author | Lorry Tar Creator <lorry-tar-importer@lorry> | 2017-06-08 10:53:01 +0000 |
---|---|---|
committer | Lorry Tar Creator <lorry-tar-importer@lorry> | 2017-06-08 10:53:01 +0000 |
commit | f95d45c36e7c7131747259956821d844e8952e5d (patch) | |
tree | eee14f8b212c48f8597c2a4927a167fcc3a15ea5 /nss/lib/cryptohi | |
parent | dc1565216a5d20ae0d75872151523252309a1292 (diff) | |
Diffstat (limited to 'nss/lib/cryptohi')
-rw-r--r-- | nss/lib/cryptohi/dsautil.c | 11 | ||||
-rw-r--r-- | nss/lib/cryptohi/keyi.h | 7 | ||||
-rw-r--r-- | nss/lib/cryptohi/keythi.h | 8 | ||||
-rw-r--r-- | nss/lib/cryptohi/seckey.c | 77 | ||||
-rw-r--r-- | nss/lib/cryptohi/secsign.c | 15 |
5 files changed, 54 insertions, 64 deletions
diff --git a/nss/lib/cryptohi/dsautil.c b/nss/lib/cryptohi/dsautil.c index db397df..df4d9a9 100644 --- a/nss/lib/cryptohi/dsautil.c +++ b/nss/lib/cryptohi/dsautil.c @@ -166,12 +166,16 @@ static SECItem * common_DecodeDerSig(const SECItem *item, unsigned int len) { SECItem *result = NULL; + PORTCheapArenaPool arena; SECStatus status; DSA_ASN1Signature sig; SECItem dst; PORT_Memset(&sig, 0, sizeof(sig)); + /* Make enough room for r + s. */ + PORT_InitCheapArena(&arena, PR_MAX(2 * MAX_ECKEY_LEN, DSA_MAX_SIGNATURE_LEN)); + result = PORT_ZNew(SECItem); if (result == NULL) goto loser; @@ -183,7 +187,7 @@ common_DecodeDerSig(const SECItem *item, unsigned int len) sig.r.type = siUnsignedInteger; sig.s.type = siUnsignedInteger; - status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item); + status = SEC_QuickDERDecodeItem(&arena.arena, &sig, DSA_SignatureTemplate, item); if (status != SECSuccess) goto loser; @@ -202,10 +206,7 @@ common_DecodeDerSig(const SECItem *item, unsigned int len) goto loser; done: - if (sig.r.data != NULL) - PORT_Free(sig.r.data); - if (sig.s.data != NULL) - PORT_Free(sig.s.data); + PORT_DestroyCheapArena(&arena); return result; diff --git a/nss/lib/cryptohi/keyi.h b/nss/lib/cryptohi/keyi.h index 374a4ad..f8f5f7f 100644 --- a/nss/lib/cryptohi/keyi.h +++ b/nss/lib/cryptohi/keyi.h @@ -17,13 +17,6 @@ KeyType seckey_GetKeyType(SECOidTag pubKeyOid); SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg); -/* - * Set the point encoding of a SECKEYPublicKey from the OID. - * This has to be called on any SECKEYPublicKey holding a SECKEYECPublicKey - * before it can be used. The encoding is used to dermine the public key size. - */ -SECStatus seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey); - SEC_END_PROTOS #endif /* _KEYHI_H_ */ diff --git a/nss/lib/cryptohi/keythi.h b/nss/lib/cryptohi/keythi.h index 1555ce2..f6170bb 100644 
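Review bot: After the switch to `SEC_QuickDERDecodeItem` in `common_DecodeDerSig`, `sig.r` and `sig.s` are no longer heap copies, and nothing in the hunk says so. QuickDER is documented to leave decoded items pointing into the source buffer or the arena, so their lifetime is now bounded by `item` and by `PORT_DestroyCheapArena(&arena)` at `done:`. I would add a comment above the decode call, such as `/* QuickDER does not copy: sig.r/sig.s alias item or the arena; never free them or use them past done: */`, so that nobody reintroduces the `PORT_Free` calls. The code between the hunks is not visible, so this assumes every `goto loser` runs after `PORT_InitCheapArena` and ends up at `done:`.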
--- a/nss/lib/cryptohi/keythi.h +++ b/nss/lib/cryptohi/keythi.h @@ -125,9 +125,9 @@ typedef SECItem SECKEYECParams; struct SECKEYECPublicKeyStr { SECKEYECParams DEREncodedParams; - int size; /* size in bits */ - SECItem publicValue; /* encoded point */ - ECPointEncoding encoding; + int size; /* size in bits */ + SECItem publicValue; /* encoded point */ + ECPointEncoding encoding; /* deprecated, ignored */ }; typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey; @@ -209,7 +209,7 @@ typedef struct SECKEYPublicKeyStr SECKEYPublicKey; (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE) #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \ - (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock) + (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock) /* ** A generic key structure diff --git a/nss/lib/cryptohi/seckey.c b/nss/lib/cryptohi/seckey.c index 1f053e5..9ea48b7 100644 --- a/nss/lib/cryptohi/seckey.c +++ b/nss/lib/cryptohi/seckey.c 
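Review bot: `SECKEY_HAS_ATTRIBUTE_SET_LOCK` still expands to a bare `?:` expression with an unparenthesised `key`, so the line touched here misparses when the macro is used under `!` or inside `&&`. Since the line is being edited anyway, wrap the whole expansion in parentheses and write `(key)->staticflags`, `(key)->pkcs11Slot` and `(key)->pkcs11ID`. The macro now names `pk11_HasAttributeSet_Lock`, whose declaration is not visible in this diff; every file that uses the macro needs that prototype in scope. The `encoding` field comment could also say what replaces it, e.g. `/* deprecated: no longer derived from the curve OID, set to ECPoint_Undefined */`.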
@@ -547,6 +547,23 @@ CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki) return seckey_GetKeyType(SECOID_GetAlgorithmTag(&spki->algorithm)); } +/* Ensure pubKey contains an OID */ +static SECStatus +seckey_HasCurveOID(const SECKEYPublicKey *pubKey) +{ + SECItem oid; + SECStatus rv; + PORTCheapArenaPool tmpArena; + + PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); + /* If we can decode it, an OID is available. */ + rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid, + SEC_ASN1_GET(SEC_ObjectIDTemplate), + &pubKey->u.ec.DEREncodedParams); + PORT_DestroyCheapArena(&tmpArena); + return rv; +} + static SECKEYPublicKey * seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) { @@ -639,7 +656,8 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) if (rv != SECSuccess) { break; } - rv = seckey_SetPointEncoding(arena, pubk); + pubk->u.ec.encoding = ECPoint_Undefined; + rv = seckey_HasCurveOID(pubk); if (rv == SECSuccess) { return pubk; } @@ -1162,16 +1180,16 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk) break; case ecKey: copyk->u.ec.size = pubk->u.ec.size; - rv = SECITEM_CopyItem(arena, ©k->u.ec.DEREncodedParams, - &pubk->u.ec.DEREncodedParams); + rv = seckey_HasCurveOID(pubk); if (rv != SECSuccess) { break; } - rv = seckey_SetPointEncoding(arena, copyk); + rv = SECITEM_CopyItem(arena, ©k->u.ec.DEREncodedParams, + &pubk->u.ec.DEREncodedParams); if (rv != SECSuccess) { break; } - PORT_Assert(copyk->u.ec.encoding == pubk->u.ec.encoding); + copyk->u.ec.encoding = ECPoint_Undefined; rv = SECITEM_CopyItem(arena, ©k->u.ec.publicValue, &pubk->u.ec.publicValue); break; 
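Review bot: `seckey_HasCurveOID` only proves that `DEREncodedParams` parses as a DER OBJECT IDENTIFIER; it never maps the OID to a curve, so an unknown or unsupported curve still passes in both `seckey_ExtractPublicKey` and `SECKEY_CopyPublicKey`. The removed `seckey_SetPointEncoding` accepted unknown curves too, so this is not a regression, but the name and the comment `/* Ensure pubKey contains an OID */` read as a stronger check than it is. I would reword the comment to `/* Returns SECSuccess if the EC params decode as a DER OID; does not check that the curve is known or supported. */` and initialise the local as `SECItem oid = { siBuffer, NULL, 0 };` so the decoder never sees an indeterminate `type`. Both callers start and end outside their hunks.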
@@ -1242,6 +1260,19 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk) break; return pubk; break; + case ecKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams); + if (rv != SECSuccess) { + break; + } + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_EC_POINT, arena, &pubk->u.ec.publicValue); + if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) { + break; + } + pubk->u.ec.encoding = ECPoint_Undefined; + return pubk; default: break; } @@ -1943,39 +1974,3 @@ SECKEY_GetECCOid(const SECKEYECParams *params) return oidData->offset; } - -/* Set curve encoding in SECKEYECPublicKey in pubKey from OID. - * If the encoding is not set, determining the key size of EC public keys will - * fail. - */ -SECStatus -seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey) -{ - SECItem oid; - SECOidTag tag; - SECStatus rv; - - /* decode the OID tag */ - rv = SEC_QuickDERDecodeItem(arena, &oid, SEC_ASN1_GET(SEC_ObjectIDTemplate), - &pubKey->u.ec.DEREncodedParams); - if (rv != SECSuccess) { - return SECFailure; - } - - tag = SECOID_FindOIDTag(&oid); - switch (tag) { - case SEC_OID_CURVE25519: - pubKey->u.ec.encoding = ECPoint_XOnly; - break; - case SEC_OID_SECG_EC_SECP256R1: - /* fall through */ - case SEC_OID_SECG_EC_SECP384R1: - /* fall through */ - case SEC_OID_SECG_EC_SECP521R1: - /* fall through */ - default: - /* unknown curve, default to uncompressed */ - pubKey->u.ec.encoding = ECPoint_Uncompressed; - } - return SECSuccess; -} diff --git a/nss/lib/cryptohi/secsign.c b/nss/lib/cryptohi/secsign.c index 1bbdd53..d06cb2e 100644 --- a/nss/lib/cryptohi/secsign.c +++ b/nss/lib/cryptohi/secsign.c 
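Review bot: The new `ecKey` case in `SECKEY_ConvertToPublicKey` returns a key whose `DEREncodedParams` came straight from the token, without the `seckey_HasCurveOID` check that this commit adds to `seckey_ExtractPublicKey` and `SECKEY_CopyPublicKey`. Token attributes are external input, so I would add `rv = seckey_HasCurveOID(pubk);` followed by `if (rv != SECSuccess) break;` right after the `CKA_EC_PARAMS` read. The case also never assigns `pubk->u.ec.size`; whether that matters depends on how `pubk` is allocated and how consumers derive the key size, neither of which is visible here. The function begins and ends outside the hunk.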
@@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result, if (algID == SEC_OID_UNKNOWN) { switch (pk->keyType) { case rsaKey: - algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; + algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; break; case dsaKey: /* get Signature length (= q_len*2) and work from there */ switch (PK11_SignatureLen(pk)) { + case 320: + algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; + break; case 448: algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; break; case 512: - algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; - break; default: - algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; + algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; break; } break; case ecKey: - algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST; + algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; break; default: PORT_SetError(SEC_ERROR_INVALID_KEY); @@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag) break; case dsaKey: switch (hashAlgTag) { - case SEC_OID_UNKNOWN: /* default for DSA if not specified */ case SEC_OID_SHA1: sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; break; case SEC_OID_SHA224: sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; break; + case SEC_OID_UNKNOWN: /* default for DSA if not specified */ case SEC_OID_SHA256: sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; break; @@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag) break; case ecKey: switch (hashAlgTag) { - case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ case SEC_OID_SHA1: sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; break; case SEC_OID_SHA224: sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; break; + case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ case SEC_OID_SHA256: sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; break; |
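Review bot: In `SEC_DerSignData` the DSA `default:` now selects SHA-256, so any signature length that misses `case 320:` and `case 448:` gets `SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST`. The labels 320/448/512 look like bit counts while the comment only says `q_len*2`, and the unit `PK11_SignatureLen` returns is not visible in this diff. Please confirm it and state it in the comment, e.g. `/* PK11_SignatureLen() returns <unit>; value is 2*q_len */`. If it is bytes, the explicit cases never match and the old SHA-1 fallback for 160-bit-q keys is silently gone. `case 512:` directly above `default:` is redundant and could be dropped or marked `/* fall through */`.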
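Review bot: `SEC_GetSignatureAlgorithmOidTag` now maps `SEC_OID_UNKNOWN` to the SHA-256 tags for `dsaKey` and `ecKey` without looking at the key, so a caller that relied on the old default with a 160-bit-q DSA key now gets a digest longer than q. The stronger default is reasonable, but it is a behaviour change in what appears to be a public entry point and deserves a line in the function's header comment, for example `/* SEC_OID_UNKNOWN selects the SHA-256 signature OID for DSA and ECDSA */`. The `rsaKey` branch lies outside these hunks, so I could not confirm that its default was changed to match.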