Remove padding when doing ECDSA signing via pkcs11

aveenismail · aveenismail · commit d074371eea04 · 2025-04-07T15:54:33.000+02:00
diff --git a/pkcs11/util_pkcs11.c b/pkcs11/util_pkcs11.c
@@ -3225,16 +3225,21 @@ CK_RV apply_sign_mechanism_finalize(yubihsm_pkcs11_op_info *op_info) {
   }
 
   if (is_ECDSA_sign_mechanism(op_info->mechanism.mechanism)) {
-    if (op_info->buffer_length < op_info->op.sign.sig_len / 2) {
-      uint16_t padding =
-        (op_info->op.sign.sig_len / 2) - op_info->buffer_length;
-      memmove(op_info->buffer + padding, op_info->buffer,
-              op_info->buffer_length);
-      memset(op_info->buffer, 0, padding);
-      op_info->buffer_length += padding;
-    } else if (op_info->buffer_length > op_info->op.sign.sig_len / 2) {
+
+    if (op_info->buffer_length > op_info->op.sign.sig_len / 2) {
       op_info->buffer_length = op_info->op.sign.sig_len / 2;
     }
+
+//    if (op_info->buffer_length < op_info->op.sign.sig_len / 2) {
+//      uint16_t padding =
+//        (op_info->op.sign.sig_len / 2) - op_info->buffer_length;
+//      memmove(op_info->buffer + padding, op_info->buffer,
+//              op_info->buffer_length);
+//      memset(op_info->buffer, 0, padding);
+//      op_info->buffer_length += padding;
+//    } else if (op_info->buffer_length > op_info->op.sign.sig_len / 2) {
+//      op_info->buffer_length = op_info->op.sign.sig_len / 2;
+//    }
   }
 
   // TODO(adma): check if more steps are need for PSS or ECDSA
diff --git a/resources/tests/bash/opensc_test.sh b/resources/tests/bash/opensc_test.sh
@@ -37,10 +37,15 @@ echo "this is test data" > data.txt
 ### because it will not look for a key by label/alias. However, specifying an object to delete by its label/alias seems
 ### to work just fine.
 
-EC_CURVES=("secp224r1" "secp256r1" "secp384r1" "secp256k1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1")
-#EC_CURVES=("secp224r1" "secp256r1" "secp384r1" "secp521r1" "secp256k1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1")
+#EC_CURVES=("secp224r1" "secp256r1" "secp384r1" "secp256k1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1")
+EC_CURVES=("secp224r1" "secp256r1" "secp384r1" "secp521r1" "secp256k1" "brainpoolP256r1" "brainpoolP384r1" "brainpoolP512r1")
 
 for curve in "${EC_CURVES[@]}"; do
+
+  echo "**********************************"
+  echo "            $curve"
+  echo "**********************************"
+
 #  # Generate key
   test "pkcs11-tool --module $MODULE --login --pin 0001password --keypairgen --id 1 --key-type EC:$curve" "   Generate EC key with curve $curve"
   test "pkcs11-tool --module $MODULE --login --pin 0001password --read-object --id 1 --type pubkey --output-file pubkey.der" "   Get public key of generated key"
@@ -93,6 +98,11 @@ test "openssl dgst -sha384 -binary -out data.sha384 data.txt" "   Hash data with
 test "openssl dgst -sha512 -binary -out data.sha512 data.txt" "   Hash data with SHA512 and OpenSSL"
 
 for len in "${RSA_LENGTHS[@]}"; do
+
+  echo "**********************************"
+  echo "            RSA$len"
+  echo "**********************************"
+
   # Generate key
   test "pkcs11-tool --module $MODULE --login --pin 0001password --keypairgen --id 1 --key-type rsa:$len --usage-sign --usage-decrypt" "   Generate RSA$len key"
   test "pkcs11-tool --module $MODULE --login --pin 0001password --read-object --id 1 --type pubkey --output-file pubkey.der" "   Get public key of generated key"
