From: Tobias Brunner Date: Thu, 2 Jul 2015 13:58:01 +0000 (+0200) Subject: pkcs11: Fix encoding of RSA keys if unnecessarily zero prefixed X-Git-Tag: 5.3.3dr4~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2efc6181848b679a186f00963bfe02816f79d05;p=thirdparty%2Fstrongswan.git pkcs11: Fix encoding of RSA keys if unnecessarily zero prefixed Some tokens/libraries seem to prefix all numbers with zero bytes even if not necessary (e.g. the default exponent 0x010001). If we don't fix that, the fingerprints calculated based on the retrieved values will be incorrect. Even if the pkcs1 plugin can properly handle numbers that are not in two's complement since a81bd670b086 ("Added PUBKEY_RSA_MODULUS encoding type") we prefix them with zero if necessary as other encoders might expect them in two's complement. Fixes #1012. --- diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c index 6d5211657d..3847776101 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c @@ -439,12 +439,17 @@ static bool encode_rsa(private_pkcs11_public_key_t *this, attr[0].ulValueLen > 0 && attr[1].ulValueLen > 0) { chunk_t n, e; - n = chunk_create(attr[0].pValue, attr[0].ulValueLen); + /* some tokens/libraries add unnecessary 0x00 prefixes */ + n = chunk_skip_zero(chunk_create(attr[0].pValue, attr[0].ulValueLen)); if (n.ptr[0] & 0x80) - { /* add leading 0x00, encoders expect it already like this */ + { /* add leading 0x00, encoders might expect it in two's complement */ n = chunk_cata("cc", chunk_from_chars(0x00), n); } - e = chunk_create(attr[1].pValue, attr[1].ulValueLen); + e = chunk_skip_zero(chunk_create(attr[1].pValue, attr[1].ulValueLen)); + if (e.ptr[0] & 0x80) + { + e = chunk_cata("cc", chunk_from_chars(0x00), e); + } success = lib->encoding->encode(lib->encoding, type, cache, encoding, CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); }