diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c index 23ed406c8d5..79185c6b17a 100644 --- a/security/nss/lib/cryptohi/seckey.c +++ b/security/nss/lib/cryptohi/seckey.c @@ -577,44 +577,52 @@ SECKEY_UpdateCertPQG(CERTCertificate * subjectCert) SECStatus SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) { - SECStatus rv; - SECKEYPQGDualParams dual_params; + SECStatus rv; + SECKEYPQGDualParams dual_params; + SECItem newparams; + + PORT_Assert(arena); if (params == NULL) return SECFailure; if (params->data == NULL) return SECFailure; + /* make a copy of the data into the arena so QuickDER output is valid */ + rv = SECITEM_CopyItem(arena, &newparams, params); + /* Check if params use the standard format. * The value 0xa1 will appear in the first byte of the parameter data * if the PQG parameters are not using the standard format. This * code should be changed to use a better method to detect non-standard * parameters. */ - if ((params->data[0] != 0xa1) && - (params->data[0] != 0xa0)) { + if ((newparams.data[0] != 0xa1) && + (newparams.data[0] != 0xa0)) { + if (SECSuccess == rv) { /* PQG params are in the standard format */ /* Store DSA PQG parameters */ prepare_pqg_params_for_asn1(&pubk->u.fortezza.params); - rv = SEC_ASN1DecodeItem(arena, &pubk->u.fortezza.params, + rv = SEC_QuickDERDecodeItem(arena, &pubk->u.fortezza.params, SECKEY_PQGParamsTemplate, - params); + &newparams); + } - if (rv == SECSuccess) { - - /* Copy the DSA PQG parameters to the KEA PQG parameters. */ - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, - &pubk->u.fortezza.params.prime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, - &pubk->u.fortezza.params.subPrime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, - &pubk->u.fortezza.params.base); - if (rv != SECSuccess) return rv; - } + if (SECSuccess == rv) { + /* Copy the DSA PQG parameters to the KEA PQG parameters. */ + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, + &pubk->u.fortezza.params.prime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, + &pubk->u.fortezza.params.subPrime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, + &pubk->u.fortezza.params.base); + } } else { dual_params.CommParams.prime.len = 0; @@ -626,67 +634,79 @@ SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk, /* else the old fortezza-only wrapped format is used. */ - if (params->data[0] == 0xa1) { - rv = SEC_ASN1DecodeItem(arena, &dual_params, - SECKEY_FortezzaPreParamTemplate, params); - } else { - rv = SEC_ASN1DecodeItem(arena, &dual_params, - SECKEY_FortezzaAltPreParamTemplate, params); + if (SECSuccess == rv) { + if (newparams.data[0] == 0xa1) { + rv = SEC_QuickDERDecodeItem(arena, &dual_params, + SECKEY_FortezzaPreParamTemplate, &newparams); + } else { + rv = SEC_QuickDERDecodeItem(arena, &dual_params, + SECKEY_FortezzaAltPreParamTemplate, &newparams); + } } - - if (rv < 0) return rv; if ( (dual_params.CommParams.prime.len > 0) && (dual_params.CommParams.subPrime.len > 0) && (dual_params.CommParams.base.len > 0) ) { /* copy in common params */ - - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime, - &dual_params.CommParams.prime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime, - &dual_params.CommParams.subPrime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base, - &dual_params.CommParams.base); + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime, + &dual_params.CommParams.prime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime, + &dual_params.CommParams.subPrime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base, + &dual_params.CommParams.base); + } /* Copy the DSA PQG parameters to the KEA PQG parameters. */ - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, - &pubk->u.fortezza.params.prime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, - &pubk->u.fortezza.params.subPrime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, - &pubk->u.fortezza.params.base); - if (rv != SECSuccess) return rv; - + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, + &pubk->u.fortezza.params.prime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, + &pubk->u.fortezza.params.subPrime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, + &pubk->u.fortezza.params.base); + } } else { /* else copy in different params */ /* copy DSA PQG parameters */ - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime, + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime, &dual_params.DiffParams.DiffDSAParams.prime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime, + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime, &dual_params.DiffParams.DiffDSAParams.subPrime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base, + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base, &dual_params.DiffParams.DiffDSAParams.base); + } /* copy KEA PQG parameters */ - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, &dual_params.DiffParams.DiffKEAParams.prime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, &dual_params.DiffParams.DiffKEAParams.subPrime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, &dual_params.DiffParams.DiffKEAParams.base); + } } - } return rv; } @@ -699,27 +719,35 @@ SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk, SECStatus SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) { - SECStatus rv; - SECKEYPQGDualParams dual_params; + SECStatus rv; + SECKEYPQGDualParams dual_params; + SECItem newparams; if (params == NULL) return SECFailure; if (params->data == NULL) return SECFailure; + PORT_Assert(arena); + + /* make a copy of the data into the arena so QuickDER output is valid */ + rv = SECITEM_CopyItem(arena, &newparams, params); + /* Check if params use the standard format. * The value 0xa1 will appear in the first byte of the parameter data * if the PQG parameters are not using the standard format. This * code should be changed to use a better method to detect non-standard * parameters. */ - if ((params->data[0] != 0xa1) && - (params->data[0] != 0xa0)) { + if ((newparams.data[0] != 0xa1) && + (newparams.data[0] != 0xa0)) { - /* PQG params are in the standard format */ - prepare_pqg_params_for_asn1(&pubk->u.dsa.params); - rv = SEC_ASN1DecodeItem(arena, &pubk->u.dsa.params, - SECKEY_PQGParamsTemplate, - params); + if (SECSuccess == rv) { + /* PQG params are in the standard format */ + prepare_pqg_params_for_asn1(&pubk->u.dsa.params); + rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params, + SECKEY_PQGParamsTemplate, + &newparams); + } } else { dual_params.CommParams.prime.len = 0; @@ -729,52 +757,57 @@ SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) dual_params.DiffParams.DiffDSAParams.subPrime.len = 0; dual_params.DiffParams.DiffDSAParams.base.len = 0; - /* else the old fortezza-only wrapped format is used. */ - if (params->data[0] == 0xa1) { - rv = SEC_ASN1DecodeItem(arena, &dual_params, - SECKEY_FortezzaPreParamTemplate, params); - } else { - rv = SEC_ASN1DecodeItem(arena, &dual_params, - SECKEY_FortezzaAltPreParamTemplate, params); + if (SECSuccess == rv) { + /* else the old fortezza-only wrapped format is used. */ + if (newparams.data[0] == 0xa1) { + rv = SEC_QuickDERDecodeItem(arena, &dual_params, + SECKEY_FortezzaPreParamTemplate, &newparams); + } else { + rv = SEC_QuickDERDecodeItem(arena, &dual_params, + SECKEY_FortezzaAltPreParamTemplate, &newparams); + } } - if (rv < 0) return rv; - if ( (dual_params.CommParams.prime.len > 0) && (dual_params.CommParams.subPrime.len > 0) && (dual_params.CommParams.base.len > 0) ) { /* copy in common params */ - - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime, - &dual_params.CommParams.prime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime, - &dual_params.CommParams.subPrime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base, - &dual_params.CommParams.base); + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime, + &dual_params.CommParams.prime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime, + &dual_params.CommParams.subPrime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base, + &dual_params.CommParams.base); + } } else { /* else copy in different params */ /* copy DSA PQG parameters */ - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime, - &dual_params.DiffParams.DiffDSAParams.prime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime, - &dual_params.DiffParams.DiffDSAParams.subPrime); - if (rv != SECSuccess) return rv; - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base, - &dual_params.DiffParams.DiffDSAParams.base); - + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime, + &dual_params.DiffParams.DiffDSAParams.prime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime, + &dual_params.DiffParams.DiffDSAParams.subPrime); + } + if (SECSuccess == rv) { + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base, + &dual_params.DiffParams.DiffDSAParams.base); + } } } return rv; } - /* Decodes the DER encoded fortezza public key and stores the results in a * structure of type SECKEYPublicKey. */ diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c index 1ec9dd438e5..5cbb38a7361 100644 --- a/security/nss/lib/pk11wrap/pk11pbe.c +++ b/security/nss/lib/pk11wrap/pk11pbe.c @@ -422,10 +422,10 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech) } if (sec_pkcs5_is_algorithm_v2_pkcs12_algorithm(algorithm)) { - rv = SEC_ASN1DecodeItem(arena, &p5_param, + rv = SEC_QuickDERDecodeItem(arena, &p5_param, SEC_V2PKCS12PBEParameterTemplate, &algid->parameters); } else { - rv = SEC_ASN1DecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate, + rv = SEC_QuickDERDecodeItem(arena,&p5_param,SEC_PKCS5PBEParameterTemplate, &algid->parameters); } diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c index 35a4cbc07d5..fdfc0f22916 100644 --- a/security/nss/lib/pk11wrap/pk11pk12.c +++ b/security/nss/lib/pk11wrap/pk11pk12.c @@ -250,11 +250,18 @@ PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, SECStatus rv = SECFailure; temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!temparena) { + goto finish; + } pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo); + if (!pki) { + goto finish; + } pki->arena = temparena; - rv = SEC_ASN1DecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate, + rv = SEC_QuickDERDecodeItem(pki->arena, pki, SECKEY_PrivateKeyInfoTemplate, derPKI); + if( rv != SECSuccess ) { goto finish; } @@ -263,9 +270,13 @@ PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI, publicValue, isPerm, isPrivate, keyUsage, privk, wincx); finish: - if( pki != NULL ) { - /* this zeroes the key and frees the arena */ - SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/); + if( temparena != NULL ) { + if (pki) { + /* this zeroes the key and frees the arena */ + SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/); + } else { + PORT_FreeArena(temparena, PR_FALSE); + } } return rv; } @@ -522,12 +533,12 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, } /* decode the private key and any algorithm parameters */ - rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey); + rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey); if(rv != SECSuccess) { goto loser; } if(paramDest && paramTemplate) { - rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate, + rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate, &(pki->algorithm.parameters)); if(rv != SECSuccess) { goto loser; diff --git a/security/nss/lib/pk11wrap/pk11sdr.c b/security/nss/lib/pk11wrap/pk11sdr.c index 28d7f2daebe..2360c2b569e 100644 --- a/security/nss/lib/pk11wrap/pk11sdr.c +++ b/security/nss/lib/pk11wrap/pk11sdr.c @@ -275,7 +275,7 @@ PK11SDR_Decrypt(SECItem *data, SECItem *result, void *cx) /* Decode the incoming data */ memset(&sdrResult, 0, sizeof sdrResult); - rv = SEC_ASN1DecodeItem(arena, &sdrResult, template, data); + rv = SEC_QuickDERDecodeItem(arena, &sdrResult, template, data); if (rv != SECSuccess) goto loser; /* Invalid format */ /* Find the slot and key for the given keyid */ diff --git a/security/nss/lib/softoken/keydb.c b/security/nss/lib/softoken/keydb.c index a7c73306b9d..3f52f3f90f3 100644 --- a/security/nss/lib/softoken/keydb.c +++ b/security/nss/lib/softoken/keydb.c @@ -34,7 +34,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: keydb.c,v 1.38 2004-04-27 23:04:38 gerv%gerv.net Exp $ */ +/* $Id: keydb.c,v 1.39 2004-06-05 00:50:32 jpierre%netscape.com Exp $ */ #include "lowkeyi.h" #include "seccomon.h" @@ -1917,10 +1917,13 @@ seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki, if(dest != NULL) { + SECItem newPrivateKey; + SECItem newAlgParms; + SEC_PRINT("seckey_decrypt_private_key()", "PrivateKeyInfo", -1, dest); - rv = SEC_ASN1DecodeItem(temparena, pki, + rv = SEC_QuickDERDecodeItem(temparena, pki, nsslowkey_PrivateKeyInfoTemplate, dest); if(rv == SECSuccess) { @@ -1929,29 +1932,37 @@ seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki, case SEC_OID_PKCS1_RSA_ENCRYPTION: pk->keyType = NSSLOWKEYRSAKey; prepare_low_rsa_priv_key_for_asn1(pk); - rv = SEC_ASN1DecodeItem(permarena, pk, + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey) ) break; + rv = SEC_QuickDERDecodeItem(permarena, pk, nsslowkey_RSAPrivateKeyTemplate, - &pki->privateKey); + &newPrivateKey); break; case SEC_OID_ANSIX9_DSA_SIGNATURE: pk->keyType = NSSLOWKEYDSAKey; prepare_low_dsa_priv_key_for_asn1(pk); - rv = SEC_ASN1DecodeItem(permarena, pk, + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey) ) break; + rv = SEC_QuickDERDecodeItem(permarena, pk, nsslowkey_DSAPrivateKeyTemplate, - &pki->privateKey); + &newPrivateKey); if (rv != SECSuccess) goto loser; prepare_low_pqg_params_for_asn1(&pk->u.dsa.params); - rv = SEC_ASN1DecodeItem(permarena, &pk->u.dsa.params, + if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms, + &pki->algorithm.parameters) ) break; + rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params, nsslowkey_PQGParamsTemplate, - &pki->algorithm.parameters); + &newAlgParms); break; case SEC_OID_X942_DIFFIE_HELMAN_KEY: pk->keyType = NSSLOWKEYDHKey; prepare_low_dh_priv_key_for_asn1(pk); - rv = SEC_ASN1DecodeItem(permarena, pk, + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey) ) break; + rv = SEC_QuickDERDecodeItem(permarena, pk, nsslowkey_DHPrivateKeyTemplate, - &pki->privateKey); + &newPrivateKey); break; #ifdef NSS_ENABLE_ECC case SEC_OID_ANSIX962_EC_PUBLIC_KEY: @@ -1961,9 +1972,11 @@ seckey_decrypt_private_key(NSSLOWKEYEncryptedPrivateKeyInfo *epki, fordebug = &pki->privateKey; SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", pk->keyType, fordebug); - rv = SEC_ASN1DecodeItem(permarena, pk, + if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey, + &pki->privateKey) ) break; + rv = SEC_QuickDERDecodeItem(permarena, pk, nsslowkey_ECPrivateKeyTemplate, - &pki->privateKey); + &newPrivateKey); if (rv != SECSuccess) goto loser; @@ -2059,7 +2072,7 @@ seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SECItem *pwitem) goto loser; } - rv = SEC_ASN1DecodeItem(temparena, epki, + rv = SEC_QuickDERDecodeItem(temparena, epki, nsslowkey_EncryptedPrivateKeyInfoTemplate, &(dbkey->derPK)); if(rv != SECSuccess) {