From 3345ef8b1a7ad719dbd3a0f26697c6bc4bd884b1 Mon Sep 17 00:00:00 2001
From: Rob Austein <sra@hactrn.net>
Date: Mon, 14 Sep 2015 17:14:57 -0400
Subject: Debug PKCS #11 ECDSA signature and verification.

---
 pkcs11.c         | 24 +++++++++++-------------
 py11/__init__.py | 17 +++++++++++++++++
 2 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/pkcs11.c b/pkcs11.c
index 88ad883..2f6fcde 100644
--- a/pkcs11.c
+++ b/pkcs11.c
@@ -3502,22 +3502,20 @@ CK_RV C_Digest(CK_SESSION_HANDLE hSession,
   if (rv == CKR_BUFFER_TOO_SMALL)
     lose(CKR_BUFFER_TOO_SMALL);
 
-  {
-    uint8_t statebuf[session->digest_descriptor->hash_state_length];
-    hal_hash_state_t *state = NULL;
+  if ((rv = digest_update(session->digest_descriptor, &session->digest_state,
+                          pData, ulDataLen)) != CKR_OK)
+    goto fail;
 
-    if (!hal_check(hal_hash_initialize(session->digest_descriptor,
-                                       &state, statebuf, sizeof(statebuf)))     ||
-        !hal_check(hal_hash_update(state, pData, ulDataLen))                    ||
-        !hal_check(hal_hash_finalize(state, pDigest, *pulDigestLen)))
-      lose(CKR_FUNCTION_FAILED);
-  }
+  if (!hal_check(hal_hash_finalize(session->digest_state, pDigest, *pulDigestLen)))
+    lose(CKR_FUNCTION_FAILED);
 
   rv = CKR_OK;                  /* Fall through */
 
  fail:
-  if (session != NULL)
+  if (session != NULL) {
+    hal_hash_cleanup(&session->digest_state);
     session->digest_descriptor = NULL;
+  }
   mutex_unlock_return_with_rv(rv, p11_global_mutex);
 }
 
@@ -3719,7 +3717,7 @@ CK_RV C_Sign(CK_SESSION_HANDLE hSession,
   if (session->sign_digest_state != NULL)
     lose(CKR_OPERATION_ACTIVE);
 
-  if (session->sign_digest_descriptor != NULL &&
+  if (session->sign_digest_descriptor != NULL && pSignature != NULL &&
       (rv = digest_update(session->sign_digest_descriptor,
                           &session->sign_digest_state, pData, ulDataLen)) != CKR_OK)
     goto fail;
@@ -3780,8 +3778,8 @@ CK_RV C_VerifyInit(CK_SESSION_HANDLE hSession,
 
   if (!p11_attribute_get_ulong(hKey, CKA_CLASS,    &key_class)  ||
       !p11_attribute_get_ulong(hKey, CKA_KEY_TYPE, &key_type)   ||
-      !p11_attribute_get_bbool(hKey, CKA_SIGN,     &key_verify) ||
-      key_class != CKO_PRIVATE_KEY)
+      !p11_attribute_get_bbool(hKey, CKA_VERIFY,   &key_verify) ||
+      key_class != CKO_PUBLIC_KEY)
     lose(CKR_KEY_HANDLE_INVALID);
 
   if (!key_verify)
diff --git a/py11/__init__.py b/py11/__init__.py
index da0c946..204c897 100644
--- a/py11/__init__.py
+++ b/py11/__init__.py
@@ -98,6 +98,23 @@ class PKCS11 (object):
                               byref(public_handle), byref(private_handle))
     return public_handle.value, private_handle.value
 
+  def C_SignInit(self, session, mechanism_type, private_key):
+    mechanism = CK_MECHANISM(mechanism_type, None, 0)
+    self.so.C_SignInit(session, byref(mechanism), private_key)
+
+  def C_Sign(self, session, data):
+    n = CK_ULONG()
+    self.so.C_Sign(session, data, len(data), None, byref(n))
+    sig = create_string_buffer(n.value)
+    self.so.C_Sign(session, data, len(data), sig, byref(n))
+    return sig.raw
+
+  def C_VerifyInit(self, session, mechanism_type, public_key):
+    mechanism = CK_MECHANISM(mechanism_type, None, 0)
+    self.so.C_VerifyInit(session, byref(mechanism), public_key)
+
+  def C_Verify(self, session, data, signature):
+    self.so.C_Verify(session, data, len(data), signature, len(signature))
 
 __all__ = ["PKCS11"]
 __all__.extend(name for name in globals()
-- 
cgit v1.2.3