C_SignInit

Initializes a signature operation.

CK_DECLARE_FUNCTION( CK_RV, C_SignInit )( CK_SESSION_HANDLE hSession,
                                          CK_MECHANISM_PTR pMechanism,
                                          CK_OBJECT_HANDLE hKey )
{
    /* See explanation in prvCheckValidSessionAndModule for this exception. */
    /* coverity[misra_c_2012_rule_10_5_violation] */
    CK_BBOOL xIsPrivate = ( CK_BBOOL ) CK_TRUE;
    CK_OBJECT_HANDLE xPalHandle;
    CK_BYTE_PTR pxLabel = NULL;
    CK_ULONG xLabelLength = 0;
    mbedtls_pk_type_t xKeyType;
 
    P11Session_t * pxSession = prvSessionPointerFromHandle( hSession );
    CK_RV xResult = prvCheckValidSessionAndModule( pxSession );
    CK_BYTE_PTR pulKeyData = NULL;
    CK_ULONG ulKeyDataLength = 0;
    int32_t lMbedTLSResult = 0;
 
 
    if( NULL == pMechanism )
    {
        PKCS11_PRINT( ( "ERROR: Null signing mechanism provided. \r\n" ) );
        xResult = CKR_ARGUMENTS_BAD;
    }
 
    /* See explanation in prvCheckValidSessionAndModule for this exception. */
    /* coverity[misra_c_2012_rule_10_5_violation] */
    if( ( xResult == CKR_OK ) && ( prvOperationActive( pxSession ) == ( CK_BBOOL ) CK_TRUE ) )
    {
        xResult = CKR_OPERATION_ACTIVE;
    }
 
    /* Retrieve key value from storage. */
    if( xResult == CKR_OK )
    {
        prvFindObjectInListByHandle( hKey,
                                     &xPalHandle,
                                     &pxLabel,
                                     &xLabelLength );
 
        if( xPalHandle != CK_INVALID_HANDLE )
        {
            xResult = PKCS11_PAL_GetObjectValue( xPalHandle, &pulKeyData, &ulKeyDataLength, &xIsPrivate );
 
            if( xResult != CKR_OK )
            {
                PKCS11_PRINT( ( "ERROR: Unable to retrieve value of private key for signing %d. \r\n", xResult ) );
                xResult = CKR_KEY_HANDLE_INVALID;
            }
        }
    }
 
    /* Check that a private key was retrieved. */
    if( xResult == CKR_OK )
    {
        /* See explanation in prvCheckValidSessionAndModule for this exception. */
        /* coverity[misra_c_2012_rule_10_5_violation] */
        if( xIsPrivate != ( CK_BBOOL ) CK_TRUE )
        {
            PKCS11_PRINT( ( "ERROR: Sign operation attempted with public key. \r\n" ) );
            xResult = CKR_KEY_TYPE_INCONSISTENT;
        }
    }
 
    /* Convert the private key from storage format to mbedTLS usable format. */
    if( xResult == CKR_OK )
    {
        /* Grab the sign mutex.  This ensures that no signing operation
         * is underway on another thread where modification of key would lead to hard fault.*/
        if( pdTRUE == xSemaphoreTake( pxSession->xSignMutex, portMAX_DELAY ) )
        {
            /* Free the private key context if it exists.
             * TODO: Check if the key is the same as was used previously. */
            mbedtls_pk_free( &pxSession->xSignKey );
 
            mbedtls_pk_init( &pxSession->xSignKey );
            lMbedTLSResult = mbedtls_pk_parse_key( &pxSession->xSignKey, pulKeyData, ulKeyDataLength, NULL, 0 );
 
            if( lMbedTLSResult != 0 )
            {
                PKCS11_PRINT( ( "mbedTLS unable to parse private key for signing. %s : ",
                                mbedtlsHighLevelCodeOrDefault( lMbedTLSResult ) ) );
                PKCS11_PRINT( ( "%s \r\n",
                                mbedtlsLowLevelCodeOrDefault( lMbedTLSResult ) ) );
                xResult = CKR_KEY_HANDLE_INVALID;
            }
 
            ( void ) xSemaphoreGive( pxSession->xSignMutex );
 
            /* Key has been parsed into mbedTLS pk structure.
             * Free the memory allocated to copy the key out of flash. */
            PKCS11_PAL_GetObjectValueCleanup( pulKeyData, ulKeyDataLength );
        }
        else
        {
            xResult = CKR_CANT_LOCK;
        }
    }
 
    /* Check that the mechanism and key type are compatible, supported. */
    if( xResult == CKR_OK )
    {
        xKeyType = mbedtls_pk_get_type( &pxSession->xSignKey );
 
        if( pMechanism->mechanism == CKM_RSA_PKCS )
        {
            if( xKeyType != MBEDTLS_PK_RSA )
            {
                PKCS11_PRINT( ( "ERROR: Signing key type (%d) does not match RSA mechanism \r\n", xKeyType ) );
                xResult = CKR_KEY_TYPE_INCONSISTENT;
            }
        }
        else if( pMechanism->mechanism == CKM_ECDSA )
        {
            if( ( xKeyType != MBEDTLS_PK_ECDSA ) && ( xKeyType != MBEDTLS_PK_ECKEY ) )
            {
                PKCS11_PRINT( ( "ERROR: Signing key type (%d) does not match ECDSA mechanism \r\n", xKeyType ) );
                xResult = CKR_KEY_TYPE_INCONSISTENT;
            }
        }
        else
        {
            PKCS11_PRINT( ( "ERROR: Unsupported mechanism type %d \r\n", pMechanism->mechanism ) );
            xResult = CKR_MECHANISM_INVALID;
        }
    }
 
    if( xResult == CKR_OK )
    {
        pxSession->xOperationSignMechanism = pMechanism->mechanism;
    }
 
    return xResult;
}

See also

C_Sign() completes signatures initiated by C_SignInit().

Note

C_Sign() parameters are shared by a session. Calling C_SignInit() & C_Sign() with the same session across different tasks may lead to unexpected results.

Parameters

[in]	hSession	Handle of a valid PKCS #11 session.
[in]	pMechanism	Mechanism used to sign. This port supports the following mechanisms: CKM_RSA_PKCS for RSA signatures CKM_ECDSA for elliptic curve signatures Note that neither of these mechanisms perform hash operations.
[in]	hKey	The handle of the private key to be used for signature. Key must be compatible with the mechanism chosen by pMechanism.

Returns

CKR_OK if successful. Else, see PKCS #11 specification for more information.