Implement PKCS #11 2.11 DSA PQG Parameter generation.

4 files changed, 198 insertions, 6 deletions

diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 02d7bfb2e..d0bcac938 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -1405,6 +1405,108 @@ pk11_handleKeyObject(PK11Session *session, PK11Object *object)
     return CKR_ATTRIBUTE_VALUE_INVALID;
 }
 
+/*
+ * check the consistancy and Verify a DSA Parameter Object 
+ */
+static CK_RV
+pk11_handleDSAParameterObject(PK11Session *session, PK11Object *object)
+{
+    PK11Attribute *primeAttr = NULL;
+    PK11Attribute *subPrimeAttr = NULL;
+    PK11Attribute *baseAttr = NULL;
+    PK11Attribute *seedAttr = NULL;
+    PK11Attribute *hAttr = NULL;
+    PK11Attribute *attribute;
+    CK_RV crv = CKR_TEMPLATE_INCOMPLETE;
+    PQGParams params;
+    PQGVerify vfy, *verify = NULL;
+    SECStatus result,rv;
+
+    primeAttr = pk11_FindAttribute(object,CKA_PRIME);
+    if (primeAttr == NULL) goto loser;
+    params.prime.data = primeAttr->attrib.pValue;
+    params.prime.len = primeAttr->attrib.ulValueLen;
+
+    subPrimeAttr = pk11_FindAttribute(object,CKA_SUBPRIME);
+    if (subPrimeAttr == NULL) goto loser;
+    params.subPrime.data = subPrimeAttr->attrib.pValue;
+    params.subPrime.len = subPrimeAttr->attrib.ulValueLen;
+
+    baseAttr = pk11_FindAttribute(object,CKA_BASE);
+    if (baseAttr == NULL) goto loser;
+    params.base.data = baseAttr->attrib.pValue;
+    params.base.len = baseAttr->attrib.ulValueLen;
+
+    attribute = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER);
+    if (attribute != NULL) {
+	vfy.counter = *(CK_ULONG *) attribute->attrib.pValue;
+	pk11_FreeAttribute(attribute);
+
+	seedAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_SEED);
+	if (seedAttr == NULL) goto loser;
+	vfy.seed.data = seedAttr->attrib.pValue;
+	vfy.seed.len = seedAttr->attrib.ulValueLen;
+
+	hAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_H);
+	if (hAttr == NULL) goto loser;
+	vfy.h.data = hAttr->attrib.pValue;
+	vfy.h.len = hAttr->attrib.ulValueLen;
+
+	verify = &vfy;
+    }
+
+    crv = CKR_FUNCTION_FAILED;
+    rv = PQG_VerifyParams(&params,verify,&result);
+    if (rv == SECSuccess) {
+	crv = (result== SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
+    }
+
+loser:
+    if (hAttr) pk11_FreeAttribute(hAttr);
+    if (seedAttr) pk11_FreeAttribute(seedAttr);
+    if (baseAttr) pk11_FreeAttribute(baseAttr);
+    if (subPrimeAttr) pk11_FreeAttribute(subPrimeAttr);
+    if (primeAttr) pk11_FreeAttribute(primeAttr);
+
+    return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Parameter Object 
+ */
+static CK_RV
+pk11_handleKeyParameterObject(PK11Session *session, PK11Object *object)
+{
+    PK11Attribute *attribute;
+    CK_KEY_TYPE key_type;
+    CK_BBOOL cktrue = CK_TRUE;
+    CK_BBOOL ckfalse = CK_FALSE;
+    CK_RV crv;
+
+    /* verify the required fields */
+    if ( !pk11_hasAttribute(object,CKA_KEY_TYPE) ) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+
+    /* now verify the common fields */
+    crv = pk11_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL));
+    if (crv != CKR_OK)  return crv; 
+
+    /* get the key type */
+    attribute = pk11_FindAttribute(object,CKA_KEY_TYPE);
+    key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+    pk11_FreeAttribute(attribute);
+
+    switch (key_type) {
+    case CKK_DSA:
+	return pk11_handleDSAParameterObject(session,object);
+	
+    default:
+	break;
+    }
+    return CKR_KEY_TYPE_INCONSISTENT;
+}
+
 /* 
  * Handle Object does all the object consistancy checks, automatic attribute
  * generation, attribute defaulting, etc. If handleObject succeeds, the object
@@ -1480,6 +1582,9 @@ pk11_handleObject(PK11Object *object, PK11Session *session)
     case CKO_SECRET_KEY:
 	crv = pk11_handleKeyObject(session,object);
 	break;
+    case CKO_KG_PARAMETERS:
+	crv = pk11_handleKeyParameterObject(session,object);
+	break;
     default:
 	crv = CKR_ATTRIBUTE_VALUE_INVALID;
 	break;
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 91d776f14..d4dfc1b75 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -2562,6 +2562,76 @@ nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
     }
     return CKR_OK;
 }
+static CK_RV
+nsc_parameter_gen(CK_KEY_TYPE key_type, PK11Object *key)
+{
+    PK11Attribute *attribute;
+    CK_ULONG counter;
+    unsigned int seedBits = 0;
+    unsigned int primeBits;
+    CK_RV crv = CKR_OK;
+    PQGParams *params = NULL;
+    PQGVerify *vfy = NULL;
+    SECStatus rv;
+
+    attribute = pk11_FindAttribute(key, CKA_PRIME_BITS);
+    if (attribute == NULL) {
+	return CKR_TEMPLATE_INCOMPLETE;
+    }
+    primeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
+    pk11_FreeAttribute(attribute);
+
+    attribute = pk11_FindAttribute(key, CKA_NETSCAPE_PQG_SEED_BITS);
+    if (attribute != NULL) {
+	seedBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue;
+	pk11_FreeAttribute(attribute);
+    }
+
+    pk11_DeleteAttributeType(key,CKA_PRIME_BITS);
+    pk11_DeleteAttributeType(key,CKA_NETSCAPE_PQG_SEED_BITS);
+
+    if (seedBits == 0) {
+	rv = PQG_ParamGen(primeBits, &params, &vfy);
+    } else {
+	rv = PQG_ParamGenSeedLen(primeBits,seedBits/8, &params, &vfy);
+    }
+
+    if (rv != SECSuccess) {
+	return CKR_DEVICE_ERROR;
+    }
+    crv = pk11_AddAttributeType(key,CKA_PRIME,
+				 params->prime.data, params->prime.len);
+    if (crv != CKR_OK) goto loser;
+    crv = pk11_AddAttributeType(key,CKA_SUBPRIME,
+				 params->subPrime.data, params->subPrime.len);
+    if (crv != CKR_OK) goto loser;
+    crv = pk11_AddAttributeType(key,CKA_BASE,
+				 params->base.data, params->base.len);
+    if (crv != CKR_OK) goto loser;
+    counter = vfy->counter;
+    crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_COUNTER,
+				 &counter, sizeof(counter));
+    crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_SEED,
+				 vfy->seed.data, vfy->seed.len);
+    if (crv != CKR_OK) goto loser;
+    crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_H,
+				 vfy->h.data, vfy->h.len);
+    if (crv != CKR_OK) goto loser;
+
+loser:
+    if (params) {
+	PQG_DestroyParams(params);
+    }
+    if (vfy) {
+	PQG_DestroyVerify(vfy);
+    }
+    return crv;
+}
+
+    
+
+    
+
 
 
 static CK_RV
@@ -2747,7 +2817,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
     int i;
     PK11Slot *slot = pk11_SlotFromSessionHandle(hSession);
     char buf[MAX_KEY_LEN];
-    enum {nsc_pbe, nsc_ssl, nsc_bulk} key_gen_type;
+    enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param} key_gen_type;
     NSSPKCS5PBEParameter *pbe_param;
     SSL3RSAPreMasterSecret *rsa_pms;
     CK_VERSION *version;
@@ -2837,6 +2907,12 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
 	key_gen_type = nsc_pbe;
 	crv = nsc_SetupPBEKeyGen(pMechanism,&pbe_param, &key_type);
 	break;
+    case CKM_DSA_PARAMETER_GEN:
+	key_gen_type = nsc_param;
+	key_type = CKK_DSA;
+	objclass = CKO_KG_PARAMETERS;
+	crv = CKR_OK;
+	break;
     default:
 	crv = CKR_MECHANISM_INVALID;
 	break;
@@ -2879,6 +2955,11 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
 	} while (crv == CKR_OK && checkWeak && 
 			pk11_IsWeakKey((unsigned char *)buf,key_type));
 	break;
+    case nsc_param:
+	/* generate parameters */
+	*buf = 0;
+	crv = nsc_parameter_gen(key_type,key);
+	break;
     }
 
     if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
@@ -2888,10 +2969,10 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
     if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
     crv = pk11_AddAttributeType(key,CKA_KEY_TYPE,&key_type,sizeof(CK_KEY_TYPE));
     if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
-    crv = pk11_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS));
-    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
-    crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
-    if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+    if (key_length != 0) {
+	crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length);
+	if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }
+    }
 
     /* get the session */
     session = pk11_SessionFromHandle(hSession);
diff --git a/security/nss/lib/softoken/pkcs11n.h b/security/nss/lib/softoken/pkcs11n.h
index 8ad69a3da..7ee4c6c34 100644
--- a/security/nss/lib/softoken/pkcs11n.h
+++ b/security/nss/lib/softoken/pkcs11n.h
@@ -97,7 +97,12 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$";
 #define CKA_NETSCAPE_PKCS8_SALT         (CKA_NETSCAPE +  5)
 #define CKA_NETSCAPE_PASSWORD_CHECK     (CKA_NETSCAPE +  6)
 #define CKA_NETSCAPE_EXPIRES            (CKA_NETSCAPE +  7)
-#define CKA_NETSCAPE_KRL                (CKA_NETSCAPE +  7)
+#define CKA_NETSCAPE_KRL                (CKA_NETSCAPE +  8)
+
+#define CKA_NETSCAPE_PQG_COUNTER        (CKA_NETSCAPE +  20)
+#define CKA_NETSCAPE_PQG_SEED           (CKA_NETSCAPE +  21)
+#define CKA_NETSCAPE_PQG_H              (CKA_NETSCAPE +  22)
+#define CKA_NETSCAPE_PQG_SEED_BITS      (CKA_NETSCAPE +  23)
 
 /*
  * Trust attributes:
diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h
index 124a1bb27..9ebed9e85 100644
--- a/security/nss/lib/softoken/pkcs11t.h
+++ b/security/nss/lib/softoken/pkcs11t.h
@@ -360,6 +360,7 @@ typedef CK_ULONG          CK_OBJECT_CLASS;
 #define CKO_SECRET_KEY        0x00000004
 #define CKO_HW_FEATURE        0x00000005
 #define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_KG_PARAMETERS     0x00000006
 #define CKO_VENDOR_DEFINED    0x80000000
 
 typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;