diff options
Diffstat (limited to 'chromium/third_party/nss/nss/lib/softoken/pkcs11.c')
-rw-r--r-- | chromium/third_party/nss/nss/lib/softoken/pkcs11.c | 175 |
1 files changed, 111 insertions, 64 deletions
diff --git a/chromium/third_party/nss/nss/lib/softoken/pkcs11.c b/chromium/third_party/nss/nss/lib/softoken/pkcs11.c index e1c2442babc..c5419466280 100644 --- a/chromium/third_party/nss/nss/lib/softoken/pkcs11.c +++ b/chromium/third_party/nss/nss/lib/softoken/pkcs11.c @@ -266,6 +266,8 @@ static const struct mechanismList mechanisms[] = { CKF_DUZ_IT_ALL}, PR_TRUE}, {CKM_RSA_PKCS_PSS, {RSA_MIN_MODULUS_BITS,CK_MAX, CKF_SN_VR}, PR_TRUE}, + {CKM_RSA_PKCS_OAEP, {RSA_MIN_MODULUS_BITS,CK_MAX, + CKF_EN_DE_WR_UN}, PR_TRUE}, #ifdef SFTK_RSA9796_SUPPORTED {CKM_RSA_9796, {RSA_MIN_MODULUS_BITS,CK_MAX, CKF_DUZ_IT_ALL}, PR_TRUE}, @@ -302,7 +304,7 @@ static const struct mechanismList mechanisms[] = { CKF_GENERATE_KEY_PAIR}, PR_TRUE}, {CKM_DH_PKCS_DERIVE, {DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_DERIVE}, PR_TRUE}, -#ifdef NSS_ENABLE_ECC +#ifndef NSS_DISABLE_ECC /* -------------------- Elliptic Curve Operations --------------------- */ {CKM_EC_KEY_PAIR_GEN, {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE}, @@ -312,7 +314,7 @@ static const struct mechanismList mechanisms[] = { CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, {CKM_ECDSA_SHA1, {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, -#endif /* NSS_ENABLE_ECC */ +#endif /* NSS_DISABLE_ECC */ /* ------------------------- RC2 Operations --------------------------- */ {CKM_RC2_KEY_GEN, {1, 128, CKF_GENERATE}, PR_TRUE}, {CKM_RC2_ECB, {1, 128, CKF_EN_DE_WR_UN}, PR_TRUE}, @@ -930,7 +932,7 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object, recover = CK_FALSE; wrap = CK_FALSE; break; -#ifdef NSS_ENABLE_ECC +#ifndef NSS_DISABLE_ECC case CKK_EC: if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) { return CKR_TEMPLATE_INCOMPLETE; @@ -944,7 +946,7 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object, recover = CK_FALSE; wrap = CK_FALSE; break; -#endif /* NSS_ENABLE_ECC */ +#endif /* NSS_DISABLE_ECC */ default: return CKR_ATTRIBUTE_VALUE_INVALID; } @@ -990,7 +992,7 @@ static NSSLOWKEYPrivateKey * sftk_mkPrivKey(SFTKObject *object,CK_KEY_TYPE key, CK_RV *rvp); static SECStatus -sftk_fillRSAPrivateKey(SFTKObject *object); +sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded); /* * check the consistancy and initialize a Private Key Object @@ -1006,12 +1008,14 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE CK_BBOOL derive = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; PRBool createObjectInfo = PR_TRUE; + PRBool fillPrivateKey = PR_FALSE; int missing_rsa_mod_component = 0; int missing_rsa_exp_component = 0; int missing_rsa_crt_component = 0; - + SECItem mod; CK_RV crv; + SECStatus rv; switch (key_type) { case CKK_RSA: @@ -1046,19 +1050,19 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE int have_exp = 2- missing_rsa_exp_component; int have_component = 5- (missing_rsa_exp_component+missing_rsa_mod_component); - SECStatus rv; if ((have_exp == 0) || (have_component < 3)) { /* nope, not enough to reconstruct the private key */ return CKR_TEMPLATE_INCOMPLETE; } - /*fill in the missing parameters */ - rv = sftk_fillRSAPrivateKey(object); - if (rv != SECSuccess) { + fillPrivateKey = PR_TRUE; + } + /*verify the parameters for consistency*/ + rv = sftk_verifyRSAPrivateKey(object, fillPrivateKey); + if (rv != SECSuccess) { return CKR_TEMPLATE_INCOMPLETE; - } } - + /* make sure Netscape DB attribute is set correctly */ crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS); if (crv != CKR_OK) return crv; @@ -1091,7 +1095,7 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE recover = CK_FALSE; wrap = CK_FALSE; break; -#ifdef NSS_ENABLE_ECC +#ifndef NSS_DISABLE_ECC case CKK_EC: if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) { return CKR_TEMPLATE_INCOMPLETE; @@ -1104,11 +1108,11 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE recover = CK_FALSE; wrap = CK_FALSE; break; -#endif /* NSS_ENABLE_ECC */ +#endif /* NSS_DISABLE_ECC */ case CKK_NSS_JPAKE_ROUND1: - if (!sftk_hasAttribute(object, CKA_PRIME || + if (!sftk_hasAttribute(object, CKA_PRIME) || !sftk_hasAttribute(object, CKA_SUBPRIME) || - !sftk_hasAttribute(object, CKA_BASE))) { + !sftk_hasAttribute(object, CKA_BASE)) { return CKR_TEMPLATE_INCOMPLETE; } /* fall through */ @@ -1152,7 +1156,6 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE if (sftk_isTrue(object,CKA_TOKEN)) { SFTKSlot *slot = session->slot; SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); - CK_RV crv; if (keyHandle == NULL) { return CKR_TOKEN_WRITE_PROTECTED; @@ -1711,7 +1714,7 @@ NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,CK_KEY_TYPE key_type, crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.publicValue, object,CKA_VALUE); break; -#ifdef NSS_ENABLE_ECC +#ifndef NSS_DISABLE_ECC case CKK_EC: pubKey->keyType = NSSLOWKEYECKey; crv = sftk_Attribute2SSecItem(arena, @@ -1771,7 +1774,7 @@ NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,CK_KEY_TYPE key_type, crv = CKR_ATTRIBUTE_VALUE_INVALID; } break; -#endif /* NSS_ENABLE_ECC */ +#endif /* NSS_DISABLE_ECC */ default: crv = CKR_KEY_TYPE_INCONSISTENT; break; @@ -1880,7 +1883,7 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp) * if we don't set it explicitly */ break; -#ifdef NSS_ENABLE_ECC +#ifndef NSS_DISABLE_ECC case CKK_EC: privKey->keyType = NSSLOWKEYECKey; crv = sftk_Attribute2SSecItem(arena, @@ -1922,7 +1925,7 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp) #endif } break; -#endif /* NSS_ENABLE_ECC */ +#endif /* NSS_DISABLE_ECC */ default: crv = CKR_KEY_TYPE_INCONSISTENT; @@ -1943,10 +1946,11 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp) } /* - * we have a partial rsa private key, fill in the rest + * If a partial RSA private key is present, fill in the rest if necessary, + * and then verify the parameters are well-formed */ static SECStatus -sftk_fillRSAPrivateKey(SFTKObject *object) +sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded) { RSAPrivateKey tmpKey = { 0 }; SFTKAttribute *modulus = NULL; @@ -1954,6 +1958,9 @@ sftk_fillRSAPrivateKey(SFTKObject *object) SFTKAttribute *prime2 = NULL; SFTKAttribute *privateExponent = NULL; SFTKAttribute *publicExponent = NULL; + SFTKAttribute *exponent1 = NULL; + SFTKAttribute *exponent2 = NULL; + SFTKAttribute *coefficient = NULL; SECStatus rv; CK_RV crv; @@ -1984,44 +1991,82 @@ sftk_fillRSAPrivateKey(SFTKObject *object) if (publicExponent) { tmpKey.publicExponent.data = publicExponent->attrib.pValue; tmpKey.publicExponent.len = publicExponent->attrib.ulValueLen; - } + } + exponent1 = sftk_FindAttribute(object, CKA_EXPONENT_1); + if (exponent1) { + tmpKey.exponent1.data = exponent1->attrib.pValue; + tmpKey.exponent1.len = exponent1->attrib.ulValueLen; + } + exponent2 = sftk_FindAttribute(object, CKA_EXPONENT_2); + if (exponent2) { + tmpKey.exponent2.data = exponent2->attrib.pValue; + tmpKey.exponent2.len = exponent2->attrib.ulValueLen; + } + coefficient = sftk_FindAttribute(object, CKA_COEFFICIENT); + if (coefficient) { + tmpKey.coefficient.data = coefficient->attrib.pValue; + tmpKey.coefficient.len = coefficient->attrib.ulValueLen; + } - /* - * populate requires one exponent plus 2 other components to work. - * we expected our caller to check that first. If that didn't happen, - * populate will simply return an error here. - */ - rv = RSA_PopulatePrivateKey(&tmpKey); + if (fillIfNeeded) { + /* + * populate requires one exponent plus 2 other components to work. + * we expected our caller to check that first. If that didn't happen, + * populate will simply return an error here. + */ + rv = RSA_PopulatePrivateKey(&tmpKey); + if (rv != SECSuccess) { + goto loser; + } + } + rv = RSA_PrivateKeyCheck(&tmpKey); if (rv != SECSuccess) { goto loser; } - /* now that we have a fully populated key, set all our attribute values */ rv = SECFailure; - crv = sftk_forceAttribute(object,CKA_MODULUS, - sftk_item_expand(&tmpKey.modulus)); - if (crv != CKR_OK) goto loser; - crv = sftk_forceAttribute(object,CKA_PUBLIC_EXPONENT, - sftk_item_expand(&tmpKey.publicExponent)); - if (crv != CKR_OK) goto loser; - crv = sftk_forceAttribute(object,CKA_PRIVATE_EXPONENT, - sftk_item_expand(&tmpKey.privateExponent)); - if (crv != CKR_OK) goto loser; - crv = sftk_forceAttribute(object,CKA_PRIME_1, - sftk_item_expand(&tmpKey.prime1)); - if (crv != CKR_OK) goto loser; - crv = sftk_forceAttribute(object,CKA_PRIME_2, - sftk_item_expand(&tmpKey.prime2)); - if (crv != CKR_OK) goto loser; - crv = sftk_forceAttribute(object,CKA_EXPONENT_1, - sftk_item_expand(&tmpKey.exponent1)); - if (crv != CKR_OK) goto loser; - crv = sftk_forceAttribute(object,CKA_EXPONENT_2, - sftk_item_expand(&tmpKey.exponent2)); - if (crv != CKR_OK) goto loser; - crv = sftk_forceAttribute(object,CKA_COEFFICIENT, - sftk_item_expand(&tmpKey.coefficient)); - if (crv != CKR_OK) goto loser; + if (!modulus || modulus->attrib.pValue != tmpKey.modulus.data) { + crv = sftk_forceAttribute(object,CKA_MODULUS, + sftk_item_expand(&tmpKey.modulus)); + if (crv != CKR_OK) goto loser; + } + if (!publicExponent || + publicExponent->attrib.pValue != tmpKey.publicExponent.data) { + crv = sftk_forceAttribute(object, CKA_PUBLIC_EXPONENT, + sftk_item_expand(&tmpKey.publicExponent)); + if (crv != CKR_OK) goto loser; + } + if (!privateExponent || + privateExponent->attrib.pValue != tmpKey.privateExponent.data) { + crv = sftk_forceAttribute(object, CKA_PRIVATE_EXPONENT, + sftk_item_expand(&tmpKey.privateExponent)); + if (crv != CKR_OK) goto loser; + } + if (!prime1 || prime1->attrib.pValue != tmpKey.prime1.data) { + crv = sftk_forceAttribute(object, CKA_PRIME_1, + sftk_item_expand(&tmpKey.prime1)); + if (crv != CKR_OK) goto loser; + } + if (!prime2 || prime2->attrib.pValue != tmpKey.prime2.data) { + crv = sftk_forceAttribute(object, CKA_PRIME_2, + sftk_item_expand(&tmpKey.prime2)); + if (crv != CKR_OK) goto loser; + } + if (!exponent1 || exponent1->attrib.pValue != tmpKey.exponent1.data) { + crv = sftk_forceAttribute(object, CKA_EXPONENT_1, + sftk_item_expand(&tmpKey.exponent1)); + if (crv != CKR_OK) goto loser; + } + if (!exponent2 || exponent2->attrib.pValue != tmpKey.exponent2.data) { + crv = sftk_forceAttribute(object, CKA_EXPONENT_2, + sftk_item_expand(&tmpKey.exponent2)); + if (crv != CKR_OK) goto loser; + } + if (!coefficient || coefficient->attrib.pValue != tmpKey.coefficient.data) { + crv = sftk_forceAttribute(object, CKA_COEFFICIENT, + sftk_item_expand(&tmpKey.coefficient)); + if (crv != CKR_OK) goto loser; + } rv = SECSuccess; /* we're done (one way or the other), clean up all our stuff */ @@ -2044,15 +2089,18 @@ loser: if (publicExponent) { sftk_FreeAttribute(publicExponent); } + if (exponent1) { + sftk_FreeAttribute(exponent1); + } + if (exponent2) { + sftk_FreeAttribute(exponent2); + } + if (coefficient) { + sftk_FreeAttribute(coefficient); + } return rv; } - - - - - - /* Generate a low private key structure from an object */ NSSLOWKEYPrivateKey * sftk_GetPrivKey(SFTKObject *object,CK_KEY_TYPE key_type, CK_RV *crvp) @@ -3131,9 +3179,6 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) if (slot == NULL) return CKR_SLOT_ID_INVALID; - pInfo->firmwareVersion.major = 0; - pInfo->firmwareVersion.minor = 0; - PORT_Memcpy(pInfo->manufacturerID,manufacturerID, sizeof(pInfo->manufacturerID)); PORT_Memcpy(pInfo->slotDescription,slot->slotDescription, @@ -3160,6 +3205,8 @@ CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */ pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR; pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR; + pInfo->firmwareVersion.major = SOFTOKEN_VPATCH; + pInfo->firmwareVersion.minor = SOFTOKEN_VBUILD; return CKR_OK; } |