?From b85c0706db871828f0bc4672571dd0b9c98dd835 Mon Sep 17 00:00:00 2001

From: Jakub Jelen <jjelen@redhat.com>

Date: Sun, 22 Jul 2018 16:23:54 +0200

Subject: [PATCH 1/5] doc: Fix the pkcs11-tool example

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---

 doc/tools/pkcs11-tool.1.xml | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml

index 37093f352..c609ec0e2 100644

--- a/doc/tools/pkcs11-tool.1.xml

+++ b/doc/tools/pkcs11-tool.1.xml

@@ -568,7 +568,7 @@

 			To read the certificate with ID <replaceable>KEY_ID</replaceable>

 			in DER format from smart card:

-				<programlisting>pkcs11-tool --read-object  --id KEY_ID --type cert --outfile cert.der</programlisting>

+				<programlisting>pkcs11-tool --read-object  --id KEY_ID --type cert --output-file cert.der</programlisting>

 			To convert the certificate in DER format to PEM format, use OpenSSL

 			tools:

From 5cc144111acb7b9982ddec7f7597a22c10c4d456 Mon Sep 17 00:00:00 2001

From: Jakub Jelen <jjelen@redhat.com>

Date: Fri, 14 Sep 2018 14:11:18 +0200

Subject: [PATCH 2/5] p11test: Add missing CKM_SHA224_RSA_PKCS_PSS

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---

 src/tests/p11test/p11test_case_common.c | 2 ++

 1 file changed, 2 insertions(+)

diff --git a/src/tests/p11test/p11test_case_common.c b/src/tests/p11test/p11test_case_common.c

index deb2a56fe..d44b0d8e3 100644

--- a/src/tests/p11test/p11test_case_common.c

+++ b/src/tests/p11test/p11test_case_common.c

@@ -587,6 +587,8 @@ const char *get_mechanism_name(int mech_id)

 			return "RSA_PKCS_PSS";

 		case CKM_SHA1_RSA_PKCS_PSS:

 			return "SHA1_RSA_PKCS_PSS";

+		case CKM_SHA224_RSA_PKCS_PSS:

+			return "SHA224_RSA_PKCS_PSS";

 		case CKM_SHA256_RSA_PKCS_PSS:

 			return "SHA256_RSA_PKCS_PSS";

 		case CKM_SHA384_RSA_PKCS_PSS:

From 5aa3dbcdd76af0197946252ff53a0636cb979ab3 Mon Sep 17 00:00:00 2001

From: Nicholas Wilson <nicholas.wilson@realvnc.com>

Date: Tue, 25 Aug 2015 12:45:27 +0100

Subject: [PATCH 3/5] Add support for PSS padding to RSA signatures

A card driver may declare support for computing the padding on the card,

or else the padding will be applied locally in padding.c.  All five

PKCS11 PSS mechanisms are supported, for signature and verification.

There are a few limits on what we choose to support, in particular I

don't see a need for arbitrary combinations of MGF hash, data hash, and

salt length, so I've restricted it (for the user's benefit) to the only

cases that really matter, where salt_len = hash_len and the same hash is

used for the MGF and data hashing.

------------------------------------------------------------------------

Reworked and extended in 2018 by Jakub Jelen <jjelen@redhat.com> against

current OpenSC master, to actually work with existing PIV cards:

 * extended of missing mechanisms (SHA224, possibility to select MGF1)

 * compatibility with OpenSSL 1.1+

 * Removed the ANSI padding

 * Formatting cleanup, error checking

Based on the original work from

https://github.com/NWilson/OpenSC/commit/42f3199e66

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---

 src/libopensc/card-atrust-acos.c |   2 +-

 src/libopensc/card-starcos.c     |   4 +-

 src/libopensc/internal.h         |   2 +-

 src/libopensc/opensc.h           |  74 +++++++--

 src/libopensc/padding.c          | 257 ++++++++++++++++++++++++++----

 src/libopensc/pkcs15-sec.c       |  33 ++--

 src/pkcs11/framework-pkcs15.c    | 265 +++++++++++++++++++++++--------

 src/pkcs11/mechanism.c           |  31 +++-

 src/pkcs11/openssl.c             | 151 ++++++++++++++++--

 src/pkcs11/pkcs11.h              |   3 +-

 src/pkcs11/sc-pkcs11.h           |   9 +-

 11 files changed, 674 insertions(+), 157 deletions(-)

diff --git a/src/libopensc/card-atrust-acos.c b/src/libopensc/card-atrust-acos.c

index fb0b296c8..05ef0f441 100644

--- a/src/libopensc/card-atrust-acos.c

+++ b/src/libopensc/card-atrust-acos.c

@@ -722,7 +722,7 @@ static int atrust_acos_compute_signature(struct sc_card *card,

 				flags = SC_ALGORITHM_RSA_HASH_NONE;

 			tmp_len = sizeof(sbuf);

 			r = sc_pkcs1_encode(card->ctx, flags, data, datalen,

-					sbuf, &tmp_len, sizeof(sbuf));

+					sbuf, &tmp_len, sizeof(sbuf)*8);

 			if (r < 0)

 				return r;

 		} else {

diff --git a/src/libopensc/card-starcos.c b/src/libopensc/card-starcos.c

index 7ad132dc1..799c6a680 100644

--- a/src/libopensc/card-starcos.c

+++ b/src/libopensc/card-starcos.c

@@ -1545,7 +1545,7 @@ static int starcos_compute_signature(sc_card_t *card,

 					flags = SC_ALGORITHM_RSA_HASH_NONE;

 				}

 				tmp_len = sizeof(sbuf);

-				r = sc_pkcs1_encode(card->ctx, flags, data, datalen, sbuf, &tmp_len, sizeof(sbuf));

+				r = sc_pkcs1_encode(card->ctx, flags, data, datalen, sbuf, &tmp_len, sizeof(sbuf)*8);

 				SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "sc_pkcs1_encode failed");

 			} else {

 				memcpy(sbuf, data, datalen);

@@ -1607,7 +1607,7 @@ static int starcos_compute_signature(sc_card_t *card,

 				flags = SC_ALGORITHM_RSA_HASH_NONE;

 			tmp_len = sizeof(sbuf);

 			r = sc_pkcs1_encode(card->ctx, flags, data, datalen,

-					sbuf, &tmp_len, sizeof(sbuf));

+					sbuf, &tmp_len, sizeof(sbuf)*8);

 			if (r < 0)

 				return r;

 		} else {

diff --git a/src/libopensc/internal.h b/src/libopensc/internal.h

index 9d6a77ffe..08d590f23 100644

--- a/src/libopensc/internal.h

+++ b/src/libopensc/internal.h

@@ -159,7 +159,7 @@ int sc_pkcs1_strip_digest_info_prefix(unsigned int *algorithm,

  * @return SC_SUCCESS on success and an error code otherwise

  */

 int sc_pkcs1_encode(sc_context_t *ctx, unsigned long flags,

-		const u8 *in, size_t inlen, u8 *out, size_t *outlen, size_t modlen);

+		const u8 *in, size_t inlen, u8 *out, size_t *outlen, size_t mod_bits);

 /**

  * Get the necessary padding and sec. env. flags.

  * @param  ctx     IN  sc_contex_t object

diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h

index b9b960d8f..a4e87d5bf 100644

--- a/src/libopensc/opensc.h

+++ b/src/libopensc/opensc.h

@@ -93,19 +93,39 @@ extern "C" {

 #define SC_ALGORITHM_NEED_USAGE		0x40000000

 #define SC_ALGORITHM_SPECIFIC_FLAGS	0x001FFFFF

-#define SC_ALGORITHM_RSA_RAW		0x00000001

 /* If the card is willing to produce a cryptogram padded with the following

- * methods, set these flags accordingly. */

-#define SC_ALGORITHM_RSA_PADS		0x0000001E

-#define SC_ALGORITHM_RSA_PAD_NONE	0x00000000

-#define SC_ALGORITHM_RSA_PAD_PKCS1	0x00000002

+ * methods, set these flags accordingly.  These flags are exclusive: an RSA card

+ * must support at least one of them, and exactly one of them must be selected

+ * for a given operation. */

+#define SC_ALGORITHM_RSA_RAW		0x00000001

+#define SC_ALGORITHM_RSA_PADS		0x0000001F

+#define SC_ALGORITHM_RSA_PAD_NONE	0x00000001

+#define SC_ALGORITHM_RSA_PAD_PKCS1	0x00000002 /* PKCS#1 v1.5 padding */

 #define SC_ALGORITHM_RSA_PAD_ANSI	0x00000004

 #define SC_ALGORITHM_RSA_PAD_ISO9796	0x00000008

-#define SC_ALGORITHM_RSA_PAD_PSS	0x00000010

+#define SC_ALGORITHM_RSA_PAD_PSS	0x00000010 /* PKCS#1 v2.0 PSS */

 /* If the card is willing to produce a cryptogram with the following

- * hash values, set these flags accordingly. */

-#define SC_ALGORITHM_RSA_HASH_NONE	0x00000100

+ * hash values, set these flags accordingly.  The interpretation of the hash

+ * flags depends on the algorithm and padding chosen: for RSA, the hash flags

+ * determine how the padding is constructed and do not describe the first

+ * hash applied to the document before padding begins.

+ *

+ *   - For PAD_NONE, ANSI X9.31, (and ISO9796?), the hash value is therefore

+ *     ignored.  For ANSI X9.31, the input data must already have the hash

+ *     identifier byte appended (eg 0x33 for SHA-1).

+ *   - For PKCS1 (v1.5) the hash is recorded in the padding, and HASH_NONE is a

+ *     valid value, meaning that the hash's DigestInfo has already been

+ *     prepended to the data, otherwise the hash id is put on the front.

+ *   - For PSS (PKCS#1 v2.0) the hash is used to derive the padding from the

+ *     already-hashed message.

+ *

+ * In no case is the hash actually applied to the entire document.

+ *

+ * It's possible that the card may support different hashes for PKCS1 and PSS

+ * signatures; in this case the card driver has to pick the lowest-denominator

+ * when it sets these flags to indicate its capabilities. */

+#define SC_ALGORITHM_RSA_HASH_NONE	0x00000100 /* only applies to PKCS1 padding */

 #define SC_ALGORITHM_RSA_HASH_SHA1	0x00000200

 #define SC_ALGORITHM_RSA_HASH_MD5	0x00000400

 #define SC_ALGORITHM_RSA_HASH_MD5_SHA1	0x00000800

@@ -114,21 +134,39 @@ extern "C" {

 #define SC_ALGORITHM_RSA_HASH_SHA384	0x00004000

 #define SC_ALGORITHM_RSA_HASH_SHA512	0x00008000

 #define SC_ALGORITHM_RSA_HASH_SHA224	0x00010000

-#define SC_ALGORITHM_RSA_HASHES		0x0001FE00

-

+#define SC_ALGORITHM_RSA_HASHES		0x0001FF00

+

+/* This defines the hashes to be used with MGF1 in PSS padding */

+#define SC_ALGORITHM_MGF1_SHA1		0x00100000

+#define SC_ALGORITHM_MGF1_SHA256	0x00200000

+#define SC_ALGORITHM_MGF1_SHA384	0x00400000

+#define SC_ALGORITHM_MGF1_SHA512	0x00800000

+#define SC_ALGORITHM_MGF1_SHA224	0x01000000

+#define SC_ALGORITHM_MGF1_HASHES	0x01F00000

+

+/* These flags are exclusive: a GOST R34.10 card must support at least one or the

+ * other of the methods, and exactly one of them applies to any given operation.

+ * Note that the GOST R34.11 hash is actually applied to the data (ie if this

+ * algorithm is chosen the entire unhashed document is passed in). */

 #define SC_ALGORITHM_GOSTR3410_RAW		0x00020000

-#define SC_ALGORITHM_GOSTR3410_HASH_NONE	0x00040000

+#define SC_ALGORITHM_GOSTR3410_HASH_NONE	SC_ALGORITHM_GOSTR3410_RAW /*XXX*/

 #define SC_ALGORITHM_GOSTR3410_HASH_GOSTR3411	0x00080000

-#define SC_ALGORITHM_GOSTR3410_HASHES		0x00080000

-/*TODO: -DEE Should the above be 0x0000E000 */

-/* Or should the HASH_NONE be 0x00000010  and HASHES be 0x00008010 */

-

+#define SC_ALGORITHM_GOSTR3410_HASHES		0x000A0000

+/*TODO: -DEE Should the above be 0x000E0000 */

+/* Or should the HASH_NONE be 0x00000100  and HASHES be 0x00080010 */

+

+/* The ECDSA flags are exclusive, and exactly one of them applies to any given

+ * operation.  If ECDSA with a hash is specified, then the data passed in is

+ * the entire document, unhashed, and the hash is applied once to it before

+ * truncating and signing.  These flags are distinct from the RSA hash flags,

+ * which determine the hash ids the card is willing to put in RSA message

+ * padding. */

 /* May need more bits if card can do more hashes */

 /* TODO: -DEE Will overload RSA_HASHES with EC_HASHES */

 /* Not clear if these need their own bits or not */

 /* The PIV card does not support and hashes */

-#define SC_ALGORITHM_ECDSA_RAW		0x00100000

 #define SC_ALGORITHM_ECDH_CDH_RAW	0x00200000

+#define SC_ALGORITHM_ECDSA_RAW		0x00100000

 #define SC_ALGORITHM_ECDSA_HASH_NONE		SC_ALGORITHM_RSA_HASH_NONE

 #define SC_ALGORITHM_ECDSA_HASH_SHA1		SC_ALGORITHM_RSA_HASH_SHA1

 #define SC_ALGORITHM_ECDSA_HASH_SHA224		SC_ALGORITHM_RSA_HASH_SHA224

@@ -142,7 +180,9 @@ extern "C" {

 							SC_ALGORITHM_ECDSA_HASH_SHA512)

 /* define mask of all algorithms that can do raw */

-#define SC_ALGORITHM_RAW_MASK (SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_GOSTR3410_RAW | SC_ALGORITHM_ECDSA_RAW)

+#define SC_ALGORITHM_RAW_MASK (SC_ALGORITHM_RSA_RAW | \

+                               SC_ALGORITHM_GOSTR3410_RAW | \

+                               SC_ALGORITHM_ECDSA_RAW)

 /* extended algorithm bits for selected mechs */

 #define SC_ALGORITHM_EXT_EC_F_P          0x00000001

diff --git a/src/libopensc/padding.c b/src/libopensc/padding.c

index f544e5778..53a87c352 100644

--- a/src/libopensc/padding.c

+++ b/src/libopensc/padding.c

@@ -23,6 +23,12 @@

 #include "config.h"

 #endif

+#ifdef ENABLE_OPENSSL

+#include <openssl/evp.h>

+#include <openssl/rand.h>

+#include <openssl/sha.h>

+#endif

+

 #include <string.h>

 #include <stdlib.h>

@@ -231,22 +237,183 @@ int sc_pkcs1_strip_digest_info_prefix(unsigned int *algorithm,

 	return SC_ERROR_INTERNAL;

 }

+#ifdef ENABLE_OPENSSL

+

+static const EVP_MD* hash_flag2md(unsigned int hash)

+{

+	switch (hash & SC_ALGORITHM_RSA_HASHES) {

+	case SC_ALGORITHM_RSA_HASH_SHA1:

+		return EVP_sha1();

+	case SC_ALGORITHM_RSA_HASH_SHA224:

+		return EVP_sha224();

+	case SC_ALGORITHM_RSA_HASH_SHA256:

+		return EVP_sha256();

+	case SC_ALGORITHM_RSA_HASH_SHA384:

+		return EVP_sha384();

+	case SC_ALGORITHM_RSA_HASH_SHA512:

+		return EVP_sha512();

+	default:

+		return NULL;

+	}

+}

+

+static const EVP_MD* mgf1_flag2md(unsigned int mgf1)

+{

+	switch (mgf1 & SC_ALGORITHM_MGF1_HASHES) {

+	case SC_ALGORITHM_MGF1_SHA1:

+		return EVP_sha1();

+	case SC_ALGORITHM_MGF1_SHA224:

+		return EVP_sha224();

+	case SC_ALGORITHM_MGF1_SHA256:

+		return EVP_sha256();

+	case SC_ALGORITHM_MGF1_SHA384:

+		return EVP_sha384();

+	case SC_ALGORITHM_MGF1_SHA512:

+		return EVP_sha512();

+	default:

+		return NULL;

+	}

+}

+

+/* add PKCS#1 v2.0 PSS padding */

+static int sc_pkcs1_add_pss_padding(unsigned int hash, unsigned int mgf1_hash,

+    const u8 *in, size_t in_len, u8 *out, size_t *out_len, size_t mod_bits)

+{

+	/* hLen = sLen in our case */

+	int rv = SC_ERROR_INTERNAL, i, j, hlen, dblen, plen, round, mgf_rounds;

+	int mgf1_hlen;

+	const EVP_MD* md, *mgf1_md;

+	EVP_MD_CTX* ctx = NULL;

+	u8 buf[8];

+	u8 salt[EVP_MAX_MD_SIZE], mask[EVP_MAX_MD_SIZE];

+	size_t mod_length = (mod_bits + 7) / 8;

+

+	if (*out_len < mod_length)

+		return SC_ERROR_BUFFER_TOO_SMALL;

+

+	md = hash_flag2md(hash);

+	if (md == NULL)

+		return SC_ERROR_NOT_SUPPORTED;

+	hlen = EVP_MD_size(md);

+	dblen = mod_length - hlen - 1; /* emLen - hLen - 1 */

+	plen = mod_length - 2*hlen - 1;

+	if (in_len != (unsigned)hlen)

+		return SC_ERROR_INVALID_ARGUMENTS;

+	if (2 * (unsigned)hlen + 2 > mod_length)

+		/* RSA key too small for chosen hash (1296 bits or higher needed for

+		 * signing SHA-512 hashes) */

+		return SC_ERROR_NOT_SUPPORTED;

+

+	if (RAND_bytes(salt, hlen) != 1)

+		return SC_ERROR_INTERNAL;

+

+	/* Hash M' to create H */

+	if (!(ctx = EVP_MD_CTX_create()))

+		goto done;

+	memset(buf, 0x00, 8);

+	if (EVP_DigestInit_ex(ctx, md, NULL) != 1 ||

+	    EVP_DigestUpdate(ctx, buf, 8) != 1 ||

+	    EVP_DigestUpdate(ctx, in, hlen) != 1 || /* mHash */

+	    EVP_DigestUpdate(ctx, salt, hlen) != 1) {

+		goto done;

+	}

+

+	/* Construct padding2, salt, H, and BC in the output block */

+	/* DB = PS || 0x01 || salt */

+	memset(out, 0x00, plen - 1); /* emLen - sLen - hLen - 2 */

+	out[plen - 1] = 0x01;

+	memcpy(out + plen, salt, hlen);

+	if (EVP_DigestFinal_ex(ctx, out + dblen, NULL) != 1) { /* H */

+		goto done;

+	}

+	out[dblen + hlen] = 0xBC;

+	/* EM = DB* || H || 0xbc

+	 *  *the first part is masked later */

+

+	/* Construct the DB mask block by block and XOR it in. */

+	mgf1_md = mgf1_flag2md(mgf1_hash);

+	if (mgf1_md == NULL)

+		return SC_ERROR_NOT_SUPPORTED;

+	mgf1_hlen = EVP_MD_size(mgf1_md);

+

+	mgf_rounds = (dblen + mgf1_hlen - 1) / mgf1_hlen; /* round up */

+	for (round = 0; round < mgf_rounds; ++round) {

+		buf[0] = (round&0xFF000000U) >> 24;

+		buf[1] = (round&0x00FF0000U) >> 16;

+		buf[2] = (round&0x0000FF00U) >> 8;

+		buf[3] = (round&0x000000FFU);

+		if (EVP_DigestInit_ex(ctx, mgf1_md, NULL) != 1 ||

+		    EVP_DigestUpdate(ctx, out + dblen, hlen) != 1 || /* H (Z parameter of MGF1) */

+		    EVP_DigestUpdate(ctx, buf, 4) != 1 || /* C */

+		    EVP_DigestFinal_ex(ctx, mask, NULL)) {

+			goto done;

+		}

+		/* this is no longer part of the MGF1, but actually

+		 * XORing mask with DB to create maskedDB inplace */

+		for (i = round * mgf1_hlen, j = 0; i < dblen && j < mgf1_hlen; ++i, ++j) {

+			out[i] ^= mask[j];

+		}

+	}

+

+	/* Set leftmost N bits in leftmost octet in maskedDB to zero

+	 * to make sure the result is smaller than the modulus ( +1)

+	 */

+	out[0] &= (0xff >> (8 * mod_length - mod_bits + 1));

+

+	*out_len = mod_length;

+	rv = SC_SUCCESS;

+

+done:

+	OPENSSL_cleanse(salt, sizeof(salt));

+	OPENSSL_cleanse(mask, sizeof(mask));

+	if (ctx) {

+		EVP_MD_CTX_destroy(ctx);

+	}

+	return rv;

+}

+

+static int hash_len2algo(size_t hash_len)

+{

+	switch (hash_len) {

+	case SHA_DIGEST_LENGTH:

+		return SC_ALGORITHM_RSA_HASH_SHA1;

+	case SHA224_DIGEST_LENGTH:

+		return SC_ALGORITHM_RSA_HASH_SHA224;

+	case SHA256_DIGEST_LENGTH:

+		return SC_ALGORITHM_RSA_HASH_SHA256;

+	case SHA384_DIGEST_LENGTH:

+		return SC_ALGORITHM_RSA_HASH_SHA384;

+	case SHA512_DIGEST_LENGTH:

+		return SC_ALGORITHM_RSA_HASH_SHA512;

+	}

+	/* Should never happen -- the mechanism and data should be already

+	 * verified to match one of the above. If not, we will fail later

+	 */

+	return SC_ALGORITHM_RSA_HASH_NONE;

+}

+#endif

+

 /* general PKCS#1 encoding function */

 int sc_pkcs1_encode(sc_context_t *ctx, unsigned long flags,

-	const u8 *in, size_t in_len, u8 *out, size_t *out_len, size_t mod_len)

+	const u8 *in, size_t in_len, u8 *out, size_t *out_len, size_t mod_bits)

 {

 	int    rv, i;

 	size_t tmp_len = *out_len;

 	const u8    *tmp = in;

 	unsigned int hash_algo, pad_algo;

+	size_t mod_len = (mod_bits + 7) / 8;

+#ifdef ENABLE_OPENSSL

+	unsigned int mgf1_hash;

+#endif

 	LOG_FUNC_CALLED(ctx);

-	hash_algo = flags & (SC_ALGORITHM_RSA_HASHES | SC_ALGORITHM_RSA_HASH_NONE);

+	hash_algo = flags & SC_ALGORITHM_RSA_HASHES;

 	pad_algo  = flags & SC_ALGORITHM_RSA_PADS;

 	sc_log(ctx, "hash algorithm 0x%X, pad algorithm 0x%X", hash_algo, pad_algo);

-	if (hash_algo != SC_ALGORITHM_RSA_HASH_NONE) {

+	if ((pad_algo == SC_ALGORITHM_RSA_PAD_PKCS1 || !pad_algo) &&

+	    hash_algo != SC_ALGORITHM_RSA_HASH_NONE) {

 		i = sc_pkcs1_add_digest_info_prefix(hash_algo, in, in_len, out, &tmp_len);

 		if (i != SC_SUCCESS) {

 			sc_log(ctx, "Unable to add digest info 0x%x", hash_algo);

@@ -268,10 +435,29 @@ int sc_pkcs1_encode(sc_context_t *ctx, unsigned long flags,

 		/* add pkcs1 bt01 padding */

 		rv = sc_pkcs1_add_01_padding(tmp, tmp_len, out, out_len, mod_len);

 		LOG_FUNC_RETURN(ctx, rv);

+	case SC_ALGORITHM_RSA_PAD_PSS:

+		/* add PSS padding */

+#ifdef ENABLE_OPENSSL

+		mgf1_hash = flags & SC_ALGORITHM_MGF1_HASHES;

+		if (hash_algo == SC_ALGORITHM_RSA_HASH_NONE) {

+			/* this is generic RSA_PKCS1_PSS mechanism with hash

+			 * already done outside of the module. The parameters

+			 * were already checked so we need to adjust the hash

+			 * algorithm to do the padding with the correct hash

+			 * function.

+			 */

+			hash_algo = hash_len2algo(tmp_len);

+		}

+		rv = sc_pkcs1_add_pss_padding(hash_algo, mgf1_hash,

+		    tmp, tmp_len, out, out_len, mod_bits);

+#else

+		rv = SC_ERROR_NOT_SUPPORTED;

+#endif

+		LOG_FUNC_RETURN(ctx, rv);

 	default:

-		/* currently only pkcs1 padding is supported */

-		sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Unsupported padding algorithm 0x%x", pad_algo);

-		LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_SUPPORTED);

+		/* We shouldn't be called with an unexpected padding type, we've already

+		 * returned SC_ERROR_NOT_SUPPORTED if the card can't be used. */

+		LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);

 	}

 }

@@ -279,42 +465,45 @@ int sc_get_encoding_flags(sc_context_t *ctx,

 	unsigned long iflags, unsigned long caps,

 	unsigned long *pflags, unsigned long *sflags)

 {

-	size_t i;

-

 	LOG_FUNC_CALLED(ctx);

 	if (pflags == NULL || sflags == NULL)

 		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_ARGUMENTS);

 	sc_log(ctx, "iFlags 0x%lX, card capabilities 0x%lX", iflags, caps);

-	for (i = 0; digest_info_prefix[i].algorithm != 0; i++) {

-		if (iflags & digest_info_prefix[i].algorithm) {

-			if (digest_info_prefix[i].algorithm != SC_ALGORITHM_RSA_HASH_NONE &&

-			    caps & digest_info_prefix[i].algorithm)

-				*sflags |= digest_info_prefix[i].algorithm;

-			else

-				*pflags |= digest_info_prefix[i].algorithm;

-			break;

-		}

-	}

-	if (iflags & SC_ALGORITHM_RSA_PAD_PKCS1) {

-		if (caps & SC_ALGORITHM_RSA_PAD_PKCS1)

-			*sflags |= SC_ALGORITHM_RSA_PAD_PKCS1;

-		else

-			*pflags |= SC_ALGORITHM_RSA_PAD_PKCS1;

-	} else if ((iflags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {

-		

-		/* Work with RSA, EC and maybe GOSTR? */

-		if (!(caps & SC_ALGORITHM_RAW_MASK))

-			LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "raw encryption is not supported");

+	/* For ECDSA and GOSTR, we don't do any padding or hashing ourselves, the

+	 * card has to support the requested operation.  Similarly, for RSA with

+	 * raw padding (raw RSA) and ISO9796, we require the card to do it for us.

+	 * Finally, for PKCS1 (v1.5 and PSS) and ASNI X9.31 we can apply the padding

+	 * ourselves if the card supports raw RSA. */

-		*sflags |= (caps & SC_ALGORITHM_RAW_MASK); /* adds in the one raw type */

+	/* TODO: Could convert GOSTR3410_HASH_GOSTR3411 -> GOSTR3410_RAW and

+	 *       ECDSA_HASH_ -> ECDSA_RAW using OpenSSL (not much benefit though). */

+

+	if ((caps & iflags) == iflags) {

+		/* Card supports the signature operation we want to do, great, let's

+		 * go with it then. */

+		*sflags = iflags;

 		*pflags = 0;

-	} else if (iflags & SC_ALGORITHM_RSA_PAD_PSS) {

-		if (caps & SC_ALGORITHM_RSA_PAD_PSS)

-			*sflags |= SC_ALGORITHM_RSA_PAD_PSS;

-		else

-			*pflags |= SC_ALGORITHM_RSA_PAD_PSS;

+

+	} else if ((caps & SC_ALGORITHM_RSA_PAD_PSS) &&

+                   (iflags & SC_ALGORITHM_RSA_PAD_PSS)) {

+		*sflags |= SC_ALGORITHM_RSA_PAD_PSS;

+

+	} else if (((caps & SC_ALGORITHM_RSA_RAW) &&

+	            (iflags & SC_ALGORITHM_RSA_PAD_PKCS1))

+	           || iflags & SC_ALGORITHM_RSA_PAD_PSS) {

+		/* Use the card's raw RSA capability on the padded input */

+		*sflags = SC_ALGORITHM_RSA_PAD_NONE;

+		*pflags = iflags;

+

+	} else if ((caps & (SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE)) &&

+	           (iflags & SC_ALGORITHM_RSA_PAD_PKCS1)) {

+		/* A corner case - the card can partially do PKCS1, if we prepend the

+		 * DigestInfo bit it will do the rest. */

+		*sflags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE;

+		*pflags = iflags & SC_ALGORITHM_RSA_HASHES;

+

 	} else {

 		LOG_TEST_RET(ctx, SC_ERROR_NOT_SUPPORTED, "unsupported algorithm");

 	}

diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c

index 6ee4fa3c7..3e7e03b12 100644

--- a/src/libopensc/pkcs15-sec.c

+++ b/src/libopensc/pkcs15-sec.c

@@ -329,7 +329,7 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,

 	switch (obj->type) {

 		case SC_PKCS15_TYPE_PRKEY_RSA:

-			modlen = prkey->modulus_length / 8;

+			modlen = (prkey->modulus_length + 7) / 8;

 			break;

 		case SC_PKCS15_TYPE_PRKEY_GOSTR3410:

 			modlen = (prkey->modulus_length + 7) / 8 * 2;

@@ -377,7 +377,8 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,

 		if (modlen > tmplen)

 			LOG_TEST_RET(ctx, SC_ERROR_NOT_ALLOWED, "Buffer too small, needs recompile!");

-		r = sc_pkcs1_encode(ctx, flags, in, inlen, buf, &tmplen, modlen);

+		/* XXX Assuming RSA key here */

+		r = sc_pkcs1_encode(ctx, flags, in, inlen, buf, &tmplen, prkey->modulus_length);

 		/* no padding needed - already done */

 		flags &= ~SC_ALGORITHM_RSA_PADS;

@@ -391,10 +392,15 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,

 	}

-	/* If the card doesn't support the requested algorithm, see if we

-	 * can strip the input so a more restrictive algo can be used */

+	/* If the card doesn't support the requested algorithm, we normally add the

+	 * padding here in software and ask the card to do a raw signature.  There's

+	 * one exception to that, where we might be able to get the signature to

+	 * succeed by stripping padding if the card only offers higher-level

+	 * signature operations.  The only thing we can strip is the DigestInfo

+	 * block from PKCS1 padding. */

 	if ((flags == (SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE)) &&

-			!(alg_info->flags & (SC_ALGORITHM_RSA_RAW | SC_ALGORITHM_RSA_HASH_NONE))) {

+	    !(alg_info->flags & SC_ALGORITHM_RSA_RAW) &&

+	    !(alg_info->flags & (SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE))) {

 		unsigned int algo;

 		size_t tmplen = sizeof(buf);

@@ -420,19 +426,16 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card,

 	/* add the padding bytes (if necessary) */

 	if (pad_flags != 0) {

-		if (flags & SC_ALGORITHM_RSA_PAD_PSS) {

-			// TODO PSS padding

-		} else {

-			size_t tmplen = sizeof(buf);

-

-			r = sc_pkcs1_encode(ctx, pad_flags, tmp, inlen, tmp, &tmplen, modlen);

-			SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Unable to add padding");

+		size_t tmplen = sizeof(buf);

-			inlen = tmplen;

-		}

+		/* XXX Assuming RSA key here */

+		r = sc_pkcs1_encode(ctx, pad_flags, tmp, inlen, tmp, &tmplen,

+		    prkey->modulus_length);

+		SC_TEST_RET(ctx, SC_LOG_DEBUG_NORMAL, r, "Unable to add padding");

+		inlen = tmplen;

 	}

 	else if ( senv.algorithm == SC_ALGORITHM_RSA &&

-			(flags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {

+	          (flags & SC_ALGORITHM_RSA_PADS) == SC_ALGORITHM_RSA_PAD_NONE) {

 		/* Add zero-padding if input is shorter than the modulus */

 		if (inlen < modlen) {

 			if (modlen > sizeof(buf))

diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c

index 80f9ce89f..a75d239f4 100644

--- a/src/pkcs11/framework-pkcs15.c

+++ b/src/pkcs11/framework-pkcs15.c

@@ -3478,7 +3478,8 @@ struct sc_pkcs11_object_ops pkcs15_cert_ops = {

 	NULL,	/* unwrap_key */

 	NULL,	/* decrypt */

 	NULL,	/* derive */

-	NULL	/* can_do */

+	NULL,	/* can_do */

+	NULL	/* init_params */

 };

 /*

@@ -3703,53 +3704,44 @@ static CK_RV

 pkcs15_prkey_check_pss_param(CK_MECHANISM_PTR pMechanism, CK_ULONG hlen)

 {

 	CK_RSA_PKCS_PSS_PARAMS *pss_param;

-

-	if (pMechanism->pParameter == NULL)

-		return CKR_OK;				// Support applications that don't provide CK_RSA_PKCS_PSS_PARAMS

-

-	if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS))

-		return CKR_MECHANISM_PARAM_INVALID;

+	int i;

+	const unsigned int hash_lens[5] = { 160, 256, 385, 512, 224 };

+	const unsigned int hashes[5] = { CKM_SHA_1, CKM_SHA256,

+		CKM_SHA384, CKM_SHA512, CKM_SHA224 };

 	pss_param = (CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter;

-	// Hash parameter must match mechanisms or length of data supplied for CKM_RSA_PKCS_PSS

-	switch(pss_param->hashAlg) {

-	case CKM_SHA_1:

-		if (hlen != 20)

-			return CKR_MECHANISM_PARAM_INVALID;

-		break;

-	case CKM_SHA256:

-		if (hlen != 32)

+	// Hash parameter must match length of data supplied for CKM_RSA_PKCS_PSS

+	for (i = 0; i < 5; i++) {

+		if (pss_param->hashAlg == hashes[i]

+		    && hlen != hash_lens[i]/8)

 			return CKR_MECHANISM_PARAM_INVALID;

-		break;

-	default:

-		return CKR_MECHANISM_PARAM_INVALID;

 	}

+	/* other aspects of pss params were already verified during SignInit */

-	// SmartCards typically only support MGFs based on the same hash as the

-	// message digest

-	switch(pss_param->mgf) {

-	case CKG_MGF1_SHA1:

-		if (hlen != 20)

-			return CKR_MECHANISM_PARAM_INVALID;

+	return CKR_OK;

+}

+

+static int mgf2flags(CK_RSA_PKCS_MGF_TYPE mgf)

+{

+	switch (mgf) {

+	case CKG_MGF1_SHA224:

+		return SC_ALGORITHM_MGF1_SHA224;

 		break;

 	case CKG_MGF1_SHA256:

-		if (hlen != 32)

-			return CKR_MECHANISM_PARAM_INVALID;

-		break;

+		return SC_ALGORITHM_MGF1_SHA256;

+	case CKG_MGF1_SHA384:

+		return SC_ALGORITHM_MGF1_SHA384;

+	case CKG_MGF1_SHA512:

+		return SC_ALGORITHM_MGF1_SHA512;

+	case CKG_MGF1_SHA1:

+		return SC_ALGORITHM_MGF1_SHA1;

 	default:

-		return CKR_MECHANISM_PARAM_INVALID;

+		return -1;

 	}

-

-	// SmartCards typically support only a salt length equal to the hash length

-	if (pss_param->sLen != hlen)

-		return CKR_MECHANISM_PARAM_INVALID;

-

-	return CKR_OK;

 }

-