Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-02-26 20:30:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1271496 - Stop using Scoped.h in non-exported PSM code. r=keeler

Browse Source 
Scoped.h is deprecated in favour of the standardised UniquePtr.

This patch removes use of Scoped.h everywhere in PSM except ScopedNSSTypes.h,
which is exported. Other consumers of ScopedNSSTypes.h can move off Scoped.h
at their own pace.

This patch also changes parameters and return types of various functions to make
ownership more explicit.

MozReview-Commit-ID: BFbtCDjENzy

--HG--
extra : transplant_source : %0B%C7%9F%40%FA9%A4%F2%5E%0D%92%1C%A6%A49%94%C3%7E%1Cz
This commit is contained in:
Cykesiopka 2016-05-23 19:50:26 -07:00
parent 524ca57c7e
commit 0b04616a47
9 changed files with 160 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@ -101,9 +101,9 @@ FindIssuerInner(const UniqueCERTCertList& candidates, bool useRoots,
const_cast<unsigned char*>(encodedIssuerName.UnsafeGetData()),
encodedIssuerName.GetLength()
};
ScopedSECItem nameConstraints(::SECITEM_AllocItem(nullptr, nullptr, 0));
ScopedAutoSECItem nameConstraints;
SECStatus srv = CERT_GetImposedNameConstraints(&encodedIssuerNameItem,
nameConstraints.get());
&nameConstraints);
if (srv != SECSuccess) {
if (PR_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
@ -114,9 +114,8 @@ FindIssuerInner(const UniqueCERTCertList& candidates, bool useRoots,
} else {
// Otherwise apply the constraints
Input nameConstraintsInput;
if (nameConstraintsInput.Init(
nameConstraints->data,
nameConstraints->len) != Success) {
if (nameConstraintsInput.Init(nameConstraints.data, nameConstraints.len)
!= Success) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
rv = checker.Check(certDER, &nameConstraintsInput, keepGoing);

2
security/manager/ssl/CSTrustDomain.cpp
View File

@ -37,7 +37,7 @@ CSTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
}
SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER);
ScopedCERTCertificate candidateCert(
UniqueCERTCertificate candidateCert(
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &candidateCertDERSECItem,
nullptr, false, true));
if (!candidateCert) {

38
security/manager/ssl/LocalCertService.cpp
View File

@ -37,7 +37,7 @@ protected:
nsresult rv;
for (;;) {
ScopedCERTCertificate cert(
UniqueCERTCertificate cert(
PK11_FindCertFromNickname(mNickname.get(), nullptr));
if (!cert) {
return NS_OK; // All done
@ -57,7 +57,7 @@ protected:
return NS_ERROR_UNEXPECTED; // Issuer should match nickname
}
rv = MapSECStatus(PK11_DeleteTokenCertAndKey(cert, nullptr));
rv = MapSECStatus(PK11_DeleteTokenCertAndKey(cert.get(), nullptr));
if (NS_FAILED(rv)) {
return rv; // Some error, abort the loop
}
@ -124,7 +124,7 @@ private:
// Generate a new cert
NS_NAMED_LITERAL_CSTRING(commonNamePrefix, "CN=");
nsAutoCString subjectNameStr(commonNamePrefix + mNickname);
ScopedCERTName subjectName(CERT_AsciiToName(subjectNameStr.get()));
UniqueCERTName subjectName(CERT_AsciiToName(subjectNameStr.get()));
if (!subjectName) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
@ -142,25 +142,25 @@ private:
memcpy(keyParams.data + 2, curveOidData->oid.data, curveOidData->oid.len);
// Generate cert key pair
ScopedSECKEYPublicKey publicKey;
SECKEYPublicKey* tempPublicKey;
UniqueSECKEYPrivateKey privateKey(
PK11_GenerateKeyPair(slot.get(), CKM_EC_KEY_PAIR_GEN, &keyParams,
&tempPublicKey, true /* token */,
true /* sensitive */, nullptr));
if (!privateKey) {
UniqueSECKEYPublicKey publicKey(tempPublicKey);
tempPublicKey = nullptr;
if (!privateKey || !publicKey) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
publicKey = tempPublicKey;
// Create subject public key info and cert request
ScopedCERTSubjectPublicKeyInfo spki(
SECKEY_CreateSubjectPublicKeyInfo(publicKey));
UniqueCERTSubjectPublicKeyInfo spki(
SECKEY_CreateSubjectPublicKeyInfo(publicKey.get()));
if (!spki) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
ScopedCERTCertificateRequest certRequest(
CERT_CreateCertificateRequest(subjectName, spki, nullptr));
UniqueCERTCertificateRequest certRequest(
CERT_CreateCertificateRequest(subjectName.get(), spki.get(), nullptr));
if (!certRequest) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
@ -174,7 +174,7 @@ private:
PRTime now = PR_Now();
PRTime notBefore = now - oneDay;
PRTime notAfter = now + (PRTime(365) * oneDay);
ScopedCERTValidity validity(CERT_CreateValidity(notBefore, notAfter));
UniqueCERTValidity validity(CERT_CreateValidity(notBefore, notAfter));
if (!validity) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
@ -190,8 +190,9 @@ private:
}
// Create the cert from these pieces
ScopedCERTCertificate cert(
CERT_CreateCertificate(serial, subjectName, validity, certRequest));
UniqueCERTCertificate cert(
CERT_CreateCertificate(serial, subjectName.get(), validity.get(),
certRequest.get()));
if (!cert) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
@ -216,8 +217,8 @@ private:
}
// Encode and self-sign the cert
ScopedSECItem certDER(
SEC_ASN1EncodeItem(nullptr, nullptr, cert,
UniqueSECItem certDER(
SEC_ASN1EncodeItem(nullptr, nullptr, cert.get(),
SEC_ASN1_GET(CERT_CertificateTemplate)));
if (!certDER) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
@ -231,7 +232,7 @@ private:
}
// Create a CERTCertificate from the signed data
ScopedCERTCertificate certFromDER(
UniqueCERTCertificate certFromDER(
CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &cert->derCert, nullptr,
true /* perm */, true /* copyDER */));
if (!certFromDER) {
@ -239,8 +240,9 @@ private:
}
// Save the cert in the DB
rv = MapSECStatus(PK11_ImportCert(slot.get(), certFromDER, CK_INVALID_HANDLE,
mNickname.get(), false /* unused */));
rv = MapSECStatus(PK11_ImportCert(slot.get(), certFromDER.get(),
CK_INVALID_HANDLE, mNickname.get(),
false /* unused */));
if (NS_FAILED(rv)) {
return rv;
}

11
security/manager/ssl/SSLServerCertVerification.cpp
View File

@ -762,7 +762,7 @@ private:
const Time mTime;
const PRTime mPRTime;
const TimeStamp mJobStartTime;
const ScopedSECItem mStapledOCSPResponse;
const UniqueSECItem mStapledOCSPResponse;
};
SSLServerCertVerificationJob::SSLServerCertVerificationJob(
@ -925,7 +925,7 @@ GatherBaselineRequirementsTelemetry(const UniqueCERTCertList& certList)
"(or IsCertBuiltInRoot failed)\n", commonName.get()));
return;
}
SECItem altNameExtension;
ScopedAutoSECItem altNameExtension;
SECStatus rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME,
&altNameExtension);
if (rv != SECSuccess) {
@ -941,11 +941,6 @@ GatherBaselineRequirementsTelemetry(const UniqueCERTCertList& certList)
UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
CERTGeneralName* subjectAltNames =
CERT_DecodeAltNameExtension(arena.get(), &altNameExtension);
// CERT_FindCertExtension takes a pointer to a SECItem and allocates memory
// in its data field. This is a bad way to do this because we can't use a
// ScopedSECItem and neither is that memory tracked by an arena. We have to
// manually reach in and free the memory.
PORT_Free(altNameExtension.data);
if (!subjectAltNames) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("BR telemetry: could not decode subject alt names for '%s'\n",
@ -1437,7 +1432,7 @@ SSLServerCertVerificationJob::Run()
// set the error code if/when it fails.
PR_SetError(0, 0);
SECStatus rv = AuthCertificate(*mCertVerifier, mInfoObject, mCert,
mPeerCertChain, mStapledOCSPResponse,
mPeerCertChain, mStapledOCSPResponse.get(),
mProviderFlags, mTime);
MOZ_ASSERT(mPeerCertChain || rv != SECSuccess,
"AuthCertificate() should take ownership of chain on failure");

15
security/manager/ssl/ScopedNSSTypes.h
View File

@ -100,14 +100,14 @@ MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedCERTValidity,
CERT_DestroyValidity)
// Deprecated: use the equivalent UniquePtr templates instead.
namespace psm {
namespace internal {
inline void
PK11_DestroyContext_true(PK11Context * ctx) {
PK11_DestroyContext(ctx, true);
}
} // namespace mozilla::psm
} // namespace internal
// Deprecated: use the equivalent UniquePtr templates instead.
MOZ_TYPE_SPECIFIC_SCOPED_POINTER_TEMPLATE(ScopedSGNDigestInfo,
@ -124,7 +124,7 @@ typedef UniquePtr<Type, name##DeletePolicy> name;
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniquePK11Context,
PK11Context,
mozilla::psm::PK11_DestroyContext_true)
internal::PK11_DestroyContext_true)
/** A more convenient way of dealing with digests calculated into
* stack-allocated buffers. NSS must be initialized on the main thread before
@ -337,12 +337,18 @@ MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificateList,
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificatePolicies,
CERTCertificatePolicies,
CERT_DestroyCertificatePoliciesExtension)
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertificateRequest,
CERTCertificateRequest,
CERT_DestroyCertificateRequest)
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertList,
CERTCertList,
CERT_DestroyCertList)
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTCertNicknames,
CERTCertNicknames,
CERT_FreeNicknames)
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTName,
CERTName,
CERT_DestroyName)
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTOidSequence,
CERTOidSequence,
CERT_DestroyOidSequence)
@ -352,6 +358,9 @@ MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTSubjectPublicKeyInfo,
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTUserNotice,
CERTUserNotice,
CERT_DestroyUserNotice)
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueCERTValidity,
CERTValidity,
CERT_DestroyValidity)
MOZ_TYPE_SPECIFIC_UNIQUE_PTR_TEMPLATE(UniqueNSSCMSMessage,
NSSCMSMessage,

191
security/manager/ssl/nsNSSU2FToken.cpp
View File

@ -14,6 +14,7 @@
#include "secerr.h"
#include "WebCryptoCommon.h"
using namespace mozilla;
using mozilla::dom::CreateECParamsForCurve;
NS_IMPL_ISUPPORTS(nsNSSU2FToken, nsINSSU2FToken)
@ -83,11 +84,16 @@ nsNSSU2FToken::destructorSafeDestroyNSSReference()
mWrappingKey = nullptr;
}
static PK11SymKey*
static UniquePK11SymKey
GetSymKeyByNickname(const UniquePK11SlotInfo& aSlot,
nsCString aNickname,
const nsNSSShutDownPreventionLock&)
{
MOZ_ASSERT(aSlot);
if (!aSlot) {
return nullptr;
}
MOZ_LOG(gNSSTokenLog, LogLevel::Debug,
("Searching for a symmetric key named %s", aNickname.get()));
@ -96,13 +102,13 @@ GetSymKeyByNickname(const UniquePK11SlotInfo& aSlot,
const_cast<char*>(aNickname.get()),
/* wincx */ nullptr);
while (keyList) {
ScopedPK11SymKey freeKey(keyList);
UniquePK11SymKey freeKey(keyList);
UniquePORTString freeKeyName(PK11_GetSymKeyNickname(freeKey.get()));
if (aNickname == freeKeyName.get()) {
MOZ_LOG(gNSSTokenLog, LogLevel::Debug, ("Symmetric key found!"));
return freeKey.forget();
return freeKey;
}
keyList = PK11_GetNextSymKey(keyList);
@ -113,9 +119,16 @@ GetSymKeyByNickname(const UniquePK11SlotInfo& aSlot,
}
static nsresult
GenEcKeypair(const UniquePK11SlotInfo& aSlot, ScopedSECKEYPrivateKey& aPrivKey,
ScopedSECKEYPublicKey& aPubKey, const nsNSSShutDownPreventionLock&)
GenEcKeypair(const UniquePK11SlotInfo& aSlot,
/*out*/ UniqueSECKEYPrivateKey& aPrivKey,
/*out*/ UniqueSECKEYPublicKey& aPubKey,
const nsNSSShutDownPreventionLock&)
{
MOZ_ASSERT(aSlot);
if (!aSlot) {
return NS_ERROR_INVALID_ARG;
}
UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
if (!arena) {
return NS_ERROR_OUT_OF_MEMORY;
@ -131,10 +144,12 @@ GenEcKeypair(const UniquePK11SlotInfo& aSlot, ScopedSECKEYPrivateKey& aPrivKey,
CK_MECHANISM_TYPE mechanism = CKM_EC_KEY_PAIR_GEN;
SECKEYPublicKey* pubKeyRaw;
aPrivKey = PK11_GenerateKeyPair(aSlot.get(), mechanism, keyParams, &pubKeyRaw,
/* ephemeral */ PR_FALSE, PR_FALSE,
/* wincx */ nullptr);
aPubKey = pubKeyRaw;
aPrivKey = UniqueSECKEYPrivateKey(
PK11_GenerateKeyPair(aSlot.get(), mechanism, keyParams, &pubKeyRaw,
/* ephemeral */ false, false,
/* wincx */ nullptr));
aPubKey = UniqueSECKEYPublicKey(pubKeyRaw);
pubKeyRaw = nullptr;
if (!aPrivKey.get() || !aPubKey.get()) {
return NS_ERROR_FAILURE;
}
@ -151,6 +166,11 @@ nsresult
nsNSSU2FToken::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot,
const nsNSSShutDownPreventionLock& locker)
{
MOZ_ASSERT(aSlot);
if (!aSlot) {
return NS_ERROR_INVALID_ARG;
}
// Search for an existing wrapping key. If we find it,
// store it for later and mark ourselves initialized.
mWrappingKey = GetSymKeyByNickname(aSlot, mSecretNickname, locker);
@ -165,14 +185,15 @@ nsNSSU2FToken::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot,
// We did not find an existing wrapping key, so we generate one in the
// persistent database (e.g, Token).
mWrappingKey = PK11_TokenKeyGenWithFlags(aSlot.get(), CKM_AES_KEY_GEN,
/* default params */ nullptr,
kWrappingKeyByteLen,
/* empty keyid */ nullptr,
/* flags */ CKF_WRAP | CKF_UNWRAP,
/* attributes */ PK11_ATTR_TOKEN |
PK11_ATTR_PRIVATE,
/* wincx */ nullptr);
mWrappingKey = UniquePK11SymKey(
PK11_TokenKeyGenWithFlags(aSlot.get(), CKM_AES_KEY_GEN,
/* default params */ nullptr,
kWrappingKeyByteLen,
/* empty keyid */ nullptr,
/* flags */ CKF_WRAP | CKF_UNWRAP,
/* attributes */ PK11_ATTR_TOKEN |
PK11_ATTR_PRIVATE,
/* wincx */ nullptr));
if (!mWrappingKey) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
@ -180,7 +201,8 @@ nsNSSU2FToken::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot,
return NS_ERROR_FAILURE;
}
SECStatus srv = PK11_SetSymKeyNickname(mWrappingKey, mSecretNickname.get());
SECStatus srv = PK11_SetSymKeyNickname(mWrappingKey.get(),
mSecretNickname.get());
if (srv != SECSuccess) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
("Failed to set nickname, NSS error #%d", PORT_GetError()));
@ -196,11 +218,16 @@ nsNSSU2FToken::GetOrCreateWrappingKey(const UniquePK11SlotInfo& aSlot,
static nsresult
GetAttestationCertificate(const UniquePK11SlotInfo& aSlot,
ScopedSECKEYPrivateKey& aAttestPrivKey,
ScopedCERTCertificate& aAttestCert,
/*out*/ UniqueSECKEYPrivateKey& aAttestPrivKey,
/*out*/ UniqueCERTCertificate& aAttestCert,
const nsNSSShutDownPreventionLock& locker)
{
ScopedSECKEYPublicKey pubKey;
MOZ_ASSERT(aSlot);
if (!aSlot) {
return NS_ERROR_INVALID_ARG;
}
UniqueSECKEYPublicKey pubKey;
// Construct an ephemeral keypair for this Attestation Certificate
nsresult rv = GenEcKeypair(aSlot, aAttestPrivKey, pubKey, locker);
@ -211,23 +238,23 @@ GetAttestationCertificate(const UniquePK11SlotInfo& aSlot,
}
// Construct the Attestation Certificate itself
ScopedCERTName subjectName(CERT_AsciiToName(kAttestCertSubjectName.get()));
UniqueCERTName subjectName(CERT_AsciiToName(kAttestCertSubjectName.get()));
if (!subjectName) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
("Failed to set subject name, NSS error #%d", PORT_GetError()));
return NS_ERROR_FAILURE;
}
ScopedCERTSubjectPublicKeyInfo spki(
SECKEY_CreateSubjectPublicKeyInfo(pubKey));
UniqueCERTSubjectPublicKeyInfo spki(
SECKEY_CreateSubjectPublicKeyInfo(pubKey.get()));
if (!spki) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
("Failed to set SPKI, NSS error #%d", PORT_GetError()));
return NS_ERROR_FAILURE;
}
ScopedCERTCertificateRequest certreq(
CERT_CreateCertificateRequest(subjectName, spki, nullptr));
UniqueCERTCertificateRequest certreq(
CERT_CreateCertificateRequest(subjectName.get(), spki.get(), nullptr));
if (!certreq) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
("Failed to gen CSR, NSS error #%d", PORT_GetError()));
@ -238,7 +265,7 @@ GetAttestationCertificate(const UniquePK11SlotInfo& aSlot,
PRTime notBefore = now - kExpirationSlack;
PRTime notAfter = now + kExpirationLife;
ScopedCERTValidity validity(CERT_CreateValidity(notBefore, notAfter));
UniqueCERTValidity validity(CERT_CreateValidity(notBefore, notAfter));
if (!validity) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
("Failed to gen validity, NSS error #%d", PORT_GetError()));
@ -264,14 +291,16 @@ GetAttestationCertificate(const UniquePK11SlotInfo& aSlot,
// which also wouldn't be valid).
serialBytes[0] |= 0x01;
aAttestCert = CERT_CreateCertificate(serial, subjectName, validity, certreq);
aAttestCert = UniqueCERTCertificate(
CERT_CreateCertificate(serial, subjectName.get(), validity.get(),
certreq.get()));
if (!aAttestCert) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
("Failed to gen certificate, NSS error #%d", PORT_GetError()));
return NS_ERROR_FAILURE;
}
PLArenaPool *arena = aAttestCert->arena;
PLArenaPool* arena = aAttestCert->arena;
srv = SECOID_SetAlgorithmID(arena, &aAttestCert->signature,
SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE,
@ -285,18 +314,19 @@ GetAttestationCertificate(const UniquePK11SlotInfo& aSlot,
aAttestCert->version.len = 1;
SECItem innerDER = { siBuffer, nullptr, 0 };
if (!SEC_ASN1EncodeItem(arena, &innerDER, aAttestCert,
if (!SEC_ASN1EncodeItem(arena, &innerDER, aAttestCert.get(),
SEC_ASN1_GET(CERT_CertificateTemplate))) {
return NS_ERROR_FAILURE;
}
SECItem *signedCert = PORT_ArenaZNew(arena, SECItem);
SECItem* signedCert = PORT_ArenaZNew(arena, SECItem);
if (!signedCert) {
return NS_ERROR_FAILURE;
}
srv = SEC_DerSignData(arena, signedCert, innerDER.data, innerDER.len,
aAttestPrivKey, SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE);
aAttestPrivKey.get(),
SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE);
if (srv != SECSuccess) {
return NS_ERROR_FAILURE;
}
@ -339,13 +369,20 @@ nsNSSU2FToken::Init()
// Convert a Private Key object into an opaque key handle, using AES Key Wrap
// and aWrappingKey to convert aPrivKey.
static SECItem*
static UniqueSECItem
KeyHandleFromPrivateKey(const UniquePK11SlotInfo& aSlot,
PK11SymKey* aWrappingKey,
SECKEYPrivateKey* aPrivKey,
const UniquePK11SymKey& aWrappingKey,
const UniqueSECKEYPrivateKey& aPrivKey,
const nsNSSShutDownPreventionLock&)
{
ScopedSECItem wrappedKey(SECITEM_AllocItem(/* default arena */ nullptr,
MOZ_ASSERT(aSlot);
MOZ_ASSERT(aWrappingKey);
MOZ_ASSERT(aPrivKey);
if (!aSlot || !aWrappingKey || !aPrivKey) {
return nullptr;
}
UniqueSECItem wrappedKey(SECITEM_AllocItem(/* default arena */ nullptr,
/* no buffer */ nullptr,
kWrappedKeyBufLen));
if (!wrappedKey) {
@ -354,50 +391,57 @@ KeyHandleFromPrivateKey(const UniquePK11SlotInfo& aSlot,
return nullptr;
}
ScopedSECItem param(PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP_PAD,
UniqueSECItem param(PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP_PAD,
/* default IV */ nullptr ));
SECStatus srv = PK11_WrapPrivKey(aSlot.get(), aWrappingKey, aPrivKey,
CKM_NSS_AES_KEY_WRAP_PAD, param,
wrappedKey.get(), /* wincx */ nullptr);
SECStatus srv = PK11_WrapPrivKey(aSlot.get(), aWrappingKey.get(),
aPrivKey.get(), CKM_NSS_AES_KEY_WRAP_PAD,
param.get(), wrappedKey.get(),
/* wincx */ nullptr);
if (srv != SECSuccess) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning,
("Failed to wrap U2F key, NSS error #%d", PORT_GetError()));
return nullptr;
}
return wrappedKey.forget();
return wrappedKey;
}
// Convert an opaque key handle aKeyHandle back into a Private Key object, using
// aWrappingKey and the AES Key Wrap algorithm.
static SECKEYPrivateKey*
static UniqueSECKEYPrivateKey
PrivateKeyFromKeyHandle(const UniquePK11SlotInfo& aSlot,
PK11SymKey* aWrappingKey,
const UniquePK11SymKey& aWrappingKey,
uint8_t* aKeyHandle, uint32_t aKeyHandleLen,
const nsNSSShutDownPreventionLock&)
{
MOZ_ASSERT(aSlot);
MOZ_ASSERT(aWrappingKey);
MOZ_ASSERT(aKeyHandle);
if (!aSlot || !aWrappingKey || !aKeyHandle) {
return nullptr;
}
ScopedAutoSECItem pubKey(kPublicKeyLen);
ScopedAutoSECItem keyHandleItem(aKeyHandleLen);
memcpy(keyHandleItem.data, aKeyHandle, keyHandleItem.len);
ScopedSECItem param(PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP_PAD,
UniqueSECItem param(PK11_ParamFromIV(CKM_NSS_AES_KEY_WRAP_PAD,
/* default IV */ nullptr ));
CK_ATTRIBUTE_TYPE usages[] = { CKA_SIGN };
int usageCount = 1;
SECKEYPrivateKey* unwrappedKey;
unwrappedKey = PK11_UnwrapPrivKey(aSlot.get(), aWrappingKey,
CKM_NSS_AES_KEY_WRAP_PAD,
param, &keyHandleItem,
/* no nickname */ nullptr,
/* discard pubkey */ &pubKey,
/* not permanent */ PR_FALSE,
/* non-exportable */ PR_TRUE,
CKK_EC, usages, usageCount,
/* wincx */ nullptr);
UniqueSECKEYPrivateKey unwrappedKey(
PK11_UnwrapPrivKey(aSlot.get(), aWrappingKey.get(), CKM_NSS_AES_KEY_WRAP_PAD,
param.get(), &keyHandleItem,
/* no nickname */ nullptr,
/* discard pubkey */ &pubKey,
/* not permanent */ false,
/* non-exportable */ true,
CKK_EC, usages, usageCount,
/* wincx */ nullptr));
if (!unwrappedKey) {
// Not our key.
MOZ_LOG(gNSSTokenLog, LogLevel::Debug,
@ -445,11 +489,10 @@ nsNSSU2FToken::IsRegistered(uint8_t* aKeyHandle, uint32_t aKeyHandleLen,
MOZ_ASSERT(slot.get());
// Decode the key handle
UniqueSECKEYPrivateKey privKey(PrivateKeyFromKeyHandle(slot,
mWrappingKey.get(),
aKeyHandle,
aKeyHandleLen,
locker));
UniqueSECKEYPrivateKey privKey = PrivateKeyFromKeyHandle(slot, mWrappingKey,
aKeyHandle,
aKeyHandleLen,
locker);
*aResult = (privKey.get() != nullptr);
return NS_OK;
}
@ -508,8 +551,8 @@ nsNSSU2FToken::Register(uint8_t* aApplication,
MOZ_ASSERT(slot.get());
// Construct a one-time-use Attestation Certificate
ScopedSECKEYPrivateKey attestPrivKey;
ScopedCERTCertificate attestCert;
UniqueSECKEYPrivateKey attestPrivKey;
UniqueCERTCertificate attestCert;
nsresult rv = GetAttestationCertificate(slot, attestPrivKey, attestCert,
locker);
if (NS_WARN_IF(NS_FAILED(rv))) {
@ -519,17 +562,16 @@ nsNSSU2FToken::Register(uint8_t* aApplication,
MOZ_ASSERT(attestPrivKey);
// Generate a new keypair; the private will be wrapped into a Key Handle
ScopedSECKEYPrivateKey privKey;
ScopedSECKEYPublicKey pubKey;
UniqueSECKEYPrivateKey privKey;
UniqueSECKEYPublicKey pubKey;
rv = GenEcKeypair(slot, privKey, pubKey, locker);
if (NS_WARN_IF(NS_FAILED(rv))) {
return NS_ERROR_FAILURE;
}
// The key handle will be the result of keywrap(privKey, key=mWrappingKey)
UniqueSECItem keyHandleItem(KeyHandleFromPrivateKey(slot, mWrappingKey.get(),
privKey.get(),
locker));
UniqueSECItem keyHandleItem = KeyHandleFromPrivateKey(slot, mWrappingKey,
privKey, locker);
if (!keyHandleItem.get()) {
return NS_ERROR_FAILURE;
}
@ -550,7 +592,7 @@ nsNSSU2FToken::Register(uint8_t* aApplication,
signedDataBuf.AppendSECItem(keyHandleItem.get());
signedDataBuf.AppendSECItem(pubKey->u.ec.publicValue);
ScopedSECItem signatureItem(::SECITEM_AllocItem(/* default arena */ nullptr,
UniqueSECItem signatureItem(::SECITEM_AllocItem(/* default arena */ nullptr,
/* no buffer */ nullptr, 0));
if (!signatureItem) {
return NS_ERROR_OUT_OF_MEMORY;
@ -643,11 +685,10 @@ nsNSSU2FToken::Sign(uint8_t* aApplication, uint32_t aApplicationLen,
}
// Decode the key handle
UniqueSECKEYPrivateKey privKey(PrivateKeyFromKeyHandle(slot,
mWrappingKey.get(),
aKeyHandle,
aKeyHandleLen,
locker));
UniqueSECKEYPrivateKey privKey = PrivateKeyFromKeyHandle(slot, mWrappingKey,
aKeyHandle,
aKeyHandleLen,
locker);
if (!privKey.get()) {
MOZ_LOG(gNSSTokenLog, LogLevel::Warning, ("Couldn't get the priv key!"));
return NS_ERROR_FAILURE;
@ -675,7 +716,7 @@ nsNSSU2FToken::Sign(uint8_t* aApplication, uint32_t aApplicationLen,
signedDataBuf.AppendSECItem(counterItem);
signedDataBuf.AppendElements(aChallenge, aChallengeLen, mozilla::fallible);
ScopedSECItem signatureItem(::SECITEM_AllocItem(/* default arena */ nullptr,
UniqueSECItem signatureItem(::SECITEM_AllocItem(/* default arena */ nullptr,
/* no buffer */ nullptr, 0));
if (!signatureItem) {
return NS_ERROR_OUT_OF_MEMORY;
@ -690,7 +731,7 @@ nsNSSU2FToken::Sign(uint8_t* aApplication, uint32_t aApplicationLen,
return NS_ERROR_FAILURE;
}
// Assmeble the signature data into a buffer for return
// Assemble the signature data into a buffer for return
mozilla::dom::CryptoBuffer signatureBuf;
if (!signatureBuf.SetCapacity(1 + counterItem.len + signatureItem->len,
mozilla::fallible)) {
@ -701,7 +742,7 @@ nsNSSU2FToken::Sign(uint8_t* aApplication, uint32_t aApplicationLen,
// pre-allocated space
signatureBuf.AppendElement(0x01, mozilla::fallible);
signatureBuf.AppendSECItem(counterItem);
signatureBuf.AppendSECItem(signatureItem);
signatureBuf.AppendSECItem(signatureItem.get());
if (!signatureBuf.ToNewUnsignedBuffer(aSignature, aSignatureLen)) {
return NS_ERROR_FAILURE;

2
security/manager/ssl/nsNSSU2FToken.h
View File

@ -30,7 +30,7 @@ public:
private:
bool mInitialized;
mozilla::ScopedPK11SymKey mWrappingKey;
mozilla::UniquePK11SymKey mWrappingKey;
static const nsCString mSecretNickname;
static const nsString mVersion;

5
security/manager/ssl/tests/unit/tlsserver/lib/OCSPCommon.cpp
View File

@ -7,7 +7,6 @@
#include <stdio.h>
#include "pkixtestutil.h"
#include "ScopedNSSTypes.h"
#include "TLSServer.h"
#include "secder.h"
#include "secerr.h"
@ -33,11 +32,11 @@ CreateTestKeyPairFromCert(const UniqueCERTCertificate& cert)
if (!privateKey) {
return nullptr;
}
ScopedSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get()));
UniqueSECKEYPublicKey publicKey(CERT_ExtractPublicKey(cert.get()));
if (!publicKey) {
return nullptr;
}
return CreateTestKeyPair(RSA_PKCS1(), *publicKey, privateKey.release());
return CreateTestKeyPair(RSA_PKCS1(), *publicKey.get(), privateKey.release());
}
SECItemArray*

2
security/manager/ssl/tests/unit/tlsserver/lib/TLSServer.cpp
View File

@ -134,7 +134,7 @@ AddKeyFromFile(const char* basePath, const char* filename)
PrintPRError("ATOB_AsciiToData failed");
return SECFailure;
}
ScopedSECItem secitem(::SECITEM_AllocItem(nullptr, nullptr, binLength));
UniqueSECItem secitem(::SECITEM_AllocItem(nullptr, nullptr, binLength));
if (!secitem) {
PrintPRError("SECITEM_AllocItem failed");
return SECFailure;