authorRobert Relyea <rrelyea@redhat.com>2020-02-18 11:47:29 -0800
committerRobert Relyea <rrelyea@redhat.com>2020-02-18 11:47:29 -0800
commitcba7139e8a83e94a3aa4c01b166269b09c66c4ea (patch)
tree83e8b4ee327a1768650cf1106b0114138014e6b3 /cmd/lib
parent6ea4341163d6bd979283116d880e92ea55709e2e (diff)
Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye
https://phabricator.services.mozilla.com/D63241 This patch implements the first phase: updating the headers. lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h were updated using the released OASIS PKCS #11 v3.0 header files. lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?. A new define was added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small semantic changes (including the removal of deprecated defines) between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of the PKCS #11 v2 definitions. This includes the removal of CK?_NETSCAPE_? in favor of CK?_NSS_?. One notable change was caused by an inconsistency between the spec and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS #11 v3.0 resolved the issue in favor of the header file definition. NSS had the spec definition, so now there are 2 defines for this structure: CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined. Softoken has been updated to accept either CK_NSS_GCM_PARAMS or CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use CK_GCM_PARAMS_V3 and fall back to CK_NSS_GCM_PARAMS. One other semantic difference between the 3.0 version of pkcs11f.h and the version here: In the OASIS version of the header, you must define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you must define CK_PKCS11_3 to get the PKCS #11 v3 defines. Most of this patch is to handle changing the deprecated defines that have been removed in PKCS #11 v3 from NSS. Differential Revision: https://phabricator.services.mozilla.com/D63241
Diffstat (limited to 'cmd/lib')
-rw-r--r--cmd/lib/pk11table.c28
1 files changed, 13 insertions, 15 deletions
diff --git a/cmd/lib/pk11table.c b/cmd/lib/pk11table.c
index ec5d88926..f7a45fa84 100644
--- a/cmd/lib/pk11table.c
+++ b/cmd/lib/pk11table.c
@@ -102,7 +102,7 @@ const Constant _consts[] = {
mkEntry(CKF_WRAP, MechanismFlags),
mkEntry(CKF_UNWRAP, MechanismFlags),
mkEntry(CKF_DERIVE, MechanismFlags),
- mkEntry(CKF_EC_FP, MechanismFlags),
+ mkEntry(CKF_EC_F_P, MechanismFlags),
mkEntry(CKF_EC_F_2M, MechanismFlags),
mkEntry(CKF_EC_ECPARAMETERS, MechanismFlags),
mkEntry(CKF_EC_NAMEDCURVE, MechanismFlags),
@@ -128,7 +128,6 @@ const Constant _consts[] = {
mkEntry(CKO_SECRET_KEY, Object),
mkEntry(CKO_HW_FEATURE, Object),
mkEntry(CKO_DOMAIN_PARAMETERS, Object),
- mkEntry(CKO_KG_PARAMETERS, Object),
mkEntry(CKO_NSS_CRL, Object),
mkEntry(CKO_NSS_SMIME, Object),
mkEntry(CKO_NSS_TRUST, Object),
@@ -255,8 +254,8 @@ const Constant _consts[] = {
mkEntry2(CKA_TRUST_TIME_STAMPING, Attribute, Trust),
mkEntry2(CKA_CERT_SHA1_HASH, Attribute, None),
mkEntry2(CKA_CERT_MD5_HASH, Attribute, None),
- mkEntry2(CKA_NETSCAPE_DB, Attribute, None),
- mkEntry2(CKA_NETSCAPE_TRUST, Attribute, Trust),
+ mkEntry2(CKA_NSS_DB, Attribute, None),
+ mkEntry2(CKA_NSS_TRUST, Attribute, Trust),
mkEntry(CKM_RSA_PKCS, Mechanism),
mkEntry(CKM_RSA_9796, Mechanism),
@@ -473,16 +472,16 @@ const Constant _consts[] = {
mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism),
mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism),
mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_DES_CBC, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, Mechanism),
- mkEntry(CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_DES_CBC, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC4, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC4, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC, Mechanism),
+ mkEntry(CKM_NSS_PBE_SHA1_HMAC_KEY_GEN, Mechanism),
+ mkEntry(CKM_NSS_PBE_MD5_HMAC_KEY_GEN, Mechanism),
+ mkEntry(CKM_NSS_PBE_MD2_HMAC_KEY_GEN, Mechanism),
mkEntry(CKM_TLS_PRF_GENERAL, Mechanism),
mkEntry(CKM_NSS_TLS_PRF_GENERAL_SHA256, Mechanism),
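Review bot: The renamed `CKM_NSS_PBE_*` entries carry no note that they replace the `CKM_NETSCAPE_PBE_*` spellings, which matters if `mkEntry` (defined outside this hunk) derives the table's name string from the macro argument. In that case anything that looks constants up by name through `_consts[]` would stop resolving the old names, and the same applies to the `CKA_NSS_DB`/`CKA_NSS_TRUST` and `CKF_EC_F_P` hunks. A one-line comment above the block would record this, e.g. `/* formerly CKM_NETSCAPE_PBE_*; the old names are no longer in this table */`. The two pure deletions (`CKO_KG_PARAMETERS`, `CKR_KEY_PARAMS_INVALID`) presumably mean a token that still returns those values is reported without a symbolic name, which is worth confirming against the lookup code. `_consts[]` starts and ends outside the hunk.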
@@ -520,7 +519,6 @@ const Constant _consts[] = {
mkEntry(CKR_KEY_FUNCTION_NOT_PERMITTED, Result),
mkEntry(CKR_KEY_NOT_WRAPPABLE, Result),
mkEntry(CKR_KEY_UNEXTRACTABLE, Result),
- mkEntry(CKR_KEY_PARAMS_INVALID, Result),
mkEntry(CKR_MECHANISM_INVALID, Result),
mkEntry(CKR_MECHANISM_PARAM_INVALID, Result),
mkEntry(CKR_OBJECT_HANDLE_INVALID, Result),