diff options
Diffstat (limited to 'security/nss/lib/pk11wrap/pk11kea.c')
-rw-r--r-- | security/nss/lib/pk11wrap/pk11kea.c | 224 |
1 files changed, 0 insertions, 224 deletions
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c deleted file mode 100644 index ef9fe2aef..000000000 --- a/security/nss/lib/pk11wrap/pk11kea.c +++ /dev/null @@ -1,224 +0,0 @@ -/* - * The contents of this file are subject to the Mozilla Public - * License Version 1.1 (the "License"); you may not use this file - * except in compliance with the License. You may obtain a copy of - * the License at http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS - * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - * implied. See the License for the specific language governing - * rights and limitations under the License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is Netscape - * Communications Corporation. Portions created by Netscape are - * Copyright (C) 1994-2000 Netscape Communications Corporation. All - * Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the - * terms of the GNU General Public License Version 2 or later (the - * "GPL"), in which case the provisions of the GPL are applicable - * instead of those above. If you wish to allow use of your - * version of this file only under the terms of the GPL and not to - * allow others to use your version of this file under the MPL, - * indicate your decision by deleting the provisions above and - * replace them with the notice and other provisions required by - * the GPL. If you do not delete the provisions above, a recipient - * may use your version of this file under either the MPL or the - * GPL. - */ -/* - * This file implements the Symkey wrapper and the PKCS context - * Interfaces. - */ - -#include "seccomon.h" -#include "secmod.h" -#include "prlock.h" -#include "secmodi.h" -#include "pkcs11.h" -#include "pk11func.h" -#include "secitem.h" -#include "key.h" -#include "secasn1.h" -#include "sechash.h" -#include "cert.h" -#include "secerr.h" - -/* - * find an RSA public key on a card - */ -static CK_OBJECT_HANDLE -pk11_FindRSAPubKey(PK11SlotInfo *slot) -{ - CK_KEY_TYPE key_type = CKK_RSA; - CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY; - CK_ATTRIBUTE theTemplate[2]; - int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]); - CK_ATTRIBUTE *attrs = theTemplate; - - PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++; - PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++; - template_count = attrs - theTemplate; - PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)); - - return pk11_FindObjectByTemplate(slot,theTemplate,template_count); -} - -SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, - CK_OBJECT_HANDLE id); - -PK11SymKey * -pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey) -{ - PK11SymKey *newSymKey = NULL; - SECStatus rv; - /* performance improvement can go here --- use a generated key to as a - * per startup wrapping key. If it exists, use it, otherwise do a full - * key exchange. */ - - /* find a common Key Exchange algorithm */ - /* RSA */ - if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && - PK11_DoesMechanism(slot,CKM_RSA_PKCS)) { - CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_KEY; - CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_KEY; - SECKEYPublicKey *pubKey = NULL; - SECKEYPrivateKey *privKey = NULL; - SECItem wrapData; - - wrapData.data = NULL; - - /* find RSA Public Key on target */ - pubKeyHandle = pk11_FindRSAPubKey(slot); - if (pubKeyHandle != CK_INVALID_KEY) { - privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY); - } - - /* if no key exits, generate a key pair */ - if (privKeyHandle == CK_INVALID_KEY) { - unsigned int keyLength = PK11_GetKeyLength(symKey); - PK11RSAGenParams rsaParams; - - rsaParams.keySizeInBits = - ((keyLength == 0) || (keyLength > 16)) ? 512 : 256; - rsaParams.pe = 0x10001; - privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN, - &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx); - } else { - /* if key's exist, build SECKEY data structures for them */ - privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle, - symKey->cx); - if (privKey != NULL) { - pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle); - if (pubKey && pubKey->pkcs11Slot) { - PK11_FreeSlot(pubKey->pkcs11Slot); - pubKey->pkcs11Slot = NULL; - pubKey->pkcs11ID = CK_INVALID_KEY; - } - } - } - if (privKey == NULL) goto rsa_failed; - if (pubKey == NULL) goto rsa_failed; - - wrapData.len = SECKEY_PublicKeyStrength(pubKey); - if (!wrapData.len) goto rsa_failed; - wrapData.data = PORT_Alloc(wrapData.len); - if (wrapData.data == NULL) goto rsa_failed; - - /* now wrap the keys in and out */ - rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData); - if (rv == SECSuccess) { - newSymKey = PK11_PubUnwrapSymKey(privKey,&wrapData,type,operation, - symKey->size); - } -rsa_failed: - if (wrapData.data != NULL) PORT_Free(wrapData.data); - if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey); - if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey); - - return newSymKey; - } - /* KEA */ - if (PK11_DoesMechanism(symKey->slot, CKM_KEA_KEY_DERIVE) && - PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) { - CERTCertificate *certSource = NULL; - CERTCertificate *certTarget = NULL; - SECKEYPublicKey *pubKeySource = NULL; - SECKEYPublicKey *pubKeyTarget = NULL; - SECKEYPrivateKey *privKeySource = NULL; - SECKEYPrivateKey *privKeyTarget = NULL; - PK11SymKey *tekSource = NULL; - PK11SymKey *tekTarget = NULL; - SECItem Ra,wrap; - - /* can only exchange skipjack keys */ - if (type != CKM_SKIPJACK_CBC64) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - goto kea_failed; - } - - /* find a pair of certs we can use */ - rv = PK11_GetKEAMatchedCerts(symKey->slot,slot,&certSource,&certTarget); - if (rv != SECSuccess) goto kea_failed; - - /* get all the key pairs */ - pubKeyTarget = CERT_ExtractPublicKey(certSource); - pubKeySource = CERT_ExtractPublicKey(certTarget); - privKeySource = - PK11_FindKeyByDERCert(symKey->slot,certSource,symKey->cx); - privKeyTarget = - PK11_FindKeyByDERCert(slot,certTarget,symKey->cx); - - if ((pubKeySource == NULL) || (pubKeyTarget == NULL) || - (privKeySource == NULL) || (privKeyTarget == NULL)) goto kea_failed; - - /* generate the wrapping TEK's */ - Ra.data = (unsigned char*)PORT_Alloc(128 /* FORTEZZA RA MAGIC */); - Ra.len = 128; - if (Ra.data == NULL) goto kea_failed; - - tekSource = PK11_PubDerive(privKeySource,pubKeyTarget,PR_TRUE,&Ra,NULL, - CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx); - tekTarget = PK11_PubDerive(privKeyTarget,pubKeySource,PR_FALSE,&Ra,NULL, - CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx); - PORT_Free(Ra.data); - - if ((tekSource == NULL) || (tekTarget == NULL)) { goto kea_failed; } - - /* wrap the key out of Source into target */ - wrap.data = (unsigned char*)PORT_Alloc(12); /* MAGIC SKIPJACK LEN */ - wrap.len = 12; - - /* paranoia to prevent infinite recursion on bugs */ - PORT_Assert(tekSource->slot == symKey->slot); - if (tekSource->slot != symKey->slot) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - goto kea_failed; - } - - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP,NULL,tekSource,symKey,&wrap); - if (rv == SECSuccess) { - newSymKey = PK11_UnwrapSymKey(tekTarget, CKM_SKIPJACK_WRAP, NULL, - &wrap, type, operation, symKey->size); - } - PORT_Free(wrap.data); -kea_failed: - if (certSource == NULL) CERT_DestroyCertificate(certSource); - if (certTarget == NULL) CERT_DestroyCertificate(certTarget); - if (pubKeySource == NULL) SECKEY_DestroyPublicKey(pubKeySource); - if (pubKeyTarget == NULL) SECKEY_DestroyPublicKey(pubKeyTarget); - if (privKeySource == NULL) SECKEY_DestroyPrivateKey(privKeySource); - if (privKeyTarget == NULL) SECKEY_DestroyPrivateKey(privKeyTarget); - if (tekSource == NULL) PK11_FreeSymKey(tekSource); - if (tekTarget == NULL) PK11_FreeSymKey(tekTarget); - return newSymKey; - } - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; -} - |