Change all HMAC_ calls to use PKCS#11 interface. Now the PKCS#12 library

only depends on functions already exported from the NSS DSO (the HMAC_ calls will be removed from the exported symbol list). r=nelsonb
2001-01-27 16:34:27 +00:00 · 2001-01-27 16:34:27 +00:00 · 673e033338
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@ -1151,9 +1151,11 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
    PBEBitGenContext *pbeCtxt = NULL;
    SECItem *hmacKey = NULL, hmacRes;
    unsigned char buf[IN_BUF_LEN];
-    void *hmacCx;
    unsigned int bufLen;
    int iteration;
+    PK11Context *pk11cx;
+    SECOidTag algtag;
+    SECItem ignore = {0};
    
    if(!p12dcx || p12dcx->error) {
 	return SECFailure;
@ -1180,16 +1182,18 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
    }

    /* init hmac */
-    hmacCx = HMAC_Create(SECOID_GetAlgorithmTag(
-				&p12dcx->macData.safeMac.digestAlgorithm),
-			 hmacKey->data, hmacKey->len);
+    algtag = SECOID_GetAlgorithmTag(&p12dcx->macData.safeMac.digestAlgorithm);
+    pk11cx = PK11_CreateContextByRawKey(NULL, 
+                                        sec_pkcs12_algtag_to_mech(algtag),
+                                        PK11_OriginDerive, CKA_SIGN, 
+                                        hmacKey, &ignore, NULL);
    SECITEM_ZfreeItem(hmacKey, PR_TRUE);
    hmacKey = NULL;
-    if(!hmacCx) {
+    if(!pk11cx) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
    }
-    HMAC_Begin((HMACContext*)hmacCx);
+    rv = PK11_DigestBegin(pk11cx);

    /* try to open the data for readback */
    if(p12dcx->dOpen && ((*p12dcx->dOpen)(p12dcx->dArg, PR_TRUE) 
@ -1209,16 +1213,14 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
 	    goto loser;
 	}

-	HMAC_Update((HMACContext*)hmacCx, buf, bytesRead);
+	rv = PK11_DigestOp(pk11cx, buf, bytesRead);
 	if(bytesRead < IN_BUF_LEN) {
 	    break;
 	}
    }

    /* finish the hmac context */
-    HMAC_Finish((HMACContext*)hmacCx, buf, &bufLen, IN_BUF_LEN);
-    HMAC_Destroy((HMACContext*)hmacCx);
-    hmacCx = NULL;
+    rv = PK11_DigestFinal(pk11cx, buf, &bufLen, IN_BUF_LEN);

    hmacRes.data = buf;
    hmacRes.len = bufLen;
@ -1237,8 +1239,8 @@ loser:
 	(*p12dcx->dClose)(p12dcx->dArg, PR_TRUE);
    }

-    if(hmacCx) {
-	HMAC_Destroy((HMACContext*)hmacCx);
+    if(pk11cx) {
+	PK11_DestroyContext(pk11cx, PR_TRUE);
    }

    if(hmacKey) {
--- a/security/nss/lib/pkcs12/p12e.c
+++ b/security/nss/lib/pkcs12/p12e.c
@ -149,7 +149,7 @@ typedef struct sec_PKCS12EncoderContextStr {
    unsigned int currentSafe;

    /* hmac context */
-    void *hmacCx;
+    PK11Context *hmacCx;
 } sec_PKCS12EncoderContext;


@ -1588,6 +1588,9 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
 {
    sec_PKCS12EncoderContext *p12enc = NULL;
    unsigned int i, nonEmptyCnt;
+    SECStatus rv;
+    SECItem ignore = {0};
+    void *mark;

    if(!p12exp || !p12exp->safeInfos) {
 	return NULL;
@ -1607,6 +1610,7 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
    p12exp->authSafe.encodedSafes[nonEmptyCnt] = NULL;

    /* allocate the encoder context */
+    mark = PORT_ArenaMark(p12exp->arena);
    p12enc = (sec_PKCS12EncoderContext*)PORT_ArenaZAlloc(p12exp->arena, 
    			      sizeof(sec_PKCS12EncoderContext));
    if(!p12enc) {
@ -1646,7 +1650,6 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
 	    goto loser;
 	}
 	if(SEC_PKCS7IncludeCertChain(p12enc->aSafeCinfo,NULL) != SECSuccess) {
-	    SEC_PKCS7DestroyContentInfo(p12enc->aSafeCinfo);
 	    goto loser;
 	}
 	rv = SEC_PKCS7AddSigningTime(p12enc->aSafeCinfo);
@ -1675,7 +1678,7 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
 	    SECITEM_ZfreeItem(salt, PR_TRUE);

 	    /* generate HMAC key */
-	    if(!sec_pkcs12_convert_item_to_unicode(p12exp->arena, &pwd, 
+	    if(!sec_pkcs12_convert_item_to_unicode(NULL, &pwd, 
 			p12exp->integrityInfo.pwdInfo.password, PR_TRUE, 
 			PR_TRUE, PR_TRUE)) {
 		goto loser;
@ -1683,6 +1686,7 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
 	    pbeCtxt = PBE_CreateContext(p12exp->integrityInfo.pwdInfo.algorithm,
 					pbeBitGenIntegrityKey, &pwd, 
 					&(p12enc->mac.macSalt), 160, 1);
+	    SECITEM_ZfreeItem(&pwd, PR_FALSE);
 	    if(!pbeCtxt) {
 		goto loser;
 	    }
@ -1693,15 +1697,18 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
 	    }

 	    /* initialize hmac */
-	    p12enc->hmacCx = HMAC_Create(
-				p12exp->integrityInfo.pwdInfo.algorithm,
-				key->data, key->len);
+	    p12enc->hmacCx = PK11_CreateContextByRawKey(NULL, 
+	     sec_pkcs12_algtag_to_mech(p12exp->integrityInfo.pwdInfo.algorithm),
+                                                   PK11_OriginDerive, CKA_SIGN, 
+                                                   key, &ignore, NULL);
 	    SECITEM_ZfreeItem(key, PR_TRUE);
 	    if(!p12enc->hmacCx) {
 		PORT_SetError(SEC_ERROR_NO_MEMORY);
 		goto loser;
 	    }
-	    HMAC_Begin((HMACContext*)p12enc->hmacCx);
+	    rv = PK11_DigestBegin(p12enc->hmacCx);
+	    if (rv != SECSuccess)
+		goto loser;
 	}
    }

@ -1709,6 +1716,8 @@ sec_pkcs12_encoder_start_context(SEC_PKCS12ExportContext *p12exp)
 	goto loser;
    }

+    PORT_ArenaUnmark(p12exp->arena, mark);
+
    return p12enc;

 loser:
@ -1716,9 +1725,12 @@ loser:
 	if(p12enc->aSafeCinfo) {
 	    SEC_PKCS7DestroyContentInfo(p12enc->aSafeCinfo);
 	}
-
-	PORT_Free(p12enc);
+	if(p12enc->hmacCx) {
+	    PK11_DestroyContext(p12enc->hmacCx, PR_TRUE);
+	}
    }
+    if (p12exp->arena != NULL)
+	PORT_ArenaRelease(p12exp->arena, mark);

    return NULL;
 }
@ -1774,7 +1786,7 @@ sec_pkcs12_asafe_update_hmac_and_encode_bits(void *arg, const char *buf,
    sec_PKCS12EncoderContext *p12ecx;

    p12ecx = (sec_PKCS12EncoderContext*)arg;
-    HMAC_Update((HMACContext*)p12ecx->hmacCx, (unsigned char *)buf, len);
+    PK11_DigestOp(p12ecx->hmacCx, (unsigned char *)buf, len);
    sec_pkcs12_wrap_pkcs7_encoder_update(p12ecx->aSafeP7Ecx, buf, len,
    					 depth, data_kind);
 }
@ -1898,8 +1910,7 @@ sec_pkcs12_update_mac(sec_PKCS12EncoderContext *p12ecx)
 	return SECFailure;
    }

-    rv = HMAC_Finish((HMACContext*)p12ecx->hmacCx,
-    		     hmac.data, &hmac.len, SHA1_LENGTH);
+    rv = PK11_DigestFinal(p12ecx->hmacCx, hmac.data, &hmac.len, SHA1_LENGTH);

    if(rv != SECSuccess) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
@ -1936,7 +1947,7 @@ loser:
    if(hmac.data) {
 	SECITEM_ZfreeItem(&hmac, PR_FALSE);
    }
-    HMAC_Destroy((HMACContext*)p12ecx->hmacCx);
+    PK11_DestroyContext(p12ecx->hmacCx, PR_TRUE);
    p12ecx->hmacCx = NULL;

    return rv;
--- a/security/nss/lib/pkcs12/p12local.c
+++ b/security/nss/lib/pkcs12/p12local.c
@ -49,6 +49,21 @@
 SEC_ASN1_MKSUB(SECKEY_PrivateKeyInfoTemplate)
 SEC_ASN1_MKSUB(sgn_DigestInfoTemplate)

+CK_MECHANISM_TYPE
+sec_pkcs12_algtag_to_mech(SECOidTag algtag)
+{
+    switch (algtag) {
+    case SEC_OID_MD2:
+	return CKM_MD2_HMAC;
+    case SEC_OID_MD5:
+	return CKM_MD5_HMAC;
+    case SEC_OID_SHA1:
+	return CKM_SHA_1_HMAC;
+    }
+    /* get rid of compiler warnings... isn't there an INVALID? */
+    return CKM_SHA_1_HMAC;
+}
+
 /* helper functions */
 /* returns proper bag type template based upon object type tag */
 const SEC_ASN1Template *
@ -424,7 +439,8 @@ sec_pkcs12_generate_mac(SECItem *key,
 {
    SECStatus res = SECFailure;
    SECItem *mac = NULL;
-    HMACContext *cx;
+    PK11Context *pk11cx = NULL;    
+    SECItem ignore = {0};

    if((key == NULL) || (msg == NULL)) {
 	return NULL;
@ -435,31 +451,43 @@ sec_pkcs12_generate_mac(SECItem *key,
    }

    /* allocate return item */
-    mac = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
-    if(mac == NULL) {
-    	return NULL;
-    }
-    mac->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char)
-    					     * SHA1_LENGTH);
-    mac->len = SHA1_LENGTH;
-    if(mac->data == NULL) {
-	PORT_Free(mac);
+    mac = SECITEM_AllocItem(NULL, NULL, SHA1_LENGTH);
+    if (mac == NULL) {
 	return NULL;
    }

-    /* compute MAC using HMAC */
-    cx = HMAC_Create(SEC_OID_SHA1, key->data, key->len);
-    if(cx != NULL) {
-	HMAC_Begin(cx);
-	HMAC_Update(cx, msg->data, msg->len);
-	res = HMAC_Finish(cx, mac->data, &mac->len, SHA1_LENGTH);
-	HMAC_Destroy(cx);
+    pk11cx = PK11_CreateContextByRawKey(NULL, CKM_SHA_1_HMAC, PK11_OriginDerive,
+                                        CKA_SIGN, key, &ignore, NULL);
+    if (pk11cx == NULL) {
+	goto loser;
    }

+    res = PK11_DigestBegin(pk11cx);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    res = PK11_DigestOp(pk11cx, msg->data, msg->len);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    res = PK11_DigestFinal(pk11cx, mac->data, &mac->len, SHA1_LENGTH);
+    if (res == SECFailure) {
+	goto loser;
+    }
+
+    PK11_DestroyContext(pk11cx, PR_TRUE);
+    pk11cx = NULL;
+
+loser:

    if(res != SECSuccess) {
 	SECITEM_ZfreeItem(mac, PR_TRUE);
 	mac = NULL;
+	if (pk11cx) {
+	    PK11_DestroyContext(pk11cx, PR_TRUE);
+	}
    }

    return mac;
--- a/security/nss/lib/pkcs12/p12local.h
+++ b/security/nss/lib/pkcs12/p12local.h
@ -67,6 +67,7 @@ extern void *sec_pkcs12_find_object(SEC_PKCS12SafeContents *safe,
 extern PRBool sec_pkcs12_convert_item_to_unicode(PRArenaPool *arena, SECItem *dest,
 						 SECItem *src, PRBool zeroTerm,
 						 PRBool asciiConvert, PRBool toUnicode);
+extern CK_MECHANISM_TYPE sec_pkcs12_algtag_to_mech(SECOidTag algtag);

 /* create functions */
 extern SEC_PKCS12PFXItem *sec_pkcs12_new_pfx(void);