author | ian.mcgreer%sun.com <devnull@localhost> | 2002-01-29 17:30:22 +0000 |
---|---|---|
committer | ian.mcgreer%sun.com <devnull@localhost> | 2002-01-29 17:30:22 +0000 |
commit | 4245a9b3e922dce039074bdaa1a82025104412ea (patch) | |
tree | c973c1e39e04da20b4d2d9d91974e51b32e92cc3 | |
parent | 930a24b641c2b02553272bbe1fe787e154064961 (diff) | |
download | nss-hg-4245a9b3e922dce039074bdaa1a82025104412ea.tar.gz |
changes related to bug 115660
* fipstoken will only force authentication for object-related functions when the object is a private or secret key
* certutil does not authenticate to token when in FIPS and only doing cert-related operations
* QA does not provide password to certutil when doing cert-related operations in FIPS tests
-rw-r--r-- | security/nss/cmd/certutil/certutil.c | 7 | ||||
-rw-r--r-- | security/nss/lib/softoken/fipstokn.c | 53 | ||||
-rwxr-xr-x | security/nss/tests/fips/fips.sh | 20 |
3 files changed, 61 insertions, 19 deletions
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index dc3c15721..31a755eec 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -642,8 +642,7 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, } else { #endif /* List certs on a non-internal slot. */ - if ( PK11_IsFIPS() || - (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) ) + if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) PK11_Authenticate(slot, PR_TRUE, pwarg); if (name) { CERTCertificate *the_cert; @@ -937,6 +936,7 @@ printKeyCB(SECKEYPublicKey *key, SECItem *data, void *arg) struct secuCBData { FILE *file; int keycount; + void *wincx; }; /* callback for listing certs through pkcs11 */ @@ -949,7 +949,7 @@ secu_PrintKeyFromCert(CERTCertificate *cert, void *data) cbdata = (struct secuCBData *)data; out = cbdata->file; - key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL); + key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, cbdata->wincx); if (!key) { fprintf(out, "XXX could not extract key for %s.\n", cert->nickname); return SECFailure; @@ -970,6 +970,7 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg) cbdata.keycount = 0; cbdata.file = stdout; + cbdata.wincx = pwarg; #ifdef notdef if (PK11_IsInternal(slot)) { diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c index 20e6ba9fa..e3abfaf88 100644 --- a/security/nss/lib/softoken/fipstokn.c +++ b/security/nss/lib/softoken/fipstokn.c 
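Review bot: In listCerts (certutil.c, hunk at -642) the return value of `PK11_Authenticate(slot, PR_TRUE, pwarg);` is discarded, so a failed login on a slot that needs one falls through to the `if (name)` lookup as if it had succeeded. With the `PK11_IsFIPS()` clause removed, this condition is the only authentication decision visible on this path, so the result should be checked or at least reported, for example `if (PK11_Authenticate(slot, PR_TRUE, pwarg) != SECSuccess) return SECFailure;` under the existing condition, with braces. That assumes listCerts returns SECStatus; its signature and the rest of its body are outside the hunk.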
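Review bot: In secu_PrintKeyFromCert (certutil.c, hunk at -949) the slot returned by `PK11_GetInternalKeySlot()` is passed inline to PK11_FindPrivateKeyFromCert and never released, and since that call hands back a referenced slot, every certificate visited by the callback leaks one reference. Hold it in a local and free it after the lookup: `PK11SlotInfo *keySlot = PK11_GetInternalKeySlot();`, `key = PK11_FindPrivateKeyFromCert(keySlot, cert, cbdata->wincx);`, `PK11_FreeSlot(keySlot);`. The lookup also always uses the internal key slot rather than the slot listKeys was called with, which may be deliberate but deserves a comment. The function continues past the end of the hunk.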
@@ -134,6 +134,24 @@ static CK_FUNCTION_LIST pk11_fipsTable = { #undef __PASTE +static CK_RV +fips_login_if_key_object(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) +{ + CK_RV rv; + CK_OBJECT_CLASS objClass; + CK_ATTRIBUTE class; + class.type = CKA_CLASS; + class.pValue = &objClass; + class.ulValueLen = sizeof(objClass); + rv = NSC_GetAttributeValue(hSession, hObject, &class, 1); + if (rv == CKR_OK) { + if ((objClass == CKO_PRIVATE_KEY) || (objClass == CKO_SECRET_KEY)) { + rv = pk11_fipsCheck(); + } + } + return rv; +} + /********************************************************************** * @@ -352,7 +370,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { CK_RV FC_CopyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount, CK_OBJECT_HANDLE_PTR phNewObject) { - PK11_FIPSCHECK(); + CK_RV rv; + PK11_FIPSFATALCHECK(); + rv = fips_login_if_key_object(hSession, hObject); + if (rv != CKR_OK) { + return rv; + } return NSC_CopyObject(hSession,hObject,pTemplate,usCount,phNewObject); } @@ -360,7 +383,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /* FC_DestroyObject destroys an object. */ CK_RV FC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) { - PK11_FIPSCHECK(); + CK_RV rv; + PK11_FIPSFATALCHECK(); + rv = fips_login_if_key_object(hSession, hObject); + if (rv != CKR_OK) { + return rv; + } return NSC_DestroyObject(hSession,hObject); } @@ -368,7 +396,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /* FC_GetObjectSize gets the size of an object in bytes. */ CK_RV FC_GetObjectSize(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pusSize) { - PK11_FIPSCHECK(); + CK_RV rv; + PK11_FIPSFATALCHECK(); + rv = fips_login_if_key_object(hSession, hObject); + if (rv != CKR_OK) { + return rv; + } return NSC_GetObjectSize(hSession, hObject, pusSize); } 
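Review bot: fips_login_if_key_object (fipstokn.c, hunk at -134) decides whether login is required from CKA_CLASS alone, so any object that is not CKO_PRIVATE_KEY or CKO_SECRET_KEY skips pk11_fipsCheck() here even if it is marked private. Whether the NSC_ layer enforces access for those remaining classes is not visible in this diff, so the helper should state its contract in a header comment such as `/* FIPS mode: require login (pk11_fipsCheck) only when hObject is a private or secret key; other classes reach the NSC_ call with no login check at this layer. An error from reading CKA_CLASS is returned unchanged. */`. If the intent is "anything the token treats as private", CKA_PRIVATE may be the more accurate attribute to test. As a point of style, the local named `class` is a C++ keyword and would read better as `classAttr`.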
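Review bot: FC_CopyObject (hunk at -352) now gets the same class-based relaxation as the read paths, so in FIPS mode a session that has not logged in can reach NSC_CopyObject for any non-key object; the same applies to FC_DestroyObject (hunk at -360) and FC_SetAttributeValue (hunk at -386). The commit description motivates the change with certificate listing, which presumably needs only the read-only calls. Unless unauthenticated modification or deletion of certificates and other non-key objects is intended, keep `PK11_FIPSCHECK();` in these three mutating entry points and use fips_login_if_key_object only in FC_GetAttributeValue and FC_GetObjectSize. The PK11_FIPSCHECK and PK11_FIPSFATALCHECK definitions are outside the diff, so this assumes PK11_FIPSCHECK is the variant that includes the login test.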
@@ -376,9 +409,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /* FC_GetAttributeValue obtains the value of one or more object attributes. */ CK_RV FC_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) { - /* depend on the normal soft token to protect sensitive objects and - * data */ + CK_RV rv; PK11_FIPSFATALCHECK(); + rv = fips_login_if_key_object(hSession, hObject); + if (rv != CKR_OK) { + return rv; + } return NSC_GetAttributeValue(hSession,hObject,pTemplate,usCount); } @@ -386,7 +422,12 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { /* FC_SetAttributeValue modifies the value of one or more object attributes */ CK_RV FC_SetAttributeValue (CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG usCount) { - PK11_FIPSCHECK(); + CK_RV rv; + PK11_FIPSFATALCHECK(); + rv = fips_login_if_key_object(hSession, hObject); + if (rv != CKR_OK) { + return rv; + } return NSC_SetAttributeValue(hSession,hObject,pTemplate,usCount); } diff --git a/security/nss/tests/fips/fips.sh b/security/nss/tests/fips/fips.sh index 99f8c1de1..1f8144468 100755 --- a/security/nss/tests/fips/fips.sh +++ b/security/nss/tests/fips/fips.sh @@ -91,8 +91,8 @@ fips_init() fips_140_1() { echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}" - certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1 + echo "certutil -d ${R_FIPSDIR} -L" + certutil -d ${R_FIPSDIR} -L 2>&1 html_msg $? 0 "List the FIPS module certificates (certutil -L)" echo "$SCRIPTNAME: List the FIPS module keys -------------------------" 
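Review bot: FC_GetAttributeValue (hunk at -376) loses the only comment that explained its trust boundary ("depend on the normal soft token to protect sensitive objects and data") and nothing replaces it, although the function still relies on the soft token for every non-key object. Suggest keeping an updated form above the new check, for example `/* key objects require login in FIPS mode; for all other objects we depend on the normal soft token to protect sensitive data */`. Each call now also issues NSC_GetAttributeValue twice, once for CKA_CLASS inside the helper and once for the caller's template, which is worth a word in the same comment.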
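Review bot: The updated cases in fips.sh (hunk at -91, and the hunks at -118, -134 and -151) only exercise the newly permitted path, `certutil -d ${R_FIPSDIR} -L` without `-f`, and nothing in the visible hunks asserts the other half of the change, that a key-related operation is still refused in FIPS mode when no password is supplied. Consider adding a negative case beside the "List the FIPS module keys" step that runs the key listing without `-f ${R_FIPSPWFILE}` and with stdin closed, and expects a non-zero status from `html_msg`. That reading of `html_msg $? 0 "..."`, with the second argument as the expected exit status, is inferred from its use here; its definition is outside the diff.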
@@ -118,13 +118,13 @@ fips_140_1() html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" - echo "certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt -f ${R_FIPSPWFILE}" - certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt -f ${R_FIPSPWFILE} 2>&1 + echo "certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" + certutil -d ${R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}" - certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1 + echo "certutil -d ${R_FIPSDIR} -L" + certutil -d ${R_FIPSDIR} -L 2>&1 html_msg $? 0 "List the FIPS module certificates (certutil -L)" echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" @@ -134,8 +134,8 @@ fips_140_1() echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}" - certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1 + echo "certutil -d ${R_FIPSDIR} -L" + certutil -d ${R_FIPSDIR} -L 2>&1 html_msg $? 0 "List the FIPS module certificates (certutil -L)" echo "$SCRIPTNAME: List the FIPS module keys." @@ -151,8 +151,8 @@ fips_140_1() html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" echo "$SCRIPTNAME: List the FIPS module certificates -----------------" - echo "certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE}" - certutil -d ${R_FIPSDIR} -L -f ${R_FIPSPWFILE} 2>&1 + echo "certutil -d ${R_FIPSDIR} -L" + certutil -d ${R_FIPSDIR} -L 2>&1 html_msg $? 0 "List the FIPS module certificates (certutil -L)" echo "$SCRIPTNAME: List the FIPS module keys --------------------------" |