corePKCS11  v3.2.0
PKCS #11 Cryptoki Library
C_VerifyInit

Initializes a verification operation.

CK_DECLARE_FUNCTION( CK_RV, C_VerifyInit )( CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey )
{
P11Session_t * pxSession;
CK_RV xResult = CKR_OK;
CK_OBJECT_HANDLE xPalHandle = CK_INVALID_HANDLE;
CK_BYTE_PTR pxLabel = NULL;
CK_ULONG xLabelLength = 0;
CK_BYTE_PTR pucKeyData = NULL;
CK_ULONG ulKeyDataLength = 0;
/* See explanation in prvCheckValidSessionAndModule for this exception. */
/* coverity[misra_c_2012_rule_10_5_violation] */
CK_BBOOL xIsPrivate = ( CK_BBOOL ) CK_TRUE;
pxSession = prvSessionPointerFromHandle( hSession );
xResult = prvCheckValidSessionAndModule( pxSession );
if( NULL == pMechanism )
{
LogError( ( "Failed to initialize verify operation. Null verification "
"mechanism provided." ) );
xResult = CKR_ARGUMENTS_BAD;
}
/* See explanation in prvCheckValidSessionAndModule for this exception. */
/* coverity[misra_c_2012_rule_10_5_violation] */
if( ( xResult == CKR_OK ) && ( prvOperationActive( pxSession ) == ( CK_BBOOL ) CK_TRUE ) )
{
LogError( ( "Failed to initialize verify operation. An operation was "
"already active." ) );
xResult = CKR_OPERATION_ACTIVE;
}
if( xResult == CKR_OK )
{
prvFindObjectInListByHandle( hKey,
&xPalHandle,
&pxLabel,
&xLabelLength );
if( xPalHandle != CK_INVALID_HANDLE )
{
xResult = PKCS11_PAL_GetObjectValue( xPalHandle, &pucKeyData, &ulKeyDataLength, &xIsPrivate );
if( xResult != CKR_OK )
{
LogError( ( "Failed to initialize verify operation. Unable to "
"retrieve value of public key for verification 0x%0lX.",
( unsigned long int ) xResult ) );
xResult = CKR_KEY_HANDLE_INVALID;
}
}
else
{
LogError( ( "Failed to initialize verify operation. Couldn't find "
"a valid PKCS #11 PAL Handle." ) );
xResult = CKR_KEY_HANDLE_INVALID;
}
}
/* Retrieve key value from storage. */
if( xResult == CKR_OK )
{
/* Mutex is used to protect the verification keys and contexts. */
if( 0 == mbedtls_mutex_lock( &pxSession->xVerifyMutex ) )
{
switch( pMechanism->mechanism )
{
case CKM_RSA_X_509:
case CKM_ECDSA:
/* See explanation in prvCheckValidSessionAndModule for this exception. */
/* coverity[misra_c_2012_rule_10_5_violation] */
if( xIsPrivate != ( CK_BBOOL ) CK_FALSE )
{
LogError( ( "Failed to initialize verify operation. Verify "
"operation attempted with private key." ) );
xResult = CKR_KEY_TYPE_INCONSISTENT;
}
else if( ( pxSession->xVerifyKeyHandle == CK_INVALID_HANDLE ) || ( pxSession->xVerifyKeyHandle != hKey ) )
{
xResult = prvVerifyInitEC_RSAKeys( pxSession, pMechanism, hKey, pucKeyData, ulKeyDataLength );
}
else
{
/* The correct credentials are already Initialized. */
}
break;
case CKM_SHA256_HMAC:
if( ( pxSession->xHMACKeyHandle == CK_INVALID_HANDLE ) || ( pxSession->xHMACKeyHandle != hKey ) )
{
xResult = prvVerifyInitSHA256HMAC( pxSession, hKey, pucKeyData, ulKeyDataLength );
}
break;
case CKM_AES_CMAC:
if( ( pxSession->xCMACKeyHandle == CK_INVALID_HANDLE ) || ( pxSession->xCMACKeyHandle != hKey ) )
{
xResult = prvVerifyInitAESCMAC( pxSession, hKey, pucKeyData, ulKeyDataLength );
}
break;
default:
LogError( ( "Failed to initialize verify operation. Received "
"an unknown or invalid mechanism." ) );
xResult = CKR_MECHANISM_INVALID;
break;
}
( void ) mbedtls_mutex_unlock( &pxSession->xVerifyMutex );
}
else
{
LogError( ( "Verify operation failed. Could not take verify mutex." ) );
xResult = CKR_CANT_LOCK;
}
}
if( xPalHandle != CK_INVALID_HANDLE )
{
PKCS11_PAL_GetObjectValueCleanup( pucKeyData, ulKeyDataLength );
}
if( xResult == CKR_OK )
{
LogDebug( ( "Verify mechanism set to 0x%0lX.", ( unsigned long int ) pMechanism->mechanism ) );
pxSession->xOperationVerifyMechanism = pMechanism->mechanism;
}
return xResult;
}
See also
C_Verify() completes verifications initiated by C_VerifyInit().
Note
C_Verify() parameters are shared by a session. Calling C_VerifyInit() & C_Verify() with the same session across different tasks may lead to unexpected results.
Parameters
[in]hSessionHandle of a valid PKCS #11 session.
[in]pMechanismMechanism used to verify signature. This port supports the following mechanisms:
  • CKM_RSA_X_509 for RSA verifications
  • CKM_ECDSA for elliptic curve verifications
[in]hKeyThe handle of the public key to be used for verification. Key must be compatible with the mechanism chosen by pxMechanism.
Returns
CKR_OK if successful.
P11Session_t::xOperationVerifyMechanism
CK_MECHANISM_TYPE xOperationVerifyMechanism
The mechanism of verify operation in progress. Set during C_VerifyInit.
Definition: core_pkcs11_mbedtls.c:292
prvVerifyInitAESCMAC
static CK_RV prvVerifyInitAESCMAC(P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
Helper function for initializing a verify operation for AES-CMAC.
Definition: core_pkcs11_mbedtls.c:4489
P11Session_t::xVerifyMutex
mbedtls_threading_mutex_t xVerifyMutex
Protects the verification key from being modified while in use.
Definition: core_pkcs11_mbedtls.c:293
prvFindObjectInListByHandle
static void prvFindObjectInListByHandle(CK_OBJECT_HANDLE xAppHandle, CK_OBJECT_HANDLE_PTR pxPalHandle, CK_BYTE_PTR *ppcLabel, CK_ULONG_PTR pxLabelLength)
Looks up a PKCS #11 object's label and PAL handle given an application handle.
Definition: core_pkcs11_mbedtls.c:1070
PKCS11_PAL_GetObjectValueCleanup
void PKCS11_PAL_GetObjectValueCleanup(CK_BYTE_PTR pucData, CK_ULONG ulDataSize)
Cleanup after PKCS11_GetObjectValue().
PKCS11_PAL_GetObjectValue
CK_RV PKCS11_PAL_GetObjectValue(CK_OBJECT_HANDLE xHandle, CK_BYTE_PTR *ppucData, CK_ULONG_PTR pulDataSize, CK_BBOOL *pIsPrivate)
Gets the value of an object in storage, by handle.
LogDebug
#define LogDebug(message)
Macro that is called in the corePKCS11 library for logging "Debug" level messages.
Definition: core_pkcs11_config_defaults.h:375
P11Session_t::xVerifyKeyHandle
CK_OBJECT_HANDLE xVerifyKeyHandle
Object handle to the verification key.
Definition: core_pkcs11_mbedtls.c:294
C_VerifyInit
CK_RV C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
Initializes a verification operation.
Definition: core_pkcs11_mbedtls.c:4613
prvOperationActive
static CK_BBOOL prvOperationActive(const P11Session_t *pxSession)
Determines if an operation is in progress.
Definition: core_pkcs11_mbedtls.c:385
prvCheckValidSessionAndModule
static CK_RV prvCheckValidSessionAndModule(const P11Session_t *pxSession)
Helper to check if the current session is initialized and valid.
Definition: core_pkcs11_mbedtls.c:323
prvVerifyInitEC_RSAKeys
static CK_RV prvVerifyInitEC_RSAKeys(P11Session_t *pxSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
Helper function for initializing a verify operation for an EC or RSA key.
Definition: core_pkcs11_mbedtls.c:4523
CK_DECLARE_FUNCTION
#define CK_DECLARE_FUNCTION(returnType, name)
Macro for defining a PKCS #11 functions.
Definition: core_pkcs11.h:75
prvSessionPointerFromHandle
static P11Session_t * prvSessionPointerFromHandle(CK_SESSION_HANDLE xSession)
Maps an opaque caller session handle into its internal state structure.
Definition: core_pkcs11_mbedtls.c:365
P11Session_t::xHMACKeyHandle
CK_OBJECT_HANDLE xHMACKeyHandle
Object handle to the HMAC key.
Definition: core_pkcs11_mbedtls.c:301
P11Session_t
Session structure.
Definition: core_pkcs11_mbedtls.c:286
prvVerifyInitSHA256HMAC
static CK_RV prvVerifyInitSHA256HMAC(P11Session_t *pxSession, CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pucKeyData, CK_ULONG ulKeyDataLength)
Helper function for initializing a verify operation for SHA256-HMAC.
Definition: core_pkcs11_mbedtls.c:4467
LogError
#define LogError(message)
Macro that is called in the corePKCS11 library for logging "Error" level messages.
Definition: core_pkcs11_config_defaults.h:315
P11Session_t::xCMACKeyHandle
CK_OBJECT_HANDLE xCMACKeyHandle
Object handle to the CMAC key.
Definition: core_pkcs11_mbedtls.c:303