From 77cb1d9d487d0f07768e898ba4f120f758496111 Mon Sep 17 00:00:00 2001
From: "relyea%netscape.com"
Date: Thu, 24 Nov 2005 00:40:14 +0000
Subject: [PATCH] Bug 316925 Key export does not work on tokens with non-sensitive keys that can't wrap. r=kaie
---
 security/nss/lib/pk11wrap/pk11akey.c | 22 ++++++++++++++++------
 security/nss/lib/pk11wrap/pk11kea.c | 5 +++++
 2 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index a6189cf4343d..7b65e238be8c 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -1389,6 +1389,7 @@ PK11_ExportEncryptedPrivKeyInfo(
 SECAlgorithmID *algid;
 SECItem *pbe_param = NULL;
 PK11SymKey *key = NULL;
+ SECKEYPrivateKey *tmpPK = NULL;
 SECStatus rv = SECSuccess;
 int encryptBufLen;
 CK_RV crv;
@@ -1480,13 +1481,19 @@ PK11_ExportEncryptedPrivKeyInfo(
 PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot, key->type, CKA_WRAP, key);
 if (newkey == NULL) {
- rv= SECFailure;
- goto loser;
+ tmpPK = pk11_loadPrivKey(key->slot, pk, NULL, PR_FALSE, PR_TRUE);
+ if (tmpPK == NULL) {
+ /* couldn't import the wrapping key, couldn't export the
+ * private key, we are done */
+ rv = SECFailure;
+ goto loser;
+ }
+ pk = tmpPK;
+ } else {
+ /* free the old key and use the new key */
+ PK11_FreeSymKey(key);
+ key = newkey;
 }
-
- /* free the old key and use the new key */
- PK11_FreeSymKey(key);
- key = newkey;
 }
 /* we are extracting an encrypted privateKey structure.
@@ -1531,6 +1538,9 @@ loser:
 if(key != NULL) {
 PK11_FreeSymKey(key);
 }
+ if (tmpPK != NULL) {
+ SECKEY_DestroyPrivateKey(tmpPK);
+ }
 SECOID_DestroyAlgorithmID(algid, PR_TRUE);
 if(rv == SECFailure) {
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c
index a0db40729f14..52bff114f14d 100644
--- a/security/nss/lib/pk11wrap/pk11kea.c
+++ b/security/nss/lib/pk11wrap/pk11kea.c
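Review bot: In the `@@ -1480,13 +1481,19 @@` hunk of pk11akey.c, the new fallback `tmpPK = pk11_loadPrivKey(key->slot, pk, NULL, PR_FALSE, PR_TRUE);` carries no comment saying that the private key is now copied onto the wrapping key's slot, which is the security-relevant part of this change; the comment added in that branch only describes the failure case. I would put `/* wrapping key can't go to pk's token; copy the private key to the wrapping key's slot and export it from there */` above the call, and label the two bare booleans (presumably the token and sensitive flags; the signature is outside this diff) so a reader can tell the copy is meant to be non-persistent and marked sensitive. Because `pk = tmpPK;` overwrites the parameter, the rest of PK11_ExportEncryptedPrivKeyInfo, which starts and ends outside the hunk, has to read the slot and object handle from `pk` after this point and not from a value cached earlier; that is worth confirming before merge.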
@@ -144,6 +144,11 @@ pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
 if (rv == SECSuccess) {
 newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey, &wrapData,type,operation,symKeyLength,flags,isPerm);
+ /* make sure we wound up where we wanted to be! */
+ if (newSymKey && newSymKey->slot != slot) {
+ PK11_FreeSymKey(newSymKey);
+ newSymKey = NULL;
+ }
 }
 rsa_failed:
 if (wrapData.data != NULL) PORT_Free(wrapData.data);
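Review bot: The new slot check in pk11_KeyExchange frees the unwrapped key and sets `newSymKey = NULL` without recording an error, so a caller sees a failure with whatever error code the earlier calls left behind. Add `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);` (or a more specific code) before `newSymKey = NULL;`, unless the code after `rsa_failed:`, which continues outside the hunk, already sets one. The comment `/* make sure we wound up where we wanted to be! */` would also be clearer as `/* the unwrap may place the key on another slot; never hand back a key that is not on 'slot' */`, since that placement guarantee is what callers rely on.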