Michał Skalski
2016-09-29 22:41:46 UTC
Hello,
Attached is a patch allowing the use of PKCS#11 smartcards/tokens which
don't support signing-with-hashing mechanisms.
By default, only the plain CKM_RSA_PKCS (and, if supported by the token,
also CKM_ECDSA) mechanism is now used; hashing is done using an external
hasher.
The old behaviour can be restored using the
charon.plugins.pkcs11.use_sign_hasher option.
The code may need tweaking. One possibility is to enable this behaviour
based on the supported mechanisms returned by the token, but it seems
unnecessary, as all PKCS#11 tokens supporting signatures with hashing
also support the non-hashing version of the signature.
The patch should be applied to the master branch.
Comments and suggestions are welcome.
Michał Skalski
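An added illustration (Python, not part of the attached patch or of strongSwan's code) of what external hashing means for the data handed to the token: with CKM_RSA_PKCS the host has to build the DER DigestInfo itself, while CKM_ECDSA takes the bare hash. The function names are hypothetical, the DigestInfo prefixes are the ones listed in RFC 8017, and `emsa_pkcs1_v15` only models the padding step a token performs internally.

```python
import hashlib

# DER DigestInfo prefixes (AlgorithmIdentifier + OCTET STRING header), RFC 8017 sec. 9.2.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def sign_input(mechanism: str, hash_name: str, data: bytes) -> bytes:
    """Bytes the host passes to C_Sign when it hashes outside the token."""
    if hash_name not in DIGEST_INFO_PREFIX:
        raise ValueError(f"unsupported hash: {hash_name}")
    digest = hashlib.new(hash_name, data).digest()
    if mechanism == "CKM_RSA_PKCS":
        # The token only pads and applies the private key, so the hash
        # algorithm must be bound to the digest here, via DigestInfo.
        return DIGEST_INFO_PREFIX[hash_name] + digest
    if mechanism == "CKM_ECDSA":
        # ECDSA signs the hash value directly; no DigestInfo wrapper.
        return digest
    raise ValueError(f"unsupported mechanism: {mechanism}")


def emsa_pkcs1_v15(digest_info: bytes, modulus_len: int) -> bytes:
    """Model of the token-side padding for CKM_RSA_PKCS (00 01 FF.. 00 || T)."""
    if modulus_len < len(digest_info) + 11:
        # Failure mode: key too small for the chosen hash's DigestInfo.
        raise ValueError("modulus too short for this DigestInfo")
    pad = b"\xff" * (modulus_len - len(digest_info) - 3)
    return b"\x00\x01" + pad + b"\x00" + digest_info


if __name__ == "__main__":
    msg = b"constructed sample message"  # constructed input
    t = sign_input("CKM_RSA_PKCS", "sha256", msg)
    print("RSA input  :", t.hex())
    print("ECDSA input:", sign_input("CKM_ECDSA", "sha256", msg).hex())
    print("padded len :", len(emsa_pkcs1_v15(t, 256)))
```

A signature produced this way has the same encoded message as one from a hash-and-sign mechanism such as CKM_SHA256_RSA_PKCS, so it verifies identically.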