From cdcebb8e7ed5c41b968b228ad6085766173de7e7 Mon Sep 17 00:00:00 2001 From: "relyea%netscape.com" Date: Wed, 23 Nov 2005 23:04:08 +0000 Subject: [PATCH] PKCS #11 module to supply Access to the Mac OS X Keychain. --- security/nss/lib/ckfw/nssmkey/Makefile | 105 ++ security/nss/lib/ckfw/nssmkey/README | 21 + security/nss/lib/ckfw/nssmkey/ckmk.h | 236 +++ security/nss/lib/ckfw/nssmkey/ckmkver.c | 59 + security/nss/lib/ckfw/nssmkey/config.mk | 57 + security/nss/lib/ckfw/nssmkey/manchor.c | 55 + security/nss/lib/ckfw/nssmkey/manifest.mn | 66 + security/nss/lib/ckfw/nssmkey/mconstants.c | 96 + security/nss/lib/ckfw/nssmkey/mfind.c | 404 ++++ security/nss/lib/ckfw/nssmkey/minst.c | 148 ++ security/nss/lib/ckfw/nssmkey/mobject.c | 1959 ++++++++++++++++++++ security/nss/lib/ckfw/nssmkey/mrsa.c | 547 ++++++ security/nss/lib/ckfw/nssmkey/msession.c | 131 ++ security/nss/lib/ckfw/nssmkey/mslot.c | 129 ++ security/nss/lib/ckfw/nssmkey/mtoken.c | 246 +++ security/nss/lib/ckfw/nssmkey/nssmkey.def | 58 + security/nss/lib/ckfw/nssmkey/nssmkey.h | 75 + security/nss/lib/ckfw/nssmkey/staticobj.c | 74 + 18 files changed, 4466 insertions(+) create mode 100644 security/nss/lib/ckfw/nssmkey/Makefile create mode 100644 security/nss/lib/ckfw/nssmkey/README create mode 100644 security/nss/lib/ckfw/nssmkey/ckmk.h create mode 100644 security/nss/lib/ckfw/nssmkey/ckmkver.c create mode 100644 security/nss/lib/ckfw/nssmkey/config.mk create mode 100644 security/nss/lib/ckfw/nssmkey/manchor.c create mode 100644 security/nss/lib/ckfw/nssmkey/manifest.mn create mode 100644 security/nss/lib/ckfw/nssmkey/mconstants.c create mode 100644 security/nss/lib/ckfw/nssmkey/mfind.c create mode 100644 security/nss/lib/ckfw/nssmkey/minst.c create mode 100644 security/nss/lib/ckfw/nssmkey/mobject.c create mode 100644 security/nss/lib/ckfw/nssmkey/mrsa.c create mode 100644 security/nss/lib/ckfw/nssmkey/msession.c create mode 100644 security/nss/lib/ckfw/nssmkey/mslot.c create mode 100644 security/nss/lib/ckfw/nssmkey/mtoken.c create mode 100644 security/nss/lib/ckfw/nssmkey/nssmkey.def create mode 100644 security/nss/lib/ckfw/nssmkey/nssmkey.h create mode 100644 security/nss/lib/ckfw/nssmkey/staticobj.c diff --git a/security/nss/lib/ckfw/nssmkey/Makefile b/security/nss/lib/ckfw/nssmkey/Makefile new file mode 100644 index 000000000000..fb68dbc9bd3d --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/Makefile @@ -0,0 +1,105 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +MAKEFILE_CVS_ID = "@(#) $RCSfile: Makefile,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $" + +include manifest.mn +include $(CORE_DEPTH)/coreconf/config.mk +include config.mk + +EXTRA_LIBS = \ + $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ + $(NULL) + +# can't do this in manifest.mn because OS_TARGET isn't defined there. +ifeq (,$(filter-out WIN%,$(OS_TARGET))) + +ifdef NS_USE_GCC +EXTRA_LIBS += \ + -L$(NSPR_LIB_DIR) \ + -lplc4 \ + -lplds4 \ + -lnspr4 \ + $(NULL) +else +EXTRA_SHARED_LIBS += \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \ + $(NULL) +endif # NS_USE_GCC +else + +EXTRA_LIBS += \ + -L$(NSPR_LIB_DIR) \ + -lplc4 \ + -lplds4 \ + -lnspr4 \ + -framework Security \ + -framework CoreServices \ + $(NULL) +endif + + +include $(CORE_DEPTH)/coreconf/rules.mk + +# Generate certdata.c. +generate: + perl certdata.perl < certdata.txt + +# This'll need some help from a build person. + + +ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1) +DSO_LDOPTS = -bM:SRE -bh:4 -bnoentry +EXTRA_DSO_LDOPTS = -lc +MKSHLIB = xlC $(DSO_LDOPTS) + +$(SHARED_LIBRARY): $(OBJS) + @$(MAKE_OBJDIR) + rm -f $@ + $(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS) + chmod +x $@ + +endif + +ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2) +LD += -G +endif + + diff --git a/security/nss/lib/ckfw/nssmkey/README b/security/nss/lib/ckfw/nssmkey/README new file mode 100644 index 000000000000..c060d9c3c0a2 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/README @@ -0,0 +1,21 @@ +This Cryptoki module provides acces to certs and keys stored in +Macintosh key Ring. + +- It does not yet export PKCS #12 keys. To get this to work should be + implemented using exporting the key object in PKCS #8 wrapped format. + PSM work needs to happen before this can be completed. +- It does not import or export CA Root trust from the mac keychain. +- It does not handle S/MIME objects (pkcs #7 in mac keychain terms?). +- The AuthRoots don't show up on the default list. +- Only RSA keys are supported currently. + +There are a number of things that have not been tested that other PKCS #11 +apps may need: +- reading Modulus and Public Exponents from private keys and public keys. +- storing public keys. +- setting attributes other than CKA_ID and CKA_LABEL. + +Other TODOs: +- Check for and plug memory leaks. +- Need to map mac errors into something more intellegible than + CKR_GENERAL_ERROR. diff --git a/security/nss/lib/ckfw/nssmkey/ckmk.h b/security/nss/lib/ckfw/nssmkey/ckmk.h new file mode 100644 index 000000000000..5ff2d1fc9655 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/ckmk.h @@ -0,0 +1,236 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef CKMK_H +#define CKMK_H 1 + +#ifdef DEBUG +static const char CKMK_CVS_ID[] = "@(#) $RCSfile: ckmk.h,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#include +#include +#include +#include +#include +#include +#include + +#define NTO + +#include "nssckmdt.h" +#include "nssckfw.h" +/* + * I'm including this for access to the arena functions. + * Looks like we should publish that API. + */ +#ifndef BASE_H +#include "base.h" +#endif /* BASE_H */ +/* + * This is where the Netscape extensions live, at least for now. + */ +#ifndef CKT_H +#include "ckt.h" +#endif /* CKT_H */ + +/* + * statically defined raw objects. Allows us to data description objects + * to this PKCS #11 module. + */ +struct ckmkRawObjectStr { + CK_ULONG n; + const CK_ATTRIBUTE_TYPE *types; + const NSSItem *items; +}; +typedef struct ckmkRawObjectStr ckmkRawObject; + +/* + * Key/Cert Items + */ +struct ckmkItemObjectStr { + SecKeychainItemRef itemRef; + SecItemClass itemClass; + PRBool hasID; + NSSItem modify; + NSSItem private; + NSSItem encrypt; + NSSItem decrypt; + NSSItem derive; + NSSItem sign; + NSSItem signRecover; + NSSItem verify; + NSSItem verifyRecover; + NSSItem wrap; + NSSItem unwrap; + NSSItem label; + NSSItem subject; + NSSItem issuer; + NSSItem serial; + NSSItem derCert; + NSSItem id; + NSSItem modulus; + NSSItem exponent; + NSSItem privateExponent; + NSSItem prime1; + NSSItem prime2; + NSSItem exponent1; + NSSItem exponent2; + NSSItem coefficient; +}; +typedef struct ckmkItemObjectStr ckmkItemObject; + +typedef enum { + ckmkRaw, + ckmkItem, +} ckmkObjectType; + +/* + * all the various types of objects are abstracted away in cobject and + * cfind as ckmkInternalObjects. + */ +struct ckmkInternalObjectStr { + ckmkObjectType type; + union { + ckmkRawObject raw; + ckmkItemObject item; + } u; + CK_OBJECT_CLASS objClass; + NSSItem hashKey; + unsigned char hashKeyData[128]; + NSSCKMDObject mdObject; +}; +typedef struct ckmkInternalObjectStr ckmkInternalObject; + +/* our raw object data array */ +NSS_EXTERN_DATA ckmkInternalObject nss_ckmk_data[]; +NSS_EXTERN_DATA const PRUint32 nss_ckmk_nObjects; + +NSS_EXTERN_DATA const CK_VERSION nss_ckmk_CryptokiVersion; +NSS_EXTERN_DATA const NSSUTF8 * nss_ckmk_ManufacturerID; +NSS_EXTERN_DATA const NSSUTF8 * nss_ckmk_LibraryDescription; +NSS_EXTERN_DATA const CK_VERSION nss_ckmk_LibraryVersion; +NSS_EXTERN_DATA const NSSUTF8 * nss_ckmk_SlotDescription; +NSS_EXTERN_DATA const CK_VERSION nss_ckmk_HardwareVersion; +NSS_EXTERN_DATA const CK_VERSION nss_ckmk_FirmwareVersion; +NSS_EXTERN_DATA const NSSUTF8 * nss_ckmk_TokenLabel; +NSS_EXTERN_DATA const NSSUTF8 * nss_ckmk_TokenModel; +NSS_EXTERN_DATA const NSSUTF8 * nss_ckmk_TokenSerialNumber; + +NSS_EXTERN_DATA const NSSCKMDInstance nss_ckmk_mdInstance; +NSS_EXTERN_DATA const NSSCKMDSlot nss_ckmk_mdSlot; +NSS_EXTERN_DATA const NSSCKMDToken nss_ckmk_mdToken; +NSS_EXTERN_DATA const NSSCKMDMechanism nss_ckmk_mdMechanismRSA; + +NSS_EXTERN NSSCKMDSession * +nss_ckmk_CreateSession +( + NSSCKFWSession *fwSession, + CK_RV *pError +); + +NSS_EXTERN NSSCKMDFindObjects * +nss_ckmk_FindObjectsInit +( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +); + +/* + * Object Utilities + */ +NSS_EXTERN NSSCKMDObject * +nss_ckmk_CreateMDObject +( + NSSArena *arena, + ckmkInternalObject *io, + CK_RV *pError +); + +NSS_EXTERN NSSCKMDObject * +nss_ckmk_CreateObject +( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +); + +NSS_EXTERN const NSSItem * +nss_ckmk_FetchAttribute +( + ckmkInternalObject *io, + CK_ATTRIBUTE_TYPE type, + CK_RV *pError +); + +NSS_EXTERN void +nss_ckmk_DestroyInternalObject +( + ckmkInternalObject *io +); + +unsigned char * +nss_ckmk_DERUnwrap +( + unsigned char *src, + int size, + int *outSize, + unsigned char **next +); + +CK_ULONG +nss_ckmk_GetULongAttribute +( + CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *template, + CK_ULONG templateSize, + CK_RV *pError; +); + +#define NSS_CKMK_ARRAY_SIZE(x) ((sizeof (x))/(sizeof ((x)[0]))) + +#ifdef DEBUG +#define CKMK_MACERR(str,err) cssmPerror(str,err) +#else +#define CKMK_MACERR(str,err) +#endif + +#endif diff --git a/security/nss/lib/ckfw/nssmkey/ckmkver.c b/security/nss/lib/ckfw/nssmkey/ckmkver.c new file mode 100644 index 000000000000..9cbb2d2e02f3 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/ckmkver.c @@ -0,0 +1,59 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +/* Library identity and versioning */ + +#include "nssmkey.h" + +#if defined(DEBUG) +#define _DEBUG_STRING " (debug)" +#else +#define _DEBUG_STRING "" +#endif + +/* + * Version information for the 'ident' and 'what commands + * + * NOTE: the first component of the concatenated rcsid string + * must not end in a '$' to prevent rcs keyword substitution. + */ +const char __nss_ckmk_rcsid[] = "$Header: NSS Access to the MAC OS X Key Ring " + NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING + " " __DATE__ " " __TIME__ " $"; +const char __nss_ckmk_sccsid[] = "@(#)NSS Access to the MAC OS X Key Ring " + NSS_CKMK_LIBRARY_VERSION _DEBUG_STRING + " " __DATE__ " " __TIME__; diff --git a/security/nss/lib/ckfw/nssmkey/config.mk b/security/nss/lib/ckfw/nssmkey/config.mk new file mode 100644 index 000000000000..4f65475bca97 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/config.mk @@ -0,0 +1,57 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +CONFIG_CVS_ID = "@(#) $RCSfile: config.mk,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $" + +ifdef BUILD_IDG +DEFINES += -DNSSDEBUG +endif + +ifdef NS_USE_CKFW_TRACE +DEFINES += -DTRACE +endif + +# +# Override TARGETS variable so that only static libraries +# are specifed as dependencies within rules.mk. +# + +TARGETS = $(LIBRARY) +SHARED_LIBRARY = +IMPORT_LIBRARY = +PROGRAM = + + diff --git a/security/nss/lib/ckfw/nssmkey/manchor.c b/security/nss/lib/ckfw/nssmkey/manchor.c new file mode 100644 index 000000000000..16977110d0ff --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/manchor.c @@ -0,0 +1,55 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: manchor.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +/* + * nssmkey/manchor.c + * + * This file "anchors" the actual cryptoki entry points in this module's + * shared library, which is required for dynamic loading. See the + * comments in nssck.api for more information. + */ + +#include "ckmk.h" + +#define MODULE_NAME ckmk +#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckmk_mdInstance +#include "nssck.api" diff --git a/security/nss/lib/ckfw/nssmkey/manifest.mn b/security/nss/lib/ckfw/nssmkey/manifest.mn new file mode 100644 index 000000000000..3a905922fda4 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/manifest.mn @@ -0,0 +1,66 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +MANIFEST_CVS_ID = "@(#) $RCSfile: manifest.mn,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $" + +CORE_DEPTH = ../../../.. + +MODULE = nss +MAPFILE = $(OBJDIR)/nssmkey.def + +EXPORTS = \ + nssmkey.h \ + $(NULL) + +CSRCS = \ + manchor.c \ + mconstants.c \ + mfind.c \ + minst.c \ + mobject.c \ + mrsa.c \ + msession.c \ + mslot.c \ + mtoken.c \ + ckmkver.c \ + staticobj.c \ + $(NULL) + +REQUIRES = nspr + +LIBRARY_NAME = nssmkey + +#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 diff --git a/security/nss/lib/ckfw/nssmkey/mconstants.c b/security/nss/lib/ckfw/nssmkey/mconstants.c new file mode 100644 index 000000000000..1fa7a4650d32 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/mconstants.c @@ -0,0 +1,96 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: mconstants.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +/* + * nssmkey/constants.c + * + * Identification and other constants, all collected here in one place. + */ + +#ifndef NSSBASET_H +#include "nssbaset.h" +#endif /* NSSBASET_H */ + +#ifndef NSSCKT_H +#include "nssckt.h" +#endif /* NSSCKT_H */ + +#include "nssmkey.h" + +NSS_IMPLEMENT_DATA const CK_VERSION +nss_ckmk_CryptokiVersion = { + NSS_CKMK_CRYPTOKI_VERSION_MAJOR, + NSS_CKMK_CRYPTOKI_VERSION_MINOR }; + +NSS_IMPLEMENT_DATA const NSSUTF8 * +nss_ckmk_ManufacturerID = (NSSUTF8 *) "Mozilla Foundation"; + +NSS_IMPLEMENT_DATA const NSSUTF8 * +nss_ckmk_LibraryDescription = (NSSUTF8 *) "NSS Access to Mac OS X Key Ring"; + +NSS_IMPLEMENT_DATA const CK_VERSION +nss_ckmk_LibraryVersion = { + NSS_CKMK_LIBRARY_VERSION_MAJOR, + NSS_CKMK_LIBRARY_VERSION_MINOR}; + +NSS_IMPLEMENT_DATA const NSSUTF8 * +nss_ckmk_SlotDescription = (NSSUTF8 *) "Mac OS X Key Ring"; + +NSS_IMPLEMENT_DATA const CK_VERSION +nss_ckmk_HardwareVersion = { + NSS_CKMK_HARDWARE_VERSION_MAJOR, + NSS_CKMK_HARDWARE_VERSION_MINOR }; + +NSS_IMPLEMENT_DATA const CK_VERSION +nss_ckmk_FirmwareVersion = { + NSS_CKMK_FIRMWARE_VERSION_MAJOR, + NSS_CKMK_FIRMWARE_VERSION_MINOR }; + +NSS_IMPLEMENT_DATA const NSSUTF8 * +nss_ckmk_TokenLabel = (NSSUTF8 *) "Mac OS X Key Ring"; + +NSS_IMPLEMENT_DATA const NSSUTF8 * +nss_ckmk_TokenModel = (NSSUTF8 *) "1"; + +NSS_IMPLEMENT_DATA const NSSUTF8 * +nss_ckmk_TokenSerialNumber = (NSSUTF8 *) "1"; + diff --git a/security/nss/lib/ckfw/nssmkey/mfind.c b/security/nss/lib/ckfw/nssmkey/mfind.c new file mode 100644 index 000000000000..3beaa93f55d6 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/mfind.c @@ -0,0 +1,404 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: mfind.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#ifndef CKMK_H +#include "ckmk.h" +#endif /* CKMK_H */ + +/* + * nssmkey/mfind.c + * + * This file implements the NSSCKMDFindObjects object for the + * "nssmkey" cryptoki module. + */ + +struct ckmkFOStr { + NSSArena *arena; + CK_ULONG n; + CK_ULONG i; + ckmkInternalObject **objs; +}; + +static void +ckmk_mdFindObjects_Final +( + NSSCKMDFindObjects *mdFindObjects, + NSSCKFWFindObjects *fwFindObjects, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc; + NSSArena *arena = fo->arena; + PRUint32 i; + + /* walk down an free the unused 'objs' */ + for (i=fo->i; i < fo->n ; i++) { + nss_ckmk_DestroyInternalObject(fo->objs[i]); + } + + nss_ZFreeIf(fo->objs); + nss_ZFreeIf(fo); + nss_ZFreeIf(mdFindObjects); + if ((NSSArena *)NULL != arena) { + NSSArena_Destroy(arena); + } + + return; +} + +static NSSCKMDObject * +ckmk_mdFindObjects_Next +( + NSSCKMDFindObjects *mdFindObjects, + NSSCKFWFindObjects *fwFindObjects, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSArena *arena, + CK_RV *pError +) +{ + struct ckmkFOStr *fo = (struct ckmkFOStr *)mdFindObjects->etc; + ckmkInternalObject *io; + + if( fo->i == fo->n ) { + *pError = CKR_OK; + return (NSSCKMDObject *)NULL; + } + + io = fo->objs[ fo->i ]; + fo->i++; + + return nss_ckmk_CreateMDObject(arena, io, pError); +} + +static CK_BBOOL +ckmk_attrmatch +( + CK_ATTRIBUTE_PTR a, + ckmkInternalObject *o +) +{ + PRBool prb; + const NSSItem *b; + CK_RV error; + + b = nss_ckmk_FetchAttribute(o, a->type, &error); + if (b == NULL) { + return CK_FALSE; + } + + if( a->ulValueLen != b->size ) { + /* match a decoded serial number */ + if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) { + int len; + unsigned char *data; + + data = nss_ckmk_DERUnwrap(b->data, b->size, &len, NULL); + if ((len == a->ulValueLen) && + nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) { + return CK_TRUE; + } + } + return CK_FALSE; + } + + prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL); + + if( PR_TRUE == prb ) { + return CK_TRUE; + } else { + return CK_FALSE; + } +} + + +static CK_BBOOL +ckmk_match +( + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + ckmkInternalObject *o +) +{ + CK_ULONG i; + + for( i = 0; i < ulAttributeCount; i++ ) { + if (CK_FALSE == ckmk_attrmatch(&pTemplate[i], o)) { + return CK_FALSE; + } + } + + /* Every attribute passed */ + return CK_TRUE; +} + +#define CKMK_ITEM_CHUNK 20 + +#define PUT_OBJECT(obj, err, size, count, list) \ + { \ + if (count >= size) { \ + (list) = (list) ? \ + nss_ZREALLOCARRAY(list, ckmkInternalObject *, \ + ((size)+CKMK_ITEM_CHUNK) ) : \ + nss_ZNEWARRAY(NULL, ckmkInternalObject *, \ + ((size)+CKMK_ITEM_CHUNK) ) ; \ + if ((ckmkInternalObject **)NULL == list) { \ + err = CKR_HOST_MEMORY; \ + goto loser; \ + } \ + (size) += CKMK_ITEM_CHUNK; \ + } \ + (list)[ count ] = (obj); \ + count++; \ + } + + +/* find all the certs that represent the appropriate object (cert, priv key, or + * pub key) in the cert store. + */ +static PRUint32 +collect_class( + CK_OBJECT_CLASS objClass, + SecItemClass itemClass, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + ckmkInternalObject ***listp, + PRUint32 *sizep, + PRUint32 count, + CK_RV *pError +) +{ + ckmkInternalObject *next = NULL; + SecKeychainSearchRef searchRef = 0; + SecKeychainItemRef itemRef = 0; + OSStatus error; + + /* future, build the attribute list based on the template + * so we can refine the search */ + error = SecKeychainSearchCreateFromAttributes( + NULL, itemClass, NULL, &searchRef); + + while (noErr == SecKeychainSearchCopyNext(searchRef, &itemRef)) { + /* if we don't have an internal object structure, get one */ + if ((ckmkInternalObject *)NULL == next) { + next = nss_ZNEW(NULL, ckmkInternalObject); + if ((ckmkInternalObject *)NULL == next) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + } + /* fill in the relevant object data */ + next->type = ckmkItem; + next->objClass = objClass; + next->u.item.itemRef = itemRef; + next->u.item.itemClass = itemClass; + + /* see if this is one of the objects we are looking for */ + if( CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, next) ) { + /* yes, put it on the list */ + PUT_OBJECT(next, *pError, *sizep, count, *listp); + next = NULL; /* this one is on the list, need to allocate a new one now */ + } else { + /* no , release the current item and clear out the structure for reuse */ + CFRelease(itemRef); + /* don't cache the values we just loaded */ + nsslibc_memset(next, 0, sizeof(*next)); + } + } +loser: + if (searchRef) { + CFRelease(searchRef); + } + nss_ZFreeIf(next); + return count; +} + +static PRUint32 +collect_objects( + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + ckmkInternalObject ***listp, + CK_RV *pError +) +{ + PRUint32 i; + PRUint32 count = 0; + PRUint32 size = 0; + CK_OBJECT_CLASS objClass; + + /* + * first handle the static build in objects (if any) + */ + for( i = 0; i < nss_ckmk_nObjects; i++ ) { + ckmkInternalObject *o = (ckmkInternalObject *)&nss_ckmk_data[i]; + + if( CK_TRUE == ckmk_match(pTemplate, ulAttributeCount, o) ) { + PUT_OBJECT(o, *pError, size, count, *listp); + } + } + + /* + * now handle the various object types + */ + objClass = nss_ckmk_GetULongAttribute(CKA_CLASS, + pTemplate, ulAttributeCount, pError); + if (CKR_OK != *pError) { + objClass = CK_INVALID_HANDLE; + } + *pError = CKR_OK; + switch (objClass) { + case CKO_CERTIFICATE: + count = collect_class(objClass, kSecCertificateItemClass, + pTemplate, ulAttributeCount, listp, + &size, count, pError); + break; + case CKO_PUBLIC_KEY: + count = collect_class(objClass, CSSM_DL_DB_RECORD_PUBLIC_KEY, + pTemplate, ulAttributeCount, listp, + &size, count, pError); + break; + case CKO_PRIVATE_KEY: + count = collect_class(objClass, CSSM_DL_DB_RECORD_PRIVATE_KEY, + pTemplate, ulAttributeCount, listp, + &size, count, pError); + break; + /* all of them */ + case CK_INVALID_HANDLE: + count = collect_class(CKO_CERTIFICATE, kSecCertificateItemClass, + pTemplate, ulAttributeCount, listp, + &size, count, pError); + count = collect_class(CKO_PUBLIC_KEY, CSSM_DL_DB_RECORD_PUBLIC_KEY, + pTemplate, ulAttributeCount, listp, + &size, count, pError); + count = collect_class(CKO_PUBLIC_KEY, CSSM_DL_DB_RECORD_PRIVATE_KEY, + pTemplate, ulAttributeCount, listp, + &size, count, pError); + break; + default: + break; + } + if (CKR_OK != *pError) { + goto loser; + } + + return count; +loser: + nss_ZFreeIf(*listp); + return 0; +} + + +NSS_IMPLEMENT NSSCKMDFindObjects * +nss_ckmk_FindObjectsInit +( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +) +{ + /* This could be made more efficient. I'm rather rushed. */ + NSSArena *arena; + NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL; + struct ckmkFOStr *fo = (struct ckmkFOStr *)NULL; + ckmkInternalObject **temp = (ckmkInternalObject **)NULL; + + arena = NSSArena_Create(); + if( (NSSArena *)NULL == arena ) { + goto loser; + } + + rv = nss_ZNEW(arena, NSSCKMDFindObjects); + if( (NSSCKMDFindObjects *)NULL == rv ) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + + fo = nss_ZNEW(arena, struct ckmkFOStr); + if( (struct ckmkFOStr *)NULL == fo ) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + + fo->arena = arena; + /* fo->n and fo->i are already zero */ + + rv->etc = (void *)fo; + rv->Final = ckmk_mdFindObjects_Final; + rv->Next = ckmk_mdFindObjects_Next; + rv->null = (void *)NULL; + + fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError); + if (*pError != CKR_OK) { + goto loser; + } + + fo->objs = nss_ZNEWARRAY(arena, ckmkInternalObject *, fo->n); + if( (ckmkInternalObject **)NULL == fo->objs ) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + + (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckmkInternalObject *) * fo->n); + nss_ZFreeIf(temp); + temp = (ckmkInternalObject **)NULL; + + return rv; + + loser: + nss_ZFreeIf(temp); + nss_ZFreeIf(fo); + nss_ZFreeIf(rv); + if ((NSSArena *)NULL != arena) { + NSSArena_Destroy(arena); + } + return (NSSCKMDFindObjects *)NULL; +} + diff --git a/security/nss/lib/ckfw/nssmkey/minst.c b/security/nss/lib/ckfw/nssmkey/minst.c new file mode 100644 index 000000000000..190985330342 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/minst.c @@ -0,0 +1,148 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: minst.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#include "ckmk.h" + +/* + * nssmkey/minstance.c + * + * This file implements the NSSCKMDInstance object for the + * "nssmkey" cryptoki module. + */ + +/* + * NSSCKMDInstance methods + */ + +static CK_ULONG +ckmk_mdInstance_GetNSlots +( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (CK_ULONG)1; +} + +static CK_VERSION +ckmk_mdInstance_GetCryptokiVersion +( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return nss_ckmk_CryptokiVersion; +} + +static NSSUTF8 * +ckmk_mdInstance_GetManufacturerID +( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_ManufacturerID; +} + +static NSSUTF8 * +ckmk_mdInstance_GetLibraryDescription +( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_LibraryDescription; +} + +static CK_VERSION +ckmk_mdInstance_GetLibraryVersion +( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return nss_ckmk_LibraryVersion; +} + +static CK_RV +ckmk_mdInstance_GetSlots +( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSCKMDSlot *slots[] +) +{ + slots[0] = (NSSCKMDSlot *)&nss_ckmk_mdSlot; + return CKR_OK; +} + +static CK_BBOOL +ckmk_mdInstance_ModuleHandlesSessionObjects +( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + /* we don't want to allow any session object creation, at least + * until we can investigate whether or not we can use those objects + */ + return CK_TRUE; +} + +NSS_IMPLEMENT_DATA const NSSCKMDInstance +nss_ckmk_mdInstance = { + (void *)NULL, /* etc */ + NULL, /* Initialize */ + NULL, /* Finalize */ + ckmk_mdInstance_GetNSlots, + ckmk_mdInstance_GetCryptokiVersion, + ckmk_mdInstance_GetManufacturerID, + ckmk_mdInstance_GetLibraryDescription, + ckmk_mdInstance_GetLibraryVersion, + ckmk_mdInstance_ModuleHandlesSessionObjects, + /*NULL, /* HandleSessionObjects */ + ckmk_mdInstance_GetSlots, + NULL, /* WaitForSlotEvent */ + (void *)NULL /* null terminator */ +}; diff --git a/security/nss/lib/ckfw/nssmkey/mobject.c b/security/nss/lib/ckfw/nssmkey/mobject.c new file mode 100644 index 000000000000..23209f91c95e --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/mobject.c @@ -0,0 +1,1959 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: mobject.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#include "ckmk.h" +#include "nssbase.h" + +#include "secdert.h" /* for DER_INTEGER */ +#include "string.h" + +/* asn1 encoder (to build pkcs#8 blobs) */ +#include +#include +#include +#include +#include + +/* for importing the keys */ +#include +#include + +/* + * nssmkey/mobject.c + * + * This file implements the NSSCKMDObject object for the + * "nssmkey" cryptoki module. + */ + +const CK_ATTRIBUTE_TYPE certAttrs[] = { + CKA_CLASS, + CKA_TOKEN, + CKA_PRIVATE, + CKA_MODIFIABLE, + CKA_LABEL, + CKA_CERTIFICATE_TYPE, + CKA_SUBJECT, + CKA_ISSUER, + CKA_SERIAL_NUMBER, + CKA_VALUE +}; +const PRUint32 certAttrsCount = NSS_CKMK_ARRAY_SIZE(certAttrs); + +/* private keys, for now only support RSA */ +const CK_ATTRIBUTE_TYPE privKeyAttrs[] = { + CKA_CLASS, + CKA_TOKEN, + CKA_PRIVATE, + CKA_MODIFIABLE, + CKA_LABEL, + CKA_KEY_TYPE, + CKA_DERIVE, + CKA_LOCAL, + CKA_SUBJECT, + CKA_SENSITIVE, + CKA_DECRYPT, + CKA_SIGN, + CKA_SIGN_RECOVER, + CKA_UNWRAP, + CKA_EXTRACTABLE, + CKA_ALWAYS_SENSITIVE, + CKA_NEVER_EXTRACTABLE, + CKA_MODULUS, + CKA_PUBLIC_EXPONENT, +}; +const PRUint32 privKeyAttrsCount = NSS_CKMK_ARRAY_SIZE(privKeyAttrs); + +/* public keys, for now only support RSA */ +const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = { + CKA_CLASS, + CKA_TOKEN, + CKA_PRIVATE, + CKA_MODIFIABLE, + CKA_LABEL, + CKA_KEY_TYPE, + CKA_DERIVE, + CKA_LOCAL, + CKA_SUBJECT, + CKA_ENCRYPT, + CKA_VERIFY, + CKA_VERIFY_RECOVER, + CKA_WRAP, + CKA_MODULUS, + CKA_PUBLIC_EXPONENT, +}; +const PRUint32 pubKeyAttrsCount = NSS_CKMK_ARRAY_SIZE(pubKeyAttrs); +static const CK_BBOOL ck_true = CK_TRUE; +static const CK_BBOOL ck_false = CK_FALSE; +static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509; +static const CK_KEY_TYPE ckk_rsa = CKK_RSA; +static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE; +static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY; +static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY; +static const NSSItem ckmk_trueItem = { + (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }; +static const NSSItem ckmk_falseItem = { + (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }; +static const NSSItem ckmk_x509Item = { + (void *)&ckc_x509, (PRUint32)sizeof(CKC_X_509) }; +static const NSSItem ckmk_rsaItem = { + (void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE) }; +static const NSSItem ckmk_certClassItem = { + (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }; +static const NSSItem ckmk_privKeyClassItem = { + (void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS) }; +static const NSSItem ckmk_pubKeyClassItem = { + (void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS) }; +static const NSSItem ckmk_emptyItem = { + (void *)&ck_true, 0}; + +/* + * these are utilities. The chould be moved to a new utilities file. + */ +#ifdef DEBUG +static void +itemdump(char *str, void *data, int size, CK_RV error) +{ + unsigned char *ptr = (unsigned char *)data; + int i; + fprintf(stderr,str); + for (i=0; i < size; i++) { + fprintf(stderr,"%02x ",(unsigned int) ptr[i]); + } + fprintf(stderr," (error = %d)\n", (int ) error); +} +#endif + +/* + * unwrap a single DER value + * now that we have util linked in, we should probably use + * the ANS1_Decoder for this work... + */ +unsigned char * +nss_ckmk_DERUnwrap +( + unsigned char *src, + int size, + int *outSize, + unsigned char **next +) +{ + unsigned char *start = src; + unsigned int len = 0; + + /* initialize error condition return values */ + *outSize = 0; + if (next) { + *next = src; + } + + if (size < 2) { + return start; + } + src ++ ; /* skip the tag -- should check it against an expected value! */ + len = (unsigned) *src++; + if (len & 0x80) { + int count = len & 0x7f; + len =0; + + if (count+2 > size) { + return start; + } + while (count-- > 0) { + len = (len << 8) | (unsigned) *src++; + } + } + if (len + (src-start) > (unsigned int)size) { + return start; + } + if (next) { + *next = src+len; + } + *outSize = len; + + return src; +} + +/* + * get an attribute from a template. Value is returned in NSS item. + * data for the item is owned by the template. + */ +CK_RV +nss_ckmk_GetAttribute +( + CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *template, + CK_ULONG templateSize, + NSSItem *item +) +{ + CK_ULONG i; + + for (i=0; i < templateSize; i++) { + if (template[i].type == type) { + item->data = template[i].pValue; + item->size = template[i].ulValueLen; + return CKR_OK; + } + } + return CKR_TEMPLATE_INCOMPLETE; +} + +/* + * get an attribute which is type CK_ULONG. + */ +CK_ULONG +nss_ckmk_GetULongAttribute +( + CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *template, + CK_ULONG templateSize, + CK_RV *pError +) +{ + NSSItem item; + + *pError = nss_ckmk_GetAttribute(type, template, templateSize, &item); + if (CKR_OK != *pError) { + return (CK_ULONG) 0; + } + if (item.size != sizeof(CK_ULONG)) { + *pError = CKR_ATTRIBUTE_VALUE_INVALID; + return (CK_ULONG) 0; + } + return *(CK_ULONG *)item.data; +} + +/* + * get an attribute which is type CK_BBOOL. + */ +CK_BBOOL +nss_ckmk_GetBoolAttribute +( + CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *template, + CK_ULONG templateSize, + CK_BBOOL defaultBool +) +{ + NSSItem item; + CK_RV error; + + error = nss_ckmk_GetAttribute(type, template, templateSize, &item); + if (CKR_OK != error) { + return defaultBool; + } + if (item.size != sizeof(CK_BBOOL)) { + return defaultBool; + } + return *(CK_BBOOL *)item.data; +} + +/* + * get an attribute as a NULL terminated string. Caller is responsible to + * free the string. + */ +char * +nss_ckmk_GetStringAttribute +( + CK_ATTRIBUTE_TYPE type, + CK_ATTRIBUTE *template, + CK_ULONG templateSize, + CK_RV *pError +) +{ + NSSItem item; + char *str; + + /* get the attribute */ + *pError = nss_ckmk_GetAttribute(type, template, templateSize, &item); + if (CKR_OK != *pError) { + return (char *)NULL; + } + /* make sure it is null terminated */ + str = nss_ZNEWARRAY(NULL, char, item.size+1); + if ((char *)NULL == str) { + *pError = CKR_HOST_MEMORY; + return (char *)NULL; + } + + nsslibc_memcpy(str, item.data, item.size); + str[item.size] = 0; + + return str; +} + +/* + * Apple doesn't seem to have a public interface to the DER encoder, + * wip out a quick one for integers only (anything more complicated, + * we should use one of the 3 in lib/util). -- especially since we + * now link with it. + */ +static CK_RV +ckmk_encodeInt(NSSItem *dest, void *src, int srcLen) +{ + int dataLen = srcLen; + int lenLen = 1; + int encLen; + int isSigned = 0; + int offset = 0; + unsigned char *data = NULL; + int i; + + if (*(unsigned char *)src & 0x80) { + dataLen++; + isSigned = 1; + } + + /* calculate the length of the length specifier */ + /* (NOTE: destroys dataLen value) */ + if (dataLen > 0x7f) { + do { + lenLen++; + dataLen >>= 8; + } while (dataLen); + } + + /* calculate our total length */ + dataLen = isSigned + srcLen; + encLen = 1 + lenLen + dataLen; + data = nss_ZNEWARRAY(NULL, unsigned char, encLen); + if ((unsigned char *)NULL == data) { + return CKR_HOST_MEMORY; + } + data[0] = DER_INTEGER; + if (1 == lenLen) { + data[1] = dataLen; + } else { + data[1] = 0x80 + lenLen; + for (i=0; i < lenLen; i++) { + data[i+1] = ((dataLen >> ((lenLen-i-1)*8)) & 0xff); + } + } + offset = lenLen+1; + + if (isSigned) { + data[offset++] = 0; + } + nsslibc_memcpy(&data[offset], src, srcLen); + dest->data = data; + dest->size = encLen; + return CKR_OK; +} + + +/* + * Get a Keyring attribute. If content is set to true, then we get the + * content, not the attribute. + */ +static CK_RV +ckmk_GetCommonAttribute +( + ckmkInternalObject *io, + SecItemAttr itemAttr, + PRBool content, + NSSItem *item, + char *dbString +) +{ + SecKeychainAttributeList *attrList = NULL; + SecKeychainAttributeInfo attrInfo; + uint32 len = 0; + uint32 dataLen = 0; + uint32 attrFormat = 0; + void *dataVal = 0; + void *out = NULL; + CK_RV error = CKR_OK; + OSStatus macErr; + + attrInfo.count = 1; + attrInfo.tag = &itemAttr; + attrInfo.format = &attrFormat; + + macErr = SecKeychainItemCopyAttributesAndData(io->u.item.itemRef, + &attrInfo, NULL, &attrList, &len, &out); + if (noErr != macErr) { + CKMK_MACERR(dbString, macErr); + return CKR_ATTRIBUTE_TYPE_INVALID; + } + dataLen = content ? len : attrList->attr->length; + dataVal = content ? out : attrList->attr->data; + + /* Apple's documentation says this value is DER Encoded, but it clearly isn't + * der encode it before we ship it back off to NSS + */ + if ( kSecSerialNumberItemAttr == itemAttr ) { + error = ckmk_encodeInt(item, dataVal, dataLen); + goto loser; /* logically 'done' if error == CKR_OK */ + } + item->data = nss_ZNEWARRAY(NULL, char, dataLen); + if (NULL == item->data) { + error = CKR_HOST_MEMORY; + goto loser; + } + nsslibc_memcpy(item->data, dataVal, dataLen); + item->size = dataLen; + +loser: + SecKeychainItemFreeAttributesAndData(attrList, out); + return error; +} + +/* + * change an attribute (does not operate on the content). + */ +static CK_RV +ckmk_updateAttribute +( + SecKeychainItemRef itemRef, + SecItemAttr itemAttr, + void *data, + uint32 len, + char *dbString +) +{ + SecKeychainAttributeList attrList; + SecKeychainAttribute attrAttr; + OSStatus macErr; + CK_RV error = CKR_OK; + + attrList.count = 1; + attrList.attr = &attrAttr; + attrAttr.tag = itemAttr; + attrAttr.data = data; + attrAttr.length = len; + macErr = SecKeychainItemModifyAttributesAndData(itemRef, &attrList, 0, NULL); + if (noErr != macErr) { + CKMK_MACERR(dbString, macErr); + error = CKR_ATTRIBUTE_TYPE_INVALID; + } + return error; +} + +/* + * get an attribute (does not operate on the content) + */ +static CK_RV +ckmk_GetDataAttribute +( + ckmkInternalObject *io, + SecItemAttr itemAttr, + NSSItem *item, + char *dbString +) +{ + return ckmk_GetCommonAttribute(io, itemAttr, PR_FALSE, item, dbString); +} + +/* + * get an attribute we know is a BOOL. + */ +static CK_RV +ckmk_GetBoolAttribute +( + ckmkInternalObject *io, + SecItemAttr itemAttr, + NSSItem *item, + char *dbString +) +{ + SecKeychainAttribute attr; + SecKeychainAttributeList attrList; + CK_BBOOL *boolp = NULL; + uint32 len = 0;; + void *out = NULL; + CK_RV error = CKR_OK; + OSStatus macErr; + + attr.tag = itemAttr; + attr.length = 0; + attr.data = NULL; + attrList.count = 1; + attrList.attr = &attr; + + boolp = nss_ZNEW(NULL, CK_BBOOL); + if ((CK_BBOOL *)NULL == boolp) { + error = CKR_HOST_MEMORY; + goto loser; + } + + macErr = SecKeychainItemCopyContent(io->u.item.itemRef, NULL, + &attrList, &len, &out); + if (noErr != macErr) { + CKMK_MACERR(dbString, macErr); + error = CKR_ATTRIBUTE_TYPE_INVALID; + goto loser; + } + if (sizeof(uint32) != attr.length) { + error = CKR_ATTRIBUTE_TYPE_INVALID; + goto loser; + } + *boolp = *(uint32 *)attr.data ? 1 : 0; + item->data = boolp; + boolp = NULL; + item->size = sizeof(CK_BBOOL); + +loser: + nss_ZFreeIf(boolp); + SecKeychainItemFreeContent(&attrList, out); + return error; +} + + +/* + * macros for fetching attributes into a cache and returning the + * appropriate value. These operate inside switch statements + */ +#define CKMK_HANDLE_ITEM(func, io, type, loc, item, error, str) \ + if (0 == (item)->loc.size) { \ + error = func(io, type, &(item)->loc, str); \ + } \ + return (CKR_OK == (error)) ? &(item)->loc : NULL; + +#define CKMK_HANDLE_OPT_ITEM(func, io, type, loc, item, error, str) \ + if (0 == (item)->loc.size) { \ + (void) func(io, type, &(item)->loc, str); \ + } \ + return &(item)->loc ; + +#define CKMK_HANDLE_BOOL_ITEM(io, type, loc, item, error, str) \ + CKMK_HANDLE_ITEM(ckmk_GetBoolAttribute, io, type, loc, item, error, str) +#define CKMK_HANDLE_DATA_ITEM(io, type, loc, item, error, str) \ + CKMK_HANDLE_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str) +#define CKMK_HANDLE_OPT_DATA_ITEM(io, type, loc, item, error, str) \ + CKMK_HANDLE_OPT_ITEM(ckmk_GetDataAttribute, io, type, loc, item, error, str) + +/* + * fetch the unique identifier for each object type. + */ +static void +ckmk_FetchHashKey +( + ckmkInternalObject *io +) +{ + NSSItem *key = &io->hashKey; + + if (io->objClass == CKO_CERTIFICATE) { + ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr, + PR_TRUE, key, "Fetching HashKey (cert)"); + } else { + ckmk_GetCommonAttribute(io, kSecKeyLabel, + PR_FALSE, key, "Fetching HashKey (key)"); + } +} + +/* + * Apple mucks with the actual subject and issuer, so go fetch + * the real ones ourselves. + */ +static void +ckmk_fetchCert +( + ckmkInternalObject *io +) +{ + CK_RV error; + unsigned char * cert, *next; + int certSize, thisEntrySize; + + error = ckmk_GetCommonAttribute(io, kSecCertEncodingItemAttr, PR_TRUE, + &io->u.item.derCert, "Fetching Value (cert)"); + if (CKR_OK != error) { + return; + } + /* unwrap the cert bundle */ + cert = nss_ckmk_DERUnwrap((unsigned char *)io->u.item.derCert.data, + io->u.item.derCert.size, + &certSize, NULL); + /* unwrap the cert itself */ + /* cert == certdata */ + cert = nss_ckmk_DERUnwrap(cert, certSize, &certSize, NULL); + + /* skip the optional version */ + if ((cert[0] & 0xa0) == 0xa0) { + nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next); + certSize -= next - cert; + cert = next; + } + /* skip the serial number */ + nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next); + certSize -= next - cert; + cert = next; + + /* skip the OID */ + nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next); + certSize -= next - cert; + cert = next; + + /* save the (wrapped) issuer */ + io->u.item.issuer.data = cert; + nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next); + io->u.item.issuer.size = next - cert; + certSize -= io->u.item.issuer.size; + cert = next; + + /* skip the OID */ + nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next); + certSize -= next - cert; + cert = next; + + /* save the (wrapped) subject */ + io->u.item.subject.data = cert; + nss_ckmk_DERUnwrap(cert, certSize, &thisEntrySize, &next); + io->u.item.subject.size = next - cert; + certSize -= io->u.item.subject.size; + cert = next; +} + +static void +ckmk_fetchModulus +( + ckmkInternalObject *io +) +{ + NSSItem item; + int32 modLen; + CK_RV error; + + /* we can't reliably get the modulus for private keys through CSSM (sigh). + * For NSS this is OK because we really only use this to get the modulus + * length (unless we are trying to get a public key from a private keys, + * something CSSM ALSO does not do!). + */ + error = ckmk_GetDataAttribute(io, kSecKeyKeySizeInBits, &item, + "Key Fetch Modulus"); + if (CKR_OK != error) { + return; + } + + modLen = *(int32 *)item.data; + modLen = modLen/8; /* convert from bits to bytes */ + + nss_ZFreeIf(item.data); + io->u.item.modulus.data = nss_ZNEWARRAY(NULL, char, modLen); + if (NULL == io->u.item.modulus.data) { + return; + } + *(char *)io->u.item.modulus.data = 0x80; /* fake NSS out or it will + * drop the first byte */ + io->u.item.modulus.size = modLen; + return; +} + +const NSSItem * +ckmk_FetchCertAttribute +( + ckmkInternalObject *io, + CK_ATTRIBUTE_TYPE type, + CK_RV *pError +) +{ + ckmkItemObject *item = &io->u.item; + *pError = CKR_OK; + switch(type) { + case CKA_CLASS: + return &ckmk_certClassItem; + case CKA_TOKEN: + case CKA_MODIFIABLE: + return &ckmk_trueItem; + case CKA_PRIVATE: + return &ckmk_falseItem; + case CKA_CERTIFICATE_TYPE: + return &ckmk_x509Item; + case CKA_LABEL: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecLabelItemAttr, label, item, *pError, + "Cert:Label attr") + case CKA_SUBJECT: + /* OK, well apple does provide an subject and issuer attribute, but they + * decided to cannonicalize that value. Probably a good move for them, + * but makes it useless for most users of PKCS #11.. Get the real subject + * from the certificate */ + if (0 == item->derCert.size) { + ckmk_fetchCert(io); + } + return &item->subject; + case CKA_ISSUER: + if (0 == item->derCert.size) { + ckmk_fetchCert(io); + } + return &item->issuer; + case CKA_SERIAL_NUMBER: + CKMK_HANDLE_DATA_ITEM(io, kSecSerialNumberItemAttr, serial, item, *pError, + "Cert:Serial Number attr") + case CKA_VALUE: + if (0 == item->derCert.size) { + ckmk_fetchCert(io); + } + return &item->derCert; + case CKA_ID: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecPublicKeyHashItemAttr, id, item, *pError, + "Cert:ID attr") + default: + *pError = CKR_ATTRIBUTE_TYPE_INVALID; + break; + } + return NULL; +} + +const NSSItem * +ckmk_FetchPubKeyAttribute +( + ckmkInternalObject *io, + CK_ATTRIBUTE_TYPE type, + CK_RV *pError +) +{ + ckmkItemObject *item = &io->u.item; + *pError = CKR_OK; + + switch(type) { + case CKA_CLASS: + return &ckmk_pubKeyClassItem; + case CKA_TOKEN: + case CKA_LOCAL: + return &ckmk_trueItem; + case CKA_KEY_TYPE: + return &ckmk_rsaItem; + case CKA_LABEL: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyPrintName, label, item, *pError, + "PubKey:Label attr") + case CKA_ENCRYPT: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyEncrypt, encrypt, item, *pError, + "PubKey:Encrypt attr") + case CKA_VERIFY: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyVerify, verify, item, *pError, + "PubKey:Verify attr") + case CKA_VERIFY_RECOVER: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyVerifyRecover, verifyRecover, + item, *pError, "PubKey:VerifyRecover attr") + case CKA_PRIVATE: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyPrivate, private, item, *pError, + "PubKey:Private attr") + case CKA_MODIFIABLE: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyModifiable, modify, item, *pError, + "PubKey:Modify attr") + case CKA_DERIVE: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDerive, derive, item, *pError, + "PubKey:Derive attr") + case CKA_WRAP: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyWrap, wrap, item, *pError, + "PubKey:Wrap attr") + case CKA_SUBJECT: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecSubjectItemAttr, subject, item, *pError, + "PubKey:Subect attr") + case CKA_MODULUS: + return &ckmk_emptyItem; + case CKA_PUBLIC_EXPONENT: + return &ckmk_emptyItem; + case CKA_ID: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyLabel, id, item, *pError, + "PubKey:ID attr") + default: + *pError = CKR_ATTRIBUTE_TYPE_INVALID; + break; + } + return NULL; +} + +const NSSItem * +ckmk_FetchPrivKeyAttribute +( + ckmkInternalObject *io, + CK_ATTRIBUTE_TYPE type, + CK_RV *pError +) +{ + ckmkItemObject *item = &io->u.item; + *pError = CKR_OK; + + switch(type) { + case CKA_CLASS: + return &ckmk_privKeyClassItem; + case CKA_TOKEN: + case CKA_LOCAL: + return &ckmk_trueItem; + case CKA_SENSITIVE: + case CKA_EXTRACTABLE: /* will probably move in the future */ + case CKA_ALWAYS_SENSITIVE: + case CKA_NEVER_EXTRACTABLE: + return &ckmk_falseItem; + case CKA_KEY_TYPE: + return &ckmk_rsaItem; + case CKA_LABEL: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyPrintName, label, item, *pError, + "PrivateKey:Label attr") + case CKA_DECRYPT: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDecrypt, decrypt, item, *pError, + "PrivateKey:Decrypt attr") + case CKA_SIGN: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeySign, sign, item, *pError, + "PrivateKey:Sign attr") + case CKA_SIGN_RECOVER: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeySignRecover, signRecover, item, *pError, + "PrivateKey:Sign Recover attr") + case CKA_PRIVATE: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyPrivate, private, item, *pError, + "PrivateKey:Private attr") + case CKA_MODIFIABLE: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyModifiable, modify, item, *pError, + "PrivateKey:Modify attr") + case CKA_DERIVE: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyDerive, derive, item, *pError, + "PrivateKey:Derive attr") + case CKA_UNWRAP: + CKMK_HANDLE_BOOL_ITEM(io, kSecKeyUnwrap, unwrap, item, *pError, + "PrivateKey:Unwrap attr") + case CKA_SUBJECT: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecSubjectItemAttr, subject, item, *pError, + "PrivateKey:Subject attr") + case CKA_MODULUS: + if (0 == item->modulus.size) { + ckmk_fetchModulus(io); + } + return &item->modulus; + case CKA_PUBLIC_EXPONENT: + return &ckmk_emptyItem; +#ifdef notdef + /* the following are sensitive attributes. We could implment them for + * sensitive keys using the key export function, but it's better to + * just support wrap through this token. That will more reliably allow us + * to export any private key that is truly exportable. + */ + case CKA_PRIVATE_EXPONENT: + CKMK_HANDLE_DATA_ITEM(io, kSecPrivateExponentItemAttr, privateExponent, + item, *pError) + case CKA_PRIME_1: + CKMK_HANDLE_DATA_ITEM(io, kSecPrime1ItemAttr, prime1, item, *pError) + case CKA_PRIME_2: + CKMK_HANDLE_DATA_ITEM(io, kSecPrime2ItemAttr, prime2, item, *pError) + case CKA_EXPONENT_1: + CKMK_HANDLE_DATA_ITEM(io, kSecExponent1ItemAttr, exponent1, item, *pError) + case CKA_EXPONENT_2: + CKMK_HANDLE_DATA_ITEM(io, kSecExponent2ItemAttr, exponent2, item, *pError) + case CKA_COEFFICIENT: + CKMK_HANDLE_DATA_ITEM(io, kSecCoefficientItemAttr, coefficient, + item, *pError) +#endif + case CKA_ID: + CKMK_HANDLE_OPT_DATA_ITEM(io, kSecKeyLabel, id, item, *pError, + "PrivateKey:ID attr") + default: + *pError = CKR_ATTRIBUTE_TYPE_INVALID; + return NULL; + } +} + +const NSSItem * +nss_ckmk_FetchAttribute +( + ckmkInternalObject *io, + CK_ATTRIBUTE_TYPE type, + CK_RV *pError +) +{ + CK_ULONG i; + const NSSItem * value = NULL; + + if (io->type == ckmkRaw) { + for( i = 0; i < io->u.raw.n; i++ ) { + if( type == io->u.raw.types[i] ) { + return &io->u.raw.items[i]; + } + } + *pError = CKR_ATTRIBUTE_TYPE_INVALID; + return NULL; + } + /* deal with the common attributes */ + switch (io->objClass) { + case CKO_CERTIFICATE: + value = ckmk_FetchCertAttribute(io, type, pError); + break; + case CKO_PRIVATE_KEY: + value = ckmk_FetchPrivKeyAttribute(io, type, pError); + break; + case CKO_PUBLIC_KEY: + value = ckmk_FetchPubKeyAttribute(io, type, pError); + break; + default: + *pError = CKR_OBJECT_HANDLE_INVALID; + return NULL; + } + +#ifdef DEBUG + if (CKA_ID == type) { + itemdump("id: ", value->data, value->size, *pError); + } +#endif + return value; +} + +static void +ckmk_removeObjectFromHash +( + ckmkInternalObject *io +); + +/* + * + * These are the MSObject functions we need to implement + * + * Finalize - unneeded (actually we should clean up the hashtables) + * Destroy + * IsTokenObject - CK_TRUE + * GetAttributeCount + * GetAttributeTypes + * GetAttributeSize + * GetAttribute + * SetAttribute + * GetObjectSize + */ + +static CK_RV +ckmk_mdObject_Destroy +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc; + OSStatus macErr; + + if (ckmkRaw == io->type) { + /* there is not 'object write protected' error, use the next best thing */ + return CKR_TOKEN_WRITE_PROTECTED; + } + + /* This API is done well. The following 4 lines are the complete apple + * specific part of this implementation */ + macErr = SecKeychainItemDelete(io->u.item.itemRef); + if (noErr != macErr) { + CKMK_MACERR("Delete object", macErr); + } + + /* remove it from the hash */ + ckmk_removeObjectFromHash(io); + + /* free the puppy.. */ + nss_ckmk_DestroyInternalObject(io); + + return CKR_OK; +} + +static CK_BBOOL +ckmk_mdObject_IsTokenObject +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return CK_TRUE; +} + +static CK_ULONG +ckmk_mdObject_GetAttributeCount +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc; + + if (ckmkRaw == io->type) { + return io->u.raw.n; + } + switch (io->objClass) { + case CKO_CERTIFICATE: + return certAttrsCount; + case CKO_PUBLIC_KEY: + return pubKeyAttrsCount; + case CKO_PRIVATE_KEY: + return privKeyAttrsCount; + default: + break; + } + return 0; +} + +static CK_RV +ckmk_mdObject_GetAttributeTypes +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_TYPE_PTR typeArray, + CK_ULONG ulCount +) +{ + ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc; + CK_ULONG i; + CK_RV error = CKR_OK; + const CK_ATTRIBUTE_TYPE *attrs = NULL; + CK_ULONG size = ckmk_mdObject_GetAttributeCount( + mdObject, fwObject, mdSession, fwSession, + mdToken, fwToken, mdInstance, fwInstance, &error); + + if( size != ulCount ) { + return CKR_BUFFER_TOO_SMALL; + } + if (io->type == ckmkRaw) { + attrs = io->u.raw.types; + } else switch(io->objClass) { + case CKO_CERTIFICATE: + attrs = certAttrs; + break; + case CKO_PUBLIC_KEY: + attrs = pubKeyAttrs; + break; + case CKO_PRIVATE_KEY: + attrs = privKeyAttrs; + break; + default: + return CKR_OK; + } + + for( i = 0; i < size; i++) { + typeArray[i] = attrs[i]; + } + + return CKR_OK; +} + +static CK_ULONG +ckmk_mdObject_GetAttributeSize +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_TYPE attribute, + CK_RV *pError +) +{ + ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc; + + const NSSItem *b; + + b = nss_ckmk_FetchAttribute(io, attribute, pError); + + if ((const NSSItem *)NULL == b) { + return 0; + } + return b->size; +} + +static CK_RV +ckmk_mdObject_SetAttribute +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_TYPE attribute, + NSSItem *value +) +{ + ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc; + SecKeychainItemRef itemRef; + + if (io->type == ckmkRaw) { + return CKR_TOKEN_WRITE_PROTECTED; + } + itemRef = io->u.item.itemRef; + + switch (io->objClass) { + case CKO_PRIVATE_KEY: + case CKO_PUBLIC_KEY: + switch (attribute) { + case CKA_ID: + ckmk_updateAttribute(itemRef, kSecKeyLabel, + value->data, value->size, "Set Attr Key ID"); +#ifdef DEBUG + itemdump("key id: ", value->data, value->size, CKR_OK); +#endif + break; + case CKA_LABEL: + ckmk_updateAttribute(itemRef, kSecKeyPrintName, value->data, + value->size, "Set Attr Key Label"); + break; + default: + break; + } + break; + + case CKO_CERTIFICATE: + switch (attribute) { + case CKA_ID: + ckmk_updateAttribute(itemRef, kSecPublicKeyHashItemAttr, + value->data, value->size, "Set Attr Cert ID"); + break; + case CKA_LABEL: + ckmk_updateAttribute(itemRef, kSecLabelItemAttr, value->data, + value->size, "Set Attr Cert Label"); + break; + default: + break; + } + break; + + default: + break; + } + return CKR_OK; +} + +static NSSCKFWItem +ckmk_mdObject_GetAttribute +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_TYPE attribute, + CK_RV *pError +) +{ + NSSCKFWItem mdItem; + ckmkInternalObject *io = (ckmkInternalObject *)mdObject->etc; + + mdItem.needsFreeing = PR_FALSE; + mdItem.item = (NSSItem*)nss_ckmk_FetchAttribute(io, attribute, pError); + + + return mdItem; +} + +static CK_ULONG +ckmk_mdObject_GetObjectSize +( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + CK_ULONG rv = 1; + + /* size is irrelevant to this token */ + return rv; +} + +static const NSSCKMDObject +ckmk_prototype_mdObject = { + (void *)NULL, /* etc */ + NULL, /* Finalize */ + ckmk_mdObject_Destroy, + ckmk_mdObject_IsTokenObject, + ckmk_mdObject_GetAttributeCount, + ckmk_mdObject_GetAttributeTypes, + ckmk_mdObject_GetAttributeSize, + ckmk_mdObject_GetAttribute, + NULL, /* FreeAttribute */ + ckmk_mdObject_SetAttribute, + ckmk_mdObject_GetObjectSize, + (void *)NULL /* null terminator */ +}; + +static nssHash *ckmkInternalObjectHash = NULL; + +NSS_IMPLEMENT NSSCKMDObject * +nss_ckmk_CreateMDObject +( + NSSArena *arena, + ckmkInternalObject *io, + CK_RV *pError +) +{ + if ((nssHash *)NULL == ckmkInternalObjectHash) { + ckmkInternalObjectHash = nssHash_CreateItem(NULL, 10); + } + if (ckmkItem == io->type) { + /* the hash key, not a cryptographic key */ + NSSItem *key = &io->hashKey; + ckmkInternalObject *old_o = NULL; + + if (key->size == 0) { + ckmk_FetchHashKey(io); + } + old_o = (ckmkInternalObject *) + nssHash_Lookup(ckmkInternalObjectHash, key); + if (!old_o) { + nssHash_Add(ckmkInternalObjectHash, key, io); + } else if (old_o != io) { + nss_ckmk_DestroyInternalObject(io); + io = old_o; + } + } + + if ( (void*)NULL == io->mdObject.etc) { + (void) nsslibc_memcpy(&io->mdObject,&ckmk_prototype_mdObject, + sizeof(ckmk_prototype_mdObject)); + io->mdObject.etc = (void *)io; + } + return &io->mdObject; +} + +static void +ckmk_removeObjectFromHash +( + ckmkInternalObject *io +) +{ + NSSItem *key = &io->hashKey; + + if ((nssHash *)NULL == ckmkInternalObjectHash) { + return; + } + if (key->size == 0) { + ckmk_FetchHashKey(io); + } + nssHash_Remove(ckmkInternalObjectHash, key); + return; +} + + +void +nss_ckmk_DestroyInternalObject +( + ckmkInternalObject *io +) +{ + switch (io->type) { + case ckmkRaw: + return; + case ckmkItem: + nss_ZFreeIf(io->u.item.modify.data); + nss_ZFreeIf(io->u.item.private.data); + nss_ZFreeIf(io->u.item.encrypt.data); + nss_ZFreeIf(io->u.item.decrypt.data); + nss_ZFreeIf(io->u.item.derive.data); + nss_ZFreeIf(io->u.item.sign.data); + nss_ZFreeIf(io->u.item.signRecover.data); + nss_ZFreeIf(io->u.item.verify.data); + nss_ZFreeIf(io->u.item.verifyRecover.data); + nss_ZFreeIf(io->u.item.wrap.data); + nss_ZFreeIf(io->u.item.unwrap.data); + nss_ZFreeIf(io->u.item.label.data); + /*nss_ZFreeIf(io->u.item.subject.data); */ + /*nss_ZFreeIf(io->u.item.issuer.data); */ + nss_ZFreeIf(io->u.item.serial.data); + nss_ZFreeIf(io->u.item.modulus.data); + nss_ZFreeIf(io->u.item.exponent.data); + nss_ZFreeIf(io->u.item.privateExponent.data); + nss_ZFreeIf(io->u.item.prime1.data); + nss_ZFreeIf(io->u.item.prime2.data); + nss_ZFreeIf(io->u.item.exponent1.data); + nss_ZFreeIf(io->u.item.exponent2.data); + nss_ZFreeIf(io->u.item.coefficient.data); + break; + } + nss_ZFreeIf(io); + return; +} + + +static ckmkInternalObject * +nss_ckmk_NewInternalObject +( + CK_OBJECT_CLASS objClass, + SecKeychainItemRef itemRef, + SecItemClass itemClass, + CK_RV *pError +) +{ + ckmkInternalObject *io = nss_ZNEW(NULL, ckmkInternalObject); + + if ((ckmkInternalObject *)NULL == io) { + *pError = CKR_HOST_MEMORY; + return io; + } + io->type = ckmkItem; + io->objClass = objClass; + io->u.item.itemRef = itemRef; + io->u.item.itemClass = itemClass; + return io; +} + +/* + * Apple doesn't alway have a default keyChain set by the OS, use the + * SearchList to try to find one. + */ +static CK_RV +ckmk_GetSafeDefaultKeychain +( + SecKeychainRef *keychainRef +) +{ + OSStatus macErr; + CFArrayRef searchList = 0; + CK_RV error = CKR_OK; + + macErr = SecKeychainCopyDefault(keychainRef); + if (noErr != macErr) { + int searchCount = 0; + if (errSecNoDefaultKeychain != macErr) { + CKMK_MACERR("Getting default key chain", macErr); + error = CKR_GENERAL_ERROR; + goto loser; + } + /* ok, we don't have a default key chain, find one */ + macErr = SecKeychainCopySearchList(&searchList); + if (noErr != macErr) { + CKMK_MACERR("failed to find a keyring searchList", macErr); + error = CKR_DEVICE_REMOVED; + goto loser; + } + searchCount = CFArrayGetCount(searchList); + if (searchCount < 1) { + error = CKR_DEVICE_REMOVED; + goto loser; + } + *keychainRef = + (SecKeychainRef)CFRetain(CFArrayGetValueAtIndex(searchList, 0)); + if (0 == *keychainRef) { + error = CKR_DEVICE_REMOVED; + goto loser; + } + /* should we set it as default? */ + } +loser: + if (0 != searchList) { + CFRelease(searchList); + } + return error; +} +static ckmkInternalObject * +nss_ckmk_CreateCertificate +( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +) +{ + NSSItem value; + ckmkInternalObject *io = NULL; + OSStatus macErr; + SecCertificateRef certRef; + SecKeychainItemRef itemRef; + SecKeychainRef keychainRef; + CSSM_DATA certData; + + *pError = nss_ckmk_GetAttribute(CKA_VALUE, pTemplate, + ulAttributeCount, &value); + if (CKR_OK != *pError) { + goto loser; + } + + certData.Data = value.data; + certData.Length = value.size; + macErr = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, + CSSM_CERT_ENCODING_BER, &certRef); + if (noErr != macErr) { + CKMK_MACERR("Create cert from data Failed", macErr); + *pError = CKR_GENERAL_ERROR; /* need to map macErr */ + goto loser; + } + + *pError = ckmk_GetSafeDefaultKeychain(&keychainRef); + if (CKR_OK != *pError) { + goto loser; + } + + macErr = SecCertificateAddToKeychain( certRef, keychainRef); + itemRef = (SecKeychainItemRef) certRef; + if (errSecDuplicateItem != macErr) { + NSSItem keyID = { NULL, 0 }; + char *nickname = NULL; + CK_RV dummy; + + if (noErr != macErr) { + CKMK_MACERR("Add cert to keychain Failed", macErr); + *pError = CKR_GENERAL_ERROR; /* need to map macErr */ + goto loser; + } + /* these two are optional */ + nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate, + ulAttributeCount, &dummy); + /* we've added a new one, update the attributes in the key ring */ + if (nickname) { + ckmk_updateAttribute(itemRef, kSecLabelItemAttr, nickname, + strlen(nickname)+1, "Modify Cert Label"); + nss_ZFreeIf(nickname); + } + dummy = nss_ckmk_GetAttribute(CKA_ID, pTemplate, + ulAttributeCount, &keyID); + if (CKR_OK == dummy) { + dummy = ckmk_updateAttribute(itemRef, kSecPublicKeyHashItemAttr, + keyID.data, keyID.size, "Modify Cert ID"); + } + } + + io = nss_ckmk_NewInternalObject(CKO_CERTIFICATE, itemRef, + kSecCertificateItemClass, pError); + if ((ckmkInternalObject *)NULL != io) { + itemRef = 0; + } + +loser: + if (0 != itemRef) { + CFRelease(itemRef); + } + if (0 != keychainRef) { + CFRelease(keychainRef); + } + + return io; +} + +/* + * PKCS #8 attributes + */ +struct ckmk_AttributeStr { + SECItem attrType; + SECItem *attrValue; +}; +typedef struct ckmk_AttributeStr ckmk_Attribute; + +/* +** A PKCS#8 private key info object +*/ +struct PrivateKeyInfoStr { + PLArenaPool *arena; + SECItem version; + SECAlgorithmID algorithm; + SECItem privateKey; + ckmk_Attribute **attributes; +}; +typedef struct PrivateKeyInfoStr PrivateKeyInfo; + +const SEC_ASN1Template ckmk_RSAPrivateKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(RSAPrivateKey) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,version) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,modulus) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,publicExponent) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,privateExponent) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,prime1) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,prime2) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,exponent1) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,exponent2) }, + { SEC_ASN1_INTEGER, offsetof(RSAPrivateKey,coefficient) }, + { 0 } +}; + +const SEC_ASN1Template ckmk_AttributeTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(ckmk_Attribute) }, + { SEC_ASN1_OBJECT_ID, offsetof(ckmk_Attribute, attrType) }, + { SEC_ASN1_SET_OF, offsetof(ckmk_Attribute, attrValue), + SEC_AnyTemplate }, + { 0 } +}; + +const SEC_ASN1Template ckmk_SetOfAttributeTemplate[] = { + { SEC_ASN1_SET_OF, 0, ckmk_AttributeTemplate }, +}; + +/* ASN1 Templates for new decoder/encoder */ +const SEC_ASN1Template ckmk_PrivateKeyInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PrivateKeyInfo) }, + { SEC_ASN1_INTEGER, offsetof(PrivateKeyInfo,version) }, + { SEC_ASN1_INLINE, offsetof(PrivateKeyInfo,algorithm), + SECOID_AlgorithmIDTemplate }, + { SEC_ASN1_OCTET_STRING, offsetof(PrivateKeyInfo,privateKey) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(PrivateKeyInfo, attributes), ckmk_SetOfAttributeTemplate }, + { 0 } +}; + +#define CKMK_PRIVATE_KEY_INFO_VERSION 0 +static CK_RV +ckmk_CreateRSAKeyBlob +( + RSAPrivateKey *lk, + NSSItem *keyBlob +) +{ + PrivateKeyInfo *pki = NULL; + PLArenaPool *arena = NULL; + SECOidTag algorithm = SEC_OID_UNKNOWN; + void *dummy; + SECStatus rv; + SECItem *encodedKey = NULL; + CK_RV error = CKR_OK; + + arena = PORT_NewArena(2048); /* XXX different size? */ + if(!arena) { + error = CKR_HOST_MEMORY; + goto loser; + } + + pki = (PrivateKeyInfo*)PORT_ArenaZAlloc(arena, sizeof(PrivateKeyInfo)); + if(!pki) { + error = CKR_HOST_MEMORY; + goto loser; + } + pki->arena = arena; + + dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk, + ckmk_RSAPrivateKeyTemplate); + algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION; + + if (!dummy) { + error = CKR_DEVICE_ERROR; /* should map NSS SECError */ + goto loser; + } + + rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm, + (SECItem*)NULL); + if (rv != SECSuccess) { + error = CKR_DEVICE_ERROR; /* should map NSS SECError */ + goto loser; + } + + dummy = SEC_ASN1EncodeInteger(arena, &pki->version, + CKMK_PRIVATE_KEY_INFO_VERSION); + if (!dummy) { + error = CKR_DEVICE_ERROR; /* should map NSS SECError */ + goto loser; + } + + encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, + ckmk_PrivateKeyInfoTemplate); + if (!encodedKey) { + error = CKR_DEVICE_ERROR; + goto loser; + } + + keyBlob->data = nss_ZNEWARRAY(NULL, char, encodedKey->len); + if (NULL == keyBlob->data) { + error = CKR_HOST_MEMORY; + goto loser; + } + nsslibc_memcpy(keyBlob->data, encodedKey->data, encodedKey->len); + keyBlob->size = encodedKey->len; + +loser: + if(arena) { + PORT_FreeArena(arena, PR_TRUE); + } + if (encodedKey) { + SECITEM_FreeItem(encodedKey, PR_TRUE); + } + + return error; +} +/* + * There MUST be a better way to do this. For now, find the key based on the + * default name Apple gives it once we import. + */ +#define IMPORTED_NAME "Imported Private Key" +static CK_RV +ckmk_FindImportedKey +( + SecKeychainRef keychainRef, + SecItemClass itemClass, + SecKeychainItemRef *outItemRef +) +{ + OSStatus macErr; + SecKeychainSearchRef searchRef = 0; + SecKeychainItemRef newItemRef; + + macErr = SecKeychainSearchCreateFromAttributes(keychainRef, itemClass, + NULL, &searchRef); + if (noErr != macErr) { + CKMK_MACERR("Can't search for Key", macErr); + return CKR_GENERAL_ERROR; + } + while (noErr == SecKeychainSearchCopyNext(searchRef, &newItemRef)) { + SecKeychainAttributeList *attrList = NULL; + SecKeychainAttributeInfo attrInfo; + SecItemAttr itemAttr = kSecKeyPrintName; + uint32 attrFormat = 0; + OSStatus macErr; + + attrInfo.count = 1; + attrInfo.tag = &itemAttr; + attrInfo.format = &attrFormat; + + macErr = SecKeychainItemCopyAttributesAndData(newItemRef, + &attrInfo, NULL, &attrList, NULL, NULL); + if (noErr == macErr) { + if (nsslibc_memcmp(attrList->attr->data, IMPORTED_NAME, + attrList->attr->length, NULL) == 0) { + *outItemRef = newItemRef; + CFRelease (searchRef); + SecKeychainItemFreeAttributesAndData(attrList, NULL); + return CKR_OK; + } + SecKeychainItemFreeAttributesAndData(attrList, NULL); + } + CFRelease(newItemRef); + } + CFRelease (searchRef); + return CKR_GENERAL_ERROR; /* we can come up with something better! */ +} + +static ckmkInternalObject * +nss_ckmk_CreatePrivateKey +( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +) +{ + NSSItem attribute; + RSAPrivateKey lk; + NSSItem keyID; + char *nickname = NULL; + ckmkInternalObject *io = NULL; + CK_KEY_TYPE keyType; + OSStatus macErr; + SecKeychainItemRef itemRef = 0; + NSSItem keyBlob = { NULL, 0 }; + CFDataRef dataRef = 0; + SecExternalFormat inputFormat = kSecFormatBSAFE; + /*SecExternalFormat inputFormat = kSecFormatOpenSSL; */ + SecExternalItemType itemType = kSecItemTypePrivateKey; + SecKeyImportExportParameters keyParams ; + SecKeychainRef targetKeychain = 0; + unsigned char zero = 0; + CK_RV error; + + keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION; + keyParams.flags = 0; + keyParams.passphrase = 0; + keyParams.alertTitle = 0; + keyParams.alertPrompt = 0; + keyParams.accessRef = 0; /* default */ + keyParams.keyUsage = 0; /* will get filled in */ + keyParams.keyAttributes = CSSM_KEYATTR_PERMANENT; /* will get filled in */ + keyType = nss_ckmk_GetULongAttribute + (CKA_KEY_TYPE, pTemplate, ulAttributeCount, pError); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + if (CKK_RSA != keyType) { + *pError = CKR_ATTRIBUTE_VALUE_INVALID; + return (ckmkInternalObject *)NULL; + } + if (nss_ckmk_GetBoolAttribute(CKA_DECRYPT, + pTemplate, ulAttributeCount, CK_TRUE)) { + keyParams.keyUsage |= CSSM_KEYUSE_DECRYPT; + } + if (nss_ckmk_GetBoolAttribute(CKA_UNWRAP, + pTemplate, ulAttributeCount, CK_TRUE)) { + keyParams.keyUsage |= CSSM_KEYUSE_UNWRAP; + } + if (nss_ckmk_GetBoolAttribute(CKA_SIGN, + pTemplate, ulAttributeCount, CK_TRUE)) { + keyParams.keyUsage |= CSSM_KEYUSE_SIGN; + } + if (nss_ckmk_GetBoolAttribute(CKA_DERIVE, + pTemplate, ulAttributeCount, CK_FALSE)) { + keyParams.keyUsage |= CSSM_KEYUSE_DERIVE; + } + if (nss_ckmk_GetBoolAttribute(CKA_SENSITIVE, + pTemplate, ulAttributeCount, CK_TRUE)) { + keyParams.keyAttributes |= CSSM_KEYATTR_SENSITIVE; + } + if (nss_ckmk_GetBoolAttribute(CKA_EXTRACTABLE, + pTemplate, ulAttributeCount, CK_TRUE)) { + keyParams.keyAttributes |= CSSM_KEYATTR_EXTRACTABLE; + } + + lk.version.type = siUnsignedInteger; + lk.version.data = &zero; + lk.version.len = 1; + + *pError = nss_ckmk_GetAttribute(CKA_MODULUS, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.modulus.type = siUnsignedInteger; + lk.modulus.data = attribute.data; + lk.modulus.len = attribute.size; + + *pError = nss_ckmk_GetAttribute(CKA_PUBLIC_EXPONENT, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.publicExponent.type = siUnsignedInteger; + lk.publicExponent.data = attribute.data; + lk.publicExponent.len = attribute.size; + + *pError = nss_ckmk_GetAttribute(CKA_PRIVATE_EXPONENT, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.privateExponent.type = siUnsignedInteger; + lk.privateExponent.data = attribute.data; + lk.privateExponent.len = attribute.size; + + *pError = nss_ckmk_GetAttribute(CKA_PRIME_1, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.prime1.type = siUnsignedInteger; + lk.prime1.data = attribute.data; + lk.prime1.len = attribute.size; + + *pError = nss_ckmk_GetAttribute(CKA_PRIME_2, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.prime2.type = siUnsignedInteger; + lk.prime2.data = attribute.data; + lk.prime2.len = attribute.size; + + *pError = nss_ckmk_GetAttribute(CKA_EXPONENT_1, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.exponent1.type = siUnsignedInteger; + lk.exponent1.data = attribute.data; + lk.exponent1.len = attribute.size; + + *pError = nss_ckmk_GetAttribute(CKA_EXPONENT_2, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.exponent2.type = siUnsignedInteger; + lk.exponent2.data = attribute.data; + lk.exponent2.len = attribute.size; + + *pError = nss_ckmk_GetAttribute(CKA_COEFFICIENT, pTemplate, + ulAttributeCount, &attribute); + if (CKR_OK != *pError) { + return (ckmkInternalObject *)NULL; + } + lk.coefficient.type = siUnsignedInteger; + lk.coefficient.data = attribute.data; + lk.coefficient.len = attribute.size; + + /* ASN1 Encode the pkcs8 structure... look at softoken to see how this + * is done... */ + error = ckmk_CreateRSAKeyBlob(&lk, &keyBlob); + if (CKR_OK != error) { + goto loser; + } + + dataRef = CFDataCreate(NULL, (UInt8 *)keyBlob.data, keyBlob.size); + if (0 == dataRef) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + + *pError == ckmk_GetSafeDefaultKeychain(&targetKeychain); + if (CKR_OK != *pError) { + goto loser; + } + + + /* the itemArray that is returned is useless. the item does not + * is 'not on the key chain' so none of the modify calls work on it. + * It also has a key that isn't the same key as the one in the actual + * key chain. In short it isn't the item we want, and it gives us zero + * information about the item we want, so don't even bother with it... + */ + macErr = SecKeychainItemImport(dataRef, NULL, &inputFormat, &itemType, 0, + &keyParams, targetKeychain, NULL); + if (noErr != macErr) { + CKMK_MACERR("Import Private Key", macErr); + *pError = CKR_GENERAL_ERROR; + goto loser; + } + + *pError = ckmk_FindImportedKey(targetKeychain, + CSSM_DL_DB_RECORD_PRIVATE_KEY, + &itemRef); + if (CKR_OK != *pError) { +#ifdef DEBUG + fprintf(stderr,"couldn't find key in keychain \n"); +#endif + goto loser; + } + + + /* set the CKA_ID and the CKA_LABEL */ + error = nss_ckmk_GetAttribute(CKA_ID, pTemplate, + ulAttributeCount, &keyID); + if (CKR_OK == error) { + error = ckmk_updateAttribute(itemRef, kSecKeyLabel, + keyID.data, keyID.size, "Modify Key ID"); +#ifdef DEBUG + itemdump("key id: ", keyID.data, keyID.size, error); +#endif + } + nickname = nss_ckmk_GetStringAttribute(CKA_LABEL, pTemplate, + ulAttributeCount, &error); + if (nickname) { + ckmk_updateAttribute(itemRef, kSecKeyPrintName, nickname, + strlen(nickname)+1, "Modify Key Label"); + } else { +#define DEFAULT_NICKNAME "NSS Imported Key" + ckmk_updateAttribute(itemRef, kSecKeyPrintName, DEFAULT_NICKNAME, + sizeof(DEFAULT_NICKNAME), "Modify Key Label"); + } + + io = nss_ckmk_NewInternalObject(CKO_PRIVATE_KEY, itemRef, + CSSM_DL_DB_RECORD_PRIVATE_KEY, pError); + if ((ckmkInternalObject *)NULL == io) { + CFRelease(itemRef); + } + + return io; + +loser: + /* free the key blob */ + if (keyBlob.data) { + nss_ZFreeIf(keyBlob.data); + } + if (0 != targetKeychain) { + CFRelease(targetKeychain); + } + if (0 != dataRef) { + CFRelease(dataRef); + } + return io; +} + + +NSS_EXTERN NSSCKMDObject * +nss_ckmk_CreateObject +( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +) +{ + CK_OBJECT_CLASS objClass; + ckmkInternalObject *io; + CK_BBOOL isToken; + + /* + * only create token objects + */ + isToken = nss_ckmk_GetBoolAttribute(CKA_TOKEN, pTemplate, + ulAttributeCount, CK_FALSE); + if (!isToken) { + *pError = CKR_ATTRIBUTE_VALUE_INVALID; + return (NSSCKMDObject *) NULL; + } + + /* + * only create keys and certs. + */ + objClass = nss_ckmk_GetULongAttribute(CKA_CLASS, pTemplate, + ulAttributeCount, pError); + if (CKR_OK != *pError) { + return (NSSCKMDObject *) NULL; + } +#ifdef notdef + if (objClass == CKO_PUBLIC_KEY) { + return CKR_OK; /* fake public key creation, happens as a side effect of + * private key creation */ + } +#endif + if (objClass == CKO_CERTIFICATE) { + io = nss_ckmk_CreateCertificate(fwSession, pTemplate, + ulAttributeCount, pError); + } else if (objClass == CKO_PRIVATE_KEY) { + io = nss_ckmk_CreatePrivateKey(fwSession, pTemplate, + ulAttributeCount, pError); + } else { + *pError = CKR_ATTRIBUTE_VALUE_INVALID; + } + + if ((ckmkInternalObject *)NULL == io) { + return (NSSCKMDObject *) NULL; + } + return nss_ckmk_CreateMDObject(NULL, io, pError); +} diff --git a/security/nss/lib/ckfw/nssmkey/mrsa.c b/security/nss/lib/ckfw/nssmkey/mrsa.c new file mode 100644 index 000000000000..91552eea3a77 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/mrsa.c @@ -0,0 +1,547 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Red Hat, Inc. + * Portions created by the Initial Developer are Copyright (C) 2005 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: mrsa.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#include "ckmk.h" + +/* Sigh, For all the talk about 'ease of use', apple has hidden the interfaces + * needed to be able to truly use CSSM. These came from their modification + * to NSS's S/MIME code. The following two functions currently are not + * part of the SecKey.h interface. + */ +OSStatus +SecKeyGetCredentials +( + SecKeyRef keyRef, + CSSM_ACL_AUTHORIZATION_TAG authTag, + int type, + const CSSM_ACCESS_CREDENTIALS **creds +); + +/* this function could be implemented using 'SecKeychainItemCopyKeychain' and + * 'SecKeychainGetCSPHandle' */ +OSStatus +SecKeyGetCSPHandle +( + SecKeyRef keyRef, + CSSM_CSP_HANDLE *cspHandle +); + + +typedef struct ckmkInternalCryptoOperationRSAPrivStr + ckmkInternalCryptoOperationRSAPriv; +struct ckmkInternalCryptoOperationRSAPrivStr +{ + NSSCKMDCryptoOperation mdOperation; + NSSCKMDMechanism *mdMechanism; + ckmkInternalObject *iKey; + NSSItem *buffer; + CSSM_CC_HANDLE cssmContext; +}; + +typedef enum { + CKMK_DECRYPT, + CKMK_SIGN +} ckmkRSAOpType; + +/* + * ckmk_mdCryptoOperationRSAPriv_Create + */ +static NSSCKMDCryptoOperation * +ckmk_mdCryptoOperationRSAPriv_Create +( + const NSSCKMDCryptoOperation *proto, + NSSCKMDMechanism *mdMechanism, + NSSCKMDObject *mdKey, + ckmkRSAOpType type, + CK_RV *pError +) +{ + ckmkInternalObject *iKey = (ckmkInternalObject *)mdKey->etc; + const NSSItem *classItem = nss_ckmk_FetchAttribute(iKey, CKA_CLASS, pError); + const NSSItem *keyType = nss_ckmk_FetchAttribute(iKey, CKA_KEY_TYPE, pError); + ckmkInternalCryptoOperationRSAPriv *iOperation; + SecKeyRef privateKey; + OSStatus macErr; + CSSM_RETURN cssmErr; + const CSSM_KEY *cssmKey; + CSSM_CSP_HANDLE cspHandle; + const CSSM_ACCESS_CREDENTIALS *creds = NULL; + CSSM_CC_HANDLE cssmContext; + CSSM_ACL_AUTHORIZATION_TAG authType; + + /* make sure we have the right objects */ + if (((const NSSItem *)NULL == classItem) || + (sizeof(CK_OBJECT_CLASS) != classItem->size) || + (CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) || + ((const NSSItem *)NULL == keyType) || + (sizeof(CK_KEY_TYPE) != keyType->size) || + (CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) { + *pError = CKR_KEY_TYPE_INCONSISTENT; + return (NSSCKMDCryptoOperation *)NULL; + } + + privateKey = (SecKeyRef) iKey->u.item.itemRef; + macErr = SecKeyGetCSSMKey(privateKey, &cssmKey); + if (noErr != macErr) { + CKMK_MACERR("Getting CSSM Key", macErr); + *pError = CKR_KEY_HANDLE_INVALID; + return (NSSCKMDCryptoOperation *)NULL; + } + macErr = SecKeyGetCSPHandle(privateKey, &cspHandle); + if (noErr != macErr) { + CKMK_MACERR("Getting CSP for Key", macErr); + *pError = CKR_KEY_HANDLE_INVALID; + return (NSSCKMDCryptoOperation *)NULL; + } + switch (type) { + case CKMK_DECRYPT: + authType = CSSM_ACL_AUTHORIZATION_DECRYPT; + break; + case CKMK_SIGN: + authType = CSSM_ACL_AUTHORIZATION_SIGN; + break; + default: + *pError = CKR_GENERAL_ERROR; +#ifdef DEBUG + fprintf(stderr,"RSAPriv_Create: bad type = %d\n", type); +#endif + return (NSSCKMDCryptoOperation *)NULL; + } + + macErr = SecKeyGetCredentials(privateKey, authType, 0, &creds); + if (noErr != macErr) { + CKMK_MACERR("Getting Credentials for Key", macErr); + *pError = CKR_KEY_HANDLE_INVALID; + return (NSSCKMDCryptoOperation *)NULL; + } + + switch (type) { + case CKMK_DECRYPT: + cssmErr = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, + creds, cssmKey, CSSM_PADDING_PKCS1, &cssmContext); + break; + case CKMK_SIGN: + cssmErr = CSSM_CSP_CreateSignatureContext(cspHandle, CSSM_ALGID_RSA, + creds, cssmKey, &cssmContext); + break; + default: + *pError = CKR_GENERAL_ERROR; +#ifdef DEBUG + fprintf(stderr,"RSAPriv_Create: bad type = %d\n", type); +#endif + return (NSSCKMDCryptoOperation *)NULL; + } + if (noErr != cssmErr) { + CKMK_MACERR("Getting Context for Key", cssmErr); + *pError = CKR_GENERAL_ERROR; + return (NSSCKMDCryptoOperation *)NULL; + } + + iOperation = nss_ZNEW(NULL, ckmkInternalCryptoOperationRSAPriv); + if ((ckmkInternalCryptoOperationRSAPriv *)NULL == iOperation) { + *pError = CKR_HOST_MEMORY; + return (NSSCKMDCryptoOperation *)NULL; + } + iOperation->mdMechanism = mdMechanism; + iOperation->iKey = iKey; + iOperation->cssmContext = cssmContext; + + nsslibc_memcpy(&iOperation->mdOperation, + proto, sizeof(NSSCKMDCryptoOperation)); + iOperation->mdOperation.etc = iOperation; + + return &iOperation->mdOperation; +} + +static void +ckmk_mdCryptoOperationRSAPriv_Destroy +( + NSSCKMDCryptoOperation *mdOperation, + NSSCKFWCryptoOperation *fwOperation, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + ckmkInternalCryptoOperationRSAPriv *iOperation = + (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc; + + if (iOperation->buffer) { + nssItem_Destroy(iOperation->buffer); + } + if (iOperation->cssmContext) { + CSSM_DeleteContext(iOperation->cssmContext); + } + nss_ZFreeIf(iOperation); + return; +} + +static CK_ULONG +ckmk_mdCryptoOperationRSA_GetFinalLength +( + NSSCKMDCryptoOperation *mdOperation, + NSSCKFWCryptoOperation *fwOperation, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + ckmkInternalCryptoOperationRSAPriv *iOperation = + (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc; + const NSSItem *modulus = + nss_ckmk_FetchAttribute(iOperation->iKey, CKA_MODULUS, pError); + + return modulus->size; +} + + +/* + * ckmk_mdCryptoOperationRSADecrypt_GetOperationLength + * we won't know the length until we actually decrypt the + * input block. Since we go to all the work to decrypt the + * the block, we'll save if for when the block is asked for + */ +static CK_ULONG +ckmk_mdCryptoOperationRSADecrypt_GetOperationLength +( + NSSCKMDCryptoOperation *mdOperation, + NSSCKFWCryptoOperation *fwOperation, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + const NSSItem *input, + CK_RV *pError +) +{ + ckmkInternalCryptoOperationRSAPriv *iOperation = + (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc; + CSSM_DATA cssmInput; + CSSM_DATA cssmOutput = { 0, NULL }; + uint32 bytesDecrypted; + CSSM_DATA remainder = { 0, NULL }; + NSSItem output; + CSSM_RETURN cssmErr; + + if (iOperation->buffer) { + return iOperation->buffer->size; + } + + cssmInput.Data = input->data; + cssmInput.Length = input->size; + + cssmErr = CSSM_DecryptData(iOperation->cssmContext, + &cssmInput, 1, &cssmOutput, 1, + &bytesDecrypted, &remainder); + if (CSSM_OK != cssmErr) { + CKMK_MACERR("Decrypt Failed", cssmErr); + *pError = CKR_DATA_INVALID; + return 0; + } + /* we didn't suppy any buffers, so it should all be in remainder */ + output.data = nss_ZNEWARRAY(NULL, char, bytesDecrypted + remainder.Length); + if (NULL == output.data) { + free(cssmOutput.Data); + free(remainder.Data); + *pError = CKR_HOST_MEMORY; + return 0; + } + output.size = bytesDecrypted + remainder.Length; + + if (0 != bytesDecrypted) { + nsslibc_memcpy(output.data, cssmOutput.Data, bytesDecrypted); + free(cssmOutput.Data); + } + if (0 != remainder.Length) { + nsslibc_memcpy(((char *)output.data)+bytesDecrypted, + remainder.Data, remainder.Length); + free(remainder.Data); + } + + iOperation->buffer = nssItem_Duplicate(&output, NULL, NULL); + nss_ZFreeIf(output.data); + if ((NSSItem *) NULL == iOperation->buffer) { + *pError = CKR_HOST_MEMORY; + return 0; + } + + return iOperation->buffer->size; +} + +/* + * ckmk_mdCryptoOperationRSADecrypt_UpdateFinal + * + * NOTE: ckmk_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to + * have been called previously. + */ +static CK_RV +ckmk_mdCryptoOperationRSADecrypt_UpdateFinal +( + NSSCKMDCryptoOperation *mdOperation, + NSSCKFWCryptoOperation *fwOperation, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + const NSSItem *input, + NSSItem *output +) +{ + ckmkInternalCryptoOperationRSAPriv *iOperation = + (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc; + NSSItem *buffer = iOperation->buffer; + + if ((NSSItem *)NULL == buffer) { + return CKR_GENERAL_ERROR; + } + nsslibc_memcpy(output->data, buffer->data, buffer->size); + output->size = buffer->size; + return CKR_OK; +} + +/* + * ckmk_mdCryptoOperationRSASign_UpdateFinal + * + */ +static CK_RV +ckmk_mdCryptoOperationRSASign_UpdateFinal +( + NSSCKMDCryptoOperation *mdOperation, + NSSCKFWCryptoOperation *fwOperation, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + const NSSItem *input, + NSSItem *output +) +{ + ckmkInternalCryptoOperationRSAPriv *iOperation = + (ckmkInternalCryptoOperationRSAPriv *)mdOperation->etc; + CSSM_DATA cssmInput; + CSSM_DATA cssmOutput = { 0, NULL }; + CSSM_RETURN cssmErr; + + cssmInput.Data = input->data; + cssmInput.Length = input->size; + + cssmErr = CSSM_SignData(iOperation->cssmContext, &cssmInput, 1, + CSSM_ALGID_NONE, &cssmOutput); + if (CSSM_OK != cssmErr) { + CKMK_MACERR("Signed Failed", cssmErr); + return CKR_FUNCTION_FAILED; + } + if (cssmOutput.Length > output->size) { + free(cssmOutput.Data); + return CKR_BUFFER_TOO_SMALL; + } + nsslibc_memcpy(output->data, cssmOutput.Data, cssmOutput.Length); + free(cssmOutput.Data); + output->size = cssmOutput.Length; + + return CKR_OK; +} + + +NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation +ckmk_mdCryptoOperationRSADecrypt_proto = { + NULL, /* etc */ + ckmk_mdCryptoOperationRSAPriv_Destroy, + NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */ + ckmk_mdCryptoOperationRSADecrypt_GetOperationLength, + NULL, /* Final - not needed for one shot operation */ + NULL, /* Update - not needed for one shot operation */ + NULL, /* DigetUpdate - not needed for one shot operation */ + ckmk_mdCryptoOperationRSADecrypt_UpdateFinal, + NULL, /* UpdateCombo - not needed for one shot operation */ + NULL, /* DigetKey - not needed for one shot operation */ + (void *)NULL /* null terminator */ +}; + +NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation +ckmk_mdCryptoOperationRSASign_proto = { + NULL, /* etc */ + ckmk_mdCryptoOperationRSAPriv_Destroy, + ckmk_mdCryptoOperationRSA_GetFinalLength, + NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */ + NULL, /* Final - not needed for one shot operation */ + NULL, /* Update - not needed for one shot operation */ + NULL, /* DigetUpdate - not needed for one shot operation */ + ckmk_mdCryptoOperationRSASign_UpdateFinal, + NULL, /* UpdateCombo - not needed for one shot operation */ + NULL, /* DigetKey - not needed for one shot operation */ + (void *)NULL /* null terminator */ +}; + +/********** NSSCKMDMechansim functions ***********************/ +/* + * ckmk_mdMechanismRSA_Destroy + */ +static void +ckmk_mdMechanismRSA_Destroy +( + NSSCKMDMechanism *mdMechanism, + NSSCKFWMechanism *fwMechanism, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + nss_ZFreeIf(fwMechanism); +} + +/* + * ckmk_mdMechanismRSA_GetMinKeySize + */ +static CK_ULONG +ckmk_mdMechanismRSA_GetMinKeySize +( + NSSCKMDMechanism *mdMechanism, + NSSCKFWMechanism *fwMechanism, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return 384; +} + +/* + * ckmk_mdMechanismRSA_GetMaxKeySize + */ +static CK_ULONG +ckmk_mdMechanismRSA_GetMaxKeySize +( + NSSCKMDMechanism *mdMechanism, + NSSCKFWMechanism *fwMechanism, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return 16384; +} + +/* + * ckmk_mdMechanismRSA_DecryptInit + */ +static NSSCKMDCryptoOperation * +ckmk_mdMechanismRSA_DecryptInit +( + NSSCKMDMechanism *mdMechanism, + NSSCKFWMechanism *fwMechanism, + CK_MECHANISM *pMechanism, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSCKMDObject *mdKey, + NSSCKFWObject *fwKey, + CK_RV *pError +) +{ + return ckmk_mdCryptoOperationRSAPriv_Create( + &ckmk_mdCryptoOperationRSADecrypt_proto, + mdMechanism, mdKey, CKMK_DECRYPT, pError); +} + +/* + * ckmk_mdMechanismRSA_SignInit + */ +static NSSCKMDCryptoOperation * +ckmk_mdMechanismRSA_SignInit +( + NSSCKMDMechanism *mdMechanism, + NSSCKFWMechanism *fwMechanism, + CK_MECHANISM *pMechanism, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSCKMDObject *mdKey, + NSSCKFWObject *fwKey, + CK_RV *pError +) +{ + return ckmk_mdCryptoOperationRSAPriv_Create( + &ckmk_mdCryptoOperationRSASign_proto, + mdMechanism, mdKey, CKMK_SIGN, pError); +} + + +NSS_IMPLEMENT_DATA const NSSCKMDMechanism +nss_ckmk_mdMechanismRSA = { + (void *)NULL, /* etc */ + ckmk_mdMechanismRSA_Destroy, + ckmk_mdMechanismRSA_GetMinKeySize, + ckmk_mdMechanismRSA_GetMaxKeySize, + NULL, /* GetInHardware - default false */ + NULL, /* EncryptInit - default errs */ + ckmk_mdMechanismRSA_DecryptInit, + NULL, /* DigestInit - default errs*/ + ckmk_mdMechanismRSA_SignInit, + NULL, /* VerifyInit - default errs */ + ckmk_mdMechanismRSA_SignInit, /* SignRecoverInit */ + NULL, /* VerifyRecoverInit - default errs */ + NULL, /* GenerateKey - default errs */ + NULL, /* GenerateKeyPair - default errs */ + NULL, /* GetWrapKeyLength - default errs */ + NULL, /* WrapKey - default errs */ + NULL, /* UnwrapKey - default errs */ + NULL, /* DeriveKey - default errs */ + (void *)NULL /* null terminator */ +}; diff --git a/security/nss/lib/ckfw/nssmkey/msession.c b/security/nss/lib/ckfw/nssmkey/msession.c new file mode 100644 index 000000000000..cae819a4985f --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/msession.c @@ -0,0 +1,131 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: msession.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#include "ckmk.h" + +/* + * nssmkey/msession.c + * + * This file implements the NSSCKMDSession object for the + * "nssmkey" cryptoki module. + */ + +static NSSCKMDFindObjects * +ckmk_mdSession_FindObjectsInit +( + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +) +{ + return nss_ckmk_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError); +} + +static NSSCKMDObject * +ckmk_mdSession_CreateObject +( + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSArena *arena, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError +) +{ + return nss_ckmk_CreateObject(fwSession, pTemplate, ulAttributeCount, pError); +} + +NSS_IMPLEMENT NSSCKMDSession * +nss_ckmk_CreateSession +( + NSSCKFWSession *fwSession, + CK_RV *pError +) +{ + NSSArena *arena; + NSSCKMDSession *rv; + + arena = NSSCKFWSession_GetArena(fwSession, pError); + if( (NSSArena *)NULL == arena ) { + return (NSSCKMDSession *)NULL; + } + + rv = nss_ZNEW(arena, NSSCKMDSession); + if( (NSSCKMDSession *)NULL == rv ) { + *pError = CKR_HOST_MEMORY; + return (NSSCKMDSession *)NULL; + } + + /* + * rv was zeroed when allocated, so we only + * need to set the non-zero members. + */ + + rv->etc = (void *)fwSession; + /* rv->Close */ + /* rv->GetDeviceError */ + /* rv->Login */ + /* rv->Logout */ + /* rv->InitPIN */ + /* rv->SetPIN */ + /* rv->GetOperationStateLen */ + /* rv->GetOperationState */ + /* rv->SetOperationState */ + rv->CreateObject = ckmk_mdSession_CreateObject; + /* rv->CopyObject */ + rv->FindObjectsInit = ckmk_mdSession_FindObjectsInit; + /* rv->SeedRandom */ + /* rv->GetRandom */ + /* rv->null */ + + return rv; +} diff --git a/security/nss/lib/ckfw/nssmkey/mslot.c b/security/nss/lib/ckfw/nssmkey/mslot.c new file mode 100644 index 000000000000..1c58d0688751 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/mslot.c @@ -0,0 +1,129 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: mslot.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#include "ckmk.h" + +/* + * nssmkey/mslot.c + * + * This file implements the NSSCKMDSlot object for the + * "nssmkey" cryptoki module. + */ + +static NSSUTF8 * +ckmk_mdSlot_GetSlotDescription +( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_SlotDescription; +} + +static NSSUTF8 * +ckmk_mdSlot_GetManufacturerID +( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_ManufacturerID; +} + +static CK_VERSION +ckmk_mdSlot_GetHardwareVersion +( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return nss_ckmk_HardwareVersion; +} + +static CK_VERSION +ckmk_mdSlot_GetFirmwareVersion +( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return nss_ckmk_FirmwareVersion; +} + +static NSSCKMDToken * +ckmk_mdSlot_GetToken +( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSCKMDToken *)&nss_ckmk_mdToken; +} + +NSS_IMPLEMENT_DATA const NSSCKMDSlot +nss_ckmk_mdSlot = { + (void *)NULL, /* etc */ + NULL, /* Initialize */ + NULL, /* Destroy */ + ckmk_mdSlot_GetSlotDescription, + ckmk_mdSlot_GetManufacturerID, + NULL, /* GetTokenPresent -- defaults to true */ + NULL, /* GetRemovableDevice -- defaults to false */ + NULL, /* GetHardwareSlot -- defaults to false */ + ckmk_mdSlot_GetHardwareVersion, + ckmk_mdSlot_GetFirmwareVersion, + ckmk_mdSlot_GetToken, + (void *)NULL /* null terminator */ +}; diff --git a/security/nss/lib/ckfw/nssmkey/mtoken.c b/security/nss/lib/ckfw/nssmkey/mtoken.c new file mode 100644 index 000000000000..bd4c5deebe24 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/mtoken.c @@ -0,0 +1,246 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: mtoken.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#include "ckmk.h" + +/* + * nssmkey/mtoken.c + * + * This file implements the NSSCKMDToken object for the + * "nssmkey" cryptoki module. + */ + +static NSSUTF8 * +ckmk_mdToken_GetLabel +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_TokenLabel; +} + +static NSSUTF8 * +ckmk_mdToken_GetManufacturerID +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_ManufacturerID; +} + +static NSSUTF8 * +ckmk_mdToken_GetModel +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_TokenModel; +} + +static NSSUTF8 * +ckmk_mdToken_GetSerialNumber +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError +) +{ + return (NSSUTF8 *)nss_ckmk_TokenSerialNumber; +} + +static CK_BBOOL +ckmk_mdToken_GetIsWriteProtected +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return CK_FALSE; +} + +/* fake out Mozilla so we don't try to initialize the token */ +static CK_BBOOL +ckmk_mdToken_GetUserPinInitialized +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return CK_TRUE; +} + +static CK_VERSION +ckmk_mdToken_GetHardwareVersion +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return nss_ckmk_HardwareVersion; +} + +static CK_VERSION +ckmk_mdToken_GetFirmwareVersion +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return nss_ckmk_FirmwareVersion; +} + +static NSSCKMDSession * +ckmk_mdToken_OpenSession +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSCKFWSession *fwSession, + CK_BBOOL rw, + CK_RV *pError +) +{ + return nss_ckmk_CreateSession(fwSession, pError); +} + +static CK_ULONG +ckmk_mdToken_GetMechanismCount +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance +) +{ + return (CK_ULONG)1; +} + +static CK_RV +ckmk_mdToken_GetMechanismTypes +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_MECHANISM_TYPE types[] +) +{ + types[0] = CKM_RSA_PKCS; + return CKR_OK; +} + +static NSSCKMDMechanism * +ckmk_mdToken_GetMechanism +( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_MECHANISM_TYPE which, + CK_RV *pError +) +{ + if (which != CKM_RSA_PKCS) { + *pError = CKR_MECHANISM_INVALID; + return (NSSCKMDMechanism *)NULL; + } + return (NSSCKMDMechanism *)&nss_ckmk_mdMechanismRSA; +} + +NSS_IMPLEMENT_DATA const NSSCKMDToken +nss_ckmk_mdToken = { + (void *)NULL, /* etc */ + NULL, /* Setup */ + NULL, /* Invalidate */ + NULL, /* InitToken -- default errs */ + ckmk_mdToken_GetLabel, + ckmk_mdToken_GetManufacturerID, + ckmk_mdToken_GetModel, + ckmk_mdToken_GetSerialNumber, + NULL, /* GetHasRNG -- default is false */ + ckmk_mdToken_GetIsWriteProtected, + NULL, /* GetLoginRequired -- default is false */ + ckmk_mdToken_GetUserPinInitialized, + NULL, /* GetRestoreKeyNotNeeded -- irrelevant */ + NULL, /* GetHasClockOnToken -- default is false */ + NULL, /* GetHasProtectedAuthenticationPath -- default is false */ + NULL, /* GetSupportsDualCryptoOperations -- default is false */ + NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetMaxPinLen -- irrelevant */ + NULL, /* GetMinPinLen -- irrelevant */ + NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */ + ckmk_mdToken_GetHardwareVersion, + ckmk_mdToken_GetFirmwareVersion, + NULL, /* GetUTCTime -- no clock */ + ckmk_mdToken_OpenSession, + ckmk_mdToken_GetMechanismCount, + ckmk_mdToken_GetMechanismTypes, + ckmk_mdToken_GetMechanism, + (void *)NULL /* null terminator */ +}; diff --git a/security/nss/lib/ckfw/nssmkey/nssmkey.def b/security/nss/lib/ckfw/nssmkey/nssmkey.def new file mode 100644 index 000000000000..054fbd82aabd --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/nssmkey.def @@ -0,0 +1,58 @@ +;+# +;+# ***** BEGIN LICENSE BLOCK ***** +;+# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +;+# +;+# The contents of this file are subject to the Mozilla Public License Version +;+# 1.1 (the "License"); you may not use this file except in compliance with +;+# the License. You may obtain a copy of the License at +;+# http://www.mozilla.org/MPL/ +;+# +;+# Software distributed under the License is distributed on an "AS IS" basis, +;+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +;+# for the specific language governing rights and limitations under the +;+# License. +;+# +;+# The Original Code is the Netscape security libraries. +;+# +;+# The Initial Developer of the Original Code is +;+# Netscape Communications Corporation. +;+# Portions created by the Initial Developer are Copyright (C) 2003 +;+# the Initial Developer. All Rights Reserved. +;+# +;+# Contributor(s): +;+# +;+# Alternatively, the contents of this file may be used under the terms of +;+# either the GNU General Public License Version 2 or later (the "GPL"), or +;+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +;+# in which case the provisions of the GPL or the LGPL are applicable instead +;+# of those above. If you wish to allow use of your version of this file only +;+# under the terms of either the GPL or the LGPL, and not to allow others to +;+# use your version of this file under the terms of the MPL, indicate your +;+# decision by deleting the provisions above and replace them with the notice +;+# and other provisions required by the GPL or the LGPL. If you do not delete +;+# the provisions above, a recipient may use your version of this file under +;+# the terms of any one of the MPL, the GPL or the LGPL. +;+# +;+# ***** END LICENSE BLOCK ***** +;+# +;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS +;+# 1. For all unix platforms, the string ";-" means "remove this line" +;+# 2. For all unix platforms, the string " DATA " will be removed from any +;+# line on which it occurs. +;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX. +;+# On AIX, lines containing ";+" will be removed. +;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed. +;+# 5. For all unix platforms, after the above processing has taken place, +;+# all characters after the first ";" on the line will be removed. +;+# And for AIX, the first ";" will also be removed. +;+# This file is passed directly to windows. Since ';' is a comment, all UNIX +;+# directives are hidden behind ";", ";+", and ";-" +;+ +;+NSSMKEY_3.0 { # First release of nssmkey +;+ global: +LIBRARY nssmkey ;- +EXPORTS ;- +C_GetFunctionList; +;+ local: +;+*; +;+}; diff --git a/security/nss/lib/ckfw/nssmkey/nssmkey.h b/security/nss/lib/ckfw/nssmkey/nssmkey.h new file mode 100644 index 000000000000..5bf181222c46 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/nssmkey.h @@ -0,0 +1,75 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef NSSMKEY_H +#define NSSMKEY_H + +/* + * NSS CKMK Version numbers. + * + * These are the version numbers for the nssmkey module packaged with + * this release on NSS. To determine the version numbers of the builtin + * module you are using, use the appropriate PKCS #11 calls. + * + * These version numbers detail changes to the PKCS #11 interface. They map + * to the PKCS #11 spec versions. + */ +#define NSS_CKMK_CRYPTOKI_VERSION_MAJOR 2 +#define NSS_CKMK_CRYPTOKI_VERSION_MINOR 20 + +/* These version numbers detail the changes + * to the list of trusted certificates. + * + * NSS_CKMK_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear + * whether we may use its full range (0-255) or only 0-99 because + * of the comment in the CK_VERSION type definition. + */ +#define NSS_CKMK_LIBRARY_VERSION_MAJOR 1 +#define NSS_CKMK_LIBRARY_VERSION_MINOR 1 +#define NSS_CKMK_LIBRARY_VERSION "1.1" + +/* These version numbers detail the semantic changes to the ckfw engine. */ +#define NSS_CKMK_HARDWARE_VERSION_MAJOR 1 +#define NSS_CKMK_HARDWARE_VERSION_MINOR 0 + +/* These version numbers detail the semantic changes to ckbi itself + * (new PKCS #11 objects), etc. */ +#define NSS_CKMK_FIRMWARE_VERSION_MAJOR 1 +#define NSS_CKMK_FIRMWARE_VERSION_MINOR 0 + +#endif /* NSSMKEY_H */ diff --git a/security/nss/lib/ckfw/nssmkey/staticobj.c b/security/nss/lib/ckfw/nssmkey/staticobj.c new file mode 100644 index 000000000000..e35c093ac5e6 --- /dev/null +++ b/security/nss/lib/ckfw/nssmkey/staticobj.c @@ -0,0 +1,74 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * Portions created by Red Hat, Inc, are Copyright (C) 2005 + * + * Contributor(s): + * Bob Relyea (rrelyea@redhat.com) + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef DEBUG +static const char CVS_ID[] = "@(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $""; @(#) $RCSfile: staticobj.c,v $ $Revision: 1.1 $ $Date: 2005/11/23 23:04:08 $"; +#endif /* DEBUG */ + +#ifndef CKMK_H +#include "ckmk.h" +#endif /* CKMK_H */ + +static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID; +static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE; +static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR; +static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST; +static const CK_BBOOL ck_true = CK_TRUE; +static const CK_OBJECT_CLASS cko_data = CKO_DATA; +static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509; +static const CK_BBOOL ck_false = CK_FALSE; +static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST; + +/* example of a static object */ +static const CK_ATTRIBUTE_TYPE nss_ckmk_types_1 [] = { + CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL +}; + +static const NSSItem nss_ckmk_items_1 [] = { + { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) }, + { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }, + { (void *)"Mozilla Mac Key Ring Access", (PRUint32)28 } +}; + +PR_IMPLEMENT_DATA(ckmkInternalObject) nss_ckmk_data[] = { + { ckmkRaw, {{ 5, nss_ckmk_types_1, nss_ckmk_items_1}} , CKO_DATA, {NULL} }, +}; + +PR_IMPLEMENT_DATA(const PRUint32) nss_ckmk_nObjects = 1;