author | John M. Schanck <jschanck@mozilla.com> | 2023-03-02 14:38:29 -0800 |
---|---|---|
committer | John M. Schanck <jschanck@mozilla.com> | 2023-03-02 14:38:29 -0800 |
commit | fd8d15350f7560f35085b4b945eb3e34a0dfa708 (patch) | |
tree | c66b55dc65ee34047a03113a0e98c24266e57727 /lib/cryptohi | |
parent | 65aef21637ba6551e24933a4903f6e3b5c2e77a6 (diff) | |
Backed out changeset 761e7d215e0a for causing gtest failures
NSS_3_89_BETA1
Diffstat (limited to 'lib/cryptohi')
-rw-r--r-- | lib/cryptohi/keyhi.h | 5 | ||||
-rw-r--r-- | lib/cryptohi/keyi.h | 4 | ||||
-rw-r--r-- | lib/cryptohi/seckey.c | 99 | ||||
-rw-r--r-- | lib/cryptohi/secsign.c | 23 | ||||
-rw-r--r-- | lib/cryptohi/secvfy.c | 13 |
5 files changed, 1 insertions, 143 deletions
diff --git a/lib/cryptohi/keyhi.h b/lib/cryptohi/keyhi.h
index 173dbda90..180990049 100644
--- a/lib/cryptohi/keyhi.h
+++ b/lib/cryptohi/keyhi.h
@@ -53,11 +53,6 @@ extern unsigned SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk);
 extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
 /*
-** Return the strength of the private key in bits
-*/
-extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
-
-/*
 ** Return the length of the signature in bytes
 */
 extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h
index 5683afbeb..707e11ade 100644
--- a/lib/cryptohi/keyi.h
+++ b/lib/cryptohi/keyi.h
@@ -4,7 +4,6 @@
 #ifndef _KEYI_H_
 #define _KEYI_H_
-#include "secerr.h"
 SEC_BEGIN_PROTOS
 /* NSS private functions */
@@ -37,9 +36,6 @@ SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
 const SECItem *params,
 CK_RSA_PKCS_PSS_PARAMS *mech);
-/* make sure the key length matches the policy for keyType */
-SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
- SECErrorCodes error);
 SEC_END_PROTOS
 #endif /* _KEYHI_H_ */
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
index 656609e0d..fb353fa14 100644
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -14,7 +14,6 @@
 #include "secdig.h"
 #include "prtime.h"
 #include "keyi.h"
-#include "nss.h"
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 SEC_ASN1_MKSUB(SEC_IntegerTemplate)
@@ -1041,59 +1040,6 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
 return bitSize;
 }
-unsigned
-SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
-{
- unsigned bitSize = 0;
- SECItem params = { siBuffer, NULL, 0 };
- SECStatus rv;
-
- if (!privk) {
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- return 0;
- }
-
- /* interpret modulus length as key strength */
- switch (privk->keyType) {
- case rsaKey:
- case rsaPssKey:
- case rsaOaepKey:
- /* some tokens don't export CKA_MODULUS on the private key,
- * PK11_SignatureLen works around this if necessary */
- bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
- if (bitSize == -1) {
- bitSize = 0;
- }
- return bitSize;
- case dsaKey:
- case fortezzaKey:
- case dhKey:
- case keaKey:
- rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
- CKA_PRIME, NULL, ¶ms);
- if ((rv != SECSuccess) || (params.data == NULL)) {
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- return 0;
- }
- bitSize = SECKEY_BigIntegerBitLength(¶ms);
- PORT_Free(params.data);
- return bitSize;
- case ecKey:
- rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
- CKA_EC_PARAMS, NULL, ¶ms);
- if ((rv != SECSuccess) || (params.data == NULL)) {
- return 0;
- }
- bitSize = SECKEY_ECParamsToKeySize(¶ms);
- PORT_Free(params.data);
- return bitSize;
- default:
- break;
- }
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- return 0;
-}
-
 /* returns signature length in bytes (not bits) */
 unsigned
 SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
@@ -1268,51 +1214,6 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk)
 }
 /*
- * Check that a given key meets the policy limits for the given key
- * size.
- */
-SECStatus
-seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
-{
- PRInt32 opt = -1;
- PRInt32 optVal;
- SECStatus rv;
-
- switch (keyType) {
- case rsaKey:
- case rsaPssKey:
- case rsaOaepKey:
- opt = NSS_RSA_MIN_KEY_SIZE;
- break;
- case dsaKey:
- case fortezzaKey:
- opt = NSS_DSA_MIN_KEY_SIZE;
- break;
- case dhKey:
- case keaKey:
- opt = NSS_DH_MIN_KEY_SIZE;
- break;
- case ecKey:
- opt = NSS_ECC_MIN_KEY_SIZE;
- break;
- case nullKey:
- default:
- PORT_SetError(SEC_ERROR_INVALID_KEY);
- return SECFailure;
- }
- PORT_Assert(opt != -1);
- rv = NSS_OptionGet(opt, &optVal);
- if (rv != SECSuccess) {
- return rv;
- }
- if (optVal > keyLength) {
- PORT_SetError(error);
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
 * Use the private key to find a public key handle. The handle will be on
 * the same slot as the private key.
 */
diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
index 8779904d3..13a6d6c5e 100644
--- a/lib/cryptohi/secsign.c
+++ b/lib/cryptohi/secsign.c
@@ -15,7 +15,6 @@
 #include "pk11func.h"
 #include "secerr.h"
 #include "keyi.h"
-#include "nss.h"
 struct SGNContextStr {
 SECOidTag signalg;
@@ -33,7 +32,6 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
 SECOidTag hashalg, signalg;
 KeyType keyType;
 PRUint32 policyFlags;
- PRInt32 optFlags;
 SECStatus rv;
 /* OK, map a PKCS #7 hash and encrypt algorithm into
@@ -58,16 +56,6 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
 return NULL;
 }
- if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
- if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
- rv = seckey_EnforceKeySize(key->keyType,
- SECKEY_PrivateKeyStrengthInBits(key),
- SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
- if (rv != SECSuccess) {
- return NULL;
- }
- }
- }
 /* check the policy on the hash algorithm */
 if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
 !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
@@ -477,20 +465,9 @@ SGN_Digest(SECKEYPrivateKey *privKey,
 SGNDigestInfo *di = 0;
 SECOidTag enctag;
 PRUint32 policyFlags;
- PRInt32 optFlags;
 result->data = 0;
- if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
- if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
- rv = seckey_EnforceKeySize(privKey->keyType,
- SECKEY_PrivateKeyStrengthInBits(privKey),
- SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
- if (rv != SECSuccess) {
- return SECFailure;
- }
- }
- }
 /* check the policy on the hash algorithm */
 if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
 !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
index 8c9dc2d87..f6f5d72b8 100644
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -16,7 +16,6 @@
 #include "secdig.h"
 #include "secerr.h"
 #include "keyi.h"
-#include "nss.h"
 /*
 ** Recover the DigestInfo from an RSA PKCS#1 signature.
@@ -467,7 +466,6 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
 unsigned int sigLen;
 KeyType type;
 PRUint32 policyFlags;
- PRInt32 optFlags;
 /* make sure the encryption algorithm matches the key type */
 /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
@@ -477,16 +475,7 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
 PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
 return NULL;
 }
- if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
- if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
- rv = seckey_EnforceKeySize(key->keyType,
- SECKEY_PublicKeyStrengthInBits(key),
- SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
- if (rv != SECSuccess) {
- return NULL;
- }
- }
- }
+
 /* check the policy on the encryption algorithm */
 if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
 !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { |