mozilla
/
pjs
зеркало из https://github.com/mozilla/pjs.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

[Bug 401928] Support generalized PKCS#5 v2 PBEs 

pk11wrap patch (base API support).
r=nelson
This commit is contained in:
rrelyea%redhat.com 2008-01-17 00:45:04 +00:00
Родитель 660fe310b9
Коммит 2df39ddfcc
10 изменённых файлов: 989 добавлений и 294 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
security/nss/lib/nss/nss.def
Просмотреть файл

@ -924,13 +924,16 @@ CERT_GetValidDNSPatternsFromCert;
CERT_SetOCSPTimeout;
CERT_PKIXVerifyCert;
PK11_CreateGenericObject;
PK11_CreatePBEV2AlgorithmID;
PK11_GenerateKeyPairWithOpFlags;
PK11_GetAllSlotsForCert;
PK11_GetPBECryptoMechanism;
PK11_WriteRawAttribute;
SECKEY_ECParamsToBasePointOrderLen;
SECKEY_ECParamsToKeySize;
SECMOD_DeleteModuleEx;
SEC_GetRegisteredHttpClient;
SEC_PKCS5IsAlgorithmPBEAlgTag;
VFY_CreateContextDirect;
VFY_CreateContextWithAlgorithmID;
VFY_VerifyDataDirect;

121
security/nss/lib/pk11wrap/pk11akey.c
Просмотреть файл

@ -1235,12 +1235,11 @@ PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
PRBool isPrivate, KeyType keyType,
unsigned int keyUsage, void *wincx)
{
CK_MECHANISM_TYPE mechanism;
SECItem *pbe_param, crypto_param;
CK_MECHANISM_TYPE pbeMechType;
SECItem *crypto_param = NULL;
PK11SymKey *key = NULL;
SECStatus rv = SECSuccess;
CK_MECHANISM cryptoMech, pbeMech;
CK_RV crv;
CK_MECHANISM_TYPE cryptoMechType;
SECKEYPrivateKey *privKey = NULL;
PRBool faulty3DES = PR_FALSE;
int usageCount = 0;
@ -1254,9 +1253,7 @@ PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
if((epki == NULL) || (pwitem == NULL))
return SECFailure;
crypto_param.data = NULL;
mechanism = PK11_AlgtagToMechanism(SECOID_FindOIDTag(
pbeMechType = PK11_AlgtagToMechanism(SECOID_FindOIDTag(
&epki->algorithm.algorithm));
switch (keyType) {
@ -1310,34 +1307,26 @@ PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
}
try_faulty_3des:
pbe_param = PK11_ParamFromAlgid(&epki->algorithm);
key = PK11_RawPBEKeyGen(slot, mechanism, pbe_param, pwitem,
faulty3DES, wincx);
if((key == NULL) || (pbe_param == NULL)) {
key = PK11_PBEKeyGen(slot, &epki->algorithm, pwitem, faulty3DES, wincx);
if (key == NULL) {
rv = SECFailure;
goto done;
}
cryptoMechType = pk11_GetPBECryptoMechanism(&epki->algorithm,
&crypto_param, pwitem, faulty3DES);
if (cryptoMechType == CKM_INVALID_MECHANISM) {
rv = SECFailure;
goto done;
}
pbeMech.mechanism = mechanism;
pbeMech.pParameter = pbe_param->data;
pbeMech.ulParameterLen = pbe_param->len;
crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech,
pwitem, faulty3DES);
if(crv != CKR_OK) {
rv = SECFailure;
goto done;
}
cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
crypto_param.data = (unsigned char*)cryptoMech.pParameter;
crypto_param.len = cryptoMech.ulParameterLen;
cryptoMechType = PK11_GetPadMechanism(cryptoMechType);
PORT_Assert(usage != NULL);
PORT_Assert(usageCount != 0);
privKey = PK11_UnwrapPrivKey(slot, key, cryptoMech.mechanism,
&crypto_param, &epki->encryptedData,
privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType,
crypto_param, &epki->encryptedData,
nickname, publicValue, isPerm, isPrivate,
key_type, usage, usageCount, wincx);
if(privKey) {
@ -1347,28 +1336,21 @@ try_faulty_3des:
goto done;
}
/* if we are unable to import the key and the mechanism is
/* if we are unable to import the key and the pbeMechType is
* CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
* the encrypted blob was created with a buggy key generation method
* which is described in the PKCS 12 implementation notes. So we
* need to try importing via that method.
*/
if((mechanism == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) {
if((pbeMechType == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) {
/* clean up after ourselves before redoing the key generation. */
PK11_FreeSymKey(key);
key = NULL;
if(pbe_param) {
SECITEM_ZfreeItem(pbe_param, PR_TRUE);
pbe_param = NULL;
}
if(crypto_param.data) {
SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
crypto_param.data = NULL;
cryptoMech.pParameter = NULL;
crypto_param.len = cryptoMech.ulParameterLen = 0;
if(crypto_param) {
SECITEM_ZfreeItem(crypto_param, PR_TRUE);
crypto_param = NULL;
}
faulty3DES = PR_TRUE;
@ -1379,13 +1361,8 @@ try_faulty_3des:
rv = SECFailure;
done:
if(pbe_param != NULL) {
SECITEM_ZfreeItem(pbe_param, PR_TRUE);
pbe_param = NULL;
}
if(crypto_param.data != NULL) {
SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
if(crypto_param != NULL) {
SECITEM_ZfreeItem(crypto_param, PR_TRUE);
}
if(key != NULL) {
@ -1413,29 +1390,28 @@ PK11_ExportEncryptedPrivKeyInfo(
SECKEYEncryptedPrivateKeyInfo *epki = NULL;
PRArenaPool *arena = NULL;
SECAlgorithmID *algid;
SECItem *pbe_param = NULL;
SECOidTag pbeAlgTag = SEC_OID_UNKNOWN;
SECItem *crypto_param = NULL;
PK11SymKey *key = NULL;
SECKEYPrivateKey *tmpPK = NULL;
SECStatus rv = SECSuccess;
CK_RV crv;
CK_ULONG encBufLen;
CK_MECHANISM_TYPE mechanism;
CK_MECHANISM pbeMech;
CK_MECHANISM_TYPE pbeMechType;
CK_MECHANISM_TYPE cryptoMechType;
CK_MECHANISM cryptoMech;
SECItem crypto_param;
if (!pwitem || !pk) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
algid = SEC_PKCS5CreateAlgorithmID(algTag, NULL, iteration);
algid = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, SEC_OID_UNKNOWN,
&pbeAlgTag, 0, NULL, iteration);
if (algid == NULL) {
return NULL;
}
crypto_param.data = NULL;
arena = PORT_NewArena(2048);
if (arena)
epki = PORT_ArenaZNew(arena, SECKEYEncryptedPrivateKeyInfo);
@ -1445,15 +1421,6 @@ PK11_ExportEncryptedPrivKeyInfo(
}
epki->arena = arena;
mechanism = PK11_AlgtagToMechanism(algTag);
pbe_param = PK11_ParamFromAlgid(algid);
if (!pbe_param || mechanism == CKM_INVALID_MECHANISM) {
rv = SECFailure;
goto loser;
}
pbeMech.mechanism = mechanism;
pbeMech.pParameter = pbe_param->data;
pbeMech.ulParameterLen = pbe_param->len;
/* if we didn't specify a slot, use the slot the private key was in */
if (!slot) {
@ -1463,28 +1430,27 @@ PK11_ExportEncryptedPrivKeyInfo(
/* if we specified a different slot, and the private key slot can do the
* pbe key gen, generate the key in the private key slot so we don't have
* to move it later */
pbeMechType = PK11_AlgtagToMechanism(pbeAlgTag);
if (slot != pk->pkcs11Slot) {
if (PK11_DoesMechanism(pk->pkcs11Slot,mechanism)) {
if (PK11_DoesMechanism(pk->pkcs11Slot,pbeMechType)) {
slot = pk->pkcs11Slot;
}
}
key = PK11_RawPBEKeyGen(slot, mechanism, pbe_param, pwitem,
PR_FALSE, wincx);
if((key == NULL) || (pbe_param == NULL)) {
key = PK11_PBEKeyGen(slot, algid, pwitem, PR_FALSE, wincx);
if (key == NULL) {
rv = SECFailure;
goto loser;
}
crv = PK11_MapPBEMechanismToCryptoMechanism(&pbeMech, &cryptoMech,
pwitem, PR_FALSE);
if(crv != CKR_OK) {
cryptoMechType = PK11_GetPBECryptoMechanism(algid, &crypto_param, pwitem);
if (cryptoMechType == CKM_INVALID_MECHANISM) {
rv = SECFailure;
goto loser;
}
cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMech.mechanism);
crypto_param.data = (unsigned char *)cryptoMech.pParameter;
crypto_param.len = cryptoMech.ulParameterLen;
cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMechType);
cryptoMech.pParameter = crypto_param ? crypto_param->data : NULL;
cryptoMech.ulParameterLen = crypto_param ? crypto_param->len : 0;
/* If the key isn't in the private key slot, move it */
if (key->slot != pk->pkcs11Slot) {
@ -1545,14 +1511,9 @@ PK11_ExportEncryptedPrivKeyInfo(
rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid);
loser:
if(pbe_param != NULL) {
SECITEM_ZfreeItem(pbe_param, PR_TRUE);
pbe_param = NULL;
}
if(crypto_param.data != NULL) {
SECITEM_ZfreeItem(&crypto_param, PR_FALSE);
crypto_param.data = NULL;
if(crypto_param != NULL) {
SECITEM_ZfreeItem(crypto_param, PR_TRUE);
crypto_param = NULL;
}
if(key != NULL) {

25
security/nss/lib/pk11wrap/pk11mech.c
Просмотреть файл

@ -61,12 +61,14 @@ typedef struct {
CK_MECHANISM_TYPE keyGen;
CK_KEY_TYPE keyType;
CK_MECHANISM_TYPE type;
CK_MECHANISM_TYPE padType;
int blockSize;
int iv;
} pk11MechanismData;
static pk11MechanismData pk11_default =
{ CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, CKM_FAKE_RANDOM, 8, 8 };
{ CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET,
CKM_FAKE_RANDOM, CKM_FAKE_RANDOM, 8, 8 };
static pk11MechanismData *pk11_MechanismTable = NULL;
static int pk11_MechTableSize = 0;
static int pk11_MechEntrySize = 0;
@ -139,7 +141,9 @@ PK11_GetBestWrapMechanism(PK11SlotInfo *slot)
*/
void
PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
CK_MECHANISM_TYPE keyGen, int ivLen, int blockSize)
CK_MECHANISM_TYPE keyGen,
CK_MECHANISM_TYPE padType,
int ivLen, int blockSize)
{
int tableSize = pk11_MechTableSize;
int size = pk11_MechEntrySize;
@ -160,6 +164,7 @@ PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
newt[entry].type = type;
newt[entry].keyType = key;
newt[entry].keyGen = keyGen;
newt[entry].padType = padType;
newt[entry].iv = ivLen;
newt[entry].blockSize = blockSize;
@ -603,6 +608,7 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
case CKM_PBE_SHA1_RC4_128:
case CKM_PBE_SHA1_DES3_EDE_CBC:
case CKM_PBE_SHA1_DES2_EDE_CBC:
case CKM_PKCS5_PBKD2:
return type;
default:
return pk11_lookup(type)->keyGen;
@ -976,6 +982,8 @@ PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len)
case CKM_CAST_CBC:
case CKM_CAST3_CBC:
case CKM_CAST5_CBC:
case CKM_CAMELLIA_CBC_PAD:
case CKM_AES_CBC_PAD:
case CKM_DES_CBC_PAD:
case CKM_DES3_CBC_PAD:
case CKM_IDEA_CBC_PAD:
@ -1217,6 +1225,7 @@ PK11_ParamFromAlgid(SECAlgorithmID *algid)
case CKM_PBE_SHA1_RC2_128_CBC:
case CKM_PBE_SHA1_RC4_40:
case CKM_PBE_SHA1_RC4_128:
case CKM_PKCS5_PBKD2:
rv = pbe_PK11AlgidToParam(algid,mech);
if (rv != SECSuccess) {
goto loser;
@ -1369,7 +1378,7 @@ PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) {
}
/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
* or RC4 key. Of course that wouldn't happen here doing RC2:).*/
*rc2_ecb_params = PK11_GetKeyLength(key)*8;
*rc2_ecb_params = key ? PK11_GetKeyLength(key)*8 : 128;
mech->data = (unsigned char *) rc2_ecb_params;
mech->len = sizeof(CK_RC2_PARAMS);
break;
@ -1387,7 +1396,7 @@ PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) {
}
/* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
* or RC4 key. Of course that wouldn't happen here doing RC2:).*/
rc2_params->ulEffectiveBits = PK11_GetKeyLength(key)*8;
rc2_params->ulEffectiveBits = key ? PK11_GetKeyLength(key)*8 : 128;
if (iv.data)
PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv));
mech->data = (unsigned char *) rc2_params;
@ -1695,6 +1704,14 @@ PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
return CKR_HOST_MEMORY;
}
/* pkcs5 v2 cannot be supported by this interface.
* use PK11_GetPBECryptoMechanism instead.
*/
if ((pPBEMechanism->mechanism == CKM_INVALID_MECHANISM) ||
(pPBEMechanism->mechanism == CKM_PKCS5_PBKD2)) {
return CKR_MECHANISM_INVALID;
}
pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter;
iv_len = PK11_GetIVLength(pPBEMechanism->mechanism);

974
security/nss/lib/pk11wrap/pk11pbe.c
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

4
security/nss/lib/pk11wrap/pk11priv.h
Просмотреть файл

@ -65,6 +65,7 @@ SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
PK11SlotInfo *slot);
PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE type);
/************************************************************
* Generic Slot Management
@ -122,7 +123,8 @@ SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
* Mechanism Mapping functions
*********************************************************************/
void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
CK_MECHANISM_TYPE keygen, int ivLen, int blocksize);
CK_MECHANISM_TYPE keygen, CK_MECHANISM_TYPE pad,
int ivLen, int blocksize);
CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type);
CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size);

20
security/nss/lib/pk11wrap/pk11pub.h
Просмотреть файл

@ -258,6 +258,9 @@ SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *,unsigned char *data,int len);
SECStatus PK11_RandomUpdate(void *data, size_t bytes);
SECStatus PK11_GenerateRandom(unsigned char *data,int len);
/* warning: cannot work with pkcs 5 v2
* use algorithm ID s instead of pkcs #11 mechanism pointers */
CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
CK_MECHANISM_PTR pCryptoMechanism,
SECItem *pbe_pwd, PRBool bad3DES);
@ -682,14 +685,31 @@ void PK11_DestroyPBEParams(SECItem *params);
SECAlgorithmID *
PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
/* use to create PKCS5 V2 algorithms with finder control than that provided
* by PK11_CreatePBEAlgorithmID. */
SECAlgorithmID *
PK11_CreatePBEV2AlgorithmID(SECOidTag pbeAlgTag, SECOidTag cipherAlgTag,
SECOidTag prfAlgTag, int keyLength, int iteration,
SECItem *salt);
PK11SymKey *
PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
PRBool faulty3DES, void *wincx);
/* warning: cannot work with PKCS 5 v2 use PK11_PBEKeyGen instead */
PK11SymKey *
PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
SECItem *pwitem, PRBool faulty3DES, void *wincx);
SECItem *
PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
/*
* Get the Mechanism and parameter of the base encryption or mac scheme from
* a PBE algorithm ID.
* Caller is responsible for freeing the return parameter (param).
*/
CK_MECHANISM_TYPE
PK11_GetPBECryptoMechanism(SECAlgorithmID *algid,
SECItem **param, SECItem *pwd);
/**********************************************************************
* Functions to manage secmod flags

65
security/nss/lib/pk11wrap/pk11skey.c
Просмотреть файл

@ -876,23 +876,31 @@ PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
operation, flags, perm, symKey);
}
/*
* Use the token to generate a key. keySize must be 'zero' for fixed key
* length algorithms. A nonzero keySize causes the CKA_VALUE_LEN attribute
* to be added to the template for the key. PKCS #11 modules fail if you
* specify the CKA_VALUE_LEN attribute for keys with fixed length.
* NOTE: this means to generate a DES2 key from this interface you must
* specify CKM_DES2_KEY_GEN as the mechanism directly; specifying
* CKM_DES3_CBC as the mechanism and 16 as keySize currently doesn't work.
* Use the token to generate a key.
*
* keySize must be 'zero' for fixed key length algorithms. A nonzero
* keySize causes the CKA_VALUE_LEN attribute to be added to the template
* for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN
* attribute for keys with fixed length. The exception is DES2. If you
* select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
* paramter and use the key size to determine which underlying DES keygen
* function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
*
* keyType must be -1 for most algorithms. Some PBE algorthims cannot
* determine the correct key type from the mechanism or the paramters,
* so key type must be specified. Other PKCS #11 mechanisms may do so in
* the future. Currently there is no need to export this publically.
* Keep it private until there is a need in case we need to expand the
* keygen parameters again...
*
* CK_FLAGS flags: key operation flags
* PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags
*/
PK11SymKey *
PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags,
PK11AttrFlags attrFlags, void *wincx)
pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *param, CK_KEY_TYPE keyType, int keySize, SECItem *keyid,
CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx)
{
PK11SymKey *symKey;
CK_ATTRIBUTE genTemplate[MAX_TEMPL_ATTRS];
@ -911,13 +919,19 @@ PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
return NULL;
}
if (keySize != 0) {
if ((keySize != 0) && (type != CKM_DES3_CBC) &&
(type !=CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) {
ck_key_size = keySize; /* Convert to PK11 type */
PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size));
attrs++;
}
if (keyType != -1) {
PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(CK_KEY_TYPE));
attrs++;
}
/* Include key id value if provided */
if (keyid) {
PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); attrs++;
@ -1002,6 +1016,29 @@ PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
return symKey;
}
/*
* Use the token to generate a key. - Public
*
* keySize must be 'zero' for fixed key length algorithms. A nonzero
* keySize causes the CKA_VALUE_LEN attribute to be added to the template
* for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN
* attribute for keys with fixed length. The exception is DES2. If you
* select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN
* paramter and use the key size to determine which underlying DES keygen
* function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN).
*
* CK_FLAGS flags: key operation flags
* PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags
*/
PK11SymKey *
PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags,
PK11AttrFlags attrFlags, void *wincx)
{
return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, -1, keySize,
keyid, opFlags, attrFlags, wincx);
}
/*
* Use the token to generate a key. keySize must be 'zero' for fixed key
* length algorithms. A nonzero keySize causes the CKA_VALUE_LEN attribute
@ -1031,8 +1068,8 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
}
symKey = PK11_TokenKeyGenWithFlags(slot, type, param, keySize, keyid,
opFlags, attrFlags, wincx);
symKey = pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param,
-1, keySize, keyid, opFlags, attrFlags, wincx);
if (symKey && weird) {
PK11_SetFortezzaHack(symKey);
}

55
security/nss/lib/pk11wrap/pk11slot.c
Просмотреть файл

@ -2124,6 +2124,61 @@ PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
return mechanism_info.ulMaxKeySize;
}
/*
* This function uses the existing PKCS #11 module to find the
* longest supported key length in the preferred token for a mechanism.
* This varies from the above function in that 1) it returns the key length
* even for fixed key algorithms, and 2) it looks through the tokens
* generally rather than for a specific token. This is used in liu of
* a PK11_GetKeyLength function in pk11mech.c since we can actually read
* supported key lengths from PKCS #11.
*
* For symmetric key operations the length is returned in bytes.
*/
int
PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism)
{
CK_MECHANISM_INFO mechanism_info;
PK11SlotList *list = NULL;
PK11SlotListElement *le ;
PRBool freeit = PR_FALSE;
int keyLength = 0;
list = PK11_GetSlotList(mechanism);
if ((list == NULL) || (list->head == NULL)) {
/* We need to look up all the tokens for the mechanism */
list = PK11_GetAllTokens(mechanism,PR_FALSE,PR_FALSE,NULL);
freeit = PR_TRUE;
}
/* no tokens recognize this mechanism */
if (list == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return 0;
}
for (le = PK11_GetFirstSafe(list); le;
le = PK11_GetNextSafe(list,le,PR_TRUE)) {
PK11SlotInfo *slot = le->slot;
CK_RV crv;
if (PK11_IsPresent(slot)) {
if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
mechanism,&mechanism_info);
if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
if ((crv == CKR_OK) && (mechanism_info.ulMaxKeySize != 0)
&& (mechanism_info.ulMaxKeySize != 0xffffffff)) {
keyLength = mechanism_info.ulMaxKeySize;
break;
}
}
}
if (freeit) { PK11_FreeSlotList(list); }
return keyLength;
}
SECStatus
PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) {
CK_RV crv;

10
security/nss/lib/pk11wrap/secmodi.h
Просмотреть файл

@ -111,6 +111,16 @@ SECStatus pbe_PK11AlgidToParam(SECAlgorithmID *algid,SECItem *mech);
SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param,
PRArenaPool *arena, SECAlgorithmID *algId);
PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType,
int keySize, SECItem *keyId, CK_FLAGS opFlags,
PK11AttrFlags attrFlags, void *wincx);
CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
SECItem **param, SECItem *pwd, PRBool faulty3DES);
extern void pk11sdr_Init(void);
extern void pk11sdr_Shutdown(void);

6
security/nss/lib/pk11wrap/secpkcs5.h
Просмотреть файл

@ -50,8 +50,11 @@ typedef struct PBEBitGenContextStr PBEBitGenContext;
SEC_BEGIN_PROTOS
/* private */
SECAlgorithmID *
SEC_PKCS5CreateAlgorithmID(SECOidTag algorithm, SECItem *salt, int iteration);
sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, SECOidTag cipherAlgorithm,
SECOidTag prfAlg, SECOidTag *pPbeAlgorithm,
int keyLengh, SECItem *salt, int iteration);
/* Get the initialization vector. The password is passed in, hashing
* is performed, and the initialization vector is returned.
@ -65,6 +68,7 @@ SEC_PKCS5GetIV(SECAlgorithmID *algid, SECItem *pwitem, PRBool faulty3DES);
SECOidTag SEC_PKCS5GetCryptoAlgorithm(SECAlgorithmID *algid);
PRBool SEC_PKCS5IsAlgorithmPBEAlg(SECAlgorithmID *algid);
PRBool SEC_PKCS5IsAlgorithmPBEAlgTag(SECOidTag algTag);
SECOidTag SEC_PKCS5GetPBEAlgorithm(SECOidTag algTag, int keyLen);
int SEC_PKCS5GetKeyLength(SECAlgorithmID *algid);