diff -up ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms ./src/coolkey/coolkey.cpp --- ./src/coolkey/coolkey.cpp.fail-on-bad-mechanisms 2016-06-16 14:36:05.934755563 -0700 +++ ./src/coolkey/coolkey.cpp 2016-06-16 14:36:05.945755372 -0700 @@ -77,7 +77,8 @@ rsaMechanismList[] = { static const MechInfo ecMechanismList[] = { - {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDSA_SHA1, {256, 521, CKF_HW | CKF_SIGN | CKF_EC_F_P}},{ CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} } + {CKM_ECDSA,{256,521,CKF_HW | CKF_SIGN | CKF_EC_F_P}}, + {CKM_ECDH1_DERIVE,{256, 521, CKF_HW | CKF_DERIVE | CKF_EC_F_P} } }; unsigned int numRSAMechanisms = sizeof(rsaMechanismList)/sizeof(MechInfo); diff -up ./src/coolkey/slot.cpp.fail-on-bad-mechanisms ./src/coolkey/slot.cpp --- ./src/coolkey/slot.cpp.fail-on-bad-mechanisms 2016-06-16 14:36:05.943755407 -0700 +++ ./src/coolkey/slot.cpp 2016-06-16 15:07:40.255882660 -0700 @@ -4185,11 +4185,30 @@ Slot::signInit(SessionHandleSuffix suffi { refreshTokenState(); SessionIter session = findSession(suffix); + PKCS11Object *key = getKeyFromHandle(hKey); if( session == sessions.end() ) { throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID); } + if (pMechanism == NULL) { + throw PKCS11Exception(CKR_ARGUMENTS_BAD); + } + + switch (pMechanism->mechanism) { + case CKM_RSA_PKCS: + if (key->getKeyType() != Key::rsa) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + case CKM_ECDSA: + if (key->getKeyType() != Key::ecc) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + default: + throw PKCS11Exception(CKR_MECHANISM_INVALID); + } - session->signatureState.initialize(getKeyFromHandle(hKey)); + session->signatureState.initialize(key); } void @@ -4198,11 +4217,24 @@ Slot::decryptInit(SessionHandleSuffix su { refreshTokenState(); SessionIter session = findSession(suffix); + PKCS11Object *key = getKeyFromHandle(hKey); if( session == sessions.end() ) { throw PKCS11Exception(CKR_SESSION_HANDLE_INVALID); } + if (pMechanism == NULL) { + throw PKCS11Exception(CKR_ARGUMENTS_BAD); + } + switch (pMechanism->mechanism) { + case CKM_RSA_PKCS: + if (key->getKeyType() != Key::rsa) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + default: + throw PKCS11Exception(CKR_MECHANISM_INVALID); + } - session->decryptionState.initialize(getKeyFromHandle(hKey)); + session->decryptionState.initialize(key); } /** @@ -5008,8 +5040,23 @@ Slot::derive(SessionHandleSuffix suffix, ECCKeyAgreementParams params(CryptParams::ECC_DEFAULT_KEY_SIZE); SessionIter session = findSession(suffix); + PKCS11Object *key=getKeyFromHandle(hBaseKey); - session->keyAgreementState.initialize(getKeyFromHandle(hBaseKey)); + if (pMechanism == NULL ) { + throw PKCS11Exception(CKR_ARGUMENTS_BAD); + } + + switch (pMechanism->mechanism) { + case CKM_ECDH1_DERIVE: + if (key->getKeyType() != Key::ecc) { + throw PKCS11Exception(CKR_KEY_TYPE_INCONSISTENT); + } + break; + default: + throw PKCS11Exception(CKR_MECHANISM_INVALID); + } + + session->keyAgreementState.initialize(key); deriveECC(suffix, pMechanism, hBaseKey, pTemplate, ulAttributeCount, phKey, params); @@ -5018,9 +5065,6 @@ Slot::derive(SessionHandleSuffix suffix, void Slot::deriveECC(SessionHandleSuffix suffix, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey, CryptParams& params) { - if (pMechanism == NULL ) { - throw PKCS11Exception(CKR_ARGUMENTS_BAD); - } CK_ECDH1_DERIVE_PARAMS *mechParams = NULL;