summaryrefslogtreecommitdiffstats
path: root/chromium/third_party/nss/nss/lib/softoken/pkcs11.c
diff options
context:
space:
mode:
Diffstat (limited to 'chromium/third_party/nss/nss/lib/softoken/pkcs11.c')
-rw-r--r--chromium/third_party/nss/nss/lib/softoken/pkcs11.c175
1 files changed, 111 insertions, 64 deletions
diff --git a/chromium/third_party/nss/nss/lib/softoken/pkcs11.c b/chromium/third_party/nss/nss/lib/softoken/pkcs11.c
index e1c2442babc..c5419466280 100644
--- a/chromium/third_party/nss/nss/lib/softoken/pkcs11.c
+++ b/chromium/third_party/nss/nss/lib/softoken/pkcs11.c
@@ -266,6 +266,8 @@ static const struct mechanismList mechanisms[] = {
CKF_DUZ_IT_ALL}, PR_TRUE},
{CKM_RSA_PKCS_PSS, {RSA_MIN_MODULUS_BITS,CK_MAX,
CKF_SN_VR}, PR_TRUE},
+ {CKM_RSA_PKCS_OAEP, {RSA_MIN_MODULUS_BITS,CK_MAX,
+ CKF_EN_DE_WR_UN}, PR_TRUE},
#ifdef SFTK_RSA9796_SUPPORTED
{CKM_RSA_9796, {RSA_MIN_MODULUS_BITS,CK_MAX,
CKF_DUZ_IT_ALL}, PR_TRUE},
@@ -302,7 +304,7 @@ static const struct mechanismList mechanisms[] = {
CKF_GENERATE_KEY_PAIR}, PR_TRUE},
{CKM_DH_PKCS_DERIVE, {DH_MIN_P_BITS, DH_MAX_P_BITS,
CKF_DERIVE}, PR_TRUE},
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
/* -------------------- Elliptic Curve Operations --------------------- */
{CKM_EC_KEY_PAIR_GEN, {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS,
CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE},
@@ -312,7 +314,7 @@ static const struct mechanismList mechanisms[] = {
CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE},
{CKM_ECDSA_SHA1, {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS,
CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE},
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
/* ------------------------- RC2 Operations --------------------------- */
{CKM_RC2_KEY_GEN, {1, 128, CKF_GENERATE}, PR_TRUE},
{CKM_RC2_ECB, {1, 128, CKF_EN_DE_WR_UN}, PR_TRUE},
@@ -930,7 +932,7 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
@@ -944,7 +946,7 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
default:
return CKR_ATTRIBUTE_VALUE_INVALID;
}
@@ -990,7 +992,7 @@ static NSSLOWKEYPrivateKey *
sftk_mkPrivKey(SFTKObject *object,CK_KEY_TYPE key, CK_RV *rvp);
static SECStatus
-sftk_fillRSAPrivateKey(SFTKObject *object);
+sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded);
/*
* check the consistancy and initialize a Private Key Object
@@ -1006,12 +1008,14 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
CK_BBOOL derive = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
PRBool createObjectInfo = PR_TRUE;
+ PRBool fillPrivateKey = PR_FALSE;
int missing_rsa_mod_component = 0;
int missing_rsa_exp_component = 0;
int missing_rsa_crt_component = 0;
-
+
SECItem mod;
CK_RV crv;
+ SECStatus rv;
switch (key_type) {
case CKK_RSA:
@@ -1046,19 +1050,19 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
int have_exp = 2- missing_rsa_exp_component;
int have_component = 5-
(missing_rsa_exp_component+missing_rsa_mod_component);
- SECStatus rv;
if ((have_exp == 0) || (have_component < 3)) {
/* nope, not enough to reconstruct the private key */
return CKR_TEMPLATE_INCOMPLETE;
}
- /*fill in the missing parameters */
- rv = sftk_fillRSAPrivateKey(object);
- if (rv != SECSuccess) {
+ fillPrivateKey = PR_TRUE;
+ }
+ /*verify the parameters for consistency*/
+ rv = sftk_verifyRSAPrivateKey(object, fillPrivateKey);
+ if (rv != SECSuccess) {
return CKR_TEMPLATE_INCOMPLETE;
- }
}
-
+
/* make sure Netscape DB attribute is set correctly */
crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
if (crv != CKR_OK) return crv;
@@ -1091,7 +1095,7 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
@@ -1104,11 +1108,11 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
case CKK_NSS_JPAKE_ROUND1:
- if (!sftk_hasAttribute(object, CKA_PRIME ||
+ if (!sftk_hasAttribute(object, CKA_PRIME) ||
!sftk_hasAttribute(object, CKA_SUBPRIME) ||
- !sftk_hasAttribute(object, CKA_BASE))) {
+ !sftk_hasAttribute(object, CKA_BASE)) {
return CKR_TEMPLATE_INCOMPLETE;
}
/* fall through */
@@ -1152,7 +1156,6 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE
if (sftk_isTrue(object,CKA_TOKEN)) {
SFTKSlot *slot = session->slot;
SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
- CK_RV crv;
if (keyHandle == NULL) {
return CKR_TOKEN_WRITE_PROTECTED;
@@ -1711,7 +1714,7 @@ NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,CK_KEY_TYPE key_type,
crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.publicValue,
object,CKA_VALUE);
break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
pubKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
@@ -1771,7 +1774,7 @@ NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,CK_KEY_TYPE key_type,
crv = CKR_ATTRIBUTE_VALUE_INVALID;
}
break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
@@ -1880,7 +1883,7 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
* if we don't set it explicitly */
break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
@@ -1922,7 +1925,7 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
#endif
}
break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
@@ -1943,10 +1946,11 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
}
/*
- * we have a partial rsa private key, fill in the rest
+ * If a partial RSA private key is present, fill in the rest if necessary,
+ * and then verify the parameters are well-formed
*/
static SECStatus
-sftk_fillRSAPrivateKey(SFTKObject *object)
+sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded)
{
RSAPrivateKey tmpKey = { 0 };
SFTKAttribute *modulus = NULL;
@@ -1954,6 +1958,9 @@ sftk_fillRSAPrivateKey(SFTKObject *object)
SFTKAttribute *prime2 = NULL;
SFTKAttribute *privateExponent = NULL;
SFTKAttribute *publicExponent = NULL;
+ SFTKAttribute *exponent1 = NULL;
+ SFTKAttribute *exponent2 = NULL;
+ SFTKAttribute *coefficient = NULL;
SECStatus rv;
CK_RV crv;
@@ -1984,44 +1991,82 @@ sftk_fillRSAPrivateKey(SFTKObject *object)
if (publicExponent) {
tmpKey.publicExponent.data = publicExponent->attrib.pValue;
tmpKey.publicExponent.len = publicExponent->attrib.ulValueLen;
- }
+ }
+ exponent1 = sftk_FindAttribute(object, CKA_EXPONENT_1);
+ if (exponent1) {
+ tmpKey.exponent1.data = exponent1->attrib.pValue;
+ tmpKey.exponent1.len = exponent1->attrib.ulValueLen;
+ }
+ exponent2 = sftk_FindAttribute(object, CKA_EXPONENT_2);
+ if (exponent2) {
+ tmpKey.exponent2.data = exponent2->attrib.pValue;
+ tmpKey.exponent2.len = exponent2->attrib.ulValueLen;
+ }
+ coefficient = sftk_FindAttribute(object, CKA_COEFFICIENT);
+ if (coefficient) {
+ tmpKey.coefficient.data = coefficient->attrib.pValue;
+ tmpKey.coefficient.len = coefficient->attrib.ulValueLen;
+ }
- /*
- * populate requires one exponent plus 2 other components to work.
- * we expected our caller to check that first. If that didn't happen,
- * populate will simply return an error here.
- */
- rv = RSA_PopulatePrivateKey(&tmpKey);
+ if (fillIfNeeded) {
+ /*
+ * populate requires one exponent plus 2 other components to work.
+ * we expected our caller to check that first. If that didn't happen,
+ * populate will simply return an error here.
+ */
+ rv = RSA_PopulatePrivateKey(&tmpKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+ rv = RSA_PrivateKeyCheck(&tmpKey);
if (rv != SECSuccess) {
goto loser;
}
-
/* now that we have a fully populated key, set all our attribute values */
rv = SECFailure;
- crv = sftk_forceAttribute(object,CKA_MODULUS,
- sftk_item_expand(&tmpKey.modulus));
- if (crv != CKR_OK) goto loser;
- crv = sftk_forceAttribute(object,CKA_PUBLIC_EXPONENT,
- sftk_item_expand(&tmpKey.publicExponent));
- if (crv != CKR_OK) goto loser;
- crv = sftk_forceAttribute(object,CKA_PRIVATE_EXPONENT,
- sftk_item_expand(&tmpKey.privateExponent));
- if (crv != CKR_OK) goto loser;
- crv = sftk_forceAttribute(object,CKA_PRIME_1,
- sftk_item_expand(&tmpKey.prime1));
- if (crv != CKR_OK) goto loser;
- crv = sftk_forceAttribute(object,CKA_PRIME_2,
- sftk_item_expand(&tmpKey.prime2));
- if (crv != CKR_OK) goto loser;
- crv = sftk_forceAttribute(object,CKA_EXPONENT_1,
- sftk_item_expand(&tmpKey.exponent1));
- if (crv != CKR_OK) goto loser;
- crv = sftk_forceAttribute(object,CKA_EXPONENT_2,
- sftk_item_expand(&tmpKey.exponent2));
- if (crv != CKR_OK) goto loser;
- crv = sftk_forceAttribute(object,CKA_COEFFICIENT,
- sftk_item_expand(&tmpKey.coefficient));
- if (crv != CKR_OK) goto loser;
+ if (!modulus || modulus->attrib.pValue != tmpKey.modulus.data) {
+ crv = sftk_forceAttribute(object,CKA_MODULUS,
+ sftk_item_expand(&tmpKey.modulus));
+ if (crv != CKR_OK) goto loser;
+ }
+ if (!publicExponent ||
+ publicExponent->attrib.pValue != tmpKey.publicExponent.data) {
+ crv = sftk_forceAttribute(object, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&tmpKey.publicExponent));
+ if (crv != CKR_OK) goto loser;
+ }
+ if (!privateExponent ||
+ privateExponent->attrib.pValue != tmpKey.privateExponent.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIVATE_EXPONENT,
+ sftk_item_expand(&tmpKey.privateExponent));
+ if (crv != CKR_OK) goto loser;
+ }
+ if (!prime1 || prime1->attrib.pValue != tmpKey.prime1.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIME_1,
+ sftk_item_expand(&tmpKey.prime1));
+ if (crv != CKR_OK) goto loser;
+ }
+ if (!prime2 || prime2->attrib.pValue != tmpKey.prime2.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIME_2,
+ sftk_item_expand(&tmpKey.prime2));
+ if (crv != CKR_OK) goto loser;
+ }
+ if (!exponent1 || exponent1->attrib.pValue != tmpKey.exponent1.data) {
+ crv = sftk_forceAttribute(object, CKA_EXPONENT_1,
+ sftk_item_expand(&tmpKey.exponent1));
+ if (crv != CKR_OK) goto loser;
+ }
+ if (!exponent2 || exponent2->attrib.pValue != tmpKey.exponent2.data) {
+ crv = sftk_forceAttribute(object, CKA_EXPONENT_2,
+ sftk_item_expand(&tmpKey.exponent2));
+ if (crv != CKR_OK) goto loser;
+ }
+ if (!coefficient || coefficient->attrib.pValue != tmpKey.coefficient.data) {
+ crv = sftk_forceAttribute(object, CKA_COEFFICIENT,
+ sftk_item_expand(&tmpKey.coefficient));
+ if (crv != CKR_OK) goto loser;
+ }
rv = SECSuccess;
/* we're done (one way or the other), clean up all our stuff */
@@ -2044,15 +2089,18 @@ loser:
if (publicExponent) {
sftk_FreeAttribute(publicExponent);
}
+ if (exponent1) {
+ sftk_FreeAttribute(exponent1);
+ }
+ if (exponent2) {
+ sftk_FreeAttribute(exponent2);
+ }
+ if (coefficient) {
+ sftk_FreeAttribute(coefficient);
+ }
return rv;
}
-
-
-
-
-
-
/* Generate a low private key structure from an object */
NSSLOWKEYPrivateKey *
sftk_GetPrivKey(SFTKObject *object,CK_KEY_TYPE key_type, CK_RV *crvp)
@@ -3131,9 +3179,6 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
if (slot == NULL) return CKR_SLOT_ID_INVALID;
- pInfo->firmwareVersion.major = 0;
- pInfo->firmwareVersion.minor = 0;
-
PORT_Memcpy(pInfo->manufacturerID,manufacturerID,
sizeof(pInfo->manufacturerID));
PORT_Memcpy(pInfo->slotDescription,slot->slotDescription,
@@ -3160,6 +3205,8 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
/* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR;
+ pInfo->firmwareVersion.major = SOFTOKEN_VPATCH;
+ pInfo->firmwareVersion.minor = SOFTOKEN_VBUILD;
return CKR_OK;
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-07 09:30:16 +0000