mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-17 15:25:52 +00:00
Implement PKCS #11 2.11 DSA PQG Parameter generation.
This commit is contained in:
parent
27a4ab74b6
commit
0a88feb486
@ -1405,6 +1405,108 @@ pk11_handleKeyObject(PK11Session *session, PK11Object *object)
|
||||
return CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
}
|
||||
|
||||
/*
|
||||
* check the consistancy and Verify a DSA Parameter Object
|
||||
*/
|
||||
static CK_RV
|
||||
pk11_handleDSAParameterObject(PK11Session *session, PK11Object *object)
|
||||
{
|
||||
PK11Attribute *primeAttr = NULL;
|
||||
PK11Attribute *subPrimeAttr = NULL;
|
||||
PK11Attribute *baseAttr = NULL;
|
||||
PK11Attribute *seedAttr = NULL;
|
||||
PK11Attribute *hAttr = NULL;
|
||||
PK11Attribute *attribute;
|
||||
CK_RV crv = CKR_TEMPLATE_INCOMPLETE;
|
||||
PQGParams params;
|
||||
PQGVerify vfy, *verify = NULL;
|
||||
SECStatus result,rv;
|
||||
|
||||
primeAttr = pk11_FindAttribute(object,CKA_PRIME);
|
||||
if (primeAttr == NULL) goto loser;
|
||||
params.prime.data = primeAttr->attrib.pValue;
|
||||
params.prime.len = primeAttr->attrib.ulValueLen;
|
||||
|
||||
subPrimeAttr = pk11_FindAttribute(object,CKA_SUBPRIME);
|
||||
if (subPrimeAttr == NULL) goto loser;
|
||||
params.subPrime.data = subPrimeAttr->attrib.pValue;
|
||||
params.subPrime.len = subPrimeAttr->attrib.ulValueLen;
|
||||
|
||||
baseAttr = pk11_FindAttribute(object,CKA_BASE);
|
||||
if (baseAttr == NULL) goto loser;
|
||||
params.base.data = baseAttr->attrib.pValue;
|
||||
params.base.len = baseAttr->attrib.ulValueLen;
|
||||
|
||||
attribute = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER);
|
||||
if (attribute != NULL) {
|
||||
vfy.counter = *(CK_ULONG *) attribute->attrib.pValue;
|
||||
pk11_FreeAttribute(attribute);
|
||||
|
||||
seedAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_SEED);
|
||||
if (seedAttr == NULL) goto loser;
|
||||
vfy.seed.data = seedAttr->attrib.pValue;
|
||||
vfy.seed.len = seedAttr->attrib.ulValueLen;
|
||||
|
||||
hAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_H);
|
||||
if (hAttr == NULL) goto loser;
|
||||
vfy.h.data = hAttr->attrib.pValue;
|
||||
vfy.h.len = hAttr->attrib.ulValueLen;
|
||||
|
||||
verify = &vfy;
|
||||
}
|
||||
|
||||
crv = CKR_FUNCTION_FAILED;
|
||||
rv = PQG_VerifyParams(¶ms,verify,&result);
|
||||
if (rv == SECSuccess) {
|
||||
crv = (result== SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
}
|
||||
|
||||
loser:
|
||||
if (hAttr) pk11_FreeAttribute(hAttr);
|
||||
if (seedAttr) pk11_FreeAttribute(seedAttr);
|
||||
if (baseAttr) pk11_FreeAttribute(baseAttr);
|
||||
if (subPrimeAttr) pk11_FreeAttribute(subPrimeAttr);
|
||||
if (primeAttr) pk11_FreeAttribute(primeAttr);
|
||||
|
||||
return crv;
|
||||
}
|
||||
|
||||
/*
|
||||
* check the consistancy and initialize a Key Parameter Object
|
||||
*/
|
||||
static CK_RV
|
||||
pk11_handleKeyParameterObject(PK11Session *session, PK11Object *object)
|
||||
{
|
||||
PK11Attribute *attribute;
|
||||
CK_KEY_TYPE key_type;
|
||||
CK_BBOOL cktrue = CK_TRUE;
|
||||
CK_BBOOL ckfalse = CK_FALSE;
|
||||
CK_RV crv;
|
||||
|
||||
/* verify the required fields */
|
||||
if ( !pk11_hasAttribute(object,CKA_KEY_TYPE) ) {
|
||||
return CKR_TEMPLATE_INCOMPLETE;
|
||||
}
|
||||
|
||||
/* now verify the common fields */
|
||||
crv = pk11_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
|
||||
if (crv != CKR_OK) return crv;
|
||||
|
||||
/* get the key type */
|
||||
attribute = pk11_FindAttribute(object,CKA_KEY_TYPE);
|
||||
key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
|
||||
pk11_FreeAttribute(attribute);
|
||||
|
||||
switch (key_type) {
|
||||
case CKK_DSA:
|
||||
return pk11_handleDSAParameterObject(session,object);
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return CKR_KEY_TYPE_INCONSISTENT;
|
||||
}
|
||||
|
||||
/*
|
||||
* Handle Object does all the object consistancy checks, automatic attribute
|
||||
* generation, attribute defaulting, etc. If handleObject succeeds, the object
|
||||
@ -1480,6 +1582,9 @@ pk11_handleObject(PK11Object *object, PK11Session *session)
|
||||
case CKO_SECRET_KEY:
|
||||
crv = pk11_handleKeyObject(session,object);
|
||||
break;
|
||||
case CKO_KG_PARAMETERS:
|
||||
crv = pk11_handleKeyParameterObject(session,object);
|
||||
break;
|
||||
default:
|
||||
crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
break;
|
||||
|
@ -2562,6 +2562,76 @@ nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
|
||||
}
|
||||
return CKR_OK;
|
||||
}
|
||||
static CK_RV
|
||||
nsc_parameter_gen(CK_KEY_TYPE key_type, PK11Object *key)
|
||||
{
|
||||
PK11Attribute *attribute;
|
||||
CK_ULONG counter;
|
||||
unsigned int seedBits = 0;
|
||||
unsigned int primeBits;
|
||||
CK_RV crv = CKR_OK;
|
||||
PQGParams *params = NULL;
|
||||
PQGVerify *vfy = NULL;
|
||||
SECStatus rv;
|
||||
|
||||
attribute = pk11_FindAttribute(key, CKA_PRIME_BITS);
|
||||
if (attribute == NULL) {
|
||||
return CKR_TEMPLATE_INCOMPLETE;
|
||||
}
|
||||
primeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
|
||||
pk11_FreeAttribute(attribute);
|
||||
|
||||
attribute = pk11_FindAttribute(key, CKA_NETSCAPE_PQG_SEED_BITS);
|
||||
if (attribute != NULL) {
|
||||
seedBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
|
||||
pk11_FreeAttribute(attribute);
|
||||
}
|
||||
|
||||
pk11_DeleteAttributeType(key,CKA_PRIME_BITS);
|
||||
pk11_DeleteAttributeType(key,CKA_NETSCAPE_PQG_SEED_BITS);
|
||||
|
||||
if (seedBits == 0) {
|
||||
rv = PQG_ParamGen(primeBits, ¶ms, &vfy);
|
||||
} else {
|
||||
rv = PQG_ParamGenSeedLen(primeBits,seedBits/8, ¶ms, &vfy);
|
||||
}
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
return CKR_DEVICE_ERROR;
|
||||
}
|
||||
crv = pk11_AddAttributeType(key,CKA_PRIME,
|
||||
params->prime.data, params->prime.len);
|
||||
if (crv != CKR_OK) goto loser;
|
||||
crv = pk11_AddAttributeType(key,CKA_SUBPRIME,
|
||||
params->subPrime.data, params->subPrime.len);
|
||||
if (crv != CKR_OK) goto loser;
|
||||
crv = pk11_AddAttributeType(key,CKA_BASE,
|
||||
params->base.data, params->base.len);
|
||||
if (crv != CKR_OK) goto loser;
|
||||
counter = vfy->counter;
|
||||
crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_COUNTER,
|
||||
&counter, sizeof(counter));
|
||||
crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_SEED,
|
||||
vfy->seed.data, vfy->seed.len);
|
||||
if (crv != CKR_OK) goto loser;
|
||||
crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_H,
|
||||
vfy->h.data, vfy->h.len);
|
||||
if (crv != CKR_OK) goto loser;
|
||||
|
||||
loser:
|
||||
if (params) {
|
||||
PQG_DestroyParams(params);
|
||||
}
|
||||
if (vfy) {
|
||||
PQG_DestroyVerify(vfy);
|
||||
}
|
||||
return crv;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
static CK_RV
|
||||
@ -2747,7 +2817,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
|
||||
int i;
|
||||
PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
|
||||
char buf[MAX_KEY_LEN];
|
||||
enum {nsc_pbe, nsc_ssl, nsc_bulk} key_gen_type;
|
||||
enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param} key_gen_type;
|
||||
NSSPKCS5PBEParameter *pbe_param;
|
||||
SSL3RSAPreMasterSecret *rsa_pms;
|
||||
CK_VERSION *version;
|
||||
@ -2837,6 +2907,12 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
|
||||
key_gen_type = nsc_pbe;
|
||||
crv = nsc_SetupPBEKeyGen(pMechanism,&pbe_param, &key_type);
|
||||
break;
|
||||
case CKM_DSA_PARAMETER_GEN:
|
||||
key_gen_type = nsc_param;
|
||||
key_type = CKK_DSA;
|
||||
objclass = CKO_KG_PARAMETERS;
|
||||
crv = CKR_OK;
|
||||
break;
|
||||
default:
|
||||
crv = CKR_MECHANISM_INVALID;
|
||||
break;
|
||||
@ -2879,6 +2955,11 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
|
||||
} while (crv == CKR_OK && checkWeak &&
|
||||
pk11_IsWeakKey((unsigned char *)buf,key_type));
|
||||
break;
|
||||
case nsc_param:
|
||||
/* generate parameters */
|
||||
*buf = 0;
|
||||
crv = nsc_parameter_gen(key_type,key);
|
||||
break;
|
||||
}
|
||||
|
||||
if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
|
||||
@ -2888,10 +2969,10 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
|
||||
if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
|
||||
crv = pk11_AddAttributeType(key,CKA_KEY_TYPE,&key_type,sizeof(CK_KEY_TYPE));
|
||||
if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
|
||||
crv = pk11_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS));
|
||||
if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
|
||||
crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
|
||||
if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
|
||||
if (key_length != 0) {
|
||||
crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
|
||||
if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
|
||||
}
|
||||
|
||||
/* get the session */
|
||||
session = pk11_SessionFromHandle(hSession);
|
||||
|
@ -36,7 +36,7 @@
|
||||
#define _PKCS11N_H_
|
||||
|
||||
#ifdef DEBUG
|
||||
static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.2 $ $Date: 2001/11/08 00:15:39 $ $Name: $";
|
||||
static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.3 $ $Date: 2002/03/02 00:52:04 $ $Name: $";
|
||||
#endif /* DEBUG */
|
||||
|
||||
/*
|
||||
@ -97,7 +97,12 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile: pkcs11n.h,v $ $Revision: 1.2 $
|
||||
#define CKA_NETSCAPE_PKCS8_SALT (CKA_NETSCAPE + 5)
|
||||
#define CKA_NETSCAPE_PASSWORD_CHECK (CKA_NETSCAPE + 6)
|
||||
#define CKA_NETSCAPE_EXPIRES (CKA_NETSCAPE + 7)
|
||||
#define CKA_NETSCAPE_KRL (CKA_NETSCAPE + 7)
|
||||
#define CKA_NETSCAPE_KRL (CKA_NETSCAPE + 8)
|
||||
|
||||
#define CKA_NETSCAPE_PQG_COUNTER (CKA_NETSCAPE + 20)
|
||||
#define CKA_NETSCAPE_PQG_SEED (CKA_NETSCAPE + 21)
|
||||
#define CKA_NETSCAPE_PQG_H (CKA_NETSCAPE + 22)
|
||||
#define CKA_NETSCAPE_PQG_SEED_BITS (CKA_NETSCAPE + 23)
|
||||
|
||||
/*
|
||||
* Trust attributes:
|
||||
|
@ -360,6 +360,7 @@ typedef CK_ULONG CK_OBJECT_CLASS;
|
||||
#define CKO_SECRET_KEY 0x00000004
|
||||
#define CKO_HW_FEATURE 0x00000005
|
||||
#define CKO_DOMAIN_PARAMETERS 0x00000006
|
||||
#define CKO_KG_PARAMETERS 0x00000006
|
||||
#define CKO_VENDOR_DEFINED 0x80000000
|
||||
|
||||
typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
|
||||
|
Loading…
Reference in New Issue
Block a user