diff --git a/src/signature.c b/src/signature.c index 408d032c..253ca96c 100644 --- a/src/signature.c +++ b/src/signature.c @@ -430,9 +430,25 @@ static CK_RSA_PKCS_MGF_TYPE p11prov_sig_map_mgf(const char *digest_name) static CK_RV p11prov_sig_pss_restrictions(P11PROV_SIG_CTX *sigctx, CK_MECHANISM *mechanism) { - CK_ATTRIBUTE *allowed_mechs = - p11prov_obj_get_attr(sigctx->key, CKA_ALLOWED_MECHANISMS); + CK_BBOOL token_supports_allowed_mechs = CK_TRUE; + CK_ATTRIBUTE *allowed_mechs = NULL; + CK_RV ret; + + /* check if we can add CKA_ALLOWED_MECHANISMS at all */ + ret = p11prov_token_sup_attr(sigctx->provctx, p11prov_obj_get_slotid(sigctx->key), + GET_ATTR, CKA_ALLOWED_MECHANISMS, + &token_supports_allowed_mechs); + if (ret != CKR_OK) { + P11PROV_raise(sigctx->provctx, ret, + "Failed to probe CKA_ALLOWED_MECHANISMS quirk"); + return ret; + } + if (token_supports_allowed_mechs == CK_FALSE) { + /* Token does not support ALLOWED_MECHANISMS so there are no restrictions */ + return CKR_OK; + } + allowed_mechs = p11prov_obj_get_attr(sigctx->key, CKA_ALLOWED_MECHANISMS); if (allowed_mechs) { CK_ATTRIBUTE_TYPE *mechs = (CK_ATTRIBUTE_TYPE *)allowed_mechs->pValue; int num_mechs = allowed_mechs->ulValueLen / sizeof(CK_MECHANISM_TYPE);