YKCS11: Fix handling 25519 curve keys

.github/workflows/macos_release.yml

@@ -12,7 +12,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: macos-latest
+          - os: macos-14-large
             arch: amd
           - os: macos-latest-xlarge
             arch: arm

.github/workflows/windows_build.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install prerequisites
         run: |
@@ -21,13 +21,13 @@ jobs:
           set -x
           ./resources/make_src_dist.sh
           cd ..
-          mkdir artifact
-          mv $GITHUB_WORKSPACE/yubico-piv-tool-.tar.gz artifact/
+          mkdir $GITHUB_WORKSPACE/artifact
+          mv $GITHUB_WORKSPACE/yubico-piv-tool-.tar.gz $GITHUB_WORKSPACE/artifact/
       - name: Upload artifact
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: yubico-piv-tool-src
-          path: ../artifact
+          path: artifact
 
   build:
     name: Build and Test on Windows
@@ -52,14 +52,13 @@ jobs:
 
     steps:
       - name: Download source from source work
-        uses: actions/download-artifact@v1
+        uses: actions/download-artifact@v4
         with:
           name: yubico-piv-tool-src
 
       - name: Extract source
         run: |
           Set-PSDebug -Trace 1
-          cd yubico-piv-tool-src
           tar xf yubico-piv-tool-.tar.gz
 
       - name: install prerequisites
@@ -81,11 +80,11 @@ jobs:
           $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path"
           $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include"
 
-          cd yubico-piv-tool-src/yubico-piv-tool-
+          cd yubico-piv-tool-
           mkdir build; cd build
           cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows ..
           cmake --build . -v
-          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug"
+          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug"
           ctest.exe -C Debug
 
       - name: Build with YKCS11_DBG is set
@@ -97,11 +96,11 @@ jobs:
           $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path"
           $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include"
 
-          cd yubico-piv-tool-src/yubico-piv-tool-
+          cd yubico-piv-tool-
           rm -r build; mkdir build; cd build
           cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows -DYKCS11_DBG=3 ..
           cmake --build . -v
-          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug"
+          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug"
           ctest.exe -C Debug
 
       - name: Build only library (no CLI and no ykcs11)
@@ -113,11 +112,11 @@ jobs:
           $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path"
           $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include"
 
-          cd yubico-piv-tool-src/yubico-piv-tool-
+          cd yubico-piv-tool-
           rm -r build; mkdir build; cd build
           cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows -DBUILD_ONLY_LIB=ON ..
           cmake --build . -v
-          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug"
+          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug"
           ctest.exe -C Debug
 
       - name: Build only dynamic libaries
@@ -129,11 +128,11 @@ jobs:
           $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path"
           $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include"
 
-          cd yubico-piv-tool-src/yubico-piv-tool-
+          cd yubico-piv-tool-
           rm -r build; mkdir build; cd build
           cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows -DBUILD_STATIC_LIB=OFF ..
           cmake --build . -v
-          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug"
+          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug"
           ctest.exe -C Debug
 
   build_no_zlib:
@@ -159,14 +158,13 @@ jobs:
 
     steps:
       - name: Download source from source work
-        uses: actions/download-artifact@v1
+        uses: actions/download-artifact@v4
         with:
           name: yubico-piv-tool-src
 
       - name: Extract source
         run: |
           Set-PSDebug -Trace 1
-          cd yubico-piv-tool-src
           tar xf yubico-piv-tool-.tar.gz
 
       - name: install prerequisites
@@ -187,9 +185,9 @@ jobs:
           $env:Path ="C:\vcpkg\packages\openssl_$env:ARCH-windows;$env:Path"
           $env:include ="C:\vcpkg\packages\openssl_$env:ARCH-windows/include;$env:include"
 
-          cd yubico-piv-tool-src/yubico-piv-tool-
+          cd yubico-piv-tool-
           mkdir build; cd build
           cmake -A $env:ARCH_CMAKE -DVERBOSE_CMAKE=ON -DBACKEND=winscard -DENABLE_CERT_COMPRESS=OFF -DGETOPT_LIB_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/lib -DGETOPT_INCLUDE_DIR=C:/vcpkg/packages/getopt-win32_$env:ARCH-windows/include -DCHECK_PATH=C:/vcpkg/packages/check_$env:ARCH-windows ..
           cmake --build . -v
-          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-\build\ykcs11\Debug"
+          $env:Path +=";C:/vcpkg/packages/check_$env:ARCH-windows/bin;C:/vcpkg/packages/openssl_$env:ARCH-windows/bin;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\lib\Debug;$env:GITHUB_WORKSPACE\yubico-piv-tool-\build\ykcs11\Debug"
           ctest.exe -C Debug

.github/workflows/windows_release.yml

@@ -15,7 +15,7 @@ jobs:
       RELEASE_VERSION: 2.6.0
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Install prerequisites
         run: |
@@ -27,13 +27,13 @@ jobs:
 
           ./resources/make_src_dist.sh $RELEASE_VERSION
           cd ..
-          mkdir artifact
-          mv $GITHUB_WORKSPACE/yubico-piv-tool-$RELEASE_VERSION.tar.gz artifact/
+          mkdir $GITHUB_WORKSPACE/artifact
+          mv $GITHUB_WORKSPACE/yubico-piv-tool-$RELEASE_VERSION.tar.gz $GITHUB_WORKSPACE/artifact/
       - name: Upload artifact
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: yubico-piv-tool-src
-          path: ../artifact
+          path: artifact
 
   job_2:
     name: Build Windows x86
@@ -43,20 +43,19 @@ jobs:
       RELEASE_VERSION: 2.6.0
     steps:
       - name: Download source from job_1
-        uses: actions/download-artifact@v1
+        uses: actions/download-artifact@v4
         with:
           name: yubico-piv-tool-src
 
       - name: Extract source
         run: |
           Set-PSDebug -Trace 1
-          cd yubico-piv-tool-src
           tar xf yubico-piv-tool-$env:RELEASE_VERSION.tar.gz
 
       - name: Make release binaries
         run: |
           Set-PSDebug -Trace 1
-          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION"
+          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION"
 
           cd $PIVTOOL_SRC_DIR/resources/win
           ./make_release_binaries.ps1 $env:RELEASE_VERSION Win32 C:/vcpkg
@@ -71,7 +70,7 @@ jobs:
       - name: Create Windows Installer
         run: |
           Set-PSDebug -Trace 1
-          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION"
+          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION"
           $MERGEDPATH = Get-ChildItem "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Redist\MSVC\v143\MergeModules\Microsoft_VC143_CRT_x86.msm"
 
           cd $PIVTOOL_SRC_DIR/resources/win
@@ -81,12 +80,12 @@ jobs:
       - name: Install yubico-piv-tool
         run: |
           Set-PSDebug -Trace 1
-          cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION\resources\win"
+          cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION\resources\win"
           msiexec /i yubico-piv-tool-$env:RELEASE_VERSION-x86.msi /quiet /log $env:GITHUB_WORKSPACE/artifact/log_x86.txt
           Start-Sleep -s 5
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: yubico-piv-tool-win32
           path: artifact
@@ -99,20 +98,19 @@ jobs:
       RELEASE_VERSION: 2.6.0
     steps:
       - name: Download source from job_1
-        uses: actions/download-artifact@v1
+        uses: actions/download-artifact@v4
         with:
           name: yubico-piv-tool-src
 
       - name: Extract source
         run: |
           Set-PSDebug -Trace 1
-          cd yubico-piv-tool-src
           tar xf yubico-piv-tool-$env:RELEASE_VERSION.tar.gz
 
       - name: Make release binaries
         run: |
           Set-PSDebug -Trace 1
-          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION"
+          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION"
 
           cd $PIVTOOL_SRC_DIR/resources/win
           ./make_release_binaries.ps1 $env:RELEASE_VERSION x64 C:/vcpkg
@@ -127,7 +125,7 @@ jobs:
       - name: Create Windows Installer for x64 architecture
         run: |
           Set-PSDebug -Trace 1
-          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION"
+          $PIVTOOL_SRC_DIR="$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION"
           $MERGEDPATH = Get-ChildItem "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Redist\MSVC\v143\MergeModules\Microsoft_VC143_CRT_x64.msm"
 
           cd $PIVTOOL_SRC_DIR/resources/win
@@ -137,11 +135,11 @@ jobs:
       - name: Install yubico-piv-tool
         run: |
           Set-PSDebug -Trace 1
-          cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-src\yubico-piv-tool-$env:RELEASE_VERSION\resources\win"
+          cd "$env:GITHUB_WORKSPACE\yubico-piv-tool-$env:RELEASE_VERSION\resources\win"
           msiexec /i yubico-piv-tool-$env:RELEASE_VERSION-x64.msi /quiet
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@v4
         with:
           name: yubico-piv-tool-win64
           path: artifact

common/util.c

@@ -382,8 +382,10 @@ int get_slot_hex(enum enum_slot slot_enum) {
   return slot;
 }
 
-bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len) {
-  return BN_bn2binpad(bn, in_ptr, element_len) == element_len;
+bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int *element_len) {
+  if(BN_num_bytes(bn) > *element_len) return false;
+  *element_len = BN_bn2bin(bn, in_ptr);
+  return true;
 }
 
 bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) {
@@ -612,26 +614,27 @@ int SSH_write_X509(FILE *fp, X509 *x) {
 
   switch (EVP_PKEY_base_id(pkey)) {
   case EVP_PKEY_RSA: {
-    RSA *rsa;
+    const RSA *rsa;
     unsigned char n[256] = {0};
     const BIGNUM *bn_n;
 
     char rsa_id[] = "\x00\x00\x00\x07ssh-rsa";
     char rsa_f4[] = "\x00\x00\x00\x03\x01\x00\x01";
 
-    rsa = EVP_PKEY_get1_RSA(pkey);
+    rsa = EVP_PKEY_get0_RSA(pkey);
     if(rsa == NULL) {
       break;
     }
     RSA_get0_key(rsa, &bn_n, NULL, NULL);
 
-    if (!set_component(n, bn_n, RSA_size(rsa))) {
+    int len = RSA_size(rsa);
+    if (!set_component(n, bn_n, &len)) {
       break;
     }
 
-    uint32_t bytes = BN_num_bytes(bn_n);
+    uint32_t bytes = len;
     char len_buf[5] = {0};
-    int len = 4;
+    len = 4;
 
     len_buf[0] = (bytes >> 24) & 0x000000ff;
     len_buf[1] = (bytes << 16) & 0x000000ff;
@@ -668,7 +671,7 @@ int SSH_write_X509(FILE *fp, X509 *x) {
       BIO_free_all(b64);
       break;
     }
-    if(BIO_write(b64, n, RSA_size(rsa)) <= 0) {
+    if(BIO_write(b64, n, bytes) <= 0) {
       fprintf(stderr, "Failed to write RSA n component\n");
       BIO_free_all(b64);
       break;

common/util.h

@@ -54,7 +54,7 @@ X509_NAME *parse_name(const char*);
 unsigned char get_algorithm(EVP_PKEY*);
 FILE *open_file(const char *file_name, enum file_mode mode);
 int get_slot_hex(enum enum_slot slot_enum);
-bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len);
+bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int *element_len);
 bool prepare_rsa_signature(const unsigned char*, unsigned int, unsigned char*,
     unsigned int*, int);
 bool read_pw(const char*, char*, size_t, int, int);

lib/tests/api.c

@@ -324,14 +324,15 @@ static void import_key(unsigned char slot, unsigned char pin_policy) {
     EVP_PKEY *private_key = NULL;
     BIO *bio = NULL;
     RSA *rsa_private_key = NULL;
-    unsigned char e[4] = {0};
+    unsigned char e[3] = {0};
     unsigned char p[256] = {0};
     unsigned char q[256] = {0};
     unsigned char dmp1[256] = {0};
     unsigned char dmq1[256] = {0};
     unsigned char iqmp[256] = {0};
     int element_len = 256;
     const BIGNUM *bn_e, *bn_p, *bn_q, *bn_dmp1, *bn_dmq1, *bn_iqmp;
+    int e_len, p_len, q_len, dmp1_len, dmq1_len, iqmp_len;
 
     bio = BIO_new_mem_buf(private_key_pem, strlen(private_key_pem));
     private_key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
@@ -342,22 +343,28 @@ static void import_key(unsigned char slot, unsigned char pin_policy) {
     RSA_get0_key(rsa_private_key, NULL, &bn_e, NULL);
     RSA_get0_factors(rsa_private_key, &bn_p, &bn_q);
     RSA_get0_crt_params(rsa_private_key, &bn_dmp1, &bn_dmq1, &bn_iqmp);
-    ck_assert(set_component(e, bn_e, 3));
-    ck_assert(set_component(p, bn_p, element_len));
-    ck_assert(set_component(q, bn_q, element_len));
-    ck_assert(set_component(dmp1, bn_dmp1, element_len));
-    ck_assert(set_component(dmq1, bn_dmq1, element_len));
-    ck_assert(set_component(iqmp, bn_iqmp, element_len));
+    e_len = sizeof(e);
+    ck_assert(set_component(e, bn_e, &e_len));
+    p_len = element_len;
+    ck_assert(set_component(p, bn_p, &p_len));
+    q_len = element_len;
+    ck_assert(set_component(q, bn_q, &q_len));
+    dmp1_len = element_len;
+    ck_assert(set_component(dmp1, bn_dmp1, &dmp1_len));
+    dmq1_len = element_len;
+    ck_assert(set_component(dmq1, bn_dmq1, &dmq1_len));
+    iqmp_len = element_len;
+    ck_assert(set_component(iqmp, bn_iqmp, &iqmp_len));
 
     // Try wrong algorithm, fail.
     res = ykpiv_import_private_key(g_state,
                                    slot,
                                    YKPIV_ALGO_RSA1024,
-                                   p, element_len,
-                                   q, element_len,
-                                   dmp1, element_len,
-                                   dmq1, element_len,
-                                   iqmp, element_len,
+                                   p, p_len,
+                                   q, q_len,
+                                   dmp1, dmp1_len,
+                                   dmq1, dmq1_len,
+                                   iqmp, iqmp_len,
                                    NULL, 0,
                                    pp, tp);
     ck_assert_int_eq(res, YKPIV_ALGORITHM_ERROR);
@@ -366,11 +373,11 @@ static void import_key(unsigned char slot, unsigned char pin_policy) {
     res = ykpiv_import_private_key(g_state,
                                    slot,
                                    YKPIV_ALGO_RSA4096,
-                                   p, element_len,
-                                   q, element_len,
-                                   dmp1, element_len,
-                                   dmq1, element_len,
-                                   iqmp, element_len,
+                                   p, p_len,
+                                   q, q_len,
+                                   dmp1, dmp1_len,
+                                   dmq1, dmq1_len,
+                                   iqmp, iqmp_len,
                                    NULL, 0,
                                    pp, tp);
     ck_assert_int_eq(res, YKPIV_OK);