зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1891763 - land NSS NSS_3_100_BETA2 UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck
Differential Revision: https://phabricator.services.mozilla.com/D209058
This commit is contained in:
Родитель
f1532761de
Коммит
f52be1ea9f
|
@ -1 +1 @@
|
|||
NSS_3_100_BETA1
|
||||
NSS_3_100_BETA2
|
|
@ -10,3 +10,4 @@
|
|||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
|
|
@ -11,29 +11,4 @@ ifdef BUILD_IDG
|
|||
DEFINES += -DNSSDEBUG
|
||||
endif
|
||||
|
||||
ifdef NOTDEF # was ifdef MOZILLA_CLIENT
|
||||
NSS_BUILD_CAPI = 1
|
||||
endif
|
||||
|
||||
# This'll need some help from a build person.
|
||||
|
||||
# The generated files are checked in, and differ from what ckapi.perl
|
||||
# will produce. ckapi.perl is currently newer than the targets, so
|
||||
# these rules are invoked, causing the wrong files to be generated.
|
||||
# Turning off to fix builds.
|
||||
#
|
||||
# nssckepv.h: ck.api ckapi.perl
|
||||
# nssckft.h: ck.api ckapi.perl
|
||||
# nssckg.h: ck.api ckapi.perl
|
||||
# nssck.api: ck.api ckapi.perl
|
||||
# $(PERL) ckapi.perl ck.api
|
||||
|
||||
|
||||
# can't do this in manifest.mn because OS_TARGET isn't defined there.
|
||||
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
|
||||
ifdef NSS_BUILD_CAPI
|
||||
DIRS += capi
|
||||
endif
|
||||
endif
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
|
|
|
@ -1,82 +0,0 @@
|
|||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
include manifest.mn
|
||||
include $(CORE_DEPTH)/coreconf/config.mk
|
||||
|
||||
ifdef BUILD_IDG
|
||||
DEFINES += -DNSSDEBUG
|
||||
endif
|
||||
|
||||
#
|
||||
# To create a loadable module on Darwin, we must use -bundle.
|
||||
#
|
||||
ifeq ($(OS_TARGET),Darwin)
|
||||
DSO_LDOPTS = -bundle
|
||||
endif
|
||||
|
||||
EXTRA_LIBS = \
|
||||
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
|
||||
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
|
||||
$(NULL)
|
||||
|
||||
# can't do this in manifest.mn because OS_TARGET isn't defined there.
|
||||
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
|
||||
|
||||
ifdef NS_USE_GCC
|
||||
EXTRA_LIBS += \
|
||||
-L$(NSPR_LIB_DIR) \
|
||||
-lplc4 \
|
||||
-lplds4 \
|
||||
-lnspr4 \
|
||||
-lcrypt32 \
|
||||
-ladvapi32 \
|
||||
-lrpcrt4 \
|
||||
$(NULL)
|
||||
else
|
||||
EXTRA_SHARED_LIBS += \
|
||||
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
|
||||
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
|
||||
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
|
||||
crypt32.lib \
|
||||
advapi32.lib \
|
||||
rpcrt4.lib \
|
||||
$(NULL)
|
||||
endif # NS_USE_GCC
|
||||
else
|
||||
|
||||
EXTRA_LIBS += \
|
||||
-L$(NSPR_LIB_DIR) \
|
||||
-lplc4 \
|
||||
-lplds4 \
|
||||
-lnspr4 \
|
||||
$(NULL)
|
||||
endif
|
||||
|
||||
|
||||
include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
|
||||
# Generate certdata.c.
|
||||
generate:
|
||||
$(PERL) certdata.perl < certdata.txt
|
||||
|
||||
# This'll need some help from a build person.
|
||||
|
||||
|
||||
ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
|
||||
DSO_LDOPTS = -bM:SRE -bh:4 -bnoentry
|
||||
EXTRA_DSO_LDOPTS = -lc
|
||||
MKSHLIB = xlC $(DSO_LDOPTS)
|
||||
|
||||
$(SHARED_LIBRARY): $(OBJS) | $$(@D)/d
|
||||
rm -f $@
|
||||
$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
|
||||
chmod +x $@
|
||||
|
||||
endif
|
||||
|
||||
ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
|
||||
LD += -G
|
||||
endif
|
|
@ -1,7 +0,0 @@
|
|||
This Cryptoki module provides acces to certs and keys stored in
|
||||
Microsofts CAPI certificate store.
|
||||
|
||||
It does not import or export CA Root trust from the CAPI.
|
||||
It does not import or export CRLs from the CAPI.
|
||||
It does not handle S/MIME objects (pkcs #7 in capi terms?).
|
||||
It does not yet handle it's own PIN. (CAPI does all the pin prompting).
|
|
@ -1,17 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/*
|
||||
* capi/canchor.c
|
||||
*
|
||||
* This file "anchors" the actual cryptoki entry points in this module's
|
||||
* shared library, which is required for dynamic loading. See the
|
||||
* comments in nssck.api for more information.
|
||||
*/
|
||||
|
||||
#include "ckcapi.h"
|
||||
|
||||
#define MODULE_NAME ckcapi
|
||||
#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckcapi_mdInstance
|
||||
#include "nssck.api"
|
|
@ -1,561 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef CKCAPI_H
|
||||
#include "ckcapi.h"
|
||||
#endif /* CKCAPI_H */
|
||||
|
||||
/*
|
||||
* ckcapi/cfind.c
|
||||
*
|
||||
* This file implements the NSSCKMDFindObjects object for the
|
||||
* "capi" cryptoki module.
|
||||
*/
|
||||
|
||||
struct ckcapiFOStr {
|
||||
NSSArena *arena;
|
||||
CK_ULONG n;
|
||||
CK_ULONG i;
|
||||
ckcapiInternalObject **objs;
|
||||
};
|
||||
|
||||
static void
|
||||
ckcapi_mdFindObjects_Final(
|
||||
NSSCKMDFindObjects *mdFindObjects,
|
||||
NSSCKFWFindObjects *fwFindObjects,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
|
||||
NSSArena *arena = fo->arena;
|
||||
PRUint32 i;
|
||||
|
||||
/* walk down an free the unused 'objs' */
|
||||
for (i = fo->i; i < fo->n; i++) {
|
||||
nss_ckcapi_DestroyInternalObject(fo->objs[i]);
|
||||
}
|
||||
|
||||
nss_ZFreeIf(fo->objs);
|
||||
nss_ZFreeIf(fo);
|
||||
nss_ZFreeIf(mdFindObjects);
|
||||
if ((NSSArena *)NULL != arena) {
|
||||
NSSArena_Destroy(arena);
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
static NSSCKMDObject *
|
||||
ckcapi_mdFindObjects_Next(
|
||||
NSSCKMDFindObjects *mdFindObjects,
|
||||
NSSCKFWFindObjects *fwFindObjects,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
NSSArena *arena,
|
||||
CK_RV *pError)
|
||||
{
|
||||
struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
|
||||
ckcapiInternalObject *io;
|
||||
|
||||
if (fo->i == fo->n) {
|
||||
*pError = CKR_OK;
|
||||
return (NSSCKMDObject *)NULL;
|
||||
}
|
||||
|
||||
io = fo->objs[fo->i];
|
||||
fo->i++;
|
||||
|
||||
return nss_ckcapi_CreateMDObject(arena, io, pError);
|
||||
}
|
||||
|
||||
static CK_BBOOL
|
||||
ckcapi_attrmatch(
|
||||
CK_ATTRIBUTE_PTR a,
|
||||
ckcapiInternalObject *o)
|
||||
{
|
||||
PRBool prb;
|
||||
const NSSItem *b;
|
||||
|
||||
b = nss_ckcapi_FetchAttribute(o, a->type);
|
||||
if (b == NULL) {
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
if (a->ulValueLen != b->size) {
|
||||
/* match a decoded serial number */
|
||||
if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
|
||||
unsigned int len;
|
||||
unsigned char *data;
|
||||
|
||||
data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);
|
||||
if ((len == a->ulValueLen) &&
|
||||
nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
|
||||
return CK_TRUE;
|
||||
}
|
||||
}
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
|
||||
|
||||
if (PR_TRUE == prb) {
|
||||
return CK_TRUE;
|
||||
} else {
|
||||
return CK_FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
static CK_BBOOL
|
||||
ckcapi_match(
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
ckcapiInternalObject *o)
|
||||
{
|
||||
CK_ULONG i;
|
||||
|
||||
for (i = 0; i < ulAttributeCount; i++) {
|
||||
if (CK_FALSE == ckcapi_attrmatch(&pTemplate[i], o)) {
|
||||
return CK_FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
/* Every attribute passed */
|
||||
return CK_TRUE;
|
||||
}
|
||||
|
||||
#define CKAPI_ITEM_CHUNK 20
|
||||
|
||||
#define PUT_Object(obj, err) \
|
||||
{ \
|
||||
if (count >= size) { \
|
||||
*listp = *listp ? nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
|
||||
(size + \
|
||||
CKAPI_ITEM_CHUNK)) \
|
||||
: nss_ZNEWARRAY(NULL, ckcapiInternalObject *, \
|
||||
(size + \
|
||||
CKAPI_ITEM_CHUNK)); \
|
||||
if ((ckcapiInternalObject **)NULL == *listp) { \
|
||||
err = CKR_HOST_MEMORY; \
|
||||
goto loser; \
|
||||
} \
|
||||
size += CKAPI_ITEM_CHUNK; \
|
||||
} \
|
||||
(*listp)[count] = (obj); \
|
||||
count++; \
|
||||
}
|
||||
|
||||
/*
|
||||
* pass parameters back through the callback.
|
||||
*/
|
||||
typedef struct BareCollectParamsStr {
|
||||
CK_OBJECT_CLASS objClass;
|
||||
CK_ATTRIBUTE_PTR pTemplate;
|
||||
CK_ULONG ulAttributeCount;
|
||||
ckcapiInternalObject ***listp;
|
||||
PRUint32 size;
|
||||
PRUint32 count;
|
||||
} BareCollectParams;
|
||||
|
||||
/* collect_bare's callback. Called for each object that
|
||||
* supposedly has a PROVINDER_INFO property */
|
||||
static BOOL WINAPI
|
||||
doBareCollect(
|
||||
const CRYPT_HASH_BLOB *msKeyID,
|
||||
DWORD flags,
|
||||
void *reserved,
|
||||
void *args,
|
||||
DWORD cProp,
|
||||
DWORD *propID,
|
||||
void **propData,
|
||||
DWORD *propSize)
|
||||
{
|
||||
BareCollectParams *bcp = (BareCollectParams *)args;
|
||||
PRUint32 size = bcp->size;
|
||||
PRUint32 count = bcp->count;
|
||||
ckcapiInternalObject ***listp = bcp->listp;
|
||||
ckcapiInternalObject *io = NULL;
|
||||
DWORD i;
|
||||
CRYPT_KEY_PROV_INFO *keyProvInfo = NULL;
|
||||
void *idData;
|
||||
CK_RV error;
|
||||
|
||||
/* make sure there is a Key Provider Info property */
|
||||
for (i = 0; i < cProp; i++) {
|
||||
if (CERT_KEY_PROV_INFO_PROP_ID == propID[i]) {
|
||||
keyProvInfo = (CRYPT_KEY_PROV_INFO *)propData[i];
|
||||
break;
|
||||
}
|
||||
}
|
||||
if ((CRYPT_KEY_PROV_INFO *)NULL == keyProvInfo) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* copy the key ID */
|
||||
idData = nss_ZNEWARRAY(NULL, char, msKeyID->cbData);
|
||||
if ((void *)NULL == idData) {
|
||||
goto loser;
|
||||
}
|
||||
nsslibc_memcpy(idData, msKeyID->pbData, msKeyID->cbData);
|
||||
|
||||
/* build a bare internal object */
|
||||
io = nss_ZNEW(NULL, ckcapiInternalObject);
|
||||
if ((ckcapiInternalObject *)NULL == io) {
|
||||
goto loser;
|
||||
}
|
||||
io->type = ckcapiBareKey;
|
||||
io->objClass = bcp->objClass;
|
||||
io->u.key.provInfo = *keyProvInfo;
|
||||
io->u.key.provInfo.pwszContainerName =
|
||||
nss_ckcapi_WideDup(keyProvInfo->pwszContainerName);
|
||||
io->u.key.provInfo.pwszProvName =
|
||||
nss_ckcapi_WideDup(keyProvInfo->pwszProvName);
|
||||
io->u.key.provName = nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
|
||||
io->u.key.containerName =
|
||||
nss_ckcapi_WideToUTF8(keyProvInfo->pwszContainerName);
|
||||
io->u.key.hProv = 0;
|
||||
io->idData = idData;
|
||||
io->id.data = idData;
|
||||
io->id.size = msKeyID->cbData;
|
||||
idData = NULL;
|
||||
|
||||
/* see if it matches */
|
||||
if (CK_FALSE == ckcapi_match(bcp->pTemplate, bcp->ulAttributeCount, io)) {
|
||||
goto loser;
|
||||
}
|
||||
PUT_Object(io, error);
|
||||
bcp->size = size;
|
||||
bcp->count = count;
|
||||
return 1;
|
||||
|
||||
loser:
|
||||
if (io) {
|
||||
nss_ckcapi_DestroyInternalObject(io);
|
||||
}
|
||||
nss_ZFreeIf(idData);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* collect the bare keys running around
|
||||
*/
|
||||
static PRUint32
|
||||
collect_bare(
|
||||
CK_OBJECT_CLASS objClass,
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
ckcapiInternalObject ***listp,
|
||||
PRUint32 *sizep,
|
||||
PRUint32 count,
|
||||
CK_RV *pError)
|
||||
{
|
||||
BOOL rc;
|
||||
BareCollectParams bareCollectParams;
|
||||
|
||||
bareCollectParams.objClass = objClass;
|
||||
bareCollectParams.pTemplate = pTemplate;
|
||||
bareCollectParams.ulAttributeCount = ulAttributeCount;
|
||||
bareCollectParams.listp = listp;
|
||||
bareCollectParams.size = *sizep;
|
||||
bareCollectParams.count = count;
|
||||
|
||||
rc = CryptEnumKeyIdentifierProperties(NULL, CERT_KEY_PROV_INFO_PROP_ID, 0,
|
||||
NULL, NULL, &bareCollectParams, doBareCollect);
|
||||
|
||||
*sizep = bareCollectParams.size;
|
||||
return bareCollectParams.count;
|
||||
}
|
||||
|
||||
/* find all the certs that represent the appropriate object (cert, priv key, or
|
||||
* pub key) in the cert store.
|
||||
*/
|
||||
static PRUint32
|
||||
collect_class(
|
||||
CK_OBJECT_CLASS objClass,
|
||||
LPCSTR storeStr,
|
||||
PRBool hasID,
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
ckcapiInternalObject ***listp,
|
||||
PRUint32 *sizep,
|
||||
PRUint32 count,
|
||||
CK_RV *pError)
|
||||
{
|
||||
PRUint32 size = *sizep;
|
||||
ckcapiInternalObject *next = NULL;
|
||||
HCERTSTORE hStore;
|
||||
PCCERT_CONTEXT certContext = NULL;
|
||||
PRBool isKey =
|
||||
(objClass == CKO_PUBLIC_KEY) | (objClass == CKO_PRIVATE_KEY);
|
||||
|
||||
hStore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr);
|
||||
if (NULL == hStore) {
|
||||
return count; /* none found does not imply an error */
|
||||
}
|
||||
|
||||
/* FUTURE: use CertFindCertificateInStore to filter better -- so we don't
|
||||
* have to enumerate all the certificates */
|
||||
while ((PCERT_CONTEXT)NULL !=
|
||||
(certContext = CertEnumCertificatesInStore(hStore, certContext))) {
|
||||
/* first filter out non user certs if we are looking for keys */
|
||||
if (isKey) {
|
||||
/* make sure there is a Key Provider Info property */
|
||||
CRYPT_KEY_PROV_INFO *keyProvInfo;
|
||||
DWORD size = 0;
|
||||
BOOL rv;
|
||||
rv = CertGetCertificateContextProperty(certContext,
|
||||
CERT_KEY_PROV_INFO_PROP_ID, NULL, &size);
|
||||
if (!rv) {
|
||||
int reason = GetLastError();
|
||||
/* we only care if it exists, we don't really need to fetch it yet */
|
||||
if (reason == CRYPT_E_NOT_FOUND) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
/* filter out the non-microsoft providers */
|
||||
keyProvInfo = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
|
||||
if (keyProvInfo) {
|
||||
rv = CertGetCertificateContextProperty(certContext,
|
||||
CERT_KEY_PROV_INFO_PROP_ID, keyProvInfo, &size);
|
||||
if (rv) {
|
||||
char *provName =
|
||||
nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
|
||||
nss_ZFreeIf(keyProvInfo);
|
||||
|
||||
if (provName &&
|
||||
(strncmp(provName, "Microsoft", sizeof("Microsoft") - 1) != 0)) {
|
||||
continue;
|
||||
}
|
||||
} else {
|
||||
int reason =
|
||||
GetLastError();
|
||||
/* we only care if it exists, we don't really need to fetch it yet */
|
||||
nss_ZFreeIf(keyProvInfo);
|
||||
if (reason ==
|
||||
CRYPT_E_NOT_FOUND) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ((ckcapiInternalObject *)NULL == next) {
|
||||
next = nss_ZNEW(NULL, ckcapiInternalObject);
|
||||
if ((ckcapiInternalObject *)NULL == next) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
next->type = ckcapiCert;
|
||||
next->objClass = objClass;
|
||||
next->u.cert.certContext = certContext;
|
||||
next->u.cert.hasID = hasID;
|
||||
next->u.cert.certStore = storeStr;
|
||||
if (CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, next)) {
|
||||
/* clear cached values that may be dependent on our old certContext */
|
||||
memset(&next->u.cert, 0, sizeof(next->u.cert));
|
||||
/* get a 'permanent' context */
|
||||
next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
|
||||
next->objClass = objClass;
|
||||
next->u.cert.certContext = certContext;
|
||||
next->u.cert.hasID = hasID;
|
||||
next->u.cert.certStore = storeStr;
|
||||
PUT_Object(next, *pError);
|
||||
next = NULL; /* need to allocate a new one now */
|
||||
} else {
|
||||
/* don't cache the values we just loaded */
|
||||
memset(&next->u.cert, 0, sizeof(next->u.cert));
|
||||
}
|
||||
}
|
||||
loser:
|
||||
CertCloseStore(hStore, 0);
|
||||
nss_ZFreeIf(next);
|
||||
*sizep = size;
|
||||
return count;
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT PRUint32
|
||||
nss_ckcapi_collect_all_certs(
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
ckcapiInternalObject ***listp,
|
||||
PRUint32 *sizep,
|
||||
PRUint32 count,
|
||||
CK_RV *pError)
|
||||
{
|
||||
count = collect_class(CKO_CERTIFICATE, "My", PR_TRUE, pTemplate,
|
||||
ulAttributeCount, listp, sizep, count, pError);
|
||||
/*count = collect_class(CKO_CERTIFICATE, "AddressBook", PR_FALSE, pTemplate,
|
||||
ulAttributeCount, listp, sizep, count, pError); */
|
||||
count = collect_class(CKO_CERTIFICATE, "CA", PR_FALSE, pTemplate,
|
||||
ulAttributeCount, listp, sizep, count, pError);
|
||||
count = collect_class(CKO_CERTIFICATE, "Root", PR_FALSE, pTemplate,
|
||||
ulAttributeCount, listp, sizep, count, pError);
|
||||
count = collect_class(CKO_CERTIFICATE, "Trust", PR_FALSE, pTemplate,
|
||||
ulAttributeCount, listp, sizep, count, pError);
|
||||
count = collect_class(CKO_CERTIFICATE, "TrustedPeople", PR_FALSE, pTemplate,
|
||||
ulAttributeCount, listp, sizep, count, pError);
|
||||
count = collect_class(CKO_CERTIFICATE, "AuthRoot", PR_FALSE, pTemplate,
|
||||
ulAttributeCount, listp, sizep, count, pError);
|
||||
return count;
|
||||
}
|
||||
|
||||
CK_OBJECT_CLASS
|
||||
ckcapi_GetObjectClass(CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount)
|
||||
{
|
||||
CK_ULONG i;
|
||||
|
||||
for (i = 0; i < ulAttributeCount; i++) {
|
||||
if (pTemplate[i].type == CKA_CLASS) {
|
||||
return *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
|
||||
}
|
||||
}
|
||||
/* need to return a value that says 'fetch them all' */
|
||||
return CK_INVALID_HANDLE;
|
||||
}
|
||||
|
||||
static PRUint32
|
||||
collect_objects(
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
ckcapiInternalObject ***listp,
|
||||
CK_RV *pError)
|
||||
{
|
||||
PRUint32 i;
|
||||
PRUint32 count = 0;
|
||||
PRUint32 size = 0;
|
||||
CK_OBJECT_CLASS objClass;
|
||||
|
||||
/*
|
||||
* first handle the static build in objects (if any)
|
||||
*/
|
||||
for (i = 0; i < nss_ckcapi_nObjects; i++) {
|
||||
ckcapiInternalObject *o = (ckcapiInternalObject *)&nss_ckcapi_data[i];
|
||||
|
||||
if (CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, o)) {
|
||||
PUT_Object(o, *pError);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* now handle the various object types
|
||||
*/
|
||||
objClass = ckcapi_GetObjectClass(pTemplate, ulAttributeCount);
|
||||
*pError = CKR_OK;
|
||||
switch (objClass) {
|
||||
case CKO_CERTIFICATE:
|
||||
count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp,
|
||||
&size, count, pError);
|
||||
break;
|
||||
case CKO_PUBLIC_KEY:
|
||||
count = collect_class(objClass, "My", PR_TRUE, pTemplate,
|
||||
ulAttributeCount, listp, &size, count, pError);
|
||||
count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
|
||||
&size, count, pError);
|
||||
break;
|
||||
case CKO_PRIVATE_KEY:
|
||||
count = collect_class(objClass, "My", PR_TRUE, pTemplate,
|
||||
ulAttributeCount, listp, &size, count, pError);
|
||||
count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
|
||||
&size, count, pError);
|
||||
break;
|
||||
/* all of them */
|
||||
case CK_INVALID_HANDLE:
|
||||
count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp,
|
||||
&size, count, pError);
|
||||
count = collect_class(CKO_PUBLIC_KEY, "My", PR_TRUE, pTemplate,
|
||||
ulAttributeCount, listp, &size, count, pError);
|
||||
count = collect_bare(CKO_PUBLIC_KEY, pTemplate, ulAttributeCount, listp,
|
||||
&size, count, pError);
|
||||
count = collect_class(CKO_PRIVATE_KEY, "My", PR_TRUE, pTemplate,
|
||||
ulAttributeCount, listp, &size, count, pError);
|
||||
count = collect_bare(CKO_PRIVATE_KEY, pTemplate, ulAttributeCount, listp,
|
||||
&size, count, pError);
|
||||
break;
|
||||
default:
|
||||
goto done; /* no other object types we understand in this module */
|
||||
}
|
||||
if (CKR_OK != *pError) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
done:
|
||||
return count;
|
||||
loser:
|
||||
nss_ZFreeIf(*listp);
|
||||
return 0;
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT NSSCKMDFindObjects *
|
||||
nss_ckcapi_FindObjectsInit(
|
||||
NSSCKFWSession *fwSession,
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
CK_RV *pError)
|
||||
{
|
||||
/* This could be made more efficient. I'm rather rushed. */
|
||||
NSSArena *arena;
|
||||
NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
|
||||
struct ckcapiFOStr *fo = (struct ckcapiFOStr *)NULL;
|
||||
ckcapiInternalObject **temp = (ckcapiInternalObject **)NULL;
|
||||
|
||||
arena = NSSArena_Create();
|
||||
if ((NSSArena *)NULL == arena) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
rv = nss_ZNEW(arena, NSSCKMDFindObjects);
|
||||
if ((NSSCKMDFindObjects *)NULL == rv) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
fo = nss_ZNEW(arena, struct ckcapiFOStr);
|
||||
if ((struct ckcapiFOStr *)NULL == fo) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
fo->arena = arena;
|
||||
/* fo->n and fo->i are already zero */
|
||||
|
||||
rv->etc = (void *)fo;
|
||||
rv->Final = ckcapi_mdFindObjects_Final;
|
||||
rv->Next = ckcapi_mdFindObjects_Next;
|
||||
rv->null = (void *)NULL;
|
||||
|
||||
fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
|
||||
if (*pError != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
fo->objs = nss_ZNEWARRAY(arena, ckcapiInternalObject *, fo->n);
|
||||
if ((ckcapiInternalObject **)NULL == fo->objs) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
(void)nsslibc_memcpy(fo->objs, temp, sizeof(ckcapiInternalObject *) * fo->n);
|
||||
nss_ZFreeIf(temp);
|
||||
temp = (ckcapiInternalObject **)NULL;
|
||||
|
||||
return rv;
|
||||
|
||||
loser:
|
||||
nss_ZFreeIf(temp);
|
||||
nss_ZFreeIf(fo);
|
||||
nss_ZFreeIf(rv);
|
||||
if ((NSSArena *)NULL != arena) {
|
||||
NSSArena_Destroy(arena);
|
||||
}
|
||||
return (NSSCKMDFindObjects *)NULL;
|
||||
}
|
|
@ -1,97 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "ckcapi.h"
|
||||
|
||||
/*
|
||||
* ckcapi/cinstance.c
|
||||
*
|
||||
* This file implements the NSSCKMDInstance object for the
|
||||
* "capi" cryptoki module.
|
||||
*/
|
||||
|
||||
/*
|
||||
* NSSCKMDInstance methods
|
||||
*/
|
||||
|
||||
static CK_ULONG
|
||||
ckcapi_mdInstance_GetNSlots(
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (CK_ULONG)1;
|
||||
}
|
||||
|
||||
static CK_VERSION
|
||||
ckcapi_mdInstance_GetCryptokiVersion(
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return nss_ckcapi_CryptokiVersion;
|
||||
}
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdInstance_GetManufacturerID(
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
|
||||
}
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdInstance_GetLibraryDescription(
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_LibraryDescription;
|
||||
}
|
||||
|
||||
static CK_VERSION
|
||||
ckcapi_mdInstance_GetLibraryVersion(
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return nss_ckcapi_LibraryVersion;
|
||||
}
|
||||
|
||||
static CK_RV
|
||||
ckcapi_mdInstance_GetSlots(
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
NSSCKMDSlot *slots[])
|
||||
{
|
||||
slots[0] = (NSSCKMDSlot *)&nss_ckcapi_mdSlot;
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
static CK_BBOOL
|
||||
ckcapi_mdInstance_ModuleHandlesSessionObjects(
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
/* we don't want to allow any session object creation, at least
|
||||
* until we can investigate whether or not we can use those objects
|
||||
*/
|
||||
return CK_TRUE;
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSCKMDInstance
|
||||
nss_ckcapi_mdInstance = {
|
||||
(void *)NULL, /* etc */
|
||||
NULL, /* Initialize */
|
||||
NULL, /* Finalize */
|
||||
ckcapi_mdInstance_GetNSlots,
|
||||
ckcapi_mdInstance_GetCryptokiVersion,
|
||||
ckcapi_mdInstance_GetManufacturerID,
|
||||
ckcapi_mdInstance_GetLibraryDescription,
|
||||
ckcapi_mdInstance_GetLibraryVersion,
|
||||
ckcapi_mdInstance_ModuleHandlesSessionObjects,
|
||||
/*NULL, /* HandleSessionObjects */
|
||||
ckcapi_mdInstance_GetSlots,
|
||||
NULL, /* WaitForSlotEvent */
|
||||
(void *)NULL /* null terminator */
|
||||
};
|
|
@ -1,242 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef CKCAPI_H
|
||||
#define CKCAPI_H 1
|
||||
|
||||
#include "nssckmdt.h"
|
||||
#include "nssckfw.h"
|
||||
|
||||
/*
|
||||
* I'm including this for access to the arena functions.
|
||||
* Looks like we should publish that API.
|
||||
*/
|
||||
#ifndef BASE_H
|
||||
#include "base.h"
|
||||
#endif /* BASE_H */
|
||||
|
||||
/*
|
||||
* This is where the Netscape extensions live, at least for now.
|
||||
*/
|
||||
#ifndef CKT_H
|
||||
#include "ckt.h"
|
||||
#endif /* CKT_H */
|
||||
|
||||
#include "wtypes.h"
|
||||
#include "wincrypt.h"
|
||||
|
||||
/*
|
||||
* statically defined raw objects. Allows us to data description objects
|
||||
* to this PKCS #11 module.
|
||||
*/
|
||||
struct ckcapiRawObjectStr {
|
||||
CK_ULONG n;
|
||||
const CK_ATTRIBUTE_TYPE *types;
|
||||
const NSSItem *items;
|
||||
};
|
||||
typedef struct ckcapiRawObjectStr ckcapiRawObject;
|
||||
|
||||
/*
|
||||
* common values needed for both bare keys and cert referenced keys.
|
||||
*/
|
||||
struct ckcapiKeyParamsStr {
|
||||
NSSItem modulus;
|
||||
NSSItem exponent;
|
||||
NSSItem privateExponent;
|
||||
NSSItem prime1;
|
||||
NSSItem prime2;
|
||||
NSSItem exponent1;
|
||||
NSSItem exponent2;
|
||||
NSSItem coefficient;
|
||||
unsigned char publicExponentData[sizeof(CK_ULONG)];
|
||||
void *privateKey;
|
||||
void *pubKey;
|
||||
};
|
||||
typedef struct ckcapiKeyParamsStr ckcapiKeyParams;
|
||||
|
||||
/*
|
||||
* Key objects. Handles bare keys which do not yet have certs associated
|
||||
* with them. These are usually short lived, but may exist for several days
|
||||
* while the CA is issuing the certificate.
|
||||
*/
|
||||
struct ckcapiKeyObjectStr {
|
||||
CRYPT_KEY_PROV_INFO provInfo;
|
||||
char *provName;
|
||||
char *containerName;
|
||||
HCRYPTPROV hProv;
|
||||
ckcapiKeyParams key;
|
||||
};
|
||||
typedef struct ckcapiKeyObjectStr ckcapiKeyObject;
|
||||
|
||||
/*
|
||||
* Certificate and certificate referenced keys.
|
||||
*/
|
||||
struct ckcapiCertObjectStr {
|
||||
PCCERT_CONTEXT certContext;
|
||||
PRBool hasID;
|
||||
const char *certStore;
|
||||
NSSItem label;
|
||||
NSSItem subject;
|
||||
NSSItem issuer;
|
||||
NSSItem serial;
|
||||
NSSItem derCert;
|
||||
ckcapiKeyParams key;
|
||||
unsigned char *labelData;
|
||||
/* static data: to do, make this dynamic like labelData */
|
||||
unsigned char derSerial[128];
|
||||
};
|
||||
typedef struct ckcapiCertObjectStr ckcapiCertObject;
|
||||
|
||||
typedef enum {
|
||||
ckcapiRaw,
|
||||
ckcapiCert,
|
||||
ckcapiBareKey
|
||||
} ckcapiObjectType;
|
||||
|
||||
/*
|
||||
* all the various types of objects are abstracted away in cobject and
|
||||
* cfind as ckcapiInternalObjects.
|
||||
*/
|
||||
struct ckcapiInternalObjectStr {
|
||||
ckcapiObjectType type;
|
||||
union {
|
||||
ckcapiRawObject raw;
|
||||
ckcapiCertObject cert;
|
||||
ckcapiKeyObject key;
|
||||
} u;
|
||||
CK_OBJECT_CLASS objClass;
|
||||
NSSItem hashKey;
|
||||
NSSItem id;
|
||||
void *idData;
|
||||
unsigned char hashKeyData[128];
|
||||
NSSCKMDObject mdObject;
|
||||
};
|
||||
typedef struct ckcapiInternalObjectStr ckcapiInternalObject;
|
||||
|
||||
/* our raw object data array */
|
||||
NSS_EXTERN_DATA ckcapiInternalObject nss_ckcapi_data[];
|
||||
NSS_EXTERN_DATA const PRUint32 nss_ckcapi_nObjects;
|
||||
|
||||
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_CryptokiVersion;
|
||||
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_ManufacturerID;
|
||||
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_LibraryDescription;
|
||||
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_LibraryVersion;
|
||||
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_SlotDescription;
|
||||
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_HardwareVersion;
|
||||
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_FirmwareVersion;
|
||||
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_TokenLabel;
|
||||
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_TokenModel;
|
||||
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_TokenSerialNumber;
|
||||
|
||||
NSS_EXTERN_DATA const NSSCKMDInstance nss_ckcapi_mdInstance;
|
||||
NSS_EXTERN_DATA const NSSCKMDSlot nss_ckcapi_mdSlot;
|
||||
NSS_EXTERN_DATA const NSSCKMDToken nss_ckcapi_mdToken;
|
||||
NSS_EXTERN_DATA const NSSCKMDMechanism nss_ckcapi_mdMechanismRSA;
|
||||
|
||||
NSS_EXTERN NSSCKMDSession *
|
||||
nss_ckcapi_CreateSession(
|
||||
NSSCKFWSession *fwSession,
|
||||
CK_RV *pError);
|
||||
|
||||
NSS_EXTERN NSSCKMDFindObjects *
|
||||
nss_ckcapi_FindObjectsInit(
|
||||
NSSCKFWSession *fwSession,
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
CK_RV *pError);
|
||||
|
||||
/*
|
||||
* Object Utilities
|
||||
*/
|
||||
NSS_EXTERN NSSCKMDObject *
|
||||
nss_ckcapi_CreateMDObject(
|
||||
NSSArena *arena,
|
||||
ckcapiInternalObject *io,
|
||||
CK_RV *pError);
|
||||
|
||||
NSS_EXTERN NSSCKMDObject *
|
||||
nss_ckcapi_CreateObject(
|
||||
NSSCKFWSession *fwSession,
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
CK_RV *pError);
|
||||
|
||||
NSS_EXTERN const NSSItem *
|
||||
nss_ckcapi_FetchAttribute(
|
||||
ckcapiInternalObject *io,
|
||||
CK_ATTRIBUTE_TYPE type);
|
||||
|
||||
NSS_EXTERN void
|
||||
nss_ckcapi_DestroyInternalObject(
|
||||
ckcapiInternalObject *io);
|
||||
|
||||
NSS_EXTERN CK_RV
|
||||
nss_ckcapi_FetchKeyContainer(
|
||||
ckcapiInternalObject *iKey,
|
||||
HCRYPTPROV *hProv,
|
||||
DWORD *keySpec,
|
||||
HCRYPTKEY *hKey);
|
||||
|
||||
/*
|
||||
* generic utilities
|
||||
*/
|
||||
|
||||
/*
|
||||
* So everyone else in the worlds stores their bignum data MSB first, but not
|
||||
* Microsoft, we need to byte swap everything coming into and out of CAPI.
|
||||
*/
|
||||
void
|
||||
ckcapi_ReverseData(
|
||||
NSSItem *item);
|
||||
|
||||
/*
|
||||
* unwrap a single DER value
|
||||
*/
|
||||
unsigned char *
|
||||
nss_ckcapi_DERUnwrap(
|
||||
unsigned char *src,
|
||||
unsigned int size,
|
||||
unsigned int *outSize,
|
||||
unsigned char **next);
|
||||
|
||||
/*
|
||||
* Return the size in bytes of a wide string
|
||||
*/
|
||||
int
|
||||
nss_ckcapi_WideSize(
|
||||
LPCWSTR wide);
|
||||
|
||||
/*
|
||||
* Covert a Unicode wide character string to a UTF8 string
|
||||
*/
|
||||
char *
|
||||
nss_ckcapi_WideToUTF8(
|
||||
LPCWSTR wide);
|
||||
|
||||
/*
|
||||
* Return a Wide String duplicated with nss allocated memory.
|
||||
*/
|
||||
LPWSTR
|
||||
nss_ckcapi_WideDup(
|
||||
LPCWSTR wide);
|
||||
|
||||
/*
|
||||
* Covert a UTF8 string to Unicode wide character
|
||||
*/
|
||||
LPWSTR
|
||||
nss_ckcapi_UTF8ToWide(
|
||||
char *buf);
|
||||
|
||||
NSS_EXTERN PRUint32
|
||||
nss_ckcapi_collect_all_certs(
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
ckcapiInternalObject ***listp,
|
||||
PRUint32 *sizep,
|
||||
PRUint32 count,
|
||||
CK_RV *pError);
|
||||
|
||||
#define NSS_CKCAPI_ARRAY_SIZE(x) ((sizeof(x)) / (sizeof((x)[0])))
|
||||
|
||||
#endif
|
|
@ -1,17 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
/* Library identity and versioning */
|
||||
|
||||
#include "nsscapi.h"
|
||||
|
||||
#if defined(DEBUG)
|
||||
#define _DEBUG_STRING " (debug)"
|
||||
#else
|
||||
#define _DEBUG_STRING ""
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Version information
|
||||
*/
|
||||
const char __nss_ckcapi_version[] = "Version: NSS Access to Microsoft Certificate Store " NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING;
|
Разница между файлами не показана из-за своего большого размера
Загрузить разницу
|
@ -1,63 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/*
|
||||
* ckcapi/constants.c
|
||||
*
|
||||
* Identification and other constants, all collected here in one place.
|
||||
*/
|
||||
|
||||
#ifndef NSSBASET_H
|
||||
#include "nssbaset.h"
|
||||
#endif /* NSSBASET_H */
|
||||
|
||||
#ifndef NSSCKT_H
|
||||
#include "nssckt.h"
|
||||
#endif /* NSSCKT_H */
|
||||
|
||||
#ifndef NSSCAPI_H
|
||||
#include "nsscapi.h"
|
||||
#endif /* NSSCAPI_H */
|
||||
|
||||
NSS_IMPLEMENT_DATA const CK_VERSION
|
||||
nss_ckcapi_CryptokiVersion = {
|
||||
NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR,
|
||||
NSS_CKCAPI_CRYPTOKI_VERSION_MINOR
|
||||
};
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSUTF8 *
|
||||
nss_ckcapi_ManufacturerID = (NSSUTF8 *)"Mozilla Foundation";
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSUTF8 *
|
||||
nss_ckcapi_LibraryDescription = (NSSUTF8 *)"NSS Access to Microsoft Certificate Store";
|
||||
|
||||
NSS_IMPLEMENT_DATA const CK_VERSION
|
||||
nss_ckcapi_LibraryVersion = {
|
||||
NSS_CKCAPI_LIBRARY_VERSION_MAJOR,
|
||||
NSS_CKCAPI_LIBRARY_VERSION_MINOR
|
||||
};
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSUTF8 *
|
||||
nss_ckcapi_SlotDescription = (NSSUTF8 *)"Microsoft Certificate Store";
|
||||
|
||||
NSS_IMPLEMENT_DATA const CK_VERSION
|
||||
nss_ckcapi_HardwareVersion = {
|
||||
NSS_CKCAPI_HARDWARE_VERSION_MAJOR,
|
||||
NSS_CKCAPI_HARDWARE_VERSION_MINOR
|
||||
};
|
||||
|
||||
NSS_IMPLEMENT_DATA const CK_VERSION
|
||||
nss_ckcapi_FirmwareVersion = {
|
||||
NSS_CKCAPI_FIRMWARE_VERSION_MAJOR,
|
||||
NSS_CKCAPI_FIRMWARE_VERSION_MINOR
|
||||
};
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSUTF8 *
|
||||
nss_ckcapi_TokenLabel = (NSSUTF8 *)"Microsoft Certificate Store";
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSUTF8 *
|
||||
nss_ckcapi_TokenModel = (NSSUTF8 *)"1";
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSUTF8 *
|
||||
nss_ckcapi_TokenSerialNumber = (NSSUTF8 *)"1";
|
|
@ -1,687 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "ckcapi.h"
|
||||
#include "secdert.h"
|
||||
|
||||
#define SSL3_SHAMD5_HASH_SIZE 36 /* LEN_MD5 (16) + LEN_SHA1 (20) */
|
||||
|
||||
/*
|
||||
* ckcapi/crsa.c
|
||||
*
|
||||
* This file implements the NSSCKMDMechnaism and NSSCKMDCryptoOperation objects
|
||||
* for the RSA operation on the CAPI cryptoki module.
|
||||
*/
|
||||
|
||||
/*
|
||||
* write a Decimal value to a string
|
||||
*/
|
||||
|
||||
static char *
|
||||
putDecimalString(char *cstr, unsigned long value)
|
||||
{
|
||||
unsigned long tenpower;
|
||||
int first = 1;
|
||||
|
||||
for (tenpower = 10000000; tenpower; tenpower /= 10) {
|
||||
unsigned char digit = (unsigned char)(value / tenpower);
|
||||
value = value % tenpower;
|
||||
|
||||
/* drop leading zeros */
|
||||
if (first && (0 == digit)) {
|
||||
continue;
|
||||
}
|
||||
first = 0;
|
||||
*cstr++ = digit + '0';
|
||||
}
|
||||
|
||||
/* if value was zero, put one of them out */
|
||||
if (first) {
|
||||
*cstr++ = '0';
|
||||
}
|
||||
return cstr;
|
||||
}
|
||||
|
||||
/*
|
||||
* Create a Capi OID string value from a DER OID
|
||||
*/
|
||||
static char *
|
||||
nss_ckcapi_GetOidString(
|
||||
unsigned char *oidTag,
|
||||
unsigned int oidTagSize,
|
||||
CK_RV *pError)
|
||||
{
|
||||
unsigned char *oid;
|
||||
char *oidStr;
|
||||
char *cstr;
|
||||
unsigned long value;
|
||||
unsigned int oidSize;
|
||||
|
||||
if (DER_OBJECT_ID != *oidTag) {
|
||||
/* wasn't an oid */
|
||||
*pError = CKR_DATA_INVALID;
|
||||
return NULL;
|
||||
}
|
||||
oid = nss_ckcapi_DERUnwrap(oidTag, oidTagSize, &oidSize, NULL);
|
||||
|
||||
if (oidSize < 2) {
|
||||
*pError = CKR_DATA_INVALID;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
oidStr = nss_ZNEWARRAY(NULL, char, oidSize * 4);
|
||||
if ((char *)NULL == oidStr) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
return NULL;
|
||||
}
|
||||
cstr = oidStr;
|
||||
cstr = putDecimalString(cstr, (*oid) / 40);
|
||||
*cstr++ = '.';
|
||||
cstr = putDecimalString(cstr, (*oid) % 40);
|
||||
oidSize--;
|
||||
|
||||
value = 0;
|
||||
while (oidSize--) {
|
||||
oid++;
|
||||
value = (value << 7) + (*oid & 0x7f);
|
||||
if (0 == (*oid & 0x80)) {
|
||||
*cstr++ = '.';
|
||||
cstr = putDecimalString(cstr, value);
|
||||
value = 0;
|
||||
}
|
||||
}
|
||||
|
||||
*cstr = 0; /* NULL terminate */
|
||||
|
||||
if (value != 0) {
|
||||
nss_ZFreeIf(oidStr);
|
||||
*pError = CKR_DATA_INVALID;
|
||||
return NULL;
|
||||
}
|
||||
return oidStr;
|
||||
}
|
||||
|
||||
/*
|
||||
* PKCS #11 sign for RSA expects to take a fully DER-encoded hash value,
|
||||
* which includes the hash OID. CAPI expects to take a Hash Context. While
|
||||
* CAPI does have the capability of setting a raw hash value, it does not
|
||||
* have the ability to sign an arbitrary value. This function tries to
|
||||
* reduce the passed in data into something that CAPI could actually sign.
|
||||
*/
|
||||
static CK_RV
|
||||
ckcapi_GetRawHash(
|
||||
const NSSItem *input,
|
||||
NSSItem *hash,
|
||||
ALG_ID *hashAlg)
|
||||
{
|
||||
unsigned char *current;
|
||||
unsigned char *algid;
|
||||
unsigned char *oid;
|
||||
unsigned char *hashData;
|
||||
char *oidStr;
|
||||
CK_RV error;
|
||||
unsigned int oidSize;
|
||||
unsigned int size;
|
||||
/*
|
||||
* there are 2 types of hashes NSS typically tries to sign, regular
|
||||
* RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes.
|
||||
* CAPI knows not to add any oids to SSL3_Signed hashes, so if we have any
|
||||
* random hash that is exactly the same size as an SSL3 hash, then we can
|
||||
* just pass the data through. CAPI has know way of knowing if the value
|
||||
* is really a combined hash or some other arbitrary data, so it's safe to
|
||||
* handle this case first.
|
||||
*/
|
||||
if (SSL3_SHAMD5_HASH_SIZE == input->size) {
|
||||
hash->data = input->data;
|
||||
hash->size = input->size;
|
||||
*hashAlg = CALG_SSL3_SHAMD5;
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
current = (unsigned char *)input->data;
|
||||
|
||||
/* make sure we have a sequence tag */
|
||||
if ((DER_SEQUENCE | DER_CONSTRUCTED) != *current) {
|
||||
return CKR_DATA_INVALID;
|
||||
}
|
||||
|
||||
/* parse the input block to get 1) the hash oid, and 2) the raw hash value.
|
||||
* unfortunatly CAPI doesn't have a builtin function to do this work, so
|
||||
* we go ahead and do it by hand here.
|
||||
*
|
||||
* format is:
|
||||
* SEQUENCE {
|
||||
* SECQUENCE { // algid
|
||||
* OID {} // oid
|
||||
* ANY {} // optional params
|
||||
* }
|
||||
* OCTECT {} // hash
|
||||
*/
|
||||
|
||||
/* unwrap */
|
||||
algid = nss_ckcapi_DERUnwrap(current, input->size, &size, NULL);
|
||||
|
||||
if (algid + size != current + input->size) {
|
||||
/* make sure there is not extra data at the end */
|
||||
return CKR_DATA_INVALID;
|
||||
}
|
||||
|
||||
if ((DER_SEQUENCE | DER_CONSTRUCTED) != *algid) {
|
||||
/* wasn't an algid */
|
||||
return CKR_DATA_INVALID;
|
||||
}
|
||||
oid = nss_ckcapi_DERUnwrap(algid, size, &oidSize, &hashData);
|
||||
|
||||
if (DER_OCTET_STRING != *hashData) {
|
||||
/* wasn't a hash */
|
||||
return CKR_DATA_INVALID;
|
||||
}
|
||||
|
||||
/* get the real hash */
|
||||
current = hashData;
|
||||
size = size - (hashData - algid);
|
||||
hash->data = nss_ckcapi_DERUnwrap(current, size, &hash->size, NULL);
|
||||
|
||||
/* get the real oid as a string. Again, Microsoft does not
|
||||
* export anything that does this for us */
|
||||
oidStr = nss_ckcapi_GetOidString(oid, oidSize, &error);
|
||||
if ((char *)NULL == oidStr) {
|
||||
return error;
|
||||
}
|
||||
|
||||
/* look up the hash alg from the oid (fortunately CAPI does to this) */
|
||||
*hashAlg = CertOIDToAlgId(oidStr);
|
||||
nss_ZFreeIf(oidStr);
|
||||
if (0 == *hashAlg) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
|
||||
/* hash looks reasonably consistent, we should be able to sign it now */
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/*
|
||||
* So everyone else in the worlds stores their bignum data MSB first, but not
|
||||
* Microsoft, we need to byte swap everything coming into and out of CAPI.
|
||||
*/
|
||||
void
|
||||
ckcapi_ReverseData(NSSItem *item)
|
||||
{
|
||||
int end = (item->size) - 1;
|
||||
int middle = (item->size) / 2;
|
||||
unsigned char *buf = item->data;
|
||||
int i;
|
||||
|
||||
for (i = 0; i < middle; i++) {
|
||||
unsigned char tmp = buf[i];
|
||||
buf[i] = buf[end - i];
|
||||
buf[end - i] = tmp;
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
typedef struct ckcapiInternalCryptoOperationRSAPrivStr
|
||||
ckcapiInternalCryptoOperationRSAPriv;
|
||||
struct ckcapiInternalCryptoOperationRSAPrivStr {
|
||||
NSSCKMDCryptoOperation mdOperation;
|
||||
NSSCKMDMechanism *mdMechanism;
|
||||
ckcapiInternalObject *iKey;
|
||||
HCRYPTPROV hProv;
|
||||
DWORD keySpec;
|
||||
HCRYPTKEY hKey;
|
||||
NSSItem *buffer;
|
||||
};
|
||||
|
||||
/*
|
||||
* ckcapi_mdCryptoOperationRSAPriv_Create
|
||||
*/
|
||||
static NSSCKMDCryptoOperation *
|
||||
ckcapi_mdCryptoOperationRSAPriv_Create(
|
||||
const NSSCKMDCryptoOperation *proto,
|
||||
NSSCKMDMechanism *mdMechanism,
|
||||
NSSCKMDObject *mdKey,
|
||||
CK_RV *pError)
|
||||
{
|
||||
ckcapiInternalObject *iKey = (ckcapiInternalObject *)mdKey->etc;
|
||||
const NSSItem *classItem = nss_ckcapi_FetchAttribute(iKey, CKA_CLASS);
|
||||
const NSSItem *keyType = nss_ckcapi_FetchAttribute(iKey, CKA_KEY_TYPE);
|
||||
ckcapiInternalCryptoOperationRSAPriv *iOperation;
|
||||
CK_RV error;
|
||||
HCRYPTPROV hProv;
|
||||
DWORD keySpec;
|
||||
HCRYPTKEY hKey;
|
||||
|
||||
/* make sure we have the right objects */
|
||||
if (((const NSSItem *)NULL == classItem) ||
|
||||
(sizeof(CK_OBJECT_CLASS) != classItem->size) ||
|
||||
(CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) ||
|
||||
((const NSSItem *)NULL == keyType) ||
|
||||
(sizeof(CK_KEY_TYPE) != keyType->size) ||
|
||||
(CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) {
|
||||
*pError = CKR_KEY_TYPE_INCONSISTENT;
|
||||
return (NSSCKMDCryptoOperation *)NULL;
|
||||
}
|
||||
|
||||
error = nss_ckcapi_FetchKeyContainer(iKey, &hProv, &keySpec, &hKey);
|
||||
if (error != CKR_OK) {
|
||||
*pError = error;
|
||||
return (NSSCKMDCryptoOperation *)NULL;
|
||||
}
|
||||
|
||||
iOperation = nss_ZNEW(NULL, ckcapiInternalCryptoOperationRSAPriv);
|
||||
if ((ckcapiInternalCryptoOperationRSAPriv *)NULL == iOperation) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
return (NSSCKMDCryptoOperation *)NULL;
|
||||
}
|
||||
iOperation->mdMechanism = mdMechanism;
|
||||
iOperation->iKey = iKey;
|
||||
iOperation->hProv = hProv;
|
||||
iOperation->keySpec = keySpec;
|
||||
iOperation->hKey = hKey;
|
||||
|
||||
nsslibc_memcpy(&iOperation->mdOperation,
|
||||
proto, sizeof(NSSCKMDCryptoOperation));
|
||||
iOperation->mdOperation.etc = iOperation;
|
||||
|
||||
return &iOperation->mdOperation;
|
||||
}
|
||||
|
||||
static CK_RV
|
||||
ckcapi_mdCryptoOperationRSAPriv_Destroy(
|
||||
NSSCKMDCryptoOperation *mdOperation,
|
||||
NSSCKFWCryptoOperation *fwOperation,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
ckcapiInternalCryptoOperationRSAPriv *iOperation =
|
||||
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
|
||||
|
||||
if (iOperation->hKey) {
|
||||
CryptDestroyKey(iOperation->hKey);
|
||||
}
|
||||
if (iOperation->buffer) {
|
||||
nssItem_Destroy(iOperation->buffer);
|
||||
}
|
||||
nss_ZFreeIf(iOperation);
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
static CK_ULONG
|
||||
ckcapi_mdCryptoOperationRSA_GetFinalLength(
|
||||
NSSCKMDCryptoOperation *mdOperation,
|
||||
NSSCKFWCryptoOperation *fwOperation,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
ckcapiInternalCryptoOperationRSAPriv *iOperation =
|
||||
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
|
||||
const NSSItem *modulus =
|
||||
nss_ckcapi_FetchAttribute(iOperation->iKey, CKA_MODULUS);
|
||||
|
||||
return modulus->size;
|
||||
}
|
||||
|
||||
/*
|
||||
* ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
|
||||
* we won't know the length until we actually decrypt the
|
||||
* input block. Since we go to all the work to decrypt the
|
||||
* the block, we'll save if for when the block is asked for
|
||||
*/
|
||||
static CK_ULONG
|
||||
ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength(
|
||||
NSSCKMDCryptoOperation *mdOperation,
|
||||
NSSCKFWCryptoOperation *fwOperation,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
const NSSItem *input,
|
||||
CK_RV *pError)
|
||||
{
|
||||
ckcapiInternalCryptoOperationRSAPriv *iOperation =
|
||||
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
|
||||
BOOL rc;
|
||||
|
||||
/* Microsoft's Decrypt operation works in place. Since we don't want
|
||||
* to trash our input buffer, we make a copy of it */
|
||||
iOperation->buffer = nssItem_Duplicate((NSSItem *)input, NULL, NULL);
|
||||
if ((NSSItem *)NULL == iOperation->buffer) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
return 0;
|
||||
}
|
||||
/* Sigh, reverse it */
|
||||
ckcapi_ReverseData(iOperation->buffer);
|
||||
|
||||
rc = CryptDecrypt(iOperation->hKey, 0, TRUE, 0,
|
||||
iOperation->buffer->data, &iOperation->buffer->size);
|
||||
if (!rc) {
|
||||
DWORD msError = GetLastError();
|
||||
switch (msError) {
|
||||
case NTE_BAD_DATA:
|
||||
*pError =
|
||||
CKR_ENCRYPTED_DATA_INVALID;
|
||||
break;
|
||||
case NTE_FAIL:
|
||||
case NTE_BAD_UID:
|
||||
*pError =
|
||||
CKR_DEVICE_ERROR;
|
||||
break;
|
||||
default:
|
||||
*pError =
|
||||
CKR_GENERAL_ERROR;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
return iOperation->buffer->size;
|
||||
}
|
||||
|
||||
/*
|
||||
* ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
|
||||
*
|
||||
* NOTE: ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to
|
||||
* have been called previously.
|
||||
*/
|
||||
static CK_RV
|
||||
ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal(
|
||||
NSSCKMDCryptoOperation *mdOperation,
|
||||
NSSCKFWCryptoOperation *fwOperation,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
const NSSItem *input,
|
||||
NSSItem *output)
|
||||
{
|
||||
ckcapiInternalCryptoOperationRSAPriv *iOperation =
|
||||
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
|
||||
NSSItem *buffer = iOperation->buffer;
|
||||
|
||||
if ((NSSItem *)NULL == buffer) {
|
||||
return CKR_GENERAL_ERROR;
|
||||
}
|
||||
nsslibc_memcpy(output->data, buffer->data, buffer->size);
|
||||
output->size = buffer->size;
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/*
|
||||
* ckcapi_mdCryptoOperationRSASign_UpdateFinal
|
||||
*
|
||||
*/
|
||||
static CK_RV
|
||||
ckcapi_mdCryptoOperationRSASign_UpdateFinal(
|
||||
NSSCKMDCryptoOperation *mdOperation,
|
||||
NSSCKFWCryptoOperation *fwOperation,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
const NSSItem *input,
|
||||
NSSItem *output)
|
||||
{
|
||||
ckcapiInternalCryptoOperationRSAPriv *iOperation =
|
||||
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
|
||||
CK_RV error = CKR_OK;
|
||||
DWORD msError;
|
||||
NSSItem hash;
|
||||
HCRYPTHASH hHash = 0;
|
||||
ALG_ID hashAlg;
|
||||
DWORD hashSize;
|
||||
DWORD len; /* temp length value we throw away */
|
||||
BOOL rc;
|
||||
|
||||
/*
|
||||
* PKCS #11 sign for RSA expects to take a fully DER-encoded hash value,
|
||||
* which includes the hash OID. CAPI expects to take a Hash Context. While
|
||||
* CAPI does have the capability of setting a raw hash value, it does not
|
||||
* have the ability to sign an arbitrary value. This function tries to
|
||||
* reduce the passed in data into something that CAPI could actually sign.
|
||||
*/
|
||||
error = ckcapi_GetRawHash(input, &hash, &hashAlg);
|
||||
if (CKR_OK != error) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
rc = CryptCreateHash(iOperation->hProv, hashAlg, 0, 0, &hHash);
|
||||
if (!rc) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* make sure the hash lens match before we set it */
|
||||
len = sizeof(DWORD);
|
||||
rc = CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&hashSize, &len, 0);
|
||||
if (!rc) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
if (hash.size != hashSize) {
|
||||
/* The input must have been bad for this to happen */
|
||||
error = CKR_DATA_INVALID;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* we have an explicit hash, set it, note that the length is
|
||||
* implicit by the hashAlg used in create */
|
||||
rc = CryptSetHashParam(hHash, HP_HASHVAL, hash.data, 0);
|
||||
if (!rc) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* OK, we have the data in a hash structure, sign it! */
|
||||
rc = CryptSignHash(hHash, iOperation->keySpec, NULL, 0,
|
||||
output->data, &output->size);
|
||||
if (!rc) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* Don't return a signature that might have been broken because of a cosmic
|
||||
* ray, or a broken processor, verify that it is valid... */
|
||||
rc = CryptVerifySignature(hHash, output->data, output->size,
|
||||
iOperation->hKey, NULL, 0);
|
||||
if (!rc) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* OK, Microsoft likes to do things completely differently than anyone
|
||||
* else. We need to reverse the data we received here */
|
||||
ckcapi_ReverseData(output);
|
||||
CryptDestroyHash(hHash);
|
||||
return CKR_OK;
|
||||
|
||||
loser:
|
||||
/* map the microsoft error */
|
||||
if (CKR_OK == error) {
|
||||
msError = GetLastError();
|
||||
switch (msError) {
|
||||
case ERROR_NOT_ENOUGH_MEMORY:
|
||||
error =
|
||||
CKR_HOST_MEMORY;
|
||||
break;
|
||||
case NTE_NO_MEMORY:
|
||||
error =
|
||||
CKR_DEVICE_MEMORY;
|
||||
break;
|
||||
case ERROR_MORE_DATA:
|
||||
return CKR_BUFFER_TOO_SMALL;
|
||||
case ERROR_INVALID_PARAMETER: /* these params were derived from the */
|
||||
case ERROR_INVALID_HANDLE: /* inputs, so if they are bad, the input */
|
||||
case NTE_BAD_ALGID: /* data is bad */
|
||||
case NTE_BAD_HASH:
|
||||
error =
|
||||
CKR_DATA_INVALID;
|
||||
break;
|
||||
case ERROR_BUSY:
|
||||
case NTE_FAIL:
|
||||
case NTE_BAD_UID:
|
||||
error =
|
||||
CKR_DEVICE_ERROR;
|
||||
break;
|
||||
default:
|
||||
error =
|
||||
CKR_GENERAL_ERROR;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (hHash) {
|
||||
CryptDestroyHash(hHash);
|
||||
}
|
||||
return error;
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
|
||||
ckcapi_mdCryptoOperationRSADecrypt_proto = {
|
||||
NULL, /* etc */
|
||||
ckcapi_mdCryptoOperationRSAPriv_Destroy,
|
||||
NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */
|
||||
ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength,
|
||||
NULL, /* Final - not needed for one shot operation */
|
||||
NULL, /* Update - not needed for one shot operation */
|
||||
NULL, /* DigetUpdate - not needed for one shot operation */
|
||||
ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal,
|
||||
NULL, /* UpdateCombo - not needed for one shot operation */
|
||||
NULL, /* DigetKey - not needed for one shot operation */
|
||||
(void *)NULL /* null terminator */
|
||||
};
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
|
||||
ckcapi_mdCryptoOperationRSASign_proto = {
|
||||
NULL, /* etc */
|
||||
ckcapi_mdCryptoOperationRSAPriv_Destroy,
|
||||
ckcapi_mdCryptoOperationRSA_GetFinalLength,
|
||||
NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */
|
||||
NULL, /* Final - not needed for one shot operation */
|
||||
NULL, /* Update - not needed for one shot operation */
|
||||
NULL, /* DigetUpdate - not needed for one shot operation */
|
||||
ckcapi_mdCryptoOperationRSASign_UpdateFinal,
|
||||
NULL, /* UpdateCombo - not needed for one shot operation */
|
||||
NULL, /* DigetKey - not needed for one shot operation */
|
||||
(void *)NULL /* null terminator */
|
||||
};
|
||||
|
||||
/********** NSSCKMDMechansim functions ***********************/
|
||||
/*
|
||||
* ckcapi_mdMechanismRSA_Destroy
|
||||
*/
|
||||
static void
|
||||
ckcapi_mdMechanismRSA_Destroy(
|
||||
NSSCKMDMechanism *mdMechanism,
|
||||
NSSCKFWMechanism *fwMechanism,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
nss_ZFreeIf(fwMechanism);
|
||||
}
|
||||
|
||||
/*
|
||||
* ckcapi_mdMechanismRSA_GetMinKeySize
|
||||
*/
|
||||
static CK_ULONG
|
||||
ckcapi_mdMechanismRSA_GetMinKeySize(
|
||||
NSSCKMDMechanism *mdMechanism,
|
||||
NSSCKFWMechanism *fwMechanism,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return 384;
|
||||
}
|
||||
|
||||
/*
|
||||
* ckcapi_mdMechanismRSA_GetMaxKeySize
|
||||
*/
|
||||
static CK_ULONG
|
||||
ckcapi_mdMechanismRSA_GetMaxKeySize(
|
||||
NSSCKMDMechanism *mdMechanism,
|
||||
NSSCKFWMechanism *fwMechanism,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return 16384;
|
||||
}
|
||||
|
||||
/*
|
||||
* ckcapi_mdMechanismRSA_DecryptInit
|
||||
*/
|
||||
static NSSCKMDCryptoOperation *
|
||||
ckcapi_mdMechanismRSA_DecryptInit(
|
||||
NSSCKMDMechanism *mdMechanism,
|
||||
NSSCKFWMechanism *fwMechanism,
|
||||
CK_MECHANISM *pMechanism,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
NSSCKMDObject *mdKey,
|
||||
NSSCKFWObject *fwKey,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return ckcapi_mdCryptoOperationRSAPriv_Create(
|
||||
&ckcapi_mdCryptoOperationRSADecrypt_proto,
|
||||
mdMechanism, mdKey, pError);
|
||||
}
|
||||
|
||||
/*
|
||||
* ckcapi_mdMechanismRSA_SignInit
|
||||
*/
|
||||
static NSSCKMDCryptoOperation *
|
||||
ckcapi_mdMechanismRSA_SignInit(
|
||||
NSSCKMDMechanism *mdMechanism,
|
||||
NSSCKFWMechanism *fwMechanism,
|
||||
CK_MECHANISM *pMechanism,
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
NSSCKMDObject *mdKey,
|
||||
NSSCKFWObject *fwKey,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return ckcapi_mdCryptoOperationRSAPriv_Create(
|
||||
&ckcapi_mdCryptoOperationRSASign_proto,
|
||||
mdMechanism, mdKey, pError);
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSCKMDMechanism
|
||||
nss_ckcapi_mdMechanismRSA = {
|
||||
(void *)NULL, /* etc */
|
||||
ckcapi_mdMechanismRSA_Destroy,
|
||||
ckcapi_mdMechanismRSA_GetMinKeySize,
|
||||
ckcapi_mdMechanismRSA_GetMaxKeySize,
|
||||
NULL, /* GetInHardware - default false */
|
||||
NULL, /* EncryptInit - default errs */
|
||||
ckcapi_mdMechanismRSA_DecryptInit,
|
||||
NULL, /* DigestInit - default errs*/
|
||||
ckcapi_mdMechanismRSA_SignInit,
|
||||
NULL, /* VerifyInit - default errs */
|
||||
ckcapi_mdMechanismRSA_SignInit, /* SignRecoverInit */
|
||||
NULL, /* VerifyRecoverInit - default errs */
|
||||
NULL, /* GenerateKey - default errs */
|
||||
NULL, /* GenerateKeyPair - default errs */
|
||||
NULL, /* GetWrapKeyLength - default errs */
|
||||
NULL, /* WrapKey - default errs */
|
||||
NULL, /* UnwrapKey - default errs */
|
||||
NULL, /* DeriveKey - default errs */
|
||||
(void *)NULL /* null terminator */
|
||||
};
|
|
@ -1,87 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "ckcapi.h"
|
||||
|
||||
/*
|
||||
* ckcapi/csession.c
|
||||
*
|
||||
* This file implements the NSSCKMDSession object for the
|
||||
* "nss to capi" cryptoki module.
|
||||
*/
|
||||
|
||||
static NSSCKMDFindObjects *
|
||||
ckcapi_mdSession_FindObjectsInit(
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return nss_ckcapi_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
|
||||
}
|
||||
|
||||
static NSSCKMDObject *
|
||||
ckcapi_mdSession_CreateObject(
|
||||
NSSCKMDSession *mdSession,
|
||||
NSSCKFWSession *fwSession,
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
NSSArena *arena,
|
||||
CK_ATTRIBUTE_PTR pTemplate,
|
||||
CK_ULONG ulAttributeCount,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return nss_ckcapi_CreateObject(fwSession, pTemplate, ulAttributeCount, pError);
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT NSSCKMDSession *
|
||||
nss_ckcapi_CreateSession(
|
||||
NSSCKFWSession *fwSession,
|
||||
CK_RV *pError)
|
||||
{
|
||||
NSSArena *arena;
|
||||
NSSCKMDSession *rv;
|
||||
|
||||
arena = NSSCKFWSession_GetArena(fwSession, pError);
|
||||
if ((NSSArena *)NULL == arena) {
|
||||
return (NSSCKMDSession *)NULL;
|
||||
}
|
||||
|
||||
rv = nss_ZNEW(arena, NSSCKMDSession);
|
||||
if ((NSSCKMDSession *)NULL == rv) {
|
||||
*pError = CKR_HOST_MEMORY;
|
||||
return (NSSCKMDSession *)NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* rv was zeroed when allocated, so we only
|
||||
* need to set the non-zero members.
|
||||
*/
|
||||
|
||||
rv->etc = (void *)fwSession;
|
||||
/* rv->Close */
|
||||
/* rv->GetDeviceError */
|
||||
/* rv->Login */
|
||||
/* rv->Logout */
|
||||
/* rv->InitPIN */
|
||||
/* rv->SetPIN */
|
||||
/* rv->GetOperationStateLen */
|
||||
/* rv->GetOperationState */
|
||||
/* rv->SetOperationState */
|
||||
rv->CreateObject = ckcapi_mdSession_CreateObject;
|
||||
/* rv->CopyObject */
|
||||
rv->FindObjectsInit = ckcapi_mdSession_FindObjectsInit;
|
||||
/* rv->SeedRandom */
|
||||
/* rv->GetRandom */
|
||||
/* rv->null */
|
||||
|
||||
return rv;
|
||||
}
|
|
@ -1,81 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "ckcapi.h"
|
||||
|
||||
/*
|
||||
* ckcapi/cslot.c
|
||||
*
|
||||
* This file implements the NSSCKMDSlot object for the
|
||||
* "nss to capi" cryptoki module.
|
||||
*/
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdSlot_GetSlotDescription(
|
||||
NSSCKMDSlot *mdSlot,
|
||||
NSSCKFWSlot *fwSlot,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_SlotDescription;
|
||||
}
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdSlot_GetManufacturerID(
|
||||
NSSCKMDSlot *mdSlot,
|
||||
NSSCKFWSlot *fwSlot,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
|
||||
}
|
||||
|
||||
static CK_VERSION
|
||||
ckcapi_mdSlot_GetHardwareVersion(
|
||||
NSSCKMDSlot *mdSlot,
|
||||
NSSCKFWSlot *fwSlot,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return nss_ckcapi_HardwareVersion;
|
||||
}
|
||||
|
||||
static CK_VERSION
|
||||
ckcapi_mdSlot_GetFirmwareVersion(
|
||||
NSSCKMDSlot *mdSlot,
|
||||
NSSCKFWSlot *fwSlot,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return nss_ckcapi_FirmwareVersion;
|
||||
}
|
||||
|
||||
static NSSCKMDToken *
|
||||
ckcapi_mdSlot_GetToken(
|
||||
NSSCKMDSlot *mdSlot,
|
||||
NSSCKFWSlot *fwSlot,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSCKMDToken *)&nss_ckcapi_mdToken;
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSCKMDSlot
|
||||
nss_ckcapi_mdSlot = {
|
||||
(void *)NULL, /* etc */
|
||||
NULL, /* Initialize */
|
||||
NULL, /* Destroy */
|
||||
ckcapi_mdSlot_GetSlotDescription,
|
||||
ckcapi_mdSlot_GetManufacturerID,
|
||||
NULL, /* GetTokenPresent -- defaults to true */
|
||||
NULL, /* GetRemovableDevice -- defaults to false */
|
||||
NULL, /* GetHardwareSlot -- defaults to false */
|
||||
ckcapi_mdSlot_GetHardwareVersion,
|
||||
ckcapi_mdSlot_GetFirmwareVersion,
|
||||
ckcapi_mdSlot_GetToken,
|
||||
(void *)NULL /* null terminator */
|
||||
};
|
|
@ -1,184 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "ckcapi.h"
|
||||
|
||||
/*
|
||||
* ckcapi/ctoken.c
|
||||
*
|
||||
* This file implements the NSSCKMDToken object for the
|
||||
* "nss to capi" cryptoki module.
|
||||
*/
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdToken_GetLabel(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_TokenLabel;
|
||||
}
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdToken_GetManufacturerID(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
|
||||
}
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdToken_GetModel(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_TokenModel;
|
||||
}
|
||||
|
||||
static NSSUTF8 *
|
||||
ckcapi_mdToken_GetSerialNumber(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return (NSSUTF8 *)nss_ckcapi_TokenSerialNumber;
|
||||
}
|
||||
|
||||
static CK_BBOOL
|
||||
ckcapi_mdToken_GetIsWriteProtected(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return CK_FALSE;
|
||||
}
|
||||
|
||||
/* fake out Mozilla so we don't try to initialize the token */
|
||||
static CK_BBOOL
|
||||
ckcapi_mdToken_GetUserPinInitialized(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return CK_TRUE;
|
||||
}
|
||||
|
||||
static CK_VERSION
|
||||
ckcapi_mdToken_GetHardwareVersion(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return nss_ckcapi_HardwareVersion;
|
||||
}
|
||||
|
||||
static CK_VERSION
|
||||
ckcapi_mdToken_GetFirmwareVersion(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return nss_ckcapi_FirmwareVersion;
|
||||
}
|
||||
|
||||
static NSSCKMDSession *
|
||||
ckcapi_mdToken_OpenSession(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
NSSCKFWSession *fwSession,
|
||||
CK_BBOOL rw,
|
||||
CK_RV *pError)
|
||||
{
|
||||
return nss_ckcapi_CreateSession(fwSession, pError);
|
||||
}
|
||||
|
||||
static CK_ULONG
|
||||
ckcapi_mdToken_GetMechanismCount(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance)
|
||||
{
|
||||
return (CK_ULONG)1;
|
||||
}
|
||||
|
||||
static CK_RV
|
||||
ckcapi_mdToken_GetMechanismTypes(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_MECHANISM_TYPE types[])
|
||||
{
|
||||
types[0] = CKM_RSA_PKCS;
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
static NSSCKMDMechanism *
|
||||
ckcapi_mdToken_GetMechanism(
|
||||
NSSCKMDToken *mdToken,
|
||||
NSSCKFWToken *fwToken,
|
||||
NSSCKMDInstance *mdInstance,
|
||||
NSSCKFWInstance *fwInstance,
|
||||
CK_MECHANISM_TYPE which,
|
||||
CK_RV *pError)
|
||||
{
|
||||
if (which != CKM_RSA_PKCS) {
|
||||
*pError = CKR_MECHANISM_INVALID;
|
||||
return (NSSCKMDMechanism *)NULL;
|
||||
}
|
||||
return (NSSCKMDMechanism *)&nss_ckcapi_mdMechanismRSA;
|
||||
}
|
||||
|
||||
NSS_IMPLEMENT_DATA const NSSCKMDToken
|
||||
nss_ckcapi_mdToken = {
|
||||
(void *)NULL, /* etc */
|
||||
NULL, /* Setup */
|
||||
NULL, /* Invalidate */
|
||||
NULL, /* InitToken -- default errs */
|
||||
ckcapi_mdToken_GetLabel,
|
||||
ckcapi_mdToken_GetManufacturerID,
|
||||
ckcapi_mdToken_GetModel,
|
||||
ckcapi_mdToken_GetSerialNumber,
|
||||
NULL, /* GetHasRNG -- default is false */
|
||||
ckcapi_mdToken_GetIsWriteProtected,
|
||||
NULL, /* GetLoginRequired -- default is false */
|
||||
ckcapi_mdToken_GetUserPinInitialized,
|
||||
NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
|
||||
NULL, /* GetHasClockOnToken -- default is false */
|
||||
NULL, /* GetHasProtectedAuthenticationPath -- default is false */
|
||||
NULL, /* GetSupportsDualCryptoOperations -- default is false */
|
||||
NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
|
||||
NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
|
||||
NULL, /* GetMaxPinLen -- irrelevant */
|
||||
NULL, /* GetMinPinLen -- irrelevant */
|
||||
NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
|
||||
NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
|
||||
NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
|
||||
NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
|
||||
ckcapi_mdToken_GetHardwareVersion,
|
||||
ckcapi_mdToken_GetFirmwareVersion,
|
||||
NULL, /* GetUTCTime -- no clock */
|
||||
ckcapi_mdToken_OpenSession,
|
||||
ckcapi_mdToken_GetMechanismCount,
|
||||
ckcapi_mdToken_GetMechanismTypes,
|
||||
ckcapi_mdToken_GetMechanism,
|
||||
(void *)NULL /* null terminator */
|
||||
};
|
|
@ -1,35 +0,0 @@
|
|||
#
|
||||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
CORE_DEPTH = ../../../..
|
||||
|
||||
MODULE = nss
|
||||
|
||||
EXPORTS = \
|
||||
nsscapi.h \
|
||||
$(NULL)
|
||||
|
||||
CSRCS = \
|
||||
anchor.c \
|
||||
constants.c \
|
||||
cfind.c \
|
||||
cinst.c \
|
||||
cobject.c \
|
||||
crsa.c \
|
||||
csession.c \
|
||||
cslot.c \
|
||||
ctoken.c \
|
||||
ckcapiver.c \
|
||||
staticobj.c \
|
||||
$(NULL)
|
||||
|
||||
REQUIRES = nspr
|
||||
|
||||
LIBRARY_NAME = nsscapi
|
||||
MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
|
||||
LIBRARY = $(NULL)
|
||||
IMPORT_LIBRARY = $(NULL)
|
||||
|
||||
#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
|
|
@ -1,26 +0,0 @@
|
|||
;+#
|
||||
;+# This Source Code Form is subject to the terms of the Mozilla Public
|
||||
;+# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
;+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
;+#
|
||||
;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
|
||||
;+# 1. For all unix platforms, the string ";-" means "remove this line"
|
||||
;+# 2. For all unix platforms, the string " DATA " will be removed from any
|
||||
;+# line on which it occurs.
|
||||
;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
|
||||
;+# On AIX, lines containing ";+" will be removed.
|
||||
;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed.
|
||||
;+# 5. For all unix platforms, after the above processing has taken place,
|
||||
;+# all characters after the first ";" on the line will be removed.
|
||||
;+# And for AIX, the first ";" will also be removed.
|
||||
;+# This file is passed directly to windows. Since ';' is a comment, all UNIX
|
||||
;+# directives are hidden behind ";", ";+", and ";-"
|
||||
;+
|
||||
;+NSS_3.1 { # NSS 3.1 release
|
||||
;+ global:
|
||||
LIBRARY nsscapi ;-
|
||||
EXPORTS ;-
|
||||
C_GetFunctionList;
|
||||
;+ local:
|
||||
;+*;
|
||||
;+};
|
|
@ -1,41 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef NSSCAPI_H
|
||||
#define NSSCAPI_H
|
||||
|
||||
/*
|
||||
* NSS CKCAPI Version numbers.
|
||||
*
|
||||
* These are the version numbers for the capi module packaged with
|
||||
* this release on NSS. To determine the version numbers of the builtin
|
||||
* module you are using, use the appropriate PKCS #11 calls.
|
||||
*
|
||||
* These version numbers detail changes to the PKCS #11 interface. They map
|
||||
* to the PKCS #11 spec versions.
|
||||
*/
|
||||
#define NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR 2
|
||||
#define NSS_CKCAPI_CRYPTOKI_VERSION_MINOR 20
|
||||
|
||||
/* These version numbers detail the changes
|
||||
* to the list of trusted certificates.
|
||||
*
|
||||
* NSS_CKCAPI_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
|
||||
* whether we may use its full range (0-255) or only 0-99 because
|
||||
* of the comment in the CK_VERSION type definition.
|
||||
*/
|
||||
#define NSS_CKCAPI_LIBRARY_VERSION_MAJOR 1
|
||||
#define NSS_CKCAPI_LIBRARY_VERSION_MINOR 1
|
||||
#define NSS_CKCAPI_LIBRARY_VERSION "1.1"
|
||||
|
||||
/* These version numbers detail the semantic changes to the ckfw engine. */
|
||||
#define NSS_CKCAPI_HARDWARE_VERSION_MAJOR 1
|
||||
#define NSS_CKCAPI_HARDWARE_VERSION_MINOR 0
|
||||
|
||||
/* These version numbers detail the semantic changes to ckbi itself
|
||||
* (new PKCS #11 objects), etc. */
|
||||
#define NSS_CKCAPI_FIRMWARE_VERSION_MAJOR 1
|
||||
#define NSS_CKCAPI_FIRMWARE_VERSION_MINOR 0
|
||||
|
||||
#endif /* NSSCKBI_H */
|
|
@ -1,64 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "nsscapi.h"
|
||||
#include <winver.h>
|
||||
|
||||
#define MY_LIBNAME "nsscapi"
|
||||
#define MY_FILEDESCRIPTION "NSS Access to Microsoft CAPI"
|
||||
|
||||
#ifdef _DEBUG
|
||||
#define MY_DEBUG_STR " (debug)"
|
||||
#define MY_FILEFLAGS_1 VS_FF_DEBUG
|
||||
#else
|
||||
#define MY_DEBUG_STR ""
|
||||
#define MY_FILEFLAGS_1 0x0L
|
||||
#endif
|
||||
#if NSS_BETA
|
||||
#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
|
||||
#else
|
||||
#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
|
||||
#endif
|
||||
|
||||
#ifdef WINNT
|
||||
#define MY_FILEOS VOS_NT_WINDOWS32
|
||||
#else
|
||||
#define MY_FILEOS VOS__WINDOWS32
|
||||
#endif
|
||||
|
||||
#define MY_INTERNAL_NAME MY_LIBNAME
|
||||
|
||||
/////////////////////////////////////////////////////////////////////////////
|
||||
//
|
||||
// Version-information resource
|
||||
//
|
||||
|
||||
VS_VERSION_INFO VERSIONINFO
|
||||
FILEVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
|
||||
PRODUCTVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
|
||||
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
|
||||
FILEFLAGS MY_FILEFLAGS_2
|
||||
FILEOS MY_FILEOS
|
||||
FILETYPE VFT_DLL
|
||||
FILESUBTYPE 0x0L // not used
|
||||
|
||||
BEGIN
|
||||
BLOCK "StringFileInfo"
|
||||
BEGIN
|
||||
BLOCK "040904B0" // Lang=US English, CharSet=Unicode
|
||||
BEGIN
|
||||
VALUE "CompanyName", "Mozilla Foundation\0"
|
||||
VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
|
||||
VALUE "FileVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
|
||||
VALUE "InternalName", MY_INTERNAL_NAME "\0"
|
||||
VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
|
||||
VALUE "ProductName", "Network Security Services\0"
|
||||
VALUE "ProductVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
|
||||
END
|
||||
END
|
||||
BLOCK "VarFileInfo"
|
||||
BEGIN
|
||||
VALUE "Translation", 0x409, 1200
|
||||
END
|
||||
END
|
|
@ -1,40 +0,0 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#ifndef CKCAPI_H
|
||||
#include "ckcapi.h"
|
||||
#endif /* CKCAPI_H */
|
||||
|
||||
static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
|
||||
static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
|
||||
static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
|
||||
static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
|
||||
static const CK_BBOOL ck_true = CK_TRUE;
|
||||
static const CK_OBJECT_CLASS cko_data = CKO_DATA;
|
||||
static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
|
||||
static const CK_BBOOL ck_false = CK_FALSE;
|
||||
static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
|
||||
|
||||
/* example of a static object */
|
||||
static const CK_ATTRIBUTE_TYPE nss_ckcapi_types_1[] = {
|
||||
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL
|
||||
};
|
||||
|
||||
static const NSSItem nss_ckcapi_items_1[] = {
|
||||
{ (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
|
||||
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
|
||||
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
|
||||
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
|
||||
{ (void *)"Mozilla CAPI Access", (PRUint32)20 }
|
||||
};
|
||||
|
||||
ckcapiInternalObject nss_ckcapi_data[] = {
|
||||
{
|
||||
ckcapiRaw,
|
||||
{ 5, nss_ckcapi_types_1, nss_ckcapi_items_1 },
|
||||
},
|
||||
|
||||
};
|
||||
|
||||
const PRUint32 nss_ckcapi_nObjects = 1;
|
|
@ -526,16 +526,16 @@ PK11_ImportDataKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PK11Origin origin
|
|||
return NULL;
|
||||
}
|
||||
handle = PK11_GetObjectHandle(PK11_TypeGeneric, genObject, NULL);
|
||||
if (handle == CK_INVALID_HANDLE) {
|
||||
return NULL;
|
||||
}
|
||||
/* A note about ownership of the PKCS #11 handle:
|
||||
* PK11_CreateGenericObject() will not destroy the object it creates
|
||||
* on Free, For that you want PK11_CreateManagedGenericObject().
|
||||
* Below we import the handle into the symKey structure. We pass
|
||||
* PR_TRUE as the owner so that the symKey will destroy the object
|
||||
* once it's freed. This is way it's safe to free now. */
|
||||
* once it's freed. This is why it's safe to destroy genObject now. */
|
||||
PK11_DestroyGenericObject(genObject);
|
||||
if (handle == CK_INVALID_HANDLE) {
|
||||
return NULL;
|
||||
}
|
||||
return PK11_SymKeyFromHandle(slot, NULL, origin, type, handle, PR_TRUE, wincx);
|
||||
}
|
||||
|
||||
|
|
|
@ -94,8 +94,7 @@ static PK11SlotList
|
|||
pk11_tlsSlotList,
|
||||
pk11_randomSlotList,
|
||||
pk11_sha256SlotList,
|
||||
pk11_sha512SlotList, /* slots do SHA512 and SHA384 */
|
||||
pk11_kyberSlotList;
|
||||
pk11_sha512SlotList; /* slots do SHA512 and SHA384 */
|
||||
|
||||
/************************************************************
|
||||
* Generic Slot List and Slot List element manipulations
|
||||
|
@ -850,7 +849,6 @@ PK11_InitSlotLists(void)
|
|||
pk11_InitSlotListStatic(&pk11_randomSlotList);
|
||||
pk11_InitSlotListStatic(&pk11_sha256SlotList);
|
||||
pk11_InitSlotListStatic(&pk11_sha512SlotList);
|
||||
pk11_InitSlotListStatic(&pk11_kyberSlotList);
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
|
@ -877,7 +875,6 @@ PK11_DestroySlotLists(void)
|
|||
pk11_FreeSlotListStatic(&pk11_randomSlotList);
|
||||
pk11_FreeSlotListStatic(&pk11_sha256SlotList);
|
||||
pk11_FreeSlotListStatic(&pk11_sha512SlotList);
|
||||
pk11_FreeSlotListStatic(&pk11_kyberSlotList);
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -947,6 +944,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
|
|||
case CKM_ECDSA_SHA1:
|
||||
case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
|
||||
case CKM_ECDH1_DERIVE:
|
||||
case CKM_NSS_KYBER_KEY_PAIR_GEN: /* Bug 1893029 */
|
||||
case CKM_NSS_KYBER:
|
||||
return &pk11_ecSlotList;
|
||||
case CKM_SSL3_PRE_MASTER_KEY_GEN:
|
||||
case CKM_SSL3_MASTER_KEY_DERIVE:
|
||||
|
@ -962,8 +961,6 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
|
|||
return &pk11_ideaSlotList;
|
||||
case CKM_FAKE_RANDOM:
|
||||
return &pk11_randomSlotList;
|
||||
case CKM_NSS_KYBER_KEY_PAIR_GEN:
|
||||
return &pk11_kyberSlotList;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
|
|
@ -164,14 +164,13 @@ NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp,
|
|||
extern PK11SymKey *
|
||||
NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag);
|
||||
|
||||
extern SECStatus
|
||||
NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
|
||||
SECItem *encKey, SECItem *ukm, SECAlgorithmID *keyEncAlg,
|
||||
SECItem *originatorPubKey);
|
||||
|
||||
/*
|
||||
* NSS_CMSUtil_DecryptSymKey_RSA_OAEP is the same as NSS_CMSUtil_DecryptSymKey_RSA, except that
|
||||
* it works with a symmetric key that was wrapped using RSA with OAEP padding rather than PKCS #1
|
||||
* Version 1.5 padding.
|
||||
*/
|
||||
extern PK11SymKey *
|
||||
NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
|
||||
SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
|
||||
NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKEYPrivateKey *privkey, SECItem *parameters, SECItem *encKey, SECOidTag bulkalgtag);
|
||||
|
||||
extern SECStatus
|
||||
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
|
||||
|
|
|
@ -108,6 +108,176 @@ NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOid
|
|||
return PK11_PubUnwrapSymKey(privkey, encKey, target, CKA_DECRYPT, 0);
|
||||
}
|
||||
|
||||
typedef struct RSA_OAEP_CMS_paramsStr RSA_OAEP_CMS_params;
|
||||
struct RSA_OAEP_CMS_paramsStr {
|
||||
SECAlgorithmID *hashFunc;
|
||||
SECAlgorithmID *maskGenFunc;
|
||||
SECAlgorithmID *pSourceFunc;
|
||||
};
|
||||
|
||||
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
|
||||
SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
|
||||
|
||||
static const SEC_ASN1Template seckey_PointerToAlgorithmIDTemplate[] = {
|
||||
{ SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0,
|
||||
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }
|
||||
};
|
||||
|
||||
static const SEC_ASN1Template RSA_OAEP_CMS_paramsTemplate[] = {
|
||||
{ SEC_ASN1_SEQUENCE,
|
||||
0, NULL, sizeof(RSA_OAEP_CMS_params) },
|
||||
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
|
||||
SEC_ASN1_CONTEXT_SPECIFIC | 0,
|
||||
offsetof(RSA_OAEP_CMS_params, hashFunc),
|
||||
seckey_PointerToAlgorithmIDTemplate },
|
||||
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
|
||||
SEC_ASN1_CONTEXT_SPECIFIC | 1,
|
||||
offsetof(RSA_OAEP_CMS_params, maskGenFunc),
|
||||
seckey_PointerToAlgorithmIDTemplate },
|
||||
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
|
||||
SEC_ASN1_CONTEXT_SPECIFIC | 2,
|
||||
offsetof(RSA_OAEP_CMS_params, pSourceFunc),
|
||||
seckey_PointerToAlgorithmIDTemplate },
|
||||
{ 0 }
|
||||
};
|
||||
|
||||
/*
|
||||
* NSS_CMSUtil_DecryptSymKey_RSA_OAEP - unwrap a RSA-wrapped symmetric key
|
||||
*
|
||||
* this function takes an RSA-OAEP-wrapped symmetric key and unwraps it, returning a symmetric
|
||||
* key handle. Please note that the actual unwrapped key data may not be allowed to leave
|
||||
* a hardware token...
|
||||
*/
|
||||
PK11SymKey *
|
||||
NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKEYPrivateKey *privkey, SECItem *parameters, SECItem *encKey, SECOidTag bulkalgtag)
|
||||
{
|
||||
CK_RSA_PKCS_OAEP_PARAMS oaep_params;
|
||||
RSA_OAEP_CMS_params encoded_params;
|
||||
SECAlgorithmID mgf1hashAlg;
|
||||
SECOidTag mgfAlgtag, mgf1hashAlgtag, pSourcetag;
|
||||
SECItem encoding_params, params;
|
||||
PK11SymKey *bulkkey = NULL;
|
||||
SECStatus rv;
|
||||
|
||||
CK_MECHANISM_TYPE target;
|
||||
PORT_Assert(bulkalgtag != SEC_OID_UNKNOWN);
|
||||
target = PK11_AlgtagToMechanism(bulkalgtag);
|
||||
if (bulkalgtag == SEC_OID_UNKNOWN || target == CKM_INVALID_MECHANISM) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
PORT_Memset(&encoded_params, 0, sizeof(RSA_OAEP_CMS_params));
|
||||
PORT_Memset(&mgf1hashAlg, 0, sizeof(SECAlgorithmID));
|
||||
PORT_Memset(&encoding_params, 0, sizeof(SECItem));
|
||||
|
||||
/* Set default values for the OAEP parameters */
|
||||
oaep_params.hashAlg = CKM_SHA_1;
|
||||
oaep_params.mgf = CKG_MGF1_SHA1;
|
||||
oaep_params.source = CKZ_DATA_SPECIFIED;
|
||||
oaep_params.pSourceData = NULL;
|
||||
oaep_params.ulSourceDataLen = 0;
|
||||
|
||||
if (parameters->len == 2) {
|
||||
/* For some reason SEC_ASN1DecodeItem cannot process parameters if it is an emtpy SEQUENCE */
|
||||
/* Just check that this is a properly encoded empty SEQUENCE */
|
||||
if ((parameters->data[0] != 0x30) || (parameters->data[1] != 0)) {
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
rv = SEC_ASN1DecodeItem(NULL, &encoded_params, RSA_OAEP_CMS_paramsTemplate, parameters);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
if (encoded_params.hashFunc != NULL) {
|
||||
oaep_params.hashAlg = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(encoded_params.hashFunc));
|
||||
}
|
||||
if (encoded_params.maskGenFunc != NULL) {
|
||||
mgfAlgtag = SECOID_GetAlgorithmTag(encoded_params.maskGenFunc);
|
||||
if (mgfAlgtag != SEC_OID_PKCS1_MGF1) {
|
||||
/* MGF1 is the only supported mask generation function */
|
||||
goto loser;
|
||||
}
|
||||
/* The parameters field contains an AlgorithmIdentifier specifying the
|
||||
* hash function to use with MGF1.
|
||||
*/
|
||||
rv = SEC_ASN1DecodeItem(NULL, &mgf1hashAlg, SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
|
||||
&encoded_params.maskGenFunc->parameters);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
mgf1hashAlgtag = SECOID_GetAlgorithmTag(&mgf1hashAlg);
|
||||
switch (mgf1hashAlgtag) {
|
||||
case SEC_OID_SHA1:
|
||||
oaep_params.mgf = CKG_MGF1_SHA1;
|
||||
break;
|
||||
case SEC_OID_SHA224:
|
||||
oaep_params.mgf = CKG_MGF1_SHA224;
|
||||
break;
|
||||
case SEC_OID_SHA256:
|
||||
oaep_params.mgf = CKG_MGF1_SHA256;
|
||||
break;
|
||||
case SEC_OID_SHA384:
|
||||
oaep_params.mgf = CKG_MGF1_SHA384;
|
||||
break;
|
||||
case SEC_OID_SHA512:
|
||||
oaep_params.mgf = CKG_MGF1_SHA512;
|
||||
break;
|
||||
case SEC_OID_SHA3_224:
|
||||
oaep_params.mgf = CKG_MGF1_SHA3_224;
|
||||
break;
|
||||
case SEC_OID_SHA3_256:
|
||||
oaep_params.mgf = CKG_MGF1_SHA3_256;
|
||||
break;
|
||||
case SEC_OID_SHA3_384:
|
||||
oaep_params.mgf = CKG_MGF1_SHA3_384;
|
||||
break;
|
||||
case SEC_OID_SHA3_512:
|
||||
oaep_params.mgf = CKG_MGF1_SHA3_512;
|
||||
break;
|
||||
default:
|
||||
goto loser;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (encoded_params.pSourceFunc != NULL) {
|
||||
pSourcetag = SECOID_GetAlgorithmTag(encoded_params.pSourceFunc);
|
||||
if (pSourcetag != SEC_OID_PKCS1_PSPECIFIED) {
|
||||
goto loser;
|
||||
}
|
||||
/* The encoding parameters (P) are provided as an OCTET STRING in the parameters field. */
|
||||
if (encoded_params.pSourceFunc->parameters.len != 0) {
|
||||
rv = SEC_ASN1DecodeItem(NULL, &encoding_params, SEC_ASN1_GET(SEC_OctetStringTemplate),
|
||||
&encoded_params.pSourceFunc->parameters);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
oaep_params.ulSourceDataLen = encoding_params.len;
|
||||
oaep_params.pSourceData = encoding_params.data;
|
||||
}
|
||||
}
|
||||
}
|
||||
params.type = siBuffer;
|
||||
params.data = (unsigned char *)&oaep_params;
|
||||
params.len = sizeof(CK_RSA_PKCS_OAEP_PARAMS);
|
||||
bulkkey = PK11_PubUnwrapSymKeyWithMechanism(privkey, CKM_RSA_PKCS_OAEP, ¶ms,
|
||||
encKey, target, CKA_DECRYPT, 0);
|
||||
|
||||
loser:
|
||||
PORT_Free(oaep_params.pSourceData);
|
||||
if (encoded_params.hashFunc) {
|
||||
SECOID_DestroyAlgorithmID(encoded_params.hashFunc, PR_TRUE);
|
||||
}
|
||||
if (encoded_params.maskGenFunc) {
|
||||
SECOID_DestroyAlgorithmID(encoded_params.maskGenFunc, PR_TRUE);
|
||||
}
|
||||
if (encoded_params.pSourceFunc) {
|
||||
SECOID_DestroyAlgorithmID(encoded_params.pSourceFunc, PR_TRUE);
|
||||
}
|
||||
SECOID_DestroyAlgorithmID(&mgf1hashAlg, PR_FALSE);
|
||||
return bulkkey;
|
||||
}
|
||||
|
||||
/* ====== ESECDH (Ephemeral-Static Elliptic Curve Diffie-Hellman) =========== */
|
||||
|
||||
typedef struct ECC_CMS_SharedInfoStr ECC_CMS_SharedInfo;
|
||||
|
@ -117,9 +287,6 @@ struct ECC_CMS_SharedInfoStr {
|
|||
SECItem suppPubInfo; /* length of KEK in bits as 32-bit number */
|
||||
};
|
||||
|
||||
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
|
||||
SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
|
||||
|
||||
static const SEC_ASN1Template ECC_CMS_SharedInfoTemplate[] = {
|
||||
{ SEC_ASN1_SEQUENCE,
|
||||
0, NULL, sizeof(ECC_CMS_SharedInfo) },
|
||||
|
@ -506,181 +673,3 @@ loser:
|
|||
SECOID_DestroyAlgorithmID(&keyWrapAlg, PR_FALSE);
|
||||
return bulkkey;
|
||||
}
|
||||
|
||||
/* ====== ESDH (Ephemeral-Static Diffie-Hellman) ==================================== */
|
||||
|
||||
SECStatus
|
||||
NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
|
||||
SECItem *encKey, SECItem *ukm, SECAlgorithmID *keyEncAlg,
|
||||
SECItem *pubKey)
|
||||
{
|
||||
#if 0 /* not yet done */
|
||||
SECOidTag certalgtag; /* the certificate's encryption algorithm */
|
||||
SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
|
||||
SECStatus rv;
|
||||
SECItem *params = NULL;
|
||||
int data_len;
|
||||
SECStatus err;
|
||||
PK11SymKey *tek;
|
||||
CERTCertificate *ourCert;
|
||||
SECKEYPublicKey *ourPubKey;
|
||||
NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
|
||||
|
||||
certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
|
||||
PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
|
||||
|
||||
/* We really want to show our KEA tag as the key exchange algorithm tag. */
|
||||
encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;
|
||||
|
||||
/* Get the public key of the recipient. */
|
||||
publickey = CERT_ExtractPublicKey(cert);
|
||||
if (publickey == NULL) goto loser;
|
||||
|
||||
/* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
|
||||
/* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
|
||||
if (ourCert == NULL) goto loser;
|
||||
|
||||
arena = PORT_NewArena(1024);
|
||||
if (arena == NULL) goto loser;
|
||||
|
||||
/* While we're here, extract the key pair's public key data and copy it into */
|
||||
/* the outgoing parameters. */
|
||||
/* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
|
||||
if (ourPubKey == NULL)
|
||||
{
|
||||
goto loser;
|
||||
}
|
||||
SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
|
||||
SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
|
||||
ourPubKey = NULL;
|
||||
|
||||
/* Extract our private key in order to derive the KEA key. */
|
||||
ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
|
||||
CERT_DestroyCertificate(ourCert); /* we're done with this */
|
||||
if (!ourPrivKey) goto loser;
|
||||
|
||||
/* If ukm desired, prepare it - allocate enough space (filled with zeros). */
|
||||
if (ukm) {
|
||||
ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
|
||||
ukm->len = /* XXXX */;
|
||||
}
|
||||
|
||||
/* Generate the KEK (key exchange key) according to RFC2631 which we use
|
||||
* to wrap the bulk encryption key. */
|
||||
kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
|
||||
ukm, NULL,
|
||||
/* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
|
||||
CKA_WRAP, 0, wincx);
|
||||
|
||||
SECKEY_DestroyPublicKey(publickey);
|
||||
SECKEY_DestroyPrivateKey(ourPrivKey);
|
||||
publickey = NULL;
|
||||
ourPrivKey = NULL;
|
||||
|
||||
if (!kek)
|
||||
goto loser;
|
||||
|
||||
/* allocate space for the encrypted CEK (bulk key) */
|
||||
encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
|
||||
encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
|
||||
|
||||
if (encKey->data == NULL)
|
||||
{
|
||||
PK11_FreeSymKey(kek);
|
||||
goto loser;
|
||||
}
|
||||
|
||||
|
||||
/* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
|
||||
/* bulk encryption algorithm */
|
||||
switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
|
||||
{
|
||||
case /* XXXX */CKM_SKIPJACK_CFB8:
|
||||
err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
|
||||
whichKEA = NSSCMSKEAUsesSkipjack;
|
||||
break;
|
||||
case /* XXXX */CKM_SKIPJACK_CFB8:
|
||||
err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
|
||||
whichKEA = NSSCMSKEAUsesSkipjack;
|
||||
break;
|
||||
default:
|
||||
/* XXXX what do we do here? Neither RC2 nor 3DES... */
|
||||
err = SECFailure;
|
||||
/* set error */
|
||||
break;
|
||||
}
|
||||
|
||||
PK11_FreeSymKey(kek); /* we do not need the KEK anymore */
|
||||
if (err != SECSuccess)
|
||||
goto loser;
|
||||
|
||||
PORT_Assert(whichKEA != NSSCMSKEAInvalid);
|
||||
|
||||
/* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
|
||||
/* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
|
||||
params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
|
||||
if (params == NULL)
|
||||
goto loser;
|
||||
|
||||
/* now set keyEncAlg */
|
||||
rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
|
||||
/* XXXXXXX this is not right yet */
|
||||
loser:
|
||||
if (arena) {
|
||||
PORT_FreeArena(arena, PR_FALSE);
|
||||
}
|
||||
if (publickey) {
|
||||
SECKEY_DestroyPublicKey(publickey);
|
||||
}
|
||||
if (ourPrivKey) {
|
||||
SECKEY_DestroyPrivateKey(ourPrivKey);
|
||||
}
|
||||
#endif
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
PK11SymKey *
|
||||
NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
|
||||
SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag,
|
||||
void *pwfn_arg)
|
||||
{
|
||||
#if 0 /* not yet done */
|
||||
SECStatus err;
|
||||
CK_MECHANISM_TYPE bulkType;
|
||||
PK11SymKey *tek;
|
||||
SECKEYPublicKey *originatorPubKey;
|
||||
NSSCMSSMIMEKEAParameters keaParams;
|
||||
|
||||
/* XXXX get originator's public key */
|
||||
originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
|
||||
keaParams.originatorKEAKey.len);
|
||||
if (originatorPubKey == NULL)
|
||||
goto loser;
|
||||
|
||||
/* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
|
||||
The Derive function generates a shared secret and combines it with the originatorRA
|
||||
data to come up with an unique session key */
|
||||
tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
|
||||
&keaParams.originatorRA, NULL,
|
||||
CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
|
||||
CKA_WRAP, 0, pwfn_arg);
|
||||
SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */
|
||||
if (tek == NULL)
|
||||
goto loser;
|
||||
|
||||
/* Now that we have the TEK, unwrap the bulk key
|
||||
with which to decrypt the message. */
|
||||
/* Skipjack is being used as the bulk encryption algorithm.*/
|
||||
/* Unwrap the bulk key. */
|
||||
bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
|
||||
encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
|
||||
|
||||
return bulkkey;
|
||||
|
||||
loser:
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
|
|
|
@ -157,7 +157,6 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg,
|
|||
rv = SECFailure;
|
||||
}
|
||||
break;
|
||||
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
|
||||
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
|
||||
PORT_Assert(type == NSSCMSRecipientID_IssuerSN);
|
||||
if (type != NSSCMSRecipientID_IssuerSN) {
|
||||
|
@ -271,7 +270,6 @@ NSS_CMSRecipient_IsSupported(CERTCertificate *cert)
|
|||
|
||||
switch (certalgtag) {
|
||||
case SEC_OID_PKCS1_RSA_ENCRYPTION:
|
||||
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
|
||||
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
|
||||
return PR_TRUE;
|
||||
default:
|
||||
|
@ -497,7 +495,6 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey,
|
|||
|
||||
rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
|
||||
break;
|
||||
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
|
||||
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
|
||||
rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
|
||||
if (rek == NULL) {
|
||||
|
@ -519,14 +516,6 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey,
|
|||
/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
|
||||
/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
|
||||
switch (certalgtag) {
|
||||
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
|
||||
rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey,
|
||||
&rek->encKey,
|
||||
&ri->ri.keyAgreeRecipientInfo.ukm,
|
||||
&ri->ri.keyAgreeRecipientInfo.keyEncAlg,
|
||||
&oiok->id.originatorPublicKey.publicKey);
|
||||
break;
|
||||
|
||||
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
|
||||
if (ri->cmsg) {
|
||||
wincx = ri->cmsg->pwfn_arg;
|
||||
|
@ -566,7 +555,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
|
|||
{
|
||||
PK11SymKey *bulkkey = NULL;
|
||||
SECOidTag encalgtag;
|
||||
SECItem *enckey, *ukm;
|
||||
SECItem *enckey, *ukm, *parameters;
|
||||
NSSCMSOriginatorIdentifierOrKey *oiok;
|
||||
int error;
|
||||
void *wincx = NULL;
|
||||
|
@ -584,6 +573,12 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
|
|||
/* get the symmetric (bulk) key by unwrapping it using our private key */
|
||||
bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag);
|
||||
break;
|
||||
case SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION:
|
||||
/* RSA OAEP encryption algorithm: */
|
||||
/* get the symmetric (bulk) key by unwrapping it using our private key */
|
||||
parameters = &(ri->ri.keyTransRecipientInfo.keyEncAlg.parameters);
|
||||
bulkkey = NSS_CMSUtil_DecryptSymKey_RSA_OAEP(privkey, parameters, enckey, bulkalgtag);
|
||||
break;
|
||||
default:
|
||||
error = SEC_ERROR_UNSUPPORTED_KEYALG;
|
||||
goto loser;
|
||||
|
@ -613,18 +608,6 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
|
|||
bulkalgtag, ukm, oiok, wincx);
|
||||
break;
|
||||
|
||||
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
|
||||
/* Diffie-Helman key exchange */
|
||||
/* XXX not yet implemented */
|
||||
/* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */
|
||||
/* we support ephemeral-static DH only, so if the recipientinfo */
|
||||
/* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */
|
||||
/* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */
|
||||
/* content encryption key using a Unwrap op */
|
||||
/* the derive operation has to generate the key using the algorithm in RFC2631 */
|
||||
error = SEC_ERROR_UNSUPPORTED_KEYALG;
|
||||
goto loser;
|
||||
break;
|
||||
default:
|
||||
error = SEC_ERROR_UNSUPPORTED_KEYALG;
|
||||
goto loser;
|
||||
|
|
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256hash-label_ossl.env
Normal file
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256hash-label_ossl.env
Normal file
Двоичный файл не отображается.
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256hash-sha256mgf_ossl.env
Normal file
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256hash-sha256mgf_ossl.env
Normal file
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256mgf-label_ossl.env
Normal file
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256mgf-label_ossl.env
Normal file
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичный файл не отображается.
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep_ossl-sha256hash-sha256mgf-label.env
Normal file
Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep_ossl-sha256hash-sha256mgf-label.env
Normal file
Двоичный файл не отображается.
Двоичный файл не отображается.
|
@ -486,10 +486,95 @@ smime_p7()
|
|||
smime_enveloped_openssl_interop() {
|
||||
echo "$SCRIPTNAME: OpenSSL interoperability --------------------------------"
|
||||
|
||||
${BINDIR}/pk12util -d ${P_R_ALICEDIR} -i tb/Fran.p12 -W nss -K nss
|
||||
${BINDIR}/pk12util -d ${P_R_ALICEDIR} -i tb/Fran-ec.p12 -W nss -K nss
|
||||
|
||||
echo "This is a test message to Fran." > fran.txt
|
||||
|
||||
echo "cmsutil -D -i fran-oaep_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data1"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data1
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data1
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha256hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data2"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data2
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data2
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha384hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data3"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha384hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data3
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data3
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha512hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data4"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha512hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data4
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data4
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data5"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data5
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data5
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha384mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data6"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha384mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data6
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data6
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha512mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data7"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha512mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data7
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data7
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data8"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data8
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data8
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha256hash-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data9"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256hash-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data9
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data9
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha256hash-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data10"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256hash-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data10
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data10
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep-sha256mgf-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data11"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256mgf-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data11
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data11
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-oaep_ossl-sha256hash-sha256mgf-label.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data12"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep_ossl-sha256hash-sha256mgf-label.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data12
|
||||
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
|
||||
|
||||
diff fran.txt fran-oaep.data12
|
||||
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
|
||||
|
||||
echo "cmsutil -D -i fran-ec_ossl-aes128-sha1.env -d ${P_R_ALICEDIR} -p nss -o fran.data1"
|
||||
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-ec_ossl-aes128-sha1.env -d ${P_R_ALICEDIR} -p nss -o fran.data1
|
||||
html_msg $? 0 "Decode OpenSSL Enveloped Data Fran (ECDH, AES128 key wrap, SHA-1 KDF)" "."
|
||||
|
|
Загрузка…
Ссылка в новой задаче