Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-12-02 10:00:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

1) fix warnings on AIX, HP, Linux, and Solaris.

Browse Source 
2) Move private functions into private headers.

3) Sharpen the layer separation between NSS components, especially pkcs #12
and soft token.

4) Remove dead code.
This commit is contained in:
relyea%netscape.com 2001-09-20 21:23:51 +00:00
parent 9ada7bfe84
commit 77fd99946d
13 changed files with 800 additions and 803 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
security/nss/lib/pk11wrap/manifest.mn
View File

@ -53,13 +53,13 @@ CSRCS = \
pk11load.c \ pk11load.c \
pk11pars.c \ pk11pars.c \
pk11slot.c \ pk11slot.c \
pk11modu.c \
pk11list.c \ pk11list.c \
pk11skey.c \ pk11skey.c \
pk11kea.c \ pk11kea.c \
pk11util.c \ pk11util.c \
pk11sdr.c \ pk11sdr.c \
pk11pqg.c \ pk11pqg.c \
pk11pk12.c \
$(NULL) $(NULL)
REQUIRES = security dbm REQUIRES = security dbm

18
security/nss/lib/pk11wrap/pk11cert.c
View File

@ -298,6 +298,11 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data, PK11_SETATTRS(&theTemplate,CKA_VALUE, pubKey->u.dh.publicValue.data,
pubKey->u.dh.publicValue.len); pubKey->u.dh.publicValue.len);
break; break;
case keaKey:
case fortezzaKey:
case nullKey:
/* fall through and return false */
break;
} }
if (theTemplate.ulValueLen == 0) { if (theTemplate.ulValueLen == 0) {
@ -433,11 +438,11 @@ pk11_HandleTrustObject(PK11SlotInfo *slot, CERTCertificate *cert, CERTCertTrust
CK_OBJECT_HANDLE tobjID; CK_OBJECT_HANDLE tobjID;
unsigned char sha1_hash[SHA1_LENGTH]; unsigned char sha1_hash[SHA1_LENGTH];
CK_TRUST serverAuth, codeSigning, emailProtection;
/*
CK_TRUST digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, CK_TRUST digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment,
keyAgreement, keyCertSign, crlSign, serverAuth, clientAuth, codeSigning, keyAgreement, keyCertSign, crlSign, serverAuth, clientAuth, codeSigning,
emailProtection, ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamping; emailProtection, ipsecEndSystem, ipsecTunnel, ipsecUser, timeStamping; */
SECItem item;
PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len); PK11_HashBuf(SEC_OID_SHA1, sha1_hash, cert->derCert.data, cert->derCert.len);
@ -853,7 +858,6 @@ PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
int i; int i;
CK_OBJECT_HANDLE *objID = NULL; CK_OBJECT_HANDLE *objID = NULL;
int object_count = 0; int object_count = 0;
CK_ULONG returned_count = 0;
pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg; pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate, objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate,
@ -1755,7 +1759,6 @@ pk11_AllFindCertObjectByRecipientNew(NSSCMSRecipient **recipientlist, void *winc
PK11SlotList *list; PK11SlotList *list;
PK11SlotListElement *le; PK11SlotListElement *le;
CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY; CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
PK11SlotInfo *slot = NULL;
SECStatus rv; SECStatus rv;
/* get them all! */ /* get them all! */
@ -1898,7 +1901,6 @@ PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slotPtr,
{ {
CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY; CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
CK_OBJECT_HANDLE keyHandle = CK_INVALID_KEY; CK_OBJECT_HANDLE keyHandle = CK_INVALID_KEY;
PK11SlotInfo *slot = NULL;
CERTCertificate *cert = NULL; CERTCertificate *cert = NULL;
SECStatus rv; SECStatus rv;
@ -1949,7 +1951,6 @@ PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, void *win
{ {
CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY; CK_OBJECT_HANDLE certHandle = CK_INVALID_KEY;
CK_OBJECT_HANDLE keyHandle = CK_INVALID_KEY; CK_OBJECT_HANDLE keyHandle = CK_INVALID_KEY;
SECStatus rv;
NSSCMSRecipient *rl; NSSCMSRecipient *rl;
int rlIndex; int rlIndex;
@ -2488,8 +2489,6 @@ SECStatus
PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2, PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, PK11SlotInfo *slot2,
CERTCertificate **cert1, CERTCertificate **cert2) CERTCertificate **cert1, CERTCertificate **cert2)
{ {
PK11SlotList *keaList = PK11_GetAllTokens(CKM_KEA_KEY_DERIVE,
PR_FALSE,PR_TRUE,NULL);
CERTCertificate *returnedCert = NULL; CERTCertificate *returnedCert = NULL;
int i; int i;
@ -2761,7 +2760,6 @@ SECItem *
PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot, PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
CERTCertificate *cert, void *wincx) CERTCertificate *cert, void *wincx)
{ {
CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
CK_ATTRIBUTE theTemplate[] = { CK_ATTRIBUTE theTemplate[] = {
{ CKA_VALUE, NULL, 0 }, { CKA_VALUE, NULL, 0 },
{ CKA_CLASS, NULL, 0 } { CKA_CLASS, NULL, 0 }

9
security/nss/lib/pk11wrap/pk11load.c
View File

@ -123,9 +123,9 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) {
* load a new module into our address space and initialize it. * load a new module into our address space and initialize it.
*/ */
SECStatus SECStatus
SECMOD_LoadModule(SECMODModule *mod) { SECMOD_LoadPKCS11Module(SECMODModule *mod) {
PRLibrary *library = NULL; PRLibrary *library = NULL;
CK_C_GetFunctionList entry; CK_C_GetFunctionList entry = NULL;
char * full_name; char * full_name;
CK_INFO info; CK_INFO info;
CK_ULONG slotCount = 0; CK_ULONG slotCount = 0;
@ -144,7 +144,10 @@ SECMOD_LoadModule(SECMODModule *mod) {
if (mod->isModuleDB) { if (mod->isModuleDB) {
mod->moduleDBFunc = (void *) NSC_ModuleDBFunc; mod->moduleDBFunc = (void *) NSC_ModuleDBFunc;
} }
if (mod->moduleDBOnly) return SECSuccess; if (mod->moduleDBOnly) {
mod->loaded = PR_TRUE;
return SECSuccess;
}
} else { } else {
/* Not internal, load the DLL and look up C_GetFunctionList */ /* Not internal, load the DLL and look up C_GetFunctionList */
if (mod->dllName == NULL) { if (mod->dllName == NULL) {

285
security/nss/lib/pk11wrap/pk11modu.c
View File

@ -1,285 +0,0 @@
/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 1994-2000 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the
* terms of the GNU General Public License Version 2 or later (the
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* version of this file only under the terms of the GPL and not to
* allow others to use your version of this file under the MPL,
* indicate your decision by deleting the provisions above and
* replace them with the notice and other provisions required by
* the GPL. If you do not delete the provisions above, a recipient
* may use your version of this file under either the MPL or the
* GPL.
*/
/*
* The following code handles the storage of PKCS 11 modules used by the
* NSS. This file is written to abstract away how the modules are
* stored so we can deside that later.
*/
#include "seccomon.h"
#include "secmod.h"
#include "nssilock.h"
#include "pkcs11.h"
#include "secmodi.h"
#include "pk11func.h"
#include "mcom_db.h"
/* create a new module */
SECMODModule *SECMOD_NewModule(void) {
SECMODModule *newMod;
PRArenaPool *arena;
/* create an arena in which dllName and commonName can be
* allocated.
*/
arena = PORT_NewArena(512);
if (arena == NULL) {
return NULL;
}
newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule));
if (newMod == NULL) {
PORT_FreeArena(arena,PR_FALSE);
return NULL;
}
/*
* initialize of the fields of the module
*/
newMod->arena = arena;
newMod->internal = PR_FALSE;
newMod->loaded = PR_FALSE;
newMod->isFIPS = PR_FALSE;
newMod->dllName = NULL;
newMod->commonName = NULL;
newMod->library = NULL;
newMod->functionList = NULL;
newMod->slotCount = 0;
newMod->slots = NULL;
newMod->slotInfo = NULL;
newMod->slotInfoCount = 0;
newMod->refCount = 1;
newMod->ssl[0] = 0;
newMod->ssl[1] = 0;
newMod->libraryParams = NULL;
newMod->moduleDBFunc = NULL;
newMod->parent = NULL;
newMod->isCritical = PR_FALSE;
newMod->isModuleDB = PR_FALSE;
newMod->moduleDBOnly = PR_FALSE;
newMod->trustOrder = 0;
newMod->cipherOrder = 0;
#ifdef PKCS11_USE_THREADS
newMod->refLock = (void *)PZ_NewLock(nssILockRefLock);
if (newMod->refLock == NULL) {
PORT_FreeArena(arena,PR_FALSE);
return NULL;
}
#else
newMod->refLock = NULL;
#endif
return newMod;
}
/* create a new ModuleListElement */
SECMODModuleList *SECMOD_NewModuleListElement(void) {
SECMODModuleList *newModList;
newModList= (SECMODModuleList *) PORT_Alloc(sizeof(SECMODModuleList));
if (newModList) {
newModList->next = NULL;
newModList->module = NULL;
}
return newModList;
}
static unsigned long internalFlags = SECMOD_RSA_FLAG|SECMOD_DSA_FLAG|
SECMOD_RC2_FLAG| SECMOD_RC4_FLAG|SECMOD_DES_FLAG|SECMOD_RANDOM_FLAG|
SECMOD_SHA1_FLAG|SECMOD_MD5_FLAG|SECMOD_MD2_FLAG|SECMOD_SSL_FLAG|
SECMOD_TLS_FLAG|SECMOD_AES_FLAG;
/* create a Internal module */
SECMODModule *SECMOD_NewInternal(void) {
SECMODModule *intern;
static PK11PreSlotInfo internSlotInfo =
{ 1, SECMOD_RSA_FLAG|SECMOD_DSA_FLAG|SECMOD_RC2_FLAG|
SECMOD_RC4_FLAG|SECMOD_DES_FLAG|SECMOD_RANDOM_FLAG|
SECMOD_SHA1_FLAG|SECMOD_MD5_FLAG|SECMOD_MD2_FLAG|
SECMOD_SSL_FLAG|SECMOD_TLS_FLAG|SECMOD_AES_FLAG, -1, 30, 0 };
intern = SECMOD_NewModule();
if (intern == NULL) {
return NULL;
}
/*
* make this module an internal module
*/
intern->commonName = "NSS Internal PKCS #11 Module";
intern->internal = PR_TRUE;
intern->slotInfoCount = 1;
intern->slotInfo = &internSlotInfo;
return (intern);
}
/* create a FIPS Internal module */
SECMODModule *SECMOD_GetFIPSInternal(void) {
SECMODModule *intern;
intern = SECMOD_NewInternal();
if (intern == NULL) {
return NULL;
}
/*
* make this module a FIPS internal module
*/
intern->slotInfo[0].slotID = 3; /* FIPS slot */
intern->commonName = "NSS Internal FIPS PKCS #11 Module";
intern->isFIPS = PR_TRUE;
return (intern);
}
SECMODModule *SECMOD_DupModule(SECMODModule *old) {
SECMODModule *newMod;
newMod = SECMOD_NewModule();
if (newMod == NULL) {
return NULL;
}
/*
* initialize of the fields of the module
*/
newMod->dllName = PORT_ArenaStrdup(newMod->arena,old->dllName);
newMod->commonName = PORT_ArenaStrdup(newMod->arena,old->commonName);;
return newMod;
}
/*
* make a new reference to a module so It doesn't go away on us
*/
SECMODModule *
SECMOD_ReferenceModule(SECMODModule *module) {
PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
PORT_Assert(module->refCount > 0);
module->refCount++;
PK11_USE_THREADS(PZ_Unlock((PZLock*)module->refLock);)
return module;
}
/* destroy an existing module */
void
SECMOD_DestroyModule(SECMODModule *module) {
PRBool willfree = PR_FALSE;
int slotCount;
int i;
PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
if (module->refCount-- == 1) {
willfree = PR_TRUE;
}
PORT_Assert(willfree || (module->refCount > 0));
PK11_USE_THREADS(PZ_Unlock((PZLock *)module->refLock);)
if (!willfree) {
return;
}
/* slots can't really disappear until our module starts freeing them,
* so this check is safe */
slotCount = module->slotCount;
if (slotCount == 0) {
SECMOD_SlotDestroyModule(module,PR_FALSE);
return;
}
/* now free all out slots, when they are done, they will cause the
* module to disappear altogether */
for (i=0 ; i < slotCount; i++) {
if (!module->slots[i]->disabled) {
PK11_ClearSlotList(module->slots[i]);
}
PK11_FreeSlot(module->slots[i]);
}
/* WARNING: once the last slot has been freed is it possible (even likely)
* that module is no more... touching it now is a good way to go south */
}
/* we can only get here if we've destroyed the module, or some one has
* erroneously freed a slot that wasn't referenced. */
void
SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) {
PRBool willfree = PR_FALSE;
if (fromSlot) {
PORT_Assert(module->refCount == 0);
PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
if (module->slotCount-- == 1) {
willfree = PR_TRUE;
}
PORT_Assert(willfree || (module->slotCount > 0));
PK11_USE_THREADS(PZ_Unlock((PZLock *)module->refLock);)
if (!willfree) return;
}
if (module->loaded) {
SECMOD_UnloadModule(module);
}
PK11_USE_THREADS(PZ_DestroyLock((PZLock *)module->refLock);)
PORT_FreeArena(module->arena,PR_FALSE);
}
/* destroy a list element
* this destroys a single element, and returns the next element
* on the chain. It makes it easy to implement for loops to delete
* the chain. It also make deleting a single element easy */
SECMODModuleList *
SECMOD_DestroyModuleListElement(SECMODModuleList *element) {
SECMODModuleList *next = element->next;
if (element->module) {
SECMOD_DestroyModule(element->module);
element->module = NULL;
}
PORT_Free(element);
return next;
}
/*
* Destroy an entire module list
*/
void
SECMOD_DestroyModuleList(SECMODModuleList *list) {
SECMODModuleList *lp;
for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ;
}

132
security/nss/lib/pk11wrap/pk11pars.c
View File

@ -43,13 +43,74 @@
#include "pk11pars.h" #include "pk11pars.h"
/* create a new module */
static SECMODModule *
secmod_NewModule(void)
{
SECMODModule *newMod;
PRArenaPool *arena;
/* create an arena in which dllName and commonName can be
* allocated.
*/
arena = PORT_NewArena(512);
if (arena == NULL) {
return NULL;
}
newMod = (SECMODModule *)PORT_ArenaAlloc(arena,sizeof (SECMODModule));
if (newMod == NULL) {
PORT_FreeArena(arena,PR_FALSE);
return NULL;
}
/*
* initialize of the fields of the module
*/
newMod->arena = arena;
newMod->internal = PR_FALSE;
newMod->loaded = PR_FALSE;
newMod->isFIPS = PR_FALSE;
newMod->dllName = NULL;
newMod->commonName = NULL;
newMod->library = NULL;
newMod->functionList = NULL;
newMod->slotCount = 0;
newMod->slots = NULL;
newMod->slotInfo = NULL;
newMod->slotInfoCount = 0;
newMod->refCount = 1;
newMod->ssl[0] = 0;
newMod->ssl[1] = 0;
newMod->libraryParams = NULL;
newMod->moduleDBFunc = NULL;
newMod->parent = NULL;
newMod->isCritical = PR_FALSE;
newMod->isModuleDB = PR_FALSE;
newMod->moduleDBOnly = PR_FALSE;
newMod->trustOrder = 0;
newMod->cipherOrder = 0;
#ifdef PKCS11_USE_THREADS
newMod->refLock = (void *)PZ_NewLock(nssILockRefLock);
if (newMod->refLock == NULL) {
PORT_FreeArena(arena,PR_FALSE);
return NULL;
}
#else
newMod->refLock = NULL;
#endif
return newMod;
}
/* /*
* for 3.4 we continue to use the old SECMODModule structure * for 3.4 we continue to use the old SECMODModule structure
*/ */
static SECMODModule * SECMODModule *
pk11_CreateModule(char *library, char *moduleName, char *parameters, char *nss) SECMOD_CreateModule(char *library, char *moduleName, char *parameters, char *nss)
{ {
SECMODModule *mod = SECMOD_NewModule(); SECMODModule *mod = secmod_NewModule();
char *slotParams,*ciphers; char *slotParams,*ciphers;
if (mod == NULL) return NULL; if (mod == NULL) return NULL;
@ -147,7 +208,7 @@ loser:
char ** char **
pk11_getModuleSpecList(SECMODModule *module) SECMOD_GetModuleSpecList(SECMODModule *module)
{ {
SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc; SECMODModuleDBFunc func = (SECMODModuleDBFunc) module->moduleDBFunc;
if (func) { if (func) {
@ -158,7 +219,7 @@ pk11_getModuleSpecList(SECMODModule *module)
} }
SECStatus SECStatus
pk11_AddPermDB(SECMODModule *module) SECMOD_AddPermDB(SECMODModule *module)
{ {
SECMODModuleDBFunc func; SECMODModuleDBFunc func;
char *moduleSpec; char *moduleSpec;
@ -178,7 +239,7 @@ pk11_AddPermDB(SECMODModule *module)
} }
SECStatus SECStatus
pk11_DeletePermDB(SECMODModule *module) SECMOD_DeletePermDB(SECMODModule *module)
{ {
SECMODModuleDBFunc func; SECMODModuleDBFunc func;
char *moduleSpec; char *moduleSpec;
@ -197,7 +258,8 @@ pk11_DeletePermDB(SECMODModule *module)
return SECFailure; return SECFailure;
} }
pk11_freeModuleSpecList(char **moduleSpecList) SECStatus
SECMOD_FreeModuleSpecList(SECMODModule *parent, char **moduleSpecList)
{ {
char ** index; char ** index;
@ -205,10 +267,11 @@ pk11_freeModuleSpecList(char **moduleSpecList)
PORT_Free(*index); PORT_Free(*index);
} }
PORT_Free(moduleSpecList); PORT_Free(moduleSpecList);
return SECSuccess;
} }
SECStatus SECMODModule *
PK11_LoadPKCS11Module(char *modulespec,SECMODModule *parent, PRBool recurse) SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
{ {
char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss= NULL; char *library = NULL, *moduleName = NULL, *parameters = NULL, *nss= NULL;
SECStatus status; SECStatus status;
@ -224,14 +287,14 @@ PK11_LoadPKCS11Module(char *modulespec,SECMODModule *parent, PRBool recurse)
goto loser; goto loser;
} }
module = pk11_CreateModule(library, moduleName, parameters, nss); module = SECMOD_CreateModule(library, moduleName, parameters, nss);
if (library) PORT_Free(library); if (library) PORT_Free(library);
if (moduleName) PORT_Free(moduleName); if (moduleName) PORT_Free(moduleName);
if (parameters) PORT_Free(parameters); if (parameters) PORT_Free(parameters);
if (nss) PORT_Free(nss); if (nss) PORT_Free(nss);
/* load it */ /* load it */
rv = SECMOD_LoadModule(module); rv = SECMOD_LoadPKCS11Module(module);
if (rv != SECSuccess) { if (rv != SECSuccess) {
goto loser; goto loser;
} }
@ -240,14 +303,20 @@ PK11_LoadPKCS11Module(char *modulespec,SECMODModule *parent, PRBool recurse)
char ** moduleSpecList; char ** moduleSpecList;
char **index; char **index;
moduleSpecList = pk11_getModuleSpecList(module); moduleSpecList = SECMOD_GetModuleSpecList(module);
for (index = moduleSpecList; index && *index; index++) { for (index = moduleSpecList; index && *index; index++) {
rv = PK11_LoadPKCS11Module(*index,module,PR_TRUE); SECMODModule *child;
if (rv != SECSuccess) break; child = SECMOD_LoadModule(*index,module,PR_TRUE);
if (!child) break;
if (child->isCritical && !child->loaded) {
SECMOD_DestroyModule(child);
break;
}
SECMOD_DestroyModule(child);
} }
pk11_freeModuleSpecList(moduleSpecList); SECMOD_FreeModuleSpecList(module,moduleSpecList);
} }
if (rv != SECSuccess) { if (rv != SECSuccess) {
@ -257,43 +326,20 @@ PK11_LoadPKCS11Module(char *modulespec,SECMODModule *parent, PRBool recurse)
if (parent) { if (parent) {
module->parent = SECMOD_ReferenceModule(parent); module->parent = SECMOD_ReferenceModule(parent);
} }
/* inherit the reference */
if (!module->moduleDBOnly) { if (!module->moduleDBOnly) {
SECMOD_AddModuleToList(module); SECMOD_AddModuleToList(module);
} else { } else {
SECMOD_AddModuleToDBOnlyList(module); SECMOD_AddModuleToDBOnlyList(module);
} }
#ifdef notdef
printf("-------------------------------------------------\n");
printf("Module Name: %s\n",module->commonName);
printf("Library Name: %s\n", module->dllName);
printf("Module Parameters: %s\n", module->moduleParams);
printf("Module type: %s\n",module->internal?"internal":"external");
printf("FIPS module: %s\n", module->isFIPS ?"on": "off");
printf("Trust Order: %d\n", module->trustOrder);
printf("Cipher Order: %d\n", module->cipherOrder);
printf("New Ciphers: 0x%08x,0x%08x\n",module->ssl[0], module->ssl[1]);
printf("Can Load PKCS #11 module: %s\n", module->isModuleDB ? "True" : "False");
if (module->slotInfoCount) {
int i;
printf("Slot Infos: %d\n", module->slotInfoCount);
for (i=0; i < module->slotInfoCount; i++) {
printf(" ++++++++++++++++++++++++++++++++++++++++++++\n");
printf(" Slot ID=0x%08x\n",module->slotInfo[i].slotID);
printf(" Slot Flags = 0x%08x\n",module->slotInfo[i].defaultFlags);
printf(" Slot PWarg = %d\n",module->slotInfo[i].askpw);
printf(" Slot timeout = %d\n",module->slotInfo[i].timeout);
}
}
#endif
/* handle any additional work here */ /* handle any additional work here */
return SECSuccess; return module;
loser: loser:
if (module) { if (module) {
PRBool critical = module->isCritical || (parent == NULL); SECMOD_AddModuleToUnloadList(module);
SECMOD_DestroyModule(module);
return critical ? SECFailure: SECSuccess;
} }
return SECFailure; return module;
} }

425
security/nss/lib/pk11wrap/pk11pk12.c Normal file
View File

@ -0,0 +1,425 @@
/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 1994-2000 Netscape Communications Corporation. All
* Rights Reserved.
*
* Alternatively, the contents of this file may be used under the
* terms of the GNU General Public License Version 2 or later (the
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* version of this file only under the terms of the GPL and not to
* allow others to use your version of this file under the MPL,
* indicate your decision by deleting the provisions above and
* replace them with the notice and other provisions required by
* the GPL. If you do not delete the provisions above, a recipient
* may use your version of this file under either the MPL or the
* GPL.
*/
/*
* This file PKCS #12 fuctions that should really be moved to the
* PKCS #12 directory, however we can't do that in a point release
* because that will break binary compatibility, so we keep them here for now.
*/
#include "seccomon.h"
#include "secmod.h"
#include "secmodi.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "secitem.h"
#include "key.h"
#include "secoid.h"
#include "secasn1.h"
#include "secerr.h"
/* These data structures should move to a common .h file shared between the
* wrappers and the pkcs 12 code. */
/*
** RSA Raw Private Key structures
*/
/* member names from PKCS#1, section 7.2 */
struct SECKEYRSAPrivateKeyStr {
PRArenaPool * arena;
SECItem version;
SECItem modulus;
SECItem publicExponent;
SECItem privateExponent;
SECItem prime1;
SECItem prime2;
SECItem exponent1;
SECItem exponent2;
SECItem coefficient;
};
typedef struct SECKEYRSAPrivateKeyStr SECKEYRSAPrivateKey;
/*
** DSA Raw Private Key structures
*/
struct SECKEYDSAPrivateKeyStr {
SECKEYPQGParams params;
SECItem privateValue;
};
typedef struct SECKEYDSAPrivateKeyStr SECKEYDSAPrivateKey;
/*
** Diffie-Hellman Raw Private Key structures
** Structure member names suggested by PKCS#3.
*/
struct SECKEYDHPrivateKeyStr {
PRArenaPool * arena;
SECItem prime;
SECItem base;
SECItem privateValue;
};
typedef struct SECKEYDHPrivateKeyStr SECKEYDHPrivateKey;
/*
** raw private key object
*/
struct SECKEYRawPrivateKeyStr {
PLArenaPool *arena;
KeyType keyType;
union {
SECKEYRSAPrivateKey rsa;
SECKEYDSAPrivateKey dsa;
SECKEYDHPrivateKey dh;
} u;
};
typedef struct SECKEYRawPrivateKeyStr SECKEYRawPrivateKey;
/*const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];*/
const SEC_ASN1Template SECKEY_RSAPrivateKeyExportTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.version) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.modulus) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.publicExponent) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.privateExponent) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime1) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.prime2) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent1) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.exponent2) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.rsa.coefficient) },
{ 0 }
};
const SEC_ASN1Template SECKEY_DSAPrivateKeyExportTemplate[] = {
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dsa.privateValue) },
};
const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.privateValue) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.base) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey,u.dh.prime) },
};
SECStatus
PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, unsigned int keyUsage, void *wincx)
{
SECKEYPrivateKeyInfo *pki = NULL;
PRArenaPool *temparena = NULL;
SECStatus rv = SECFailure;
temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
pki = PORT_ZNew(SECKEYPrivateKeyInfo);
rv = SEC_ASN1DecodeItem(temparena, pki, SECKEY_PrivateKeyInfoTemplate,
derPKI);
if( rv != SECSuccess ) {
goto finish;
}
rv = PK11_ImportPrivateKeyInfo(slot, pki, nickname, publicValue,
isPerm, isPrivate, keyUsage, wincx);
finish:
if( pki != NULL ) {
SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
}
if( temparena != NULL ) {
PORT_FreeArena(temparena, PR_TRUE);
}
return rv;
}
/*
* import a private key info into the desired slot
*/
SECStatus
PK11_ImportPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, unsigned int keyUsage, void *wincx)
{
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_RSA;
CK_OBJECT_HANDLE objectID;
CK_ATTRIBUTE theTemplate[20];
int templateCount = 0;
SECStatus rv = SECFailure;
PRArenaPool *arena;
CK_ATTRIBUTE *attrs;
CK_ATTRIBUTE *signedattr = NULL;
int signedcount = 0;
CK_ATTRIBUTE *ap;
SECItem *ck_id = NULL;
arena = PORT_NewArena(2048);
if(!arena) {
return SECFailure;
}
attrs = theTemplate;
PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse,
sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse,
sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
sizeof(CK_BBOOL) ); attrs++;
switch (lpk->keyType) {
case rsaKey:
PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_SIGN_RECOVER,
(keyUsage & KU_DIGITAL_SIGNATURE) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus);
if (ck_id == NULL) {
goto loser;
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
if (nickname) {
PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++;
}
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data,
lpk->u.rsa.modulus.len); attrs++;
PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT,
lpk->u.rsa.publicExponent.data,
lpk->u.rsa.publicExponent.len); attrs++;
PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT,
lpk->u.rsa.privateExponent.data,
lpk->u.rsa.privateExponent.len); attrs++;
PK11_SETATTRS(attrs, CKA_PRIME_1,
lpk->u.rsa.prime1.data,
lpk->u.rsa.prime1.len); attrs++;
PK11_SETATTRS(attrs, CKA_PRIME_2,
lpk->u.rsa.prime2.data,
lpk->u.rsa.prime2.len); attrs++;
PK11_SETATTRS(attrs, CKA_EXPONENT_1,
lpk->u.rsa.exponent1.data,
lpk->u.rsa.exponent1.len); attrs++;
PK11_SETATTRS(attrs, CKA_EXPONENT_2,
lpk->u.rsa.exponent2.data,
lpk->u.rsa.exponent2.len); attrs++;
PK11_SETATTRS(attrs, CKA_COEFFICIENT,
lpk->u.rsa.coefficient.data,
lpk->u.rsa.coefficient.len); attrs++;
break;
case dsaKey:
/* To make our intenal PKCS #11 module work correctly with
* our database, we need to pass in the public key value for
* this dsa key. We have a netscape only CKA_ value to do this.
* Only send it to internal slots */
if( publicValue == NULL ) {
goto loser;
}
if (PK11_IsInternal(slot)) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
publicValue->data, publicValue->len); attrs++;
}
PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++;
PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++;
if(nickname) {
PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
attrs++;
}
ck_id = PK11_MakeIDFromPubKey(publicValue);
if (ck_id == NULL) {
goto loser;
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dsa.params.prime.data,
lpk->u.dsa.params.prime.len); attrs++;
PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data,
lpk->u.dsa.params.subPrime.len); attrs++;
PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dsa.params.base.data,
lpk->u.dsa.params.base.len); attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dsa.privateValue.data,
lpk->u.dsa.privateValue.len); attrs++;
break;
case dhKey:
/* To make our intenal PKCS #11 module work correctly with
* our database, we need to pass in the public key value for
* this dh key. We have a netscape only CKA_ value to do this.
* Only send it to internal slots */
if (PK11_IsInternal(slot)) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
publicValue->data, publicValue->len); attrs++;
}
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++;
if(nickname) {
PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
attrs++;
}
ck_id = PK11_MakeIDFromPubKey(publicValue);
if (ck_id == NULL) {
goto loser;
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dh.prime.data,
lpk->u.dh.prime.len); attrs++;
PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dh.base.data,
lpk->u.dh.base.len); attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dh.privateValue.data,
lpk->u.dh.privateValue.len); attrs++;
break;
/* what about fortezza??? */
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
goto loser;
}
templateCount = attrs - theTemplate;
PORT_Assert(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
PORT_Assert(signedattr != NULL);
signedcount = attrs - signedattr;
for (ap=signedattr; signedcount; ap++, signedcount--) {
pk11_SignedToUnsigned(ap);
}
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
theTemplate, templateCount, isPerm, &objectID);
loser:
if (ck_id) {
SECITEM_ZfreeItem(ck_id, PR_TRUE);
}
return rv;
}
/*
* import a private key info into the desired slot
*/
SECStatus
PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, unsigned int keyUsage, void *wincx)
{
CK_KEY_TYPE keyType = CKK_RSA;
SECStatus rv = SECFailure;
SECKEYRawPrivateKey *lpk = NULL;
const SEC_ASN1Template *keyTemplate, *paramTemplate;
void *paramDest = NULL;
PRArenaPool *arena;
arena = PORT_NewArena(2048);
if(!arena) {
return SECFailure;
}
/* need to change this to use RSA/DSA keys */
lpk = (SECKEYRawPrivateKey *)PORT_ArenaZAlloc(arena,
sizeof(SECKEYRawPrivateKey));
if(lpk == NULL) {
goto loser;
}
lpk->arena = arena;
switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
keyTemplate = SECKEY_RSAPrivateKeyExportTemplate;
paramTemplate = NULL;
paramDest = NULL;
lpk->keyType = rsaKey;
keyType = CKK_RSA;
break;
case SEC_OID_ANSIX9_DSA_SIGNATURE:
keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
paramTemplate = SECKEY_PQGParamsTemplate;
paramDest = &(lpk->u.dsa.params);
lpk->keyType = dsaKey;
keyType = CKK_DSA;
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
if(!publicValue) {
goto loser;
}
keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
paramTemplate = NULL;
paramDest = NULL;
lpk->keyType = dhKey;
keyType = CKK_DH;
break;
default:
keyTemplate = NULL;
paramTemplate = NULL;
paramDest = NULL;
break;
}
if(!keyTemplate) {
goto loser;
}
/* decode the private key and any algorithm parameters */
rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
if(rv != SECSuccess) {
goto loser;
}
if(paramDest && paramTemplate) {
rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
&(pki->algorithm.parameters));
if(rv != SECSuccess) {
goto loser;
}
}
rv = PK11_ImportPrivateKey(slot,lpk,nickname,publicValue, isPerm,
isPrivate, keyUsage, wincx);
loser:
if (lpk!= NULL) {
PORT_FreeArena(arena, PR_TRUE);
}
return rv;
}

307
security/nss/lib/pk11wrap/pk11skey.c
View File

@ -49,6 +49,7 @@
#include "sechash.h" #include "sechash.h"
#include "cert.h" #include "cert.h"
#include "secerr.h" #include "secerr.h"
#include "secpkcs5.h"
#define PAIRWISE_SECITEM_TYPE siBuffer #define PAIRWISE_SECITEM_TYPE siBuffer
#define PAIRWISE_DIGEST_LENGTH SHA1_LENGTH /* 160-bits */ #define PAIRWISE_DIGEST_LENGTH SHA1_LENGTH /* 160-bits */
@ -156,7 +157,6 @@ pk11_ExitKeyMonitor(PK11SymKey *symKey) {
} }
static PK11SymKey *pk11SymKeyHead = NULL;
static PK11SymKey * static PK11SymKey *
pk11_getKeyFromList(PK11SlotInfo *slot) { pk11_getKeyFromList(PK11SlotInfo *slot) {
PK11SymKey *symKey = NULL; PK11SymKey *symKey = NULL;
@ -1058,14 +1058,13 @@ pk11_backupGetSignLength(SECKEYPrivateKey *key)
int int
PK11_SignatureLen(SECKEYPrivateKey *key) PK11_SignatureLen(SECKEYPrivateKey *key)
{ {
PK11SlotInfo *slot = key->pkcs11Slot;
int val; int val;
switch (key->keyType) { switch (key->keyType) {
case rsaKey: case rsaKey:
val = PK11_GetPrivateModulusLen(key); val = PK11_GetPrivateModulusLen(key);
if (val == -1) { if (val == -1) {
break; /* failed */ return pk11_backupGetSignLength(key);
} }
return (unsigned long) val; return (unsigned long) val;
@ -1214,7 +1213,6 @@ PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param,
CK_MECHANISM mechanism; CK_MECHANISM mechanism;
CK_RV crv; CK_RV crv;
PRBool weird = PR_FALSE; /* hack for fortezza */ PRBool weird = PR_FALSE; /* hack for fortezza */
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE; CK_BBOOL cktrue = CK_TRUE;
CK_ULONG ck_key_size; /* only used for variable-length keys */ CK_ULONG ck_key_size; /* only used for variable-length keys */
@ -1780,8 +1778,8 @@ PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
int dhPubCount = sizeof(dhPubTemplate)/sizeof(dhPubTemplate[0]); int dhPubCount = sizeof(dhPubTemplate)/sizeof(dhPubTemplate[0]);
int pubCount = 0; int pubCount = 0;
PK11RSAGenParams *rsaParams; PK11RSAGenParams *rsaParams;
PQGParams *dsaParams; SECKEYPQGParams *dsaParams;
DHParams * dhParams; SECKEYDHParams * dhParams;
CK_MECHANISM mechanism; CK_MECHANISM mechanism;
CK_MECHANISM test_mech; CK_MECHANISM test_mech;
CK_SESSION_HANDLE session_handle; CK_SESSION_HANDLE session_handle;
@ -1889,7 +1887,7 @@ PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
test_mech.mechanism = CKM_RSA_PKCS; test_mech.mechanism = CKM_RSA_PKCS;
break; break;
case CKM_DSA_KEY_PAIR_GEN: case CKM_DSA_KEY_PAIR_GEN:
dsaParams = (PQGParams *)param; dsaParams = (SECKEYPQGParams *)param;
attrs = dsaPubTemplate; attrs = dsaPubTemplate;
PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data, PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data,
dsaParams->prime.len); attrs++; dsaParams->prime.len); attrs++;
@ -1903,7 +1901,7 @@ PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
test_mech.mechanism = CKM_DSA; test_mech.mechanism = CKM_DSA;
break; break;
case CKM_DH_PKCS_KEY_PAIR_GEN: case CKM_DH_PKCS_KEY_PAIR_GEN:
dhParams = (DHParams *)param; dhParams = (SECKEYDHParams *)param;
attrs = dhPubTemplate; attrs = dhPubTemplate;
PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data, PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data,
dhParams->prime.len); attrs++; dhParams->prime.len); attrs++;
@ -2544,8 +2542,8 @@ PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
case nullKey: case nullKey:
PORT_SetError(SEC_ERROR_BAD_KEY); PORT_SetError(SEC_ERROR_BAD_KEY);
break; break;
/* case keaKey: */
case dsaKey: case dsaKey:
case keaKey:
case fortezzaKey: case fortezzaKey:
{ {
CK_KEA_DERIVE_PARAMS param; CK_KEA_DERIVE_PARAMS param;
@ -2644,7 +2642,6 @@ pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
PK11SymKey *symKey; PK11SymKey *symKey;
CK_RV crv; CK_RV crv;
PRBool owner = PR_TRUE; PRBool owner = PR_TRUE;
PRBool bool = PR_TRUE;
CK_SESSION_HANDLE session; CK_SESSION_HANDLE session;
/* remove any VALUE_LEN parameters */ /* remove any VALUE_LEN parameters */
@ -2723,7 +2720,6 @@ pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey,
{ {
PK11SymKey * symKey; PK11SymKey * symKey;
SECItem * param_free = NULL; SECItem * param_free = NULL;
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE; CK_BBOOL cktrue = CK_TRUE;
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
@ -2949,8 +2945,7 @@ PK11_VerifyRecover(SECKEYPublicKey *key,
SECStatus SECStatus
PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx) PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
{ {
PK11SlotInfo *slot = key->pkcs11Slot; PK11SlotInfo *slot = PK11_ReferenceSlot(key->pkcs11Slot);
PK11SlotInfo *tmpslot = key->pkcs11Slot;
CK_OBJECT_HANDLE id = key->pkcs11ID; CK_OBJECT_HANDLE id = key->pkcs11ID;
CK_MECHANISM mech = {0, NULL, 0 }; CK_MECHANISM mech = {0, NULL, 0 };
PRBool owner = PR_TRUE; PRBool owner = PR_TRUE;
@ -2960,12 +2955,7 @@ PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
mech.mechanism = pk11_mapSignKeyType(key->keyType); mech.mechanism = pk11_mapSignKeyType(key->keyType);
if (slot == NULL) { if (slot == NULL) {
if (mech.mechanism == CKM_DSA) { slot = PK11_GetBestSlot(mech.mechanism,wincx);
slot = PK11_GetInternalSlot(); /* use internal slot for
DSA verify */
} else {
slot = PK11_GetBestSlot(mech.mechanism,wincx);
};
if (slot == NULL) { if (slot == NULL) {
PORT_SetError( SEC_ERROR_NO_MODULE ); PORT_SetError( SEC_ERROR_NO_MODULE );
@ -2981,6 +2971,7 @@ PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
if (crv != CKR_OK) { if (crv != CKR_OK) {
if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
pk11_CloseSession(slot,session,owner); pk11_CloseSession(slot,session,owner);
PK11_FreeSlot(slot);
PORT_SetError( PK11_MapError(crv) ); PORT_SetError( PK11_MapError(crv) );
return SECFailure; return SECFailure;
} }
@ -2988,6 +2979,7 @@ PK11_Verify(SECKEYPublicKey *key, SECItem *sig, SECItem *hash, void *wincx)
hash->len, sig->data, sig->len); hash->len, sig->data, sig->len);
if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
pk11_CloseSession(slot,session,owner); pk11_CloseSession(slot,session,owner);
PK11_FreeSlot(slot);
if (crv != CKR_OK) { if (crv != CKR_OK) {
PORT_SetError( PK11_MapError(crv) ); PORT_SetError( PK11_MapError(crv) );
return SECFailure; return SECFailure;
@ -3694,7 +3686,6 @@ PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen,
CK_RV crv = CKR_OK; CK_RV crv = CKR_OK;
CK_ULONG length = maxout; CK_ULONG length = maxout;
CK_ULONG offset =0; CK_ULONG offset =0;
PK11SymKey *symKey = context->key;
SECStatus rv = SECSuccess; SECStatus rv = SECSuccess;
unsigned char *saveOut = out; unsigned char *saveOut = out;
unsigned char *allocOut = NULL; unsigned char *allocOut = NULL;
@ -4161,9 +4152,9 @@ PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
CK_RV crv; CK_RV crv;
SECKEYPrivateKey *privKey = NULL; SECKEYPrivateKey *privKey = NULL;
PRBool faulty3DES = PR_FALSE; PRBool faulty3DES = PR_FALSE;
int usageCount; int usageCount = 0;
CK_KEY_TYPE key_type; CK_KEY_TYPE key_type;
CK_ATTRIBUTE_TYPE *usage; CK_ATTRIBUTE_TYPE *usage = NULL;
CK_ATTRIBUTE_TYPE rsaUsage[] = { CK_ATTRIBUTE_TYPE rsaUsage[] = {
CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER }; CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER };
CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN }; CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
@ -4233,6 +4224,8 @@ try_faulty_3des:
crypto_param.data = (unsigned char*)cryptoMech.pParameter; crypto_param.data = (unsigned char*)cryptoMech.pParameter;
crypto_param.len = cryptoMech.ulParameterLen; crypto_param.len = cryptoMech.ulParameterLen;
PORT_Assert(usage != NULL);
PORT_Assert(usageCount = 0);
privKey = PK11_UnwrapPrivKey(slot, key, cryptoMech.mechanism, privKey = PK11_UnwrapPrivKey(slot, key, cryptoMech.mechanism,
&crypto_param, &epki->encryptedData, &crypto_param, &epki->encryptedData,
nickname, publicValue, isPerm, isPrivate, nickname, publicValue, isPerm, isPrivate,
@ -4292,276 +4285,6 @@ done:
return rv; return rv;
} }
SECStatus
PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, unsigned int keyUsage, void *wincx)
{
SECKEYPrivateKeyInfo *pki = NULL;
PRArenaPool *temparena = NULL;
SECStatus rv = SECFailure;
temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
pki = PORT_ZNew(SECKEYPrivateKeyInfo);
rv = SEC_ASN1DecodeItem(temparena, pki, SECKEY_PrivateKeyInfoTemplate,
derPKI);
if( rv != SECSuccess ) {
goto finish;
}
rv = PK11_ImportPrivateKeyInfo(slot, pki, nickname, publicValue,
isPerm, isPrivate, keyUsage, wincx);
finish:
if( pki != NULL ) {
SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
}
if( temparena != NULL ) {
PORT_FreeArena(temparena, PR_TRUE);
}
return rv;
}
/*
* import a private key info into the desired slot
*/
SECStatus
PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki,
SECItem *nickname, SECItem *publicValue, PRBool isPerm,
PRBool isPrivate, unsigned int keyUsage, void *wincx)
{
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
CK_KEY_TYPE keyType = CKK_RSA;
CK_OBJECT_HANDLE objectID;
CK_ATTRIBUTE theTemplate[20];
int templateCount = 0;
SECStatus rv = SECFailure;
SECKEYLowPrivateKey *lpk = NULL;
const SEC_ASN1Template *keyTemplate, *paramTemplate;
void *paramDest = NULL;
PRArenaPool *arena;
CK_ATTRIBUTE *attrs;
CK_ATTRIBUTE *signedattr = NULL;
int signedcount = 0;
CK_ATTRIBUTE *ap;
SECItem *ck_id = NULL;
arena = PORT_NewArena(2048);
if(!arena) {
return SECFailure;
}
/* need to change this to use RSA/DSA keys */
lpk = (SECKEYLowPrivateKey *)PORT_ArenaZAlloc(arena,
sizeof(SECKEYLowPrivateKey));
if(lpk == NULL) {
goto loser;
}
lpk->arena = arena;
attrs = theTemplate;
switch(SECOID_GetAlgorithmTag(&pki->algorithm)) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
keyTemplate = SECKEY_RSAPrivateKeyTemplate;
paramTemplate = NULL;
paramDest = NULL;
lpk->keyType = rsaKey;
keyType = CKK_RSA;
break;
case SEC_OID_ANSIX9_DSA_SIGNATURE:
keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
paramTemplate = SECKEY_PQGParamsTemplate;
paramDest = &(lpk->u.dsa.params);
lpk->keyType = dsaKey;
keyType = CKK_DSA;
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
if(!publicValue) {
goto loser;
}
keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
paramTemplate = NULL;
paramDest = NULL;
lpk->keyType = dhKey;
keyType = CKK_DH;
break;
default:
keyTemplate = NULL;
paramTemplate = NULL;
paramDest = NULL;
break;
}
if(!keyTemplate) {
goto loser;
}
/* decode the private key and any algorithm parameters */
rv = SEC_ASN1DecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
if(rv != SECSuccess) {
goto loser;
}
if(paramDest && paramTemplate) {
rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
&(pki->algorithm.parameters));
if(rv != SECSuccess) {
goto loser;
}
}
PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++;
PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++;
PK11_SETATTRS(attrs, CKA_TOKEN, isPerm ? &cktrue : &ckfalse,
sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_SENSITIVE, isPrivate ? &cktrue : &ckfalse,
sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_PRIVATE, isPrivate ? &cktrue : &ckfalse,
sizeof(CK_BBOOL) ); attrs++;
switch (lpk->keyType) {
case rsaKey:
PK11_SETATTRS(attrs, CKA_UNWRAP, (keyUsage & KU_KEY_ENCIPHERMENT) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_DECRYPT, (keyUsage & KU_DATA_ENCIPHERMENT) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_SIGN, (keyUsage & KU_DIGITAL_SIGNATURE) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_SIGN_RECOVER,
(keyUsage & KU_DIGITAL_SIGNATURE) ?
&cktrue : &ckfalse, sizeof(CK_BBOOL) ); attrs++;
ck_id = PK11_MakeIDFromPubKey(&lpk->u.rsa.modulus);
if (ck_id == NULL) {
goto loser;
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
if (nickname) {
PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len); attrs++;
}
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_MODULUS, lpk->u.rsa.modulus.data,
lpk->u.rsa.modulus.len); attrs++;
PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT,
lpk->u.rsa.publicExponent.data,
lpk->u.rsa.publicExponent.len); attrs++;
PK11_SETATTRS(attrs, CKA_PRIVATE_EXPONENT,
lpk->u.rsa.privateExponent.data,
lpk->u.rsa.privateExponent.len); attrs++;
PK11_SETATTRS(attrs, CKA_PRIME_1,
lpk->u.rsa.prime1.data,
lpk->u.rsa.prime1.len); attrs++;
PK11_SETATTRS(attrs, CKA_PRIME_2,
lpk->u.rsa.prime2.data,
lpk->u.rsa.prime2.len); attrs++;
PK11_SETATTRS(attrs, CKA_EXPONENT_1,
lpk->u.rsa.exponent1.data,
lpk->u.rsa.exponent1.len); attrs++;
PK11_SETATTRS(attrs, CKA_EXPONENT_2,
lpk->u.rsa.exponent2.data,
lpk->u.rsa.exponent2.len); attrs++;
PK11_SETATTRS(attrs, CKA_COEFFICIENT,
lpk->u.rsa.coefficient.data,
lpk->u.rsa.coefficient.len); attrs++;
break;
case dsaKey:
/* To make our intenal PKCS #11 module work correctly with
* our database, we need to pass in the public key value for
* this dsa key. We have a netscape only CKA_ value to do this.
* Only send it to internal slots */
if( publicValue == NULL ) {
/*
* Try to extract the public value out of the private key.
* This might not work, since the public value is not
* required to be in the private key.
*/
publicValue = &lpk->u.dsa.publicValue;
if( publicValue->data == NULL || publicValue->len == 0) {
goto loser;
}
}
if (PK11_IsInternal(slot)) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
publicValue->data, publicValue->len); attrs++;
}
PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL)); attrs++;
PK11_SETATTRS(attrs, CKA_SIGN_RECOVER, &cktrue, sizeof(CK_BBOOL)); attrs++;
if(nickname) {
PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
attrs++;
}
ck_id = PK11_MakeIDFromPubKey(publicValue);
if (ck_id == NULL) {
goto loser;
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dsa.params.prime.data,
lpk->u.dsa.params.prime.len); attrs++;
PK11_SETATTRS(attrs,CKA_SUBPRIME,lpk->u.dsa.params.subPrime.data,
lpk->u.dsa.params.subPrime.len); attrs++;
PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dsa.params.base.data,
lpk->u.dsa.params.base.len); attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dsa.privateValue.data,
lpk->u.dsa.privateValue.len); attrs++;
break;
case dhKey:
/* To make our intenal PKCS #11 module work correctly with
* our database, we need to pass in the public key value for
* this dh key. We have a netscape only CKA_ value to do this.
* Only send it to internal slots */
if (PK11_IsInternal(slot)) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
publicValue->data, publicValue->len); attrs++;
}
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); attrs++;
if(nickname) {
PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
attrs++;
}
ck_id = PK11_MakeIDFromPubKey(publicValue);
if (ck_id == NULL) {
goto loser;
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data,ck_id->len); attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, lpk->u.dh.prime.data,
lpk->u.dh.prime.len); attrs++;
PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dh.base.data,
lpk->u.dh.base.len); attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dh.privateValue.data,
lpk->u.dh.privateValue.len); attrs++;
break;
/* what about fortezza??? */
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
goto loser;
}
templateCount = attrs - theTemplate;
PR_ASSERT(templateCount <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
signedcount = attrs - signedattr;
for (ap=signedattr; signedcount; ap++, signedcount--) {
pk11_SignedToUnsigned(ap);
}
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
theTemplate, templateCount, isPerm, &objectID);
if (ck_id) {
SECITEM_ZfreeItem(ck_id, PR_TRUE);
}
loser:
if (lpk!= NULL) {
SECKEY_LowDestroyPrivateKey(lpk);
}
return rv;
}
SECKEYPrivateKeyInfo * SECKEYPrivateKeyInfo *
PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx) PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx)
{ {

5
security/nss/lib/pk11wrap/pk11slot.c
View File

@ -49,6 +49,7 @@
#include "prtime.h" #include "prtime.h"
#include "prlong.h" #include "prlong.h"
#include "secerr.h" #include "secerr.h"
#include "secpkcs5.h"
#define NSSCKT_H /* we included pkcs11t.h, so block ckt.h from including nssckt.h */ #define NSSCKT_H /* we included pkcs11t.h, so block ckt.h from including nssckt.h */
#include "ckt.h" #include "ckt.h"
@ -741,7 +742,7 @@ PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
void void
PK11_SlotDBUpdate(PK11SlotInfo *slot) PK11_SlotDBUpdate(PK11SlotInfo *slot)
{ {
pk11_AddPermDB(slot->module); SECMOD_UpdateModule(slot->module);
} }
/* /*
@ -1475,10 +1476,8 @@ PK11_VerifySlotMechanisms(PK11SlotInfo *slot)
CK_MECHANISM_TYPE *mechList = mechListArray; CK_MECHANISM_TYPE *mechList = mechListArray;
static SECItem data; static SECItem data;
static SECItem iv; static SECItem iv;
static SECItem key;
static unsigned char dataV[8]; static unsigned char dataV[8];
static unsigned char ivV[8]; static unsigned char ivV[8];
static unsigned char keyV[8];
static PRBool generated = PR_FALSE; static PRBool generated = PR_FALSE;
CK_ULONG count; CK_ULONG count;
int i; int i;

294
security/nss/lib/pk11wrap/pk11util.c
View File

@ -43,107 +43,16 @@
static SECMODModuleList *modules = NULL; static SECMODModuleList *modules = NULL;
static SECMODModuleList *modulesDB = NULL; static SECMODModuleList *modulesDB = NULL;
static SECMODModuleList *modulesUnload = NULL;
static SECMODModule *internalModule = NULL; static SECMODModule *internalModule = NULL;
static SECMODModule *defaultDBModule = NULL; static SECMODModule *defaultDBModule = NULL;
static SECMODListLock *moduleLock = NULL; static SECMODListLock *moduleLock = NULL;
extern SECStatus
PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
PRBool add);
extern int XP_SEC_MODULE_NO_LIB;
extern PK11DefaultArrayEntry PK11_DefaultArray[]; extern PK11DefaultArrayEntry PK11_DefaultArray[];
extern int num_pk11_default_mechanisms; extern int num_pk11_default_mechanisms;
static PRBool secmod_ModuleHasRoots(SECMODModule *module)
{
int i;
for (i=0; i < module->slotInfoCount; i++) {
if (module->slotInfo[i].hasRootCerts) {
return PR_TRUE;
}
}
return PR_FALSE;
}
/*
* The following code is an attempt to automagically find the external root
* module. NOTE: This code should be checked out on the MAC! There must be
* some cross platform support out there to help out with this?
* Note: Keep the #if-defined chunks in order. HPUX must select before UNIX.
*/
static char *dllnames[]= {
#if defined(XP_WIN32) || defined(XP_OS2)
"nssckbi.dll",
"roots.dll",
"netckbi.dll",
"mozckbi.dll",
#elif defined(HPUX)
"libnssckbi.sl",
"libroots.sl",
"libnetckbi.sl",
"libmozckbi.sl",
#elif defined(XP_UNIX)
"libnssckbi.so",
"libroots.so",
"libnetckbi.so",
"libmozckbi.so",
#elif defined(XP_MAC)
"NSS Builtin Root Certs",
"Root Certs",
"Netscape Builtin Root Certs",
"Mozilla Builtin Root Certs",
#else
#error "Uh! Oh! I don't know about this platform."
#endif
0 };
#define MAXDLLNAME 40
/* Should we have platform ifdefs here??? */
#define FILE_SEP '/'
static void
secmod_FindExternalRoot(char *dbname)
{
char *path, *cp, **cur_name;
int len = PORT_Strlen(dbname);
int path_len;
path = PORT_Alloc(len+MAXDLLNAME);
if (path == NULL) return;
/* back up to the top of the directory */
for (cp = &dbname[len]; cp != dbname && (*cp != FILE_SEP); cp--) ;
path_len = cp-dbname;
PORT_Memcpy(path,dbname,path_len);
path[path_len++] = FILE_SEP;
/* now walk our tree of dll names looking for the file of interest. */
for (cur_name= dllnames; *cur_name != 0; cur_name++) {
PORT_Memcpy(&path[path_len],*cur_name,PORT_Strlen(*cur_name)+1);
if (SECMOD_AddNewModule("Root Certs",path, 0, 0) == SECSuccess) {
break;
}
}
PORT_Free(path);
return;
}
void SECMOD_Init() { void SECMOD_Init() {
SECMODModuleList *thisModule;
int found=0;
int rootFound=0;
SECStatus rv = SECFailure;
/* don't initialize twice */ /* don't initialize twice */
if (moduleLock) return; if (moduleLock) return;
@ -171,7 +80,12 @@ void SECMOD_Shutdown() {
if (modulesDB) { if (modulesDB) {
SECMOD_DestroyModuleList(modulesDB); SECMOD_DestroyModuleList(modulesDB);
modules = NULL; modulesDB = NULL;
}
if (modulesUnload) {
SECMOD_DestroyModuleList(modulesUnload);
modulesUnload = NULL;
} }
/* make all the slots and the lists go away */ /* make all the slots and the lists go away */
@ -187,25 +101,9 @@ SECMOD_GetInternalModule(void) {
return internalModule; return internalModule;
} }
/* called from security/cmd/swfort/instinit, which doesn't need a full
* security LIBRARY (it used the swfortezza code, but it does have to verify
* cert chains against it's own list of certs. We need to initialize the
* security code without any database.
*/
void
SECMOD_SetInternalModule( SECMODModule *mod) {
internalModule = SECMOD_ReferenceModule(mod);
modules = SECMOD_NewModuleListElement();
modules->module = SECMOD_ReferenceModule(mod);
modules->next = NULL;
if (!moduleLock) {
moduleLock = SECMOD_NewListLock();
}
}
SECStatus SECStatus
secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule) { secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule) {
SECStatus rv;
SECMODModuleList *mlp, *newListElement, *last = NULL; SECMODModuleList *mlp, *newListElement, *last = NULL;
newListElement = SECMOD_NewModuleListElement(); newListElement = SECMOD_NewModuleListElement();
@ -213,7 +111,7 @@ secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule) {
return SECFailure; return SECFailure;
} }
newListElement->module = newModule; newListElement->module = SECMOD_ReferenceModule(newModule);
SECMOD_GetWriteLock(moduleLock); SECMOD_GetWriteLock(moduleLock);
/* Added it to the end (This is very inefficient, but Adding a module /* Added it to the end (This is very inefficient, but Adding a module
@ -230,7 +128,6 @@ secmod_AddModuleToList(SECMODModuleList **moduleList,SECMODModule *newModule) {
} }
SECMOD_ReleaseWriteLock(moduleLock); SECMOD_ReleaseWriteLock(moduleLock);
return SECSuccess; return SECSuccess;
return;
} }
SECStatus SECStatus
@ -249,10 +146,9 @@ SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule) {
return secmod_AddModuleToList(&modulesDB,newModule); return secmod_AddModuleToList(&modulesDB,newModule);
} }
SECMODModule * SECStatus
SECMOD_GetDefaultDBModule(void) SECMOD_AddModuleToUnloadList(SECMODModule *newModule) {
{ return secmod_AddModuleToList(&modulesUnload,newModule);
return SECMOD_ReferenceModule(defaultDBModule);
} }
/* /*
@ -361,7 +257,7 @@ SECMOD_DeleteModule(char *name, int *type) {
if (rv == SECSuccess) { if (rv == SECSuccess) {
pk11_DeletePermDB(mlp->module); SECMOD_DeletePermDB(mlp->module);
SECMOD_DestroyModuleListElement(mlp); SECMOD_DestroyModuleListElement(mlp);
} }
return rv; return rv;
@ -394,12 +290,14 @@ SECMOD_DeleteInternalModule(char *name) {
SECMODModule *newModule,*oldModule; SECMODModule *newModule,*oldModule;
if (mlp->module->isFIPS) { if (mlp->module->isFIPS) {
newModule = SECMOD_NewInternal(); newModule = SECMOD_CreateModule(NULL,SECMOD_INT_NAME,NULL,
SECMOD_INT_FLAGS);
} else { } else {
newModule = SECMOD_GetFIPSInternal(); newModule = SECMOD_CreateModule(NULL,SECMOD_FIPS_NAME,NULL,
SECMOD_FIPS_FLAGS);
} }
if (newModule == NULL) { if (newModule == NULL) {
SECMODModuleList *last,*mlp2; SECMODModuleList *last = NULL,*mlp2;
/* we're in pretty deep trouble if this happens...Security /* we're in pretty deep trouble if this happens...Security
* not going to work well... try to put the old module back on * not going to work well... try to put the old module back on
* the list */ * the list */
@ -422,7 +320,7 @@ SECMOD_DeleteInternalModule(char *name) {
internalModule = SECMOD_ReferenceModule(newModule); internalModule = SECMOD_ReferenceModule(newModule);
SECMOD_AddModule(internalModule); SECMOD_AddModule(internalModule);
SECMOD_DestroyModule(oldModule); SECMOD_DestroyModule(oldModule);
pk11_DeletePermDB(mlp->module); SECMOD_DeletePermDB(mlp->module);
SECMOD_DestroyModuleListElement(mlp); SECMOD_DestroyModuleListElement(mlp);
} }
return rv; return rv;
@ -431,7 +329,6 @@ SECMOD_DeleteInternalModule(char *name) {
SECStatus SECStatus
SECMOD_AddModule(SECMODModule *newModule) { SECMOD_AddModule(SECMODModule *newModule) {
SECStatus rv; SECStatus rv;
SECMODModuleList *mlp, *newListElement, *last = NULL;
/* Test if a module w/ the same name already exists */ /* Test if a module w/ the same name already exists */
/* and return SECWouldBlock if so. */ /* and return SECWouldBlock if so. */
@ -443,7 +340,7 @@ SECMOD_AddModule(SECMODModule *newModule) {
/* module already exists. */ /* module already exists. */
} }
rv = SECMOD_LoadModule(newModule); rv = SECMOD_LoadPKCS11Module(newModule);
if (rv != SECSuccess) { if (rv != SECSuccess) {
return rv; return rv;
} }
@ -452,7 +349,7 @@ SECMOD_AddModule(SECMODModule *newModule) {
newModule->parent = SECMOD_ReferenceModule(defaultDBModule); newModule->parent = SECMOD_ReferenceModule(defaultDBModule);
} }
pk11_AddPermDB(newModule); SECMOD_AddPermDB(newModule);
SECMOD_AddModuleToList(newModule); SECMOD_AddModuleToList(newModule);
return SECSuccess; return SECSuccess;
@ -513,19 +410,7 @@ SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
int s,i; int s,i;
PK11SlotInfo* slot; PK11SlotInfo* slot;
module = SECMOD_NewModule(); module = SECMOD_CreateModule(dllPath,moduleName,NULL, NULL);
if (moduleName) {
module->commonName=PORT_ArenaStrdup(module->arena,moduleName);
} else {
module->commonName=NULL;
}
if (dllPath) {
module->dllName=PORT_ArenaStrdup(module->arena,dllPath);
} else {
module->dllName=NULL;
}
if (module->dllName != NULL) { if (module->dllName != NULL) {
if (module->dllName[0] != 0) { if (module->dllName[0] != 0) {
@ -554,15 +439,7 @@ SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
} /* for each slot of this module */ } /* for each slot of this module */
/* delete and re-add module in order to save changes to the module */ /* delete and re-add module in order to save changes to the module */
result = pk11_DeletePermDB(module); result = SECMOD_UpdateModule(module);
if (result == SECSuccess) {
result = pk11_AddPermDB(module);
if (result == SECSuccess) {
return SECSuccess;
}
}
} }
} }
} }
@ -570,6 +447,18 @@ SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
return result; return result;
} }
SECStatus SECMOD_UpdateModule(SECMODModule *module)
{
SECStatus result;
result = SECMOD_DeletePermDB(module);
if (result == SECSuccess) {
result = SECMOD_AddPermDB(module);
}
return result;
}
/* Public & Internal(Security Library) representation of /* Public & Internal(Security Library) representation of
* encryption mechanism flags conversion */ * encryption mechanism flags conversion */
@ -615,7 +504,6 @@ SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags )
{ {
PRBool result = PR_FALSE; PRBool result = PR_FALSE;
SECMODModuleList *mods = SECMOD_GetDefaultModuleList(); SECMODModuleList *mods = SECMOD_GetDefaultModuleList();
SECMODListLock *modsLock = SECMOD_GetDefaultModuleListLock();
SECMOD_GetReadLock(moduleLock); SECMOD_GetReadLock(moduleLock);
@ -628,3 +516,117 @@ SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags )
SECMOD_ReleaseReadLock(moduleLock); SECMOD_ReleaseReadLock(moduleLock);
return result; return result;
} }
/* create a new ModuleListElement */
SECMODModuleList *SECMOD_NewModuleListElement(void) {
SECMODModuleList *newModList;
newModList= (SECMODModuleList *) PORT_Alloc(sizeof(SECMODModuleList));
if (newModList) {
newModList->next = NULL;
newModList->module = NULL;
}
return newModList;
}
/*
* make a new reference to a module so It doesn't go away on us
*/
SECMODModule *
SECMOD_ReferenceModule(SECMODModule *module) {
PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
PORT_Assert(module->refCount > 0);
module->refCount++;
PK11_USE_THREADS(PZ_Unlock((PZLock*)module->refLock);)
return module;
}
/* destroy an existing module */
void
SECMOD_DestroyModule(SECMODModule *module) {
PRBool willfree = PR_FALSE;
int slotCount;
int i;
PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
if (module->refCount-- == 1) {
willfree = PR_TRUE;
}
PORT_Assert(willfree || (module->refCount > 0));
PK11_USE_THREADS(PZ_Unlock((PZLock *)module->refLock);)
if (!willfree) {
return;
}
/* slots can't really disappear until our module starts freeing them,
* so this check is safe */
slotCount = module->slotCount;
if (slotCount == 0) {
SECMOD_SlotDestroyModule(module,PR_FALSE);
return;
}
/* now free all out slots, when they are done, they will cause the
* module to disappear altogether */
for (i=0 ; i < slotCount; i++) {
if (!module->slots[i]->disabled) {
PK11_ClearSlotList(module->slots[i]);
}
PK11_FreeSlot(module->slots[i]);
}
/* WARNING: once the last slot has been freed is it possible (even likely)
* that module is no more... touching it now is a good way to go south */
}
/* we can only get here if we've destroyed the module, or some one has
* erroneously freed a slot that wasn't referenced. */
void
SECMOD_SlotDestroyModule(SECMODModule *module, PRBool fromSlot) {
PRBool willfree = PR_FALSE;
if (fromSlot) {
PORT_Assert(module->refCount == 0);
PK11_USE_THREADS(PZ_Lock((PZLock *)module->refLock);)
if (module->slotCount-- == 1) {
willfree = PR_TRUE;
}
PORT_Assert(willfree || (module->slotCount > 0));
PK11_USE_THREADS(PZ_Unlock((PZLock *)module->refLock);)
if (!willfree) return;
}
if (module->loaded) {
SECMOD_UnloadModule(module);
}
PK11_USE_THREADS(PZ_DestroyLock((PZLock *)module->refLock);)
PORT_FreeArena(module->arena,PR_FALSE);
}
/* destroy a list element
* this destroys a single element, and returns the next element
* on the chain. It makes it easy to implement for loops to delete
* the chain. It also make deleting a single element easy */
SECMODModuleList *
SECMOD_DestroyModuleListElement(SECMODModuleList *element) {
SECMODModuleList *next = element->next;
if (element->module) {
SECMOD_DestroyModule(element->module);
element->module = NULL;
}
PORT_Free(element);
return next;
}
/*
* Destroy an entire module list
*/
void
SECMOD_DestroyModuleList(SECMODModuleList *list) {
SECMODModuleList *lp;
for ( lp = list; lp != NULL; lp = SECMOD_DestroyModuleListElement(lp)) ;
}

30
security/nss/lib/pk11wrap/secmod.h
View File

@ -75,12 +75,25 @@
SEC_BEGIN_PROTOS SEC_BEGIN_PROTOS
/*
* the following functions are going to be depricated in NSS 4.0 in
* favor of the new stan functions.
*/
/* Initialization */
extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent,
PRBool recurse);
/* Module Management */
char **SECMOD_GetModuleSpecList(SECMODModule *module);
SECStatus SECMOD_FreeModuleSpecList(SECMODModule *module,char **moduleSpecList);
/* protoypes */ /* protoypes */
extern void SECMOD_init(char *dbname);
extern void SECMOD_Shutdown(void);
extern SECMODModuleList *SECMOD_GetDefaultModuleList(void); extern SECMODModuleList *SECMOD_GetDefaultModuleList(void);
extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void); extern SECMODListLock *SECMOD_GetDefaultModuleListLock(void);
extern SECStatus SECMOD_UpdateModule(SECMODModule *module);
/* lock management */ /* lock management */
extern SECMODListLock *SECMOD_NewListLock(void); extern SECMODListLock *SECMOD_NewListLock(void);
extern void SECMOD_DestroyListLock(SECMODListLock *); extern void SECMOD_DestroyListLock(SECMODListLock *);
@ -89,30 +102,17 @@ extern void SECMOD_ReleaseReadLock(SECMODListLock *);
extern void SECMOD_GetWriteLock(SECMODListLock *); extern void SECMOD_GetWriteLock(SECMODListLock *);
extern void SECMOD_ReleaseWriteLock(SECMODListLock *); extern void SECMOD_ReleaseWriteLock(SECMODListLock *);
/* list managment */
extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *);
extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *);
/* Operate on modules by name */ /* Operate on modules by name */
extern SECMODModule *SECMOD_FindModule(char *name); extern SECMODModule *SECMOD_FindModule(char *name);
extern SECMODModule *SECMOD_FindModuleByID(SECMODModuleID);
extern SECStatus SECMOD_DeleteModule(char *name, int *type); extern SECStatus SECMOD_DeleteModule(char *name, int *type);
extern SECStatus SECMOD_DeleteInternalModule(char *name); extern SECStatus SECMOD_DeleteInternalModule(char *name);
extern SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath, extern SECStatus SECMOD_AddNewModule(char* moduleName, char* dllPath,
unsigned long defaultMechanismFlags, unsigned long defaultMechanismFlags,
unsigned long cipherEnableFlags); unsigned long cipherEnableFlags);
/* database/memory management */ /* database/memory management */
extern SECMODModule *SECMOD_NewModule(void);
extern SECMODModuleList *SECMOD_NewModuleListElement(void);
extern SECMODModule *SECMOD_GetInternalModule(void); extern SECMODModule *SECMOD_GetInternalModule(void);
extern SECMODModule *SECMOD_GetFIPSInternal(void);
extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module); extern SECMODModule *SECMOD_ReferenceModule(SECMODModule *module);
extern void SECMOD_DestroyModule(SECMODModule *module); extern void SECMOD_DestroyModule(SECMODModule *module);
extern SECMODModuleList *SECMOD_DestroyModuleListElement(SECMODModuleList *);
extern void SECMOD_DestroyModuleList(SECMODModuleList *);
extern SECMODModule *SECMOD_DupModule(SECMODModule *old);
extern SECStatus SECMOD_AddModule(SECMODModule *newModule);
extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,char *name);
extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module, extern PK11SlotInfo *SECMOD_LookupSlot(SECMODModuleID module,
unsigned long slotID); unsigned long slotID);

38
security/nss/lib/pk11wrap/secmodi.h
View File

@ -42,6 +42,7 @@
#include "secoidt.h" #include "secoidt.h"
#include "secdert.h" #include "secdert.h"
#include "certt.h" #include "certt.h"
#include "secmodt.h"
#include "secmodti.h" #include "secmodti.h"
#ifdef PKCS11_USE_THREADS #ifdef PKCS11_USE_THREADS
@ -53,13 +54,36 @@
SEC_BEGIN_PROTOS SEC_BEGIN_PROTOS
/* proto-types */ /* proto-types */
SECMODModule * SECMOD_NewModule(void); /* create a new module */ SECMODModule * SECMOD_CreateModule(char *lib, char *name, char *param,
SECMODModule * SECMOD_NewInternal(void); /* create an internal module */ char *nss);
extern SECStatus SECMOD_DeletePermDB(SECMODModule *module);
extern SECStatus SECMOD_AddPermDB(SECMODModule *module);
/*void SECMOD_ReferenceModule(SECMODModule *); */ extern void SECMOD_Init(void);
extern void SECMOD_Shutdown(void);
/* list managment */
extern SECStatus SECMOD_AddModuleToList(SECMODModule *newModule);
extern SECStatus SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule);
extern SECStatus SECMOD_AddModuleToUnloadList(SECMODModule *newModule);
extern void SECMOD_RemoveList(SECMODModuleList **,SECMODModuleList *);
extern void SECMOD_AddList(SECMODModuleList *,SECMODModuleList *,SECMODListLock *);
/* Operate on modules by name */
extern SECMODModule *SECMOD_FindModuleByID(SECMODModuleID);
/* database/memory management */
extern SECMODModuleList *SECMOD_NewModuleListElement(void);
extern SECMODModuleList *SECMOD_DestroyModuleListElement(SECMODModuleList *);
extern void SECMOD_DestroyModuleList(SECMODModuleList *);
extern SECStatus SECMOD_AddModule(SECMODModule *newModule);
extern PK11SlotInfo *SECMOD_FindSlot(SECMODModule *module,char *name);
extern unsigned long SECMOD_PubCipherFlagstoInternal(unsigned long publicFlags);
extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags);
/* Library functions */ /* Library functions */
SECStatus SECMOD_LoadModule(SECMODModule *); SECStatus SECMOD_LoadPKCS11Module(SECMODModule *);
SECStatus SECMOD_UnloadModule(SECMODModule *); SECStatus SECMOD_UnloadModule(SECMODModule *);
void SECMOD_SetInternalModule(SECMODModule *); void SECMOD_SetInternalModule(SECMODModule *);
@ -69,10 +93,16 @@ CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
void pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib); void pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib);
CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot, CK_OBJECT_HANDLE pk11_FindObjectByTemplate(PK11SlotInfo *slot,
CK_ATTRIBUTE *inTemplate,int tsize); CK_ATTRIBUTE *inTemplate,int tsize);
SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
PK11DefaultArrayEntry *entry, PRBool add);
SEC_END_PROTOS SEC_END_PROTOS
#define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList)) #define PK11_GETTAB(x) ((CK_FUNCTION_LIST_PTR)((x)->functionList))
#define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \ #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
(x)->pValue=(v); (x)->ulValueLen = (l); (x)->pValue=(v); (x)->ulValueLen = (l);
SECStatus PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
CK_ATTRIBUTE *theTemplate, int count,
PRBool token, CK_OBJECT_HANDLE *objectID);
#endif #endif

48
security/nss/lib/pk11wrap/secmodt.h
View File

@ -36,6 +36,17 @@
#ifndef _SECMODT_H_ #ifndef _SECMODT_H_
#define _SECMODT_H_ 1 #define _SECMODT_H_ 1
#include "secoid.h"
#include "secasn1.h"
/* find a better home for these... */
extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
/* PKCS11 needs to be included */ /* PKCS11 needs to be included */
typedef struct SECMODModuleStr SECMODModule; typedef struct SECMODModuleStr SECMODModule;
typedef struct SECMODModuleListStr SECMODModuleList; typedef struct SECMODModuleListStr SECMODModuleList;
@ -79,7 +90,6 @@ struct SECMODModuleStr {
PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
int trustOrder; /* order for this module's certificate trust rollup */ int trustOrder; /* order for this module's certificate trust rollup */
int cipherOrder; /* order for cipher operations */ int cipherOrder; /* order for cipher operations */
}; };
struct SECMODModuleListStr { struct SECMODModuleListStr {
@ -189,4 +199,40 @@ typedef char *(*PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
typedef PRBool (*PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); typedef PRBool (*PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
typedef PRBool (*PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); typedef PRBool (*PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
/*
* PKCS #11 key structures
*/
/*
** Attributes
*/
struct SECKEYPrivAttributeStr {
SECItem attrType;
SECItem **attrValue;
};
typedef struct SECKEYPrivAttributeStr SECKEYPrivAttribute;
/*
** A PKCS#8 private key info object
*/
struct SECKEYPrivateKeyInfoStr {
PLArenaPool *arena;
SECItem version;
SECAlgorithmID algorithm;
SECItem privateKey;
SECKEYPrivAttribute **attributes;
};
typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
#define SEC_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
/*
** A PKCS#8 private key info object
*/
struct SECKEYEncryptedPrivateKeyInfoStr {
PLArenaPool *arena;
SECAlgorithmID algorithm;
SECItem encryptedData;
};
typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
#endif /*_SECMODT_H_ */ #endif /*_SECMODT_H_ */

10
security/nss/lib/pk11wrap/secmodti.h
View File

@ -135,6 +135,16 @@ struct PK11PreSlotInfoStr {
char hasRootTrust; /* is this the root cert PKCS #11 module? */ char hasRootTrust; /* is this the root cert PKCS #11 module? */
}; };
#define SECMOD_SLOT_FLAGS "slotFlags={RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES}"
#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
/* Symetric Key structure. Reference Counted */ /* Symetric Key structure. Reference Counted */
struct PK11SymKeyStr { struct PK11SymKeyStr {
CK_MECHANISM_TYPE type; /* type of operation this key was created for*/ CK_MECHANISM_TYPE type; /* type of operation this key was created for*/