mozilla
/
pjs
зеркало из https://github.com/mozilla/pjs.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

refactor pk11util, splitting large single files down to a managable size. 

bug 246130. The new factor is:

pk11akey.c - asymetric keys constructed from pk11cert.c and pk11skey.c
pk11auth.c - authentication/password management factored from pk11slot.c
pk11cert.c - cert code with private key, crls and trust factored out.
pk11ctx.c -- pkcs11 context code, factored out of pk11skey.c
new pk11func.h -- for backward compatibility.
pk11mech.c - mechanism mapping code, factored mostly from pk11slot.c
pk11nobj.c - netscape objects (crls and trust), factored mostly from pk11cert.c
pk11obj.c - generic object support, factored from pk11skey.c pk11slot.c and
pk11cert.c
pk11priv.h -- private functions factored from pk11func.h
pk11pub.h -- public functions factored from pk11func.h
pk11skey.c - now only symetric key ops; private, public key ops, generic ops
and crypto contexs have been factored out.
pk11slot.c - still slot operations. Authentication, generic object ops,
mechanism mapping has been factored out.

This patch should only have refactoring, no new functions or other changes.
This commit is contained in:
relyea%netscape.com 2004-07-19 22:12:38 +00:00
Родитель f3754bca20
Коммит 73f15b0963
24 изменённых файлов: 9322 добавлений и 8836 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

27
security/nss/lib/pk11wrap/manifest.mn
Просмотреть файл

@ -41,13 +41,14 @@ EXPORTS = \
secmodt.h \
secpkcs5.h \
pk11func.h \
pk11pub.h \
pk11priv.h \
pk11sdr.h \
pk11pqg.h \
$(NULL)
PRIVATE_EXPORTS = \
secmodi.h \
secmodti.h \
pk11init.h \
dev3hack.h \
$(NULL)
@ -56,19 +57,25 @@ MODULE = nss
CSRCS = \
dev3hack.c \
pk11akey.c \
pk11auth.c \
pk11cert.c \
pk11cxt.c \
pk11err.c \
pk11load.c \
pk11pars.c \
pk11slot.c \
pk11list.c \
pk11skey.c \
pk11kea.c \
pk11util.c \
pk11sdr.c \
pk11pqg.c \
pk11pk12.c \
pk11list.c \
pk11load.c \
pk11mech.c \
pk11nobj.c \
pk11obj.c \
pk11pars.c \
pk11pbe.c \
pk11pk12.c \
pk11pqg.c \
pk11sdr.c \
pk11skey.c \
pk11slot.c \
pk11util.c \
$(NULL)
REQUIRES = dbm

2267
security/nss/lib/pk11wrap/pk11akey.c Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

702
security/nss/lib/pk11wrap/pk11auth.c Normal file
Просмотреть файл

@ -0,0 +1,702 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* This file deals with PKCS #11 passwords and authentication.
*/
#include "seccomon.h"
#include "secmod.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11t.h"
#include "pk11func.h"
#include "secitem.h"
#include "secerr.h"
#include "pkim.h"
/*************************************************************
* local static and global data
*************************************************************/
/*
* This structure keeps track of status that spans all the Slots.
* NOTE: This is a global data structure. It semantics expect thread crosstalk
* be very careful when you see it used.
* It's major purpose in life is to allow the user to log in one PER
* Tranaction, even if a transaction spans threads. The problem is the user
* may have to enter a password one just to be able to look at the
* personalities/certificates (s)he can use. Then if Auth every is one, they
* may have to enter the password again to use the card. See PK11_StartTransac
* and PK11_EndTransaction.
*/
static struct PK11GlobalStruct {
int transaction;
PRBool inTransaction;
char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *);
PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *);
PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *);
} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
/***********************************************************
* Password Utilities
***********************************************************/
/*
* Check the user's password. Log into the card if it's correct.
* succeed if the user is already logged in.
*/
SECStatus
pk11_CheckPassword(PK11SlotInfo *slot,char *pw)
{
int len = PORT_Strlen(pw);
CK_RV crv;
SECStatus rv;
int64 currtime = PR_Now();
if (slot->protectedAuthPath) {
len = 0;
pw = NULL;
}
PK11_EnterSlotMonitor(slot);
crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
(unsigned char *)pw,len);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
switch (crv) {
/* if we're already logged in, we're good to go */
case CKR_OK:
slot->authTransact = PK11_Global.transaction;
case CKR_USER_ALREADY_LOGGED_IN:
slot->authTime = currtime;
rv = SECSuccess;
break;
case CKR_PIN_INCORRECT:
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
break;
default:
PORT_SetError(PK11_MapError(crv));
rv = SECFailure; /* some failure we can't fix by retrying */
}
return rv;
}
/*
* Check the user's password. Logout before hand to make sure that
* we are really checking the password.
*/
SECStatus
PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw)
{
int len = PORT_Strlen(pw);
CK_RV crv;
SECStatus rv;
int64 currtime = PR_Now();
if (slot->protectedAuthPath) {
len = 0;
pw = NULL;
}
/* force a logout */
PK11_EnterSlotMonitor(slot);
PK11_GETTAB(slot)->C_Logout(slot->session);
crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
(unsigned char *)pw,len);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
switch (crv) {
/* if we're already logged in, we're good to go */
case CKR_OK:
slot->authTransact = PK11_Global.transaction;
slot->authTime = currtime;
rv = SECSuccess;
break;
case CKR_PIN_INCORRECT:
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
break;
default:
PORT_SetError(PK11_MapError(crv));
rv = SECFailure; /* some failure we can't fix by retrying */
}
return rv;
}
SECStatus
PK11_Logout(PK11SlotInfo *slot)
{
CK_RV crv;
/* force a logout */
PK11_EnterSlotMonitor(slot);
crv = PK11_GETTAB(slot)->C_Logout(slot->session);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
return SECFailure;
}
return SECSuccess;
}
/*
* transaction stuff is for when we test for the need to do every
* time auth to see if we already did it for this slot/transaction
*/
void PK11_StartAuthTransaction(void)
{
PK11_Global.transaction++;
PK11_Global.inTransaction = PR_TRUE;
}
void PK11_EndAuthTransaction(void)
{
PK11_Global.transaction++;
PK11_Global.inTransaction = PR_FALSE;
}
/*
* before we do a private key op, we check to see if we
* need to reauthenticate.
*/
void
PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
{
int askpw = slot->askpw;
PRBool NeedAuth = PR_FALSE;
if (!slot->needLogin) return;
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
if (def_slot) {
askpw = def_slot->askpw;
PK11_FreeSlot(def_slot);
}
}
/* timeouts are handled by isLoggedIn */
if (!PK11_IsLoggedIn(slot,wincx)) {
NeedAuth = PR_TRUE;
} else if (askpw == -1) {
if (!PK11_Global.inTransaction ||
(PK11_Global.transaction != slot->authTransact)) {
PK11_EnterSlotMonitor(slot);
PK11_GETTAB(slot)->C_Logout(slot->session);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
NeedAuth = PR_TRUE;
}
}
if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
}
void
PK11_SlotDBUpdate(PK11SlotInfo *slot)
{
SECMOD_UpdateModule(slot->module);
}
/*
* set new askpw and timeout values
*/
void
PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout)
{
slot->askpw = askpw;
slot->timeout = timeout;
slot->defaultFlags |= PK11_OWN_PW_DEFAULTS;
PK11_SlotDBUpdate(slot);
}
/*
* Get the askpw and timeout values for this slot
*/
void
PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout)
{
*askpw = slot->askpw;
*timeout = slot->timeout;
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
if (def_slot) {
*askpw = def_slot->askpw;
*timeout = def_slot->timeout;
PK11_FreeSlot(def_slot);
}
}
}
/*
* Returns true if the token is needLogin and isn't logged in.
* This function is used to determine if authentication is needed
* before attempting a potentially privelleged operation.
*/
PRBool
pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx)
{
return slot->needLogin && !PK11_IsLoggedIn(slot,wincx);
}
/*
* make sure a slot is authenticated...
* This function only does the authentication if it is needed.
*/
SECStatus
PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
if (pk11_LoginStillRequired(slot,wincx)) {
return PK11_DoPassword(slot,loadCerts,wincx);
}
return SECSuccess;
}
/*
* Authenticate to "unfriendly" tokens (tokens which need to be logged
* in to find the certs.
*/
SECStatus
pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
{
SECStatus rv = SECSuccess;
if (!PK11_IsFriendly(slot)) {
rv = PK11_Authenticate(slot, loadCerts, wincx);
}
return rv;
}
/*
* NOTE: this assumes that we are logged out of the card before hand
*/
SECStatus
PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw)
{
CK_SESSION_HANDLE rwsession;
CK_RV crv;
SECStatus rv = SECFailure;
int len = PORT_Strlen(ssopw);
/* get a rwsession */
rwsession = PK11_GetRWSession(slot);
if (rwsession == CK_INVALID_SESSION) return rv;
if (slot->protectedAuthPath) {
len = 0;
ssopw = NULL;
}
/* check the password */
crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
(unsigned char *)ssopw,len);
slot->lastLoginCheck = 0;
switch (crv) {
/* if we're already logged in, we're good to go */
case CKR_OK:
rv = SECSuccess;
break;
case CKR_PIN_INCORRECT:
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
break;
default:
PORT_SetError(PK11_MapError(crv));
rv = SECFailure; /* some failure we can't fix by retrying */
}
PK11_GETTAB(slot)->C_Logout(rwsession);
slot->lastLoginCheck = 0;
/* release rwsession */
PK11_RestoreROSession(slot,rwsession);
return rv;
}
/*
* make sure the password conforms to your token's requirements.
*/
SECStatus
PK11_VerifyPW(PK11SlotInfo *slot,char *pw)
{
int len = PORT_Strlen(pw);
if ((slot->minPassword > len) || (slot->maxPassword < len)) {
PORT_SetError(SEC_ERROR_BAD_DATA);
return SECFailure;
}
return SECSuccess;
}
/*
* initialize a user PIN Value
*/
SECStatus
PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *userpw)
{
CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION;
CK_RV crv;
SECStatus rv = SECFailure;
int len;
int ssolen;
if (userpw == NULL) userpw = "";
if (ssopw == NULL) ssopw = "";
len = PORT_Strlen(userpw);
ssolen = PORT_Strlen(ssopw);
/* get a rwsession */
rwsession = PK11_GetRWSession(slot);
if (rwsession == CK_INVALID_SESSION) goto done;
if (slot->protectedAuthPath) {
len = 0;
ssolen = 0;
ssopw = NULL;
userpw = NULL;
}
/* check the password */
crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
(unsigned char *)ssopw,ssolen);
slot->lastLoginCheck = 0;
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
goto done;
}
crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
} else {
rv = SECSuccess;
}
done:
PK11_GETTAB(slot)->C_Logout(rwsession);
slot->lastLoginCheck = 0;
PK11_RestoreROSession(slot,rwsession);
if (rv == SECSuccess) {
/* update our view of the world */
PK11_InitToken(slot,PR_TRUE);
PK11_EnterSlotMonitor(slot);
PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
(unsigned char *)userpw,len);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
}
return rv;
}
/*
* Change an existing user password
*/
SECStatus
PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw)
{
CK_RV crv;
SECStatus rv = SECFailure;
int newLen;
int oldLen;
CK_SESSION_HANDLE rwsession;
if (newpw == NULL) newpw = "";
if (oldpw == NULL) oldpw = "";
newLen = PORT_Strlen(newpw);
oldLen = PORT_Strlen(oldpw);
/* get a rwsession */
rwsession = PK11_GetRWSession(slot);
crv = PK11_GETTAB(slot)->C_SetPIN(rwsession,
(unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen);
if (crv == CKR_OK) {
rv = SECSuccess;
} else {
PORT_SetError(PK11_MapError(crv));
}
PK11_RestoreROSession(slot,rwsession);
/* update our view of the world */
PK11_InitToken(slot,PR_TRUE);
return rv;
}
static char *
pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx)
{
if (PK11_Global.getPass == NULL) return NULL;
return (*PK11_Global.getPass)(slot, retry, wincx);
}
void
PK11_SetPasswordFunc(PK11PasswordFunc func)
{
PK11_Global.getPass = func;
}
void
PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func)
{
PK11_Global.verifyPass = func;
}
void
PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func)
{
PK11_Global.isLoggedIn = func;
}
/*
* authenticate to a slot. This loops until we can't recover, the user
* gives up, or we succeed. If we're already logged in and this function
* is called we will still prompt for a password, but we will probably
* succeed no matter what the password was (depending on the implementation
* of the PKCS 11 module.
*/
SECStatus
PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
{
SECStatus rv = SECFailure;
char * password;
PRBool attempt = PR_FALSE;
if (PK11_NeedUserInit(slot)) {
PORT_SetError(SEC_ERROR_IO);
return SECFailure;
}
/*
* Central server type applications which control access to multiple
* slave applications to single crypto devices need to virtuallize the
* login state. This is done by a callback out of PK11_IsLoggedIn and
* here. If we are actually logged in, then we got here because the
* higher level code told us that the particular client application may
* still need to be logged in. If that is the case, we simply tell the
* server code that it should now verify the clients password and tell us
* the results.
*/
if (PK11_IsLoggedIn(slot,NULL) &&
(PK11_Global.verifyPass != NULL)) {
if (!PK11_Global.verifyPass(slot,wincx)) {
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
return SECFailure;
}
return SECSuccess;
}
/* get the password. This can drop out of the while loop
* for the following reasons:
* (1) the user refused to enter a password.
* (return error to caller)
* (2) the token user password is disabled [usually due to
* too many failed authentication attempts].
* (return error to caller)
* (3) the password was successful.
*/
while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
attempt = PR_TRUE;
rv = pk11_CheckPassword(slot,password);
PORT_Memset(password, 0, PORT_Strlen(password));
PORT_Free(password);
if (rv != SECWouldBlock) break;
}
if (rv == SECSuccess) {
rv = pk11_CheckVerifyTest(slot);
if (!PK11_IsFriendly(slot)) {
nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
slot->nssToken);
}
} else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
return rv;
}
void PK11_LogoutAll(void)
{
SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
SECMODModuleList *modList = SECMOD_GetDefaultModuleList();
SECMODModuleList *mlp = NULL;
int i;
SECMOD_GetReadLock(lock);
/* find the number of entries */
for (mlp = modList; mlp != NULL; mlp = mlp->next) {
for (i=0; i < mlp->module->slotCount; i++) {
PK11_Logout(mlp->module->slots[i]);
}
}
SECMOD_ReleaseReadLock(lock);
}
int
PK11_GetMinimumPwdLength(PK11SlotInfo *slot)
{
return ((int)slot->minPassword);
}
/* Does this slot have a protected pin path? */
PRBool
PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot)
{
return slot->protectedAuthPath;
}
/*
* we can initialize the password if 1) The toke is not inited
* (need login == true and see need UserInit) or 2) the token has
* a NULL password. (slot->needLogin = false & need user Init = false).
*/
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
{
if (slot->needLogin && PK11_NeedUserInit(slot)) {
return PR_TRUE;
}
if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
return PR_TRUE;
}
return PR_FALSE;
}
PRBool PK11_NeedPWInit()
{
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
PRBool ret = PK11_NeedPWInitForSlot(slot);
PK11_FreeSlot(slot);
return ret;
}
PRBool
pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime,
PRIntervalTime *retTime)
{
PRIntervalTime time;
*retTime = time = PR_IntervalNow();
return (PRBool) (lastTime) && ((time-lastTime) < delayTime);
}
/*
* Determine if the token is logged in. We have to actually query the token,
* because it's state can change without intervention from us.
*/
PRBool
PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx)
{
CK_SESSION_INFO sessionInfo;
int askpw = slot->askpw;
int timeout = slot->timeout;
CK_RV crv;
PRIntervalTime curTime;
static PRIntervalTime login_delay_time = 0;
if (login_delay_time == 0) {
login_delay_time = PR_SecondsToInterval(1);
}
/* If we don't have our own password default values, use the system
* ones */
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
if (def_slot) {
askpw = def_slot->askpw;
timeout = def_slot->timeout;
PK11_FreeSlot(def_slot);
}
}
if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) &&
(*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; }
/* forget the password if we've been inactive too long */
if (askpw == 1) {
int64 currtime = PR_Now();
int64 result;
int64 mult;
LL_I2L(result, timeout);
LL_I2L(mult, 60*1000*1000);
LL_MUL(result,result,mult);
LL_ADD(result, result, slot->authTime);
if (LL_CMP(result, <, currtime) ) {
PK11_EnterSlotMonitor(slot);
PK11_GETTAB(slot)->C_Logout(slot->session);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
} else {
slot->authTime = currtime;
}
}
PK11_EnterSlotMonitor(slot);
if (pk11_InDelayPeriod(slot->lastLoginCheck,login_delay_time, &curTime)) {
sessionInfo.state = slot->lastState;
crv = CKR_OK;
} else {
crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
if (crv == CKR_OK) {
slot->lastState = sessionInfo.state;
slot->lastLoginCheck = curTime;
}
}
PK11_ExitSlotMonitor(slot);
/* if we can't get session info, something is really wrong */
if (crv != CKR_OK) {
slot->session = CK_INVALID_SESSION;
return PR_FALSE;
}
switch (sessionInfo.state) {
case CKS_RW_PUBLIC_SESSION:
case CKS_RO_PUBLIC_SESSION:
default:
break; /* fail */
case CKS_RW_USER_FUNCTIONS:
case CKS_RW_SO_FUNCTIONS:
case CKS_RO_USER_FUNCTIONS:
return PR_TRUE;
}
return PR_FALSE;
}

1496
security/nss/lib/pk11wrap/pk11cert.c
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

1051
security/nss/lib/pk11wrap/pk11cxt.c Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

672
security/nss/lib/pk11wrap/pk11func.h
Просмотреть файл

@ -19,7 +19,6 @@
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
@ -36,675 +35,12 @@
* ***** END LICENSE BLOCK ***** */
#ifndef _PK11FUNC_H_
#define _PK11FUNC_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secdert.h"
#include "keyt.h"
#include "certt.h"
#include "pkcs11t.h"
#include "secmodt.h"
#include "seccomon.h"
#include "pkcs7t.h"
#include "cmsreclist.h"
SEC_BEGIN_PROTOS
/************************************************************
* Generic Slot Lists Management
************************************************************/
PK11SlotList * PK11_NewSlotList(void);
void PK11_FreeSlotList(PK11SlotList *list);
SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list,
PK11SlotListElement *le, PRBool restart);
PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
PK11SlotInfo *slot);
/************************************************************
* Generic Slot Management
************************************************************/
PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
void PK11_FreeSlot(PK11SlotInfo *slot);
SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result);
CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type);
PK11SlotInfo *PK11_GetInternalKeySlot(void);
PK11SlotInfo *PK11_GetInternalSlot(void);
char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring,
int stringLen);
int PK11_MapError(CK_RV error);
CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
CK_SESSION_HANDLE session_handle);
PK11SlotInfo *PK11_NewSlotInfo(SECMODModule *mod);
SECStatus PK11_Logout(PK11SlotInfo *slot);
void PK11_LogoutAll(void);
void PK11_EnterSlotMonitor(PK11SlotInfo *);
void PK11_ExitSlotMonitor(PK11SlotInfo *);
void PK11_CleanKeyList(PK11SlotInfo *slot);
/************************************************************
* Slot Password Management
************************************************************/
void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw);
SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
SECStatus PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *pk11_userpwd);
SECStatus PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw);
void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
void PK11_SetPasswordFunc(PK11PasswordFunc func);
void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
/************************************************************
* Manage the built-In Slot Lists
************************************************************/
SECStatus PK11_InitSlotLists(void);
void PK11_DestroySlotLists(void);
PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
void PK11_ClearSlotList(PK11SlotInfo *slot);
/******************************************************************
* Slot initialization
******************************************************************/
PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv);
PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot);
SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot);
SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
/******************************************************************
* Slot info functions
******************************************************************/
PK11SlotInfo *PK11_FindSlotByName(char *name);
PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
/******************************************************************
* PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
* more criteria : dllName, slotName and tokenName . In addition, if
* presentOnly is set , only slots with a token inserted will be
* returned.
******************************************************************/
PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
const char* slotName, const char* tokenName, PRBool presentOnly);
PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
PRBool PK11_IsInternal(PK11SlotInfo *slot);
char * PK11_GetTokenName(PK11SlotInfo *slot);
char * PK11_GetSlotName(PK11SlotInfo *slot);
PRBool PK11_NeedLogin(PK11SlotInfo *slot);
PRBool PK11_IsFriendly(PK11SlotInfo *slot);
PRBool PK11_IsHW(PK11SlotInfo *slot);
PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
int PK11_GetSlotSeries(PK11SlotInfo *slot);
int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
PRBool PK11_IsDisabled(PK11SlotInfo *slot);
PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
/* Prevents the slot from being used, and set disable reason to user-disable */
/* NOTE: Mechanisms that were ON continue to stay ON */
/* Therefore, when the slot is enabled, it will remember */
/* what mechanisms needs to be turned on */
PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
/* Allow all mechanisms that are ON before UserDisableSlot() */
/* was called to be available again */
PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
/*
* wait for a specific slot event.
* event is a specific event to wait for. Currently only
* PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
* timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
* poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
* pollInterval is a suggested pulling interval value. '0' means use the
* default. Future implementations that don't poll may ignore this value.
* series is the current series for the last slot. This should be the series
* value for the slot the last time you read persistant information from the
* slot. For instance, if you publish a cert from the slot, you should obtain
* the slot series at that time. Then PK11_WaitForTokenEvent can detect a
* a change in the slot between the time you publish and the time
* PK11_WaitForTokenEvent is called, elliminating potential race conditions.
*
* The current status that is returned is:
* PK11TokenNotRemovable - always returned for any non-removable token.
* PK11TokenPresent - returned when the token is present and we are waiting
* on a PK11TokenPresentEvent. Then next event to look for is a
* PK11TokenChangeOrRemovalEvent.
* PK11TokenChanged - returned when the old token has been removed and a new
* token ad been inserted, and we are waiting for a
* PK11TokenChangeOrRemovalEvent. The next event to look for is another
* PK11TokenChangeOrRemovalEvent.
* PK11TokenRemoved - returned when the token is not present and we are
* waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for
* is a PK11TokenPresentEvent.
*/
PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
PRBool PK11_NeedPWInit(void);
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
PRBool PK11_IsFIPS(void);
SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
/*********************************************************************
* Slot mapping utility functions.
*********************************************************************/
PRBool PK11_IsPresent(PK11SlotInfo *slot);
PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
PRBool loadCerts, void *wincx);
PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
PRBool needRW,void *wincx);
PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
void *wincx);
PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
/*********************************************************************
* Mechanism Mapping functions
*********************************************************************/
void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
CK_MECHANISM_TYPE keygen, int ivLen, int blocksize);
CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type);
CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size);
int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
int PK11_GetIVLength(CK_MECHANISM_TYPE type);
SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
SECItem * PK11_BlockData(SECItem *data,unsigned long size);
/* PKCS #11 to DER mapping functions */
SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
PRArenaPool *arena, SECAlgorithmID *algid);
SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
SECStatus PK11_RandomUpdate(void *data, size_t bytes);
SECStatus PK11_GenerateRandom(unsigned char *data,int len);
CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
CK_MECHANISM_PTR pCryptoMechanism,
SECItem *pbe_pwd, PRBool bad3DES);
CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
/**********************************************************************
* Symetric, Public, and Private Keys
**********************************************************************/
PK11SymKey *PK11_CreateSymKey(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PRBool owner, void *wincx);
void PK11_FreeSymKey(PK11SymKey *key);
PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID,
PRBool owner, void *wincx);
PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
CK_MECHANISM_TYPE type,int series, void *wincx);
/*
* This function is not thread-safe. It can only be called when only
* one thread has a reference to wrapKey.
*/
void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot,
SECKEYPublicKey *pubKey, PRBool isToken);
PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
SECItem *param, int keySize,void *wincx);
PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *param, int keySize, SECItem *keyid,
PRBool isToken, void *wincx);
PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
void *wincx);
PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
/* Key Generation specialized for SDR (fixed DES3 key) */
PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey);
SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
/* move a key to 'slot' optionally set the key attributes according to either
* operation or the flags and making the key permanent at the same time.
* If the key is moved to the same slot, operation and flags values are
* currently ignored */
PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
CK_FLAGS flags, PRBool perm, PK11SymKey *symKey);
/*
* derive a new key from the base key.
* PK11_Derive returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
* CKF_ flags to enable more than one operation.
* PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
* (optionally) make the key permanent (token key).
*/
PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
SECItem *param, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey,
CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
PK11SymKey * PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey,
CK_MECHANISM_TYPE derive,
SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
int keySize, CK_FLAGS flags, PRBool isPerm);
PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
CK_ULONG kdf, SECItem *sharedData, void *wincx);
/*
* unwrap a new key with a symetric key.
* PK11_Unwrap returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
* CKF_ flags to enable more than one operation.
* PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
* (optionally) make the key permanent (token key).
* the original pk11func.h had a mix of public and private functions.
* continue to provide those for backward compatibility.
*/
PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key,
CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey,
CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
CK_FLAGS flags);
PK11SymKey * PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
int keySize, CK_FLAGS flags, PRBool isPerm);
/*
* unwrap a new key with a private key.
* PK11_PubUnwrap returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can
* use * CKF_ flags to enable more than one operation, and optionally make
* the key permanent (token key).
*/
PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey * PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
CK_FLAGS flags, PRBool isPerm);
PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *keyID, void *wincx);
SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
PRBool token, PRBool sensitive);
SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
CK_OBJECT_HANDLE id);
char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey,
const char *nickname);
SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey,
const char *nickname);
/* size to hold key in bytes */
unsigned int PK11_GetKeyLength(PK11SymKey *key);
/* size of actual secret parts of key in bits */
/* algid is because RC4 strength is determined by the effective bits as well
* as the key bits */
unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
SECItem * PK11_GetKeyData(PK11SymKey *symKey);
PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
void *PK11_GetWindow(PK11SymKey *symKey);
SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
PRBool isPerm, PRBool isSensitive, void *wincx);
SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx);
SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
void *wincx);
CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
void *wincx, PK11SlotInfo **pSlot);
int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key);
SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
/* The encrypt version of the above function */
SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
unsigned char *data, unsigned dataLen, void *wincx);
SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, void *wincx);
SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
SECItem *derPKI, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, void *wincx);
SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
SECItem *derPKI, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType type,
unsigned int usage, void *wincx);
SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
CERTCertificate *cert, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
SECKEYPrivateKey *pk, int iteration, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
CERTCertificate *cert, int iteration, void *wincx);
SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
PRBool PK11_VerifyKeyOK(PK11SymKey *key);
SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot,
PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey, SECItem *label,
SECItem *publicValue, PRBool token, PRBool sensitive,
CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
void *wincx);
SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey, void *wincx);
PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
SECItem *PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx);
SECItem * PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx);
SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
CK_MECHANISM_TYPE mech);
SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
char *nickname, void *wincx);
SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
char *nickname);
SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
/* depricated */
SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
void *wincx);
SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
SECKEYPrivateKey *privk, void* wincx);
/**********************************************************************
* Certs
**********************************************************************/
SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
SECStatus PK11_TraverseSlotCerts(
SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
void *arg, void *wincx);
SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
void *wincx);
PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
void *wincx);
CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
void *wincx);
PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
CK_OBJECT_HANDLE *keyPtr, void *wincx);
PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
CK_OBJECT_HANDLE *keyPtr, void *wincx);
CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
CK_OBJECT_CLASS o_class);
CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
CERTIssuerAndSN *sn, void *wincx);
CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
SECKEYPrivateKey**privKey, void *wincx);
int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
void *wincx);
CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type );
CK_RV PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
SECStatus(*callback)(CERTCertificate *, void *), void *arg);
SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
void *arg);
CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot,
SECItem *derCert, void *wincx);
CERTCertificate *PK11_FindCertFromDERSubjectAndNickname(
PK11SlotInfo *slot,
CERTCertificate *cert, char *nickname,
void *wincx);
SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
char *nickname, PRBool addUsage,
void *wincx);
CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
void *wincx);
SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
void *arg);
SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
SECStatus(* callback)(CERTCertificate*, void *), void *arg);
CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena, PRInt32 decodeOptions);
/* import options */
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
/**********************************************************************
* Sign/Verify
**********************************************************************/
int PK11_SignatureLen(SECKEYPrivateKey *key);
PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
SECItem *dsig, void * wincx);
SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig,
SECItem *hash, void *wincx);
/**********************************************************************
* Crypto Contexts
**********************************************************************/
void PK11_DestroyContext(PK11Context *context, PRBool freeit);
PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
SECItem *key, SECItem *param, void *wincx);
PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
PK11Context *PK11_CloneContext(PK11Context *old);
SECStatus PK11_DigestBegin(PK11Context *cx);
SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
int32 len);
SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in,
unsigned len);
SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen,
int maxout, unsigned char *in, int inlen);
SECStatus PK11_Finalize(PK11Context *context);
SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data,
unsigned int *outLen, unsigned int length);
PRBool PK11_HashOK(SECOidTag hashAlg);
SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
int *len, int saveLength);
/* Save the context's state, with possible allocation.
* The caller may supply an already allocated buffer in preAllocBuf,
* with length pabLen. If the buffer is large enough for the context's
* state, it will receive the state.
* If the buffer is not large enough (or NULL), then a new buffer will
* be allocated with PORT_Alloc.
* In either case, the state will be returned as a buffer, and the length
* of the state will be given in *stateLen.
*/
unsigned char *
PK11_SaveContextAlloc(PK11Context *cx,
unsigned char *preAllocBuf, unsigned int pabLen,
unsigned int *stateLen);
SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
/**********************************************************************
* PBE functions
**********************************************************************/
/* This function creates PBE parameters from the given inputs. The result
* can be used to create a password integrity key for PKCS#12, by sending
* the return value to PK11_KeyGen along with the appropriate mechanism.
*/
SECItem *
PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
/* free params created above (can be called after keygen is done */
void PK11_DestroyPBEParams(SECItem *params);
SECAlgorithmID *
PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
PK11SymKey *
PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
PRBool faulty3DES, void *wincx);
PK11SymKey *
PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
SECItem *pwitem, PRBool faulty3DES, void *wincx);
SECItem *
PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
/**********************************************************************
* Functions to manage secmod flags
**********************************************************************/
PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
PRBool );
/**********************************************************************
* Functions to look at PKCS #11 dependent data
**********************************************************************/
PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot,
CK_OBJECT_CLASS objClass);
PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
PK11GenericObject *PK11_GetPrevtGenericObject(PK11GenericObject *object);
SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
PK11GenericObject *object);
SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object,
CK_ATTRIBUTE_TYPE attr, SECItem *item);
/**********************************************************************
* New fucntions which are already depricated....
**********************************************************************/
SECItem *
PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *pwarg);
SECItem *
PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
SECItem *
PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle,
SECItem *derName, int type, char **url);
CK_OBJECT_HANDLE
PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl,
SECItem *name, char *url, int type);
SECItem *
PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj,
SECItem **profileTime);
SECStatus
PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
SECItem *emailProfile, SECItem *profileTime);
PRBool SECMOD_HasRootCerts(void);
PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle);
char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ;
SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
const char *nickname) ;
/* private */
SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
void *cbArg, void *pwArg);
SEC_END_PROTOS
#include "pk11pub.h"
#include "pk11priv.h"
#endif

7
security/nss/lib/pk11wrap/pk11kea.c
Просмотреть файл

@ -42,6 +42,7 @@
#include "secmod.h"
#include "nssilock.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "secitem.h"
@ -78,9 +79,9 @@ pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
{
PK11SymKey *newSymKey = NULL;
SECStatus rv;
/* performance improvement can go here --- use a generated key to as a
* per startup wrapping key. If it exists, use it, otherwise do a full
* key exchange. */
/* performance improvement can go here --- use a generated key at startup
* to generate a per token wrapping key. If it exists, use it, otherwise
* do a full key exchange. */
/* find a common Key Exchange algorithm */
/* RSA */

3
security/nss/lib/pk11wrap/pk11list.c
Просмотреть файл

@ -40,10 +40,9 @@
#include "seccomon.h"
#include "nssilock.h"
#include "prmon.h"
#include "secmod.h"
#include "secmodi.h"
#include "prlong.h"
#include "secmodti.h"
#define ISREADING 1
#define ISWRITING 2

1
security/nss/lib/pk11wrap/pk11load.c
Просмотреть файл

@ -43,6 +43,7 @@
#include "prlink.h"
#include "pk11func.h"
#include "secmodi.h"
#include "secmodti.h"
#include "nssilock.h"
extern void FC_GetFunctionList(void);

1787
security/nss/lib/pk11wrap/pk11mech.c Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

796
security/nss/lib/pk11wrap/pk11nobj.c Normal file
Просмотреть файл

@ -0,0 +1,796 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* This file manages Netscape specific PKCS #11 objects (CRLs, Trust objects,
* etc).
*/
#include "secport.h"
#include "seccomon.h"
#include "secmod.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "cert.h"
#include "certi.h"
#include "secitem.h"
#include "sechash.h"
#include "secoid.h"
#include "certdb.h"
#include "secerr.h"
#include "sslerr.h"
#ifndef NSS_3_4_CODE
#define NSS_3_4_CODE
#endif /* NSS_3_4_CODE */
#include "pki3hack.h"
#include "dev3hack.h"
#include "devm.h"
#include "pki.h"
#include "pkim.h"
CK_TRUST
pk11_GetTrustField(PK11SlotInfo *slot, PRArenaPool *arena,
CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type)
{
CK_TRUST rv = 0;
SECItem item;
item.data = NULL;
item.len = 0;
if( SECSuccess == PK11_ReadAttribute(slot, id, type, arena, &item) ) {
PORT_Assert(item.len == sizeof(CK_TRUST));
PORT_Memcpy(&rv, item.data, sizeof(CK_TRUST));
/* Damn, is there an endian problem here? */
return rv;
}
return 0;
}
PRBool
pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust *trust)
{
PRArenaPool *arena;
CK_ATTRIBUTE tobjTemplate[] = {
{ CKA_CLASS, NULL, 0 },
{ CKA_CERT_SHA1_HASH, NULL, 0 },
};
CK_OBJECT_CLASS tobjc = CKO_NETSCAPE_TRUST;
CK_OBJECT_HANDLE tobjID;
unsigned char sha1_hash[SHA1_LENGTH];
CK_TRUST serverAuth, codeSigning, emailProtection, clientAuth;
PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len);
PK11_SETATTRS(&tobjTemplate[0], CKA_CLASS, &tobjc, sizeof(tobjc));
PK11_SETATTRS(&tobjTemplate[1], CKA_CERT_SHA1_HASH, sha1_hash,
SHA1_LENGTH);
tobjID = pk11_FindObjectByTemplate(slot, tobjTemplate,
sizeof(tobjTemplate)/sizeof(tobjTemplate[0]));
if( CK_INVALID_HANDLE == tobjID ) {
return PR_FALSE;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if( NULL == arena ) return PR_FALSE;
/* Unfortunately, it seems that PK11_GetAttributes doesn't deal
* well with nonexistant attributes. I guess we have to check
* the trust info fields one at a time.
*/
/* We could verify CKA_CERT_HASH here */
/* We could verify CKA_EXPIRES here */
/* "Purpose" trust information */
serverAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_SERVER_AUTH);
clientAuth = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CLIENT_AUTH);
codeSigning = pk11_GetTrustField(slot, arena, tobjID, CKA_TRUST_CODE_SIGNING);
emailProtection = pk11_GetTrustField(slot, arena, tobjID,
CKA_TRUST_EMAIL_PROTECTION);
/* Here's where the fun logic happens. We have to map back from the
* key usage, extended key usage, purpose, and possibly other trust values
* into the old trust-flags bits. */
/* First implementation: keep it simple for testing. We can study what other
* mappings would be appropriate and add them later.. fgmr 20000724 */
if ( serverAuth == CKT_NETSCAPE_TRUSTED ) {
trust->sslFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
}
if ( serverAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
trust->sslFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA |
CERTDB_NS_TRUSTED_CA;
}
if ( clientAuth == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
trust->sslFlags |= CERTDB_TRUSTED_CLIENT_CA ;
}
if ( emailProtection == CKT_NETSCAPE_TRUSTED ) {
trust->emailFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
}
if ( emailProtection == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
trust->emailFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
}
if( codeSigning == CKT_NETSCAPE_TRUSTED ) {
trust->objectSigningFlags |= CERTDB_VALID_PEER | CERTDB_TRUSTED;
}
if( codeSigning == CKT_NETSCAPE_TRUSTED_DELEGATOR ) {
trust->objectSigningFlags |= CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_NS_TRUSTED_CA;
}
/* There's certainly a lot more logic that can go here.. */
PORT_FreeArena(arena, PR_FALSE);
return PR_TRUE;
}
static SECStatus
pk11_CollectCrls(PK11SlotInfo *slot, CK_OBJECT_HANDLE crlID, void *arg)
{
SECItem derCrl;
CERTCrlHeadNode *head = (CERTCrlHeadNode *) arg;
CERTCrlNode *new_node = NULL;
CK_ATTRIBUTE fetchCrl[3] = {
{ CKA_VALUE, NULL, 0},
{ CKA_NETSCAPE_KRL, NULL, 0},
{ CKA_NETSCAPE_URL, NULL, 0},
};
const int fetchCrlSize = sizeof(fetchCrl)/sizeof(fetchCrl[2]);
CK_RV crv;
SECStatus rv = SECFailure;
crv = PK11_GetAttributes(head->arena,slot,crlID,fetchCrl,fetchCrlSize);
if (CKR_OK != crv) {
PORT_SetError(PK11_MapError(crv));
goto loser;
}
if (!fetchCrl[1].pValue) {
PORT_SetError(SEC_ERROR_CRL_INVALID);
goto loser;
}
new_node = (CERTCrlNode *)PORT_ArenaAlloc(head->arena, sizeof(CERTCrlNode));
if (new_node == NULL) {
goto loser;
}
if (*((CK_BBOOL *)fetchCrl[1].pValue))
new_node->type = SEC_KRL_TYPE;
else
new_node->type = SEC_CRL_TYPE;
derCrl.type = siBuffer;
derCrl.data = (unsigned char *)fetchCrl[0].pValue;
derCrl.len = fetchCrl[0].ulValueLen;
new_node->crl=CERT_DecodeDERCrl(head->arena,&derCrl,new_node->type);
if (new_node->crl == NULL) {
goto loser;
}
if (fetchCrl[2].pValue) {
int nnlen = fetchCrl[2].ulValueLen;
new_node->crl->url = (char *)PORT_ArenaAlloc(head->arena, nnlen+1);
if ( !new_node->crl->url ) {
goto loser;
}
PORT_Memcpy(new_node->crl->url, fetchCrl[2].pValue, nnlen);
new_node->crl->url[nnlen] = 0;
} else {
new_node->crl->url = NULL;
}
new_node->next = NULL;
if (head->last) {
head->last->next = new_node;
head->last = new_node;
} else {
head->first = head->last = new_node;
}
rv = SECSuccess;
loser:
return(rv);
}
/*
* Return a list of all the CRLs
*/
SECStatus
PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx) {
pk11TraverseSlot creater;
CK_ATTRIBUTE theTemplate[2];
CK_ATTRIBUTE *attrs;
CK_OBJECT_CLASS certClass = CKO_NETSCAPE_CRL;
attrs = theTemplate;
PK11_SETATTRS(attrs, CKA_CLASS, &certClass, sizeof(certClass)); attrs++;
if (type != -1) {
CK_BBOOL isKrl = (CK_BBOOL) (type == SEC_KRL_TYPE);
PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, &isKrl, sizeof(isKrl)); attrs++;
}
creater.callback = pk11_CollectCrls;
creater.callbackArg = (void *) nodes;
creater.findTemplate = theTemplate;
creater.templateCount = (attrs - theTemplate);
return pk11_TraverseAllSlots(PK11_TraverseSlot, &creater, wincx);
}
/*
* return the crl associated with a derSubjectName
*/
SECItem *
PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *crlHandle,
SECItem *name, int type, char **url)
{
#ifdef NSS_CLASSIC
CK_OBJECT_CLASS crlClass = CKO_NETSCAPE_CRL;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_SUBJECT, NULL, 0 },
{ CKA_CLASS, NULL, 0 },
{ CKA_NETSCAPE_KRL, NULL, 0 },
};
CK_ATTRIBUTE crlData[] = {
{ CKA_VALUE, NULL, 0 },
{ CKA_NETSCAPE_URL, NULL, 0 },
};
/* if you change the array, change the variable below as well */
int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
CK_BBOOL ck_true = CK_TRUE;
CK_BBOOL ck_false = CK_FALSE;
CK_OBJECT_HANDLE crlh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_RV crv;
SECItem *derCrl = NULL;
PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++;
PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, (type == SEC_CRL_TYPE) ?
&ck_false : &ck_true, sizeof (CK_BBOOL)); attrs++;
if (*slot) {
crlh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize);
} else {
PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
PR_FALSE,PR_TRUE,NULL);
PK11SlotListElement *le;
/* loop through all the fortezza tokens */
for (le = list->head; le; le = le->next) {
crlh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
if (crlh != CK_INVALID_HANDLE) {
*slot = PK11_ReferenceSlot(le->slot);
break;
}
}
PK11_FreeSlotList(list);
}
if (crlh == CK_INVALID_HANDLE) {
PORT_SetError(SEC_ERROR_NO_KRL);
return NULL;
}
crv = PK11_GetAttributes(NULL,*slot,crlh,crlData,2);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError (crv));
goto loser;
}
derCrl = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
if (derCrl == NULL) {
goto loser;
}
derCrl->data = crlData[0].pValue;
derCrl->len = crlData[0].ulValueLen;
if (crlHandle) {
*crlHandle = crlh;
}
if ((url) && crlData[1].ulValueLen != 0) {
/* make sure it's a null terminated string */
*url = PORT_ZAlloc (crlData[1].ulValueLen+1);
if (*url) {
PORT_Memcpy(*url,crlData[1].pValue,crlData[1].ulValueLen);
}
}
loser:
if (!derCrl) {
if (crlData[0].pValue) PORT_Free(crlData[0].pValue);
}
if (crlData[1].pValue) PORT_Free(crlData[1].pValue);
return derCrl;
#else
NSSCRL **crls, **crlp, *crl;
NSSDER subject;
SECItem *rvItem;
NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
NSSITEM_FROM_SECITEM(&subject, name);
if (*slot) {
nssCryptokiObject **instances;
nssPKIObjectCollection *collection;
nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly;
NSSToken *token = PK11Slot_GetNSSToken(*slot);
collection = nssCRLCollection_Create(td, NULL);
if (!collection) {
return NULL;
}
instances = nssToken_FindCRLsBySubject(token, NULL, &subject,
tokenOnly, 0, NULL);
nssPKIObjectCollection_AddInstances(collection, instances, 0);
nss_ZFreeIf(instances);
crls = nssPKIObjectCollection_GetCRLs(collection, NULL, 0, NULL);
nssPKIObjectCollection_Destroy(collection);
} else {
crls = nssTrustDomain_FindCRLsBySubject(td, &subject);
}
if ((!crls) || (*crls == NULL)) {
if (crls) {
nssCRLArray_Destroy(crls);
}
if (NSS_GetError() == NSS_ERROR_NOT_FOUND) {
PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
}
return NULL;
}
crl = NULL;
for (crlp = crls; *crlp; crlp++) {
if ((!(*crlp)->isKRL && type == SEC_CRL_TYPE) ||
((*crlp)->isKRL && type != SEC_CRL_TYPE))
{
crl = nssCRL_AddRef(*crlp);
break;
}
}
nssCRLArray_Destroy(crls);
if (!crl) {
/* CRL collection was found, but no interesting CRL's were on it.
* Not an error */
PORT_SetError(SEC_ERROR_CRL_NOT_FOUND);
return NULL;
}
if (crl->url) {
*url = PORT_Strdup(crl->url);
if (!*url) {
nssCRL_Destroy(crl);
return NULL;
}
} else {
*url = NULL;
}
rvItem = SECITEM_AllocItem(NULL, NULL, crl->encoding.size);
if (!rvItem) {
PORT_Free(*url);
nssCRL_Destroy(crl);
return NULL;
}
memcpy(rvItem->data, crl->encoding.data, crl->encoding.size);
*slot = PK11_ReferenceSlot(crl->object.instances[0]->token->pk11slot);
*crlHandle = crl->object.instances[0]->handle;
nssCRL_Destroy(crl);
return rvItem;
#endif
}
CK_OBJECT_HANDLE
PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, SECItem *name,
char *url, int type)
{
#ifdef NSS_CLASSIC
CK_OBJECT_CLASS crlClass = CKO_NETSCAPE_CRL;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_SUBJECT, NULL, 0 },
{ CKA_CLASS, NULL, 0 },
{ CKA_NETSCAPE_KRL, NULL, 0 },
{ CKA_NETSCAPE_URL, NULL, 0 },
{ CKA_VALUE, NULL, 0 },
{ CKA_TOKEN, NULL, 0 }
};
/* if you change the array, change the variable below as well */
int tsize;
CK_BBOOL ck_true = CK_TRUE;
CK_BBOOL ck_false = CK_FALSE;
CK_OBJECT_HANDLE crlh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_SESSION_HANDLE rwsession;
CK_RV crv;
PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
PK11_SETATTRS(attrs, CKA_CLASS, &crlClass, sizeof(crlClass)); attrs++;
PK11_SETATTRS(attrs, CKA_NETSCAPE_KRL, (type == SEC_CRL_TYPE) ?
&ck_false : &ck_true, sizeof (CK_BBOOL)); attrs++;
if (url) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_URL, url, PORT_Strlen(url)+1); attrs++;
}
PK11_SETATTRS(attrs, CKA_VALUE,crl->data,crl->len); attrs++;
PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true,sizeof(CK_BBOOL)); attrs++;
tsize = attrs - &theTemplate[0];
PORT_Assert(tsize <= sizeof(theTemplate)/sizeof(theTemplate[0]));
rwsession = PK11_GetRWSession(slot);
if (rwsession == CK_INVALID_SESSION) {
PORT_SetError(SEC_ERROR_READ_ONLY);
return crlh;
}
crv = PK11_GETTAB(slot)->
C_CreateObject(rwsession,theTemplate,tsize,&crlh);
if (crv != CKR_OK) {
PORT_SetError( PK11_MapError(crv) );
}
PK11_RestoreROSession(slot,rwsession);
return crlh;
#else
NSSItem derCRL, derSubject;
NSSToken *token = PK11Slot_GetNSSToken(slot);
nssCryptokiObject *object;
PRBool isKRL = (type == SEC_CRL_TYPE) ? PR_FALSE : PR_TRUE;
CK_OBJECT_HANDLE rvH;
NSSITEM_FROM_SECITEM(&derSubject, name);
NSSITEM_FROM_SECITEM(&derCRL, crl);
object = nssToken_ImportCRL(token, NULL,
&derSubject, &derCRL, isKRL, url, PR_TRUE);
if (object) {
rvH = object->handle;
nssCryptokiObject_Destroy(object);
} else {
rvH = CK_INVALID_HANDLE;
}
return rvH;
#endif
}
/*
* delete a crl.
*/
SECStatus
SEC_DeletePermCRL(CERTSignedCrl *crl)
{
#ifdef NSS_CLASSIC
PK11SlotInfo *slot = crl->slot;
CK_RV crv;
if (slot == NULL) {
/* shouldn't happen */
PORT_SetError( SEC_ERROR_CRL_INVALID);
return SECFailure;
}
crv = PK11_DestroyTokenObject(slot,crl->pkcs11ID);
if (crv != CKR_OK) {
PORT_SetError( PK11_MapError(crv) );
return SECFailure;
}
crl->slot = NULL;
PK11_FreeSlot(slot);
return SECSuccess;
#else
PRStatus status;
NSSToken *token;
nssCryptokiObject *object;
PK11SlotInfo *slot = crl->slot;
if (slot == NULL) {
PORT_Assert(slot);
/* shouldn't happen */
PORT_SetError( SEC_ERROR_CRL_INVALID);
return SECFailure;
}
token = PK11Slot_GetNSSToken(slot);
object = nss_ZNEW(NULL, nssCryptokiObject);
object->token = nssToken_AddRef(token);
object->handle = crl->pkcs11ID;
object->isTokenObject = PR_TRUE;
status = nssToken_DeleteStoredObject(object);
nssCryptokiObject_Destroy(object);
return (status == PR_SUCCESS) ? SECSuccess : SECFailure;
#endif
}
/*
* return the certificate associated with a derCert
*/
SECItem *
PK11_FindSMimeProfile(PK11SlotInfo **slot, char *emailAddr,
SECItem *name, SECItem **profileTime)
{
CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_SUBJECT, NULL, 0 },
{ CKA_CLASS, NULL, 0 },
{ CKA_NETSCAPE_EMAIL, NULL, 0 },
};
CK_ATTRIBUTE smimeData[] = {
{ CKA_SUBJECT, NULL, 0 },
{ CKA_VALUE, NULL, 0 },
};
/* if you change the array, change the variable below as well */
int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_RV crv;
SECItem *emailProfile = NULL;
PK11_SETATTRS(attrs, CKA_SUBJECT, name->data, name->len); attrs++;
PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL, emailAddr, strlen(emailAddr));
attrs++;
if (*slot) {
smimeh = pk11_FindObjectByTemplate(*slot,theTemplate,tsize);
} else {
PK11SlotList *list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,
PR_FALSE,PR_TRUE,NULL);
PK11SlotListElement *le;
/* loop through all the fortezza tokens */
for (le = list->head; le; le = le->next) {
smimeh = pk11_FindObjectByTemplate(le->slot,theTemplate,tsize);
if (smimeh != CK_INVALID_HANDLE) {
*slot = PK11_ReferenceSlot(le->slot);
break;
}
}
PK11_FreeSlotList(list);
}
if (smimeh == CK_INVALID_HANDLE) {
PORT_SetError(SEC_ERROR_NO_KRL);
return NULL;
}
if (profileTime) {
PK11_SETATTRS(smimeData, CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0);
}
crv = PK11_GetAttributes(NULL,*slot,smimeh,smimeData,2);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError (crv));
goto loser;
}
if (!profileTime) {
SECItem profileSubject;
profileSubject.data = (unsigned char*) smimeData[0].pValue;
profileSubject.len = smimeData[0].ulValueLen;
if (!SECITEM_ItemsAreEqual(&profileSubject,name)) {
goto loser;
}
}
emailProfile = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
if (emailProfile == NULL) {
goto loser;
}
emailProfile->data = (unsigned char*) smimeData[1].pValue;
emailProfile->len = smimeData[1].ulValueLen;
if (profileTime) {
*profileTime = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
if (*profileTime) {
(*profileTime)->data = (unsigned char*) smimeData[0].pValue;
(*profileTime)->len = smimeData[0].ulValueLen;
}
}
loser:
if (emailProfile == NULL) {
if (smimeData[1].pValue) {
PORT_Free(smimeData[1].pValue);
}
}
if (profileTime == NULL || *profileTime == NULL) {
if (smimeData[0].pValue) {
PORT_Free(smimeData[0].pValue);
}
}
return emailProfile;
}
SECStatus
PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
SECItem *emailProfile, SECItem *profileTime)
{
CK_OBJECT_CLASS smimeClass = CKO_NETSCAPE_SMIME;
CK_BBOOL ck_true = CK_TRUE;
CK_ATTRIBUTE theTemplate[] = {
{ CKA_CLASS, NULL, 0 },
{ CKA_TOKEN, NULL, 0 },
{ CKA_SUBJECT, NULL, 0 },
{ CKA_NETSCAPE_EMAIL, NULL, 0 },
{ CKA_NETSCAPE_SMIME_TIMESTAMP, NULL, 0 },
{ CKA_VALUE, NULL, 0 }
};
/* if you change the array, change the variable below as well */
int realSize = 0;
CK_OBJECT_HANDLE smimeh = CK_INVALID_HANDLE;
CK_ATTRIBUTE *attrs = theTemplate;
CK_SESSION_HANDLE rwsession;
PK11SlotInfo *free_slot = NULL;
CK_RV crv;
#ifdef DEBUG
int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
#endif
PK11_SETATTRS(attrs, CKA_CLASS, &smimeClass, sizeof(smimeClass)); attrs++;
PK11_SETATTRS(attrs, CKA_TOKEN, &ck_true, sizeof(ck_true)); attrs++;
PK11_SETATTRS(attrs, CKA_SUBJECT, derSubj->data, derSubj->len); attrs++;
PK11_SETATTRS(attrs, CKA_NETSCAPE_EMAIL,
emailAddr, PORT_Strlen(emailAddr)+1); attrs++;
if (profileTime) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_SMIME_TIMESTAMP, profileTime->data,
profileTime->len); attrs++;
PK11_SETATTRS(attrs, CKA_VALUE,emailProfile->data,
emailProfile->len); attrs++;
}
realSize = attrs - theTemplate;
PORT_Assert (realSize <= tsize);
if (slot == NULL) {
free_slot = slot = PK11_GetInternalKeySlot();
/* we need to free the key slot in the end!!! */
}
rwsession = PK11_GetRWSession(slot);
if (rwsession == CK_INVALID_SESSION) {
PORT_SetError(SEC_ERROR_READ_ONLY);
if (free_slot) {
PK11_FreeSlot(free_slot);
}
return SECFailure;
}
crv = PK11_GETTAB(slot)->
C_CreateObject(rwsession,theTemplate,realSize,&smimeh);
if (crv != CKR_OK) {
PORT_SetError( PK11_MapError(crv) );
}
PK11_RestoreROSession(slot,rwsession);
if (free_slot) {
PK11_FreeSlot(free_slot);
}
return SECSuccess;
}
CERTSignedCrl * crl_storeCRL (PK11SlotInfo *slot,char *url,
CERTSignedCrl *newCrl, SECItem *derCrl, int type);
/* import the CRL into the token */
CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena,
PRInt32 decodeoptions)
{
CERTSignedCrl *newCrl, *crl;
SECStatus rv;
CERTCertificate *caCert = NULL;
newCrl = crl = NULL;
do {
newCrl = CERT_DecodeDERCrlWithFlags(arena, derCRL, type,
decodeoptions);
if (newCrl == NULL) {
if (type == SEC_CRL_TYPE) {
/* only promote error when the error code is too generic */
if (PORT_GetError () == SEC_ERROR_BAD_DER)
PORT_SetError(SEC_ERROR_CRL_INVALID);
} else {
PORT_SetError(SEC_ERROR_KRL_INVALID);
}
break;
}
if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
PR_ASSERT(handle != NULL);
caCert = CERT_FindCertByName (handle,
&newCrl->crl.derName);
if (caCert == NULL) {
PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
break;
}
/* If caCert is a v3 certificate, make sure that it can be used for
crl signing purpose */
rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN);
if (rv != SECSuccess) {
break;
}
rv = CERT_VerifySignedData(&newCrl->signatureWrap, caCert,
PR_Now(), wincx);
if (rv != SECSuccess) {
if (type == SEC_CRL_TYPE) {
PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
} else {
PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
}
break;
}
}
crl = crl_storeCRL(slot, url, newCrl, derCRL, type);
} while (0);
if (crl == NULL) {
SEC_DestroyCrl (newCrl);
}
if (caCert) {
CERT_DestroyCertificate(caCert);
}
return (crl);
}

1579
security/nss/lib/pk11wrap/pk11obj.c Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

1
security/nss/lib/pk11wrap/pk11pars.c
Просмотреть файл

@ -43,6 +43,7 @@
#include "seccomon.h"
#include "secmod.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pki3hack.h"
#include "secerr.h"

155
security/nss/lib/pk11wrap/pk11pbe.c
Просмотреть файл

@ -50,6 +50,12 @@
#include "secmod.h"
#include "pk11func.h"
#include "secpkcs5.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "secitem.h"
#include "key.h"
typedef struct SEC_PKCS5PBEParameterStr SEC_PKCS5PBEParameter;
struct SEC_PKCS5PBEParameterStr {
@ -688,3 +694,152 @@ RSA_FormatBlock(SECItem *result, unsigned modulusLen,
return SECFailure;
}
/****************************************************************************
*
* Now Do The PBE Functions Here...
*
****************************************************************************/
static void
pk11_destroy_ck_pbe_params(CK_PBE_PARAMS *pbe_params)
{
if (pbe_params) {
if (pbe_params->pPassword)
PORT_ZFree(pbe_params->pPassword, PR_FALSE);
if (pbe_params->pSalt)
PORT_ZFree(pbe_params->pSalt, PR_FALSE);
PORT_ZFree(pbe_params, PR_TRUE);
}
}
SECItem *
PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations)
{
CK_PBE_PARAMS *pbe_params = NULL;
SECItem *paramRV = NULL;
pbe_params = (CK_PBE_PARAMS *)PORT_ZAlloc(sizeof(CK_PBE_PARAMS));
pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwd->len);
if (pbe_params->pPassword != NULL) {
PORT_Memcpy(pbe_params->pPassword, pwd->data, pwd->len);
pbe_params->ulPasswordLen = pwd->len;
} else goto loser;
pbe_params->pSalt = (CK_CHAR_PTR)PORT_ZAlloc(salt->len);
if (pbe_params->pSalt != NULL) {
PORT_Memcpy(pbe_params->pSalt, salt->data, salt->len);
pbe_params->ulSaltLen = salt->len;
} else goto loser;
pbe_params->ulIteration = (CK_ULONG)iterations;
paramRV = SECITEM_AllocItem(NULL, NULL, sizeof(CK_PBE_PARAMS));
paramRV->data = (unsigned char *)pbe_params;
return paramRV;
loser:
pk11_destroy_ck_pbe_params(pbe_params);
return NULL;
}
void
PK11_DestroyPBEParams(SECItem *params)
{
pk11_destroy_ck_pbe_params((CK_PBE_PARAMS *)params->data);
}
SECAlgorithmID *
PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt)
{
SECAlgorithmID *algid = NULL;
algid = SEC_PKCS5CreateAlgorithmID(algorithm, salt, iteration);
return algid;
}
PK11SymKey *
PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *mech,
SECItem *pwitem, PRBool faulty3DES, void *wincx)
{
/* pbe stuff */
CK_PBE_PARAMS *pbe_params;
PK11SymKey *symKey;
if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
}
if(mech == NULL) {
return NULL;
}
pbe_params = (CK_PBE_PARAMS *)mech->data;
pbe_params->pPassword = (CK_CHAR_PTR)PORT_ZAlloc(pwitem->len);
if(pbe_params->pPassword != NULL) {
PORT_Memcpy(pbe_params->pPassword, pwitem->data, pwitem->len);
pbe_params->ulPasswordLen = pwitem->len;
} else {
SECITEM_ZfreeItem(mech, PR_TRUE);
return NULL;
}
symKey = PK11_KeyGen(slot, type, mech, 0, wincx);
PORT_ZFree(pbe_params->pPassword, pwitem->len);
pbe_params->pPassword = NULL;
pbe_params->ulPasswordLen = 0;
return symKey;
}
PK11SymKey *
PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
PRBool faulty3DES, void *wincx)
{
/* pbe stuff */
CK_MECHANISM_TYPE type;
SECItem *mech;
PK11SymKey *symKey;
mech = PK11_ParamFromAlgid(algid);
type = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
if(faulty3DES && (type == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC)) {
type = CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC;
}
if(mech == NULL) {
return NULL;
}
symKey = PK11_RawPBEKeyGen(slot, type, mech, pwitem, faulty3DES, wincx);
SECITEM_ZfreeItem(mech, PR_TRUE);
return symKey;
}
SECItem *
PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem)
{
/* pbe stuff */
CK_MECHANISM_TYPE type;
SECItem *mech;
PK11SymKey *symKey;
PK11SlotInfo *slot = PK11_GetInternalSlot();
int iv_len = 0;
CK_PBE_PARAMS_PTR pPBEparams;
SECItem src;
SECItem *iv;
mech = PK11_ParamFromAlgid(algid);
type = PK11_AlgtagToMechanism(SECOID_FindOIDTag(&algid->algorithm));
if(mech == NULL) {
return NULL;
}
symKey = PK11_RawPBEKeyGen(slot, type, mech, pwitem, PR_FALSE, NULL);
PK11_FreeSlot(slot);
if (symKey == NULL) {
SECITEM_ZfreeItem(mech, PR_TRUE);
return NULL;
}
PK11_FreeSymKey(symKey);
pPBEparams = (CK_PBE_PARAMS_PTR)mech->data;
iv_len = PK11_GetIVLength(type);
src.data = (unsigned char *)pPBEparams->pInitVector;
src.len = iv_len;
iv = SECITEM_DupItem(&src);
SECITEM_ZfreeItem(mech, PR_TRUE);
return iv;
}

1
security/nss/lib/pk11wrap/pk11pqg.c
Просмотреть файл

@ -40,6 +40,7 @@
#include "pk11func.h"
#include "secmod.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11t.h"
#include "pk11pqg.h"
#include "pqgutil.h"

217
security/nss/lib/pk11wrap/pk11priv.h Normal file
Просмотреть файл

@ -0,0 +1,217 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef _PK11PRIV_H_
#define _PK11PRIV_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secdert.h"
#include "keyt.h"
#include "certt.h"
#include "pkcs11t.h"
#include "secmodt.h"
#include "seccomon.h"
#include "pkcs7t.h"
#include "cmsreclist.h"
/*
* These are the private NSS functions. They are not exported by nss.def, and
* are not callable outside nss3.dll.
*/
SEC_BEGIN_PROTOS
/************************************************************
* Generic Slot Lists Management
************************************************************/
PK11SlotList * PK11_NewSlotList(void);
PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
PRBool needRW,void *wincx);
SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
PK11SlotInfo *slot);
PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
/************************************************************
* Generic Slot Management
************************************************************/
CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result);
CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type);
char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring,
int stringLen);
int PK11_MapError(CK_RV error);
CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
CK_SESSION_HANDLE session_handle);
PK11SlotInfo *PK11_NewSlotInfo(SECMODModule *mod);
void PK11_EnterSlotMonitor(PK11SlotInfo *);
void PK11_ExitSlotMonitor(PK11SlotInfo *);
void PK11_CleanKeyList(PK11SlotInfo *slot);
/************************************************************
* Slot Password Management
************************************************************/
SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
/************************************************************
* Manage the built-In Slot Lists
************************************************************/
SECStatus PK11_InitSlotLists(void);
void PK11_DestroySlotLists(void);
PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
void PK11_ClearSlotList(PK11SlotInfo *slot);
/******************************************************************
* Slot initialization
******************************************************************/
PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv);
PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot);
SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot);
SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
/*********************************************************************
* Mechanism Mapping functions
*********************************************************************/
void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
CK_MECHANISM_TYPE keygen, int ivLen, int blocksize);
CK_MECHANISM_TYPE PK11_GetKeyMechanism(CK_KEY_TYPE type);
CK_MECHANISM_TYPE PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size);
/**********************************************************************
* Symetric, Public, and Private Keys
**********************************************************************/
PK11SymKey *PK11_CreateSymKey(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PRBool owner, void *wincx);
/* Key Generation specialized for SDR (fixed DES3 key) */
PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
CK_OBJECT_HANDLE id);
CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
void *wincx, PK11SlotInfo **pSlot);
PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
/**********************************************************************
* Certs
**********************************************************************/
CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
void *wincx);
CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
CK_OBJECT_CLASS o_class);
CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type );
CK_RV PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
SECStatus(*callback)(CERTCertificate *, void *), void *arg);
CERTCertificate *PK11_FindCertFromDERCertItem(PK11SlotInfo *slot,
SECItem *derCert, void *wincx);
CERTCertificate *PK11_FindCertFromDERSubjectAndNickname(
PK11SlotInfo *slot,
CERTCertificate *cert, char *nickname,
void *wincx);
SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
SECStatus(* callback)(CERTCertificate*, void *), void *arg);
SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
/**********************************************************************
* Crypto Contexts
**********************************************************************/
PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
SECItem *key, SECItem *param, void *wincx);
PRBool PK11_HashOK(SECOidTag hashAlg);
/**********************************************************************
* Functions which are depricated....
**********************************************************************/
SECItem *
PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle,
SECItem *derName, int type, char **url);
CK_OBJECT_HANDLE
PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl,
SECItem *name, char *url, int type);
SECItem *
PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj,
SECItem **profileTime);
SECStatus
PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
SECItem *emailProfile, SECItem *profileTime);
PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle);
char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ;
SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
const char *nickname) ;
/* private */
SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
void *cbArg, void *pwArg);
SEC_END_PROTOS
#endif

583
security/nss/lib/pk11wrap/pk11pub.h Normal file
Просмотреть файл

@ -0,0 +1,583 @@
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1994-2000
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
#ifndef _PK11PUB_H_
#define _PK11PUB_H_
#include "plarena.h"
#include "seccomon.h"
#include "secoidt.h"
#include "secdert.h"
#include "keyt.h"
#include "certt.h"
#include "pkcs11t.h"
#include "secmodt.h"
#include "seccomon.h"
#include "pkcs7t.h"
#include "cmsreclist.h"
/*
* Exported PK11 wrap functions.
*/
SEC_BEGIN_PROTOS
/************************************************************
* Generic Slot Lists Management
************************************************************/
void PK11_FreeSlotList(PK11SlotList *list);
PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list,
PK11SlotListElement *le, PRBool restart);
/************************************************************
* Generic Slot Management
************************************************************/
PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
void PK11_FreeSlot(PK11SlotInfo *slot);
SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
PK11SlotInfo *PK11_GetInternalKeySlot(void);
PK11SlotInfo *PK11_GetInternalSlot(void);
SECStatus PK11_Logout(PK11SlotInfo *slot);
void PK11_LogoutAll(void);
/************************************************************
* Slot Password Management
************************************************************/
void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw);
PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
SECStatus PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *pk11_userpwd);
SECStatus PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw);
void PK11_SetPasswordFunc(PK11PasswordFunc func);
int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
SECStatus PK11_TokenRefresh(PK11SlotInfo *slot);
/******************************************************************
* Slot info functions
******************************************************************/
PK11SlotInfo *PK11_FindSlotByName(char *name);
/******************************************************************
* PK11_FindSlotsByNames searches for a PK11SlotInfo using one or
* more criteria : dllName, slotName and tokenName . In addition, if
* presentOnly is set , only slots with a token inserted will be
* returned.
******************************************************************/
PK11SlotList *PK11_FindSlotsByNames(const char *dllName,
const char* slotName, const char* tokenName, PRBool presentOnly);
PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
PRBool PK11_IsInternal(PK11SlotInfo *slot);
char * PK11_GetTokenName(PK11SlotInfo *slot);
char * PK11_GetSlotName(PK11SlotInfo *slot);
PRBool PK11_NeedLogin(PK11SlotInfo *slot);
PRBool PK11_IsFriendly(PK11SlotInfo *slot);
PRBool PK11_IsHW(PK11SlotInfo *slot);
PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
int PK11_GetSlotSeries(PK11SlotInfo *slot);
int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
PRBool PK11_IsDisabled(PK11SlotInfo *slot);
PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
/* Prevents the slot from being used, and set disable reason to user-disable */
/* NOTE: Mechanisms that were ON continue to stay ON */
/* Therefore, when the slot is enabled, it will remember */
/* what mechanisms needs to be turned on */
PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
/* Allow all mechanisms that are ON before UserDisableSlot() */
/* was called to be available again */
PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
/*
* wait for a specific slot event.
* event is a specific event to wait for. Currently only
* PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
* timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
* poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
* pollInterval is a suggested pulling interval value. '0' means use the
* default. Future implementations that don't poll may ignore this value.
* series is the current series for the last slot. This should be the series
* value for the slot the last time you read persistant information from the
* slot. For instance, if you publish a cert from the slot, you should obtain
* the slot series at that time. Then PK11_WaitForTokenEvent can detect a
* a change in the slot between the time you publish and the time
* PK11_WaitForTokenEvent is called, elliminating potential race conditions.
*
* The current status that is returned is:
* PK11TokenNotRemovable - always returned for any non-removable token.
* PK11TokenPresent - returned when the token is present and we are waiting
* on a PK11TokenPresentEvent. Then next event to look for is a
* PK11TokenChangeOrRemovalEvent.
* PK11TokenChanged - returned when the old token has been removed and a new
* token ad been inserted, and we are waiting for a
* PK11TokenChangeOrRemovalEvent. The next event to look for is another
* PK11TokenChangeOrRemovalEvent.
* PK11TokenRemoved - returned when the token is not present and we are
* waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for
* is a PK11TokenPresentEvent.
*/
PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
PRBool PK11_NeedPWInit(void);
PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
PRBool PK11_IsFIPS(void);
SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
/*********************************************************************
* Slot mapping utility functions.
*********************************************************************/
PRBool PK11_IsPresent(PK11SlotInfo *slot);
PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
PRBool loadCerts, void *wincx);
PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
void *wincx);
PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
/*********************************************************************
* Mechanism Mapping functions
*********************************************************************/
CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
int PK11_GetIVLength(CK_MECHANISM_TYPE type);
SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
SECItem * PK11_BlockData(SECItem *data,unsigned long size);
/* PKCS #11 to DER mapping functions */
SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
PRArenaPool *arena, SECAlgorithmID *algid);
SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
SECStatus PK11_RandomUpdate(void *data, size_t bytes);
SECStatus PK11_GenerateRandom(unsigned char *data,int len);
CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
CK_MECHANISM_PTR pCryptoMechanism,
SECItem *pbe_pwd, PRBool bad3DES);
CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
/**********************************************************************
* Symetric, Public, and Private Keys
**********************************************************************/
void PK11_FreeSymKey(PK11SymKey *key);
PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID,
PRBool owner, void *wincx);
PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
CK_MECHANISM_TYPE type,int series, void *wincx);
/*
* This function is not thread-safe. It can only be called when only
* one thread has a reference to wrapKey.
*/
void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot,
SECKEYPublicKey *pubKey, PRBool isToken);
PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
SECItem *param, int keySize,void *wincx);
PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *param, int keySize, SECItem *keyid,
PRBool isToken, void *wincx);
PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
void *wincx);
PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
CK_KEY_TYPE PK11_GetSymKeyType(PK11SymKey *key);
SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey);
SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
/* move a key to 'slot' optionally set the key attributes according to either
* operation or the flags and making the key permanent at the same time.
* If the key is moved to the same slot, operation and flags values are
* currently ignored */
PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
CK_FLAGS flags, PRBool perm, PK11SymKey *symKey);
/*
* derive a new key from the base key.
* PK11_Derive returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_DeriveWithFlags is the same as PK11_Derive, except you can use
* CKF_ flags to enable more than one operation.
* PK11_DeriveWithFlagsPerm is the same as PK11_DeriveWithFlags except you can
* (optionally) make the key permanent (token key).
*/
PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
SECItem *param, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey,
CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
PK11SymKey * PK11_DeriveWithFlagsPerm( PK11SymKey *baseKey,
CK_MECHANISM_TYPE derive,
SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
int keySize, CK_FLAGS flags, PRBool isPerm);
PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
PK11SymKey *PK11_PubDeriveWithKDF( SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
CK_ULONG kdf, SECItem *sharedData, void *wincx);
/*
* unwrap a new key with a symetric key.
* PK11_Unwrap returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_UnwrapWithFlags is the same as PK11_Unwrap, except you can use
* CKF_ flags to enable more than one operation.
* PK11_UnwrapWithFlagsPerm is the same as PK11_UnwrapWithFlags except you can
* (optionally) make the key permanent (token key).
*/
PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key,
CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey,
CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
CK_FLAGS flags);
PK11SymKey * PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation,
int keySize, CK_FLAGS flags, PRBool isPerm);
/*
* unwrap a new key with a private key.
* PK11_PubUnwrap returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can
* use * CKF_ flags to enable more than one operation, and optionally make
* the key permanent (token key).
*/
PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
PK11SymKey * PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
CK_FLAGS flags, PRBool isPerm);
PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *keyID, void *wincx);
SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
PRBool token, PRBool sensitive);
char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey,
const char *nickname);
SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey,
const char *nickname);
/* size to hold key in bytes */
unsigned int PK11_GetKeyLength(PK11SymKey *key);
/* size of actual secret parts of key in bits */
/* algid is because RC4 strength is determined by the effective bits as well
* as the key bits */
unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
SECItem * PK11_GetKeyData(PK11SymKey *symKey);
PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
void *PK11_GetWindow(PK11SymKey *symKey);
SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
PRBool isPerm, PRBool isSensitive, void *wincx);
SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
void *wincx);
int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key);
SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
/* The encrypt version of the above function */
SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
unsigned char *data, unsigned dataLen, void *wincx);
SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, void *wincx);
SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
SECKEYPrivateKeyInfo *pki, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
SECItem *derPKI, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, void *wincx);
SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
SECItem *derPKI, SECItem *nickname,
SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, KeyType type,
unsigned int usage, void *wincx);
SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
CERTCertificate *cert, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
SECKEYPrivateKey *pk, int iteration, void *wincx);
SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
CERTCertificate *cert, int iteration, void *wincx);
SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
PRBool PK11_VerifyKeyOK(PK11SymKey *key);
SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot,
PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey, SECItem *label,
SECItem *publicValue, PRBool token, PRBool sensitive,
CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
void *wincx);
SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
SECItem *param, SECItem *wrappedKey, void *wincx);
SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
CK_MECHANISM_TYPE mech);
SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
char *nickname, void *wincx);
SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
char *nickname);
SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
/* depricated */
SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
void *wincx);
SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
SECKEYPrivateKey *privk, void* wincx);
/**********************************************************************
* Certs
**********************************************************************/
SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
SECStatus PK11_TraverseSlotCerts(
SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
void *arg, void *wincx);
CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
void *wincx);
PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
void *wincx);
PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
CK_OBJECT_HANDLE *keyPtr, void *wincx);
PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
CK_OBJECT_HANDLE *keyPtr, void *wincx);
CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
CERTIssuerAndSN *sn, void *wincx);
CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
SECKEYPrivateKey**privKey, void *wincx);
int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
void *wincx);
SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
void *arg);
CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx);
SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
char *nickname, PRBool addUsage,
void *wincx);
CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
void *wincx);
SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
void *arg);
CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena, PRInt32 decodeOptions);
/**********************************************************************
* Sign/Verify
**********************************************************************/
int PK11_SignatureLen(SECKEYPrivateKey *key);
PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
SECItem *dsig, void * wincx);
SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig,
SECItem *hash, void *wincx);
/**********************************************************************
* Crypto Contexts
**********************************************************************/
void PK11_DestroyContext(PK11Context *context, PRBool freeit);
PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
PK11Context *PK11_CloneContext(PK11Context *old);
SECStatus PK11_DigestBegin(PK11Context *cx);
SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
int32 len);
SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in,
unsigned len);
SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen,
int maxout, unsigned char *in, int inlen);
SECStatus PK11_Finalize(PK11Context *context);
SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data,
unsigned int *outLen, unsigned int length);
SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
int *len, int saveLength);
/* Save the context's state, with possible allocation.
* The caller may supply an already allocated buffer in preAllocBuf,
* with length pabLen. If the buffer is large enough for the context's
* state, it will receive the state.
* If the buffer is not large enough (or NULL), then a new buffer will
* be allocated with PORT_Alloc.
* In either case, the state will be returned as a buffer, and the length
* of the state will be given in *stateLen.
*/
unsigned char *
PK11_SaveContextAlloc(PK11Context *cx,
unsigned char *preAllocBuf, unsigned int pabLen,
unsigned int *stateLen);
SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
/**********************************************************************
* PBE functions
**********************************************************************/
/* This function creates PBE parameters from the given inputs. The result
* can be used to create a password integrity key for PKCS#12, by sending
* the return value to PK11_KeyGen along with the appropriate mechanism.
*/
SECItem *
PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
/* free params created above (can be called after keygen is done */
void PK11_DestroyPBEParams(SECItem *params);
SECAlgorithmID *
PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
PK11SymKey *
PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
PRBool faulty3DES, void *wincx);
PK11SymKey *
PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
SECItem *pwitem, PRBool faulty3DES, void *wincx);
SECItem *
PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
/**********************************************************************
* Functions to manage secmod flags
**********************************************************************/
PK11DefaultArrayEntry * PK11_GetDefaultArray(int *);
SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *, PK11DefaultArrayEntry *,
PRBool );
/**********************************************************************
* Functions to look at PKCS #11 dependent data
**********************************************************************/
PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot,
CK_OBJECT_CLASS objClass);
PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
PK11GenericObject *PK11_GetPrevtGenericObject(PK11GenericObject *object);
SECStatus PK11_UnlinkGenericObject(PK11GenericObject *object);
SECStatus PK11_LinkGenericObject(PK11GenericObject *list,
PK11GenericObject *object);
SECStatus PK11_DestroyGenericObjects(PK11GenericObject *object);
SECStatus PK11_DestroyGenericObject(PK11GenericObject *object);
SECStatus PK11_ReadRawAttribute(PK11ObjectType type, void *object,
CK_ATTRIBUTE_TYPE attr, SECItem *item);
/**********************************************************************
* New fucntions which are already depricated....
**********************************************************************/
SECItem *
PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *pwarg);
SECItem *
PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
PRBool SECMOD_HasRootCerts(void);
SEC_END_PROTOS
#endif

4120
security/nss/lib/pk11wrap/pk11skey.c
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

2618
security/nss/lib/pk11wrap/pk11slot.c
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

1
security/nss/lib/pk11wrap/pk11util.c
Просмотреть файл

@ -40,6 +40,7 @@
#include "secmod.h"
#include "nssilock.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pk11func.h"
#include "pki3hack.h"
#include "secerr.h"

9
security/nss/lib/pk11wrap/secmod.h
Просмотреть файл

@ -91,8 +91,6 @@ SECStatus SECMOD_UnloadUserModule(SECMODModule *mod);
SECMODModule * SECMOD_CreateModule(const char *lib, const char *name,
const char *param, const char *nss);
extern SECStatus SECMOD_Shutdown(void);
void nss_DumpModuleLog(void);
/* Module Management */
@ -114,12 +112,8 @@ extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void);
extern SECStatus SECMOD_UpdateModule(SECMODModule *module);
/* lock management */
extern SECMODListLock *SECMOD_NewListLock(void);
extern void SECMOD_DestroyListLock(SECMODListLock *);
extern void SECMOD_GetReadLock(SECMODListLock *);
extern void SECMOD_ReleaseReadLock(SECMODListLock *);
extern void SECMOD_GetWriteLock(SECMODListLock *);
extern void SECMOD_ReleaseWriteLock(SECMODListLock *);
/* Operate on modules by name */
extern SECMODModule *SECMOD_FindModule(const char *name);
@ -152,10 +146,7 @@ PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
/* Functions used to convert between internal & public representation
* of Mechanism Flags and Cipher Enable Flags */
extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
SEC_END_PROTOS

43
security/nss/lib/pk11wrap/secmodi.h
Просмотреть файл

@ -46,7 +46,7 @@
#include "secdert.h"
#include "certt.h"
#include "secmodt.h"
#include "secmodti.h"
#include "keyt.h"
#ifdef PKCS11_USE_THREADS
#define PK11_USE_THREADS(x) x
@ -59,6 +59,8 @@ SEC_BEGIN_PROTOS
/* proto-types */
extern SECStatus SECMOD_DeletePermDB(SECMODModule *module);
extern SECStatus SECMOD_AddPermDB(SECMODModule *module);
extern SECStatus SECMOD_Shutdown(void);
void nss_DumpModuleLog(void);
extern int secmod_PrivateModuleCount;
@ -70,6 +72,10 @@ extern SECStatus SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule);
extern SECStatus SECMOD_AddModuleToUnloadList(SECMODModule *newModule);
extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *);
extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *);
extern SECMODListLock *SECMOD_NewListLock(void);
extern void SECMOD_DestroyListLock(SECMODListLock *);
extern void SECMOD_GetWriteLock(SECMODListLock *);
extern void SECMOD_ReleaseWriteLock(SECMODListLock *);
/* Operate on modules by name */
extern SECMODModule *SECMOD_FindModuleByID(SECMODModuleID);
@ -81,7 +87,7 @@ extern void SECMOD_DestroyModuleList(SECMODModuleList *);
extern SECStatus SECMOD_AddModule(SECMODModule *newModule);
SECStatus SECMOD_DeleteModuleEx(const char * name, SECMODModule *mod, int *type, PRBool permdb);
extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
extern unsigned long SECMOD_InternaltoPubMechFlags(unsigned long internalFlags);
extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
/* Library functions */
@ -114,8 +120,39 @@ SECStatus PBE_PK11ParamToAlgid(SECOidTag algTag, SECItem *param,
extern void pk11sdr_Init(void);
extern void pk11sdr_Shutdown(void);
PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx);
/*
* Private to pk11wrap.
*/
PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx);
CK_SESSION_HANDLE pk11_GetNewSession(PK11SlotInfo *slot, PRBool *owner);
void pk11_CloseSession(PK11SlotInfo *slot, CK_SESSION_HANDLE sess, PRBool own);
PK11SymKey *pk11_ForceSlot(PK11SymKey *symKey, CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation);
unsigned int pk11_FlagsToAttributes(CK_FLAGS flags,
CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue);
PRBool pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs,
CK_ATTRIBUTE_TYPE target);
CK_MECHANISM_TYPE pk11_mapSignKeyType(KeyType keyType);
CK_MECHANISM_TYPE pk11_mapWrapKeyType(KeyType keyType);
PK11SymKey *pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, PRBool isPerm,
PK11SymKey *symKey);
PRBool pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert,
CERTCertTrust *trust);
CK_OBJECT_HANDLE pk11_FindPubKeyByAnyCert(CERTCertificate *cert,
PK11SlotInfo **slot, void *wincx);
SECStatus pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts,
void *wincx);
int PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate,
int templateCount);
SECItem *pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot,
CK_OBJECT_HANDLE handle);
SECStatus PK11_TraverseSlot(PK11SlotInfo *slot, void *arg);
CK_OBJECT_HANDLE pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot,
SECItem *keyID);
SEC_END_PROTOS
#endif

6
security/nss/lib/pk11wrap/secmodt.h
Просмотреть файл

@ -281,4 +281,10 @@ typedef enum {
PK11TokenPresentEvent = 1
} PK11TokenEvent;
/*
* CRL Import Flags
*/
#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
#endif /*_SECMODT_H_ */

16
security/nss/lib/pk11wrap/secmodti.h
Просмотреть файл

@ -54,6 +54,15 @@
/* internal data structures */
/* Traverse slots callback */
typedef struct pk11TraverseSlotStr {
SECStatus (*callback)(PK11SlotInfo *,CK_OBJECT_HANDLE, void *);
void *callbackArg;
CK_ATTRIBUTE *findTemplate;
int templateCount;
} pk11TraverseSlot;
/* structure to allow us to implement the read/write locks for our
* module lists */
struct SECMODListLockStr {
@ -204,4 +213,11 @@ struct PK11GenericObjectStr {
CK_OBJECT_HANDLE objectID;
};
#define MAX_TEMPL_ATTRS 16 /* maximum attributes in template */
/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
#endif /* _SECMODTI_H_ */