authorian.mcgreer%sun.com <devnull@localhost>2003-01-24 22:36:50 +0000
committerian.mcgreer%sun.com <devnull@localhost>2003-01-24 22:36:50 +0000
commit0afe5be6cd85ce9ed8f59d5d462057b41e2e794f (patch)
tree95c0548aa2bfff6ce69540201a6f579c428c3437
parent7043bce21816795cf1c85455098a3424171ee414 (diff)
downloadnss-hg-0afe5be6cd85ce9ed8f59d5d462057b41e2e794f.tar.gz
convert selfserv, more methods needed by SSL
-rw-r--r--security/nss/cmd/cipher/ciphertests.c15
-rw-r--r--security/nss/cmd/manifest.mn3
-rw-r--r--security/nss/cmd/pkiutil/pkiobject.c19
-rw-r--r--security/nss/cmd/platlibs.mk1
-rw-r--r--security/nss/cmd/selfserv/manifest.mn6
-rw-r--r--security/nss/cmd/selfserv/selfserv.c176
-rw-r--r--security/nss/lib/dev/algparam.c25
-rw-r--r--security/nss/lib/dev/dev.h18
-rw-r--r--security/nss/lib/dev/devtoken.c60
-rw-r--r--security/nss/lib/nss/nss.def8
-rw-r--r--security/nss/lib/pki/asymmkey.c132
-rw-r--r--security/nss/lib/pki/cryptocontext.c19
-rw-r--r--security/nss/lib/pki/pkim.h7
-rw-r--r--security/nss/lib/pki/volatiledomain.c71
-rw-r--r--security/nss/lib/ssl/sslcon.c16
15 files changed, 443 insertions, 133 deletions
diff --git a/security/nss/cmd/cipher/ciphertests.c b/security/nss/cmd/cipher/ciphertests.c
index b1143cf0b..389ec6318 100644
--- a/security/nss/cmd/cipher/ciphertests.c
+++ b/security/nss/cmd/cipher/ciphertests.c
@@ -346,9 +346,8 @@ CreateASelfTest(char *cipher, int keysize, char *input)
}
/* import the cert into the volatile domain */
- wrapCert = NSSVolatileDomain_ImportEncodedCert(vd,
- encodedCert,
- NULL);
+ wrapCert = NSSVolatileDomain_ImportEncodedCert(vd, encodedCert,
+ NULL, NULL);
NSSItem_Destroy(encodedCert);
if (!wrapCert) {
NSSVolatileDomain_Destroy(vd);
@@ -389,17 +388,15 @@ CreateASelfTest(char *cipher, int keysize, char *input)
return PR_FAILURE;
}
- ciphertext = NSSSymKey_Encrypt(symKey, ap, &plaintext,
- NULL, NULL, NULL);
+ ciphertext = NSSSymKey_Encrypt(symKey, ap, &plaintext, NULL, NULL, NULL);
if (!ciphertext) {
CMD_PrintError("encryption failed\n");
return PR_FAILURE;
}
- wrappedKey = NSSCert_WrapSymKey(wrapCert, wrapAP,
- symKey,
- NSSTime_Now(), NULL, NULL,
- NULL, NULL, NULL);
+ wrappedKey = NSSCert_WrapSymKey(wrapCert, wrapAP, symKey,
+ NSSTime_Now(), NULL, NULL,
+ NULL, NULL, NULL);
algID = NSSAlgNParam_Encode(ap, NULL, NULL);
diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn
index 99c1c4bf8..aa64c4b1a 100644
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -40,9 +40,10 @@ DIRS = \
cmdlib \
atob \
btoa \
+ cipher \
nssutil \
pkiutil \
- cipher \
+ selfserv \
$(NULL)
TEMPORARILY_DONT_BUILD = \
diff --git a/security/nss/cmd/pkiutil/pkiobject.c b/security/nss/cmd/pkiutil/pkiobject.c
index 16c13ee0b..fdd850b80 100644
--- a/security/nss/cmd/pkiutil/pkiobject.c
+++ b/security/nss/cmd/pkiutil/pkiobject.c
@@ -236,16 +236,15 @@ print_rsa_key_info(NSSRSAPublicKeyInfo *rsaInfo, CMDRunTimeData *rtData)
static PRStatus
print_public_key_info(NSSPublicKey *pubKey, CMDRunTimeData *rtData)
{
- NSSPublicKeyInfo *pubKeyInfo = NSSPublicKey_GetInfo(pubKey);
- if (pubKeyInfo) {
- switch(pubKeyInfo->kind) {
- case NSSKeyPairType_RSA:
- return print_rsa_key_info(&pubKeyInfo->u.rsa, rtData);
- case NSSKeyPairType_DSA:
- case NSSKeyPairType_DH:
- default:
- return PR_FAILURE;
- }
+ NSSPublicKeyInfo pubKeyInfo;
+ NSSPublicKey_GetKeyInfo(pubKey, &pubKeyInfo);
+ switch(pubKeyInfo.kind) {
+ case NSSKeyPairType_RSA:
+ return print_rsa_key_info(&pubKeyInfo.u.rsa, rtData);
+ case NSSKeyPairType_DSA:
+ case NSSKeyPairType_DH:
+ default:
+ return PR_FAILURE;
}
return PR_FAILURE;
}
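Review bot: The result of `NSSPublicKey_GetKeyInfo(pubKey, &pubKeyInfo)` is discarded, so if the call fails the `switch` reads `pubKeyInfo.kind` from an uninitialised stack struct. The removed code guarded the same access with `if (pubKeyInfo)`. I would test the call's result before the switch and return `PR_FAILURE` on failure; the function's return convention is not visible in this diff. Declaring `NSSPublicKeyInfo pubKeyInfo = { 0 };` alone is weaker, because a zero `kind` may be a valid key type.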
diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk
index 08608815d..fca21989c 100644
--- a/security/nss/cmd/platlibs.mk
+++ b/security/nss/cmd/platlibs.mk
@@ -69,6 +69,7 @@ endif
# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
EXTRA_SHARED_LIBS += \
-L$(DIST)/lib/ \
+ -lssl4 \
-lnsspkix4 \
-lnss4 \
-lsoftokn3 \
diff --git a/security/nss/cmd/selfserv/manifest.mn b/security/nss/cmd/selfserv/manifest.mn
index f8050ed9e..7f6fb4612 100644
--- a/security/nss/cmd/selfserv/manifest.mn
+++ b/security/nss/cmd/selfserv/manifest.mn
@@ -33,16 +33,14 @@
CORE_DEPTH = ../../..
-DEFINES += -DNSPR20
-
# MODULE public and private header directories are implicitly REQUIRED.
-MODULE = security
+MODULE = nss
CSRCS = selfserv.c
# The MODULE is always implicitly required.
# Listing it here in REQUIRES makes it appear twice in the cc command line.
-REQUIRES = seccmd dbm
+REQUIRES = seccmd
PROGRAM = selfserv
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index d83e55619..68f52b76f 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -40,8 +40,6 @@
#include <stdio.h>
#include <string.h>
-#include "secutil.h"
-
#if defined(XP_UNIX)
#include <unistd.h>
#endif
@@ -65,12 +63,15 @@
#include "prnetdb.h"
#include "prclist.h"
#include "plgetopt.h"
-#include "pk11func.h"
-#include "secitem.h"
+
#include "nss.h"
+#include "nssbase.h"
+
#include "ssl.h"
#include "sslproto.h"
+#include "cmdutil.h"
+
#ifndef PORT_Sprintf
#define PORT_Sprintf sprintf
#endif
@@ -85,7 +86,8 @@
#define NUM_SID_CACHE_ENTRIES 1024
-static int handle_connection( PRFileDesc *, PRFileDesc *, int );
+static int handle_connection( PRFileDesc *, PRFileDesc *,
+ int, NSSTrustDomain * );
static const char envVarName[] = { SSL_ENV_VAR_NAME };
static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
@@ -140,28 +142,12 @@ static int stopping;
static PRBool noDelay;
static int requestCert;
static int verbose;
-static SECItem bigBuf;
+static NSSItem bigBuf;
static PRThread * acceptorThread;
static PRLogModuleInfo *lm;
-/* Add custom password handler because SECU_GetModulePassword
- * makes automation of this program next to impossible.
- */
-
-char *
-ownPasswd(PK11SlotInfo *info, PRBool retry, void *arg)
-{
- char * passwd = NULL;
-
- if ( (!retry) && arg ) {
- passwd = PL_strdup((char *)arg);
- }
-
- return passwd;
-}
-
#define PRINTF if (verbose) printf
#define FPRINTF if (verbose) fprintf
#define FLUSH if (verbose) { fflush(stdout); fflush(stderr); }
@@ -219,15 +205,13 @@ Usage(const char *progName)
,progName);
}
-static const char *
+static void
errWarn(char * funcString)
{
PRErrorCode perr = PR_GetError();
- const char * errString = SECU_Strerror(perr);
- fprintf(stderr, "selfserv: %s returned error %d:\n%s\n",
- funcString, perr, errString);
- return errString;
+ CMD_PrintError("selfserv: %s returned error %d:\n",
+ funcString, perr);
}
static void
@@ -269,12 +253,20 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer)
{
SECStatus rv;
- CERTCertificate * peerCert;
+ NSSCert *peerCert;
+ NSSUTF8 *subjectName, *issuerName;
peerCert = SSL_PeerCertificate(fd);
+ if (NSSCert_GetNames(peerCert, &subjectName, 1, NULL) == NULL) {
+ return SECFailure;
+ }
+ if (NSSCert_GetIssuerNames(peerCert, &issuerName, 1, NULL) == NULL) {
+ return SECFailure;
+ }
+
PRINTF("selfserv: Subject: %s\nselfserv: Issuer : %s\n",
- peerCert->subjectName, peerCert->issuerName);
+ subjectName, issuerName);
rv = SSL_AuthCertificate(arg, fd, checkSig, isServer);
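Review bot: Both new `return SECFailure;` paths leave `peerCert` unreleased, because the matching `NSSCert_Destroy(peerCert)` only runs at the end of the function, in the following hunk. `peerCert` is also handed to `NSSCert_GetNames` without a NULL check, and `subjectName`/`issuerName` are never released although printSecurityInfo frees the same kind of result with `NSSUTF8_Destroy`. I would return early on `!peerCert`, call `NSSCert_Destroy(peerCert);` before each failure return, and destroy both names after the PRINTF. Whether the name getters tolerate a NULL certificate is not visible in this diff. The function body starts and ends outside this hunk.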
@@ -282,10 +274,10 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
PRINTF("selfserv: -- SSL3: Certificate Validated.\n");
} else {
int err = PR_GetError();
- FPRINTF(stderr, "selfserv: -- SSL3: Certificate Invalid, err %d.\n%s\n",
- err, SECU_Strerror(err));
+ CMD_PrintError("selfserv: -- SSL3: Certificate Invalid, err %d.\n",
+ err);
}
- CERT_DestroyCertificate(peerCert);
+ NSSCert_Destroy(peerCert);
FLUSH;
return rv;
}
@@ -293,7 +285,7 @@ mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
void
printSecurityInfo(PRFileDesc *fd)
{
- CERTCertificate * cert = NULL;
+ NSSCert * cert = NULL;
SSL3Statistics * ssl3stats = SSL_GetStatistics();
SECStatus result;
SSLChannelInfo channel;
@@ -327,17 +319,19 @@ printSecurityInfo(PRFileDesc *fd)
else
cert = SSL_LocalCertificate(fd);
if (cert) {
- char * ip = CERT_NameToAscii(&cert->issuer);
- char * sp = CERT_NameToAscii(&cert->subject);
+ NSSUTF8 * ip;
+ NSSUTF8 * sp;
+ (void)NSSCert_GetIssuerNames(cert, &ip, 1, NULL);
+ (void)NSSCert_GetNames(cert, &sp, 1, NULL);
if (sp) {
FPRINTF(stderr, "selfserv: subject DN: %s\n", sp);
- PR_Free(sp);
+ NSSUTF8_Destroy(sp);
}
if (ip) {
FPRINTF(stderr, "selfserv: issuer DN: %s\n", ip);
- PR_Free(ip);
+ NSSUTF8_Destroy(ip);
}
- CERT_DestroyCertificate(cert);
+ NSSCert_Destroy(cert);
cert = NULL;
}
FLUSH;
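Review bot: `ip` and `sp` are declared without initialisers and the results of `NSSCert_GetIssuerNames`/`NSSCert_GetNames` are cast to `(void)`, so if either call fails without writing its output the later `if (sp)` and `if (ip)` tests read indeterminate pointers and may print and destroy garbage. Initialise them at the declaration: `NSSUTF8 * ip = NULL;` and `NSSUTF8 * sp = NULL;`. That relies on the getters leaving the output slot untouched on failure, which this diff does not show; checking their return values, as mySSLAuthCertificate does, would be more robust. printSecurityInfo starts before this hunk.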
@@ -350,9 +344,8 @@ myBadCertHandler( void *arg, PRFileDesc *fd)
{
int err = PR_GetError();
if (!MakeCertOK)
- fprintf(stderr,
- "selfserv: -- SSL: Client Certificate Invalid, err %d.\n%s\n",
- err, SECU_Strerror(err));
+ CMD_PrintError(
+ "selfserv: -- SSL: Client Certificate Invalid, err %d.\n", err);
return (MakeCertOK ? SECSuccess : SECFailure);
}
@@ -371,6 +364,7 @@ typedef struct jobStr {
PRFileDesc *tcp_sock;
PRFileDesc *model_sock;
int requestCert;
+ NSSTrustDomain *td;
} JOB;
static PZLock * qLock; /* this lock protects all data immediately below */
@@ -454,7 +448,7 @@ jobLoop(PRFileDesc *a, PRFileDesc *b, int c)
if (!myJob)
break;
handle_connection( myJob->tcp_sock, myJob->model_sock,
- myJob->requestCert);
+ myJob->requestCert, myJob->td);
PZ_Lock(qLock);
PR_APPEND_LINK(myLink, &freeJobs);
PZ_NotifyCondVar(freeListNotEmptyCv);
@@ -765,7 +759,8 @@ int
handle_connection(
PRFileDesc *tcp_sock,
PRFileDesc *model_sock,
- int requestCert
+ int requestCert,
+ NSSTrustDomain *td
)
{
PRFileDesc * ssl_sock = NULL;
@@ -799,7 +794,7 @@ handle_connection(
VLOG(("selfserv: handle_connection: starting\n"));
if (useModelSocket && model_sock) {
SECStatus rv;
- ssl_sock = SSL_ImportFD(model_sock, tcp_sock);
+ ssl_sock = SSL_ImportFD(model_sock, td, tcp_sock);
if (!ssl_sock) {
errWarn("SSL_ImportFD with model");
goto cleanup;
@@ -916,9 +911,9 @@ handle_connection(
* do it here.
*/
if (requestCert > 2) { /* request cert was 3 or 4 */
- CERTCertificate * cert = SSL_PeerCertificate(ssl_sock);
+ NSSCert * cert = SSL_PeerCertificate(ssl_sock);
if (cert) {
- CERT_DestroyCertificate(cert);
+ NSSCert_Destroy(cert);
} else {
rv = SSL_OptionSet(ssl_sock, SSL_REQUEST_CERTIFICATE, 1);
if (rv < 0) {
@@ -964,29 +959,31 @@ handle_connection(
bytes, fileName);
break;
}
+#if 0
errString = errWarn("PR_TransmitFile");
- errLen = PORT_Strlen(errString);
+ errLen = strlen(errString);
if (errLen > sizeof msgBuf - 1)
errLen = sizeof msgBuf - 1;
- PORT_Memcpy(msgBuf, errString, errLen);
+ memcpy(msgBuf, errString, errLen);
msgBuf[errLen] = 0;
+#endif
iovs[numIOVs].iov_base = msgBuf;
- iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
+ iovs[numIOVs].iov_len = strlen(msgBuf);
numIOVs++;
} else if (reqLen <= 0) { /* hit eof */
PORT_Sprintf(msgBuf, "Get or Post incomplete after %d bytes.\r\n",
bufDat);
iovs[numIOVs].iov_base = msgBuf;
- iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
+ iovs[numIOVs].iov_len = strlen(msgBuf);
numIOVs++;
} else if (reqLen < bufDat) {
PORT_Sprintf(msgBuf, "Discarded %d characters.\r\n",
bufDat - reqLen);
iovs[numIOVs].iov_base = msgBuf;
- iovs[numIOVs].iov_len = PORT_Strlen(msgBuf);
+ iovs[numIOVs].iov_len = strlen(msgBuf);
numIOVs++;
}
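Review bot: With the `errString` copy wrapped in `#if 0`, nothing in the PR_TransmitFile failure branch writes `msgBuf` before `iovs[numIOVs].iov_len = strlen(msgBuf);`, so the length is taken from whatever the buffer already holds. If the buffer has not been written yet, `strlen` can run past its end and the response would carry stale or uninitialised bytes to the client. msgBuf's declaration and any earlier writes are outside the hunk, so this is inferred from the visible lines only. Until errWarn returns a string again, either write a fixed message first, for example `PORT_Sprintf(msgBuf, "PR_TransmitFile failed.\r\n");`, or move the three `iovs`/`numIOVs` lines inside the `#if 0` as well.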
@@ -1150,8 +1147,10 @@ void
server_main(
PRFileDesc * listen_sock,
int requestCert,
- SECKEYPrivateKey ** privKey,
- CERTCertificate ** cert)
+ NSSPrivateKey ** privKey,
+ NSSCert ** cert,
+ NSSTrustDomain * td
+ )
{
PRFileDesc *model_sock = NULL;
int rv;
@@ -1163,12 +1162,12 @@ server_main(
if (model_sock == NULL) {
errExit("PR_NewTCPSocket on model socket");
}
- model_sock = SSL_ImportFD(NULL, model_sock);
+ model_sock = SSL_ImportFD(NULL, td, model_sock);
if (model_sock == NULL) {
errExit("SSL_ImportFD");
}
} else {
- model_sock = listen_sock = SSL_ImportFD(NULL, listen_sock);
+ model_sock = listen_sock = SSL_ImportFD(NULL, td, listen_sock);
if (listen_sock == NULL) {
errExit("SSL_ImportFD");
}
@@ -1203,7 +1202,7 @@ server_main(
errExit("error enabling RollBack detection ");
}
- for (kea = kt_rsa; kea < kt_kea_size; kea++) {
+ for (kea = ssl_kea_rsa; kea < ssl_kea_size; kea++) {
if (cert[kea] != NULL) {
secStatus = SSL_ConfigSecureServer(model_sock,
cert[kea], privKey[kea], kea);
@@ -1230,8 +1229,7 @@ server_main(
if (requestCert) {
- SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate,
- (void *)CERT_GetDefaultCertDB());
+ SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, NULL);
if (requestCert <= 2) {
rv = SSL_OptionSet(model_sock, SSL_REQUEST_CERTIFICATE, 1);
if (rv < 0) {
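Review bot: The hook argument changes from the certificate database handle to `NULL`, and mySSLAuthCertificate forwards that argument unchanged as the first parameter of `SSL_AuthCertificate(arg, fd, checkSig, isServer)`. Whether the converted SSL_AuthCertificate still needs a validation context in that position is not visible in this diff; if it does, client-certificate checks would run without one. A short comment at the call site stating why `NULL` is sufficient (or passing `td`, if that is what the new API expects) would make the intent reviewable.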
@@ -1279,15 +1277,15 @@ readBigFile(const char * fileName)
info.size > 0 &&
NULL != (local_file_fd = PR_Open(fileName, PR_RDONLY, 0))) {
- hdrLen = PORT_Strlen(outHeader);
- bigBuf.len = hdrLen + info.size;
- bigBuf.data = PORT_Malloc(bigBuf.len + 4095);
+ hdrLen = strlen(outHeader);
+ bigBuf.size = hdrLen + info.size;
+ bigBuf.data = PORT_Malloc(bigBuf.size + 4095);
if (!bigBuf.data) {
errWarn("PORT_Malloc");
goto done;
}
- PORT_Memcpy(bigBuf.data, outHeader, hdrLen);
+ memcpy(bigBuf.data, outHeader, hdrLen);
count = PR_Read(local_file_fd, bigBuf.data + hdrLen, info.size);
if (count != info.size) {
@@ -1401,8 +1399,8 @@ main(int argc, char **argv)
char * tmp;
char * envString;
PRFileDesc * listen_sock;
- CERTCertificate * cert [kt_kea_size] = { NULL };
- SECKEYPrivateKey * privKey[kt_kea_size] = { NULL };
+ NSSCert * cert [ssl_kea_size] = { NULL };
+ NSSPrivateKey * privKey[ssl_kea_size] = { NULL };
int optionsFound = 0;
int maxProcs = 1;
unsigned short port = 0;
@@ -1414,6 +1412,8 @@ main(int argc, char **argv)
PLOptStatus status;
PRThread *loggerThread;
PRBool debugCache = PR_FALSE; /* bug 90518 */
+ NSSTrustDomain * td = NULL;
+ NSSUsages serverUsage = { 0, NSSUsage_SSLServer };
#ifdef LINUX /* bug 119340 */
struct sigaction act;
@@ -1450,12 +1450,12 @@ main(int argc, char **argv)
case 'L':
logStats = PR_TRUE;
- logPeriod = PORT_Atoi(optstate->value);
+ logPeriod = atoi(optstate->value);
if (logPeriod < 0) logPeriod = 30;
break;
case 'M':
- maxProcs = PORT_Atoi(optstate->value);
+ maxProcs = atoi(optstate->value);
if (maxProcs < 1) maxProcs = 1;
if (maxProcs > MAX_PROCS) maxProcs = MAX_PROCS;
break;
@@ -1482,12 +1482,12 @@ main(int argc, char **argv)
case 'o': MakeCertOK = 1; break;
- case 'p': port = PORT_Atoi(optstate->value); break;
+ case 'p': port = atoi(optstate->value); break;
case 'r': ++requestCert; break;
case 't':
- maxThreads = PORT_Atoi(optstate->value);
+ maxThreads = atoi(optstate->value);
if ( maxThreads > MAX_THREADS ) maxThreads = MAX_THREADS;
if ( maxThreads < MIN_THREADS ) maxThreads = MIN_THREADS;
break;
@@ -1593,9 +1593,6 @@ main(int argc, char **argv)
if (fileName)
readBigFile(fileName);
- /* set our password function */
- PK11_SetPasswordFunc( passwd ? ownPasswd : SECU_GetModulePassword);
-
/* Call the libsec initialization routines */
rv = NSS_Init(dir);
if (rv != SECSuccess) {
@@ -1603,6 +1600,9 @@ main(int argc, char **argv)
exit(8);
}
+ /* set our password function */
+ /* XXX */
+
/* set the policy bits true for all the cipher suites. */
if (useExportPolicy)
NSS_SetExportPolicy();
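Review bot: The password callback registration is removed and replaced by a bare `/* XXX */`, so in the visible hunks nothing consumes `passwd` any more: it is still released with `free(passwd)` at the end of main, and `NSSCert_FindPrivateKey(cert[ssl_kea_rsa], NULL)` later passes no callback. The placeholder should say what is missing, for example `/* XXX no password callback is registered yet; the password option is ignored until one is */`. That key lookup on a token requiring login will now fail is an inference from these lines, not something the diff shows.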
@@ -1632,31 +1632,39 @@ main(int argc, char **argv)
SECStatus status;
status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
if (status != SECSuccess)
- SECU_PrintError(progName, "SSL_CipherPrefSet()");
+ CMD_PrintError("SSL_CipherPrefSet()");
}
}
}
if (nickName) {
- cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd);
- if (cert[kt_rsa] == NULL) {
+ cert[ssl_kea_rsa] = NSSTrustDomain_FindBestCertByNickname(td,
+ nickName,
+ NSSTime_Now(),
+ &serverUsage,
+ NULL);
+ if (cert[ssl_kea_rsa] == NULL) {
fprintf(stderr, "selfserv: Can't find certificate %s\n", nickName);
exit(10);
}
- privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd);
- if (privKey[kt_rsa] == NULL) {
+ privKey[ssl_kea_rsa] = NSSCert_FindPrivateKey(cert[ssl_kea_rsa], NULL);
+ if (privKey[ssl_kea_rsa] == NULL) {
fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n",
nickName);
exit(11);
}
}
if (fNickName) {
- cert[kt_fortezza] = PK11_FindCertFromNickname(fNickName, NULL);
- if (cert[kt_fortezza] == NULL) {
+ cert[ssl_kea_fortezza] = NSSTrustDomain_FindBestCertByNickname(td,
+ fNickName,
+ NSSTime_Now(),
+ &serverUsage,
+ NULL);
+ if (cert[ssl_kea_fortezza] == NULL) {
fprintf(stderr, "selfserv: Can't find certificate %s\n", fNickName);
exit(12);
}
- privKey[kt_fortezza] = PK11_FindKeyByAnyCert(cert[kt_fortezza], NULL);
+ privKey[ssl_kea_fortezza] = NSSCert_FindPrivateKey(cert[ssl_kea_fortezza], NULL);
}
/* allocate the array of thread slots, and launch the worker threads. */
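Review bot: `td` is declared as `NSSTrustDomain * td = NULL;` and no visible hunk assigns it before it is passed to `NSSTrustDomain_FindBestCertByNickname(td, nickName, ...)` and later to `server_main`. If no assignment exists in the unchanged lines after `NSS_Init(dir)`, every certificate lookup and every `SSL_ImportFD(NULL, td, ...)` runs on a NULL trust domain. Separately, the Fortezza branch stores the result of `NSSCert_FindPrivateKey` without the NULL check the RSA branch has before `exit(11)`; the removed code had the same gap. I would obtain the trust domain explicitly right after initialisation and add the missing check.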
@@ -1674,26 +1682,28 @@ main(int argc, char **argv)
}
if (rv == SECSuccess) {
- server_main(listen_sock, requestCert, privKey, cert);
+ server_main(listen_sock, requestCert, privKey, cert, td);
}
VLOG(("selfserv: server_thread: exiting"));
{
int i;
- for (i=0; i<kt_kea_size; i++) {
+ for (i=0; i<ssl_kea_size; i++) {
if (cert[i]) {
- CERT_DestroyCertificate(cert[i]);
+ NSSCert_Destroy(cert[i]);
}
if (privKey[i]) {
- SECKEY_DestroyPrivateKey(privKey[i]);
+ NSSPrivateKey_Destroy(privKey[i]);
}
}
}
+#if 0
if (debugCache) {
nss_DumpCertificateCacheInfo();
}
+#endif
free(nickName);
free(passwd);
diff --git a/security/nss/lib/dev/algparam.c b/security/nss/lib/dev/algparam.c
index ef00ebc64..f57731b3c 100644
--- a/security/nss/lib/dev/algparam.c
+++ b/security/nss/lib/dev/algparam.c
@@ -883,6 +883,31 @@ nssAlgNParam_CreateForKeyGen (
return finish_create_algparam(rvAP, rvAP->arena, mark, status);
}
+NSS_IMPLEMENT NSSAlgNParam *
+nssAlgNParam_CreateDefaultForSymKey (
+ NSSArena *arenaOpt,
+ NSSSymKeyType symKeyType
+)
+{
+ NSSOID *alg;
+ NSSOIDTag algTag;
+
+ switch(symKeyType) {
+ case NSSSymKeyType_RC4: algTag = NSS_OID_RC4; break;
+ case NSSSymKeyType_TripleDES: algTag = NSS_OID_DES_EDE; break;
+ case NSSSymKeyType_DES: algTag = NSS_OID_DES_ECB; break;
+ /* XXX default params for RC2, RC5, etc.? */
+ default:
+ /* err=params required? */
+ return (NSSAlgNParam *)NULL;
+ }
+ alg = nssOID_CreateFromTag(algTag);
+ if (!alg) {
+ return (NSSAlgNParam *)NULL;
+ }
+ return nssAlgNParam_Create(arenaOpt, alg, NULL);
+}
+
typedef struct {
NSSItem algorithmOID;
NSSItem parameters;
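Review bot: The `default:` arm returns NULL with only the comment `/* err=params required? */`, so a caller cannot tell an unsupported key type from an allocation failure; other paths in this commit report failures through `nss_SetError(...)`, and this one should too. The DES and TripleDES defaults resolve to `NSS_OID_DES_ECB` and `NSS_OID_DES_EDE` with NULL parameters, which is adequate for selecting a token (how nssVolatileDomain_ImportRawSymKey uses it) but should be documented as not being a suitable cipher mode for bulk encryption. `alg` from `nssOID_CreateFromTag` is not released here; whether it needs to be is not visible in this diff.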
diff --git a/security/nss/lib/dev/dev.h b/security/nss/lib/dev/dev.h
index 2d542cde7..39ae82fd6 100644
--- a/security/nss/lib/dev/dev.h
+++ b/security/nss/lib/dev/dev.h
@@ -606,6 +606,18 @@ nssToken_GenerateSymKey (
);
NSS_EXTERN nssCryptokiObject *
+nssToken_ImportRawSymKey (
+ NSSToken *token,
+ nssSession *session,
+ NSSItem *keyData,
+ NSSSymKeyType symKeyType,
+ PRBool asTokenObject,
+ const NSSUTF8 *labelOpt,
+ NSSOperations operations,
+ NSSProperties properties
+);
+
+NSS_EXTERN nssCryptokiObject *
nssToken_UnwrapPrivateKey (
NSSToken *token,
nssSession *session,
@@ -923,6 +935,12 @@ nssAlgNParam_Encode (
);
NSS_EXTERN NSSAlgNParam *
+nssAlgNParam_CreateDefaultForSymKey (
+ NSSArena *arenaOpt,
+ NSSSymKeyType symKeyType
+);
+
+NSS_EXTERN NSSAlgNParam *
nssAlgNParam_ConvertPBEToCrypto (
const NSSAlgNParam *ap,
PRBool usePadding
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index 186906da3..705c69a3e 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -1672,6 +1672,66 @@ nssToken_GenerateSymKey (
return key;
}
+NSS_IMPLEMENT nssCryptokiObject *
+nssToken_ImportRawSymKey (
+ NSSToken *token,
+ nssSession *session,
+ NSSItem *keyData,
+ NSSSymKeyType symKeyType,
+ PRBool asTokenObject,
+ const NSSUTF8 *labelOpt,
+ NSSOperations operations,
+ NSSProperties properties
+)
+{
+ CK_RV ckrv;
+ CK_ATTRIBUTE_PTR attr;
+ CK_ATTRIBUTE keyTemplate[17];
+ CK_ULONG tsize;
+ CK_OBJECT_HANDLE keyh;
+ void *epv = nssToken_GetCryptokiEPV(token);
+ nssCryptokiObject *key = NULL;
+ PRUint32 numLeft;
+ PRUint32 numkt = sizeof(keyTemplate) / sizeof(keyTemplate[0]);
+ CK_KEY_TYPE ckKeyType;
+
+ /* Set up the symmetric key's template */
+ NSS_CK_TEMPLATE_START(keyTemplate, attr, tsize);
+ if (asTokenObject) {
+ NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_true);
+ } else {
+ NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_TOKEN, &g_ck_false);
+ }
+ if (labelOpt) {
+ NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, labelOpt);
+ }
+ if (operations) {
+ numLeft = numkt - (attr - keyTemplate);
+ attr += nssCKTemplate_SetOperationAttributes(attr, numLeft,
+ operations);
+ }
+ if (properties) {
+ numLeft = numkt - (attr - keyTemplate);
+ attr += nssCKTemplate_SetPropertyAttributes(attr, numLeft,
+ properties);
+ }
+ NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_VALUE, keyData);
+ ckKeyType = nssCK_GetSymKeyType(symKeyType);
+ NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_KEY_TYPE, ckKeyType);
+ NSS_CK_TEMPLATE_FINISH(keyTemplate, attr, tsize);
+
+ /* Import the key */
+ nssSession_EnterMonitor(session);
+ ckrv = CKAPI(epv)->C_CreateObject(session->handle, keyTemplate, tsize,
+ &keyh);
+ nssSession_ExitMonitor(session);
+
+ if (ckrv == CKR_OK) {
+ key = nssCryptokiObject_Create(token, session, keyh);
+ }
+ return key;
+}
+
static NSSItem *
prepare_output_buffer(NSSArena *arenaOpt, NSSItem *rvOpt,
CK_ULONG bufLen, PRBool *freeit)
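Review bot: The template passed to `C_CreateObject` sets CKA_TOKEN, CKA_VALUE and CKA_KEY_TYPE but no CKA_CLASS, which PKCS #11 expects when creating an object. Unless one of the template helpers adds it, tokens may reject the import as an incomplete template. When `ckrv != CKR_OK` the function returns NULL without recording the error, so the caller cannot see why the import failed. The two attributes appended after the operation and property helpers are not checked against `numkt` the way `numLeft` bounds the helpers; with 17 slots that is probably safe, but a comment giving the worst-case attribute count would make it verifiable.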
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index d47687ab5..e6ea5ffc0 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -154,13 +154,13 @@ NSSPrivateKey_Encode;
NSSPrivateKey_GetTokens;
;+#NSSPrivateKey_GetSlot;
;+#NSSPrivateKey_GetModule;
-;+#NSSPrivateKey_Decrypt;
+NSSPrivateKey_Decrypt;
NSSPrivateKey_Sign;
;+#NSSPrivateKey_SignRecover;
NSSPrivateKey_UnwrapSymKey;
;+#NSSPrivateKey_DeriveSymKey;
NSSPrivateKey_FindPublicKey;
-;+#NSSPrivateKey_CreateCryptoContext;
+NSSPrivateKey_CreateCryptoContext;
NSSPrivateKey_FindCerts;
;+#NSSPrivateKey_FindBestCert;
NSSPublicKey_Destroy;
@@ -174,7 +174,7 @@ NSSPublicKey_GetKeyInfo;
NSSPublicKey_GetInfo;
NSSPublicKey_GetKeyType;
NSSPublicKey_GetKeyStrength;
-;+#NSSPublicKey_Encrypt;
+NSSPublicKey_Encrypt;
NSSPublicKey_Verify;
;+#NSSPublicKey_VerifyRecover;
NSSPublicKey_WrapSymKey;
@@ -351,6 +351,7 @@ nss_ResumeErrorStack;
nss_ZAlloc;
nss_ZFreeIf;
nss_ZRealloc;
+nss_InitLock;
nssArena_Mark;
nssArena_Release;
nssArena_Unmark;
@@ -360,6 +361,7 @@ nssCert_AddRef;
nssPublicKey_AddRef;
nssPrivateKey_AddRef;
nssSymKey_DeriveSSLSessionKeys;
+NSSVolatileDomain_ImportRawSymKey;
;+ local:
;+ *;
;+};
diff --git a/security/nss/lib/pki/asymmkey.c b/security/nss/lib/pki/asymmkey.c
index ad4ceb46f..19499b287 100644
--- a/security/nss/lib/pki/asymmkey.c
+++ b/security/nss/lib/pki/asymmkey.c
@@ -578,6 +578,52 @@ NSSPrivateKey_GetModule (
}
NSS_IMPLEMENT NSSItem *
+nssPrivateKey_Decrypt (
+ NSSPrivateKey *vk,
+ const NSSAlgNParam *apOpt,
+ NSSItem *encryptedData,
+ NSSCallback *uhh,
+ NSSItem *rvOpt,
+ NSSArena *arenaOpt
+)
+{
+ nssCryptokiObject *vko;
+ NSSAlgNParam *ap;
+ NSSItem *rvIt = NULL;
+
+ if (apOpt) {
+ ap = apOpt;
+ } else {
+ NSSOIDTag alg;
+ /* XXX are these defaults reasonable? */
+ switch (vk->kind) {
+ case NSSKeyPairType_RSA: alg = NSS_OID_PKCS1_RSA_ENCRYPTION; break;
+ default:
+ /* set invalid arg err */
+ return (NSSItem *)NULL;
+ }
+ ap = nssOIDTag_CreateAlgNParam(alg, NULL, NULL);
+ if (!ap) {
+ return (NSSItem *)NULL;
+ }
+ }
+
+ vko = nssPrivateKey_FindInstanceForAlgorithm(vk, ap);
+ if (!vko) {
+ if (!apOpt) nssAlgNParam_Destroy(ap);
+ return (NSSItem *)NULL;
+ }
+
+ rvIt = nssToken_Decrypt(vko->token, vko->session, ap, vko,
+ encryptedData, rvOpt, arenaOpt);
+
+ if (!apOpt) nssAlgNParam_Destroy(ap);
+ nssCryptokiObject_Destroy(vko);
+
+ return rvIt;
+}
+
+NSS_IMPLEMENT NSSItem *
NSSPrivateKey_Decrypt (
NSSPrivateKey *vk,
const NSSAlgNParam *apOpt,
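Review bot: `ap = apOpt;` assigns a `const NSSAlgNParam *` to the non-const `NSSAlgNParam *ap`, silently dropping the qualifier; since `ap` is destroyed only when it was created locally, I would keep a separate owned pointer for the locally created case and use the const one for the calls. The `default:` arm returns NULL with only `/* set invalid arg err */`, where the stub this replaces at least called `nss_SetError(...)`, and `uhh` is accepted but never used. The same three points apply to nssPublicKey_Encrypt further down in this file.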
@@ -587,8 +633,8 @@ NSSPrivateKey_Decrypt (
NSSArena *arenaOpt
)
{
- nss_SetError(NSS_ERROR_NOT_FOUND);
- return NULL;
+ return nssPrivateKey_Decrypt(vk, apOpt, encryptedData,
+ uhh, rvOpt, arenaOpt);
}
/* XXX in 3.x, only CKM_RSA_PKCS and CKM_DSA sigs were done */
@@ -768,17 +814,6 @@ NSSPrivateKey_FindPublicKey (
return nssPrivateKey_FindPublicKey(vk);;
}
-NSS_IMPLEMENT NSSCryptoContext *
-NSSPrivateKey_CreateCryptoContext (
- NSSPrivateKey *vk,
- const NSSAlgNParam *apOpt,
- NSSCallback *uhh
-)
-{
- nss_SetError(NSS_ERROR_NOT_FOUND);
- return NULL;
-}
-
NSS_IMPLEMENT NSSCert **
nssPrivateKey_FindCerts (
NSSPrivateKey *vk,
@@ -815,6 +850,28 @@ NSSPrivateKey_FindBestCert (
return NULL;
}
+NSS_IMPLEMENT NSSCryptoContext *
+nssPrivateKey_CreateCryptoContext (
+ NSSPrivateKey *vk,
+ const NSSAlgNParam *apOpt,
+ NSSCallback *uhh
+)
+{
+ NSSCryptoContext *cc;
+ cc = nssCryptoContext_CreateForPrivateKey(vk, apOpt, uhh);
+ return cc;
+}
+
+NSS_IMPLEMENT NSSCryptoContext *
+NSSPrivateKey_CreateCryptoContext (
+ NSSPrivateKey *vk,
+ const NSSAlgNParam *apOpt,
+ NSSCallback *uhh
+)
+{
+ return nssPrivateKey_CreateCryptoContext(vk, apOpt, uhh);
+}
+
NSS_IMPLEMENT void
nssPrivateKeyArray_Destroy (
NSSPrivateKey **vkeys
@@ -1205,6 +1262,52 @@ NSSPublicKey_GetKeyStrength (
}
NSS_IMPLEMENT NSSItem *
+nssPublicKey_Encrypt (
+ NSSPublicKey *bk,
+ const NSSAlgNParam *apOpt,
+ NSSItem *data,
+ NSSCallback *uhh,
+ NSSItem *rvOpt,
+ NSSArena *arenaOpt
+)
+{
+ nssCryptokiObject *bko;
+ NSSAlgNParam *ap;
+ NSSItem *rvIt = NULL;
+
+ if (apOpt) {
+ ap = apOpt;
+ } else {
+ NSSOIDTag alg;
+ /* XXX are these defaults reasonable? */
+ switch (bk->info.kind) {
+ case NSSKeyPairType_RSA: alg = NSS_OID_PKCS1_RSA_ENCRYPTION; break;
+ default:
+ /* set invalid arg err */
+ return (NSSItem *)NULL;
+ }
+ ap = nssOIDTag_CreateAlgNParam(alg, NULL, NULL);
+ if (!ap) {
+ return (NSSItem *)NULL;
+ }
+ }
+
+ bko = nssPublicKey_FindInstanceForAlgorithm(bk, ap);
+ if (!bko) {
+ if (!apOpt) nssAlgNParam_Destroy(ap);
+ return (NSSItem *)NULL;
+ }
+
+ rvIt = nssToken_Decrypt(bko->token, bko->session, ap, bko,
+ data, rvOpt, arenaOpt);
+
+ if (!apOpt) nssAlgNParam_Destroy(ap);
+ nssCryptokiObject_Destroy(bko);
+
+ return rvIt;
+}
+
+NSS_IMPLEMENT NSSItem *
NSSPublicKey_Encrypt (
NSSPublicKey *bk,
const NSSAlgNParam *apOpt,
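Review bot: nssPublicKey_Encrypt ends by calling `nssToken_Decrypt(bko->token, bko->session, ap, bko, data, rvOpt, arenaOpt)`, which looks like a leftover from copying nssPrivateKey_Decrypt. Since this commit also exports `NSSPublicKey_Encrypt` in nss.def, callers asking for RSA encryption would get a decrypt operation attempted with a public-key object; most likely a token error, but in no case ciphertext. The call should go to the token layer's encrypt operation for `bko`; its name is not visible in this diff, so no replacement line is quoted here.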
@@ -1214,8 +1317,7 @@ NSSPublicKey_Encrypt (
NSSArena *arenaOpt
)
{
- nss_SetError(NSS_ERROR_NOT_FOUND);
- return NULL;
+ return nssPublicKey_Encrypt(bk, apOpt, data, uhh, rvOpt, arenaOpt);
}
NSS_IMPLEMENT PRStatus
diff --git a/security/nss/lib/pki/cryptocontext.c b/security/nss/lib/pki/cryptocontext.c
index f9f10c255..fed3f291e 100644
--- a/security/nss/lib/pki/cryptocontext.c
+++ b/security/nss/lib/pki/cryptocontext.c
@@ -136,6 +136,25 @@ nssCryptoContext_CreateForSymKey (
return rvCC;
}
+NSS_IMPLEMENT NSSCryptoContext *
+nssCryptoContext_CreateForPrivateKey (
+ NSSPrivateKey *vkey,
+ const NSSAlgNParam *apOpt,
+ NSSCallback *uhhOpt
+)
+{
+ NSSCryptoContext *rvCC;
+ NSSTrustDomain *td = nssPrivateKey_GetTrustDomain(vkey, NULL);
+ NSSVolatileDomain *vd = nssPrivateKey_GetVolatileDomain(vkey, NULL);
+
+ rvCC = nssCryptoContext_Create(td, vd, apOpt, uhhOpt);
+ if (rvCC) {
+ rvCC->which = a_privkey;
+ rvCC->u.vkey = nssPrivateKey_AddRef(vkey);
+ }
+ return rvCC;
+}
+
NSS_IMPLEMENT PRStatus
nssCryptoContext_Destroy (
NSSCryptoContext *cc
diff --git a/security/nss/lib/pki/pkim.h b/security/nss/lib/pki/pkim.h
index 235a1a293..0480c23dc 100644
--- a/security/nss/lib/pki/pkim.h
+++ b/security/nss/lib/pki/pkim.h
@@ -264,6 +264,13 @@ nssCryptoContext_CreateForSymKey (
NSSCallback *uhh
);
+NSS_EXTERN NSSCryptoContext *
+nssCryptoContext_CreateForPrivateKey (
+ NSSPrivateKey *vkey,
+ const NSSAlgNParam *apOpt,
+ NSSCallback *uhhOpt
+);
+
/* XXX for the collection */
NSS_EXTERN NSSCert *
nssCert_Create (
diff --git a/security/nss/lib/pki/volatiledomain.c b/security/nss/lib/pki/volatiledomain.c
index b5d8914ac..3d661619b 100644
--- a/security/nss/lib/pki/volatiledomain.c
+++ b/security/nss/lib/pki/volatiledomain.c
@@ -381,6 +381,77 @@ NSSVolatileDomain_ImportEncodedPrivateKey (
destination);
}
+NSS_IMPLEMENT NSSSymKey *
+nssVolatileDomain_ImportRawSymKey (
+ NSSVolatileDomain *vd,
+ NSSItem *keyData,
+ NSSSymKeyType symKeyType,
+ NSSUTF8 *nicknameOpt,
+ NSSOperations operations,
+ NSSProperties properties,
+ NSSCallback *uhhOpt,
+ NSSToken *destinationOpt
+)
+{
+ NSSToken *token;
+ nssSession *session;
+ NSSAlgNParam *ap;
+ nssCryptokiObject *mko;
+ NSSSymKey *rvKey = NULL;
+
+ ap = nssAlgNParam_CreateDefaultForSymKey(NULL, symKeyType);
+ if (!ap) {
+ return (NSSSymKey *)NULL;
+ }
+
+ /* XXX should be vd */
+ /* token = nssVolatileDomain_FindTokenForAlgNParam(vd, ap); */
+ token = nssTrustDomain_FindTokenForAlgNParam(vd->td, ap);
+ nssAlgNParam_Destroy(ap);
+ if (!token) {
+ return (NSSSymKey *)NULL;
+ }
+
+ session = nssTokenSessionHash_GetSession(vd->tokenSessionHash,
+ token, PR_FALSE);
+ if (!session) {
+ nssToken_Destroy(token);
+ return (NSSSymKey *)NULL;
+ }
+
+ mko = nssToken_ImportRawSymKey(token, session, keyData, symKeyType,
+ PR_FALSE, nicknameOpt,
+ operations, properties);
+
+ rvKey = nssSymKey_CreateFromInstance(mko, vd->td, vd);
+ if (!rvKey) {
+ nssCryptokiObject_Destroy(mko);
+ }
+
+ nssToken_Destroy(token);
+ nssSession_Destroy(session);
+
+ return rvKey;
+}
+
+NSS_IMPLEMENT NSSSymKey *
+NSSVolatileDomain_ImportRawSymKey (
+ NSSVolatileDomain *vd,
+ NSSItem *keyData,
+ NSSSymKeyType symKeyType,
+ NSSUTF8 *nicknameOpt,
+ NSSOperations operations,
+ NSSProperties properties,
+ NSSCallback *uhhOpt,
+ NSSToken *destinationOpt
+)
+{
+ return nssVolatileDomain_ImportRawSymKey(vd, keyData, symKeyType,
+ nicknameOpt, operations,
+ properties, uhhOpt,
+ destinationOpt);
+}
+
#if 0
NSS_IMPLEMENT PRStatus
nssVolatileDomain_ImportSMIMEProfile (
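Review bot: The result of `nssToken_ImportRawSymKey` is passed straight to `nssSymKey_CreateFromInstance(mko, vd->td, vd)` without a NULL check, although that import returns NULL whenever `C_CreateObject` fails. If key creation then fails as well, `nssCryptokiObject_Destroy(mko)` is reached with NULL; neither callee's NULL handling is visible here. Guarding the creation, `if (mko) { rvKey = nssSymKey_CreateFromInstance(mko, vd->td, vd); }`, keeps the token and session release below intact. `uhhOpt` and `destinationOpt` are accepted but ignored, which the function's documentation should state.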
diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c
index de0dc4bd8..4a05c13f6 100644
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -1522,10 +1522,10 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
ap = NSSOIDTag_CreateAlgNParam(algorithm, &params, NULL);
if (ap == NULL)
goto loser;
- symKey = NSSVolatileDomain_ImportSymKey(ss->vd, rk, keyType,
- NULL,
- NSSOperations_DECRYPT,
- 0, NULL, NULL);
+ symKey = NSSVolatileDomain_ImportRawSymKey(ss->vd, rk, keyType,
+ NULL,
+ NSSOperations_DECRYPT,
+ 0, NULL, NULL);
if (symKey == NULL)
goto loser;
@@ -1535,10 +1535,10 @@ ssl2_CreateSessionCypher(sslSocket *ss, sslSessionID *sid, PRBool isClient)
NSSSymKey_Destroy(symKey); symKey = NULL;
/* build the client context */
- symKey = NSSVolatileDomain_ImportSymKey(ss->vd, wk, keyType,
- NULL,
- NSSOperations_ENCRYPT,
- 0, NULL, NULL);
+ symKey = NSSVolatileDomain_ImportRawSymKey(ss->vd, wk, keyType,
+ NULL,
+ NSSOperations_ENCRYPT,
+ 0, NULL, NULL);
if (!symKey)
goto loser;