author | nicolson%netscape.com <devnull@localhost> | 2001-06-12 20:57:20 +0000 |
---|---|---|
committer | nicolson%netscape.com <devnull@localhost> | 2001-06-12 20:57:20 +0000 |
commit | df4ed6a694c7a10a0a07d38d3ce6ed51b4a08b6c (patch) | |
tree | 72d12614963c992350a7c44e7f8fa4b166e7d93c | |
parent | 7aa9d098c83a1fe90b888b6f598dc8e44b1a588a (diff) | |
download | nss-hg-df4ed6a694c7a10a0a07d38d3ce6ed51b4a08b6c.tar.gz |
Changes for NSS/JSS integration.
-rw-r--r-- | security/nss/lib/certdb/pcertdb.c | 4 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.def | 12 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.h | 7 | ||||
-rw-r--r-- | security/nss/lib/nss/nssinit.c | 10 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11cert.c | 63 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11func.h | 9 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11skey.c | 75 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/secmodt.h | 3 | ||||
-rw-r--r-- | security/nss/lib/smime/smime.def | 3 |
9 files changed, 169 insertions, 17 deletions
diff --git a/security/nss/lib/certdb/pcertdb.c b/security/nss/lib/certdb/pcertdb.c
index f4f6d3483..8dcedb410 100644
--- a/security/nss/lib/certdb/pcertdb.c
+++ b/security/nss/lib/certdb/pcertdb.c
@@ -7196,10 +7196,6 @@ CERT_SaveImportedCert(CERTCertificate *cert, SECCertUsage usage,
 break;
 }
- if ( (trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) == 0 ){
- saveit = PR_FALSE;
- }
-
 if ( saveit ) {
 if ( cert->isperm ) {
 /* Cert already in the DB. Just adjust flags */
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 631391ca2..6ecbc3db9 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -95,6 +95,7 @@ DER_GeneralizedTimeToTime;
 NSS_Init;
 NSS_Initialize;
 NSS_InitReadWrite;
+NSS_IsInitialized;
 NSS_NoDB_Init;
 NSS_Shutdown;
 NSS_VersionCheck;
@@ -113,6 +114,7 @@ PK11_DigestOp;
 PK11_DigestFinal;
 PK11_DoesMechanism;
 PK11_FindCertFromNickname;
+PK11_FindCertsFromNickname;
 PK11_FindCertFromDERCert;
 PK11_FindCertByIssuerAndSN;
 PK11_FindKeyByAnyCert;
@@ -307,6 +309,7 @@ PK11_GetKeyStrength;
 PK11_ImportCertForKeyToSlot;
 PK11_ImportEncryptedPrivateKeyInfo;
 PK11_ImportPrivateKeyInfo;
+PK11_ImportDERPrivateKeyInfo;
 PK11_MapPBEMechanismToCryptoMechanism;
 PK11_PBEKeyGen;
 PK11_ParamFromAlgid;
@@ -477,6 +480,10 @@ PBE_CreateContext;
 PBE_DestroyContext;
 PBE_GenerateBits;
 PK11_CheckSSOPassword;
+PK11_CopySymKeyForSigning;
+PK11_DeleteTokenCertAndKey;
+PK11_DEREncodePublicKey;
+PK11_FindKeyByKeyID;
 PK11_GetIVLength;
 PK11_GetKeyData;
 PK11_GetKeyType;
@@ -486,6 +493,7 @@ PK11_ImportCertForKey;
 PK11_ImportDERCertForKey;
 PK11_IsLoggedIn;
 PK11_KeyForDERCertExists;
+PK11_KeyForCertExists;
 PK11_Logout;
 PK11_NeedPWInit;
 PK11_MakeIDFromPubKey;
@@ -510,6 +518,9 @@ PK11_ReferenceSlot;
 PK11_GetSlotPWValues;
 PK11_ImportSymKey;
 PK11_ExtractKeyValue;
+PK11_TraversePrivateKeysInSlot;
+PK11_TraverseCertsInSlot;
+SEC_CertNicknameConflict;
 SECMOD_DeleteInternalModule;
 SECMOD_DestroyModule;
 SECMOD_GetDefaultModuleList;
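Review bot: With the zero-trust-flags check gone, `saveit` is decided solely by the `switch` above it, so a certificate whose SSL, email and object-signing trust flags are all clear is now written to the permanent DB carrying no trust, and nothing in the hunk records why that is wanted. Because the persisted trust state of an imported cert now depends entirely on the caller, a comment at the site of the removed check such as `/* certs with no trust bits are persisted too; callers that need a trust check do it before importing */` would keep the next reader from restoring the old guard. CERT_SaveImportedCert begins and ends outside this hunk, so whether any remaining branch still consults the trust flags cannot be seen here.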
@@ -521,6 +532,7 @@ SECMOD_ReleaseReadLock;
 SECKEY_GetPrivateKeyType;
 SECKEY_EncodeDERSubjectPublicKeyInfo;
 SECKEY_ExtractPublicKey;
+SECKEY_HashPassword;
 SEC_PKCS5GetIV;
 VFY_EndWithSignature;
 ;+ local:
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index 51d4ae895..14c68974c 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -131,6 +131,13 @@ SECStatus NSS_NoDB_Init(const char *configdir);
 */
 extern void NSS_Shutdown(void);
+/*
+ * Returns PR_TRUE if NSS has already been successfully initialized,
+ * PR_FALSE otherwise.
+ */
+PRBool NSS_IsInitialized();
+
+
 SEC_END_PROTOS
 #endif /* __nss_h_ */
diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c
index 2a51d7463..2cd4988a0 100644
--- a/security/nss/lib/nss/nssinit.c
+++ b/security/nss/lib/nss/nssinit.c
@@ -180,6 +180,8 @@ nss_OpenSecModDB(const char * configdir,const char *dbname)
 static CERTCertDBHandle certhandle = { 0 };
+static PRBool isInitialized = PR_FALSE;
+
 static SECStatus
 nss_OpenVolatileCertDB() {
 SECStatus rv = SECSuccess;
@@ -280,7 +282,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
 }
 }
 rv = SECSuccess;
-
+ isInitialized = PR_TRUE;
 loser:
 if (rv != SECSuccess)
@@ -302,6 +304,12 @@ NSS_InitReadWrite(const char *configdir)
 PR_FALSE, PR_FALSE, PR_FALSE);
 }
+PRBool
+NSS_IsInitialized()
+{
+ return isInitialized;
+}
+
 /*
 * OK there are now lots of options here, lets go through them all:
 *
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index e6774cac9..5aa8ed37e 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -842,7 +842,7 @@ typedef struct pk11TraverseSlotStr {
 void *callbackArg;
 CK_ATTRIBUTE *findTemplate;
 int templateCount;
-} pk11TraverseSlotCert;
+} pk11TraverseSlot;
 /*
 * Extract all the certs on a card from a slot.
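Review bot: `PRBool NSS_IsInitialized();` declares a function with an unspecified parameter list, so a call passing arbitrary arguments compiles silently, and the prototype is weaker than `extern void NSS_Shutdown(void);` on the line above it. Declare it `PRBool NSS_IsInitialized(void);` and change the definition in nssinit.c (hunk @@ -302) to `NSS_IsInitialized(void)` so the two agree. The two blank `+` lines after the prototype leave three consecutive empty lines before `SEC_END_PROTOS`; one is enough.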
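Review bot: `isInitialized` is set to PR_TRUE on nss_Init's success path (hunk @@ -280) but nothing in this diff ever clears it, and NSS_Shutdown's body is outside the hunks; if shutdown does not reset it, NSS_IsInitialized keeps reporting PR_TRUE after NSS_Shutdown, so a caller cannot use it to decide whether a re-initialization is needed. Either add `isInitialized = PR_FALSE;` to NSS_Shutdown or say in the nss.h comment that the flag is a latch that shutdown does not clear. The flag is also a plain static PRBool read and written with no synchronization (hunk @@ -180); that is only sound if initialization is already confined to one thread, which is worth stating in a comment above the declaration, e.g. `/* set once by nss_Init; not protected by a lock */`.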
@@ -854,7 +854,7 @@ PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
 CK_OBJECT_HANDLE *objID = NULL;
 int object_count = 0;
 CK_ULONG returned_count = 0;
- pk11TraverseSlotCert *slotcb = (pk11TraverseSlotCert *) arg;
+ pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
 objID = pk11_FindObjectsByTemplate(slot,slotcb->findTemplate, slotcb->templateCount,&object_count);
@@ -982,7 +982,7 @@ pk11_UpdateSlotPQG(PK11SlotInfo *slot)
 static SECStatus
 pk11_ExtractCertsFromSlot(PK11SlotInfo *slot, void *arg)
 {
- pk11TraverseSlotCert *slotcb = (pk11TraverseSlotCert *) arg;
+ pk11TraverseSlot *slotcb = (pk11TraverseSlot*) arg;
 int object_count;
 SECStatus rv;
@@ -1023,7 +1023,7 @@ PK11_ReadSlotCerts(PK11SlotInfo *slot)
 /* build slot list */
 pk11CertCallback caller;
 pk11DoCertCallback saver;
- pk11TraverseSlotCert creater;
+ pk11TraverseSlot creater;
 CK_ATTRIBUTE theTemplate;
 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
@@ -1083,7 +1083,7 @@ PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
 void *arg, void *wincx) {
 pk11CertCallback caller;
 pk11DoCertCallback saver;
- pk11TraverseSlotCert creater;
+ pk11TraverseSlot creater;
 CK_ATTRIBUTE theTemplate;
 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
@@ -1103,6 +1103,48 @@ PK11_TraverseSlotCerts(SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
 &creater, wincx);
 }
+/***********************************************************************
+ * PK11_TraversePrivateKeysInSlot
+ *
+ * Traverses all the private keys on a slot.
+ *
+ * INPUTS
+ * slot
+ * The PKCS #11 slot whose private keys you want to traverse.
+ * callback
+ * A callback function that will be called for each key.
+ * arg
+ * An argument that will be passed to the callback function.
+ */
+SECStatus
+PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+ SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg)
+{
+ pk11KeyCallback perKeyCB;
+ pk11TraverseSlot perObjectCB;
+ CK_OBJECT_CLASS privkClass = CKO_PRIVATE_KEY;
+ CK_ATTRIBUTE theTemplate[1];
+ int templateSize = 1;
+
+ theTemplate[0].type = CKA_CLASS;
+ theTemplate[0].pValue = &privkClass;
+ theTemplate[0].ulValueLen = sizeof(privkClass);
+
+ if(slot==NULL) {
+ return SECSuccess;
+ }
+
+ perObjectCB.callback = pk11_DoKeys;
+ perObjectCB.callbackArg = &perKeyCB;
+ perObjectCB.findTemplate = theTemplate;
+ perObjectCB.templateCount = templateSize;
+ perKeyCB.callback = callback;
+ perKeyCB.callbackArg = arg;
+ perKeyCB.wincx = NULL;
+
+ return PK11_TraverseSlot(slot, &perObjectCB);
+}
+
 CK_OBJECT_HANDLE *
 PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr,
 CK_OBJECT_CLASS objclass, int *returnCount, void *wincx) {
@@ -2117,7 +2159,7 @@ PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, PK11SlotInfo *slot,
 SECStatus(* callback)(CERTCertificate*, void *), void *arg)
 {
 pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
+ pk11TraverseSlot callarg;
 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
 CK_ATTRIBUTE theTemplate[] = {
 { CKA_CLASS, NULL, 0 },
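Review bot: `perKeyCB.wincx = NULL;` gives pk11_DoKeys no window context to pass to a password callback, so on a token that requires authentication the traversal presumably yields no keys or fails instead of prompting; PK11_TraverseSlotCerts just above takes a `wincx` argument, so either add one here or state in the header comment that the slot must already be logged in. The `slot == NULL` early return yields SECSuccess without ever invoking the callback, which the INPUTS section does not mention; add a RETURNS section, e.g. `* RETURNS` / `*   SECSuccess if slot is NULL or the traversal completes; otherwise the status returned by PK11_TraverseSlot.` As a style point, the NULL guard belongs above the three `theTemplate[0]` assignments rather than between them and the callback setup.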
@@ -2148,7 +2190,7 @@ PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, PK11SlotInfo *slot,
 SECStatus(* callback)(CERTCertificate*, void *), void *arg)
 {
 pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
+ pk11TraverseSlot callarg;
 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
 CK_ATTRIBUTE theTemplate[] = {
 { CKA_CLASS, NULL, 0 },
@@ -2184,7 +2226,7 @@ PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
 SECStatus(* callback)(CERTCertificate*, void *), void *arg)
 {
 pk11DoCertCallback caller;
- pk11TraverseSlotCert callarg;
+ pk11TraverseSlot callarg;
 CK_OBJECT_CLASS certClass = CKO_CERTIFICATE;
 CK_ATTRIBUTE theTemplate[] = {
 { CKA_CLASS, NULL, 0 },
@@ -2649,6 +2691,11 @@ pk11ListCertCallback(CERTCertificate *cert, SECItem *derCert, void *arg)
 return SECSuccess;
 }
+ /* if we want CA certs and it ain't one, skip it */
+ if( type == PK11CertListCA && (!isCACert(newCert)) ) {
+ CERT_DestroyCertificate(newCert);
+ return SECSuccess;
+ }
 /* put slot certs at the end */
 if (newCert->slot && !PK11_IsInternal(newCert->slot)) {
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
index 289db9207..e67246252 100644
--- a/security/nss/lib/pk11wrap/pk11func.h
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -301,6 +301,10 @@ SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
 SECKEYPrivateKeyInfo *pki, SECItem *nickname,
 SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
 unsigned int usage, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
+ SECItem *derPKI, SECItem *nickname,
+ SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+ unsigned int usage, void *wincx);
 SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
 SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
 SECItem *nickname, SECItem *publicValue, PRBool isPerm,
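Review bot: The new prototype in pk11func.h (hunk @@ -301) names the seventh parameter `usage` while the definition in pk11skey.c (hunk @@ -4244) names it `keyUsage`; that is legal C but misleads anyone reading the header, so align them, e.g. `unsigned int keyUsage, void *wincx);` here. PK11_ImportDERPrivateKeyInfo is a new public entry point, so a short comment above the declaration saying that `derPKI` is a DER-encoded PrivateKeyInfo (the definition decodes it with SECKEY_PrivateKeyInfoTemplate) and that the remaining parameters are passed straight through to PK11_ImportPrivateKeyInfo would spare callers a trip into the .c file.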
@@ -329,6 +333,9 @@ PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
 CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
 SECItem *PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx);
 SECItem * PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx);
+SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
+PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
+ CK_MECHANISM_TYPE mech);
 /**********************************************************************
 * Certs
@@ -338,6 +345,8 @@ CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
 SECStatus PK11_TraverseSlotCerts(
 SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
 void *arg, void *wincx);
+SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+ SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
 CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
 CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
 SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index 6c54beeb7..618dce8dd 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
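Review bot: `SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);` hands the caller a freshly allocated item but nothing says who frees it; the definition in pk11skey.c (hunk @@ -4900) encodes with a NULL arena and NULL dest, so the caller presumably owns the result and must release it with SECITEM_FreeItem. A comment on the declaration such as `/* DER-encodes pubk as a SubjectPublicKeyInfo. Returns NULL on failure; the caller frees the result with SECITEM_FreeItem(item, PR_TRUE). */` would settle that. PK11_CopySymKeyForSigning likewise deserves one line stating whether the returned PK11SymKey is a new reference the caller must drop with PK11_FreeSymKey and that it is NULL on failure — that depends on pk11_CopyToSlot, whose behavior is not visible in this diff.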
@@ -4244,6 +4244,37 @@ done:
 return rv;
 }
+SECStatus
+PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI,
+ SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+ PRBool isPrivate, unsigned int keyUsage, void *wincx)
+{
+ SECKEYPrivateKeyInfo *pki = NULL;
+ PRArenaPool *temparena = NULL;
+ SECStatus rv = SECFailure;
+
+ temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ pki = PORT_ZNew(SECKEYPrivateKeyInfo);
+
+ rv = SEC_ASN1DecodeItem(temparena, pki, SECKEY_PrivateKeyInfoTemplate,
+ derPKI);
+ if( rv != SECSuccess ) {
+ goto finish;
+ }
+
+ rv = PK11_ImportPrivateKeyInfo(slot, pki, nickname, publicValue,
+ isPerm, isPrivate, keyUsage, wincx);
+
+finish:
+ if( pki != NULL ) {
+ SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE /*freeit*/);
+ }
+ if( temparena != NULL ) {
+ PORT_FreeArena(temparena, PR_TRUE);
+ }
+ return rv;
+}
+
 /*
 * import a private key info into the desired slot
 */
@@ -4293,9 +4324,6 @@ PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki,
 keyType = CKK_RSA;
 break;
 case SEC_OID_ANSIX9_DSA_SIGNATURE:
- if(!publicValue) {
- goto loser;
- }
 keyTemplate = SECKEY_DSAPrivateKeyExportTemplate;
 paramTemplate = SECKEY_PQGParamsTemplate;
 paramDest = &(lpk->u.dsa.params);
@@ -4395,6 +4423,17 @@ PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, SECKEYPrivateKeyInfo *pki,
 * our database, we need to pass in the public key value for
 * this dsa key. We have a netscape only CKA_ value to do this.
 * Only send it to internal slots */
+ if( publicValue == NULL ) {
+ /*
+ * Try to extract the public value out of the private key.
+ * This might not work, since the public value is not
+ * required to be in the private key.
+ */
+ publicValue = &lpk->u.dsa.publicValue;
+ if( publicValue->data == NULL || publicValue->len == 0) {
+ goto loser;
+ }
+ }
 if (PK11_IsInternal(slot)) {
 PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, publicValue->data,
 publicValue->len); attrs++;
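Review bot: `pki` is allocated on the heap with `PORT_ZNew` while its contents are decoded into `temparena`, and `finish:` then calls `SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE)` followed by `PORT_FreeArena(temparena, PR_TRUE)`; if SECKEY_DestroyPrivateKeyInfo frees the version, algorithm and privateKey items individually when `pki->arena` is NULL (which it is — the struct is zeroed and never given an arena), those arena-backed buffers are released twice, once through the wrong allocator and once with the arena. Neither `PORT_NewArena` nor `PORT_ZNew` is checked, so an allocation failure hands a NULL `pki` to SEC_ASN1DecodeItem, and `derPKI` is not checked either. Allocating pki inside temparena and letting the single zeroing PORT_FreeArena release everything removes the split ownership; the PR_TRUE argument already wipes the decoded private-key material on every path.
```c
    SECKEYPrivateKeyInfo *pki = NULL;
    PRArenaPool *temparena = NULL;
    SECStatus rv = SECFailure;

    if( derPKI == NULL ) {
        return SECFailure;
    }
    temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if( temparena == NULL ) {
        return SECFailure;
    }
    /* pki lives in the same arena as its decoded contents, so one
     * zeroing PORT_FreeArena releases and wipes all of it */
    pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo);
    if( pki == NULL ) {
        goto finish;
    }

    rv = SEC_ASN1DecodeItem(temparena, pki, SECKEY_PrivateKeyInfoTemplate,
                            derPKI);
    if( rv != SECSuccess ) {
        goto finish;
    }

    /* … unchanged: PK11_ImportPrivateKeyInfo call … */

finish:
    PORT_FreeArena(temparena, PR_TRUE); /* PR_TRUE zeroes the key material */
    return rv;
}
```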
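Review bot: The new fallback in hunk @@ -4395 jumps to `loser` when `lpk->u.dsa.publicValue` is empty without setting an error code, so unless `loser:` (outside this hunk) sets one, a caller importing a DSA key with no public value gets SECFailure with whatever error was last recorded; add `PORT_SetError(SEC_ERROR_BAD_KEY);` before that `goto loser;`. With the early `if(!publicValue) goto loser;` removed in hunk @@ -4293, this later check is now the only place a missing DSA public value is rejected, and by this point the key has already been decoded into `lpk`; a one-line comment at the new check, `/* the DSA public value used to be required up front; it is now recovered from the key when the caller omits it */`, would explain why the two hunks belong together. PK11_ImportPrivateKeyInfo begins and ends outside both hunks.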
@@ -4900,3 +4939,33 @@ PK11_SetFortezzaHack(PK11SymKey *symKey) {
 symKey->origin = PK11_OriginFortezzaHack;
 }
+SECItem*
+PK11_DEREncodePublicKey(SECKEYPublicKey *pubk)
+{
+ CERTSubjectPublicKeyInfo *spki=NULL;
+ SECItem *spkiDER = NULL;
+
+ if( pubk == NULL ) {
+ return NULL;
+ }
+
+ /* get the subjectpublickeyinfo */
+ spki = SECKEY_CreateSubjectPublicKeyInfo(pubk);
+ if( spki == NULL ) {
+ goto finish;
+ }
+
+ /* DER-encode the subjectpublickeyinfo */
+ spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki,
+ CERT_SubjectPublicKeyInfoTemplate);
+
+finish:
+ return spkiDER;
+}
+
+PK11SymKey*
+PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech)
+{
+ return pk11_CopyToSlot(PK11_GetSlotFromKey(originalKey), mech, CKA_SIGN,
+ originalKey);
+}
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
index b2d401e24..1996001e8 100644
--- a/security/nss/lib/pk11wrap/secmodt.h
+++ b/security/nss/lib/pk11wrap/secmodt.h
@@ -99,7 +99,8 @@ struct PK11RSAGenParamsStr {
 typedef enum {
 PK11CertListUnique = 0,
 PK11CertListUser = 1,
- PK11CertListRootUnique = 2
+ PK11CertListRootUnique = 2,
+ PK11CertListCA = 3
 } PK11CertListType;
 /*
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
index 31bf8d4ae..ddcdc87a2 100644
--- a/security/nss/lib/smime/smime.def
+++ b/security/nss/lib/smime/smime.def
@@ -128,9 +128,11 @@ NSS_CMSSignerInfo_IncludeCerts;
 NSS_CMSUtil_VerificationStatusToString;
 NSS_SMIMEUtil_FindBulkAlgForRecipients;
 CERT_DecodeCertPackage;
+SEC_PKCS7AddCertificate;
 SEC_PKCS7AddRecipient;
 SEC_PKCS7AddSigningTime;
 SEC_PKCS7ContentType;
+SEC_PKCS7CreateCertsOnly;
 SEC_PKCS7CreateData;
 SEC_PKCS7CreateEncryptedData;
 SEC_PKCS7CreateEnvelopedData;
@@ -141,6 +143,7 @@ SEC_PKCS7DecoderStart;
 SEC_PKCS7DecoderUpdate;
 SEC_PKCS7DecryptContents;
 SEC_PKCS7DestroyContentInfo;
+SEC_PKCS7Encode;
 SEC_PKCS7EncoderFinish;
 SEC_PKCS7EncoderStart;
 SEC_PKCS7EncoderUpdate; |
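Review bot: `spki` returned by SECKEY_CreateSubjectPublicKeyInfo is never released, so every successful call to PK11_DEREncodePublicKey leaks a CERTSubjectPublicKeyInfo together with whatever it allocated; add `SECKEY_DestroySubjectPublicKeyInfo(spki);` right after the SEC_ASN1EncodeItem call, since spki is only needed as the encoder's source. Once that is in place the `goto finish` for the NULL case is just a `return NULL;` and the label can go. PK11_CopySymKeyForSigning passes `originalKey` to PK11_GetSlotFromKey with no NULL check; if that accessor dereferences its argument, a NULL key crashes here instead of returning NULL the way the function above it does, so either guard it or document that originalKey must be non-NULL.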