author | relyea%netscape.com <devnull@localhost> | 2002-03-02 00:52:05 +0000 |
---|---|---|
committer | relyea%netscape.com <devnull@localhost> | 2002-03-02 00:52:05 +0000 |
commit | 133799d1c04dfd27483a514bfe5d9bec1fbc1a64 (patch) | |
tree | a3c8ae138dd48434079c8e50d2ec84cf3a85fdcc | |
parent | d9eef5f5f8bf7fdfe50129cb90ceebbc9a5176ec (diff) | |
download | nss-hg-133799d1c04dfd27483a514bfe5d9bec1fbc1a64.tar.gz |
Implement PKCS #11 2.11 DSA PQG Parameter generation.
-rw-r--r-- | security/nss/lib/softoken/pkcs11.c | 105 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11c.c | 91 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11n.h | 7 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11t.h | 1 |
4 files changed, 198 insertions, 6 deletions
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 02d7bfb2e..d0bcac938 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -1405,6 +1405,108 @@ pk11_handleKeyObject(PK11Session *session, PK11Object *object) return CKR_ATTRIBUTE_VALUE_INVALID; } +/* + * check the consistancy and Verify a DSA Parameter Object + */ +static CK_RV +pk11_handleDSAParameterObject(PK11Session *session, PK11Object *object) +{ + PK11Attribute *primeAttr = NULL; + PK11Attribute *subPrimeAttr = NULL; + PK11Attribute *baseAttr = NULL; + PK11Attribute *seedAttr = NULL; + PK11Attribute *hAttr = NULL; + PK11Attribute *attribute; + CK_RV crv = CKR_TEMPLATE_INCOMPLETE; + PQGParams params; + PQGVerify vfy, *verify = NULL; + SECStatus result,rv; + + primeAttr = pk11_FindAttribute(object,CKA_PRIME); + if (primeAttr == NULL) goto loser; + params.prime.data = primeAttr->attrib.pValue; + params.prime.len = primeAttr->attrib.ulValueLen; + + subPrimeAttr = pk11_FindAttribute(object,CKA_SUBPRIME); + if (subPrimeAttr == NULL) goto loser; + params.subPrime.data = subPrimeAttr->attrib.pValue; + params.subPrime.len = subPrimeAttr->attrib.ulValueLen; + + baseAttr = pk11_FindAttribute(object,CKA_BASE); + if (baseAttr == NULL) goto loser; + params.base.data = baseAttr->attrib.pValue; + params.base.len = baseAttr->attrib.ulValueLen; + + attribute = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER); + if (attribute != NULL) { + vfy.counter = *(CK_ULONG *) attribute->attrib.pValue; + pk11_FreeAttribute(attribute); + + seedAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_SEED); + if (seedAttr == NULL) goto loser; + vfy.seed.data = seedAttr->attrib.pValue; + vfy.seed.len = seedAttr->attrib.ulValueLen; + + hAttr = pk11_FindAttribute(object, CKA_NETSCAPE_PQG_H); + if (hAttr == NULL) goto loser; + vfy.h.data = hAttr->attrib.pValue; + vfy.h.len = hAttr->attrib.ulValueLen; + + verify = &vfy; + } + + crv = CKR_FUNCTION_FAILED; + rv = PQG_VerifyParams(¶ms,verify,&result); + if (rv == SECSuccess) { + crv = (result== SECSuccess) ? 
CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID; + } + +loser: + if (hAttr) pk11_FreeAttribute(hAttr); + if (seedAttr) pk11_FreeAttribute(seedAttr); + if (baseAttr) pk11_FreeAttribute(baseAttr); + if (subPrimeAttr) pk11_FreeAttribute(subPrimeAttr); + if (primeAttr) pk11_FreeAttribute(primeAttr); + + return crv; +} + +/* + * check the consistancy and initialize a Key Parameter Object + */ +static CK_RV +pk11_handleKeyParameterObject(PK11Session *session, PK11Object *object) +{ + PK11Attribute *attribute; + CK_KEY_TYPE key_type; + CK_BBOOL cktrue = CK_TRUE; + CK_BBOOL ckfalse = CK_FALSE; + CK_RV crv; + + /* verify the required fields */ + if ( !pk11_hasAttribute(object,CKA_KEY_TYPE) ) { + return CKR_TEMPLATE_INCOMPLETE; + } + + /* now verify the common fields */ + crv = pk11_defaultAttribute(object,CKA_LOCAL,&ckfalse,sizeof(CK_BBOOL)); + if (crv != CKR_OK) return crv; + + /* get the key type */ + attribute = pk11_FindAttribute(object,CKA_KEY_TYPE); + key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue; + pk11_FreeAttribute(attribute); + + switch (key_type) { + case CKK_DSA: + return pk11_handleDSAParameterObject(session,object); + + default: + break; + } + return CKR_KEY_TYPE_INCONSISTENT; +} + /* * Handle Object does all the object consistancy checks, automatic attribute * generation, attribute defaulting, etc. If handleObject succeeds, the object @@ -1480,6 +1582,9 @@ pk11_handleObject(PK11Object *object, PK11Session *session) case CKO_SECRET_KEY: crv = pk11_handleKeyObject(session,object); break; + case CKO_KG_PARAMETERS: + crv = pk11_handleKeyParameterObject(session,object); + break; default: crv = CKR_ATTRIBUTE_VALUE_INVALID; break; diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 91d776f14..d4dfc1b75 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c 
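Review bot: `vfy.counter = *(CK_ULONG *) attribute->attrib.pValue;` in pk11_handleDSAParameterObject dereferences a template-supplied attribute as a CK_ULONG without looking at `attribute->attrib.ulValueLen`, so a C_CreateObject template carrying a short CKA_NETSCAPE_PQG_COUNTER value is read past its end. The CKA_KEY_TYPE read in pk11_handleKeyParameterObject has the same shape, although it mirrors the existing key-object code. I would reject a malformed counter before using it: `if (attribute->attrib.ulValueLen != sizeof(CK_ULONG)) { pk11_FreeAttribute(attribute); crv = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; }`. The `session` parameter of pk11_handleDSAParameterObject is never used; since the function is static it could be dropped, or at least marked `/* session unused */` so the next reader does not look for it.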
@@ -2562,6 +2562,76 @@ nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism, } return CKR_OK; } +static CK_RV +nsc_parameter_gen(CK_KEY_TYPE key_type, PK11Object *key) +{ + PK11Attribute *attribute; + CK_ULONG counter; + unsigned int seedBits = 0; + unsigned int primeBits; + CK_RV crv = CKR_OK; + PQGParams *params = NULL; + PQGVerify *vfy = NULL; + SECStatus rv; + + attribute = pk11_FindAttribute(key, CKA_PRIME_BITS); + if (attribute == NULL) { + return CKR_TEMPLATE_INCOMPLETE; + } + primeBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue; + pk11_FreeAttribute(attribute); + + attribute = pk11_FindAttribute(key, CKA_NETSCAPE_PQG_SEED_BITS); + if (attribute != NULL) { + seedBits = (unsigned int) *(CK_ULONG *)attribute->attrib.pValue; + pk11_FreeAttribute(attribute); + } + + pk11_DeleteAttributeType(key,CKA_PRIME_BITS); + pk11_DeleteAttributeType(key,CKA_NETSCAPE_PQG_SEED_BITS); + + if (seedBits == 0) { + rv = PQG_ParamGen(primeBits, ¶ms, &vfy); + } else { + rv = PQG_ParamGenSeedLen(primeBits,seedBits/8, ¶ms, &vfy); + } + + if (rv != SECSuccess) { + return CKR_DEVICE_ERROR; + } + crv = pk11_AddAttributeType(key,CKA_PRIME, + params->prime.data, params->prime.len); + if (crv != CKR_OK) goto loser; + crv = pk11_AddAttributeType(key,CKA_SUBPRIME, + params->subPrime.data, params->subPrime.len); + if (crv != CKR_OK) goto loser; + crv = pk11_AddAttributeType(key,CKA_BASE, + params->base.data, params->base.len); + if (crv != CKR_OK) goto loser; + counter = vfy->counter; + crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_COUNTER, + &counter, sizeof(counter)); + crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_SEED, + vfy->seed.data, vfy->seed.len); + if (crv != CKR_OK) goto loser; + crv = pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_H, + vfy->h.data, vfy->h.len); + if (crv != CKR_OK) goto loser; + +loser: + if (params) { + PQG_DestroyParams(params); + } + if (vfy) { + PQG_DestroyVerify(vfy); + } + return crv; +} + + + + + static CK_RV 
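Review bot: The return value of `pk11_AddAttributeType(key,CKA_NETSCAPE_PQG_COUNTER, &counter, sizeof(counter))` in nsc_parameter_gen is overwritten by the next call without being tested, so a failure to store the counter is silently lost while the seed and h are still attached; add `if (crv != CKR_OK) goto loser;` after it like the neighbouring calls. CKA_PRIME_BITS and CKA_NETSCAPE_PQG_SEED_BITS are both caller template values read through `*(CK_ULONG *)attribute->attrib.pValue` with no check that `ulValueLen` equals `sizeof(CK_ULONG)`; a length check returning CKR_ATTRIBUTE_VALUE_INVALID belongs before each dereference. Every PQG_ParamGen/PQG_ParamGenSeedLen failure is reported as CKR_DEVICE_ERROR, which hides an unsupported `primeBits` from the caller, and `seedBits/8` silently truncates a seed length that is not a multiple of 8, so both deserve a validation step or at least a comment. The `key_type` parameter is unused in this function.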
@@ -2747,7 +2817,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, int i; PK11Slot *slot = pk11_SlotFromSessionHandle(hSession); char buf[MAX_KEY_LEN]; - enum {nsc_pbe, nsc_ssl, nsc_bulk} key_gen_type; + enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param} key_gen_type; NSSPKCS5PBEParameter *pbe_param; SSL3RSAPreMasterSecret *rsa_pms; CK_VERSION *version; @@ -2837,6 +2907,12 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, key_gen_type = nsc_pbe; crv = nsc_SetupPBEKeyGen(pMechanism,&pbe_param, &key_type); break; + case CKM_DSA_PARAMETER_GEN: + key_gen_type = nsc_param; + key_type = CKK_DSA; + objclass = CKO_KG_PARAMETERS; + crv = CKR_OK; + break; default: crv = CKR_MECHANISM_INVALID; break; @@ -2879,6 +2955,11 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, } while (crv == CKR_OK && checkWeak && pk11_IsWeakKey((unsigned char *)buf,key_type)); break; + case nsc_param: + /* generate parameters */ + *buf = 0; + crv = nsc_parameter_gen(key_type,key); + break; } if (crv != CKR_OK) { pk11_FreeObject(key); return crv; } @@ -2888,10 +2969,10 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, if (crv != CKR_OK) { pk11_FreeObject(key); return crv; } crv = pk11_AddAttributeType(key,CKA_KEY_TYPE,&key_type,sizeof(CK_KEY_TYPE)); if (crv != CKR_OK) { pk11_FreeObject(key); return crv; } - crv = pk11_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS)); - if (crv != CKR_OK) { pk11_FreeObject(key); return crv; } - crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length); - if (crv != CKR_OK) { pk11_FreeObject(key); return crv; } + if (key_length != 0) { + crv = pk11_AddAttributeType(key,CKA_VALUE,buf,key_length); + if (crv != CKR_OK) { pk11_FreeObject(key); return crv; } + } /* get the session */ session = pk11_SessionFromHandle(hSession); diff --git a/security/nss/lib/softoken/pkcs11n.h b/security/nss/lib/softoken/pkcs11n.h index 8ad69a3da..7ee4c6c34 100644 --- a/security/nss/lib/softoken/pkcs11n.h +++ b/security/nss/lib/softoken/pkcs11n.h 
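Review bot: In the new `case nsc_param:` only the first byte of `buf` is written (`*buf = 0;`), yet nothing in this hunk sets `key_length`, and the CKA_VALUE branch added later in NSC_GenerateKey copies `key_length` bytes of `buf` whenever it is non-zero. If `key_length` is taken from the caller's CKA_VALUE_LEN before this switch (not visible here), a template that supplies it would attach uninitialised stack bytes to the parameter object. Set `key_length = 0;` next to `*buf = 0;` so the value branch is skipped for parameter generation, or reject CKA_VALUE_LEN for CKM_DSA_PARAMETER_GEN. The rest of NSC_GenerateKey lies outside this hunk.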
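Review bot: The `pk11_AddAttributeType(key,CKA_CLASS,&objclass,...)` call is removed from this spot but no hunk of the commit adds it elsewhere, so unless CKA_CLASS is set earlier in NSC_GenerateKey (not visible here) the generated object — secret keys as well as the new CKO_KG_PARAMETERS object — reaches pk11_handleObject without a class attribute, and the `objclass` assigned in the mechanism switch is never stored. If dropping it is intended, the `objclass = CKO_KG_PARAMETERS;` assignment in the CKM_DSA_PARAMETER_GEN case is dead and the commit message should say where the class now comes from; otherwise restore `crv = pk11_AddAttributeType(key,CKA_CLASS,&objclass,sizeof(CK_OBJECT_CLASS)); if (crv != CKR_OK) { pk11_FreeObject(key); return crv; }` before the CKA_VALUE branch. NSC_GenerateKey continues past this hunk.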
@@ -97,7 +97,12 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$ $Name$"; #define CKA_NETSCAPE_PKCS8_SALT (CKA_NETSCAPE + 5) #define CKA_NETSCAPE_PASSWORD_CHECK (CKA_NETSCAPE + 6) #define CKA_NETSCAPE_EXPIRES (CKA_NETSCAPE + 7) -#define CKA_NETSCAPE_KRL (CKA_NETSCAPE + 7) +#define CKA_NETSCAPE_KRL (CKA_NETSCAPE + 8) + +#define CKA_NETSCAPE_PQG_COUNTER (CKA_NETSCAPE + 20) +#define CKA_NETSCAPE_PQG_SEED (CKA_NETSCAPE + 21) +#define CKA_NETSCAPE_PQG_H (CKA_NETSCAPE + 22) +#define CKA_NETSCAPE_PQG_SEED_BITS (CKA_NETSCAPE + 23) /* * Trust attributes: diff --git a/security/nss/lib/softoken/pkcs11t.h b/security/nss/lib/softoken/pkcs11t.h index 124a1bb27..9ebed9e85 100644 --- a/security/nss/lib/softoken/pkcs11t.h +++ b/security/nss/lib/softoken/pkcs11t.h @@ -360,6 +360,7 @@ typedef CK_ULONG CK_OBJECT_CLASS; #define CKO_SECRET_KEY 0x00000004 #define CKO_HW_FEATURE 0x00000005 #define CKO_DOMAIN_PARAMETERS 0x00000006 +#define CKO_KG_PARAMETERS 0x00000006 #define CKO_VENDOR_DEFINED 0x80000000 typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; |
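Review bot: `CKA_NETSCAPE_KRL` moves from `(CKA_NETSCAPE + 7)` to `(CKA_NETSCAPE + 8)`, a numeric change to an exported vendor attribute: the old value collided with `CKA_NETSCAPE_EXPIRES` (also `+ 7`), which the hunk fixes but does not say, and any caller or stored object that used the old number now reads as CKA_NETSCAPE_EXPIRES. Worth a comment on the line, `/* was CKA_NETSCAPE + 7, which collided with CKA_NETSCAPE_EXPIRES */`, plus a one-line note on the PQG group explaining why it starts at `+ 20` so the next author does not fill the gap with unrelated attributes. The commit title does not mention the KRL renumbering.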
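Review bot: `CKO_KG_PARAMETERS` is defined with the literal `0x00000006`, the same value as the `CKO_DOMAIN_PARAMETERS` line directly above it, so the relationship is invisible and the pkcs11.c switch that now has `case CKO_KG_PARAMETERS:` would fail to compile if a `CKO_DOMAIN_PARAMETERS` case is ever added beside it. Define it as an alias, `#define CKO_KG_PARAMETERS CKO_DOMAIN_PARAMETERS /* older name for the PKCS #11 2.11 class */`, or use the standard name in the switch and drop the extra define.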