зеркало из https://github.com/mozilla/pjs.git
Bug 142172
1) look up the private key much earlier in the process so we know what slot it is on. 2) if a slot isn't specified, you the private key's slot. 3) if the specified slot and the private key slot don't match & the private key slot can do the PBE, then use the private key slot to do the PBE so we don't have to move the key. 4) if we have generated the PBE key in a different slot from the private key,
This commit is contained in:
Родитель
e749d58091
Коммит
a8a45a9d6e
|
@ -4574,6 +4574,18 @@ PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
|
|||
goto loser;
|
||||
}
|
||||
epki->arena = arena;
|
||||
|
||||
pk = PK11_FindKeyByAnyCert(cert, wincx);
|
||||
if(pk == NULL) {
|
||||
rv = SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* if we didn't specify a slot, use the slot the private key was in */
|
||||
if (!slot) {
|
||||
slot = pk->pkcs11Slot;
|
||||
}
|
||||
|
||||
algid = SEC_PKCS5CreateAlgorithmID(algTag, NULL, iteration);
|
||||
if(algid == NULL) {
|
||||
rv = SECFailure;
|
||||
|
@ -4585,6 +4597,15 @@ PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
|
|||
pbeMech.mechanism = mechanism;
|
||||
pbeMech.pParameter = pbe_param->data;
|
||||
pbeMech.ulParameterLen = pbe_param->len;
|
||||
|
||||
/* if we specified a different slot, and the private key slot can do the
|
||||
* pbe key gen, generate the key in the private key slot so we don't have
|
||||
* to move it later */
|
||||
if (slot != pk->pkcs11Slot) {
|
||||
if (PK11_DoesMechanism(pk->pkcs11Slot,mechanism)) {
|
||||
slot = pk->pkcs11Slot;
|
||||
}
|
||||
}
|
||||
key = PK11_RawPBEKeyGen(slot, mechanism, pbe_param, pwitem,
|
||||
PR_FALSE, wincx);
|
||||
|
||||
|
@ -4603,11 +4624,6 @@ PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
|
|||
crypto_param.data = (unsigned char *)cryptoMech.pParameter;
|
||||
crypto_param.len = cryptoMech.ulParameterLen;
|
||||
|
||||
pk = PK11_FindKeyByAnyCert(cert, wincx);
|
||||
if(pk == NULL) {
|
||||
rv = SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
encryptBufLen = pk11_private_key_encrypt_buffer_length(pk);
|
||||
if(encryptBufLen == -1) {
|
||||
|
@ -4622,6 +4638,20 @@ PK11_ExportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, SECOidTag algTag,
|
|||
goto loser;
|
||||
}
|
||||
|
||||
/* If the key isn't in the private key slot, move it */
|
||||
if (key->slot != pk->pkcs11Slot) {
|
||||
PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot,
|
||||
key->type, CKA_WRAP, key);
|
||||
if (newkey == NULL) {
|
||||
rv= SECFailure;
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* free the old key and use the new key */
|
||||
PK11_FreeSymKey(key);
|
||||
key = newkey;
|
||||
}
|
||||
|
||||
/* we are extracting an encrypted privateKey structure.
|
||||
* which needs to be freed along with the buffer into which it is
|
||||
* returned. eventually, we should retrieve an encrypted key using
|
||||
|
|
Загрузка…
Ссылка в новой задаче