changes related to bug 115660

* fipstoken will only force authentication for object-related functions when the object is a private or secret key * certutil does not authenticate to token when in FIPS and only doing cert-related operations * QA does not provide password to certutil when doing cert-related operations in FIPS tests
2002-01-29 17:30:22 +00:00 · 2002-01-29 17:30:22 +00:00 · 2e7dccd29d
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@ -642,8 +642,7 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
    } else {
 #endif
 	/* List certs on a non-internal slot. */
-	if ( PK11_IsFIPS() || 
-	     (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) )
+	if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot))
 	    PK11_Authenticate(slot, PR_TRUE, pwarg);
 	if (name) {
 	    CERTCertificate *the_cert;
@ -937,6 +936,7 @@ printKeyCB(SECKEYPublicKey *key, SECItem *data, void *arg)
 struct secuCBData {
    FILE *file;
    int	keycount;
+    void *wincx;
 };

 /* callback for listing certs through pkcs11 */
@ -949,7 +949,7 @@ secu_PrintKeyFromCert(CERTCertificate *cert, void *data)

    cbdata = (struct secuCBData *)data;
    out = cbdata->file;
-    key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL);
+    key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, cbdata->wincx);
    if (!key) {
 	fprintf(out, "XXX could not extract key for %s.\n", cert->nickname);
 	return SECFailure;
@ -970,6 +970,7 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)

    cbdata.keycount = 0;
    cbdata.file = stdout;
+    cbdata.wincx = pwarg;

 #ifdef notdef
    if (PK11_IsInternal(slot)) {
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@ -134,6 +134,24 @@ static CK_FUNCTION_LIST pk11_fipsTable = {

 #undef __PASTE

+static CK_RV
+fips_login_if_key_object(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+    CK_RV rv;
+    CK_OBJECT_CLASS objClass;
+    CK_ATTRIBUTE class; 
+    class.type = CKA_CLASS;
+    class.pValue = &objClass;
+    class.ulValueLen = sizeof(objClass);
+    rv = NSC_GetAttributeValue(hSession, hObject, &class, 1);
+    if (rv == CKR_OK) {
+	if ((objClass == CKO_PRIVATE_KEY) || (objClass == CKO_SECRET_KEY)) {
+	    rv = pk11_fipsCheck();
+	}
+    }
+    return rv;
+}
+

 /**********************************************************************
 *
@ -352,7 +370,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
 CK_RV FC_CopyObject(CK_SESSION_HANDLE hSession,
       CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount,
 					CK_OBJECT_HANDLE_PTR phNewObject) {
-    PK11_FIPSCHECK();
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
    return NSC_CopyObject(hSession,hObject,pTemplate,usCount,phNewObject);
 }

@ -360,7 +383,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
 /* FC_DestroyObject destroys an object. */
 CK_RV FC_DestroyObject(CK_SESSION_HANDLE hSession,
 		 				CK_OBJECT_HANDLE hObject) {
-    PK11_FIPSCHECK();
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
    return NSC_DestroyObject(hSession,hObject);
 }

@ -368,7 +396,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
 /* FC_GetObjectSize gets the size of an object in bytes. */
 CK_RV FC_GetObjectSize(CK_SESSION_HANDLE hSession,
    			CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pusSize) {
-    PK11_FIPSCHECK();
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
    return NSC_GetObjectSize(hSession, hObject, pusSize);
 }

@ -376,9 +409,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
 /* FC_GetAttributeValue obtains the value of one or more object attributes. */
 CK_RV FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
 CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
-    /* depend on the normal soft token to protect sensitive objects and
-     * data */
+    CK_RV rv;
    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
    return NSC_GetAttributeValue(hSession,hObject,pTemplate,usCount);
 }

@ -386,7 +422,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
 /* FC_SetAttributeValue modifies the value of one or more object attributes */
 CK_RV FC_SetAttributeValue (CK_SESSION_HANDLE hSession,
 CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) {
-    PK11_FIPSCHECK();
+    CK_RV rv;
+    PK11_FIPSFATALCHECK();
+    rv = fips_login_if_key_object(hSession, hObject);
+    if (rv != CKR_OK) {
+	return rv;
+    }
    return NSC_SetAttributeValue(hSession,hObject,pTemplate,usCount);
 }

--- a/security/nss/tests/fips/fips.sh
+++ b/security/nss/tests/fips/fips.sh
@ -91,8 +91,8 @@ fips_init()
 fips_140_1()
 {
  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
-  echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}"
-  certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
  html_msg $? 0 "List the FIPS module certificates (certutil -L)"

  echo "$SCRIPTNAME: List the FIPS module keys -------------------------"
@ -118,13 +118,13 @@ fips_140_1()
  html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)"

  echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------"
-  echo "certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt -f ${R_FIPSPWFILE}"
-  certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt -f ${R_FIPSPWFILE} 2>&1
+  echo "certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt"
+  certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1
  html_msg $? 0 "Export the certificate as a DER (certutil -L -r)"

  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
-  echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}"
-  certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
  html_msg $? 0 "List the FIPS module certificates (certutil -L)"

  echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module"
@ -134,8 +134,8 @@ fips_140_1()


  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
-  echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}"
-  certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
  html_msg $? 0 "List the FIPS module certificates (certutil -L)"

  echo "$SCRIPTNAME: List the FIPS module keys."
@ -151,8 +151,8 @@ fips_140_1()
  html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)"

  echo "$SCRIPTNAME: List the FIPS module certificates -----------------"
-  echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}"
-  certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1
+  echo "certutil -d ${R_FIPSDIR} -L"
+  certutil -d ${R_FIPSDIR} -L 2>&1
  html_msg $? 0 "List the FIPS module certificates (certutil -L)"

  echo "$SCRIPTNAME: List the FIPS module keys --------------------------"