
Commit 2ef7fa4

committed
Fix magic ID selection in NCryptExportKey.
Add algorithm-based magic ID selection, instead of hardcoding the EC-P256 ID. Interesting that signtool did not throw any errors or warnings. Bug: b/289095059 Change-Id: Ic430f1fd94892ed007847541a7f08787ae0691ea
1 parent 23a1331 commit 2ef7fa4


3 files changed

+29
-1
lines changed


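--- a/kmscng/operation/sign_utils.cc
+++ b/kmscng/operation/sign_utils.cc
@@ -102,6 +102,20 @@ absl::StatusOr<int> CurveIdForAlgorithm(
 }
 }
 
+absl::StatusOr<uint32_t> MagicIdForAlgorithm(
+kms_v1::CryptoKeyVersion::CryptoKeyVersionAlgorithm algorithm) {
+switch (algorithm) {
+case kms_v1::CryptoKeyVersion::EC_SIGN_P256_SHA256:
+return BCRYPT_ECDSA_PUBLIC_P256_MAGIC;
+case kms_v1::CryptoKeyVersion::EC_SIGN_P384_SHA384:
+return BCRYPT_ECDSA_PUBLIC_P384_MAGIC;
+default:
+return NewInternalError(
+absl::StrFormat("cannot get magic ID for algorithm: %d", algorithm),
+SOURCE_LOCATION);
+}
+}
+
 absl::Status ValidateKeyPreconditions(Object* object) {
 RETURN_IF_ERROR(IsValidSigningAlgorithm(object->algorithm()));
 ASSIGN_OR_RETURN(AlgorithmDetails details, GetDetails(object->algorithm()));
@@ -161,7 +175,7 @@ absl::StatusOr<std::vector<uint8_t>> SerializePublicKey(Object* object) {
 }
 BCRYPT_ECCKEY_BLOB* header =
 reinterpret_cast<BCRYPT_ECCKEY_BLOB*>(result.data());
-header->dwMagic = BCRYPT_ECDSA_PUBLIC_P256_MAGIC;
+ASSIGN_OR_RETURN(header->dwMagic, MagicIdForAlgorithm(object->algorithm()));
 header->cbKey = uncompressed_length / 2;
 return result;
 }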
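Review bot: In SerializePublicKey the header's dwMagic now follows the algorithm, but cbKey is still taken from `uncompressed_length / 2` and nothing visible in the hunk checks that the two describe the same curve. The commit message notes that signtool accepted the wrong magic without any error, so a mismatched blob is unlikely to be caught downstream; MagicIdForAlgorithm and CurveIdForAlgorithm are also separate switches that can drift apart when a curve is added. I would add a comment above the new switch, `// Keep in sync with CurveIdForAlgorithm: dwMagic tells the BCrypt consumer which curve the key bytes belong to.`, and consider carrying the magic in AlgorithmDetails if that struct is meant to be the single source of per-algorithm data (its definition is not visible here). SerializePublicKey's body starts outside the hunk.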

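--- a/kmscng/operation/sign_utils.h
+++ b/kmscng/operation/sign_utils.h
@@ -38,6 +38,10 @@ absl::StatusOr<const EVP_MD*> DigestForAlgorithm(
 absl::StatusOr<int> CurveIdForAlgorithm(
 kms_v1::CryptoKeyVersion::CryptoKeyVersionAlgorithm algorithm);
 
+// Returns the right magic ID for the provided KMS algorithm.
+absl::StatusOr<uint32_t> MagicIdForAlgorithm(
+kms_v1::CryptoKeyVersion::CryptoKeyVersionAlgorithm algorithm);
+
 // Checks the object properties against the expected properties defined in the
 // relevant AlgorithmDetails struct.
 ValidateKeyPreconditions(Object* object);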
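Review bot: The comment on MagicIdForAlgorithm does not say which magic it returns or when the call fails, and a caller needs both to use it safely. Going by the definition in sign_utils.cc, something like `// Returns the BCRYPT_ECCKEY_BLOB dwMagic value (ECDSA public key) for the given KMS algorithm, or an internal error if the algorithm is not EC_SIGN_P256_SHA256 or EC_SIGN_P384_SHA384.` would document the contract.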

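--- a/kmscng/operation/sign_utils_test.cc
+++ b/kmscng/operation/sign_utils_test.cc
@@ -62,6 +62,16 @@ TEST(CurveIdForAlgorithmTest, InvalidAlgoritmhm) {
 StatusIs(absl::StatusCode::kInternal, HasSubstr("cannot get curve")));
 }
 
+TEST(MagicIdForAlgorithmTest, Success) {
+EXPECT_OK(MagicIdForAlgorithm(kms_v1::CryptoKeyVersion::EC_SIGN_P384_SHA384));
+}
+
+TEST(MagicIdForAlgorithmTest, InvalidAlgoritmhm) {
+EXPECT_THAT(
+MagicIdForAlgorithm(kms_v1::CryptoKeyVersion::RSA_DECRYPT_OAEP_2048_SHA1),
+StatusIs(absl::StatusCode::kInternal, HasSubstr("cannot get magic")));
+}
+
 class SignUtilsTest : public testing::Test {
 protected:
 void SetUp() override {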
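Review bot: MagicIdForAlgorithmTest.Success only checks EXPECT_OK, so it would still pass if the function returned the P-256 magic for a P-384 key, which is the bug this commit fixes. Assert the returned value for both supported algorithms, e.g. `EXPECT_EQ(*MagicIdForAlgorithm(kms_v1::CryptoKeyVersion::EC_SIGN_P384_SHA384), BCRYPT_ECDSA_PUBLIC_P384_MAGIC);` and the same for EC_SIGN_P256_SHA256 against BCRYPT_ECDSA_PUBLIC_P256_MAGIC. The test name `InvalidAlgoritmhm` also carries over the typo from the CurveIdForAlgorithm test above it.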
