_keygen_init(ctx);
EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024);
EVP_PKEY_generate(ctx, keyPair);

ctx = EVP_PKEY_CTX_new_from_pkey(NULL, keyPair, "provider=pkcs11");
EVP_PKEY_sign_init(ctx);
EVP_PKEY_sign(ctx, signature, &signatureLen, data, dataLen); // or make C_Sign routine instead

ctx = EVP_PKEY_CTX_new_from_pkey(NULL, keyPair, "provider=pkcs11");
EVP_PKEY_verify_init(ctx);
EVP_PKEY_verify(ctx, signature, signatureLen, data, dataLen); // ERROR

Additional context

Generated EVP_PKEY contains only P11PROV_OBJ private key

@latal-1 latal-1 linked a pull request Nov 26, 2024 that will close this issue
10 tasks
@simo5
Copy link
Member

simo5 commented Nov 26, 2024

Thanks, this calls for retaining at time of creation, liked to the private key, a public key object.

One way could be to add a "linked" attribute as part of the P11PROV_OBJ that simply is a pointer to the corresponding generated public key object. The other way would be to always use indirection via a "key-pair" structure that always point to two objects (a public and a private one. Either of these options have good and bad sides, but the latter would probably be a lot more invasive to handle.

One tricky part is to ensure memory consistency on releasing of objects, but that can be handled somewhat easily via ref counting we already have for these objects.

The other issue is making sure that everywhere in the code we get the right object without having to special case each call. A getter pattern that requires the key type might be used to deal with the indirection as needed automatically, but will be a somewhat invasive patch to do this right.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants