mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1891763 - land NSS NSS_3_100_BETA2 UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck 

Differential Revision: https://phabricator.services.mozilla.com/D209058
This commit is contained in:
Dennis Jackson 2024-05-01 09:24:48 +00:00
Родитель f1532761de
Коммит f52be1ea9f
40 изменённых файлов: 277 добавлений и 4805 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
NSS_3_100_BETA1
NSS_3_100_BETA2

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

25
security/nss/lib/ckfw/Makefile
Просмотреть файл

@ -11,29 +11,4 @@ ifdef BUILD_IDG
DEFINES += -DNSSDEBUG
endif
ifdef NOTDEF # was ifdef MOZILLA_CLIENT
NSS_BUILD_CAPI = 1
endif
# This'll need some help from a build person.
# The generated files are checked in, and differ from what ckapi.perl
# will produce. ckapi.perl is currently newer than the targets, so
# these rules are invoked, causing the wrong files to be generated.
# Turning off to fix builds.
#
# nssckepv.h: ck.api ckapi.perl
# nssckft.h: ck.api ckapi.perl
# nssckg.h: ck.api ckapi.perl
# nssck.api: ck.api ckapi.perl
# $(PERL) ckapi.perl ck.api
# can't do this in manifest.mn because OS_TARGET isn't defined there.
ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
ifdef NSS_BUILD_CAPI
DIRS += capi
endif
endif
include $(CORE_DEPTH)/coreconf/rules.mk

82
security/nss/lib/ckfw/capi/Makefile
Просмотреть файл

@ -1,82 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
include manifest.mn
include $(CORE_DEPTH)/coreconf/config.mk
ifdef BUILD_IDG
DEFINES += -DNSSDEBUG
endif
#
# To create a loadable module on Darwin, we must use -bundle.
#
ifeq ($(OS_TARGET),Darwin)
DSO_LDOPTS = -bundle
endif
EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
$(NULL)
# can't do this in manifest.mn because OS_TARGET isn't defined there.
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
ifdef NS_USE_GCC
EXTRA_LIBS += \
-L$(NSPR_LIB_DIR) \
-lplc4 \
-lplds4 \
-lnspr4 \
-lcrypt32 \
-ladvapi32 \
-lrpcrt4 \
$(NULL)
else
EXTRA_SHARED_LIBS += \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
crypt32.lib \
advapi32.lib \
rpcrt4.lib \
$(NULL)
endif # NS_USE_GCC
else
EXTRA_LIBS += \
-L$(NSPR_LIB_DIR) \
-lplc4 \
-lplds4 \
-lnspr4 \
$(NULL)
endif
include $(CORE_DEPTH)/coreconf/rules.mk
# Generate certdata.c.
generate:
$(PERL) certdata.perl < certdata.txt
# This'll need some help from a build person.
ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
DSO_LDOPTS = -bM:SRE -bh:4 -bnoentry
EXTRA_DSO_LDOPTS = -lc
MKSHLIB = xlC $(DSO_LDOPTS)
$(SHARED_LIBRARY): $(OBJS) | $$(@D)/d
rm -f $@
$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
chmod +x $@
endif
ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
LD += -G
endif

7
security/nss/lib/ckfw/capi/README
Просмотреть файл

@ -1,7 +0,0 @@
This Cryptoki module provides acces to certs and keys stored in
Microsofts CAPI certificate store.
It does not import or export CA Root trust from the CAPI.
It does not import or export CRLs from the CAPI.
It does not handle S/MIME objects (pkcs #7 in capi terms?).
It does not yet handle it's own PIN. (CAPI does all the pin prompting).

17
security/nss/lib/ckfw/capi/anchor.c
Просмотреть файл

@ -1,17 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* capi/canchor.c
*
* This file "anchors" the actual cryptoki entry points in this module's
* shared library, which is required for dynamic loading. See the
* comments in nssck.api for more information.
*/
#include "ckcapi.h"
#define MODULE_NAME ckcapi
#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckcapi_mdInstance
#include "nssck.api"

561
security/nss/lib/ckfw/capi/cfind.c
Просмотреть файл

@ -1,561 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef CKCAPI_H
#include "ckcapi.h"
#endif /* CKCAPI_H */
/*
* ckcapi/cfind.c
*
* This file implements the NSSCKMDFindObjects object for the
* "capi" cryptoki module.
*/
struct ckcapiFOStr {
NSSArena *arena;
CK_ULONG n;
CK_ULONG i;
ckcapiInternalObject **objs;
};
static void
ckcapi_mdFindObjects_Final(
NSSCKMDFindObjects *mdFindObjects,
NSSCKFWFindObjects *fwFindObjects,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
NSSArena *arena = fo->arena;
PRUint32 i;
/* walk down an free the unused 'objs' */
for (i = fo->i; i < fo->n; i++) {
nss_ckcapi_DestroyInternalObject(fo->objs[i]);
}
nss_ZFreeIf(fo->objs);
nss_ZFreeIf(fo);
nss_ZFreeIf(mdFindObjects);
if ((NSSArena *)NULL != arena) {
NSSArena_Destroy(arena);
}
return;
}
static NSSCKMDObject *
ckcapi_mdFindObjects_Next(
NSSCKMDFindObjects *mdFindObjects,
NSSCKFWFindObjects *fwFindObjects,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSArena *arena,
CK_RV *pError)
{
struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
ckcapiInternalObject *io;
if (fo->i == fo->n) {
*pError = CKR_OK;
return (NSSCKMDObject *)NULL;
}
io = fo->objs[fo->i];
fo->i++;
return nss_ckcapi_CreateMDObject(arena, io, pError);
}
static CK_BBOOL
ckcapi_attrmatch(
CK_ATTRIBUTE_PTR a,
ckcapiInternalObject *o)
{
PRBool prb;
const NSSItem *b;
b = nss_ckcapi_FetchAttribute(o, a->type);
if (b == NULL) {
return CK_FALSE;
}
if (a->ulValueLen != b->size) {
/* match a decoded serial number */
if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
unsigned int len;
unsigned char *data;
data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);
if ((len == a->ulValueLen) &&
nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
return CK_TRUE;
}
}
return CK_FALSE;
}
prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
if (PR_TRUE == prb) {
return CK_TRUE;
} else {
return CK_FALSE;
}
}
static CK_BBOOL
ckcapi_match(
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
ckcapiInternalObject *o)
{
CK_ULONG i;
for (i = 0; i < ulAttributeCount; i++) {
if (CK_FALSE == ckcapi_attrmatch(&pTemplate[i], o)) {
return CK_FALSE;
}
}
/* Every attribute passed */
return CK_TRUE;
}
#define CKAPI_ITEM_CHUNK 20
#define PUT_Object(obj, err) \
{ \
if (count >= size) { \
*listp = *listp ? nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
(size + \
CKAPI_ITEM_CHUNK)) \
: nss_ZNEWARRAY(NULL, ckcapiInternalObject *, \
(size + \
CKAPI_ITEM_CHUNK)); \
if ((ckcapiInternalObject **)NULL == *listp) { \
err = CKR_HOST_MEMORY; \
goto loser; \
} \
size += CKAPI_ITEM_CHUNK; \
} \
(*listp)[count] = (obj); \
count++; \
}
/*
* pass parameters back through the callback.
*/
typedef struct BareCollectParamsStr {
CK_OBJECT_CLASS objClass;
CK_ATTRIBUTE_PTR pTemplate;
CK_ULONG ulAttributeCount;
ckcapiInternalObject ***listp;
PRUint32 size;
PRUint32 count;
} BareCollectParams;
/* collect_bare's callback. Called for each object that
* supposedly has a PROVINDER_INFO property */
static BOOL WINAPI
doBareCollect(
const CRYPT_HASH_BLOB *msKeyID,
DWORD flags,
void *reserved,
void *args,
DWORD cProp,
DWORD *propID,
void **propData,
DWORD *propSize)
{
BareCollectParams *bcp = (BareCollectParams *)args;
PRUint32 size = bcp->size;
PRUint32 count = bcp->count;
ckcapiInternalObject ***listp = bcp->listp;
ckcapiInternalObject *io = NULL;
DWORD i;
CRYPT_KEY_PROV_INFO *keyProvInfo = NULL;
void *idData;
CK_RV error;
/* make sure there is a Key Provider Info property */
for (i = 0; i < cProp; i++) {
if (CERT_KEY_PROV_INFO_PROP_ID == propID[i]) {
keyProvInfo = (CRYPT_KEY_PROV_INFO *)propData[i];
break;
}
}
if ((CRYPT_KEY_PROV_INFO *)NULL == keyProvInfo) {
return 1;
}
/* copy the key ID */
idData = nss_ZNEWARRAY(NULL, char, msKeyID->cbData);
if ((void *)NULL == idData) {
goto loser;
}
nsslibc_memcpy(idData, msKeyID->pbData, msKeyID->cbData);
/* build a bare internal object */
io = nss_ZNEW(NULL, ckcapiInternalObject);
if ((ckcapiInternalObject *)NULL == io) {
goto loser;
}
io->type = ckcapiBareKey;
io->objClass = bcp->objClass;
io->u.key.provInfo = *keyProvInfo;
io->u.key.provInfo.pwszContainerName =
nss_ckcapi_WideDup(keyProvInfo->pwszContainerName);
io->u.key.provInfo.pwszProvName =
nss_ckcapi_WideDup(keyProvInfo->pwszProvName);
io->u.key.provName = nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
io->u.key.containerName =
nss_ckcapi_WideToUTF8(keyProvInfo->pwszContainerName);
io->u.key.hProv = 0;
io->idData = idData;
io->id.data = idData;
io->id.size = msKeyID->cbData;
idData = NULL;
/* see if it matches */
if (CK_FALSE == ckcapi_match(bcp->pTemplate, bcp->ulAttributeCount, io)) {
goto loser;
}
PUT_Object(io, error);
bcp->size = size;
bcp->count = count;
return 1;
loser:
if (io) {
nss_ckcapi_DestroyInternalObject(io);
}
nss_ZFreeIf(idData);
return 1;
}
/*
* collect the bare keys running around
*/
static PRUint32
collect_bare(
CK_OBJECT_CLASS objClass,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
ckcapiInternalObject ***listp,
PRUint32 *sizep,
PRUint32 count,
CK_RV *pError)
{
BOOL rc;
BareCollectParams bareCollectParams;
bareCollectParams.objClass = objClass;
bareCollectParams.pTemplate = pTemplate;
bareCollectParams.ulAttributeCount = ulAttributeCount;
bareCollectParams.listp = listp;
bareCollectParams.size = *sizep;
bareCollectParams.count = count;
rc = CryptEnumKeyIdentifierProperties(NULL, CERT_KEY_PROV_INFO_PROP_ID, 0,
NULL, NULL, &bareCollectParams, doBareCollect);
*sizep = bareCollectParams.size;
return bareCollectParams.count;
}
/* find all the certs that represent the appropriate object (cert, priv key, or
* pub key) in the cert store.
*/
static PRUint32
collect_class(
CK_OBJECT_CLASS objClass,
LPCSTR storeStr,
PRBool hasID,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
ckcapiInternalObject ***listp,
PRUint32 *sizep,
PRUint32 count,
CK_RV *pError)
{
PRUint32 size = *sizep;
ckcapiInternalObject *next = NULL;
HCERTSTORE hStore;
PCCERT_CONTEXT certContext = NULL;
PRBool isKey =
(objClass == CKO_PUBLIC_KEY) | (objClass == CKO_PRIVATE_KEY);
hStore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr);
if (NULL == hStore) {
return count; /* none found does not imply an error */
}
/* FUTURE: use CertFindCertificateInStore to filter better -- so we don't
* have to enumerate all the certificates */
while ((PCERT_CONTEXT)NULL !=
(certContext = CertEnumCertificatesInStore(hStore, certContext))) {
/* first filter out non user certs if we are looking for keys */
if (isKey) {
/* make sure there is a Key Provider Info property */
CRYPT_KEY_PROV_INFO *keyProvInfo;
DWORD size = 0;
BOOL rv;
rv = CertGetCertificateContextProperty(certContext,
CERT_KEY_PROV_INFO_PROP_ID, NULL, &size);
if (!rv) {
int reason = GetLastError();
/* we only care if it exists, we don't really need to fetch it yet */
if (reason == CRYPT_E_NOT_FOUND) {
continue;
}
}
/* filter out the non-microsoft providers */
keyProvInfo = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
if (keyProvInfo) {
rv = CertGetCertificateContextProperty(certContext,
CERT_KEY_PROV_INFO_PROP_ID, keyProvInfo, &size);
if (rv) {
char *provName =
nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
nss_ZFreeIf(keyProvInfo);
if (provName &&
(strncmp(provName, "Microsoft", sizeof("Microsoft") - 1) != 0)) {
continue;
}
} else {
int reason =
GetLastError();
/* we only care if it exists, we don't really need to fetch it yet */
nss_ZFreeIf(keyProvInfo);
if (reason ==
CRYPT_E_NOT_FOUND) {
continue;
}
}
}
}
if ((ckcapiInternalObject *)NULL == next) {
next = nss_ZNEW(NULL, ckcapiInternalObject);
if ((ckcapiInternalObject *)NULL == next) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
}
next->type = ckcapiCert;
next->objClass = objClass;
next->u.cert.certContext = certContext;
next->u.cert.hasID = hasID;
next->u.cert.certStore = storeStr;
if (CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, next)) {
/* clear cached values that may be dependent on our old certContext */
memset(&next->u.cert, 0, sizeof(next->u.cert));
/* get a 'permanent' context */
next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
next->objClass = objClass;
next->u.cert.certContext = certContext;
next->u.cert.hasID = hasID;
next->u.cert.certStore = storeStr;
PUT_Object(next, *pError);
next = NULL; /* need to allocate a new one now */
} else {
/* don't cache the values we just loaded */
memset(&next->u.cert, 0, sizeof(next->u.cert));
}
}
loser:
CertCloseStore(hStore, 0);
nss_ZFreeIf(next);
*sizep = size;
return count;
}
NSS_IMPLEMENT PRUint32
nss_ckcapi_collect_all_certs(
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
ckcapiInternalObject ***listp,
PRUint32 *sizep,
PRUint32 count,
CK_RV *pError)
{
count = collect_class(CKO_CERTIFICATE, "My", PR_TRUE, pTemplate,
ulAttributeCount, listp, sizep, count, pError);
/*count = collect_class(CKO_CERTIFICATE, "AddressBook", PR_FALSE, pTemplate,
ulAttributeCount, listp, sizep, count, pError); */
count = collect_class(CKO_CERTIFICATE, "CA", PR_FALSE, pTemplate,
ulAttributeCount, listp, sizep, count, pError);
count = collect_class(CKO_CERTIFICATE, "Root", PR_FALSE, pTemplate,
ulAttributeCount, listp, sizep, count, pError);
count = collect_class(CKO_CERTIFICATE, "Trust", PR_FALSE, pTemplate,
ulAttributeCount, listp, sizep, count, pError);
count = collect_class(CKO_CERTIFICATE, "TrustedPeople", PR_FALSE, pTemplate,
ulAttributeCount, listp, sizep, count, pError);
count = collect_class(CKO_CERTIFICATE, "AuthRoot", PR_FALSE, pTemplate,
ulAttributeCount, listp, sizep, count, pError);
return count;
}
CK_OBJECT_CLASS
ckcapi_GetObjectClass(CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount)
{
CK_ULONG i;
for (i = 0; i < ulAttributeCount; i++) {
if (pTemplate[i].type == CKA_CLASS) {
return *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
}
}
/* need to return a value that says 'fetch them all' */
return CK_INVALID_HANDLE;
}
static PRUint32
collect_objects(
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
ckcapiInternalObject ***listp,
CK_RV *pError)
{
PRUint32 i;
PRUint32 count = 0;
PRUint32 size = 0;
CK_OBJECT_CLASS objClass;
/*
* first handle the static build in objects (if any)
*/
for (i = 0; i < nss_ckcapi_nObjects; i++) {
ckcapiInternalObject *o = (ckcapiInternalObject *)&nss_ckcapi_data[i];
if (CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, o)) {
PUT_Object(o, *pError);
}
}
/*
* now handle the various object types
*/
objClass = ckcapi_GetObjectClass(pTemplate, ulAttributeCount);
*pError = CKR_OK;
switch (objClass) {
case CKO_CERTIFICATE:
count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp,
&size, count, pError);
break;
case CKO_PUBLIC_KEY:
count = collect_class(objClass, "My", PR_TRUE, pTemplate,
ulAttributeCount, listp, &size, count, pError);
count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
&size, count, pError);
break;
case CKO_PRIVATE_KEY:
count = collect_class(objClass, "My", PR_TRUE, pTemplate,
ulAttributeCount, listp, &size, count, pError);
count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
&size, count, pError);
break;
/* all of them */
case CK_INVALID_HANDLE:
count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp,
&size, count, pError);
count = collect_class(CKO_PUBLIC_KEY, "My", PR_TRUE, pTemplate,
ulAttributeCount, listp, &size, count, pError);
count = collect_bare(CKO_PUBLIC_KEY, pTemplate, ulAttributeCount, listp,
&size, count, pError);
count = collect_class(CKO_PRIVATE_KEY, "My", PR_TRUE, pTemplate,
ulAttributeCount, listp, &size, count, pError);
count = collect_bare(CKO_PRIVATE_KEY, pTemplate, ulAttributeCount, listp,
&size, count, pError);
break;
default:
goto done; /* no other object types we understand in this module */
}
if (CKR_OK != *pError) {
goto loser;
}
done:
return count;
loser:
nss_ZFreeIf(*listp);
return 0;
}
NSS_IMPLEMENT NSSCKMDFindObjects *
nss_ckcapi_FindObjectsInit(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
/* This could be made more efficient. I'm rather rushed. */
NSSArena *arena;
NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
struct ckcapiFOStr *fo = (struct ckcapiFOStr *)NULL;
ckcapiInternalObject **temp = (ckcapiInternalObject **)NULL;
arena = NSSArena_Create();
if ((NSSArena *)NULL == arena) {
goto loser;
}
rv = nss_ZNEW(arena, NSSCKMDFindObjects);
if ((NSSCKMDFindObjects *)NULL == rv) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
fo = nss_ZNEW(arena, struct ckcapiFOStr);
if ((struct ckcapiFOStr *)NULL == fo) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
fo->arena = arena;
/* fo->n and fo->i are already zero */
rv->etc = (void *)fo;
rv->Final = ckcapi_mdFindObjects_Final;
rv->Next = ckcapi_mdFindObjects_Next;
rv->null = (void *)NULL;
fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
if (*pError != CKR_OK) {
goto loser;
}
fo->objs = nss_ZNEWARRAY(arena, ckcapiInternalObject *, fo->n);
if ((ckcapiInternalObject **)NULL == fo->objs) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
(void)nsslibc_memcpy(fo->objs, temp, sizeof(ckcapiInternalObject *) * fo->n);
nss_ZFreeIf(temp);
temp = (ckcapiInternalObject **)NULL;
return rv;
loser:
nss_ZFreeIf(temp);
nss_ZFreeIf(fo);
nss_ZFreeIf(rv);
if ((NSSArena *)NULL != arena) {
NSSArena_Destroy(arena);
}
return (NSSCKMDFindObjects *)NULL;
}

97
security/nss/lib/ckfw/capi/cinst.c
Просмотреть файл

@ -1,97 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ckcapi.h"
/*
* ckcapi/cinstance.c
*
* This file implements the NSSCKMDInstance object for the
* "capi" cryptoki module.
*/
/*
* NSSCKMDInstance methods
*/
static CK_ULONG
ckcapi_mdInstance_GetNSlots(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (CK_ULONG)1;
}
static CK_VERSION
ckcapi_mdInstance_GetCryptokiVersion(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return nss_ckcapi_CryptokiVersion;
}
static NSSUTF8 *
ckcapi_mdInstance_GetManufacturerID(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
}
static NSSUTF8 *
ckcapi_mdInstance_GetLibraryDescription(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_LibraryDescription;
}
static CK_VERSION
ckcapi_mdInstance_GetLibraryVersion(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return nss_ckcapi_LibraryVersion;
}
static CK_RV
ckcapi_mdInstance_GetSlots(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDSlot *slots[])
{
slots[0] = (NSSCKMDSlot *)&nss_ckcapi_mdSlot;
return CKR_OK;
}
static CK_BBOOL
ckcapi_mdInstance_ModuleHandlesSessionObjects(
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
/* we don't want to allow any session object creation, at least
* until we can investigate whether or not we can use those objects
*/
return CK_TRUE;
}
NSS_IMPLEMENT_DATA const NSSCKMDInstance
nss_ckcapi_mdInstance = {
(void *)NULL, /* etc */
NULL, /* Initialize */
NULL, /* Finalize */
ckcapi_mdInstance_GetNSlots,
ckcapi_mdInstance_GetCryptokiVersion,
ckcapi_mdInstance_GetManufacturerID,
ckcapi_mdInstance_GetLibraryDescription,
ckcapi_mdInstance_GetLibraryVersion,
ckcapi_mdInstance_ModuleHandlesSessionObjects,
/*NULL, /* HandleSessionObjects */
ckcapi_mdInstance_GetSlots,
NULL, /* WaitForSlotEvent */
(void *)NULL /* null terminator */
};

242
security/nss/lib/ckfw/capi/ckcapi.h
Просмотреть файл

@ -1,242 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef CKCAPI_H
#define CKCAPI_H 1
#include "nssckmdt.h"
#include "nssckfw.h"
/*
* I'm including this for access to the arena functions.
* Looks like we should publish that API.
*/
#ifndef BASE_H
#include "base.h"
#endif /* BASE_H */
/*
* This is where the Netscape extensions live, at least for now.
*/
#ifndef CKT_H
#include "ckt.h"
#endif /* CKT_H */
#include "wtypes.h"
#include "wincrypt.h"
/*
* statically defined raw objects. Allows us to data description objects
* to this PKCS #11 module.
*/
struct ckcapiRawObjectStr {
CK_ULONG n;
const CK_ATTRIBUTE_TYPE *types;
const NSSItem *items;
};
typedef struct ckcapiRawObjectStr ckcapiRawObject;
/*
* common values needed for both bare keys and cert referenced keys.
*/
struct ckcapiKeyParamsStr {
NSSItem modulus;
NSSItem exponent;
NSSItem privateExponent;
NSSItem prime1;
NSSItem prime2;
NSSItem exponent1;
NSSItem exponent2;
NSSItem coefficient;
unsigned char publicExponentData[sizeof(CK_ULONG)];
void *privateKey;
void *pubKey;
};
typedef struct ckcapiKeyParamsStr ckcapiKeyParams;
/*
* Key objects. Handles bare keys which do not yet have certs associated
* with them. These are usually short lived, but may exist for several days
* while the CA is issuing the certificate.
*/
struct ckcapiKeyObjectStr {
CRYPT_KEY_PROV_INFO provInfo;
char *provName;
char *containerName;
HCRYPTPROV hProv;
ckcapiKeyParams key;
};
typedef struct ckcapiKeyObjectStr ckcapiKeyObject;
/*
* Certificate and certificate referenced keys.
*/
struct ckcapiCertObjectStr {
PCCERT_CONTEXT certContext;
PRBool hasID;
const char *certStore;
NSSItem label;
NSSItem subject;
NSSItem issuer;
NSSItem serial;
NSSItem derCert;
ckcapiKeyParams key;
unsigned char *labelData;
/* static data: to do, make this dynamic like labelData */
unsigned char derSerial[128];
};
typedef struct ckcapiCertObjectStr ckcapiCertObject;
typedef enum {
ckcapiRaw,
ckcapiCert,
ckcapiBareKey
} ckcapiObjectType;
/*
* all the various types of objects are abstracted away in cobject and
* cfind as ckcapiInternalObjects.
*/
struct ckcapiInternalObjectStr {
ckcapiObjectType type;
union {
ckcapiRawObject raw;
ckcapiCertObject cert;
ckcapiKeyObject key;
} u;
CK_OBJECT_CLASS objClass;
NSSItem hashKey;
NSSItem id;
void *idData;
unsigned char hashKeyData[128];
NSSCKMDObject mdObject;
};
typedef struct ckcapiInternalObjectStr ckcapiInternalObject;
/* our raw object data array */
NSS_EXTERN_DATA ckcapiInternalObject nss_ckcapi_data[];
NSS_EXTERN_DATA const PRUint32 nss_ckcapi_nObjects;
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_CryptokiVersion;
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_ManufacturerID;
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_LibraryDescription;
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_LibraryVersion;
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_SlotDescription;
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_HardwareVersion;
NSS_EXTERN_DATA const CK_VERSION nss_ckcapi_FirmwareVersion;
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_TokenLabel;
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_TokenModel;
NSS_EXTERN_DATA const NSSUTF8 *nss_ckcapi_TokenSerialNumber;
NSS_EXTERN_DATA const NSSCKMDInstance nss_ckcapi_mdInstance;
NSS_EXTERN_DATA const NSSCKMDSlot nss_ckcapi_mdSlot;
NSS_EXTERN_DATA const NSSCKMDToken nss_ckcapi_mdToken;
NSS_EXTERN_DATA const NSSCKMDMechanism nss_ckcapi_mdMechanismRSA;
NSS_EXTERN NSSCKMDSession *
nss_ckcapi_CreateSession(
NSSCKFWSession *fwSession,
CK_RV *pError);
NSS_EXTERN NSSCKMDFindObjects *
nss_ckcapi_FindObjectsInit(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError);
/*
* Object Utilities
*/
NSS_EXTERN NSSCKMDObject *
nss_ckcapi_CreateMDObject(
NSSArena *arena,
ckcapiInternalObject *io,
CK_RV *pError);
NSS_EXTERN NSSCKMDObject *
nss_ckcapi_CreateObject(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError);
NSS_EXTERN const NSSItem *
nss_ckcapi_FetchAttribute(
ckcapiInternalObject *io,
CK_ATTRIBUTE_TYPE type);
NSS_EXTERN void
nss_ckcapi_DestroyInternalObject(
ckcapiInternalObject *io);
NSS_EXTERN CK_RV
nss_ckcapi_FetchKeyContainer(
ckcapiInternalObject *iKey,
HCRYPTPROV *hProv,
DWORD *keySpec,
HCRYPTKEY *hKey);
/*
* generic utilities
*/
/*
* So everyone else in the worlds stores their bignum data MSB first, but not
* Microsoft, we need to byte swap everything coming into and out of CAPI.
*/
void
ckcapi_ReverseData(
NSSItem *item);
/*
* unwrap a single DER value
*/
unsigned char *
nss_ckcapi_DERUnwrap(
unsigned char *src,
unsigned int size,
unsigned int *outSize,
unsigned char **next);
/*
* Return the size in bytes of a wide string
*/
int
nss_ckcapi_WideSize(
LPCWSTR wide);
/*
* Covert a Unicode wide character string to a UTF8 string
*/
char *
nss_ckcapi_WideToUTF8(
LPCWSTR wide);
/*
* Return a Wide String duplicated with nss allocated memory.
*/
LPWSTR
nss_ckcapi_WideDup(
LPCWSTR wide);
/*
* Covert a UTF8 string to Unicode wide character
*/
LPWSTR
nss_ckcapi_UTF8ToWide(
char *buf);
NSS_EXTERN PRUint32
nss_ckcapi_collect_all_certs(
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
ckcapiInternalObject ***listp,
PRUint32 *sizep,
PRUint32 count,
CK_RV *pError);
#define NSS_CKCAPI_ARRAY_SIZE(x) ((sizeof(x)) / (sizeof((x)[0])))
#endif

17
security/nss/lib/ckfw/capi/ckcapiver.c
Просмотреть файл

@ -1,17 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Library identity and versioning */
#include "nsscapi.h"
#if defined(DEBUG)
#define _DEBUG_STRING " (debug)"
#else
#define _DEBUG_STRING ""
#endif
/*
* Version information
*/
const char __nss_ckcapi_version[] = "Version: NSS Access to Microsoft Certificate Store " NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING;

2226
security/nss/lib/ckfw/capi/cobject.c
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

63
security/nss/lib/ckfw/capi/constants.c
Просмотреть файл

@ -1,63 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* ckcapi/constants.c
*
* Identification and other constants, all collected here in one place.
*/
#ifndef NSSBASET_H
#include "nssbaset.h"
#endif /* NSSBASET_H */
#ifndef NSSCKT_H
#include "nssckt.h"
#endif /* NSSCKT_H */
#ifndef NSSCAPI_H
#include "nsscapi.h"
#endif /* NSSCAPI_H */
NSS_IMPLEMENT_DATA const CK_VERSION
nss_ckcapi_CryptokiVersion = {
NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR,
NSS_CKCAPI_CRYPTOKI_VERSION_MINOR
};
NSS_IMPLEMENT_DATA const NSSUTF8 *
nss_ckcapi_ManufacturerID = (NSSUTF8 *)"Mozilla Foundation";
NSS_IMPLEMENT_DATA const NSSUTF8 *
nss_ckcapi_LibraryDescription = (NSSUTF8 *)"NSS Access to Microsoft Certificate Store";
NSS_IMPLEMENT_DATA const CK_VERSION
nss_ckcapi_LibraryVersion = {
NSS_CKCAPI_LIBRARY_VERSION_MAJOR,
NSS_CKCAPI_LIBRARY_VERSION_MINOR
};
NSS_IMPLEMENT_DATA const NSSUTF8 *
nss_ckcapi_SlotDescription = (NSSUTF8 *)"Microsoft Certificate Store";
NSS_IMPLEMENT_DATA const CK_VERSION
nss_ckcapi_HardwareVersion = {
NSS_CKCAPI_HARDWARE_VERSION_MAJOR,
NSS_CKCAPI_HARDWARE_VERSION_MINOR
};
NSS_IMPLEMENT_DATA const CK_VERSION
nss_ckcapi_FirmwareVersion = {
NSS_CKCAPI_FIRMWARE_VERSION_MAJOR,
NSS_CKCAPI_FIRMWARE_VERSION_MINOR
};
NSS_IMPLEMENT_DATA const NSSUTF8 *
nss_ckcapi_TokenLabel = (NSSUTF8 *)"Microsoft Certificate Store";
NSS_IMPLEMENT_DATA const NSSUTF8 *
nss_ckcapi_TokenModel = (NSSUTF8 *)"1";
NSS_IMPLEMENT_DATA const NSSUTF8 *
nss_ckcapi_TokenSerialNumber = (NSSUTF8 *)"1";

687
security/nss/lib/ckfw/capi/crsa.c
Просмотреть файл

@ -1,687 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ckcapi.h"
#include "secdert.h"
#define SSL3_SHAMD5_HASH_SIZE 36 /* LEN_MD5 (16) + LEN_SHA1 (20) */
/*
* ckcapi/crsa.c
*
* This file implements the NSSCKMDMechnaism and NSSCKMDCryptoOperation objects
* for the RSA operation on the CAPI cryptoki module.
*/
/*
* write a Decimal value to a string
*/
static char *
putDecimalString(char *cstr, unsigned long value)
{
unsigned long tenpower;
int first = 1;
for (tenpower = 10000000; tenpower; tenpower /= 10) {
unsigned char digit = (unsigned char)(value / tenpower);
value = value % tenpower;
/* drop leading zeros */
if (first && (0 == digit)) {
continue;
}
first = 0;
*cstr++ = digit + '0';
}
/* if value was zero, put one of them out */
if (first) {
*cstr++ = '0';
}
return cstr;
}
/*
* Create a Capi OID string value from a DER OID
*/
static char *
nss_ckcapi_GetOidString(
unsigned char *oidTag,
unsigned int oidTagSize,
CK_RV *pError)
{
unsigned char *oid;
char *oidStr;
char *cstr;
unsigned long value;
unsigned int oidSize;
if (DER_OBJECT_ID != *oidTag) {
/* wasn't an oid */
*pError = CKR_DATA_INVALID;
return NULL;
}
oid = nss_ckcapi_DERUnwrap(oidTag, oidTagSize, &oidSize, NULL);
if (oidSize < 2) {
*pError = CKR_DATA_INVALID;
return NULL;
}
oidStr = nss_ZNEWARRAY(NULL, char, oidSize * 4);
if ((char *)NULL == oidStr) {
*pError = CKR_HOST_MEMORY;
return NULL;
}
cstr = oidStr;
cstr = putDecimalString(cstr, (*oid) / 40);
*cstr++ = '.';
cstr = putDecimalString(cstr, (*oid) % 40);
oidSize--;
value = 0;
while (oidSize--) {
oid++;
value = (value << 7) + (*oid & 0x7f);
if (0 == (*oid & 0x80)) {
*cstr++ = '.';
cstr = putDecimalString(cstr, value);
value = 0;
}
}
*cstr = 0; /* NULL terminate */
if (value != 0) {
nss_ZFreeIf(oidStr);
*pError = CKR_DATA_INVALID;
return NULL;
}
return oidStr;
}
/*
* PKCS #11 sign for RSA expects to take a fully DER-encoded hash value,
* which includes the hash OID. CAPI expects to take a Hash Context. While
* CAPI does have the capability of setting a raw hash value, it does not
* have the ability to sign an arbitrary value. This function tries to
* reduce the passed in data into something that CAPI could actually sign.
*/
static CK_RV
ckcapi_GetRawHash(
const NSSItem *input,
NSSItem *hash,
ALG_ID *hashAlg)
{
unsigned char *current;
unsigned char *algid;
unsigned char *oid;
unsigned char *hashData;
char *oidStr;
CK_RV error;
unsigned int oidSize;
unsigned int size;
/*
* there are 2 types of hashes NSS typically tries to sign, regular
* RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes.
* CAPI knows not to add any oids to SSL3_Signed hashes, so if we have any
* random hash that is exactly the same size as an SSL3 hash, then we can
* just pass the data through. CAPI has know way of knowing if the value
* is really a combined hash or some other arbitrary data, so it's safe to
* handle this case first.
*/
if (SSL3_SHAMD5_HASH_SIZE == input->size) {
hash->data = input->data;
hash->size = input->size;
*hashAlg = CALG_SSL3_SHAMD5;
return CKR_OK;
}
current = (unsigned char *)input->data;
/* make sure we have a sequence tag */
if ((DER_SEQUENCE | DER_CONSTRUCTED) != *current) {
return CKR_DATA_INVALID;
}
/* parse the input block to get 1) the hash oid, and 2) the raw hash value.
* unfortunatly CAPI doesn't have a builtin function to do this work, so
* we go ahead and do it by hand here.
*
* format is:
* SEQUENCE {
* SECQUENCE { // algid
* OID {} // oid
* ANY {} // optional params
* }
* OCTECT {} // hash
*/
/* unwrap */
algid = nss_ckcapi_DERUnwrap(current, input->size, &size, NULL);
if (algid + size != current + input->size) {
/* make sure there is not extra data at the end */
return CKR_DATA_INVALID;
}
if ((DER_SEQUENCE | DER_CONSTRUCTED) != *algid) {
/* wasn't an algid */
return CKR_DATA_INVALID;
}
oid = nss_ckcapi_DERUnwrap(algid, size, &oidSize, &hashData);
if (DER_OCTET_STRING != *hashData) {
/* wasn't a hash */
return CKR_DATA_INVALID;
}
/* get the real hash */
current = hashData;
size = size - (hashData - algid);
hash->data = nss_ckcapi_DERUnwrap(current, size, &hash->size, NULL);
/* get the real oid as a string. Again, Microsoft does not
* export anything that does this for us */
oidStr = nss_ckcapi_GetOidString(oid, oidSize, &error);
if ((char *)NULL == oidStr) {
return error;
}
/* look up the hash alg from the oid (fortunately CAPI does to this) */
*hashAlg = CertOIDToAlgId(oidStr);
nss_ZFreeIf(oidStr);
if (0 == *hashAlg) {
return CKR_HOST_MEMORY;
}
/* hash looks reasonably consistent, we should be able to sign it now */
return CKR_OK;
}
/*
* So everyone else in the worlds stores their bignum data MSB first, but not
* Microsoft, we need to byte swap everything coming into and out of CAPI.
*/
void
ckcapi_ReverseData(NSSItem *item)
{
int end = (item->size) - 1;
int middle = (item->size) / 2;
unsigned char *buf = item->data;
int i;
for (i = 0; i < middle; i++) {
unsigned char tmp = buf[i];
buf[i] = buf[end - i];
buf[end - i] = tmp;
}
return;
}
typedef struct ckcapiInternalCryptoOperationRSAPrivStr
ckcapiInternalCryptoOperationRSAPriv;
struct ckcapiInternalCryptoOperationRSAPrivStr {
NSSCKMDCryptoOperation mdOperation;
NSSCKMDMechanism *mdMechanism;
ckcapiInternalObject *iKey;
HCRYPTPROV hProv;
DWORD keySpec;
HCRYPTKEY hKey;
NSSItem *buffer;
};
/*
* ckcapi_mdCryptoOperationRSAPriv_Create
*/
static NSSCKMDCryptoOperation *
ckcapi_mdCryptoOperationRSAPriv_Create(
const NSSCKMDCryptoOperation *proto,
NSSCKMDMechanism *mdMechanism,
NSSCKMDObject *mdKey,
CK_RV *pError)
{
ckcapiInternalObject *iKey = (ckcapiInternalObject *)mdKey->etc;
const NSSItem *classItem = nss_ckcapi_FetchAttribute(iKey, CKA_CLASS);
const NSSItem *keyType = nss_ckcapi_FetchAttribute(iKey, CKA_KEY_TYPE);
ckcapiInternalCryptoOperationRSAPriv *iOperation;
CK_RV error;
HCRYPTPROV hProv;
DWORD keySpec;
HCRYPTKEY hKey;
/* make sure we have the right objects */
if (((const NSSItem *)NULL == classItem) ||
(sizeof(CK_OBJECT_CLASS) != classItem->size) ||
(CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) ||
((const NSSItem *)NULL == keyType) ||
(sizeof(CK_KEY_TYPE) != keyType->size) ||
(CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) {
*pError = CKR_KEY_TYPE_INCONSISTENT;
return (NSSCKMDCryptoOperation *)NULL;
}
error = nss_ckcapi_FetchKeyContainer(iKey, &hProv, &keySpec, &hKey);
if (error != CKR_OK) {
*pError = error;
return (NSSCKMDCryptoOperation *)NULL;
}
iOperation = nss_ZNEW(NULL, ckcapiInternalCryptoOperationRSAPriv);
if ((ckcapiInternalCryptoOperationRSAPriv *)NULL == iOperation) {
*pError = CKR_HOST_MEMORY;
return (NSSCKMDCryptoOperation *)NULL;
}
iOperation->mdMechanism = mdMechanism;
iOperation->iKey = iKey;
iOperation->hProv = hProv;
iOperation->keySpec = keySpec;
iOperation->hKey = hKey;
nsslibc_memcpy(&iOperation->mdOperation,
proto, sizeof(NSSCKMDCryptoOperation));
iOperation->mdOperation.etc = iOperation;
return &iOperation->mdOperation;
}
static CK_RV
ckcapi_mdCryptoOperationRSAPriv_Destroy(
NSSCKMDCryptoOperation *mdOperation,
NSSCKFWCryptoOperation *fwOperation,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
ckcapiInternalCryptoOperationRSAPriv *iOperation =
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
if (iOperation->hKey) {
CryptDestroyKey(iOperation->hKey);
}
if (iOperation->buffer) {
nssItem_Destroy(iOperation->buffer);
}
nss_ZFreeIf(iOperation);
return CKR_OK;
}
static CK_ULONG
ckcapi_mdCryptoOperationRSA_GetFinalLength(
NSSCKMDCryptoOperation *mdOperation,
NSSCKFWCryptoOperation *fwOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
ckcapiInternalCryptoOperationRSAPriv *iOperation =
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
const NSSItem *modulus =
nss_ckcapi_FetchAttribute(iOperation->iKey, CKA_MODULUS);
return modulus->size;
}
/*
* ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
* we won't know the length until we actually decrypt the
* input block. Since we go to all the work to decrypt the
* the block, we'll save if for when the block is asked for
*/
static CK_ULONG
ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength(
NSSCKMDCryptoOperation *mdOperation,
NSSCKFWCryptoOperation *fwOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *input,
CK_RV *pError)
{
ckcapiInternalCryptoOperationRSAPriv *iOperation =
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
BOOL rc;
/* Microsoft's Decrypt operation works in place. Since we don't want
* to trash our input buffer, we make a copy of it */
iOperation->buffer = nssItem_Duplicate((NSSItem *)input, NULL, NULL);
if ((NSSItem *)NULL == iOperation->buffer) {
*pError = CKR_HOST_MEMORY;
return 0;
}
/* Sigh, reverse it */
ckcapi_ReverseData(iOperation->buffer);
rc = CryptDecrypt(iOperation->hKey, 0, TRUE, 0,
iOperation->buffer->data, &iOperation->buffer->size);
if (!rc) {
DWORD msError = GetLastError();
switch (msError) {
case NTE_BAD_DATA:
*pError =
CKR_ENCRYPTED_DATA_INVALID;
break;
case NTE_FAIL:
case NTE_BAD_UID:
*pError =
CKR_DEVICE_ERROR;
break;
default:
*pError =
CKR_GENERAL_ERROR;
}
return 0;
}
return iOperation->buffer->size;
}
/*
* ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
*
* NOTE: ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to
* have been called previously.
*/
static CK_RV
ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal(
NSSCKMDCryptoOperation *mdOperation,
NSSCKFWCryptoOperation *fwOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *input,
NSSItem *output)
{
ckcapiInternalCryptoOperationRSAPriv *iOperation =
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
NSSItem *buffer = iOperation->buffer;
if ((NSSItem *)NULL == buffer) {
return CKR_GENERAL_ERROR;
}
nsslibc_memcpy(output->data, buffer->data, buffer->size);
output->size = buffer->size;
return CKR_OK;
}
/*
* ckcapi_mdCryptoOperationRSASign_UpdateFinal
*
*/
static CK_RV
ckcapi_mdCryptoOperationRSASign_UpdateFinal(
NSSCKMDCryptoOperation *mdOperation,
NSSCKFWCryptoOperation *fwOperation,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
const NSSItem *input,
NSSItem *output)
{
ckcapiInternalCryptoOperationRSAPriv *iOperation =
(ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
CK_RV error = CKR_OK;
DWORD msError;
NSSItem hash;
HCRYPTHASH hHash = 0;
ALG_ID hashAlg;
DWORD hashSize;
DWORD len; /* temp length value we throw away */
BOOL rc;
/*
* PKCS #11 sign for RSA expects to take a fully DER-encoded hash value,
* which includes the hash OID. CAPI expects to take a Hash Context. While
* CAPI does have the capability of setting a raw hash value, it does not
* have the ability to sign an arbitrary value. This function tries to
* reduce the passed in data into something that CAPI could actually sign.
*/
error = ckcapi_GetRawHash(input, &hash, &hashAlg);
if (CKR_OK != error) {
goto loser;
}
rc = CryptCreateHash(iOperation->hProv, hashAlg, 0, 0, &hHash);
if (!rc) {
goto loser;
}
/* make sure the hash lens match before we set it */
len = sizeof(DWORD);
rc = CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&hashSize, &len, 0);
if (!rc) {
goto loser;
}
if (hash.size != hashSize) {
/* The input must have been bad for this to happen */
error = CKR_DATA_INVALID;
goto loser;
}
/* we have an explicit hash, set it, note that the length is
* implicit by the hashAlg used in create */
rc = CryptSetHashParam(hHash, HP_HASHVAL, hash.data, 0);
if (!rc) {
goto loser;
}
/* OK, we have the data in a hash structure, sign it! */
rc = CryptSignHash(hHash, iOperation->keySpec, NULL, 0,
output->data, &output->size);
if (!rc) {
goto loser;
}
/* Don't return a signature that might have been broken because of a cosmic
* ray, or a broken processor, verify that it is valid... */
rc = CryptVerifySignature(hHash, output->data, output->size,
iOperation->hKey, NULL, 0);
if (!rc) {
goto loser;
}
/* OK, Microsoft likes to do things completely differently than anyone
* else. We need to reverse the data we received here */
ckcapi_ReverseData(output);
CryptDestroyHash(hHash);
return CKR_OK;
loser:
/* map the microsoft error */
if (CKR_OK == error) {
msError = GetLastError();
switch (msError) {
case ERROR_NOT_ENOUGH_MEMORY:
error =
CKR_HOST_MEMORY;
break;
case NTE_NO_MEMORY:
error =
CKR_DEVICE_MEMORY;
break;
case ERROR_MORE_DATA:
return CKR_BUFFER_TOO_SMALL;
case ERROR_INVALID_PARAMETER: /* these params were derived from the */
case ERROR_INVALID_HANDLE: /* inputs, so if they are bad, the input */
case NTE_BAD_ALGID: /* data is bad */
case NTE_BAD_HASH:
error =
CKR_DATA_INVALID;
break;
case ERROR_BUSY:
case NTE_FAIL:
case NTE_BAD_UID:
error =
CKR_DEVICE_ERROR;
break;
default:
error =
CKR_GENERAL_ERROR;
break;
}
}
if (hHash) {
CryptDestroyHash(hHash);
}
return error;
}
NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
ckcapi_mdCryptoOperationRSADecrypt_proto = {
NULL, /* etc */
ckcapi_mdCryptoOperationRSAPriv_Destroy,
NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */
ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength,
NULL, /* Final - not needed for one shot operation */
NULL, /* Update - not needed for one shot operation */
NULL, /* DigetUpdate - not needed for one shot operation */
ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal,
NULL, /* UpdateCombo - not needed for one shot operation */
NULL, /* DigetKey - not needed for one shot operation */
(void *)NULL /* null terminator */
};
NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
ckcapi_mdCryptoOperationRSASign_proto = {
NULL, /* etc */
ckcapi_mdCryptoOperationRSAPriv_Destroy,
ckcapi_mdCryptoOperationRSA_GetFinalLength,
NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */
NULL, /* Final - not needed for one shot operation */
NULL, /* Update - not needed for one shot operation */
NULL, /* DigetUpdate - not needed for one shot operation */
ckcapi_mdCryptoOperationRSASign_UpdateFinal,
NULL, /* UpdateCombo - not needed for one shot operation */
NULL, /* DigetKey - not needed for one shot operation */
(void *)NULL /* null terminator */
};
/********** NSSCKMDMechansim functions ***********************/
/*
* ckcapi_mdMechanismRSA_Destroy
*/
static void
ckcapi_mdMechanismRSA_Destroy(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
nss_ZFreeIf(fwMechanism);
}
/*
* ckcapi_mdMechanismRSA_GetMinKeySize
*/
static CK_ULONG
ckcapi_mdMechanismRSA_GetMinKeySize(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return 384;
}
/*
* ckcapi_mdMechanismRSA_GetMaxKeySize
*/
static CK_ULONG
ckcapi_mdMechanismRSA_GetMaxKeySize(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return 16384;
}
/*
* ckcapi_mdMechanismRSA_DecryptInit
*/
static NSSCKMDCryptoOperation *
ckcapi_mdMechanismRSA_DecryptInit(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM *pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError)
{
return ckcapi_mdCryptoOperationRSAPriv_Create(
&ckcapi_mdCryptoOperationRSADecrypt_proto,
mdMechanism, mdKey, pError);
}
/*
* ckcapi_mdMechanismRSA_SignInit
*/
static NSSCKMDCryptoOperation *
ckcapi_mdMechanismRSA_SignInit(
NSSCKMDMechanism *mdMechanism,
NSSCKFWMechanism *fwMechanism,
CK_MECHANISM *pMechanism,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKMDObject *mdKey,
NSSCKFWObject *fwKey,
CK_RV *pError)
{
return ckcapi_mdCryptoOperationRSAPriv_Create(
&ckcapi_mdCryptoOperationRSASign_proto,
mdMechanism, mdKey, pError);
}
NSS_IMPLEMENT_DATA const NSSCKMDMechanism
nss_ckcapi_mdMechanismRSA = {
(void *)NULL, /* etc */
ckcapi_mdMechanismRSA_Destroy,
ckcapi_mdMechanismRSA_GetMinKeySize,
ckcapi_mdMechanismRSA_GetMaxKeySize,
NULL, /* GetInHardware - default false */
NULL, /* EncryptInit - default errs */
ckcapi_mdMechanismRSA_DecryptInit,
NULL, /* DigestInit - default errs*/
ckcapi_mdMechanismRSA_SignInit,
NULL, /* VerifyInit - default errs */
ckcapi_mdMechanismRSA_SignInit, /* SignRecoverInit */
NULL, /* VerifyRecoverInit - default errs */
NULL, /* GenerateKey - default errs */
NULL, /* GenerateKeyPair - default errs */
NULL, /* GetWrapKeyLength - default errs */
NULL, /* WrapKey - default errs */
NULL, /* UnwrapKey - default errs */
NULL, /* DeriveKey - default errs */
(void *)NULL /* null terminator */
};

87
security/nss/lib/ckfw/capi/csession.c
Просмотреть файл

@ -1,87 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ckcapi.h"
/*
* ckcapi/csession.c
*
* This file implements the NSSCKMDSession object for the
* "nss to capi" cryptoki module.
*/
static NSSCKMDFindObjects *
ckcapi_mdSession_FindObjectsInit(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
return nss_ckcapi_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
}
static NSSCKMDObject *
ckcapi_mdSession_CreateObject(
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSArena *arena,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
return nss_ckcapi_CreateObject(fwSession, pTemplate, ulAttributeCount, pError);
}
NSS_IMPLEMENT NSSCKMDSession *
nss_ckcapi_CreateSession(
NSSCKFWSession *fwSession,
CK_RV *pError)
{
NSSArena *arena;
NSSCKMDSession *rv;
arena = NSSCKFWSession_GetArena(fwSession, pError);
if ((NSSArena *)NULL == arena) {
return (NSSCKMDSession *)NULL;
}
rv = nss_ZNEW(arena, NSSCKMDSession);
if ((NSSCKMDSession *)NULL == rv) {
*pError = CKR_HOST_MEMORY;
return (NSSCKMDSession *)NULL;
}
/*
* rv was zeroed when allocated, so we only
* need to set the non-zero members.
*/
rv->etc = (void *)fwSession;
/* rv->Close */
/* rv->GetDeviceError */
/* rv->Login */
/* rv->Logout */
/* rv->InitPIN */
/* rv->SetPIN */
/* rv->GetOperationStateLen */
/* rv->GetOperationState */
/* rv->SetOperationState */
rv->CreateObject = ckcapi_mdSession_CreateObject;
/* rv->CopyObject */
rv->FindObjectsInit = ckcapi_mdSession_FindObjectsInit;
/* rv->SeedRandom */
/* rv->GetRandom */
/* rv->null */
return rv;
}

81
security/nss/lib/ckfw/capi/cslot.c
Просмотреть файл

@ -1,81 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ckcapi.h"
/*
* ckcapi/cslot.c
*
* This file implements the NSSCKMDSlot object for the
* "nss to capi" cryptoki module.
*/
static NSSUTF8 *
ckcapi_mdSlot_GetSlotDescription(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_SlotDescription;
}
static NSSUTF8 *
ckcapi_mdSlot_GetManufacturerID(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
}
static CK_VERSION
ckcapi_mdSlot_GetHardwareVersion(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return nss_ckcapi_HardwareVersion;
}
static CK_VERSION
ckcapi_mdSlot_GetFirmwareVersion(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return nss_ckcapi_FirmwareVersion;
}
static NSSCKMDToken *
ckcapi_mdSlot_GetToken(
NSSCKMDSlot *mdSlot,
NSSCKFWSlot *fwSlot,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSCKMDToken *)&nss_ckcapi_mdToken;
}
NSS_IMPLEMENT_DATA const NSSCKMDSlot
nss_ckcapi_mdSlot = {
(void *)NULL, /* etc */
NULL, /* Initialize */
NULL, /* Destroy */
ckcapi_mdSlot_GetSlotDescription,
ckcapi_mdSlot_GetManufacturerID,
NULL, /* GetTokenPresent -- defaults to true */
NULL, /* GetRemovableDevice -- defaults to false */
NULL, /* GetHardwareSlot -- defaults to false */
ckcapi_mdSlot_GetHardwareVersion,
ckcapi_mdSlot_GetFirmwareVersion,
ckcapi_mdSlot_GetToken,
(void *)NULL /* null terminator */
};

184
security/nss/lib/ckfw/capi/ctoken.c
Просмотреть файл

@ -1,184 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ckcapi.h"
/*
* ckcapi/ctoken.c
*
* This file implements the NSSCKMDToken object for the
* "nss to capi" cryptoki module.
*/
static NSSUTF8 *
ckcapi_mdToken_GetLabel(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_TokenLabel;
}
static NSSUTF8 *
ckcapi_mdToken_GetManufacturerID(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
}
static NSSUTF8 *
ckcapi_mdToken_GetModel(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_TokenModel;
}
static NSSUTF8 *
ckcapi_mdToken_GetSerialNumber(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
return (NSSUTF8 *)nss_ckcapi_TokenSerialNumber;
}
static CK_BBOOL
ckcapi_mdToken_GetIsWriteProtected(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return CK_FALSE;
}
/* fake out Mozilla so we don't try to initialize the token */
static CK_BBOOL
ckcapi_mdToken_GetUserPinInitialized(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return CK_TRUE;
}
static CK_VERSION
ckcapi_mdToken_GetHardwareVersion(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return nss_ckcapi_HardwareVersion;
}
static CK_VERSION
ckcapi_mdToken_GetFirmwareVersion(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return nss_ckcapi_FirmwareVersion;
}
static NSSCKMDSession *
ckcapi_mdToken_OpenSession(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
NSSCKFWSession *fwSession,
CK_BBOOL rw,
CK_RV *pError)
{
return nss_ckcapi_CreateSession(fwSession, pError);
}
static CK_ULONG
ckcapi_mdToken_GetMechanismCount(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return (CK_ULONG)1;
}
static CK_RV
ckcapi_mdToken_GetMechanismTypes(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_MECHANISM_TYPE types[])
{
types[0] = CKM_RSA_PKCS;
return CKR_OK;
}
static NSSCKMDMechanism *
ckcapi_mdToken_GetMechanism(
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_MECHANISM_TYPE which,
CK_RV *pError)
{
if (which != CKM_RSA_PKCS) {
*pError = CKR_MECHANISM_INVALID;
return (NSSCKMDMechanism *)NULL;
}
return (NSSCKMDMechanism *)&nss_ckcapi_mdMechanismRSA;
}
NSS_IMPLEMENT_DATA const NSSCKMDToken
nss_ckcapi_mdToken = {
(void *)NULL, /* etc */
NULL, /* Setup */
NULL, /* Invalidate */
NULL, /* InitToken -- default errs */
ckcapi_mdToken_GetLabel,
ckcapi_mdToken_GetManufacturerID,
ckcapi_mdToken_GetModel,
ckcapi_mdToken_GetSerialNumber,
NULL, /* GetHasRNG -- default is false */
ckcapi_mdToken_GetIsWriteProtected,
NULL, /* GetLoginRequired -- default is false */
ckcapi_mdToken_GetUserPinInitialized,
NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
NULL, /* GetHasClockOnToken -- default is false */
NULL, /* GetHasProtectedAuthenticationPath -- default is false */
NULL, /* GetSupportsDualCryptoOperations -- default is false */
NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
NULL, /* GetMaxPinLen -- irrelevant */
NULL, /* GetMinPinLen -- irrelevant */
NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
ckcapi_mdToken_GetHardwareVersion,
ckcapi_mdToken_GetFirmwareVersion,
NULL, /* GetUTCTime -- no clock */
ckcapi_mdToken_OpenSession,
ckcapi_mdToken_GetMechanismCount,
ckcapi_mdToken_GetMechanismTypes,
ckcapi_mdToken_GetMechanism,
(void *)NULL /* null terminator */
};

35
security/nss/lib/ckfw/capi/manifest.mn
Просмотреть файл

@ -1,35 +0,0 @@
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
CORE_DEPTH = ../../../..
MODULE = nss
EXPORTS = \
nsscapi.h \
$(NULL)
CSRCS = \
anchor.c \
constants.c \
cfind.c \
cinst.c \
cobject.c \
crsa.c \
csession.c \
cslot.c \
ctoken.c \
ckcapiver.c \
staticobj.c \
$(NULL)
REQUIRES = nspr
LIBRARY_NAME = nsscapi
MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
LIBRARY = $(NULL)
IMPORT_LIBRARY = $(NULL)
#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4

26
security/nss/lib/ckfw/capi/nsscapi.def
Просмотреть файл

@ -1,26 +0,0 @@
;+#
;+# This Source Code Form is subject to the terms of the Mozilla Public
;+# License, v. 2.0. If a copy of the MPL was not distributed with this
;+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
;+#
;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
;+# 1. For all unix platforms, the string ";-" means "remove this line"
;+# 2. For all unix platforms, the string " DATA " will be removed from any
;+# line on which it occurs.
;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
;+# On AIX, lines containing ";+" will be removed.
;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed.
;+# 5. For all unix platforms, after the above processing has taken place,
;+# all characters after the first ";" on the line will be removed.
;+# And for AIX, the first ";" will also be removed.
;+# This file is passed directly to windows. Since ';' is a comment, all UNIX
;+# directives are hidden behind ";", ";+", and ";-"
;+
;+NSS_3.1 { # NSS 3.1 release
;+ global:
LIBRARY nsscapi ;-
EXPORTS ;-
C_GetFunctionList;
;+ local:
;+*;
;+};

41
security/nss/lib/ckfw/capi/nsscapi.h
Просмотреть файл

@ -1,41 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCAPI_H
#define NSSCAPI_H
/*
* NSS CKCAPI Version numbers.
*
* These are the version numbers for the capi module packaged with
* this release on NSS. To determine the version numbers of the builtin
* module you are using, use the appropriate PKCS #11 calls.
*
* These version numbers detail changes to the PKCS #11 interface. They map
* to the PKCS #11 spec versions.
*/
#define NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR 2
#define NSS_CKCAPI_CRYPTOKI_VERSION_MINOR 20
/* These version numbers detail the changes
* to the list of trusted certificates.
*
* NSS_CKCAPI_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
* whether we may use its full range (0-255) or only 0-99 because
* of the comment in the CK_VERSION type definition.
*/
#define NSS_CKCAPI_LIBRARY_VERSION_MAJOR 1
#define NSS_CKCAPI_LIBRARY_VERSION_MINOR 1
#define NSS_CKCAPI_LIBRARY_VERSION "1.1"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_CKCAPI_HARDWARE_VERSION_MAJOR 1
#define NSS_CKCAPI_HARDWARE_VERSION_MINOR 0
/* These version numbers detail the semantic changes to ckbi itself
* (new PKCS #11 objects), etc. */
#define NSS_CKCAPI_FIRMWARE_VERSION_MAJOR 1
#define NSS_CKCAPI_FIRMWARE_VERSION_MINOR 0
#endif /* NSSCKBI_H */

64
security/nss/lib/ckfw/capi/nsscapi.rc
Просмотреть файл

@ -1,64 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsscapi.h"
#include <winver.h>
#define MY_LIBNAME "nsscapi"
#define MY_FILEDESCRIPTION "NSS Access to Microsoft CAPI"
#ifdef _DEBUG
#define MY_DEBUG_STR " (debug)"
#define MY_FILEFLAGS_1 VS_FF_DEBUG
#else
#define MY_DEBUG_STR ""
#define MY_FILEFLAGS_1 0x0L
#endif
#if NSS_BETA
#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
#else
#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
#endif
#ifdef WINNT
#define MY_FILEOS VOS_NT_WINDOWS32
#else
#define MY_FILEOS VOS__WINDOWS32
#endif
#define MY_INTERNAL_NAME MY_LIBNAME
/////////////////////////////////////////////////////////////////////////////
//
// Version-information resource
//
VS_VERSION_INFO VERSIONINFO
FILEVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
PRODUCTVERSION NSS_CKCAPI_LIBRARY_VERSION_MAJOR,NSS_CKCAPI_LIBRARY_VERSION_MINOR,0,0
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
FILEFLAGS MY_FILEFLAGS_2
FILEOS MY_FILEOS
FILETYPE VFT_DLL
FILESUBTYPE 0x0L // not used
BEGIN
BLOCK "StringFileInfo"
BEGIN
BLOCK "040904B0" // Lang=US English, CharSet=Unicode
BEGIN
VALUE "CompanyName", "Mozilla Foundation\0"
VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
VALUE "FileVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
VALUE "InternalName", MY_INTERNAL_NAME "\0"
VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
VALUE "ProductName", "Network Security Services\0"
VALUE "ProductVersion", NSS_CKCAPI_LIBRARY_VERSION "\0"
END
END
BLOCK "VarFileInfo"
BEGIN
VALUE "Translation", 0x409, 1200
END
END

40
security/nss/lib/ckfw/capi/staticobj.c
Просмотреть файл

@ -1,40 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef CKCAPI_H
#include "ckcapi.h"
#endif /* CKCAPI_H */
static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
static const CK_BBOOL ck_true = CK_TRUE;
static const CK_OBJECT_CLASS cko_data = CKO_DATA;
static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
static const CK_BBOOL ck_false = CK_FALSE;
static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
/* example of a static object */
static const CK_ATTRIBUTE_TYPE nss_ckcapi_types_1[] = {
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL
};
static const NSSItem nss_ckcapi_items_1[] = {
{ (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
{ (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
{ (void *)"Mozilla CAPI Access", (PRUint32)20 }
};
ckcapiInternalObject nss_ckcapi_data[] = {
{
ckcapiRaw,
{ 5, nss_ckcapi_types_1, nss_ckcapi_items_1 },
},
};
const PRUint32 nss_ckcapi_nObjects = 1;

8
security/nss/lib/pk11wrap/pk11skey.c
Просмотреть файл

@ -526,16 +526,16 @@ PK11_ImportDataKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PK11Origin origin
return NULL;
}
handle = PK11_GetObjectHandle(PK11_TypeGeneric, genObject, NULL);
if (handle == CK_INVALID_HANDLE) {
return NULL;
}
/* A note about ownership of the PKCS #11 handle:
* PK11_CreateGenericObject() will not destroy the object it creates
* on Free, For that you want PK11_CreateManagedGenericObject().
* Below we import the handle into the symKey structure. We pass
* PR_TRUE as the owner so that the symKey will destroy the object
* once it's freed. This is way it's safe to free now. */
* once it's freed. This is why it's safe to destroy genObject now. */
PK11_DestroyGenericObject(genObject);
if (handle == CK_INVALID_HANDLE) {
return NULL;
}
return PK11_SymKeyFromHandle(slot, NULL, origin, type, handle, PR_TRUE, wincx);
}

9
security/nss/lib/pk11wrap/pk11slot.c
Просмотреть файл

@ -94,8 +94,7 @@ static PK11SlotList
pk11_tlsSlotList,
pk11_randomSlotList,
pk11_sha256SlotList,
pk11_sha512SlotList, /* slots do SHA512 and SHA384 */
pk11_kyberSlotList;
pk11_sha512SlotList; /* slots do SHA512 and SHA384 */
/************************************************************
* Generic Slot List and Slot List element manipulations
@ -850,7 +849,6 @@ PK11_InitSlotLists(void)
pk11_InitSlotListStatic(&pk11_randomSlotList);
pk11_InitSlotListStatic(&pk11_sha256SlotList);
pk11_InitSlotListStatic(&pk11_sha512SlotList);
pk11_InitSlotListStatic(&pk11_kyberSlotList);
return SECSuccess;
}
@ -877,7 +875,6 @@ PK11_DestroySlotLists(void)
pk11_FreeSlotListStatic(&pk11_randomSlotList);
pk11_FreeSlotListStatic(&pk11_sha256SlotList);
pk11_FreeSlotListStatic(&pk11_sha512SlotList);
pk11_FreeSlotListStatic(&pk11_kyberSlotList);
return;
}
@ -947,6 +944,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
case CKM_ECDSA_SHA1:
case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
case CKM_ECDH1_DERIVE:
case CKM_NSS_KYBER_KEY_PAIR_GEN: /* Bug 1893029 */
case CKM_NSS_KYBER:
return &pk11_ecSlotList;
case CKM_SSL3_PRE_MASTER_KEY_GEN:
case CKM_SSL3_MASTER_KEY_DERIVE:
@ -962,8 +961,6 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
return &pk11_ideaSlotList;
case CKM_FAKE_RANDOM:
return &pk11_randomSlotList;
case CKM_NSS_KYBER_KEY_PAIR_GEN:
return &pk11_kyberSlotList;
}
return NULL;
}

13
security/nss/lib/smime/cmslocal.h
Просмотреть файл

@ -164,14 +164,13 @@ NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp,
extern PK11SymKey *
NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag);
extern SECStatus
NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
SECItem *encKey, SECItem *ukm, SECAlgorithmID *keyEncAlg,
SECItem *originatorPubKey);
/*
* NSS_CMSUtil_DecryptSymKey_RSA_OAEP is the same as NSS_CMSUtil_DecryptSymKey_RSA, except that
* it works with a symmetric key that was wrapped using RSA with OAEP padding rather than PKCS #1
* Version 1.5 padding.
*/
extern PK11SymKey *
NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg);
NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKEYPrivateKey *privkey, SECItem *parameters, SECItem *encKey, SECOidTag bulkalgtag);
extern SECStatus
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,

351
security/nss/lib/smime/cmspubkey.c
Просмотреть файл

@ -108,6 +108,176 @@ NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOid
return PK11_PubUnwrapSymKey(privkey, encKey, target, CKA_DECRYPT, 0);
}
typedef struct RSA_OAEP_CMS_paramsStr RSA_OAEP_CMS_params;
struct RSA_OAEP_CMS_paramsStr {
SECAlgorithmID *hashFunc;
SECAlgorithmID *maskGenFunc;
SECAlgorithmID *pSourceFunc;
};
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
static const SEC_ASN1Template seckey_PointerToAlgorithmIDTemplate[] = {
{ SEC_ASN1_POINTER | SEC_ASN1_XTRN, 0,
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }
};
static const SEC_ASN1Template RSA_OAEP_CMS_paramsTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(RSA_OAEP_CMS_params) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONTEXT_SPECIFIC | 0,
offsetof(RSA_OAEP_CMS_params, hashFunc),
seckey_PointerToAlgorithmIDTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONTEXT_SPECIFIC | 1,
offsetof(RSA_OAEP_CMS_params, maskGenFunc),
seckey_PointerToAlgorithmIDTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONTEXT_SPECIFIC | 2,
offsetof(RSA_OAEP_CMS_params, pSourceFunc),
seckey_PointerToAlgorithmIDTemplate },
{ 0 }
};
/*
* NSS_CMSUtil_DecryptSymKey_RSA_OAEP - unwrap a RSA-wrapped symmetric key
*
* this function takes an RSA-OAEP-wrapped symmetric key and unwraps it, returning a symmetric
* key handle. Please note that the actual unwrapped key data may not be allowed to leave
* a hardware token...
*/
PK11SymKey *
NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKEYPrivateKey *privkey, SECItem *parameters, SECItem *encKey, SECOidTag bulkalgtag)
{
CK_RSA_PKCS_OAEP_PARAMS oaep_params;
RSA_OAEP_CMS_params encoded_params;
SECAlgorithmID mgf1hashAlg;
SECOidTag mgfAlgtag, mgf1hashAlgtag, pSourcetag;
SECItem encoding_params, params;
PK11SymKey *bulkkey = NULL;
SECStatus rv;
CK_MECHANISM_TYPE target;
PORT_Assert(bulkalgtag != SEC_OID_UNKNOWN);
target = PK11_AlgtagToMechanism(bulkalgtag);
if (bulkalgtag == SEC_OID_UNKNOWN || target == CKM_INVALID_MECHANISM) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return NULL;
}
PORT_Memset(&encoded_params, 0, sizeof(RSA_OAEP_CMS_params));
PORT_Memset(&mgf1hashAlg, 0, sizeof(SECAlgorithmID));
PORT_Memset(&encoding_params, 0, sizeof(SECItem));
/* Set default values for the OAEP parameters */
oaep_params.hashAlg = CKM_SHA_1;
oaep_params.mgf = CKG_MGF1_SHA1;
oaep_params.source = CKZ_DATA_SPECIFIED;
oaep_params.pSourceData = NULL;
oaep_params.ulSourceDataLen = 0;
if (parameters->len == 2) {
/* For some reason SEC_ASN1DecodeItem cannot process parameters if it is an emtpy SEQUENCE */
/* Just check that this is a properly encoded empty SEQUENCE */
if ((parameters->data[0] != 0x30) || (parameters->data[1] != 0)) {
return NULL;
}
} else {
rv = SEC_ASN1DecodeItem(NULL, &encoded_params, RSA_OAEP_CMS_paramsTemplate, parameters);
if (rv != SECSuccess) {
goto loser;
}
if (encoded_params.hashFunc != NULL) {
oaep_params.hashAlg = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(encoded_params.hashFunc));
}
if (encoded_params.maskGenFunc != NULL) {
mgfAlgtag = SECOID_GetAlgorithmTag(encoded_params.maskGenFunc);
if (mgfAlgtag != SEC_OID_PKCS1_MGF1) {
/* MGF1 is the only supported mask generation function */
goto loser;
}
/* The parameters field contains an AlgorithmIdentifier specifying the
* hash function to use with MGF1.
*/
rv = SEC_ASN1DecodeItem(NULL, &mgf1hashAlg, SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
&encoded_params.maskGenFunc->parameters);
if (rv != SECSuccess) {
goto loser;
}
mgf1hashAlgtag = SECOID_GetAlgorithmTag(&mgf1hashAlg);
switch (mgf1hashAlgtag) {
case SEC_OID_SHA1:
oaep_params.mgf = CKG_MGF1_SHA1;
break;
case SEC_OID_SHA224:
oaep_params.mgf = CKG_MGF1_SHA224;
break;
case SEC_OID_SHA256:
oaep_params.mgf = CKG_MGF1_SHA256;
break;
case SEC_OID_SHA384:
oaep_params.mgf = CKG_MGF1_SHA384;
break;
case SEC_OID_SHA512:
oaep_params.mgf = CKG_MGF1_SHA512;
break;
case SEC_OID_SHA3_224:
oaep_params.mgf = CKG_MGF1_SHA3_224;
break;
case SEC_OID_SHA3_256:
oaep_params.mgf = CKG_MGF1_SHA3_256;
break;
case SEC_OID_SHA3_384:
oaep_params.mgf = CKG_MGF1_SHA3_384;
break;
case SEC_OID_SHA3_512:
oaep_params.mgf = CKG_MGF1_SHA3_512;
break;
default:
goto loser;
break;
}
}
if (encoded_params.pSourceFunc != NULL) {
pSourcetag = SECOID_GetAlgorithmTag(encoded_params.pSourceFunc);
if (pSourcetag != SEC_OID_PKCS1_PSPECIFIED) {
goto loser;
}
/* The encoding parameters (P) are provided as an OCTET STRING in the parameters field. */
if (encoded_params.pSourceFunc->parameters.len != 0) {
rv = SEC_ASN1DecodeItem(NULL, &encoding_params, SEC_ASN1_GET(SEC_OctetStringTemplate),
&encoded_params.pSourceFunc->parameters);
if (rv != SECSuccess) {
goto loser;
}
oaep_params.ulSourceDataLen = encoding_params.len;
oaep_params.pSourceData = encoding_params.data;
}
}
}
params.type = siBuffer;
params.data = (unsigned char *)&oaep_params;
params.len = sizeof(CK_RSA_PKCS_OAEP_PARAMS);
bulkkey = PK11_PubUnwrapSymKeyWithMechanism(privkey, CKM_RSA_PKCS_OAEP, &params,
encKey, target, CKA_DECRYPT, 0);
loser:
PORT_Free(oaep_params.pSourceData);
if (encoded_params.hashFunc) {
SECOID_DestroyAlgorithmID(encoded_params.hashFunc, PR_TRUE);
}
if (encoded_params.maskGenFunc) {
SECOID_DestroyAlgorithmID(encoded_params.maskGenFunc, PR_TRUE);
}
if (encoded_params.pSourceFunc) {
SECOID_DestroyAlgorithmID(encoded_params.pSourceFunc, PR_TRUE);
}
SECOID_DestroyAlgorithmID(&mgf1hashAlg, PR_FALSE);
return bulkkey;
}
/* ====== ESECDH (Ephemeral-Static Elliptic Curve Diffie-Hellman) =========== */
typedef struct ECC_CMS_SharedInfoStr ECC_CMS_SharedInfo;
@ -117,9 +287,6 @@ struct ECC_CMS_SharedInfoStr {
SECItem suppPubInfo; /* length of KEK in bits as 32-bit number */
};
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
SEC_ASN1_MKSUB(SEC_OctetStringTemplate)
static const SEC_ASN1Template ECC_CMS_SharedInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(ECC_CMS_SharedInfo) },
@ -506,181 +673,3 @@ loser:
SECOID_DestroyAlgorithmID(&keyWrapAlg, PR_FALSE);
return bulkkey;
}
/* ====== ESDH (Ephemeral-Static Diffie-Hellman) ==================================== */
SECStatus
NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
SECItem *encKey, SECItem *ukm, SECAlgorithmID *keyEncAlg,
SECItem *pubKey)
{
#if 0 /* not yet done */
SECOidTag certalgtag; /* the certificate's encryption algorithm */
SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
SECStatus rv;
SECItem *params = NULL;
int data_len;
SECStatus err;
PK11SymKey *tek;
CERTCertificate *ourCert;
SECKEYPublicKey *ourPubKey;
NSSCMSKEATemplateSelector whichKEA = NSSCMSKEAInvalid;
certalgtag = SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
PORT_Assert(certalgtag == SEC_OID_X942_DIFFIE_HELMAN_KEY);
/* We really want to show our KEA tag as the key exchange algorithm tag. */
encalgtag = SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN;
/* Get the public key of the recipient. */
publickey = CERT_ExtractPublicKey(cert);
if (publickey == NULL) goto loser;
/* XXXX generate a DH key pair on a PKCS11 module (XXX which parameters?) */
/* XXXX */ourCert = PK11_FindBestKEAMatch(cert, wincx);
if (ourCert == NULL) goto loser;
arena = PORT_NewArena(1024);
if (arena == NULL) goto loser;
/* While we're here, extract the key pair's public key data and copy it into */
/* the outgoing parameters. */
/* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert);
if (ourPubKey == NULL)
{
goto loser;
}
SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey));
SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */
ourPubKey = NULL;
/* Extract our private key in order to derive the KEA key. */
ourPrivKey = PK11_FindKeyByAnyCert(ourCert,wincx);
CERT_DestroyCertificate(ourCert); /* we're done with this */
if (!ourPrivKey) goto loser;
/* If ukm desired, prepare it - allocate enough space (filled with zeros). */
if (ukm) {
ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */);
ukm->len = /* XXXX */;
}
/* Generate the KEK (key exchange key) according to RFC2631 which we use
* to wrap the bulk encryption key. */
kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
ukm, NULL,
/* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP,
CKA_WRAP, 0, wincx);
SECKEY_DestroyPublicKey(publickey);
SECKEY_DestroyPrivateKey(ourPrivKey);
publickey = NULL;
ourPrivKey = NULL;
if (!kek)
goto loser;
/* allocate space for the encrypted CEK (bulk key) */
encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
encKey->len = SMIME_FORTEZZA_MAX_KEY_SIZE;
if (encKey->data == NULL)
{
PK11_FreeSymKey(kek);
goto loser;
}
/* Wrap the bulk key using CMSRC2WRAP or CMS3DESWRAP, depending on the */
/* bulk encryption algorithm */
switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg))
{
case /* XXXX */CKM_SKIPJACK_CFB8:
err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey);
whichKEA = NSSCMSKEAUsesSkipjack;
break;
case /* XXXX */CKM_SKIPJACK_CFB8:
err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey);
whichKEA = NSSCMSKEAUsesSkipjack;
break;
default:
/* XXXX what do we do here? Neither RC2 nor 3DES... */
err = SECFailure;
/* set error */
break;
}
PK11_FreeSymKey(kek); /* we do not need the KEK anymore */
if (err != SECSuccess)
goto loser;
PORT_Assert(whichKEA != NSSCMSKEAInvalid);
/* see RFC2630 12.3.1.1 "keyEncryptionAlgorithm must be ..." */
/* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */
params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA));
if (params == NULL)
goto loser;
/* now set keyEncAlg */
rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params);
if (rv != SECSuccess)
goto loser;
/* XXXXXXX this is not right yet */
loser:
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
if (publickey) {
SECKEY_DestroyPublicKey(publickey);
}
if (ourPrivKey) {
SECKEY_DestroyPrivateKey(ourPrivKey);
}
#endif
return SECFailure;
}
PK11SymKey *
NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey,
SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag,
void *pwfn_arg)
{
#if 0 /* not yet done */
SECStatus err;
CK_MECHANISM_TYPE bulkType;
PK11SymKey *tek;
SECKEYPublicKey *originatorPubKey;
NSSCMSSMIMEKEAParameters keaParams;
/* XXXX get originator's public key */
originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data,
keaParams.originatorKEAKey.len);
if (originatorPubKey == NULL)
goto loser;
/* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key.
The Derive function generates a shared secret and combines it with the originatorRA
data to come up with an unique session key */
tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE,
&keaParams.originatorRA, NULL,
CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
CKA_WRAP, 0, pwfn_arg);
SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */
if (tek == NULL)
goto loser;
/* Now that we have the TEK, unwrap the bulk key
with which to decrypt the message. */
/* Skipjack is being used as the bulk encryption algorithm.*/
/* Unwrap the bulk key. */
bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL,
encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0);
return bulkkey;
loser:
#endif
return NULL;
}

31
security/nss/lib/smime/cmsrecinfo.c
Просмотреть файл

@ -157,7 +157,6 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg,
rv = SECFailure;
}
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
PORT_Assert(type == NSSCMSRecipientID_IssuerSN);
if (type != NSSCMSRecipientID_IssuerSN) {
@ -271,7 +270,6 @@ NSS_CMSRecipient_IsSupported(CERTCertificate *cert)
switch (certalgtag) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
return PR_TRUE;
default:
@ -497,7 +495,6 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey,
rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
if (rek == NULL) {
@ -519,14 +516,6 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey,
/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
switch (certalgtag) {
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey,
&rek->encKey,
&ri->ri.keyAgreeRecipientInfo.ukm,
&ri->ri.keyAgreeRecipientInfo.keyEncAlg,
&oiok->id.originatorPublicKey.publicKey);
break;
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
if (ri->cmsg) {
wincx = ri->cmsg->pwfn_arg;
@ -566,7 +555,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
{
PK11SymKey *bulkkey = NULL;
SECOidTag encalgtag;
SECItem *enckey, *ukm;
SECItem *enckey, *ukm, *parameters;
NSSCMSOriginatorIdentifierOrKey *oiok;
int error;
void *wincx = NULL;
@ -584,6 +573,12 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
/* get the symmetric (bulk) key by unwrapping it using our private key */
bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag);
break;
case SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION:
/* RSA OAEP encryption algorithm: */
/* get the symmetric (bulk) key by unwrapping it using our private key */
parameters = &(ri->ri.keyTransRecipientInfo.keyEncAlg.parameters);
bulkkey = NSS_CMSUtil_DecryptSymKey_RSA_OAEP(privkey, parameters, enckey, bulkalgtag);
break;
default:
error = SEC_ERROR_UNSUPPORTED_KEYALG;
goto loser;
@ -613,18 +608,6 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex,
bulkalgtag, ukm, oiok, wincx);
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
/* Diffie-Helman key exchange */
/* XXX not yet implemented */
/* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */
/* we support ephemeral-static DH only, so if the recipientinfo */
/* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */
/* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */
/* content encryption key using a Unwrap op */
/* the derive operation has to generate the key using the algorithm in RFC2631 */
error = SEC_ERROR_UNSUPPORTED_KEYALG;
goto loser;
break;
default:
error = SEC_ERROR_UNSUPPORTED_KEYALG;
goto loser;

Двоичные данные
security/nss/tests/smime/interop-openssl/Fran.p12 Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-label_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256hash-label_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256hash-sha256mgf_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256hash_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256mgf-label_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha256mgf_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha384hash_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha384mgf_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha512hash_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep-sha512mgf_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep_ossl-sha256hash-sha256mgf-label.env Normal file
Просмотреть файл

Двоичный файл не отображается.

Двоичные данные
security/nss/tests/smime/interop-openssl/fran-oaep_ossl.env Normal file
Просмотреть файл

Двоичный файл не отображается.

85
security/nss/tests/smime/smime.sh
Просмотреть файл

@ -486,10 +486,95 @@ smime_p7()
smime_enveloped_openssl_interop() {
echo "$SCRIPTNAME: OpenSSL interoperability --------------------------------"
${BINDIR}/pk12util -d ${P_R_ALICEDIR} -i tb/Fran.p12 -W nss -K nss
${BINDIR}/pk12util -d ${P_R_ALICEDIR} -i tb/Fran-ec.p12 -W nss -K nss
echo "This is a test message to Fran." > fran.txt
echo "cmsutil -D -i fran-oaep_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data1"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data1
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data1
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha256hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data2"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data2
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data2
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha384hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data3"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha384hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data3
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data3
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha512hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data4"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha512hash_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data4
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data4
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data5"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data5
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data5
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha384mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data6"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha384mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data6
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data6
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha512mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data7"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha512mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data7
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data7
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data8"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data8
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data8
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha256hash-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data9"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256hash-sha256mgf_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data9
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data9
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha256hash-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data10"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256hash-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data10
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data10
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep-sha256mgf-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data11"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep-sha256mgf-label_ossl.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data11
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data11
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-oaep_ossl-sha256hash-sha256mgf-label.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data12"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-oaep_ossl-sha256hash-sha256mgf-label.env -d ${P_R_ALICEDIR} -p nss -o fran-oaep.data12
html_msg $? 0 "Decode OpenSSL OAEP Enveloped Data Fran" "."
diff fran.txt fran-oaep.data12
html_msg $? 0 "Compare Decoded with OpenSSL enveloped" "."
echo "cmsutil -D -i fran-ec_ossl-aes128-sha1.env -d ${P_R_ALICEDIR} -p nss -o fran.data1"
${PROFTOOL} ${BINDIR}/cmsutil -D -i fran-ec_ossl-aes128-sha1.env -d ${P_R_ALICEDIR} -p nss -o fran.data1
html_msg $? 0 "Decode OpenSSL Enveloped Data Fran (ECDH, AES128 key wrap, SHA-1 KDF)" "."