From 8e9056bb5b01d6a5ac4cd8ec84de10c3e6e5cd1e Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 24 Oct 2024 10:35:11 +0200 Subject: [PATCH] signature: Use no-allowed-mechinisms quirk also during signature time Signed-off-by: Jakub Jelen --- src/signature.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/signature.c b/src/signature.c index 7c58166f..10465962 100644 --- a/src/signature.c +++ b/src/signature.c @@ -430,9 +430,25 @@ static CK_RSA_PKCS_MGF_TYPE p11prov_sig_map_mgf(const char *digest_name) static CK_RV p11prov_sig_pss_restrictions(P11PROV_SIG_CTX *sigctx, CK_MECHANISM *mechanism) { - CK_ATTRIBUTE *allowed_mechs = - p11prov_obj_get_attr(sigctx->key, CKA_ALLOWED_MECHANISMS); + CK_BBOOL token_supports_allowed_mechs = CK_TRUE; + CK_ATTRIBUTE *allowed_mechs = NULL; + CK_RV ret; + + /* check if token supports CKA_ALLOWED_MECHANISMS at all */ + ret = p11prov_token_sup_attr( + sigctx->provctx, p11prov_obj_get_slotid(sigctx->key), GET_ATTR, + CKA_ALLOWED_MECHANISMS, &token_supports_allowed_mechs); + if (ret != CKR_OK) { + P11PROV_raise(sigctx->provctx, ret, + "Failed to probe CKA_ALLOWED_MECHANISMS quirk"); + return ret; + } + if (token_supports_allowed_mechs == CK_FALSE) { + /* Token does not support CKA_ALLOWED_MECHANISMS so there are no restrictions */ + return CKR_OK; + } + allowed_mechs = p11prov_obj_get_attr(sigctx->key, CKA_ALLOWED_MECHANISMS); if (allowed_mechs) { CK_ATTRIBUTE_TYPE *mechs = (CK_ATTRIBUTE_TYPE *)allowed_mechs->pValue; int num_mechs = allowed_mechs->ulValueLen / sizeof(CK_MECHANISM_TYPE);