diff --git a/lib/yubihsm.c b/lib/yubihsm.c
index 096ee574..d1fd9165 100644
--- a/lib/yubihsm.c
+++ b/lib/yubihsm.c
@@ -2900,6 +2900,12 @@ do_rsa_wrap(yh_cmd cmd,
 return YHR_INVALID_PARAMETERS;
 }
+ if (oaep_label_len != 20 && oaep_label_len != 32 && oaep_label_len != 48 &&
+ oaep_label_len != 64) {
+ DBG_ERR("Wrong digest length. %s", yh_strerror(YHR_INVALID_PARAMETERS));
+ return YHR_INVALID_PARAMETERS;
+ }
+
 #pragma pack(push, 1)
 union {
 struct {
diff --git a/resources/tests/bash/test_wrapkey.sh b/resources/tests/bash/test_wrapkey.sh
index d66d0278..b41f0250 100755
--- a/resources/tests/bash/test_wrapkey.sh
+++ b/resources/tests/bash/test_wrapkey.sh
@@ -290,9 +290,9 @@ for k in ${RSA_KEYSIZE[@]}; do
 rm data.enc
 echo "=== Wrap and unwrap AES key material with generated RSA wrap key"
- test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --out rsawrapped.key" " Export wrapped AES key material"
+ test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key --oaep rsa-oaep-sha384 --mgf1 mgf1-sha1 --out rsawrapped.key" " Export wrapped AES key material"
 test "$BIN -p password -a delete-object -i $aeskey -t symmetric-key" " Delete AES key"
- test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key -A aes128 -c exportable-under-wrap,decrypt-cbc,encrypt-cbc --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --in rsawrapped.key" " Import wrapped AES key material"
+ test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $keyid -i $aeskey -t symmetric-key -A aes128 -c exportable-under-wrap,decrypt-cbc,encrypt-cbc --oaep rsa-oaep-sha384 --mgf1 mgf1-sha1 --in rsawrapped.key" " Import wrapped AES key material"
 info=$($BIN -p password -a get-object-info -i $aeskey -t symmetric-key 2> /dev/null)
 seq_aes=$((seq_aes+1))
 cmp_str_content "$info" "sequence: $seq_aes" "Sequence"
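Review bot: In the lib/yubihsm.c hunk (do_rsa_wrap, around line 2900) the new guard accepts any of 20, 32, 48 or 64 for `oaep_label_len` but does not tie the length to the OAEP hash selected for this call, so a 20-byte label digest still passes when a larger hash is in use. The function's signature and the rest of its body are outside the hunk; if the hash algorithm is in scope there, comparing against the single length that algorithm produces would be the stricter check. The bare literals also need a comment, presumably `/* digest sizes: SHA-1 = 20, SHA-256 = 32, SHA-384 = 48, SHA-512 = 64 */`, and the log text could name the parameter, e.g. `"Wrong OAEP label digest length. %s"`.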
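Review bot: The test hunks at 290 and 337 of test_wrapkey.sh replace the `rsa-oaep-sha1` / `mgf1-sha384` pairing rather than adding cases, so the visible lines now exercise only `rsa-oaep-sha384` and `rsa-oaep-sha512`. Presumably those map to the 48- and 64-byte label digests, which leaves the 20- and 32-byte lengths that the library check also accepts uncovered here, along with the rejection path itself. Whether other parts of the script cover them is not visible from these hunks. A short comment above each `echo "=== ..."` would record why the combination was picked, for example `# OAEP hash (sha384) and MGF1 hash (sha1) differ on purpose`.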
@@ -337,9 +337,9 @@ for k in ${RSA_KEYSIZE[@]}; do
 rm rsawrapped.object
 echo "=== Wrap and unwrap EC key material with imported RSA wrap key"
- test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --out rsawrapped.key" " Export wrapped EC key material"
+ test "$BIN -p password -a get-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key --oaep rsa-oaep-sha512 --mgf1 mgf1-sha512 --out rsawrapped.key" " Export wrapped EC key material"
 test "$BIN -p password -a delete-object -i $eckey -t asymmetric-key" " Delete EC key"
- test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key -A ecp224 -c exportable-under-wrap,sign-ecdsa --oaep rsa-oaep-sha1 --mgf1 mgf1-sha384 --in rsawrapped.key" " Import wrapped EC key material"
+ test "$BIN -p password -a put-rsa-wrapped-key --wrap-id $import_keyid -i $eckey -t asymmetric-key -A ecp224 -c exportable-under-wrap,sign-ecdsa --oaep rsa-oaep-sha512 --mgf1 mgf1-sha512 --in rsawrapped.key" " Import wrapped EC key material"
 info=$($BIN -p password -a get-object-info -i $eckey -t asymmetric-key 2> /dev/null)
 seq_ec=$((seq_ec+1))
 cmp_str_content "$info" "sequence: $seq_ec" "Sequence"