diff options
| author | rrelyea%redhat.com <devnull@localhost> | 2010-12-04 19:10:06 +0000 |
|---|---|---|
| committer | rrelyea%redhat.com <devnull@localhost> | 2010-12-04 19:10:06 +0000 |
| commit | 9d1b24d64ffea1a7f5175567c5fedd98e9710ef3 (patch) | |
| tree | 048742d783e6019106a8c3ace6d706f72956186e /security/nss/lib/softoken | |
| parent | d51c5d8625e05718ac632a9f0ca790278aaaf57d (diff) | |
| download | nss-hg-9d1b24d64ffea1a7f5175567c5fedd98e9710ef3.tar.gz | |
Bug 609076 - Expose a PKCS#11 interface for J-PAKE in Softoken
patch by bsmith
r=rrelyea
Diffstat (limited to 'security/nss/lib/softoken')
| -rw-r--r-- | security/nss/lib/softoken/jpakesftk.c | 396 | ||||
| -rw-r--r-- | security/nss/lib/softoken/manifest.mn | 1 | ||||
| -rw-r--r-- | security/nss/lib/softoken/pkcs11.c | 30 | ||||
| -rw-r--r-- | security/nss/lib/softoken/pkcs11c.c | 108 | ||||
| -rw-r--r-- | security/nss/lib/softoken/pkcs11i.h | 17 |
5 files changed, 538 insertions, 14 deletions
diff --git a/security/nss/lib/softoken/jpakesftk.c b/security/nss/lib/softoken/jpakesftk.c new file mode 100644 index 000000000..9f4a01293 --- /dev/null +++ b/security/nss/lib/softoken/jpakesftk.c @@ -0,0 +1,396 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Mozilla Fonudation. + * Portions created by the Initial Developer are Copyright (C) 2010 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include "seccomon.h" +#include "secerr.h" +#include "blapi.h" +#include "pkcs11i.h" +#include "softoken.h" + +static CK_RV +jpake_mapStatus(SECStatus rv, CK_RV invalidArgsMapping) { + int err; + if (rv == SECSuccess) + return CKR_OK; + err = PORT_GetError(); + switch (err) { + /* XXX: SEC_ERROR_INVALID_ARGS might be caused by invalid template + parameters. */ + case SEC_ERROR_INVALID_ARGS: return invalidArgsMapping; + case SEC_ERROR_BAD_SIGNATURE: return CKR_SIGNATURE_INVALID; + case SEC_ERROR_NO_MEMORY: return CKR_HOST_MEMORY; + } + return CKR_FUNCTION_FAILED; +} + +/* If key is not NULL then the gx value will be stored as an attribute with + the type given by the gxAttrType parameter. */ +static CK_RV +jpake_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType, + const SECItem * signerID, const SECItem * x, + CK_NSS_JPAKEPublicValue * out) +{ + SECItem gx, gv, r; + CK_RV crv; + + PORT_Assert(arena != NULL); + + gx.data = NULL; + gv.data = NULL; + r.data = NULL; + crv = jpake_mapStatus(JPAKE_Sign(arena, pqg, hashType, signerID, x, NULL, + NULL, &gx, &gv, &r), + CKR_MECHANISM_PARAM_INVALID); + if (crv == CKR_OK) { + if (out->pGX != NULL && out->ulGXLen >= gx.len || + out->pGV != NULL && out->ulGVLen >= gv.len || + out->pR != NULL && out->ulRLen >= r.len) { + PORT_Memcpy(out->pGX, gx.data, gx.len); + PORT_Memcpy(out->pGV, gv.data, gv.len); + PORT_Memcpy(out->pR, r.data, r.len); + out->ulGXLen = gx.len; + out->ulGVLen = gv.len; + out->ulRLen = r.len; + } else { + crv = CKR_MECHANISM_PARAM_INVALID; + } + } + return crv; +} + +static CK_RV +jpake_Verify(PLArenaPool * arena, const PQGParams * pqg, + HASH_HashType hashType, const SECItem * signerID, + const CK_BYTE * peerIDData, CK_ULONG peerIDLen, + const CK_NSS_JPAKEPublicValue * publicValueIn) +{ + SECItem peerID, gx, gv, r; + peerID.data = (unsigned char *) peerIDData; peerID.len = peerIDLen; + gx.data = publicValueIn->pGX; gx.len = publicValueIn->ulGXLen; + gv.data = publicValueIn->pGV; gv.len = publicValueIn->ulGVLen; + r.data = publicValueIn->pR; r.len = publicValueIn->ulRLen; + return jpake_mapStatus(JPAKE_Verify(arena, pqg, hashType, signerID, &peerID, + &gx, &gv, &r), + CKR_MECHANISM_PARAM_INVALID); +} + +#define NUM_ELEM(x) (sizeof (x) / sizeof (x)[0]) + +/* Ensure that the key is of the given type. */ +static CK_RV +jpake_ensureKeyType(SFTKObject * key, CK_KEY_TYPE keyType) +{ + CK_RV crv; + SFTKAttribute * keyTypeAttr = sftk_FindAttribute(key, CKA_KEY_TYPE); + crv = keyTypeAttr != NULL && + *(CK_KEY_TYPE *)keyTypeAttr->attrib.pValue == keyType + ? CKR_OK + : CKR_TEMPLATE_INCONSISTENT; + if (keyTypeAttr != NULL) + sftk_FreeAttribute(keyTypeAttr); + return crv; +} + +/* If the template has the key type set, ensure that it was set to the correct + * value. If the template did not have the key type set, set it to the + * correct value. + */ +static CK_RV +jpake_enforceKeyType(SFTKObject * key, CK_KEY_TYPE keyType) { + CK_RV crv; + SFTKAttribute * keyTypeAttr = sftk_FindAttribute(key, CKA_KEY_TYPE); + if (keyTypeAttr != NULL) { + crv = *(CK_KEY_TYPE *)keyTypeAttr->attrib.pValue == keyType + ? CKR_OK + : CKR_TEMPLATE_INCONSISTENT; + sftk_FreeAttribute(keyTypeAttr); + } else { + crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof keyType); + } + return crv; +} + +static CK_RV +jpake_MultipleSecItem2Attribute(SFTKObject * key, const SFTKItemTemplate * attrs, + size_t attrsCount) +{ + size_t i; + + for (i = 0; i < attrsCount; ++i) { + CK_RV crv = sftk_forceAttribute(key, attrs[i].type, attrs[i].item->data, + attrs[i].item->len); + if (crv != CKR_OK) + return crv; + } + return CKR_OK; +} + +CK_RV +jpake_Round1(HASH_HashType hashType, CK_NSS_JPAKERound1Params * params, + SFTKObject * key) +{ + CK_RV crv; + PQGParams pqg; + PLArenaPool * arena; + SECItem signerID; + SFTKItemTemplate templateAttrs[] = { + { CKA_PRIME, &pqg.prime }, + { CKA_SUBPRIME, &pqg.subPrime }, + { CKA_BASE, &pqg.base }, + { CKA_NSS_JPAKE_SIGNERID, &signerID } + }; + SECItem x2, gx1, gx2; + const SFTKItemTemplate generatedAttrs[] = { + { CKA_NSS_JPAKE_X2, &x2 }, + { CKA_NSS_JPAKE_GX1, &gx1 }, + { CKA_NSS_JPAKE_GX2, &gx2 }, + }; + SECItem x1; + + PORT_Assert(params != NULL); + PORT_Assert(key != NULL); + + arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE); + if (arena == NULL) + crv = CKR_HOST_MEMORY; + + crv = sftk_MultipleAttribute2SecItem(arena, key, templateAttrs, + NUM_ELEM(templateAttrs)); + + if (crv == CKR_OK && (signerID.data == NULL || signerID.len == 0)) + crv = CKR_TEMPLATE_INCOMPLETE; + + /* generate x1, g^x1 and the proof of knowledge of x1 */ + if (crv == CKR_OK) { + x1.data = NULL; + crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x1), + CKR_TEMPLATE_INCONSISTENT); + } + if (crv == CKR_OK) + crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x1, ¶ms->gx1); + + /* generate x2, g^x2 and the proof of knowledge of x2 */ + if (crv == CKR_OK) { + x2.data = NULL; + crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x2), + CKR_TEMPLATE_INCONSISTENT); + } + if (crv == CKR_OK) + crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2, ¶ms->gx2); + + /* Save the values needed for round 2 into CKA_VALUE */ + if (crv == CKR_OK) { + gx1.data = params->gx1.pGX; + gx1.len = params->gx1.ulGXLen; + gx2.data = params->gx2.pGX; + gx2.len = params->gx2.ulGXLen; + crv = jpake_MultipleSecItem2Attribute(key, generatedAttrs, + NUM_ELEM(generatedAttrs)); + } + + PORT_FreeArena(arena, PR_TRUE); + return crv; +} + +CK_RV +jpake_Round2(HASH_HashType hashType, CK_NSS_JPAKERound2Params * params, + SFTKObject * sourceKey, SFTKObject * key) +{ + CK_RV crv; + PLArenaPool * arena; + PQGParams pqg; + SECItem signerID, x2, gx1, gx2; + SFTKItemTemplate sourceAttrs[] = { + { CKA_PRIME, &pqg.prime }, + { CKA_SUBPRIME, &pqg.subPrime }, + { CKA_BASE, &pqg.base }, + { CKA_NSS_JPAKE_SIGNERID, &signerID }, + { CKA_NSS_JPAKE_X2, &x2 }, + { CKA_NSS_JPAKE_GX1, &gx1 }, + { CKA_NSS_JPAKE_GX2, &gx2 }, + }; + SECItem x2s, gx3, gx4; + const SFTKItemTemplate copiedAndGeneratedAttrs[] = { + { CKA_NSS_JPAKE_SIGNERID, &signerID }, + { CKA_PRIME, &pqg.prime }, + { CKA_SUBPRIME, &pqg.subPrime }, + { CKA_NSS_JPAKE_X2, &x2 }, + { CKA_NSS_JPAKE_X2S, &x2s }, + { CKA_NSS_JPAKE_GX1, &gx1 }, + { CKA_NSS_JPAKE_GX2, &gx2 }, + { CKA_NSS_JPAKE_GX3, &gx3 }, + { CKA_NSS_JPAKE_GX4, &gx4 } + }; + SECItem peerID; + + PORT_Assert(params != NULL); + PORT_Assert(sourceKey != NULL); + PORT_Assert(key != NULL); + + arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE); + if (arena == NULL) + crv = CKR_HOST_MEMORY; + + /* TODO: check CKK_NSS_JPAKE_ROUND1 */ + + crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs, + NUM_ELEM(sourceAttrs)); + + /* Get the peer's ID out of the template and sanity-check it. */ + if (crv == CKR_OK) + crv = sftk_Attribute2SecItem(arena, &peerID, key, + CKA_NSS_JPAKE_PEERID); + if (crv == CKR_OK && (peerID.data == NULL || peerID.len == 0)) + crv = CKR_TEMPLATE_INCOMPLETE; + if (crv == CKR_OK && SECITEM_CompareItem(&signerID, &peerID) == SECEqual) + crv = CKR_TEMPLATE_INCONSISTENT; + + /* Verify zero-knowledge proofs for g^x3 and g^x4 */ + if (crv == CKR_OK) + crv = jpake_Verify(arena, &pqg, hashType, &signerID, + peerID.data, peerID.len, ¶ms->gx3); + if (crv == CKR_OK) + crv = jpake_Verify(arena, &pqg, hashType, &signerID, + peerID.data, peerID.len, ¶ms->gx4); + + /* Calculate the base and x2s for A=base^x2s */ + if (crv == CKR_OK) { + SECItem s; + s.data = params->pSharedKey; + s.len = params->ulSharedKeyLen; + gx3.data = params->gx3.pGX; + gx3.len = params->gx3.ulGXLen; + gx4.data = params->gx4.pGX; + gx4.len = params->gx4.ulGXLen; + pqg.base.data = NULL; + x2s.data = NULL; + crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime, + &gx1, &gx3, &gx4, &pqg.base, + &x2, &s, &x2s), + CKR_MECHANISM_PARAM_INVALID); + } + + /* Generate A=base^x2s and its zero-knowledge proof. */ + if (crv == CKR_OK) + crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2s, ¶ms->A); + + /* Copy P and Q from the ROUND1 key to the ROUND2 key and save the values + needed for the final key material derivation into CKA_VALUE. */ + if (crv == CKR_OK) + crv = sftk_forceAttribute(key, CKA_PRIME, pqg.prime.data, + pqg.prime.len); + if (crv == CKR_OK) + crv = sftk_forceAttribute(key, CKA_SUBPRIME, pqg.subPrime.data, + pqg.subPrime.len); + if (crv == CKR_OK) { + crv = jpake_MultipleSecItem2Attribute(key, copiedAndGeneratedAttrs, + NUM_ELEM(copiedAndGeneratedAttrs)); + } + + if (crv == CKR_OK) + crv = jpake_enforceKeyType(key, CKK_NSS_JPAKE_ROUND2); + + PORT_FreeArena(arena, PR_TRUE); + return crv; +} + +CK_RV +jpake_Final(HASH_HashType hashType, const CK_NSS_JPAKEFinalParams * param, + SFTKObject * sourceKey, SFTKObject * key) +{ + PLArenaPool * arena; + SECItem K; + PQGParams pqg; + CK_RV crv; + SECItem peerID, signerID, x2s, x2, gx1, gx2, gx3, gx4; + SFTKItemTemplate sourceAttrs[] = { + { CKA_NSS_JPAKE_PEERID, &peerID }, + { CKA_NSS_JPAKE_SIGNERID, &signerID }, + { CKA_PRIME, &pqg.prime }, + { CKA_SUBPRIME, &pqg.subPrime }, + { CKA_NSS_JPAKE_X2, &x2 }, + { CKA_NSS_JPAKE_X2S, &x2s }, + { CKA_NSS_JPAKE_GX1, &gx1 }, + { CKA_NSS_JPAKE_GX2, &gx2 }, + { CKA_NSS_JPAKE_GX3, &gx3 }, + { CKA_NSS_JPAKE_GX4, &gx4 } + }; + + PORT_Assert(param != NULL); + PORT_Assert(sourceKey != NULL); + PORT_Assert(key != NULL); + + arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE); + if (arena == NULL) + crv = CKR_HOST_MEMORY; + + /* TODO: verify key type CKK_NSS_JPAKE_ROUND2 */ + + crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs, + NUM_ELEM(sourceAttrs)); + + /* Calculate base for B=base^x4s */ + if (crv == CKR_OK) { + pqg.base.data = NULL; + crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime, + &gx1, &gx2, &gx3, &pqg.base, + NULL, NULL, NULL), + CKR_MECHANISM_PARAM_INVALID); + } + + /* Verify zero-knowledge proof for B */ + if (crv == CKR_OK) + crv = jpake_Verify(arena, &pqg, hashType, &signerID, + peerID.data, peerID.len, ¶m->B); + if (crv == CKR_OK) { + SECItem B; + B.data = param->B.pGX; + B.len = param->B.ulGXLen; + K.data = NULL; + crv = jpake_mapStatus(JPAKE_Final(arena, &pqg.prime, &pqg.subPrime, + &x2, &gx4, &x2s, &B, &K), + CKR_MECHANISM_PARAM_INVALID); + } + + /* Save key material into CKA_VALUE. */ + if (crv == CKR_OK) + crv = sftk_forceAttribute(key, CKA_VALUE, K.data, K.len); + + if (crv == CKR_OK) + crv = jpake_enforceKeyType(key, CKK_GENERIC_SECRET); + + PORT_FreeArena(arena, PR_TRUE); + return crv; +} diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn index 1d475b123..8f5c3f6d8 100644 --- a/security/nss/lib/softoken/manifest.mn +++ b/security/nss/lib/softoken/manifest.mn @@ -87,6 +87,7 @@ CSRCS = \ sftkpwd.c \ softkver.c \ tlsprf.c \ + jpakesftk.c \ $(NULL) ifdef SQLITE_UNSAFE_THREADS diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 4d052ea2a..b65700649 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -499,6 +499,19 @@ static const struct mechanismList mechanisms[] = { /* ------------------ AES Key Wrap (also encrypt) ------------------- */ {CKM_NETSCAPE_AES_KEY_WRAP, {16, 32, CKF_EN_DE_WR_UN}, PR_TRUE}, {CKM_NETSCAPE_AES_KEY_WRAP_PAD, {16, 32, CKF_EN_DE_WR_UN}, PR_TRUE}, + /* --------------------------- J-PAKE -------------------------------- */ + {CKM_NSS_JPAKE_ROUND1_SHA1, {0, 0, CKF_GENERATE}, PR_TRUE}, + {CKM_NSS_JPAKE_ROUND1_SHA256, {0, 0, CKF_GENERATE}, PR_TRUE}, + {CKM_NSS_JPAKE_ROUND1_SHA384, {0, 0, CKF_GENERATE}, PR_TRUE}, + {CKM_NSS_JPAKE_ROUND1_SHA512, {0, 0, CKF_GENERATE}, PR_TRUE}, + {CKM_NSS_JPAKE_ROUND2_SHA1, {0, 0, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_JPAKE_ROUND2_SHA256, {0, 0, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_JPAKE_ROUND2_SHA384, {0, 0, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_JPAKE_ROUND2_SHA512, {0, 0, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_JPAKE_FINAL_SHA1, {0, 0, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_JPAKE_FINAL_SHA256, {0, 0, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_JPAKE_FINAL_SHA384, {0, 0, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_JPAKE_FINAL_SHA512, {0, 0, CKF_DERIVE}, PR_TRUE} }; static const CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]); @@ -997,6 +1010,7 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE CK_BBOOL wrap = CK_TRUE; CK_BBOOL derive = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; + PRBool createObjectInfo = PR_TRUE; int missing_rsa_mod_component = 0; int missing_rsa_exp_component = 0; int missing_rsa_crt_component = 0; @@ -1096,6 +1110,20 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE wrap = CK_FALSE; break; #endif /* NSS_ENABLE_ECC */ + case CKK_NSS_JPAKE_ROUND1: + if (!sftk_hasAttribute(object, CKA_PRIME || + !sftk_hasAttribute(object, CKA_SUBPRIME) || + !sftk_hasAttribute(object, CKA_BASE))) { + return CKR_TEMPLATE_INCOMPLETE; + } + /* fall through */ + case CKK_NSS_JPAKE_ROUND2: + /* CKA_NSS_JPAKE_SIGNERID and CKA_NSS_JPAKE_PEERID are checked in + the J-PAKE code. */ + encrypt = sign = recover = wrap = CK_FALSE; + derive = CK_TRUE; + createObjectInfo = PR_FALSE; + break; default: return CKR_ATTRIBUTE_VALUE_INVALID; } @@ -1138,7 +1166,7 @@ sftk_handlePrivateKeyObject(SFTKSession *session,SFTKObject *object,CK_KEY_TYPE crv = sftkdb_write(keyHandle, object, &object->handle); sftk_freeDB(keyHandle); return crv; - } else { + } else if (createObjectInfo) { object->objectInfo = sftk_mkPrivKey(object,key_type,&crv); if (object->objectInfo == NULL) return crv; object->infoFree = (SFTKFree) nsslowkey_DestroyPrivateKey; diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 4e1c36275..d9179f278 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -3213,7 +3213,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, int i; SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); unsigned char buf[MAX_KEY_LEN]; - enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param} key_gen_type; + enum {nsc_pbe, nsc_ssl, nsc_bulk, nsc_param, nsc_jpake} key_gen_type; NSSPKCS5PBEParameter *pbe_param; SSL3RSAPreMasterSecret *rsa_pms; CK_VERSION *version; @@ -3222,6 +3222,7 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, * produce them any more. The affected algorithm was 3DES. */ PRBool faultyPBE3DES = PR_FALSE; + HASH_HashType hashType; CHECK_FORK(); @@ -3321,6 +3322,24 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, objclass = CKO_KG_PARAMETERS; crv = CKR_OK; break; + case CKM_NSS_JPAKE_ROUND1_SHA1: hashType = HASH_AlgSHA1; goto jpake1; + case CKM_NSS_JPAKE_ROUND1_SHA256: hashType = HASH_AlgSHA256; goto jpake1; + case CKM_NSS_JPAKE_ROUND1_SHA384: hashType = HASH_AlgSHA384; goto jpake1; + case CKM_NSS_JPAKE_ROUND1_SHA512: hashType = HASH_AlgSHA512; goto jpake1; +jpake1: + key_gen_type = nsc_jpake; + key_type = CKK_NSS_JPAKE_ROUND1; + objclass = CKO_PRIVATE_KEY; + if (pMechanism->pParameter == NULL || + pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKERound1Params)) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + if (sftk_isTrue(key, CKA_TOKEN)) { + crv = CKR_TEMPLATE_INCONSISTENT; + } + crv = CKR_OK; + break; default: crv = CKR_MECHANISM_INVALID; break; @@ -3367,6 +3386,11 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession, *buf = 0; crv = nsc_parameter_gen(key_type,key); break; + case nsc_jpake: + crv = jpake_Round1(hashType, + (CK_NSS_JPAKERound1Params *) pMechanism->pParameter, + key); + break; } if (crv != CKR_OK) { sftk_FreeObject(key); return crv; } @@ -5072,8 +5096,8 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, SFTKSlot * slot = sftk_SlotFromSessionHandle(hSession); SFTKObject * key; SFTKObject * sourceKey; - SFTKAttribute * att; - SFTKAttribute * att2; + SFTKAttribute * att = NULL; + SFTKAttribute * att2 = NULL; unsigned char * buf; SHA1Context * sha; MD5Context * md5; @@ -5097,6 +5121,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, unsigned char key_block2[MD5_LENGTH]; PRBool isFIPS; HASH_HashType hashType; + PRBool extractValue = PR_TRUE; CHECK_FORK(); @@ -5134,8 +5159,24 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, keySize = sftk_MapKeySize(keyType); } - /* Derive can only create SECRET KEY's currently... */ - classType = CKO_SECRET_KEY; + switch (pMechanism->mechanism) { + case CKM_NSS_JPAKE_ROUND2_SHA1: /* fall through */ + case CKM_NSS_JPAKE_ROUND2_SHA256: /* fall through */ + case CKM_NSS_JPAKE_ROUND2_SHA384: /* fall through */ + case CKM_NSS_JPAKE_ROUND2_SHA512: + extractValue = PR_FALSE; + classType = CKO_PRIVATE_KEY; + break; + case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */ + case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */ + case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */ + case CKM_NSS_JPAKE_FINAL_SHA512: + extractValue = PR_FALSE; + /* fall through */ + default: + classType = CKO_SECRET_KEY; + } + crv = sftk_forceAttribute (key,CKA_CLASS,&classType,sizeof(classType)); if (crv != CKR_OK) { sftk_FreeObject(key); @@ -5156,12 +5197,14 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, return CKR_KEY_HANDLE_INVALID; } - /* get the value of the base key */ - att = sftk_FindAttribute(sourceKey,CKA_VALUE); - if (att == NULL) { - sftk_FreeObject(key); - sftk_FreeObject(sourceKey); - return CKR_KEY_HANDLE_INVALID; + if (extractValue) { + /* get the value of the base key */ + att = sftk_FindAttribute(sourceKey,CKA_VALUE); + if (att == NULL) { + sftk_FreeObject(key); + sftk_FreeObject(sourceKey); + return CKR_KEY_HANDLE_INVALID; + } } switch (pMechanism->mechanism) { @@ -6187,10 +6230,51 @@ hkdf: { break; } /* end of CKM_NSS_HKDF_* */ + case CKM_NSS_JPAKE_ROUND2_SHA1: hashType = HASH_AlgSHA1; goto jpake2; + case CKM_NSS_JPAKE_ROUND2_SHA256: hashType = HASH_AlgSHA256; goto jpake2; + case CKM_NSS_JPAKE_ROUND2_SHA384: hashType = HASH_AlgSHA384; goto jpake2; + case CKM_NSS_JPAKE_ROUND2_SHA512: hashType = HASH_AlgSHA512; goto jpake2; +jpake2: + if (pMechanism->pParameter == NULL || + pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKERound2Params)) + crv = CKR_MECHANISM_PARAM_INVALID; + if (crv == CKR_OK && sftk_isTrue(key, CKA_TOKEN)) + crv = CKR_TEMPLATE_INCONSISTENT; + if (crv == CKR_OK) + crv = sftk_DeriveSensitiveCheck(sourceKey, key); + if (crv == CKR_OK) + crv = jpake_Round2(hashType, + (CK_NSS_JPAKERound2Params *) pMechanism->pParameter, + sourceKey, key); + break; + + case CKM_NSS_JPAKE_FINAL_SHA1: hashType = HASH_AlgSHA1; goto jpakeFinal; + case CKM_NSS_JPAKE_FINAL_SHA256: hashType = HASH_AlgSHA256; goto jpakeFinal; + case CKM_NSS_JPAKE_FINAL_SHA384: hashType = HASH_AlgSHA384; goto jpakeFinal; + case CKM_NSS_JPAKE_FINAL_SHA512: hashType = HASH_AlgSHA512; goto jpakeFinal; +jpakeFinal: + if (pMechanism->pParameter == NULL || + pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKEFinalParams)) + crv = CKR_MECHANISM_PARAM_INVALID; + /* We purposely do not do the derive sensitivity check; we want to be + able to derive non-sensitive keys while allowing the ROUND1 and + ROUND2 keys to be sensitive (which they always are, since they are + in the CKO_PRIVATE_KEY class). The caller must include CKA_SENSITIVE + in the template in order for the resultant keyblock key to be + sensitive. + */ + if (crv == CKR_OK) + crv = jpake_Final(hashType, + (CK_NSS_JPAKEFinalParams *) pMechanism->pParameter, + sourceKey, key); + break; + default: crv = CKR_MECHANISM_INVALID; } - sftk_FreeAttribute(att); + if (att) { + sftk_FreeAttribute(att); + } sftk_FreeObject(sourceKey); if (crv != CKR_OK) { if (key) sftk_FreeObject(key); diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index 07001ebb9..289fb02a0 100644 --- a/security/nss/lib/softoken/pkcs11i.h +++ b/security/nss/lib/softoken/pkcs11i.h @@ -46,7 +46,7 @@ #include "pkcs11t.h" #include "sftkdbt.h" - +#include "hasht.h" /* * Configuration Defines @@ -697,6 +697,21 @@ SFTKObject * sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE handle); SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so); + +/* J-PAKE (jpakesftk.c) */ +extern +CK_RV jpake_Round1(HASH_HashType hashType, + CK_NSS_JPAKERound1Params * params, + SFTKObject * key); +extern +CK_RV jpake_Round2(HASH_HashType hashType, + CK_NSS_JPAKERound2Params * params, + SFTKObject * sourceKey, SFTKObject * key); +extern +CK_RV jpake_Final(HASH_HashType hashType, + const CK_NSS_JPAKEFinalParams * params, + SFTKObject * sourceKey, SFTKObject * key); + /**************************************** * implement TLS Pseudo Random Function (PRF) */ |