in aws_signing_helper/pkcs11_signer.go [1103:1146]
func checkPrivateKeyMatchesCert(module *pkcs11.Ctx, session pkcs11.SessionHandle, keyType uint, userPin string, alwaysAuth uint, contextSpecificPin string, reusePin bool, privateKeyObj KeyObjInfo, keySlot SlotIdInfo, certificate *x509.Certificate, manufacturerId string) (string, bool) {
var digestSuffix []byte
publicKey := certificate.PublicKey
ecdsaPublicKey, isEcKey := publicKey.(*ecdsa.PublicKey)
if isEcKey {
digestSuffixArr := sha256.Sum256(append([]byte("IAM RA"), elliptic.Marshal(ecdsaPublicKey, ecdsaPublicKey.X, ecdsaPublicKey.Y)...))
digestSuffix = digestSuffixArr[:]
if keyType != pkcs11.CKK_EC {
return "", false
}
}
rsaPublicKey, isRsaKey := publicKey.(*rsa.PublicKey)
if isRsaKey {
digestSuffixArr := sha256.Sum256(append([]byte("IAM RA"), x509.MarshalPKCS1PublicKey(rsaPublicKey)...))
digestSuffix = digestSuffixArr[:]
if keyType != pkcs11.CKK_RSA {
return "", false
}
}
// "AWS Roles Anywhere Credential Helper PKCS11 Test" || PKCS11_TEST_VERSION ||
// MANUFACTURER_ID || SHA256("IAM RA" || PUBLIC_KEY_BYTE_ARRAY)
digest := "AWS Roles Anywhere Credential Helper PKCS11 Test" +
strconv.Itoa(int(PKCS11_TEST_VERSION)) + manufacturerId + string(digestSuffix)
digestBytes := []byte(digest)
hash := sha256.Sum256(digestBytes)
contextSpecificPin, signature, err := signHelper(module, session, privateKeyObj, keySlot, userPin, alwaysAuth, "", reusePin, keyType, digestBytes, crypto.SHA256)
if err != nil {
return "", false
}
if isEcKey {
valid := ecdsa.VerifyASN1(ecdsaPublicKey, hash[:], signature)
return contextSpecificPin, valid
}
if isRsaKey {
err := rsa.VerifyPKCS1v15(rsaPublicKey, crypto.SHA256, hash[:], signature)
return contextSpecificPin, err == nil
}
return "", false
}