mozilla
/
pjs
зеркало из https://github.com/mozilla/pjs.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Support SHA256, SHA384, and SHA512 hashes in NSS.

This commit is contained in:
nelsonb%netscape.com 2002-12-12 06:05:45 +00:00
Родитель 35b683c17e
Коммит d442ab6107
30 изменённых файлов: 588 добавлений и 493 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

139
security/nss/cmd/certutil/certutil.c
Просмотреть файл

@ -347,14 +347,56 @@ AddCert(PK11SlotInfo *slot, CERTCertDBHandle *handle, char *name, char *trusts,
return rv;
}
/* This function belongs in libNSS somewhere. */
static SECOidTag
getSignatureOidTag(KeyType keyType, SECOidTag hashAlgTag)
{
SECOidTag sigTag = SEC_OID_UNKNOWN;
switch (keyType) {
case rsaKey:
switch (hashAlgTag) {
case SEC_OID_MD2:
sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION; break;
case SEC_OID_UNKNOWN: /* default for RSA if not specified */
case SEC_OID_MD5:
sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; break;
case SEC_OID_SHA1:
sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; break;
case SEC_OID_SHA256:
sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; break;
case SEC_OID_SHA384:
sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION; break;
case SEC_OID_SHA512:
sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; break;
default:
break;
}
break;
case dsaKey:
switch (hashAlgTag) {
case SEC_OID_UNKNOWN: /* default for DSA if not specified */
case SEC_OID_SHA1:
sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; break;
default:
break;
}
break;
default:
break;
}
return sigTag;
}
static SECStatus
CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
CERTName *subject, char *phone, int ascii, const char *emailAddrs,
PRFileDesc *outFile)
SECOidTag hashAlgTag, CERTName *subject, char *phone, int ascii,
const char *emailAddrs, PRFileDesc *outFile)
{
CERTSubjectPublicKeyInfo *spki;
CERTCertificateRequest *cr;
SECItem *encoding;
SECOidTag signAlgTag;
SECItem result;
SECStatus rv;
PRArenaPool *arena;
@ -389,20 +431,13 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
}
/* Sign the request */
switch (keyType) {
case rsaKey:
rv = SEC_DerSignData(arena, &result, encoding->data, encoding->len,
privk, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION);
break;
case dsaKey:
rv = SEC_DerSignData(arena, &result, encoding->data, encoding->len,
privk, SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST);
break;
default:
SECU_PrintError(progName, "Must use rsa or dsa key type");
signAlgTag = getSignatureOidTag(keyType, hashAlgTag);
if (signAlgTag == SEC_OID_UNKNOWN) {
SECU_PrintError(progName, "unknown Key or Hash type");
return SECFailure;
}
rv = SEC_DerSignData(arena, &result, encoding->data, encoding->len,
privk, signAlgTag);
if (rv) {
SECU_PrintError(progName, "signing of data failed");
return SECFailure;
@ -1547,7 +1582,6 @@ static SECStatus
AddEmailSubjectAlt(void *extHandle, const char *emailAddrs)
{
SECItem item = { 0, NULL, 0 };
void *value;
CERTGeneralName *emailList = NULL;
CERTGeneralName *current;
PRCList *prev = NULL;
@ -1686,9 +1720,9 @@ AddBasicConstraint(void *extHandle)
}
static SECItem *
SignCert(CERTCertDBHandle *handle,
CERTCertificate *cert, PRBool selfsign,
SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
SECOidTag hashAlgTag,
SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
{
SECItem der;
SECItem *result = NULL;
@ -1716,17 +1750,10 @@ SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
arena = cert->arena;
switch(privKey->keyType) {
case rsaKey:
algID = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
break;
case dsaKey:
algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
break;
default:
fprintf(stderr, "Unknown key type for issuer.");
algID = getSignatureOidTag(privKey->keyType, hashAlgTag);
if (algID == SEC_OID_UNKNOWN) {
fprintf(stderr, "Unknown key or hash type for issuer.");
goto done;
break;
}
rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
@ -1754,8 +1781,7 @@ SECKEYPrivateKey *privKey, char *issuerNickName, void *pwarg)
goto done;
}
rv = SEC_DerSignData (arena, result, der.data, der.len, privKey,
algID);
rv = SEC_DerSignData(arena, result, der.data, der.len, privKey, algID);
if (rv != SECSuccess) {
fprintf (stderr, "Could not sign encoded certificate data.\n");
PORT_Free(result);
@ -1950,6 +1976,7 @@ CreateCert(
PRFileDesc *outFile,
SECKEYPrivateKey *selfsignprivkey,
void *pwarg,
SECOidTag hashAlgTag,
unsigned int serialNumber,
int warpmonths,
int validitylength,
@ -2043,12 +2070,14 @@ CreateCert(
CERT_FinishExtensions(extHandle);
certDER = SignCert (handle, subjectCert, selfsign, selfsignprivkey, issuerNickName,pwarg);
certDER = SignCert(handle, subjectCert, selfsign, hashAlgTag,
selfsignprivkey, issuerNickName,pwarg);
if (certDER) {
if (ascii) {
PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CERT_HEADER,
BTOA_DataToAscii(certDER->data, certDER->len), NS_CERT_TRAILER);
BTOA_DataToAscii(certDER->data, certDER->len),
NS_CERT_TRAILER);
} else {
PR_Write(outFile, certDER->data, certDER->len);
}
@ -2126,7 +2155,8 @@ enum {
opt_SelfSign,
opt_RW,
opt_Exponent,
opt_NoiseFile
opt_NoiseFile,
opt_Hash
};
static secuCommandFlag certutil_commands[] =
@ -2189,7 +2219,8 @@ static secuCommandFlag certutil_options[] =
{ /* opt_SelfSign */ 'x', PR_FALSE, 0, PR_FALSE },
{ /* opt_RW */ 'X', PR_FALSE, 0, PR_FALSE },
{ /* opt_Exponent */ 'y', PR_TRUE, 0, PR_FALSE },
{ /* opt_NoiseFile */ 'z', PR_TRUE, 0, PR_FALSE }
{ /* opt_NoiseFile */ 'z', PR_TRUE, 0, PR_FALSE },
{ /* opt_Hash */ 'Z', PR_TRUE, 0, PR_FALSE }
};
int
@ -2205,9 +2236,8 @@ main(int argc, char **argv)
char * slotname = "internal";
char * certPrefix = "";
KeyType keytype = rsaKey;
/*char * keyslot = NULL;*/
/*char * keynickname = NULL;*/
char * name = NULL;
SECOidTag hashAlgTag = SEC_OID_UNKNOWN;
int keysize = DEFAULT_KEY_BITS;
int publicExponent = 0x010001;
unsigned int serialNumber = 0;
@ -2267,17 +2297,42 @@ main(int argc, char **argv)
slotname = PL_strdup(certutil.options[opt_TokenName].arg);
}
/* -Z hash type */
if (certutil.options[opt_Hash].activated) {
char * arg = certutil.options[opt_Hash].arg;
if (!PL_strcmp(arg, "MD2")) {
hashAlgTag = SEC_OID_MD2;
} else if (!PL_strcmp(arg, "MD4")) {
hashAlgTag = SEC_OID_MD4;
} else if (!PL_strcmp(arg, "MD5")) {
hashAlgTag = SEC_OID_MD5;
} else if (!PL_strcmp(arg, "SHA1")) {
hashAlgTag = SEC_OID_SHA1;
} else if (!PL_strcmp(arg, "SHA256")) {
hashAlgTag = SEC_OID_SHA256;
} else if (!PL_strcmp(arg, "SHA384")) {
hashAlgTag = SEC_OID_SHA384;
} else if (!PL_strcmp(arg, "SHA512")) {
hashAlgTag = SEC_OID_SHA512;
} else {
PR_fprintf(PR_STDERR, "%s -Z: %s is not a recognized type.\n",
progName, arg);
return 255;
}
}
/* -k key type */
if (certutil.options[opt_KeyType].activated) {
if (PL_strcmp(certutil.options[opt_KeyType].arg, "rsa") == 0) {
char * arg = certutil.options[opt_KeyType].arg;
if (PL_strcmp(arg, "rsa") == 0) {
keytype = rsaKey;
} else if (PL_strcmp(certutil.options[opt_KeyType].arg, "dsa") == 0) {
} else if (PL_strcmp(arg, "dsa") == 0) {
keytype = dsaKey;
} else if (PL_strcmp(certutil.options[opt_KeyType].arg, "all") == 0) {
} else if (PL_strcmp(arg, "all") == 0) {
keytype = nullKey;
} else {
PR_fprintf(PR_STDERR, "%s -k: %s is not a recognized type.\n",
progName, certutil.options[opt_KeyType].arg);
progName, arg);
return 255;
}
}
@ -2670,7 +2725,7 @@ main(int argc, char **argv)
/* Make a cert request (-R or -S). */
if (certutil.commands[cmd_CreateAndAddCert].activated ||
certutil.commands[cmd_CertReq].activated) {
rv = CertReq(privkey, pubkey, keytype, subject,
rv = CertReq(privkey, pubkey, keytype, hashAlgTag, subject,
certutil.options[opt_PhoneNumber].arg,
certutil.options[opt_ASCIIForIO].activated,
certutil.options[opt_ExtendedEmailAddrs].arg,
@ -2710,7 +2765,7 @@ main(int argc, char **argv)
certutil.commands[cmd_CreateNewCert].activated) {
rv = CreateCert(certHandle,
certutil.options[opt_IssuerName].arg,
inFile, outFile, privkey, &pwdata,
inFile, outFile, privkey, &pwdata, hashAlgTag,
serialNumber, warpmonths, validitylength,
certutil.options[opt_ExtendedEmailAddrs].arg,
certutil.options[opt_ASCIIForIO].activated,

49
security/nss/cmd/smimetools/cmsutil.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* cmsutil -- A command to work with CMS data
*
* $Id: cmsutil.c,v 1.36 2002-12-11 01:44:37 thayes%netscape.com Exp $
* $Id: cmsutil.c,v 1.37 2002-12-12 06:05:43 nelsonb%netscape.com Exp $
*/
#include "nspr.h"
@ -113,6 +113,7 @@ Usage(char *progName)
fprintf(stderr, " -N nick use certificate named \"nick\" for signing\n");
fprintf(stderr, " -T do not include content in CMS message\n");
fprintf(stderr, " -G include a signing time attribute\n");
fprintf(stderr, " -H hash use hash (default:SHA1)\n");
fprintf(stderr, " -P include a SMIMECapabilities attribute\n");
fprintf(stderr, " -Y nick include a EncryptionKeyPreference attribute with cert\n");
fprintf(stderr, " (use \"NONE\" to omit)\n");
@ -171,6 +172,7 @@ struct signOptionsStr {
PRBool signingTime;
PRBool smimeProfile;
PRBool detached;
SECOidTag hashAlgTag;
};
struct envelopeOptionsStr {
@ -460,8 +462,8 @@ signed_data(struct signOptionsStr *signOptions)
/*
* create & attach signer information
*/
if ((signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, SEC_OID_SHA1))
== NULL) {
signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, signOptions->hashAlgTag);
if (signerinfo == NULL) {
fprintf(stderr, "ERROR: cannot create CMS signerInfo object.\n");
goto loser;
}
@ -585,7 +587,7 @@ signed_data(struct signOptionsStr *signOptions)
goto loser;
}
if (cms_verbose) {
fprintf(stderr, "created signed-date message\n");
fprintf(stderr, "created signed-data message\n");
}
if (ekpcert) {
CERT_DestroyCertificate(ekpcert);
@ -991,6 +993,8 @@ main(int argc, char **argv)
SECStatus rv;
progName = strrchr(argv[0], '/');
if (!progName)
progName = strrchr(argv[0], '\\');
progName = progName ? progName+1 : argv[0];
inFile = PR_STDIN;
@ -1007,6 +1011,7 @@ main(int argc, char **argv)
signOptions.signingTime = PR_FALSE;
signOptions.smimeProfile = PR_FALSE;
signOptions.encryptionKeyPreferenceNick = NULL;
signOptions.hashAlgTag = SEC_OID_SHA1;
envelopeOptions.recipients = NULL;
encryptOptions.recipients = NULL;
encryptOptions.envmsg = NULL;
@ -1019,7 +1024,7 @@ main(int argc, char **argv)
* Parse command line arguments
*/
optstate = PL_CreateOptState(argc, argv,
"CDSEOnN:TGPY:vh:p:i:c:d:e:o:s:u:r:");
"CDEGH:N:OPSTY:c:d:e:h:i:no:p:r:s:u:v");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@ -1100,6 +1105,38 @@ main(int argc, char **argv)
signOptions.signingTime = PR_TRUE;
break;
case 'H':
if (mode != SIGN) {
fprintf(stderr,
"%s: option -n only supported with option -D.\n",
"%s: option -H only supported with option -S.\n",
progName);
Usage(progName);
exit(1);
}
decodeOptions.suppressContent = PR_TRUE;
if (!strcmp(optstate->value, "MD2"))
signOptions.hashAlgTag = SEC_OID_MD2;
else if (!strcmp(optstate->value, "MD4"))
signOptions.hashAlgTag = SEC_OID_MD4;
else if (!strcmp(optstate->value, "MD5"))
signOptions.hashAlgTag = SEC_OID_MD5;
else if (!strcmp(optstate->value, "SHA1"))
signOptions.hashAlgTag = SEC_OID_SHA1;
else if (!strcmp(optstate->value, "SHA256"))
signOptions.hashAlgTag = SEC_OID_SHA256;
else if (!strcmp(optstate->value, "SHA384"))
signOptions.hashAlgTag = SEC_OID_SHA384;
else if (!strcmp(optstate->value, "SHA512"))
signOptions.hashAlgTag = SEC_OID_SHA512;
else {
fprintf(stderr,
"%s: -H requires one of MD2,MD4,MD5,SHA1,SHA256,SHA384,SHA512\n",
progName);
exit(1);
}
break;
case 'P':
if (mode != SIGN) {
fprintf(stderr,
@ -1387,7 +1424,7 @@ main(int argc, char **argv)
}
if (cms_verbose) {
fprintf(stderr, "input len [%d]\n", input.len);
{ int j;
{ unsigned int j;
for(j=0;j<input.len;j++)
fprintf(stderr, "%2x%c", input.data[j], (j>0&&j%35==0)?'\n':' ');
}

3
security/nss/lib/certdb/certdb.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* Certificate handling code
*
* $Id: certdb.c,v 1.46 2002-10-23 22:00:48 nelsonb%netscape.com Exp $
* $Id: certdb.c,v 1.47 2002-12-12 06:05:25 nelsonb%netscape.com Exp $
*/
#include "nssilock.h"
@ -45,7 +45,6 @@
#include "secder.h"
#include "secoid.h"
#include "secasn1.h"
#include "blapi.h" /* for SHA1_HashBuf */
#include "genname.h"
#include "keyhi.h"
#include "secitem.h"

36
security/nss/lib/certhigh/ocsp.c
Просмотреть файл

@ -35,7 +35,7 @@
* Implementation of OCSP services, for both client and server.
* (XXX, really, mostly just for client right now, but intended to do both.)
*
* $Id: ocsp.c,v 1.14 2002-09-23 23:47:49 wtc%netscape.com Exp $
* $Id: ocsp.c,v 1.15 2002-12-12 06:05:28 nelsonb%netscape.com Exp $
*/
#include "prerror.h"
@ -618,11 +618,7 @@ CERT_DestroyOCSPCertID(CERTOCSPCertID* certID)
* Create and fill-in a CertID. This function fills in the hash values
* (issuerNameHash and issuerKeyHash), and is hardwired to use SHA1.
* Someday it might need to be more flexible about hash algorithm, but
* for now we have no intention/need to create anything else, and until
* we have more flexible underlying interfaces, it's just not as easy
* as it should be to just take an algorithm id and call some helper
* functions to do all the work (no algid->length translation, no function
* to hash from and into a SECItem, etc.).
* for now we have no intention/need to create anything else.
*
* Error causes a null to be returned; most likely cause is trouble
* finding the certificate issuer (SEC_ERROR_UNKNOWN_ISSUER).
@ -2320,7 +2316,7 @@ static PRBool
ocsp_matchcert(SECItem *certIndex,CERTCertificate *testCert)
{
SECItem item;
unsigned char buf[SHA1_LENGTH]; /* MAX Hash Len */
unsigned char buf[HASH_LENGTH_MAX];
item.data = buf;
item.len = SHA1_LENGTH;
@ -2443,7 +2439,7 @@ ocsp_CheckSignature(ocspSignature *signature, void *tbs,
} else {
/*
* The signer is either 1) a known issuer CA we passed in,
* 2) the default OCSP responder, or 3) and intermediate CA
* 2) the default OCSP responder, or 3) an intermediate CA
* passed in the cert list to use. Figure out which it is.
*/
responder = ocsp_CertGetDefaultResponder(handle,NULL);
@ -3899,28 +3895,6 @@ CERT_DisableOCSPDefaultResponder(CERTCertDBHandle *handle)
statusContext->useDefaultResponder = PR_FALSE;
return SECSuccess;
}
static const SECHashObject *
OidTagToDigestObject(SECOidTag digestAlg)
{
const SECHashObject *rawDigestObject;
switch (digestAlg) {
case SEC_OID_MD2:
rawDigestObject = &SECHashObjects[HASH_AlgMD2];
break;
case SEC_OID_MD5:
rawDigestObject = &SECHashObjects[HASH_AlgMD5];
break;
case SEC_OID_SHA1:
rawDigestObject = &SECHashObjects[HASH_AlgSHA1];
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
rawDigestObject = NULL;
break;
}
return(rawDigestObject);
}
/*
* Digest the cert's subject public key using the specified algorithm.
@ -3943,7 +3917,7 @@ CERT_SPKDigestValueForCert(PRArenaPool *arena, CERTCertificate *cert,
mark = PORT_ArenaMark(arena);
}
digestObject = OidTagToDigestObject(digestAlg);
digestObject = HASH_GetHashObjectByOidTag(digestAlg);
if ( digestObject == NULL ) {
goto loser;
}

32
security/nss/lib/crmf/challcli.c
Просмотреть файл

@ -37,6 +37,7 @@
#include "secitem.h"
#include "pk11func.h"
#include "secder.h"
#include "sechash.h"
CMMFPOPODecKeyChallContent*
CMMF_CreatePOPODecKeyChallContentFromDER(const char *buf, long len)
@ -118,16 +119,14 @@ CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
{
CMMFChallenge *challenge;
SECItem *decryptedRand=NULL;
SECStatus rv = SECFailure;
SECAlgorithmID *owf;
PK11SlotInfo *slot;
PK11SymKey *symKey = NULL;
SECStatus rv = SECFailure;
CMMFRand randStr;
SECAlgorithmID *owf;
unsigned char hash[SHA1_LENGTH]; /*SHA1 is the longest, so we'll use
*it's length.
*/
SECItem hashItem;
SECOidTag tag;
unsigned char hash[HASH_LENGTH_MAX];
PORT_Assert(inChalCont != NULL && inPrivKey != NULL);
if (inChalCont == NULL || inIndex <0 || inIndex > inChalCont->numChallenges
@ -158,9 +157,9 @@ CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
decryptedRand = PK11_GetKeyData(symKey);
rv = SEC_ASN1DecodeItem(NULL, &randStr, CMMFRandTemplate,
decryptedRand);
/* The decryptedRand returned points to a member within the symKey structure,
* so we don't want to free it. Let the symKey destruction function deal with
* freeing that memory.
/* The decryptedRand returned points to a member within the symKey
* structure, so we don't want to free it. Let the symKey destruction
* function deal with freeing that memory.
*/
if (rv != SECSuccess) {
goto loser;
@ -175,19 +174,10 @@ CMMF_POPODecKeyChallContDecryptChallenge(CMMFPOPODecKeyChallContent *inChalCont,
}
/* Verify the hashes in the challenge */
tag = SECOID_FindOIDTag(&owf->algorithm);
switch (tag) {
case SEC_OID_MD2:
hashItem.len = MD2_LENGTH;
break;
case SEC_OID_MD5:
hashItem.len = MD5_LENGTH;
break;
case SEC_OID_SHA1:
hashItem.len = SHA1_LENGTH;
break;
default:
goto loser;
}
hashItem.len = HASH_ResultLenByOidTag(tag);
if (!hashItem.len)
goto loser; /* error code has been set */
rv = PK11_HashBuf(tag, hash, randStr.integer.data, randStr.integer.len);
if (rv != SECSuccess) {
goto loser;

41
security/nss/lib/cryptohi/sechash.c
Просмотреть файл

@ -32,6 +32,7 @@
*/
#include "sechash.h"
#include "secoidt.h"
#include "secerr.h"
#include "blapi.h"
#include "pk11func.h" /* for the PK11_ calls below. */
@ -174,11 +175,51 @@ HASH_GetHashObject(HASH_HashType type)
return &SECHashObjects[type];
}
HASH_HashType
HASH_GetHashTypeByOidTag(SECOidTag hashOid)
{
HASH_HashType ht = HASH_AlgNULL;
switch(hashOid) {
case SEC_OID_MD2: ht = HASH_AlgMD2; break;
case SEC_OID_MD5: ht = HASH_AlgMD5; break;
case SEC_OID_SHA1: ht = HASH_AlgSHA1; break;
case SEC_OID_SHA256: ht = HASH_AlgSHA256; break;
case SEC_OID_SHA384: ht = HASH_AlgSHA384; break;
case SEC_OID_SHA512: ht = HASH_AlgSHA512; break;
default: ht = HASH_AlgNULL;
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
break;
}
return ht;
}
const SECHashObject *
HASH_GetHashObjectByOidTag(SECOidTag hashOid)
{
HASH_HashType ht = HASH_GetHashTypeByOidTag(hashOid);
return (ht == HASH_AlgNULL) ? NULL : &SECHashObjects[ht];
}
/* returns zero for unknown hash OID */
unsigned int
HASH_ResultLenByOidTag(SECOidTag hashOid)
{
const SECHashObject * hashObject = HASH_GetHashObjectByOidTag(hashOid);
unsigned int resultLen = 0;
if (hashObject)
resultLen = hashObject->length;
return resultLen;
}
/* returns zero if hash type invalid. */
unsigned int
HASH_ResultLen(HASH_HashType type)
{
if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return(0);
}

9
security/nss/lib/cryptohi/sechash.h
Просмотреть файл

@ -34,11 +34,12 @@
*
* hash.h - public data structures and prototypes for the hashing library
*
* $Id: sechash.h,v 1.2 2001-01-05 01:38:09 nelsonb%netscape.com Exp $
* $Id: sechash.h,v 1.3 2002-12-12 06:05:17 nelsonb%netscape.com Exp $
*/
#include "seccomon.h"
#include "hasht.h"
#include "secoidt.h"
SEC_BEGIN_PROTOS
@ -50,6 +51,8 @@ extern unsigned int HASH_ResultLen(HASH_HashType type);
extern unsigned int HASH_ResultLenContext(HASHContext *context);
extern unsigned int HASH_ResultLenByOidTag(SECOidTag hashOid);
extern SECStatus HASH_HashBuf(HASH_HashType type,
unsigned char *dest,
unsigned char *src,
@ -74,6 +77,10 @@ extern void HASH_End(HASHContext *context,
extern const SECHashObject * HASH_GetHashObject(HASH_HashType type);
extern const SECHashObject * HASH_GetHashObjectByOidTag(SECOidTag hashOid);
extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid);
SEC_END_PROTOS
#endif /* _HASH_H_ */

36
security/nss/lib/cryptohi/secsign.c
Просмотреть файл

@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: secsign.c,v 1.4 2002-09-19 01:07:43 nicolson%netscape.com Exp $
* $Id: secsign.c,v 1.5 2002-12-12 06:05:17 nelsonb%netscape.com Exp $
*/
#include <stdio.h>
@ -85,6 +85,23 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key)
signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
keyType = rsaKey;
break;
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
hashalg = SEC_OID_SHA256;
signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
keyType = rsaKey;
break;
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
hashalg = SEC_OID_SHA384;
signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
keyType = rsaKey;
break;
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
hashalg = SEC_OID_SHA512;
signalg = SEC_OID_PKCS1_RSA_ENCRYPTION;
keyType = rsaKey;
break;
/* what about normal DSA? */
case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
@ -147,20 +164,9 @@ SGN_Begin(SGNContext *cx)
cx->hashcx = NULL;
}
switch (cx->hashalg) {
case SEC_OID_MD2:
cx->hashobj = &SECHashObjects[HASH_AlgMD2];
break;
case SEC_OID_MD5:
cx->hashobj = &SECHashObjects[HASH_AlgMD5];
break;
case SEC_OID_SHA1:
cx->hashobj = &SECHashObjects[HASH_AlgSHA1];
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashalg);
if (!cx->hashobj)
return SECFailure; /* error code is already set */
cx->hashcx = (*cx->hashobj->create)();
if (cx->hashcx == NULL)

63
security/nss/lib/cryptohi/secvfy.c
Просмотреть файл

@ -32,7 +32,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: secvfy.c,v 1.6 2001-09-20 21:30:48 relyea%netscape.com Exp $
* $Id: secvfy.c,v 1.7 2002-12-12 06:05:17 nelsonb%netscape.com Exp $
*/
#include <stdio.h>
@ -173,31 +173,42 @@ decodeSigAlg(SECOidTag alg, SECOidTag *hashalg)
/* We probably shouldn't be generating MD2 signatures either */
case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
*hashalg = SEC_OID_MD2;
return SECSuccess;
break;
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
*hashalg = SEC_OID_MD5;
return SECSuccess;
break;
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
*hashalg = SEC_OID_SHA1;
return SECSuccess;
break;
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
*hashalg = SEC_OID_SHA256;
break;
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
*hashalg = SEC_OID_SHA384;
break;
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
*hashalg = SEC_OID_SHA512;
break;
/* what about normal DSA? */
case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
*hashalg = SEC_OID_SHA1;
return SECSuccess;
break;
case SEC_OID_MISSI_DSS:
case SEC_OID_MISSI_KEA_DSS:
case SEC_OID_MISSI_KEA_DSS_OLD:
case SEC_OID_MISSI_DSS_OLD:
*hashalg = SEC_OID_SHA1;
return SECSuccess;
break;
/* we don't implement MD4 hashes */
case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
default:
break;
return SECFailure;
}
return SECFailure;
return SECSuccess;
}
VFYContext *
@ -214,7 +225,7 @@ VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag algid,
cx->sigAlg = algid;
rv = SECSuccess;
switch (key->keyType) {
case rsaKey:
case rsaKey:
cx->type = VFY_RSA;
cx->key = SECKEY_CopyPublicKey(key); /* extra safety precautions */
if (sig) {
@ -226,8 +237,8 @@ VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag algid,
rv = decodeSigAlg(algid,&cx->alg);
}
break;
case fortezzaKey:
case dsaKey:
case fortezzaKey:
case dsaKey:
cx->type = VFY_DSA;
cx->alg = SEC_OID_SHA1;
cx->key = SECKEY_CopyPublicKey(key);
@ -235,17 +246,20 @@ VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag algid,
rv = decodeDSASignature(algid,sig,&cx->digest[0]);
}
break;
default:
default:
rv = SECFailure;
break;
}
if (rv) goto loser;
switch (cx->alg) {
case SEC_OID_MD2:
case SEC_OID_MD5:
case SEC_OID_SHA1:
case SEC_OID_MD2:
case SEC_OID_MD5:
case SEC_OID_SHA1:
case SEC_OID_SHA256:
case SEC_OID_SHA384:
case SEC_OID_SHA512:
break;
default:
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
goto loser;
}
@ -282,20 +296,9 @@ VFY_Begin(VFYContext *cx)
cx->hashcx = NULL;
}
switch (cx->alg) {
case SEC_OID_MD2:
cx->hashobj = &SECHashObjects[HASH_AlgMD2];
break;
case SEC_OID_MD5:
cx->hashobj = &SECHashObjects[HASH_AlgMD5];
break;
case SEC_OID_SHA1:
cx->hashobj = &SECHashObjects[HASH_AlgSHA1];
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
cx->hashobj = HASH_GetHashObjectByOidTag(cx->alg);
if (!cx->hashobj)
return SECFailure; /* error code is set */
cx->hashcx = (*cx->hashobj->create)();
if (cx->hashcx == NULL)

7
security/nss/lib/dev/devutil.c
Просмотреть файл

@ -32,7 +32,7 @@
*/
#ifdef DEBUG
static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.18 $ $Date: 2002-09-10 20:30:53 $ $Name: $";
static const char CVS_ID[] = "@(#) $RCSfile: devutil.c,v $ $Revision: 1.19 $ $Date: 2002-12-12 06:05:22 $ $Name: $";
#endif /* DEBUG */
#ifndef DEVM_H
@ -1431,6 +1431,11 @@ nssTokenObjectCache_RemoveObject
PZ_Unlock(cache->lock);
}
/* These two hash algorithms are presently sufficient.
** They are used for fingerprints of certs which are stored as the
** CKA_CERT_SHA1_HASH and CKA_CERT_MD5_HASH attributes.
** We don't need to add SHAxxx to these now.
*/
/* XXX of course this doesn't belong here */
NSS_IMPLEMENT NSSAlgorithmAndParameters *
NSSAlgorithmAndParameters_CreateSHA1Digest

3
security/nss/lib/nss/nss.def
Просмотреть файл

@ -722,7 +722,10 @@ CERT_GetFirstEmailAddress;
CERT_GetNextEmailAddress;
CERT_VerifySignedDataWithPubKeyInfo;
CERT_VerifySignedDataWithPublicKey;
HASH_GetHashObjectByOidTag;
HASH_GetHashTypeByOidTag;
PK11_WaitForTokenEvent;
SECITEM_ItemsAreEqual;
;+ local:
;+ *;
;+};

9
security/nss/lib/pk11wrap/pk11init.h
Просмотреть файл

@ -49,15 +49,6 @@ struct PK11PreSlotInfoStr {
char hasRootTrust; /* is this the root cert PKCS #11 module? */
};
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES]"
#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
extern void PK11SDR_Init(void);
extern void PK11SDR_Shutdown(void);

12
security/nss/lib/pk11wrap/pk11skey.c
Просмотреть файл

@ -3812,13 +3812,11 @@ PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
return rv;
}
/* we need the output length ... maybe this should be table driven...*/
switch (hashAlg) {
case SEC_OID_SHA1: max_length = SHA1_LENGTH; break;
case SEC_OID_MD2: max_length = MD2_LENGTH; break;
case SEC_OID_MD5: max_length = MD5_LENGTH; break;
default: max_length = 16; break;
}
/* XXX This really should have been an argument to this function! */
max_length = HASH_ResultLenByOidTag(hashAlg);
PORT_Assert(max_length);
if (!max_length)
max_length = HASH_LENGTH_MAX;
rv = PK11_DigestFinal(context,out,&out_length,max_length);
PK11_DestroyContext(context, PR_TRUE);

52
security/nss/lib/pk11wrap/pk11slot.c
Просмотреть файл

@ -76,6 +76,9 @@ PK11DefaultArrayEntry PK11_DefaultArray[] = {
{ "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
{ "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
{ "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
{ "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 },
/* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
{ "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 },
{ "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
{ "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
{ "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
@ -84,7 +87,8 @@ PK11DefaultArrayEntry PK11_DefaultArray[] = {
{ "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
{ "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
};
int num_pk11_default_mechanisms = sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
const int num_pk11_default_mechanisms =
sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
/*
* These slotlists are lists of modules which provide default support for
@ -104,7 +108,9 @@ static PK11SlotList pk11_aesSlotList,
pk11_ideaSlotList,
pk11_sslSlotList,
pk11_tlsSlotList,
pk11_randomSlotList;
pk11_randomSlotList,
pk11_sha256SlotList,
pk11_sha512SlotList; /* slots do SHA512 and SHA384 */
/*
* Tables used for Extended mechanism mapping (currently not used)
@ -1239,6 +1245,8 @@ PK11_InitSlotLists(void)
pk11_initSlotList(&pk11_sslSlotList);
pk11_initSlotList(&pk11_tlsSlotList);
pk11_initSlotList(&pk11_randomSlotList);
pk11_initSlotList(&pk11_sha256SlotList);
pk11_initSlotList(&pk11_sha512SlotList);
return SECSuccess;
}
@ -1260,6 +1268,8 @@ PK11_DestroySlotLists(void)
pk11_freeSlotList(&pk11_sslSlotList);
pk11_freeSlotList(&pk11_tlsSlotList);
pk11_freeSlotList(&pk11_randomSlotList);
pk11_freeSlotList(&pk11_sha256SlotList);
pk11_freeSlotList(&pk11_sha512SlotList);
return;
}
@ -1287,6 +1297,11 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
return &pk11_rc5SlotList;
case CKM_SHA_1:
return &pk11_sha1SlotList;
case CKM_SHA256:
return &pk11_sha256SlotList;
case CKM_SHA384:
case CKM_SHA512:
return &pk11_sha512SlotList;
case CKM_MD5:
return &pk11_md5SlotList;
case CKM_MD2:
@ -1355,8 +1370,7 @@ PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
return;
}
for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
i++) {
for (i=0; i < num_pk11_default_mechanisms; i++) {
if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
PK11SlotList *slotList = PK11_GetSlotList(mechanism);
@ -1418,8 +1432,7 @@ PK11_ClearSlotList(PK11SlotInfo *slot)
if (slot->disabled) return;
if (slot->defaultFlags == 0) return;
for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
i++) {
for (i=0; i < num_pk11_default_mechanisms; i++) {
if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
PK11SlotList *slotList = PK11_GetSlotList(mechanism);
@ -2584,8 +2597,13 @@ PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx)
listNeedLogin = PR_FALSE;
for (i=0; i < mech_count; i++) {
if ((type[i] != CKM_FAKE_RANDOM) && (type[i] != CKM_SHA_1) &&
(type[i] != CKM_MD5) && (type[i] != CKM_MD2)) {
if ((type[i] != CKM_FAKE_RANDOM) &&
(type[i] != CKM_SHA_1) &&
(type[i] != CKM_SHA256) &&
(type[i] != CKM_SHA384) &&
(type[i] != CKM_SHA512) &&
(type[i] != CKM_MD5) &&
(type[i] != CKM_MD2)) {
listNeedLogin = PR_TRUE;
break;
}
@ -2847,6 +2865,9 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
case CKM_MD2_RSA_PKCS:
case CKM_MD5_RSA_PKCS:
case CKM_SHA1_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
case CKM_KEY_WRAP_SET_OAEP:
case CKM_RSA_PKCS_KEY_PAIR_GEN:
return CKK_RSA;
@ -2876,6 +2897,12 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
case CKM_TLS_KEY_AND_MAC_DERIVE:
case CKM_SHA_1_HMAC:
case CKM_SHA_1_HMAC_GENERAL:
case CKM_SHA256_HMAC:
case CKM_SHA256_HMAC_GENERAL:
case CKM_SHA384_HMAC:
case CKM_SHA384_HMAC_GENERAL:
case CKM_SHA512_HMAC:
case CKM_SHA512_HMAC_GENERAL:
case CKM_MD2_HMAC:
case CKM_MD2_HMAC_GENERAL:
case CKM_MD5_HMAC:
@ -3000,6 +3027,9 @@ PK11_GetKeyGen(CK_MECHANISM_TYPE type)
case CKM_MD2_RSA_PKCS:
case CKM_MD5_RSA_PKCS:
case CKM_SHA1_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
case CKM_KEY_WRAP_SET_OAEP:
case CKM_RSA_PKCS_KEY_PAIR_GEN:
return CKM_RSA_PKCS_KEY_PAIR_GEN;
@ -3026,6 +3056,12 @@ PK11_GetKeyGen(CK_MECHANISM_TYPE type)
return CKM_SSL3_PRE_MASTER_KEY_GEN;
case CKM_SHA_1_HMAC:
case CKM_SHA_1_HMAC_GENERAL:
case CKM_SHA256_HMAC:
case CKM_SHA256_HMAC_GENERAL:
case CKM_SHA384_HMAC:
case CKM_SHA384_HMAC_GENERAL:
case CKM_SHA512_HMAC:
case CKM_SHA512_HMAC_GENERAL:
case CKM_MD2_HMAC:
case CKM_MD2_HMAC_GENERAL:
case CKM_MD5_HMAC:

5
security/nss/lib/pk11wrap/secmodt.h
Просмотреть файл

@ -150,6 +150,8 @@ struct PK11DefaultArrayEntryStr {
#define SECMOD_SSL_FLAG 0x00000800L
#define SECMOD_TLS_FLAG 0x00001000L
#define SECMOD_AES_FLAG 0x00002000L
#define SECMOD_SHA256_FLAG 0x00004000L
#define SECMOD_SHA512_FLAG 0x00008000L /* also for SHA384 */
/* reserved bit for future, do not use */
#define SECMOD_RESERVED_FLAG 0X08000000L
#define SECMOD_FRIENDLY_FLAG 0x10000000L
@ -170,7 +172,7 @@ struct PK11DefaultArrayEntryStr {
#define SECMOD_FIPS 2 /* internal fips module */
/* default module configuration strings */
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES]"
#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512]"
#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
@ -180,7 +182,6 @@ struct PK11DefaultArrayEntryStr {
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
/*
* What is the origin of a given Key. Normally this doesn't matter, but
* the fortezza code needs to know if it needs to invoke the SSL3 fortezza

3
security/nss/lib/pkcs12/p12d.c
Просмотреть файл

@ -1264,8 +1264,7 @@ loser:
return SECFailure;
}
/* IN_BUF_LEN should be larger than SHA1_LENGTH */
#define IN_BUF_LEN 80
#define IN_BUF_LEN HASH_LENGTH_MAX
/* verify the hmac by reading the data from the temporary file
* using the routines specified when the decodingContext was

6
security/nss/lib/pkcs12/p12local.c
Просмотреть файл

@ -60,6 +60,12 @@ sec_pkcs12_algtag_to_mech(SECOidTag algtag)
return CKM_MD5_HMAC;
case SEC_OID_SHA1:
return CKM_SHA_1_HMAC;
case SEC_OID_SHA256:
return CKM_SHA256_HMAC;
case SEC_OID_SHA384:
return CKM_SHA384_HMAC;
case SEC_OID_SHA512:
return CKM_SHA512_HMAC;
default:
break;
}

60
security/nss/lib/pkcs7/p7decode.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* PKCS7 decoding, verification.
*
* $Id: p7decode.c,v 1.8 2002-07-30 22:51:13 relyea%netscape.com Exp $
* $Id: p7decode.c,v 1.9 2002-12-12 06:05:36 nelsonb%netscape.com Exp $
*/
#include "nssrenam.h"
@ -263,10 +263,6 @@ static SECStatus
sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
SECAlgorithmID **digestalgs)
{
SECAlgorithmID *algid;
SECOidData *oiddata;
const SECHashObject *digobj;
void *digcx;
int i, digcnt;
if (digestalgs == NULL)
@ -305,26 +301,10 @@ sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth,
* Create a digest context for each algorithm.
*/
for (i = 0; i < digcnt; i++) {
algid = digestalgs[i];
oiddata = SECOID_FindOID(&(algid->algorithm));
if (oiddata == NULL) {
digobj = NULL;
} else {
switch (oiddata->offset) {
case SEC_OID_MD2:
digobj = HASH_GetHashObject(HASH_AlgMD2);
break;
case SEC_OID_MD5:
digobj = HASH_GetHashObject(HASH_AlgMD5);
break;
case SEC_OID_SHA1:
digobj = HASH_GetHashObject(HASH_AlgSHA1);
break;
default:
digobj = NULL;
break;
}
}
SECAlgorithmID * algid = digestalgs[i];
SECOidTag oidTag = SECOID_FindOIDTag(&(algid->algorithm));
const SECHashObject *digobj = HASH_GetHashObjectByOidTag(oidTag);
void *digcx;
/*
* Skip any algorithm we do not even recognize; obviously,
@ -1637,32 +1617,14 @@ sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo,
algiddata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
if (detached_digest != NULL) {
switch (digest_type) {
default:
case HASH_AlgNULL:
HASH_HashType found_type = HASH_GetHashTypeByOidTag(algiddata->offset);
unsigned int hashLen = HASH_ResultLen(digest_type);
if (digest_type != found_type ||
digest_type == HASH_AlgNULL ||
detached_digest->len != hashLen) {
PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
goto done;
case HASH_AlgMD2:
PORT_Assert (detached_digest->len == MD2_LENGTH);
if (algiddata->offset != SEC_OID_MD2) {
PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
goto done;
}
break;
case HASH_AlgMD5:
PORT_Assert (detached_digest->len == MD5_LENGTH);
if (algiddata->offset != SEC_OID_MD5) {
PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
goto done;
}
break;
case HASH_AlgSHA1:
PORT_Assert (detached_digest->len == SHA1_LENGTH);
if (algiddata->offset != SEC_OID_SHA1) {
PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
goto done;
}
break;
}
digest = detached_digest;
} else {

29
security/nss/lib/pkcs7/p7encode.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* PKCS7 encoding.
*
* $Id: p7encode.c,v 1.5 2001-11-08 00:15:16 relyea%netscape.com Exp $
* $Id: p7encode.c,v 1.6 2002-12-12 06:05:36 nelsonb%netscape.com Exp $
*/
#include "nssrenam.h"
@ -589,26 +589,9 @@ sec_pkcs7_encoder_start_contexts (SEC_PKCS7ContentInfo *cinfo,
}
if (digestalg != NULL) {
SECOidData *oiddata;
SECOidTag oidTag = SECOID_FindOIDTag(&(digestalg->algorithm));
oiddata = SECOID_FindOID (&(digestalg->algorithm));
if (oiddata != NULL) {
switch (oiddata->offset) {
case SEC_OID_MD2:
p7ecx->digestobj = HASH_GetHashObject(HASH_AlgMD2);
break;
case SEC_OID_MD5:
p7ecx->digestobj = HASH_GetHashObject(HASH_AlgMD5);
break;
case SEC_OID_SHA1:
p7ecx->digestobj = HASH_GetHashObject(HASH_AlgSHA1);
break;
default:
/* XXX right error? */
PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
break;
}
}
p7ecx->digestobj = HASH_GetHashObjectByOidTag(oidTag);
if (p7ecx->digestobj != NULL) {
p7ecx->digestcx = (* p7ecx->digestobj->create) ();
if (p7ecx->digestcx == NULL)
@ -865,6 +848,12 @@ sec_pkcs7_pick_sign_alg (SECOidTag hashalg, SECOidTag encalg)
return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA1:
return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA256:
return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA384:
return SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA512:
return SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
default:
return SEC_OID_UNKNOWN;
}

4
security/nss/lib/pkcs7/secmime.c
Просмотреть файл

@ -35,7 +35,7 @@
* Stuff specific to S/MIME policy and interoperability.
* Depends on PKCS7, but there should be no dependency the other way around.
*
* $Id: secmime.c,v 1.1 2000-03-31 19:16:08 relyea%netscape.com Exp $
* $Id: secmime.c,v 1.2 2002-12-12 06:05:36 nelsonb%netscape.com Exp $
*/
#include "secmime.h"
@ -857,7 +857,7 @@ SECMIME_CreateSigned (CERTCertificate *scert,
SECStatus rv;
/* See note in header comment above about digestalg. */
PORT_Assert (digestalg == SEC_OID_SHA1);
/* Doesn't explain this. PORT_Assert (digestalg == SEC_OID_SHA1); */
cinfo = SEC_PKCS7CreateSignedData (scert, certUsageEmailSigner,
certdb, digestalg, digest,

4
security/nss/lib/smime/cmsrecinfo.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* CMS recipientInfo methods.
*
* $Id: cmsrecinfo.c,v 1.6 2001-12-07 01:36:13 relyea%netscape.com Exp $
* $Id: cmsrecinfo.c,v 1.7 2002-12-12 06:05:38 nelsonb%netscape.com Exp $
*/
#include "cmslocal.h"
@ -258,7 +258,7 @@ NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex)
SECOidTag
NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri)
{
SECOidTag encalgtag = SEC_OID_SHA1; /* set to not a valid encryption alg */
SECOidTag encalgtag = SEC_OID_UNKNOWN; /* an invalid encryption alg */
switch (ri->recipientInfoType) {
case NSSCMSRecipientInfoID_KeyTrans:

35
security/nss/lib/smime/cmssiginfo.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* CMS signerInfo methods.
*
* $Id: cmssiginfo.c,v 1.13 2002-10-25 22:46:48 nelsonb%netscape.com Exp $
* $Id: cmssiginfo.c,v 1.14 2002-12-12 06:05:38 nelsonb%netscape.com Exp $
*/
#include "cmslocal.h"
@ -162,7 +162,7 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
CERTCertificate *cert;
SECKEYPrivateKey *privkey = NULL;
SECOidTag digestalgtag;
SECOidTag signalgtag;
SECOidTag pubkAlgTag;
SECItem signature = { 0 };
SECStatus rv;
PLArenaPool *poolp, *tmppoolp;
@ -199,25 +199,30 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
* XXX I think there should be a cert-level interface for this,
* so that I do not have to know about subjectPublicKeyInfo...
*/
signalgtag = SECOID_GetAlgorithmTag(algID);
pubkAlgTag = SECOID_GetAlgorithmTag(algID);
if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID) {
SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE);
}
/* Fortezza MISSI have weird signature formats. Map them to standard DSA formats */
signalgtag = PK11_FortezzaMapSig(signalgtag);
/* Fortezza MISSI have weird signature formats.
* Map them to standard DSA formats
*/
pubkAlgTag = PK11_FortezzaMapSig(pubkAlgTag);
if (signerinfo->authAttr != NULL) {
SECOidTag signAlgTag;
SECItem encoded_attrs;
/* find and fill in the message digest attribute. */
rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr),
SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
if (rv != SECSuccess)
goto loser;
if (contentType != NULL) {
/* if the caller wants us to, find and fill in the content type attribute. */
rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr),
SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
if (rv != SECSuccess)
goto loser;
}
@ -244,12 +249,14 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
encoded_attrs.data = NULL;
encoded_attrs.len = 0;
if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr), &encoded_attrs) == NULL)
if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr),
&encoded_attrs) == NULL)
goto loser;
rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, privkey,
NSS_CMSUtil_MakeSignatureAlgorithm(digestalgtag, signalgtag));
PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
signAlgTag = NSS_CMSUtil_MakeSignatureAlgorithm(digestalgtag, pubkAlgTag);
rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len,
privkey, signAlgTag);
PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
} else {
rv = SGN_Digest(privkey, digestalgtag, &signature, digest);
}
@ -259,12 +266,14 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c
if (rv != SECSuccess)
goto loser;
if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature) != SECSuccess)
if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature)
!= SECSuccess)
goto loser;
SECITEM_FreeItem(&signature, PR_FALSE);
if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), signalgtag, NULL) != SECSuccess)
if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), pubkAlgTag,
NULL) != SECSuccess)
goto loser;
return SECSuccess;

49
security/nss/lib/smime/cmsutil.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* CMS miscellaneous utility functions.
*
* $Id: cmsutil.c,v 1.7 2001-11-02 00:03:32 ddrinan%netscape.com Exp $
* $Id: cmsutil.c,v 1.8 2002-12-12 06:05:39 nelsonb%netscape.com Exp $
*/
#include "nssrenam.h"
@ -178,19 +178,30 @@ NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID
* algorithm was not found.
*/
int
NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag)
NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray,
SECOidTag algtag)
{
SECOidData *algid;
int i;
int i = -1;
if (algorithmArray == NULL || algorithmArray[0] == NULL)
return -1;
return i;
#ifdef ORDER_N_SQUARED
for (i = 0; algorithmArray[i] != NULL; i++) {
algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
if (algid->offset == algtag)
break; /* bingo */
}
#else
algid = SECOID_FindOIDByTag(algtag);
if (!algid)
return i;
for (i = 0; algorithmArray[i] != NULL; i++) {
if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid))
break; /* bingo */
}
#endif
if (algorithmArray[i] == NULL)
return -1; /* not found */
@ -201,29 +212,9 @@ NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algt
const SECHashObject *
NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid)
{
SECOidData *oiddata;
const SECHashObject *digobj;
SECOidTag oidTag = SECOID_FindOIDTag(&(algid->algorithm));
const SECHashObject *digobj = HASH_GetHashObjectByOidTag(oidTag);
/* here are the algorithms we know */
oiddata = SECOID_FindOID(&(algid->algorithm));
if (oiddata == NULL) {
digobj = NULL;
} else {
switch (oiddata->offset) {
case SEC_OID_MD2:
digobj = HASH_GetHashObject(HASH_AlgMD2);
break;
case SEC_OID_MD5:
digobj = HASH_GetHashObject(HASH_AlgMD5);
break;
case SEC_OID_SHA1:
digobj = HASH_GetHashObject(HASH_AlgSHA1);
break;
default:
digobj = NULL;
break;
}
}
return digobj;
}
@ -243,6 +234,12 @@ NSS_CMSUtil_MakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg)
return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA1:
return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA256:
return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA384:
return SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
case SEC_OID_SHA512:
return SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
default:
return SEC_OID_UNKNOWN;
}

4
security/nss/lib/smime/smimemessage.c
Просмотреть файл

@ -34,7 +34,7 @@
/*
* SMIME message methods
*
* $Id: smimemessage.c,v 1.4 2000-12-22 17:16:21 relyea%netscape.com Exp $
* $Id: smimemessage.c,v 1.5 2002-12-12 06:05:39 nelsonb%netscape.com Exp $
*/
#include "cmslocal.h"
@ -166,7 +166,7 @@ NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert,
NSSCMSSignerInfo *signerinfo;
/* See note in header comment above about digestalg. */
PORT_Assert (digestalgtag == SEC_OID_SHA1);
/* Doesn't explain this. PORT_Assert (digestalgtag == SEC_OID_SHA1); */
cmsg = NSS_CMSMessage_Create(NULL);
if (cmsg == NULL)

12
security/nss/lib/softoken/pkcs11.c
Просмотреть файл

@ -261,6 +261,9 @@ static const struct mechanismList mechanisms[] = {
{CKM_MD2_RSA_PKCS, {128,CK_MAX,CKF_SN_VR}, PR_TRUE},
{CKM_MD5_RSA_PKCS, {128,CK_MAX,CKF_SN_VR}, PR_TRUE},
{CKM_SHA1_RSA_PKCS, {128,CK_MAX,CKF_SN_VR}, PR_TRUE},
{CKM_SHA256_RSA_PKCS, {128,CK_MAX,CKF_SN_VR}, PR_TRUE},
{CKM_SHA384_RSA_PKCS, {128,CK_MAX,CKF_SN_VR}, PR_TRUE},
{CKM_SHA512_RSA_PKCS, {128,CK_MAX,CKF_SN_VR}, PR_TRUE},
/* ------------------------- DSA Operations --------------------------- */
{CKM_DSA_KEY_PAIR_GEN, {512, 1024, CKF_GENERATE_KEY_PAIR}, PR_TRUE},
{CKM_DSA, {512, 1024, CKF_SN_VR}, PR_TRUE},
@ -317,6 +320,15 @@ static const struct mechanismList mechanisms[] = {
{CKM_SHA_1, {0, 0, CKF_DIGEST}, PR_FALSE},
{CKM_SHA_1_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_SHA_1_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_SHA256, {0, 0, CKF_DIGEST}, PR_FALSE},
{CKM_SHA256_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_SHA256_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_SHA384, {0, 0, CKF_DIGEST}, PR_FALSE},
{CKM_SHA384_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_SHA384_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_SHA512, {0, 0, CKF_DIGEST}, PR_FALSE},
{CKM_SHA512_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_SHA512_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE},
{CKM_TLS_PRF_GENERAL, {0, 512, CKF_SN_VR}, PR_FALSE},
/* ------------------------- CAST Operations --------------------------- */
#ifdef NSS_SOFTOKEN_DOES_CAST

299
security/nss/lib/softoken/pkcs11c.c
Просмотреть файл

@ -1053,65 +1053,43 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession,
{
PK11Session *session;
PK11SessionContext *context;
MD2Context *md2_context;
MD5Context *md5_context;
SHA1Context *sha1_context;
CK_RV crv = CKR_OK;
session = pk11_SessionFromHandle(hSession);
if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
if (session == NULL)
return CKR_SESSION_HANDLE_INVALID;
crv = pk11_InitGeneric(session,&context,PK11_HASH,NULL,0,NULL, 0, 0);
if (crv != CKR_OK) {
pk11_FreeSession(session);
return crv;
}
#define INIT_MECH(mech,mmm) \
case mech: { \
mmm ## Context * mmm ## _ctx = mmm ## _NewContext(); \
context->cipherInfo = (void *)mmm ## _ctx; \
context->cipherInfoLen = mmm ## _FlattenSize(mmm ## _ctx); \
context->currentMech = mech; \
context->hashUpdate = (PK11Hash) mmm ## _Update; \
context->end = (PK11End) mmm ## _End; \
context->destroy = (PK11Destroy) mmm ## _DestroyContext; \
context->maxLen = mmm ## _LENGTH; \
if (mmm ## _ctx) \
mmm ## _Begin(mmm ## _ctx); \
else \
crv = CKR_HOST_MEMORY; \
break; \
}
switch(pMechanism->mechanism) {
case CKM_MD2:
md2_context = MD2_NewContext();
context->cipherInfo = (void *)md2_context;
context->cipherInfoLen = MD2_FlattenSize(md2_context);
context->currentMech = CKM_MD2;
if (context->cipherInfo == NULL) {
crv= CKR_HOST_MEMORY;
}
context->hashUpdate = (PK11Hash) MD2_Update;
context->end = (PK11End) MD2_End;
context->destroy = (PK11Destroy) MD2_DestroyContext;
context->maxLen = MD2_LENGTH;
MD2_Begin(md2_context);
break;
case CKM_MD5:
md5_context = MD5_NewContext();
context->cipherInfo = (void *)md5_context;
context->cipherInfoLen = MD5_FlattenSize(md5_context);
context->currentMech = CKM_MD5;
if (context->cipherInfo == NULL) {
crv= CKR_HOST_MEMORY;
}
context->hashUpdate = (PK11Hash) MD5_Update;
context->end = (PK11End) MD5_End;
context->destroy = (PK11Destroy) MD5_DestroyContext;
context->maxLen = MD5_LENGTH;
MD5_Begin(md5_context);
break;
case CKM_SHA_1:
sha1_context = SHA1_NewContext();
context->cipherInfo = (void *)sha1_context;
context->cipherInfoLen = SHA1_FlattenSize(sha1_context);
context->currentMech = CKM_SHA_1;
if (context->cipherInfo == NULL) {
crv= CKR_HOST_MEMORY;
break;
}
context->hashUpdate = (PK11Hash) SHA1_Update;
context->end = (PK11End) SHA1_End;
context->destroy = (PK11Destroy) SHA1_DestroyContext;
SHA1_Begin(sha1_context);
context->maxLen = SHA1_LENGTH;
break;
INIT_MECH(CKM_MD2, MD2)
INIT_MECH(CKM_MD5, MD5)
INIT_MECH(CKM_SHA_1, SHA1)
INIT_MECH(CKM_SHA256, SHA256)
INIT_MECH(CKM_SHA384, SHA384)
INIT_MECH(CKM_SHA512, SHA512)
default:
crv = CKR_MECHANISM_INVALID;
break;
@ -1206,50 +1184,30 @@ CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
}
/*
* this helper functions are used by Generic Macing and Signing functions
* these helper functions are used by Generic Macing and Signing functions
* that use hashes as part of their operations.
*/
static CK_RV
pk11_doSubMD2(PK11SessionContext *context) {
MD2Context *md2_context = MD2_NewContext();
context->hashInfo = (void *)md2_context;
if (context->hashInfo == NULL) {
return CKR_HOST_MEMORY;
}
context->hashUpdate = (PK11Hash) MD2_Update;
context->end = (PK11End) MD2_End;
context->hashdestroy = (PK11Destroy) MD2_DestroyContext;
MD2_Begin(md2_context);
return CKR_OK;
#define DOSUB(mmm) \
static CK_RV \
pk11_doSub ## mmm(PK11SessionContext *context) { \
mmm ## Context * mmm ## _ctx = mmm ## _NewContext(); \
context->hashInfo = (void *) mmm ## _ctx; \
context->hashUpdate = (PK11Hash) mmm ## _Update; \
context->end = (PK11End) mmm ## _End; \
context->hashdestroy = (PK11Destroy) mmm ## _DestroyContext; \
if (!context->hashInfo) { \
return CKR_HOST_MEMORY; \
} \
mmm ## _Begin( mmm ## _ctx ); \
return CKR_OK; \
}
static CK_RV
pk11_doSubMD5(PK11SessionContext *context) {
MD5Context *md5_context = MD5_NewContext();
context->hashInfo = (void *)md5_context;
if (context->hashInfo == NULL) {
return CKR_HOST_MEMORY;
}
context->hashUpdate = (PK11Hash) MD5_Update;
context->end = (PK11End) MD5_End;
context->hashdestroy = (PK11Destroy) MD5_DestroyContext;
MD5_Begin(md5_context);
return CKR_OK;
}
static CK_RV
pk11_doSubSHA1(PK11SessionContext *context) {
SHA1Context *sha1_context = SHA1_NewContext();
context->hashInfo = (void *)sha1_context;
if (context->hashInfo == NULL) {
return CKR_HOST_MEMORY;
}
context->hashUpdate = (PK11Hash) SHA1_Update;
context->end = (PK11End) SHA1_End;
context->hashdestroy = (PK11Destroy) SHA1_DestroyContext;
SHA1_Begin(sha1_context);
return CKR_OK;
}
DOSUB(MD2)
DOSUB(MD5)
DOSUB(SHA1)
DOSUB(SHA256)
DOSUB(SHA384)
DOSUB(SHA512)
/*
* HMAC General copies only a portion of the result. This update routine likes
@ -1404,8 +1362,8 @@ pk11_doSSLMACInit(PK11SessionContext *context,SECOidTag oid,
if (oid == SEC_OID_SHA1) {
crv = pk11_doSubSHA1(context);
begin = (PK11Begin) SHA1_Begin;
if (crv != CKR_OK) return crv;
begin = (PK11Begin) SHA1_Begin;
padSize = 40;
} else {
crv = pk11_doSubMD5(context);
@ -1847,43 +1805,25 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
context->multi = PR_FALSE;
#define INIT_RSA_SIGN_MECH(mmm) \
case CKM_ ## mmm ## _RSA_PKCS: \
context->multi = PR_TRUE; \
crv = pk11_doSub ## mmm (context); \
if (crv != CKR_OK) break; \
context->update = (PK11Cipher) pk11_HashSign; \
info = PORT_New(PK11HashSignInfo); \
if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
info->hashOid = SEC_OID_ ## mmm ; \
goto finish_rsa;
switch(pMechanism->mechanism) {
case CKM_MD5_RSA_PKCS:
context->multi = PR_TRUE;
crv = pk11_doSubMD5(context);
if (crv != CKR_OK) break;
context->update = (PK11Cipher) pk11_HashSign;
info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
if (info == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
info->hashOid = SEC_OID_MD5;
goto finish_rsa;
case CKM_MD2_RSA_PKCS:
context->multi = PR_TRUE;
crv = pk11_doSubMD2(context);
if (crv != CKR_OK) break;
context->update = (PK11Cipher) pk11_HashSign;
info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
if (info == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
info->hashOid = SEC_OID_MD2;
goto finish_rsa;
case CKM_SHA1_RSA_PKCS:
context->multi = PR_TRUE;
crv = pk11_doSubSHA1(context);
if (crv != CKR_OK) break;
context->update = (PK11Cipher) pk11_HashSign;
info = (PK11HashSignInfo *)PORT_Alloc(sizeof(PK11HashSignInfo));
if (info == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
info->hashOid = SEC_OID_SHA1;
goto finish_rsa;
INIT_RSA_SIGN_MECH(MD5)
INIT_RSA_SIGN_MECH(MD2)
INIT_RSA_SIGN_MECH(SHA1)
INIT_RSA_SIGN_MECH(SHA256)
INIT_RSA_SIGN_MECH(SHA384)
INIT_RSA_SIGN_MECH(SHA512)
case CKM_RSA_PKCS:
context->update = (PK11Cipher) RSA_Sign;
goto finish_rsa;
@ -1939,20 +1879,22 @@ finish_rsa:
context->maxLen = DSA_SIGNATURE_LEN;
break;
case CKM_MD2_HMAC_GENERAL:
crv = pk11_doHMACInit(context,HASH_AlgMD2,key,
*(CK_ULONG *)pMechanism->pParameter);
break;
case CKM_MD2_HMAC:
crv = pk11_doHMACInit(context,HASH_AlgMD2,key,MD2_LENGTH);
break;
case CKM_MD5_HMAC_GENERAL:
crv = pk11_doHMACInit(context,HASH_AlgMD5,key,
*(CK_ULONG *)pMechanism->pParameter);
break;
case CKM_MD5_HMAC:
crv = pk11_doHMACInit(context,HASH_AlgMD5,key,MD5_LENGTH);
break;
#define INIT_HMAC_MECH(mmm) \
case CKM_ ## mmm ## _HMAC_GENERAL: \
crv = pk11_doHMACInit(context, HASH_Alg ## mmm ,key, \
*(CK_ULONG *)pMechanism->pParameter); \
break; \
case CKM_ ## mmm ## _HMAC: \
crv = pk11_doHMACInit(context, HASH_Alg ## mmm ,key, mmm ## _LENGTH); \
break;
INIT_HMAC_MECH(MD2)
INIT_HMAC_MECH(MD5)
INIT_HMAC_MECH(SHA256)
INIT_HMAC_MECH(SHA384)
INIT_HMAC_MECH(SHA512)
case CKM_SHA_1_HMAC_GENERAL:
crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,
*(CK_ULONG *)pMechanism->pParameter);
@ -1960,6 +1902,7 @@ finish_rsa:
case CKM_SHA_1_HMAC:
crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
break;
case CKM_SSL3_MD5_MAC:
crv = pk11_doSSLMACInit(context,SEC_OID_MD5,key,
*(CK_ULONG *)pMechanism->pParameter);
@ -2273,43 +2216,25 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
context->multi = PR_FALSE;
#define INIT_RSA_VFY_MECH(mmm) \
case CKM_ ## mmm ## _RSA_PKCS: \
context->multi = PR_TRUE; \
crv = pk11_doSub ## mmm (context); \
if (crv != CKR_OK) break; \
context->verify = (PK11Verify) pk11_hashCheckSign; \
info = PORT_New(PK11HashVerifyInfo); \
if (info == NULL) { crv = CKR_HOST_MEMORY; break; } \
info->hashOid = SEC_OID_ ## mmm ; \
goto finish_rsa;
switch(pMechanism->mechanism) {
case CKM_MD5_RSA_PKCS:
context->multi = PR_TRUE;
crv = pk11_doSubMD5(context);
if (crv != CKR_OK) break;
context->verify = (PK11Verify) pk11_hashCheckSign;
info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
if (info == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
info->hashOid = SEC_OID_MD5;
goto finish_rsa;
case CKM_MD2_RSA_PKCS:
context->multi = PR_TRUE;
crv = pk11_doSubMD2(context);
if (crv != CKR_OK) break;
context->verify = (PK11Verify) pk11_hashCheckSign;
info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
if (info == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
info->hashOid = SEC_OID_MD2;
goto finish_rsa;
case CKM_SHA1_RSA_PKCS:
context->multi = PR_TRUE;
crv = pk11_doSubSHA1(context);
if (crv != CKR_OK) break;
context->verify = (PK11Verify) pk11_hashCheckSign;
info = (PK11HashVerifyInfo *)PORT_Alloc(sizeof(PK11HashVerifyInfo));
if (info == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
info->hashOid = SEC_OID_SHA1;
goto finish_rsa;
INIT_RSA_VFY_MECH(MD5)
INIT_RSA_VFY_MECH(MD2)
INIT_RSA_VFY_MECH(SHA1)
INIT_RSA_VFY_MECH(SHA256)
INIT_RSA_VFY_MECH(SHA384)
INIT_RSA_VFY_MECH(SHA512)
case CKM_RSA_PKCS:
context->verify = (PK11Verify) RSA_CheckSign;
goto finish_rsa;
@ -2355,20 +2280,13 @@ finish_rsa:
context->destroy = pk11_Null;
break;
case CKM_MD2_HMAC_GENERAL:
crv = pk11_doHMACInit(context,HASH_AlgMD2,key,
*(CK_ULONG *)pMechanism->pParameter);
break;
case CKM_MD2_HMAC:
crv = pk11_doHMACInit(context,HASH_AlgMD2,key,MD2_LENGTH);
break;
case CKM_MD5_HMAC_GENERAL:
crv = pk11_doHMACInit(context,HASH_AlgMD5,key,
*(CK_ULONG *)pMechanism->pParameter);
break;
case CKM_MD5_HMAC:
crv = pk11_doHMACInit(context,HASH_AlgMD5,key,MD5_LENGTH);
break;
INIT_HMAC_MECH(MD2)
INIT_HMAC_MECH(MD5)
INIT_HMAC_MECH(SHA256)
INIT_HMAC_MECH(SHA384)
INIT_HMAC_MECH(SHA512)
case CKM_SHA_1_HMAC_GENERAL:
crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,
*(CK_ULONG *)pMechanism->pParameter);
@ -2376,6 +2294,7 @@ finish_rsa:
case CKM_SHA_1_HMAC:
crv = pk11_doHMACInit(context,HASH_AlgSHA1,key,SHA1_LENGTH);
break;
case CKM_SSL3_MD5_MAC:
crv = pk11_doSSLMACInit(context,SEC_OID_MD5,key,
*(CK_ULONG *)pMechanism->pParameter);

22
security/nss/lib/softoken/pkcs11n.h
Просмотреть файл

@ -36,7 +36,7 @@
#define _PKCS11N_H_
#ifdef DEBUG
static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.5 $ $Date: 2002-11-16 03:25:01 $ $Name: $";
static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.6 $ $Date: 2002-12-12 06:05:11 $ $Name: $";
#endif /* DEBUG */
/*
@ -168,13 +168,21 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.5 $
/* These new SHAxxx mechanisms will be defined as vendor-defined until
** they are given standard mechanism numbers.
*/
#define CKM_SHA256 0x80000401L
#define CKM_SHA384 0x80000402L
#define CKM_SHA512 0x80000403L
#define CKM_SHA256_RSA_PKCS 0x80000411L
#define CKM_SHA384_RSA_PKCS 0x80000412L
#define CKM_SHA512_RSA_PKCS 0x80000413L
#define CKM_SHA256 0x80000401L
#define CKM_SHA256_HMAC 0x80000402L
#define CKM_SHA256_HMAC_GENERAL 0x80000403L
#define CKM_SHA256_RSA_PKCS 0x80000404L
#define CKM_SHA384 0x80000411L
#define CKM_SHA384_HMAC 0x80000412L
#define CKM_SHA384_HMAC_GENERAL 0x80000413L
#define CKM_SHA384_RSA_PKCS 0x80000414L
#define CKM_SHA512 0x80000421L
#define CKM_SHA512_HMAC 0x80000422L
#define CKM_SHA512_HMAC_GENERAL 0x80000423L
#define CKM_SHA512_RSA_PKCS 0x80000424L
/*
* Netscape-defined return values

6
security/nss/lib/util/secalgid.c
Просмотреть файл

@ -88,11 +88,17 @@ SECOID_SetAlgorithmID(PRArenaPool *arena, SECAlgorithmID *id, SECOidTag which,
case SEC_OID_MD4:
case SEC_OID_MD5:
case SEC_OID_SHA1:
case SEC_OID_SHA256:
case SEC_OID_SHA384:
case SEC_OID_SHA512:
case SEC_OID_PKCS1_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
add_null_param = PR_TRUE;
break;
default:

5
security/nss/lib/util/secdig.c
Просмотреть файл

@ -30,7 +30,7 @@
* may use your version of this file under either the MPL or the
* GPL.
*
* $Id: secdig.c,v 1.2 2001-01-07 08:13:12 nelsonb%netscape.com Exp $
* $Id: secdig.c,v 1.3 2002-12-12 06:05:20 nelsonb%netscape.com Exp $
*/
#include "secdig.h"
@ -102,6 +102,9 @@ SGN_CreateDigestInfo(SECOidTag algorithm, unsigned char *sig, unsigned len)
case SEC_OID_MD2:
case SEC_OID_MD5:
case SEC_OID_SHA1:
case SEC_OID_SHA256:
case SEC_OID_SHA384:
case SEC_OID_SHA512:
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);

47
security/nss/tests/smime/smime.sh
Просмотреть файл

@ -88,18 +88,57 @@ smime_init()
smime_main()
{
echo "$SCRIPTNAME: Signing Attached Message ------------------------------"
echo "$SCRIPTNAME: Signing Attached Message (SHA1) ------------------"
echo "cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice" "."
html_msg $? 0 "Create Signature Alice (SHA1)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature" "."
html_msg $? 0 "Decode Alice's Signature (SHA1)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original" "."
html_msg $? 0 "Compare Decoded Signature and Original (SHA1)" "."
echo "$SCRIPTNAME: Signing Attached Message (SHA256) ------------------"
echo "cmsutil -S -N Alice -H SHA256 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice (SHA256)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature (SHA256)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original (SHA256)" "."
echo "$SCRIPTNAME: Signing Attached Message (SHA384) ------------------"
echo "cmsutil -S -N Alice -H SHA384 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice (SHA384)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature (SHA384)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original (SHA384)" "."
echo "$SCRIPTNAME: Signing Attached Message (SHA512) ------------------"
echo "cmsutil -S -N Alice -H SHA512 -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig"
cmsutil -S -N Alice -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice.sig
html_msg $? 0 "Create Signature Alice (SHA512)" "."
echo "cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1"
cmsutil -D -i alice.sig -d ${P_R_BOBDIR} -o alice.data1
html_msg $? 0 "Decode Alice's Signature (SHA512)" "."
echo "diff alice.txt alice.data1"
diff alice.txt alice.data1
html_msg $? 0 "Compare Decoded Signature and Original (SHA512)" "."
echo "$SCRIPTNAME: Enveloped Data Tests ------------------------------"
echo "cmsutil -E -r bob@bogus.com -i alice.txt -d ${P_R_ALICEDIR} -p nss \\"