diff options
Diffstat (limited to 'security/nss/lib/pk11wrap/pk11kea.c')
-rw-r--r-- | security/nss/lib/pk11wrap/pk11kea.c | 224 |
1 files changed, 224 insertions, 0 deletions
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c new file mode 100644 index 000000000..6006f6032 --- /dev/null +++ b/security/nss/lib/pk11wrap/pk11kea.c @@ -0,0 +1,224 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + */ +/* + * This file implements the Symkey wrapper and the PKCS context + * Interfaces. + */ + +#include "seccomon.h" +#include "secmod.h" +#include "nssilock.h" +#include "secmodi.h" +#include "pkcs11.h" +#include "pk11func.h" +#include "secitem.h" +#include "key.h" +#include "secasn1.h" +#include "sechash.h" +#include "cert.h" +#include "secerr.h" + +/* + * find an RSA public key on a card + */ +static CK_OBJECT_HANDLE +pk11_FindRSAPubKey(PK11SlotInfo *slot) +{ + CK_KEY_TYPE key_type = CKK_RSA; + CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY; + CK_ATTRIBUTE theTemplate[2]; + int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]); + CK_ATTRIBUTE *attrs = theTemplate; + + PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++; + PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++; + template_count = attrs - theTemplate; + PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE)); + + return pk11_FindObjectByTemplate(slot,theTemplate,template_count); +} + +SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, + CK_OBJECT_HANDLE id); + +PK11SymKey * +pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey) +{ + PK11SymKey *newSymKey = NULL; + SECStatus rv; + /* performance improvement can go here --- use a generated key to as a + * per startup wrapping key. If it exists, use it, otherwise do a full + * key exchange. */ + + /* find a common Key Exchange algorithm */ + /* RSA */ + if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && + PK11_DoesMechanism(slot,CKM_RSA_PKCS)) { + CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_KEY; + CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_KEY; + SECKEYPublicKey *pubKey = NULL; + SECKEYPrivateKey *privKey = NULL; + SECItem wrapData; + + wrapData.data = NULL; + + /* find RSA Public Key on target */ + pubKeyHandle = pk11_FindRSAPubKey(slot); + if (pubKeyHandle != CK_INVALID_KEY) { + privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY); + } + + /* if no key exits, generate a key pair */ + if (privKeyHandle == CK_INVALID_KEY) { + unsigned int keyLength = PK11_GetKeyLength(symKey); + PK11RSAGenParams rsaParams; + + rsaParams.keySizeInBits = + ((keyLength == 0) || (keyLength > 16)) ? 512 : 256; + rsaParams.pe = 0x10001; + privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN, + &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx); + } else { + /* if key's exist, build SECKEY data structures for them */ + privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle, + symKey->cx); + if (privKey != NULL) { + pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle); + if (pubKey && pubKey->pkcs11Slot) { + PK11_FreeSlot(pubKey->pkcs11Slot); + pubKey->pkcs11Slot = NULL; + pubKey->pkcs11ID = CK_INVALID_KEY; + } + } + } + if (privKey == NULL) goto rsa_failed; + if (pubKey == NULL) goto rsa_failed; + + wrapData.len = SECKEY_PublicKeyStrength(pubKey); + if (!wrapData.len) goto rsa_failed; + wrapData.data = PORT_Alloc(wrapData.len); + if (wrapData.data == NULL) goto rsa_failed; + + /* now wrap the keys in and out */ + rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData); + if (rv == SECSuccess) { + newSymKey = PK11_PubUnwrapSymKey(privKey,&wrapData,type,operation, + symKey->size); + } +rsa_failed: + if (wrapData.data != NULL) PORT_Free(wrapData.data); + if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey); + if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey); + + return newSymKey; + } + /* KEA */ + if (PK11_DoesMechanism(symKey->slot, CKM_KEA_KEY_DERIVE) && + PK11_DoesMechanism(slot,CKM_KEA_KEY_DERIVE)) { + CERTCertificate *certSource = NULL; + CERTCertificate *certTarget = NULL; + SECKEYPublicKey *pubKeySource = NULL; + SECKEYPublicKey *pubKeyTarget = NULL; + SECKEYPrivateKey *privKeySource = NULL; + SECKEYPrivateKey *privKeyTarget = NULL; + PK11SymKey *tekSource = NULL; + PK11SymKey *tekTarget = NULL; + SECItem Ra,wrap; + + /* can only exchange skipjack keys */ + if (type != CKM_SKIPJACK_CBC64) { + PORT_SetError( SEC_ERROR_NO_MODULE ); + goto kea_failed; + } + + /* find a pair of certs we can use */ + rv = PK11_GetKEAMatchedCerts(symKey->slot,slot,&certSource,&certTarget); + if (rv != SECSuccess) goto kea_failed; + + /* get all the key pairs */ + pubKeyTarget = CERT_ExtractPublicKey(certSource); + pubKeySource = CERT_ExtractPublicKey(certTarget); + privKeySource = + PK11_FindKeyByDERCert(symKey->slot,certSource,symKey->cx); + privKeyTarget = + PK11_FindKeyByDERCert(slot,certTarget,symKey->cx); + + if ((pubKeySource == NULL) || (pubKeyTarget == NULL) || + (privKeySource == NULL) || (privKeyTarget == NULL)) goto kea_failed; + + /* generate the wrapping TEK's */ + Ra.data = (unsigned char*)PORT_Alloc(128 /* FORTEZZA RA MAGIC */); + Ra.len = 128; + if (Ra.data == NULL) goto kea_failed; + + tekSource = PK11_PubDerive(privKeySource,pubKeyTarget,PR_TRUE,&Ra,NULL, + CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx); + tekTarget = PK11_PubDerive(privKeyTarget,pubKeySource,PR_FALSE,&Ra,NULL, + CKM_SKIPJACK_WRAP, CKM_KEA_KEY_DERIVE,CKA_WRAP,0,symKey->cx); + PORT_Free(Ra.data); + + if ((tekSource == NULL) || (tekTarget == NULL)) { goto kea_failed; } + + /* wrap the key out of Source into target */ + wrap.data = (unsigned char*)PORT_Alloc(12); /* MAGIC SKIPJACK LEN */ + wrap.len = 12; + + /* paranoia to prevent infinite recursion on bugs */ + PORT_Assert(tekSource->slot == symKey->slot); + if (tekSource->slot != symKey->slot) { + PORT_SetError( SEC_ERROR_NO_MODULE ); + goto kea_failed; + } + + rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP,NULL,tekSource,symKey,&wrap); + if (rv == SECSuccess) { + newSymKey = PK11_UnwrapSymKey(tekTarget, CKM_SKIPJACK_WRAP, NULL, + &wrap, type, operation, symKey->size); + } + PORT_Free(wrap.data); +kea_failed: + if (certSource == NULL) CERT_DestroyCertificate(certSource); + if (certTarget == NULL) CERT_DestroyCertificate(certTarget); + if (pubKeySource == NULL) SECKEY_DestroyPublicKey(pubKeySource); + if (pubKeyTarget == NULL) SECKEY_DestroyPublicKey(pubKeyTarget); + if (privKeySource == NULL) SECKEY_DestroyPrivateKey(privKeySource); + if (privKeyTarget == NULL) SECKEY_DestroyPrivateKey(privKeyTarget); + if (tekSource == NULL) PK11_FreeSymKey(tekSource); + if (tekTarget == NULL) PK11_FreeSymKey(tekTarget); + return newSymKey; + } + PORT_SetError( SEC_ERROR_NO_MODULE ); + return NULL; +} + |