Diffstat (limited to 'nss/lib/cryptohi')
-rw-r--r-- | nss/lib/cryptohi/cryptohi.gyp | 27 | ||||
-rw-r--r-- | nss/lib/cryptohi/cryptohi.h | 110 | ||||
-rw-r--r-- | nss/lib/cryptohi/cryptoht.h | 1 | ||||
-rw-r--r-- | nss/lib/cryptohi/dsautil.c | 138 | ||||
-rw-r--r-- | nss/lib/cryptohi/exports.gyp | 37 | ||||
-rw-r--r-- | nss/lib/cryptohi/keyhi.h | 80 | ||||
-rw-r--r-- | nss/lib/cryptohi/keyi.h | 10 | ||||
-rw-r--r-- | nss/lib/cryptohi/keythi.h | 91 | ||||
-rw-r--r-- | nss/lib/cryptohi/manifest.mn | 3 | ||||
-rw-r--r-- | nss/lib/cryptohi/sechash.c | 443 | ||||
-rw-r--r-- | nss/lib/cryptohi/sechash.h | 44 | ||||
-rw-r--r-- | nss/lib/cryptohi/seckey.c | 1998 | ||||
-rw-r--r-- | nss/lib/cryptohi/secsign.c | 451 | ||||
-rw-r--r-- | nss/lib/cryptohi/secvfy.c | 767 |
14 files changed, 2180 insertions, 2020 deletions
diff --git a/nss/lib/cryptohi/cryptohi.gyp b/nss/lib/cryptohi/cryptohi.gyp
new file mode 100644
index 0000000..ef9e63f
--- /dev/null
+++ b/nss/lib/cryptohi/cryptohi.gyp
@@ -0,0 +1,27 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'cryptohi',
+ 'type': 'static_library',
+ 'sources': [
+ 'dsautil.c',
+ 'sechash.c',
+ 'seckey.c',
+ 'secsign.c',
+ 'secvfy.c'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:nss_exports'
+ ]
+ }
+ ],
+ 'variables': {
+ 'module': 'nss'
+ }
+}
\ No newline at end of file diff --git a/nss/lib/cryptohi/cryptohi.h b/nss/lib/cryptohi/cryptohi.h index 6661b66..f658daa 100644 --- a/nss/lib/cryptohi/cryptohi.h +++ b/nss/lib/cryptohi/cryptohi.h @@ -17,10 +17,8 @@ #include "keyt.h" #include "certt.h" - SEC_BEGIN_PROTOS - /****************************************/ /* ** DER encode/decode (EC)DSA signatures @@ -39,14 +37,14 @@ extern SECItem *DSAU_DecodeDerSig(const SECItem *item); * on the size of q or the EC key used for signing. * * We can reuse the DSAU_EncodeDerSig interface to DER encode - * raw ECDSA signature keeping in mind that the length of r + * raw ECDSA signature keeping in mind that the length of r * is the same as that of s and exactly half of src->len. * * For decoding, we need to pass the length of the desired * raw signature (twice the key size) explicitly. */ -extern SECStatus DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, - unsigned int len); +extern SECStatus DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, + unsigned int len); extern SECItem *DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len); /****************************************/ @@ -81,7 +79,7 @@ extern SECStatus SGN_Begin(SGNContext *cx); ** "inputLen" the length of the input data */ extern SECStatus SGN_Update(SGNContext *cx, const unsigned char *input, - unsigned int inputLen); + unsigned int inputLen); /* ** Finish the signature process. Use either k0 or k1 to sign the data 
@@ -100,12 +98,12 @@ extern SECStatus SGN_End(SGNContext *cx, SECItem *result); ** "buf" the input data to sign ** "len" the amount of data to sign ** "pk" the private key to encrypt with -** "algid" the signature/hash algorithm to sign with +** "algid" the signature/hash algorithm to sign with ** (must be compatible with the key type). */ extern SECStatus SEC_SignData(SECItem *result, - const unsigned char *buf, int len, - SECKEYPrivateKey *pk, SECOidTag algid); + const unsigned char *buf, int len, + SECKEYPrivateKey *pk, SECOidTag algid); /* ** Sign a pre-digested block of data using private key encryption, encoding @@ -116,7 +114,7 @@ extern SECStatus SEC_SignData(SECItem *result, ** "algtag" The algorithm tag to encode (need for RSA only) */ extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey, - SECOidTag algtag, SECItem *result, SECItem *digest); + SECOidTag algtag, SECItem *result, SECItem *digest); /* ** DER sign a single block of data using private key encryption and the @@ -130,8 +128,8 @@ extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey, ** "pk" the private key to encrypt with */ extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result, - const unsigned char *buf, int len, - SECKEYPrivateKey *pk, SECOidTag algid); + const unsigned char *buf, int len, + SECKEYPrivateKey *pk, SECOidTag algid); /* ** Destroy a signed-data object. 
@@ -155,18 +153,18 @@ extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType, /* ** Create a signature verification context. This version is deprecated, -** This function is deprecated. Use VFY_CreateContextDirect or +** This function is deprecated. Use VFY_CreateContextDirect or ** VFY_CreateContextWithAlgorithmID instead. ** "key" the public key to verify with ** "sig" the encrypted signature data if sig is NULL then ** VFY_EndWithSignature must be called with the correct signature at ** the end of the processing. -** "sigAlg" specifies the signing algorithm to use (including the +** "sigAlg" specifies the signing algorithm to use (including the ** hash algorthim). This must match the key type. ** "wincx" void pointer to the window context */ extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, - SECOidTag sigAlg, void *wincx); + SECOidTag sigAlg, void *wincx); /* ** Create a signature verification context. ** "key" the public key to verify with @@ -174,9 +172,9 @@ extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, ** VFY_EndWithSignature must be called with the correct signature at ** the end of the processing. ** "pubkAlg" specifies the cryptographic signing algorithm to use (the -** raw algorithm without any hash specified. This must match the key +** raw algorithm without any hash specified. This must match the key ** type. -** "hashAlg" specifies the hashing algorithm used. If the key is an +** "hashAlg" specifies the hashing algorithm used. If the key is an ** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN. ** the hash is selected from data in the sig. ** "hash" optional pointer to return the actual hash algorithm used. 
@@ -186,10 +184,10 @@ extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, ** "wincx" void pointer to the window context */ extern VFYContext *VFY_CreateContextDirect(const SECKEYPublicKey *key, - const SECItem *sig, - SECOidTag pubkAlg, - SECOidTag hashAlg, - SECOidTag *hash, void *wincx); + const SECItem *sig, + SECOidTag pubkAlg, + SECOidTag hashAlg, + SECOidTag *hash, void *wincx); /* ** Create a signature verification context from a algorithm ID. ** "key" the public key to verify with @@ -198,15 +196,15 @@ extern VFYContext *VFY_CreateContextDirect(const SECKEYPublicKey *key, ** the end of the processing. ** "algid" specifies the signing algorithm and parameters to use. ** This must match the key type. -** "hash" optional pointer to return the oid of the actual hash used in +** "hash" optional pointer to return the oid of the actual hash used in ** the signature. If this value is NULL no, hash oid is returned. ** "wincx" void pointer to the window context */ -extern VFYContext *VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, - const SECItem *sig, - const SECAlgorithmID *algid, - SECOidTag *hash, - void *wincx); +extern VFYContext *VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, + const SECItem *sig, + const SECAlgorithmID *algid, + SECOidTag *hash, + void *wincx); /* ** Destroy a verification-context object. @@ -226,7 +224,7 @@ extern SECStatus VFY_Begin(VFYContext *cx); ** "inputLen" the amount of input data */ extern SECStatus VFY_Update(VFYContext *cx, const unsigned char *input, - unsigned int inputLen); + unsigned int inputLen); /* ** Finish the verification process. The return value is a status which 
@@ -243,19 +241,18 @@ extern SECStatus VFY_End(VFYContext *cx); ** returned. Otherwise, SECFailure is returned and the error code found ** using PORT_GetError() indicates what failure occurred. If signature is ** supplied the verification uses this signature to verify, otherwise the -** signature passed in VFY_CreateContext() is used. +** signature passed in VFY_CreateContext() is used. ** VFY_EndWithSignature(cx,NULL); is identical to VFY_End(cx);. ** "cx" the context ** "sig" the encrypted signature data */ extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig); - /* ** Verify the signature on a block of data for which we already have ** the digest. The signature data is an RSA private key encrypted ** block of data formatted according to PKCS#1. -** This function is deprecated. Use VFY_VerifyDigestDirect or +** This function is deprecated. Use VFY_VerifyDigestDirect or ** VFY_VerifyDigestWithAlgorithmID instead. ** "dig" the digest ** "key" the public key to check the signature with @@ -265,7 +262,7 @@ extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig); ** "wincx" void pointer to the window context **/ extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key, - SECItem *sig, SECOidTag sigAlg, void *wincx); + SECItem *sig, SECOidTag sigAlg, void *wincx); /* ** Verify the signature on a block of data for which we already have ** the digest. The signature data is an RSA private key encrypted 
@@ -274,15 +271,15 @@ extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key, ** "key" the public key to check the signature with ** "sig" the encrypted signature data ** "pubkAlg" specifies the cryptographic signing algorithm to use (the -** raw algorithm without any hash specified. This must match the key +** raw algorithm without any hash specified. This must match the key ** type. ** "hashAlg" specifies the hashing algorithm used. ** "wincx" void pointer to the window context **/ -extern SECStatus VFY_VerifyDigestDirect(const SECItem *dig, - const SECKEYPublicKey *key, - const SECItem *sig, SECOidTag pubkAlg, - SECOidTag hashAlg, void *wincx); +extern SECStatus VFY_VerifyDigestDirect(const SECItem *dig, + const SECKEYPublicKey *key, + const SECItem *sig, SECOidTag pubkAlg, + SECOidTag hashAlg, void *wincx); /* ** Verify the signature on a block of data for which we already have ** the digest. The signature data is an RSA private key encrypted @@ -297,15 +294,15 @@ extern SECStatus VFY_VerifyDigestDirect(const SECItem *dig, ** not set to SEC_OID_UNKNOWN, it must match the hash of the signature. ** "wincx" void pointer to the window context */ -extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig, - const SECKEYPublicKey *key, const SECItem *sig, - const SECAlgorithmID *algid, SECOidTag hash, - void *wincx); +extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig, + const SECKEYPublicKey *key, const SECItem *sig, + const SECAlgorithmID *algid, SECOidTag hash, + void *wincx); /* ** Verify the signature on a block of data. The signature data is an RSA ** private key encrypted block of data formatted according to PKCS#1. -** This function is deprecated. Use VFY_VerifyDataDirect or +** This function is deprecated. Use VFY_VerifyDataDirect or ** VFY_VerifyDataWithAlgorithmID instead. ** "buf" the input data ** "len" the length of the input data 
@@ -316,8 +313,8 @@ extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig, ** "wincx" void pointer to the window context */ extern SECStatus VFY_VerifyData(const unsigned char *buf, int len, - const SECKEYPublicKey *key, const SECItem *sig, - SECOidTag sigAlg, void *wincx); + const SECKEYPublicKey *key, const SECItem *sig, + SECOidTag sigAlg, void *wincx); /* ** Verify the signature on a block of data. The signature data is an RSA ** private key encrypted block of data formatted according to PKCS#1. @@ -326,9 +323,9 @@ extern SECStatus VFY_VerifyData(const unsigned char *buf, int len, ** "key" the public key to check the signature with ** "sig" the encrypted signature data ** "pubkAlg" specifies the cryptographic signing algorithm to use (the -** raw algorithm without any hash specified. This must match the key +** raw algorithm without any hash specified. This must match the key ** type. -** "hashAlg" specifies the hashing algorithm used. If the key is an +** "hashAlg" specifies the hashing algorithm used. If the key is an ** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN. ** the hash is selected from data in the sig. ** "hash" optional pointer to return the actual hash algorithm used. @@ -338,10 +335,10 @@ extern SECStatus VFY_VerifyData(const unsigned char *buf, int len, ** "wincx" void pointer to the window context */ extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len, - const SECKEYPublicKey *key, - const SECItem *sig, - SECOidTag pubkAlg, SECOidTag hashAlg, - SECOidTag *hash, void *wincx); + const SECKEYPublicKey *key, + const SECItem *sig, + SECOidTag pubkAlg, SECOidTag hashAlg, + SECOidTag *hash, void *wincx); /* ** Verify the signature on a block of data. The signature data is an RSA 
@@ -352,16 +349,15 @@ extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len, ** "sig" the encrypted signature data ** "algid" specifies the signing algorithm and parameters to use. ** This must match the key type. -** "hash" optional pointer to return the oid of the actual hash used in +** "hash" optional pointer to return the oid of the actual hash used in ** the signature. If this value is NULL no, hash oid is returned. ** "wincx" void pointer to the window context */ -extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, - int len, const SECKEYPublicKey *key, - const SECItem *sig, - const SECAlgorithmID *algid, SECOidTag *hash, - void *wincx); - +extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, + int len, const SECKEYPublicKey *key, + const SECItem *sig, + const SECAlgorithmID *algid, SECOidTag *hash, + void *wincx); SEC_END_PROTOS diff --git a/nss/lib/cryptohi/cryptoht.h b/nss/lib/cryptohi/cryptoht.h index aca4899..5780bf4 100644 --- a/nss/lib/cryptohi/cryptoht.h +++ b/nss/lib/cryptohi/cryptoht.h @@ -11,5 +11,4 @@ typedef struct SGNContextStr SGNContext; typedef struct VFYContextStr VFYContext; - #endif /* _CRYPTOHT_H_ */ diff --git a/nss/lib/cryptohi/dsautil.c b/nss/lib/cryptohi/dsautil.c index 5606379..db397df 100644 --- a/nss/lib/cryptohi/dsautil.c +++ b/nss/lib/cryptohi/dsautil.c @@ -7,7 +7,7 @@ #include "prerr.h" #ifndef DSA1_SUBPRIME_LEN -#define DSA1_SUBPRIME_LEN 20 /* bytes */ +#define DSA1_SUBPRIME_LEN 20 /* bytes */ #endif typedef struct { 
@@ -16,16 +16,16 @@ typedef struct { } DSA_ASN1Signature; const SEC_ASN1Template DSA_SignatureTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(DSA_ASN1Signature) }, - { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,r) }, - { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature,s) }, - { 0, } -}; + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(DSA_ASN1Signature) }, + { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature, r) }, + { SEC_ASN1_INTEGER, offsetof(DSA_ASN1Signature, s) }, + { 0 } + }; /* Input is variable length multi-byte integer, MSB first (big endian). -** Most signficant bit of first byte is NOT treated as a sign bit. -** May be one or more leading bytes of zeros. +** Most signficant bit of first byte is NOT treated as a sign bit. +** May be one or more leading bytes of zeros. ** Output is variable length multi-byte integer, MSB first (big endian). ** Most significant bit of first byte will be zero (positive sign bit) ** No more than one leading zero byte. @@ -37,21 +37,21 @@ DSAU_ConvertUnsignedToSigned(SECItem *dest, SECItem *src) { unsigned char *pSrc = src->data; unsigned char *pDst = dest->data; - unsigned int cntSrc = src->len; + unsigned int cntSrc = src->len; /* skip any leading zeros. */ - while (cntSrc && !(*pSrc)) { - pSrc++; - cntSrc--; + while (cntSrc && !(*pSrc)) { + pSrc++; + cntSrc--; } if (!cntSrc) { - *pDst = 0; - dest->len = 1; - return; + *pDst = 0; + dest->len = 1; + return; } if (*pSrc & 0x80) - *pDst++ = 0; + *pDst++ = 0; PORT_Memcpy(pDst, pSrc, cntSrc); dest->len = (pDst - dest->data) + cntSrc; 
@@ -71,27 +71,27 @@ DSAU_ConvertSignedToFixedUnsigned(SECItem *dest, SECItem *src) { unsigned char *pSrc = src->data; unsigned char *pDst = dest->data; - unsigned int cntSrc = src->len; - unsigned int cntDst = dest->len; - int zCount = cntDst - cntSrc; + unsigned int cntSrc = src->len; + unsigned int cntDst = dest->len; + int zCount = cntDst - cntSrc; if (zCount > 0) { - PORT_Memset(pDst, 0, zCount); - PORT_Memcpy(pDst + zCount, pSrc, cntSrc); - return SECSuccess; + PORT_Memset(pDst, 0, zCount); + PORT_Memcpy(pDst + zCount, pSrc, cntSrc); + return SECSuccess; } if (zCount <= 0) { - /* Source is longer than destination. Check for leading zeros. */ - while (zCount++ < 0) { - if (*pSrc++ != 0) - goto loser; - } + /* Source is longer than destination. Check for leading zeros. */ + while (zCount++ < 0) { + if (*pSrc++ != 0) + goto loser; + } } PORT_Memcpy(pDst, pSrc, cntDst); return SECSuccess; loser: - PORT_SetError( PR_INVALID_ARGUMENT_ERROR ); + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; } 
@@ -101,52 +101,56 @@ loser: static SECStatus common_EncodeDerSig(SECItem *dest, SECItem *src) { - SECItem * item; - SECItem srcItem; + SECItem *item; + SECItem srcItem; DSA_ASN1Signature sig; - unsigned char *signedR; - unsigned char *signedS; + unsigned char *signedR; + unsigned char *signedS; unsigned int len; /* Allocate memory with room for an extra byte that * may be required if the top bit in the first byte * is already set. */ - len = src->len/2; - signedR = (unsigned char *) PORT_Alloc(len + 1); - if (!signedR) return SECFailure; - signedS = (unsigned char *) PORT_ZAlloc(len + 1); + len = src->len / 2; + signedR = (unsigned char *)PORT_Alloc(len + 1); + if (!signedR) + return SECFailure; + signedS = (unsigned char *)PORT_ZAlloc(len + 1); if (!signedS) { - if (signedR) PORT_Free(signedR); - return SECFailure; + if (signedR) + PORT_Free(signedR); + return SECFailure; } PORT_Memset(&sig, 0, sizeof(sig)); /* Must convert r and s from "unsigned" integers to "signed" integers. ** If the high order bit of the first byte (MSB) is 1, then must - ** prepend with leading zero. + ** prepend with leading zero. ** Must remove all but one leading zero byte from numbers. */ sig.r.type = siUnsignedInteger; sig.r.data = signedR; - sig.r.len = sizeof signedR; + sig.r.len = sizeof signedR; sig.s.type = siUnsignedInteger; sig.s.data = signedS; - sig.s.len = sizeof signedR; + sig.s.len = sizeof signedR; srcItem.data = src->data; - srcItem.len = len; + srcItem.len = len; DSAU_ConvertUnsignedToSigned(&sig.r, &srcItem); srcItem.data += len; DSAU_ConvertUnsignedToSigned(&sig.s, &srcItem); item = SEC_ASN1EncodeItem(NULL, dest, &sig, DSA_SignatureTemplate); - if (signedR) PORT_Free(signedR); - if (signedS) PORT_Free(signedS); + if (signedR) + PORT_Free(signedR); + if (signedS) + PORT_Free(signedS); if (item == NULL) - return SECFailure; + return SECFailure; /* XXX leak item? */ return SECSuccess; 
@@ -161,54 +165,54 @@ common_EncodeDerSig(SECItem *dest, SECItem *src) static SECItem * common_DecodeDerSig(const SECItem *item, unsigned int len) { - SECItem * result = NULL; - SECStatus status; + SECItem *result = NULL; + SECStatus status; DSA_ASN1Signature sig; - SECItem dst; + SECItem dst; PORT_Memset(&sig, 0, sizeof(sig)); result = PORT_ZNew(SECItem); if (result == NULL) - goto loser; + goto loser; - result->len = 2 * len; - result->data = (unsigned char*)PORT_Alloc(2 * len); + result->len = 2 * len; + result->data = (unsigned char *)PORT_Alloc(2 * len); if (result->data == NULL) - goto loser; + goto loser; sig.r.type = siUnsignedInteger; sig.s.type = siUnsignedInteger; status = SEC_ASN1DecodeItem(NULL, &sig, DSA_SignatureTemplate, item); if (status != SECSuccess) - goto loser; + goto loser; - /* Convert sig.r and sig.s from variable length signed integers to + /* Convert sig.r and sig.s from variable length signed integers to ** fixed length unsigned integers. */ dst.data = result->data; - dst.len = len; + dst.len = len; status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.r); if (status != SECSuccess) - goto loser; + goto loser; dst.data += len; status = DSAU_ConvertSignedToFixedUnsigned(&dst, &sig.s); if (status != SECSuccess) - goto loser; + goto loser; done: if (sig.r.data != NULL) - PORT_Free(sig.r.data); + PORT_Free(sig.r.data); if (sig.s.data != NULL) - PORT_Free(sig.s.data); + PORT_Free(sig.s.data); return result; loser: if (result != NULL) { - SECITEM_FreeItem(result, PR_TRUE); - result = NULL; + SECITEM_FreeItem(result, PR_TRUE); + result = NULL; } goto done; } @@ -221,8 +225,8 @@ DSAU_EncodeDerSig(SECItem *dest, SECItem *src) { PORT_Assert(src->len == 2 * DSA1_SUBPRIME_LEN); if (src->len != 2 * DSA1_SUBPRIME_LEN) { - PORT_SetError( PR_INVALID_ARGUMENT_ERROR ); - return SECFailure; + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + return SECFailure; } return common_EncodeDerSig(dest, src); 
@@ -237,8 +241,8 @@ DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, unsigned int len) PORT_Assert((src->len == len) && (len % 2 == 0)); if ((src->len != len) || (src->len % 2 != 0)) { - PORT_SetError( PR_INVALID_ARGUMENT_ERROR ); - return SECFailure; + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + return SECFailure; } return common_EncodeDerSig(dest, src); @@ -263,5 +267,5 @@ DSAU_DecodeDerSig(const SECItem *item) SECItem * DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len) { - return common_DecodeDerSig(item, len/2); + return common_DecodeDerSig(item, len / 2); } diff --git a/nss/lib/cryptohi/exports.gyp b/nss/lib/cryptohi/exports.gyp new file mode 100644 index 0000000..bb91059 --- /dev/null +++ b/nss/lib/cryptohi/exports.gyp @@ -0,0 +1,37 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi' + ], + 'variables': { + 'module': 'nss' + }, + 'targets': [ + { + 'target_name': 'lib_cryptohi_exports', + 'type': 'none', + 'copies': [ + { + 'files': [ + 'cryptohi.h', + 'cryptoht.h', + 'key.h', + 'keyhi.h', + 'keyt.h', + 'keythi.h', + 'sechash.h' + ], + 'destination': '<(nss_public_dist_dir)/<(module)' + }, + { + 'files': [ + 'keyi.h', + ], + 'destination': '<(nss_private_dist_dir)/<(module)' + } + ] + } + ], +} diff --git a/nss/lib/cryptohi/keyhi.h b/nss/lib/cryptohi/keyhi.h index 0ed3698..1809900 100644 --- a/nss/lib/cryptohi/keyhi.h +++ b/nss/lib/cryptohi/keyhi.h @@ -16,7 +16,6 @@ SEC_BEGIN_PROTOS - /* ** Destroy a subject-public-key-info object. */ 
@@ -27,15 +26,15 @@ extern void SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki); ** appropriately (memory is allocated for each of the sub objects). */ extern SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena, - CERTSubjectPublicKeyInfo *dst, - CERTSubjectPublicKeyInfo *src); + CERTSubjectPublicKeyInfo *dst, + CERTSubjectPublicKeyInfo *src); /* ** Update the PQG parameters for a cert's public key. ** Only done for DSA certs */ extern SECStatus -SECKEY_UpdateCertPQG(CERTCertificate * subjectCert); +SECKEY_UpdateCertPQG(CERTCertificate *subjectCert); /* ** Return the number of bits in the provided big integer. This assumes that the @@ -77,19 +76,19 @@ extern SECKEYPublicKey *SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privateKey); * create a new RSA key pair. The private Key is returned... */ SECKEYPrivateKey *SECKEY_CreateRSAPrivateKey(int keySizeInBits, - SECKEYPublicKey **pubk, void *cx); - + SECKEYPublicKey **pubk, void *cx); + /* * create a new DH key pair. The private Key is returned... */ SECKEYPrivateKey *SECKEY_CreateDHPrivateKey(SECKEYDHParams *param, - SECKEYPublicKey **pubk, void *cx); + SECKEYPublicKey **pubk, void *cx); /* * create a new EC key pair. The private Key is returned... */ SECKEYPrivateKey *SECKEY_CreateECPrivateKey(SECKEYECParams *param, - SECKEYPublicKey **pubk, void *cx); + SECKEYPublicKey **pubk, void *cx); /* ** Create a subject-public-key-info based on a public key. @@ -103,11 +102,11 @@ SECKEY_CreateSubjectPublicKeyInfo(const SECKEYPublicKey *k); */ extern CERTSubjectPublicKeyInfo * SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge, - void *cx); + void *cx); /* ** Encode a CERTSubjectPublicKeyInfo structure. into a -** DER encoded subject public key info. +** DER encoded subject public key info. */ SECItem * SECKEY_EncodeDERSubjectPublicKeyInfo(const SECKEYPublicKey *pubk); 
@@ -139,7 +138,6 @@ SECKEY_ExtractPublicKey(const CERTSubjectPublicKeyInfo *); */ extern void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *key); - /* ** Destroy a public key object. ** "key" the object 
@@ -147,54 +145,54 @@ extern void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *key); extern void SECKEY_DestroyPublicKey(SECKEYPublicKey *key); /* Destroy and zero out a private key info structure. for now this - * function zero's out memory allocated in an arena for the key - * since PORT_FreeArena does not currently do this. + * function zero's out memory allocated in an arena for the key + * since PORT_FreeArena does not currently do this. * - * NOTE -- If a private key info is allocated in an arena, one should - * not call this function with freeit = PR_FALSE. The function should - * destroy the arena. + * NOTE -- If a private key info is allocated in an arena, one should + * not call this function with freeit = PR_FALSE. The function should + * destroy the arena. */ extern void SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk, PRBool freeit); /* Destroy and zero out an encrypted private key info. * - * NOTE -- If a encrypted private key info is allocated in an arena, one should - * not call this function with freeit = PR_FALSE. The function should - * destroy the arena. + * NOTE -- If a encrypted private key info is allocated in an arena, one should + * not call this function with freeit = PR_FALSE. The function should + * destroy the arena. */ extern void SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki, - PRBool freeit); + PRBool freeit); -/* Copy private key info structure. +/* Copy private key info structure. * poolp is the arena into which the contents of from is to be copied. * NULL is a valid entry. * to is the destination private key info * from is the source private key info - * if either from or to is NULL or an error occurs, SECFailure is + * if either from or to is NULL or an error occurs, SECFailure is * returned. otherwise, SECSuccess is returned. 
*/ extern SECStatus SECKEY_CopyPrivateKeyInfo(PLArenaPool *poolp, - SECKEYPrivateKeyInfo *to, - const SECKEYPrivateKeyInfo *from); + SECKEYPrivateKeyInfo *to, + const SECKEYPrivateKeyInfo *from); extern SECStatus -SECKEY_CacheStaticFlags(SECKEYPrivateKey* key); +SECKEY_CacheStaticFlags(SECKEYPrivateKey *key); -/* Copy encrypted private key info structure. +/* Copy encrypted private key info structure. * poolp is the arena into which the contents of from is to be copied. * NULL is a valid entry. * to is the destination encrypted private key info * from is the source encrypted private key info - * if either from or to is NULL or an error occurs, SECFailure is + * if either from or to is NULL or an error occurs, SECFailure is * returned. otherwise, SECSuccess is returned. */ extern SECStatus SECKEY_CopyEncryptedPrivateKeyInfo(PLArenaPool *poolp, - SECKEYEncryptedPrivateKeyInfo *to, - const SECKEYEncryptedPrivateKeyInfo *from); + SECKEYEncryptedPrivateKeyInfo *to, + const SECKEYEncryptedPrivateKeyInfo *from); /* * Accessor functions for key type of public and private keys. */ @@ -205,10 +203,10 @@ KeyType SECKEY_GetPublicKeyType(const SECKEYPublicKey *pubKey); * Creates a PublicKey from its DER encoding. * Currently only supports RSA, DSA, and DH keys. */ -SECKEYPublicKey* +SECKEYPublicKey * SECKEY_ImportDERPublicKey(const SECItem *derKey, CK_KEY_TYPE type); -SECKEYPrivateKeyList* +SECKEYPrivateKeyList * SECKEY_NewPrivateKeyList(void); void 
@@ -218,14 +216,14 @@ void SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node); SECStatus -SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list, - SECKEYPrivateKey *key); +SECKEY_AddPrivateKeyToListTail(SECKEYPrivateKeyList *list, + SECKEYPrivateKey *key); -#define PRIVKEY_LIST_HEAD(l) ((SECKEYPrivateKeyListNode*)PR_LIST_HEAD(&l->list)) +#define PRIVKEY_LIST_HEAD(l) ((SECKEYPrivateKeyListNode *)PR_LIST_HEAD(&l->list)) #define PRIVKEY_LIST_NEXT(n) ((SECKEYPrivateKeyListNode *)n->links.next) -#define PRIVKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list)) +#define PRIVKEY_LIST_END(n, l) (((void *)n) == ((void *)&l->list)) -SECKEYPublicKeyList* +SECKEYPublicKeyList * SECKEY_NewPublicKeyList(void); void @@ -235,12 +233,12 @@ void SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node); SECStatus -SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list, - SECKEYPublicKey *key); +SECKEY_AddPublicKeyToListTail(SECKEYPublicKeyList *list, + SECKEYPublicKey *key); -#define PUBKEY_LIST_HEAD(l) ((SECKEYPublicKeyListNode*)PR_LIST_HEAD(&l->list)) +#define PUBKEY_LIST_HEAD(l) ((SECKEYPublicKeyListNode *)PR_LIST_HEAD(&l->list)) #define PUBKEY_LIST_NEXT(n) ((SECKEYPublicKeyListNode *)n->links.next) -#define PUBKEY_LIST_END(n,l) (((void *)n) == ((void *)&l->list)) +#define PUBKEY_LIST_END(n, l) (((void *)n) == ((void *)&l->list)) /* * Length in bits of the EC's field size. This is also the length of @@ -266,7 +264,7 @@ extern int SECKEY_ECParamsToBasePointOrderLen(const SECItem *params); * * Return 0 on failure (unknown EC domain parameters). */ -SECOidTag SECKEY_GetECCOid(const SECKEYECParams * params); +SECOidTag SECKEY_GetECCOid(const SECKEYECParams *params); SEC_END_PROTOS diff --git a/nss/lib/cryptohi/keyi.h b/nss/lib/cryptohi/keyi.h index 7d0304e..374a4ad 100644 --- a/nss/lib/cryptohi/keyi.h +++ b/nss/lib/cryptohi/keyi.h 
@@ -5,7 +5,6 @@ #ifndef _KEYI_H_ #define _KEYI_H_ - SEC_BEGIN_PROTOS /* NSS private functions */ /* map an oid to a keytype... actually this function and it's converse @@ -16,7 +15,14 @@ KeyType seckey_GetKeyType(SECOidTag pubKeyOid); * algorithm, key and parameters (parameters is the parameters field * of a algorithm ID structure (SECAlgorithmID)*/ SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg); + const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg); + +/* + * Set the point encoding of a SECKEYPublicKey from the OID. + * This has to be called on any SECKEYPublicKey holding a SECKEYECPublicKey + * before it can be used. The encoding is used to dermine the public key size. + */ +SECStatus seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey); SEC_END_PROTOS diff --git a/nss/lib/cryptohi/keythi.h b/nss/lib/cryptohi/keythi.h index 9b9a278..1555ce2 100644 --- a/nss/lib/cryptohi/keythi.h +++ b/nss/lib/cryptohi/keythi.h @@ -4,6 +4,7 @@ #ifndef _KEYTHI_H_ #define _KEYTHI_H_ 1 +#include "eccutil.h" #include "plarena.h" #include "pkcs11t.h" #include "secmodt.h" @@ -21,14 +22,14 @@ ** ** rsaOaepKey maps to keys with SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION and may only ** be used for encryption with OAEP padding (PKCS #1 v2.1). -*/ +*/ -typedef enum { - nullKey = 0, - rsaKey = 1, - dsaKey = 2, +typedef enum { + nullKey = 0, + rsaKey = 1, + dsaKey = 2, fortezzaKey = 3, /* deprecated */ - dhKey = 4, + dhKey = 4, keaKey = 5, /* deprecated */ ecKey = 6, rsaPssKey = 7, 
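Review bot: The comment added above `seckey_SetPointEncoding` in keyi.h (hunk `-16,7 +15,14`) states a precondition, that it must be called on every `SECKEYPublicKey` holding an EC key before use, but does not say what the `SECStatus` result means or what a caller must do with the key when the call fails. Because the comment itself says the encoding determines the public key size, a caller that skips the call or ignores a failure would presumably size the key from an unset field; the definition is outside this page, so that is inferred. I would add a line such as `* On SECFailure the key must not be used.` once that is confirmed against the implementation, and correct the spelling `dermine` to `determine`.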
@@ -54,20 +55,19 @@ SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPublicKeyTemplate) SEC_ASN1_CHOOSER_DECLARE(SECKEY_RSAPSSParamsTemplate) SEC_END_PROTOS - /* ** RSA Public Key structures -** member names from PKCS#1, section 7.1 +** member names from PKCS#1, section 7.1 */ struct SECKEYRSAPublicKeyStr { - PLArenaPool * arena; + PLArenaPool *arena; SECItem modulus; SECItem publicExponent; }; typedef struct SECKEYRSAPublicKeyStr SECKEYRSAPublicKey; -/* +/* ** RSA-PSS parameters */ struct SECKEYRSAPSSParamsStr { @@ -97,20 +97,19 @@ struct SECKEYDSAPublicKeyStr { }; typedef struct SECKEYDSAPublicKeyStr SECKEYDSAPublicKey; - /* ** Diffie-Hellman Public Key structure ** Structure member names suggested by PKCS#3. */ struct SECKEYDHParamsStr { - PLArenaPool * arena; + PLArenaPool *arena; SECItem prime; /* p */ - SECItem base; /* g */ + SECItem base; /* g */ }; typedef struct SECKEYDHParamsStr SECKEYDHParams; struct SECKEYDHPublicKeyStr { - PLArenaPool * arena; + PLArenaPool *arena; SECItem prime; SECItem base; SECItem publicValue; @@ -126,14 +125,9 @@ typedef SECItem SECKEYECParams; struct SECKEYECPublicKeyStr { SECKEYECParams DEREncodedParams; - int size; /* size in bits */ - SECItem publicValue; /* encoded point */ - /* XXX Even though the PKCS#11 interface takes encoded parameters, - * we may still wish to decode them above PKCS#11 for things like - * printing key information. For named curves, which is what - * we initially support, we ought to have the curve name at the - * very least. - */ + int size; /* size in bits */ + SECItem publicValue; /* encoded point */ + ECPointEncoding encoding; }; typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey; @@ -141,9 +135,9 @@ typedef struct SECKEYECPublicKeyStr SECKEYECPublicKey; ** FORTEZZA Public Key structures */ struct SECKEYFortezzaPublicKeyStr { - int KEAversion; - int DSSversion; - unsigned char KMID[8]; + int KEAversion; + int DSSversion; + unsigned char KMID[8]; SECItem clearance; SECItem KEApriviledge; SECItem DSSpriviledge; 
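Review bot: The new `ECPointEncoding encoding;` member of `SECKEYECPublicKeyStr` (keythi.h, hunk `-126,14 +125,9`) carries no comment, unlike `size` and `publicValue` beside it, and nothing in the struct says who is responsible for setting it. keyi.h in this same commit says the encoding is set by `seckey_SetPointEncoding` and is used to determine the key size, so code that fills this struct by hand would leave the field at whatever the allocation left there; whether such a caller exists is not visible on this page. I would document the invariant in place: `ECPointEncoding encoding; /* set by seckey_SetPointEncoding(); must be valid before size is relied on */`. keythi.h is one of the files exports.gyp copies to the public dist directory and it now includes `eccutil.h` (hunk `-4,6 +4,7`), so that header has to be installed for the same consumers.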
@@ -173,7 +167,7 @@ struct SECKEYKEAParamsStr {
 SECItem hash;
 };
 typedef struct SECKEYKEAParamsStr SECKEYKEAParams;
-
+
 struct SECKEYKEAPublicKeyStr {
 SECKEYKEAParams params;
 SECItem publicValue;
@@ -190,48 +184,44 @@ struct SECKEYPublicKeyStr { CK_OBJECT_HANDLE pkcs11ID; union { SECKEYRSAPublicKey rsa; - SECKEYDSAPublicKey dsa; - SECKEYDHPublicKey dh; + SECKEYDSAPublicKey dsa; + SECKEYDHPublicKey dh; SECKEYKEAPublicKey kea; SECKEYFortezzaPublicKey fortezza; - SECKEYECPublicKey ec; + SECKEYECPublicKey ec; } u; }; typedef struct SECKEYPublicKeyStr SECKEYPublicKey; /* bit flag definitions for staticflags */ -#define SECKEY_Attributes_Cached 0x1 /* bit 0 states - whether attributes are cached */ -#define SECKEY_CKA_PRIVATE (1U << 1) /* bit 1 is the value of CKA_PRIVATE */ -#define SECKEY_CKA_ALWAYS_AUTHENTICATE (1U << 2) +#define SECKEY_Attributes_Cached 0x1 /* bit 0 states \ + whether attributes are cached */ +#define SECKEY_CKA_PRIVATE (1U << 1) /* bit 1 is the value of CKA_PRIVATE */ +#define SECKEY_CKA_ALWAYS_AUTHENTICATE (1U << 2) #define SECKEY_ATTRIBUTES_CACHED(key) \ - (0 != (key->staticflags & SECKEY_Attributes_Cached)) + (0 != (key->staticflags & SECKEY_Attributes_Cached)) -#define SECKEY_ATTRIBUTE_VALUE(key,attribute) \ - (0 != (key->staticflags & SECKEY_##attribute)) +#define SECKEY_ATTRIBUTE_VALUE(key, attribute) \ + (0 != (key->staticflags & SECKEY_##attribute)) -#define SECKEY_HAS_ATTRIBUTE_SET(key,attribute) \ - (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \ - (0 != (key->staticflags & SECKEY_##attribute)) : \ - PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, PR_FALSE) +#define SECKEY_HAS_ATTRIBUTE_SET(key, attribute) \ + (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE) -#define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key,attribute, haslock) \ - (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? 
\ - (0 != (key->staticflags & SECKEY_##attribute)) : \ - PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, haslock) +#define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \ + (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock) /* ** A generic key structure -*/ +*/ struct SECKEYPrivateKeyStr { PLArenaPool *arena; KeyType keyType; - PK11SlotInfo *pkcs11Slot; /* pkcs11 slot this key lives in */ - CK_OBJECT_HANDLE pkcs11ID; /* ID of pkcs11 object */ - PRBool pkcs11IsTemp; /* temp pkcs11 object, delete it when done */ - void *wincx; /* context for errors and pw prompts */ - PRUint32 staticflags; /* bit flag of cached PKCS#11 attributes */ + PK11SlotInfo *pkcs11Slot; /* pkcs11 slot this key lives in */ + CK_OBJECT_HANDLE pkcs11ID; /* ID of pkcs11 object */ + PRBool pkcs11IsTemp; /* temp pkcs11 object, delete it when done */ + void *wincx; /* context for errors and pw prompts */ + PRUint32 staticflags; /* bit flag of cached PKCS#11 attributes */ }; typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey; @@ -255,4 +245,3 @@ typedef struct { PLArenaPool *arena; } SECKEYPublicKeyList; #endif /* _KEYTHI_H_ */ - diff --git a/nss/lib/cryptohi/manifest.mn b/nss/lib/cryptohi/manifest.mn index 2050b15..896c7ad 100644 --- a/nss/lib/cryptohi/manifest.mn +++ b/nss/lib/cryptohi/manifest.mn @@ -6,6 +6,8 @@ CORE_DEPTH = ../.. MODULE = nss +REQUIRES = nssutil + LIBRARY_NAME = cryptohi EXPORTS = \ @@ -19,6 +21,7 @@ EXPORTS = \ $(NULL) PRIVATE_EXPORTS = \ + keyi.h \ $(NULL) CSRCS = \ diff --git a/nss/lib/cryptohi/sechash.c b/nss/lib/cryptohi/sechash.c index b9476c4..b126211 100644 --- a/nss/lib/cryptohi/sechash.c +++ b/nss/lib/cryptohi/sechash.c 
@@ -5,7 +5,7 @@
 #include "secoidt.h"
 #include "secerr.h"
 #include "blapi.h"
-#include "pk11func.h" /* for the PK11_ calls below. */
+#include "pk11func.h" /* for the PK11_ calls below. */
 
 static void *
 null_hash_new_context(void)
@@ -32,7 +32,7 @@ null_hash_update(void *v, const unsigned char *input, unsigned int length)
 
 static void
 null_hash_end(void *v, unsigned char *output, unsigned int *outLen,
- unsigned int maxOut)
+ unsigned int maxOut)
 {
 *outLen = 0;
 }
@@ -43,134 +43,132 @@ null_hash_destroy_context(void *v, PRBool b) PORT_Assert(v == NULL); } - static void * -md2_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_MD2); +md2_NewContext(void) +{ + return (void *)PK11_CreateDigestContext(SEC_OID_MD2); } static void * -md5_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_MD5); +md5_NewContext(void) +{ + return (void *)PK11_CreateDigestContext(SEC_OID_MD5); } static void * -sha1_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_SHA1); +sha1_NewContext(void) +{ + return (void *)PK11_CreateDigestContext(SEC_OID_SHA1); } static void * -sha224_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_SHA224); +sha224_NewContext(void) +{ + return (void *)PK11_CreateDigestContext(SEC_OID_SHA224); } static void * -sha256_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_SHA256); +sha256_NewContext(void) +{ + return (void *)PK11_CreateDigestContext(SEC_OID_SHA256); } static void * -sha384_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_SHA384); +sha384_NewContext(void) +{ + return (void *)PK11_CreateDigestContext(SEC_OID_SHA384); } static void * -sha512_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_SHA512); +sha512_NewContext(void) +{ + return (void *)PK11_CreateDigestContext(SEC_OID_SHA512); } const SECHashObject SECHashObjects[] = { - { 0, - (void * (*)(void)) null_hash_new_context, - (void * (*)(void *)) null_hash_clone_context, - (void (*)(void *, PRBool)) null_hash_destroy_context, - (void (*)(void *)) null_hash_begin, - (void (*)(void *, const unsigned char *, unsigned int)) null_hash_update, - (void (*)(void *, unsigned char *, unsigned int *, - unsigned int)) null_hash_end, - 0, - HASH_AlgNULL - }, - { MD2_LENGTH, - (void * (*)(void)) md2_NewContext, - (void * (*)(void *)) PK11_CloneContext, - (void (*)(void *, PRBool)) PK11_DestroyContext, - (void (*)(void *)) PK11_DigestBegin, - 
(void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp, - (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) - PK11_DigestFinal, - MD2_BLOCK_LENGTH, - HASH_AlgMD2 - }, - { MD5_LENGTH, - (void * (*)(void)) md5_NewContext, - (void * (*)(void *)) PK11_CloneContext, - (void (*)(void *, PRBool)) PK11_DestroyContext, - (void (*)(void *)) PK11_DigestBegin, - (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp, - (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) - PK11_DigestFinal, - MD5_BLOCK_LENGTH, - HASH_AlgMD5 - }, - { SHA1_LENGTH, - (void * (*)(void)) sha1_NewContext, - (void * (*)(void *)) PK11_CloneContext, - (void (*)(void *, PRBool)) PK11_DestroyContext, - (void (*)(void *)) PK11_DigestBegin, - (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp, - (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) - PK11_DigestFinal, - SHA1_BLOCK_LENGTH, - HASH_AlgSHA1 - }, - { SHA256_LENGTH, - (void * (*)(void)) sha256_NewContext, - (void * (*)(void *)) PK11_CloneContext, - (void (*)(void *, PRBool)) PK11_DestroyContext, - (void (*)(void *)) PK11_DigestBegin, - (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp, - (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) - PK11_DigestFinal, - SHA256_BLOCK_LENGTH, - HASH_AlgSHA256 - }, - { SHA384_LENGTH, - (void * (*)(void)) sha384_NewContext, - (void * (*)(void *)) PK11_CloneContext, - (void (*)(void *, PRBool)) PK11_DestroyContext, - (void (*)(void *)) PK11_DigestBegin, - (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp, - (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) - PK11_DigestFinal, - SHA384_BLOCK_LENGTH, - HASH_AlgSHA384 - }, - { SHA512_LENGTH, - (void * (*)(void)) sha512_NewContext, - (void * (*)(void *)) PK11_CloneContext, - (void (*)(void *, PRBool)) PK11_DestroyContext, - (void (*)(void *)) PK11_DigestBegin, - (void (*)(void *, const unsigned char *, 
unsigned int)) PK11_DigestOp, - (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) - PK11_DigestFinal, - SHA512_BLOCK_LENGTH, - HASH_AlgSHA512 - }, - { SHA224_LENGTH, - (void * (*)(void)) sha224_NewContext, - (void * (*)(void *)) PK11_CloneContext, - (void (*)(void *, PRBool)) PK11_DestroyContext, - (void (*)(void *)) PK11_DigestBegin, - (void (*)(void *, const unsigned char *, unsigned int)) PK11_DigestOp, - (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) - PK11_DigestFinal, - SHA224_BLOCK_LENGTH, - HASH_AlgSHA224 - }, + { 0, + (void *(*)(void))null_hash_new_context, + (void *(*)(void *))null_hash_clone_context, + (void (*)(void *, PRBool))null_hash_destroy_context, + (void (*)(void *))null_hash_begin, + (void (*)(void *, const unsigned char *, unsigned int))null_hash_update, + (void (*)(void *, unsigned char *, unsigned int *, + unsigned int))null_hash_end, + 0, + HASH_AlgNULL }, + { MD2_LENGTH, + (void *(*)(void))md2_NewContext, + (void *(*)(void *))PK11_CloneContext, + (void (*)(void *, PRBool))PK11_DestroyContext, + (void (*)(void *))PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int))PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + PK11_DigestFinal, + MD2_BLOCK_LENGTH, + HASH_AlgMD2 }, + { MD5_LENGTH, + (void *(*)(void))md5_NewContext, + (void *(*)(void *))PK11_CloneContext, + (void (*)(void *, PRBool))PK11_DestroyContext, + (void (*)(void *))PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int))PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + PK11_DigestFinal, + MD5_BLOCK_LENGTH, + HASH_AlgMD5 }, + { SHA1_LENGTH, + (void *(*)(void))sha1_NewContext, + (void *(*)(void *))PK11_CloneContext, + (void (*)(void *, PRBool))PK11_DestroyContext, + (void (*)(void *))PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int))PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + 
PK11_DigestFinal, + SHA1_BLOCK_LENGTH, + HASH_AlgSHA1 }, + { SHA256_LENGTH, + (void *(*)(void))sha256_NewContext, + (void *(*)(void *))PK11_CloneContext, + (void (*)(void *, PRBool))PK11_DestroyContext, + (void (*)(void *))PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int))PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + PK11_DigestFinal, + SHA256_BLOCK_LENGTH, + HASH_AlgSHA256 }, + { SHA384_LENGTH, + (void *(*)(void))sha384_NewContext, + (void *(*)(void *))PK11_CloneContext, + (void (*)(void *, PRBool))PK11_DestroyContext, + (void (*)(void *))PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int))PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + PK11_DigestFinal, + SHA384_BLOCK_LENGTH, + HASH_AlgSHA384 }, + { SHA512_LENGTH, + (void *(*)(void))sha512_NewContext, + (void *(*)(void *))PK11_CloneContext, + (void (*)(void *, PRBool))PK11_DestroyContext, + (void (*)(void *))PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int))PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + PK11_DigestFinal, + SHA512_BLOCK_LENGTH, + HASH_AlgSHA512 }, + { SHA224_LENGTH, + (void *(*)(void))sha224_NewContext, + (void *(*)(void *))PK11_CloneContext, + (void (*)(void *, PRBool))PK11_DestroyContext, + (void (*)(void *))PK11_DigestBegin, + (void (*)(void *, const unsigned char *, unsigned int))PK11_DigestOp, + (void (*)(void *, unsigned char *, unsigned int *, unsigned int)) + PK11_DigestFinal, + SHA224_BLOCK_LENGTH, + HASH_AlgSHA224 }, }; -const SECHashObject * +const SECHashObject * HASH_GetHashObject(HASH_HashType type) { return &SECHashObjects[type]; 
@@ -179,19 +177,34 @@ HASH_GetHashObject(HASH_HashType type)
 HASH_HashType
 HASH_GetHashTypeByOidTag(SECOidTag hashOid)
 {
- HASH_HashType ht = HASH_AlgNULL;
-
- switch(hashOid) {
- case SEC_OID_MD2: ht = HASH_AlgMD2; break;
- case SEC_OID_MD5: ht = HASH_AlgMD5; break;
- case SEC_OID_SHA1: ht = HASH_AlgSHA1; break;
- case SEC_OID_SHA224: ht = HASH_AlgSHA224; break;
- case SEC_OID_SHA256: ht = HASH_AlgSHA256; break;
- case SEC_OID_SHA384: ht = HASH_AlgSHA384; break;
- case SEC_OID_SHA512: ht = HASH_AlgSHA512; break;
- default: ht = HASH_AlgNULL;
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- break;
+ HASH_HashType ht = HASH_AlgNULL;
+
+ switch (hashOid) {
+ case SEC_OID_MD2:
+ ht = HASH_AlgMD2;
+ break;
+ case SEC_OID_MD5:
+ ht = HASH_AlgMD5;
+ break;
+ case SEC_OID_SHA1:
+ ht = HASH_AlgSHA1;
+ break;
+ case SEC_OID_SHA224:
+ ht = HASH_AlgSHA224;
+ break;
+ case SEC_OID_SHA256:
+ ht = HASH_AlgSHA256;
+ break;
+ case SEC_OID_SHA384:
+ ht = HASH_AlgSHA384;
+ break;
+ case SEC_OID_SHA512:
+ ht = HASH_AlgSHA512;
+ break;
+ default:
+ ht = HASH_AlgNULL;
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ break;
 }
 return ht;
 }
@@ -201,17 +214,28 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
 {
 SECOidTag hashOid = SEC_OID_UNKNOWN;
 
- switch(hmacOid) {
- /* no oid exists for HMAC_MD2 */
- /* NSS does not define a oid for HMAC_MD4 */
- case SEC_OID_HMAC_SHA1: hashOid = SEC_OID_SHA1; break;
- case SEC_OID_HMAC_SHA224: hashOid = SEC_OID_SHA224; break;
- case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break;
- case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break;
- case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break;
- default: hashOid = SEC_OID_UNKNOWN;
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- break;
+ switch (hmacOid) {
+ /* no oid exists for HMAC_MD2 */
+ /* NSS does not define a oid for HMAC_MD4 */
+ case SEC_OID_HMAC_SHA1:
+ hashOid = SEC_OID_SHA1;
+ break;
+ case SEC_OID_HMAC_SHA224:
+ hashOid = SEC_OID_SHA224;
+ break;
+ case SEC_OID_HMAC_SHA256:
+ hashOid = SEC_OID_SHA256;
+ break;
+ case SEC_OID_HMAC_SHA384:
+ hashOid = SEC_OID_SHA384;
+ break;
+ case SEC_OID_HMAC_SHA512:
+ hashOid = SEC_OID_SHA512;
+ break;
+ default:
+ hashOid = SEC_OID_UNKNOWN;
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ break;
 }
 return hashOid;
 }
@@ -221,25 +245,36 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid) { SECOidTag hmacOid = SEC_OID_UNKNOWN; - switch(hashOid) { - /* no oid exists for HMAC_MD2 */ - /* NSS does not define a oid for HMAC_MD4 */ - case SEC_OID_SHA1: hmacOid = SEC_OID_HMAC_SHA1; break; - case SEC_OID_SHA224: hmacOid = SEC_OID_HMAC_SHA224; break; - case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break; - case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break; - case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break; - default: hmacOid = SEC_OID_UNKNOWN; - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - break; + switch (hashOid) { + /* no oid exists for HMAC_MD2 */ + /* NSS does not define a oid for HMAC_MD4 */ + case SEC_OID_SHA1: + hmacOid = SEC_OID_HMAC_SHA1; + break; + case SEC_OID_SHA224: + hmacOid = SEC_OID_HMAC_SHA224; + break; + case SEC_OID_SHA256: + hmacOid = SEC_OID_HMAC_SHA256; + break; + case SEC_OID_SHA384: + hmacOid = SEC_OID_HMAC_SHA384; + break; + case SEC_OID_SHA512: + hmacOid = SEC_OID_HMAC_SHA512; + break; + default: + hmacOid = SEC_OID_UNKNOWN; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + break; } return hmacOid; } -const SECHashObject * +const SECHashObject * HASH_GetHashObjectByOidTag(SECOidTag hashOid) { - HASH_HashType ht = HASH_GetHashTypeByOidTag(hashOid); + HASH_HashType ht = HASH_GetHashTypeByOidTag(hashOid); return (ht == HASH_AlgNULL) ? NULL : &SECHashObjects[ht]; } @@ -248,11 +283,11 @@ HASH_GetHashObjectByOidTag(SECOidTag hashOid) unsigned int HASH_ResultLenByOidTag(SECOidTag hashOid) { - const SECHashObject * hashObject = HASH_GetHashObjectByOidTag(hashOid); - unsigned int resultLen = 0; + const SECHashObject *hashObject = HASH_GetHashObjectByOidTag(hashOid); + unsigned int resultLen = 0; if (hashObject) - resultLen = hashObject->length; + resultLen = hashObject->length; return resultLen; } 
@@ -260,45 +295,43 @@ HASH_ResultLenByOidTag(SECOidTag hashOid) unsigned int HASH_ResultLen(HASH_HashType type) { - if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return(0); + if ((type < HASH_AlgNULL) || (type >= HASH_AlgTOTAL)) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return (0); } - - return(SECHashObjects[type].length); + + return (SECHashObjects[type].length); } unsigned int HASH_ResultLenContext(HASHContext *context) { - return(context->hashobj->length); + return (context->hashobj->length); } - - SECStatus HASH_HashBuf(HASH_HashType type, - unsigned char *dest, - const unsigned char *src, - PRUint32 src_len) + unsigned char *dest, + const unsigned char *src, + PRUint32 src_len) { HASHContext *cx; unsigned int part; - - if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) { - return(SECFailure); + + if ((type < HASH_AlgNULL) || (type >= HASH_AlgTOTAL)) { + return (SECFailure); } - + cx = HASH_Create(type); - if ( cx == NULL ) { - return(SECFailure); + if (cx == NULL) { + return (SECFailure); } HASH_Begin(cx); HASH_Update(cx, src, src_len); HASH_End(cx, dest, &part, HASH_ResultLenContext(cx)); HASH_Destroy(cx); - return(SECSuccess); + return (SECSuccess); } HASHContext * 
@@ -306,104 +339,100 @@ HASH_Create(HASH_HashType type) { void *hash_context = NULL; HASHContext *ret = NULL; - - if ( ( type < HASH_AlgNULL ) || ( type >= HASH_AlgTOTAL ) ) { - return(NULL); + + if ((type < HASH_AlgNULL) || (type >= HASH_AlgTOTAL)) { + return (NULL); } - - hash_context = (* SECHashObjects[type].create)(); - if ( hash_context == NULL ) { - goto loser; + + hash_context = (*SECHashObjects[type].create)(); + if (hash_context == NULL) { + goto loser; } ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext)); - if ( ret == NULL ) { - goto loser; + if (ret == NULL) { + goto loser; } ret->hash_context = hash_context; ret->hashobj = &SECHashObjects[type]; - - return(ret); - + + return (ret); + loser: - if ( hash_context != NULL ) { - (* SECHashObjects[type].destroy)(hash_context, PR_TRUE); + if (hash_context != NULL) { + (*SECHashObjects[type].destroy)(hash_context, PR_TRUE); } - - return(NULL); -} + return (NULL); +} HASHContext * HASH_Clone(HASHContext *context) { void *hash_context = NULL; HASHContext *ret = NULL; - - hash_context = (* context->hashobj->clone)(context->hash_context); - if ( hash_context == NULL ) { - goto loser; + + hash_context = (*context->hashobj->clone)(context->hash_context); + if (hash_context == NULL) { + goto loser; } ret = (HASHContext *)PORT_Alloc(sizeof(HASHContext)); - if ( ret == NULL ) { - goto loser; + if (ret == NULL) { + goto loser; } ret->hash_context = hash_context; ret->hashobj = context->hashobj; - - return(ret); - + + return (ret); + loser: - if ( hash_context != NULL ) { - (* context->hashobj->destroy)(hash_context, PR_TRUE); + if (hash_context != NULL) { + (*context->hashobj->destroy)(hash_context, PR_TRUE); } - - return(NULL); + return (NULL); } void HASH_Destroy(HASHContext *context) { - (* context->hashobj->destroy)(context->hash_context, PR_TRUE); + (*context->hashobj->destroy)(context->hash_context, PR_TRUE); PORT_Free(context); return; } - void HASH_Begin(HASHContext *context) { - (* 
context->hashobj->begin)(context->hash_context); + (*context->hashobj->begin)(context->hash_context); return; } - void HASH_Update(HASHContext *context, - const unsigned char *src, - unsigned int len) + const unsigned char *src, + unsigned int len) { - (* context->hashobj->update)(context->hash_context, src, len); + (*context->hashobj->update)(context->hash_context, src, len); return; } void HASH_End(HASHContext *context, - unsigned char *result, - unsigned int *result_len, - unsigned int max_result_len) + unsigned char *result, + unsigned int *result_len, + unsigned int max_result_len) { - (* context->hashobj->end)(context->hash_context, result, result_len, - max_result_len); + (*context->hashobj->end)(context->hash_context, result, result_len, + max_result_len); return; } HASH_HashType HASH_GetType(HASHContext *context) { - return(context->hashobj->type); + return (context->hashobj->type); } diff --git a/nss/lib/cryptohi/sechash.h b/nss/lib/cryptohi/sechash.h index 5c58551..94ff7ed 100644 --- a/nss/lib/cryptohi/sechash.h +++ b/nss/lib/cryptohi/sechash.h 
@@ -12,42 +12,42 @@ SEC_BEGIN_PROTOS /* -** Generic hash api. +** Generic hash api. */ -extern unsigned int HASH_ResultLen(HASH_HashType type); +extern unsigned int HASH_ResultLen(HASH_HashType type); -extern unsigned int HASH_ResultLenContext(HASHContext *context); +extern unsigned int HASH_ResultLenContext(HASHContext *context); -extern unsigned int HASH_ResultLenByOidTag(SECOidTag hashOid); +extern unsigned int HASH_ResultLenByOidTag(SECOidTag hashOid); -extern SECStatus HASH_HashBuf(HASH_HashType type, - unsigned char *dest, - const unsigned char *src, - PRUint32 src_len); +extern SECStatus HASH_HashBuf(HASH_HashType type, + unsigned char *dest, + const unsigned char *src, + PRUint32 src_len); -extern HASHContext * HASH_Create(HASH_HashType type); +extern HASHContext *HASH_Create(HASH_HashType type); -extern HASHContext * HASH_Clone(HASHContext *context); +extern HASHContext *HASH_Clone(HASHContext *context); -extern void HASH_Destroy(HASHContext *context); +extern void HASH_Destroy(HASHContext *context); -extern void HASH_Begin(HASHContext *context); +extern void HASH_Begin(HASHContext *context); -extern void HASH_Update(HASHContext *context, - const unsigned char *src, - unsigned int len); +extern void HASH_Update(HASHContext *context, + const unsigned char *src, + unsigned int len); + +extern void HASH_End(HASHContext *context, + unsigned char *result, + unsigned int *result_len, + unsigned int max_result_len); -extern void HASH_End(HASHContext *context, - unsigned char *result, - unsigned int *result_len, - unsigned int max_result_len); - extern HASH_HashType HASH_GetType(HASHContext *context); -extern const SECHashObject * HASH_GetHashObject(HASH_HashType type); +extern const SECHashObject *HASH_GetHashObject(HASH_HashType type); -extern const SECHashObject * HASH_GetHashObjectByOidTag(SECOidTag hashOid); +extern const SECHashObject *HASH_GetHashObjectByOidTag(SECOidTag hashOid); extern HASH_HashType HASH_GetHashTypeByOidTag(SECOidTag hashOid); extern 
SECOidTag HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid); diff --git a/nss/lib/cryptohi/seckey.c b/nss/lib/cryptohi/seckey.c index 1fcd408..1f053e5 100644 --- a/nss/lib/cryptohi/seckey.c +++ b/nss/lib/cryptohi/seckey.c @@ -20,28 +20,28 @@ SEC_ASN1_MKSUB(SEC_IntegerTemplate) const SEC_ASN1Template CERT_SubjectPublicKeyInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTSubjectPublicKeyInfo) }, + 0, NULL, sizeof(CERTSubjectPublicKeyInfo) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTSubjectPublicKeyInfo,algorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(CERTSubjectPublicKeyInfo, algorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_BIT_STRING, - offsetof(CERTSubjectPublicKeyInfo,subjectPublicKey), }, - { 0, } + offsetof(CERTSubjectPublicKeyInfo, subjectPublicKey) }, + { 0 } }; const SEC_ASN1Template CERT_PublicKeyAndChallengeTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPublicKeyAndChallenge) }, - { SEC_ASN1_ANY, offsetof(CERTPublicKeyAndChallenge,spki) }, - { SEC_ASN1_IA5_STRING, offsetof(CERTPublicKeyAndChallenge,challenge) }, - { 0 } -}; + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTPublicKeyAndChallenge) }, + { SEC_ASN1_ANY, offsetof(CERTPublicKeyAndChallenge, spki) }, + { SEC_ASN1_IA5_STRING, offsetof(CERTPublicKeyAndChallenge, challenge) }, + { 0 } + }; const SEC_ASN1Template SECKEY_RSAPublicKeyTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.modulus), }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.rsa.publicExponent), }, - { 0, } + { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey, u.rsa.modulus) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey, u.rsa.publicExponent) }, + { 0 } }; static const SEC_ASN1Template seckey_PointerToAlgorithmIDTemplate[] = { 
@@ -51,52 +51,52 @@ static const SEC_ASN1Template seckey_PointerToAlgorithmIDTemplate[] = { /* Parameters for SEC_OID_PKCS1_RSA_PSS_SIGNATURE */ const SEC_ASN1Template SECKEY_RSAPSSParamsTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRSAPSSParams) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(SECKEYRSAPSSParams, hashAlg), - seckey_PointerToAlgorithmIDTemplate }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(SECKEYRSAPSSParams, maskAlg), - seckey_PointerToAlgorithmIDTemplate }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | - SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 2, - offsetof(SECKEYRSAPSSParams, saltLength), - SEC_ASN1_SUB(SEC_IntegerTemplate) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | - SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 3, - offsetof(SECKEYRSAPSSParams, trailerField), - SEC_ASN1_SUB(SEC_IntegerTemplate) }, - { 0 } -}; + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRSAPSSParams) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(SECKEYRSAPSSParams, hashAlg), + seckey_PointerToAlgorithmIDTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(SECKEYRSAPSSParams, maskAlg), + seckey_PointerToAlgorithmIDTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 2, + offsetof(SECKEYRSAPSSParams, saltLength), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | + SEC_ASN1_XTRN | SEC_ASN1_CONTEXT_SPECIFIC | 3, + offsetof(SECKEYRSAPSSParams, trailerField), + SEC_ASN1_SUB(SEC_IntegerTemplate) }, + { 0 } + }; const SEC_ASN1Template SECKEY_DSAPublicKeyTemplate[] = { - { SEC_ASN1_INTEGER, 
offsetof(SECKEYPublicKey,u.dsa.publicValue), }, - { 0, } + { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey, u.dsa.publicValue) }, + { 0 } }; const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = { { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) }, - { 0, } + { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams, prime) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams, subPrime) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams, base) }, + { 0 } }; const SEC_ASN1Template SECKEY_DHPublicKeyTemplate[] = { - { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.publicValue), }, - { 0, } + { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey, u.dh.publicValue) }, + { 0 } }; const SEC_ASN1Template SECKEY_DHParamKeyTemplate[] = { - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.prime), }, - { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.dh.base), }, + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPublicKey) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey, u.dh.prime) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey, u.dh.base) }, /* XXX chrisk: this needs to be expanded for decoding of j and validationParms (RFC2459 7.3.2) */ { SEC_ASN1_SKIP_REST }, - { 0, } + { 0 } }; SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate) 
@@ -142,33 +142,33 @@ prepare_dh_pub_key_for_asn1(SECKEYPublicKey *pubk) } /* Create an RSA key pair is any slot able to do so. -** The created keys are "session" (temporary), not "token" (permanent), +** The created keys are "session" (temporary), not "token" (permanent), ** and they are "sensitive", which makes them costly to move to another token. */ SECKEYPrivateKey * -SECKEY_CreateRSAPrivateKey(int keySizeInBits,SECKEYPublicKey **pubk, void *cx) +SECKEY_CreateRSAPrivateKey(int keySizeInBits, SECKEYPublicKey **pubk, void *cx) { SECKEYPrivateKey *privk; PK11RSAGenParams param; - PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN,cx); + PK11SlotInfo *slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, cx); if (!slot) { - return NULL; + return NULL; } param.keySizeInBits = keySizeInBits; param.pe = 65537L; - - privk = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN,¶m,pubk, - PR_FALSE, PR_TRUE, cx); + + privk = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, ¶m, pubk, + PR_FALSE, PR_TRUE, cx); PK11_FreeSlot(slot); - return(privk); + return (privk); } -/* Create a DH key pair in any slot able to do so, -** This is a "session" (temporary), not "token" (permanent) key. +/* Create a DH key pair in any slot able to do so, +** This is a "session" (temporary), not "token" (permanent) key. ** Because of the high probability that this key will need to be moved to ** another token, and the high cost of moving "sensitive" keys, we attempt -** to create this key pair without the "sensitive" attribute, but revert to +** to create this key pair without the "sensitive" attribute, but revert to ** creating a "sensitive" key if necessary. */ SECKEYPrivateKey * 
@@ -180,72 +180,77 @@ SECKEY_CreateDHPrivateKey(SECKEYDHParams *param, SECKEYPublicKey **pubk, void *c if (!param || !param->base.data || !param->prime.data || SECKEY_BigIntegerBitLength(¶m->prime) < DH_MIN_P_BITS || param->base.len == 0 || param->base.len > param->prime.len + 1 || - (param->base.len == 1 && param->base.data[0] == 0)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + (param->base.len == 1 && param->base.data[0] == 0)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN,cx); + slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN, cx); if (!slot) { - return NULL; + return NULL; } - privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, + privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, pubk, PR_FALSE, PR_FALSE, cx); - if (!privk) - privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, - pubk, PR_FALSE, PR_TRUE, cx); + if (!privk) + privk = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, param, + pubk, PR_FALSE, PR_TRUE, cx); PK11_FreeSlot(slot); - return(privk); + return (privk); } -/* Create an EC key pair in any slot able to do so, -** This is a "session" (temporary), not "token" (permanent) key. +/* Create an EC key pair in any slot able to do so, +** This is a "session" (temporary), not "token" (permanent) key. ** Because of the high probability that this key will need to be moved to ** another token, and the high cost of moving "sensitive" keys, we attempt -** to create this key pair without the "sensitive" attribute, but revert to +** to create this key pair without the "sensitive" attribute, but revert to ** creating a "sensitive" key if necessary. 
*/ SECKEYPrivateKey * SECKEY_CreateECPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *cx) { SECKEYPrivateKey *privk; - PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_KEY_PAIR_GEN,cx); + PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_KEY_PAIR_GEN, cx); if (!slot) { - return NULL; + return NULL; } - privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, - param, pubk, - PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE | - PK11_ATTR_PUBLIC, - CKF_DERIVE, CKF_DERIVE|CKF_SIGN,cx); - if (!privk) - privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, - param, pubk, - PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | - PK11_ATTR_PRIVATE, - CKF_DERIVE, CKF_DERIVE|CKF_SIGN,cx); + privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, + param, pubk, + PK11_ATTR_SESSION | + PK11_ATTR_INSENSITIVE | + PK11_ATTR_PUBLIC, + CKF_DERIVE, CKF_DERIVE | + CKF_SIGN, + cx); + if (!privk) + privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_KEY_PAIR_GEN, + param, pubk, + PK11_ATTR_SESSION | + PK11_ATTR_SENSITIVE | + PK11_ATTR_PRIVATE, + CKF_DERIVE, CKF_DERIVE | + CKF_SIGN, + cx); PK11_FreeSlot(slot); - return(privk); + return (privk); } void SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk) { if (privk) { - if (privk->pkcs11Slot) { - if (privk->pkcs11IsTemp) { - PK11_DestroyObject(privk->pkcs11Slot,privk->pkcs11ID); - } - PK11_FreeSlot(privk->pkcs11Slot); - - } - if (privk->arena) { - PORT_FreeArena(privk->arena, PR_TRUE); - } + if (privk->pkcs11Slot) { + if (privk->pkcs11IsTemp) { + PK11_DestroyObject(privk->pkcs11Slot, privk->pkcs11ID); + } + PK11_FreeSlot(privk->pkcs11Slot); + } + if (privk->arena) { + PORT_FreeArena(privk->arena, PR_TRUE); + } } } 
@@ -253,39 +258,39 @@ void SECKEY_DestroyPublicKey(SECKEYPublicKey *pubk) { if (pubk) { - if (pubk->pkcs11Slot) { - if (!PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) { - PK11_DestroyObject(pubk->pkcs11Slot,pubk->pkcs11ID); - } - PK11_FreeSlot(pubk->pkcs11Slot); - } - if (pubk->arena) { - PORT_FreeArena(pubk->arena, PR_FALSE); - } + if (pubk->pkcs11Slot) { + if (!PK11_IsPermObject(pubk->pkcs11Slot, pubk->pkcs11ID)) { + PK11_DestroyObject(pubk->pkcs11Slot, pubk->pkcs11ID); + } + PK11_FreeSlot(pubk->pkcs11Slot); + } + if (pubk->arena) { + PORT_FreeArena(pubk->arena, PR_FALSE); + } } } SECStatus SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena, - CERTSubjectPublicKeyInfo *to, - CERTSubjectPublicKeyInfo *from) + CERTSubjectPublicKeyInfo *to, + CERTSubjectPublicKeyInfo *from) { SECStatus rv; SECItem spk; rv = SECOID_CopyAlgorithmID(arena, &to->algorithm, &from->algorithm); if (rv == SECSuccess) { - /* - * subjectPublicKey is a bit string, whose length is in bits. - * Convert the length from bits to bytes for SECITEM_CopyItem. - */ - spk = from->subjectPublicKey; - DER_ConvertBitString(&spk); - rv = SECITEM_CopyItem(arena, &to->subjectPublicKey, &spk); - /* Set the length back to bits. */ - if (rv == SECSuccess) { - to->subjectPublicKey.len = from->subjectPublicKey.len; - } + /* + * subjectPublicKey is a bit string, whose length is in bits. + * Convert the length from bits to bytes for SECITEM_CopyItem. + */ + spk = from->subjectPublicKey; + DER_ConvertBitString(&spk); + rv = SECITEM_CopyItem(arena, &to->subjectPublicKey, &spk); + /* Set the length back to bits. */ + if (rv == SECSuccess) { + to->subjectPublicKey.len = from->subjectPublicKey.len; + } } return rv; 
@@ -301,55 +306,53 @@ SECKEY_CopySubjectPublicKeyInfo(PLArenaPool *arena, * pqg parameters that has a parent that is not a DSA cert. */ static SECStatus -seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) +seckey_UpdateCertPQGChain(CERTCertificate *subjectCert, int count) { SECStatus rv; - SECOidData *oid=NULL; + SECOidData *oid = NULL; int tag; - CERTSubjectPublicKeyInfo * subjectSpki=NULL; - CERTSubjectPublicKeyInfo * issuerSpki=NULL; + CERTSubjectPublicKeyInfo *subjectSpki = NULL; + CERTSubjectPublicKeyInfo *issuerSpki = NULL; CERTCertificate *issuerCert = NULL; - rv = SECSuccess; - /* increment cert chain length counter*/ count++; /* check if cert chain length exceeds the maximum length*/ if (count > CERT_MAX_CERT_CHAIN) { - return SECFailure; + return SECFailure; } - oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm); - if (oid != NULL) { + oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm); + if (oid != NULL) { tag = oid->offset; - + /* Check if cert has a DSA or EC public key. If not, return * success since no PQG params need to be updated. - * - * Question: do we really need to do this for EC keys. They don't have - * PQG parameters, but they do have parameters. The question is does - * the child cert inherit thost parameters for EC from the parent, or - * do we always include those parameters in each cert. - */ - - if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && - (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && - (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) && - (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) && - (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && - (tag != SEC_OID_SDN702_DSA_SIGNATURE) && - (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) { - + * + * Question: do we really need to do this for EC keys. They don't have + * PQG parameters, but they do have parameters. 
The question is does + * the child cert inherit thost parameters for EC from the parent, or + * do we always include those parameters in each cert. + */ + + if ((tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && + (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && + (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) && + (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) && + (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && + (tag != SEC_OID_SDN702_DSA_SIGNATURE) && + (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { + return SECSuccess; } } else { - return SECFailure; /* return failure if oid is NULL */ + return SECFailure; /* return failure if oid is NULL */ } /* if cert has PQG parameters, return success */ - subjectSpki=&subjectCert->subjectPublicKeyInfo; + subjectSpki = &subjectCert->subjectPublicKeyInfo; if (subjectSpki->algorithm.parameters.len != 0) { return SECSuccess; 
@@ -357,42 +360,41 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) /* check if the cert is self-signed */ if (subjectCert->isRoot) { - /* fail since cert is self-signed and has no pqg params. */ - return SECFailure; + /* fail since cert is self-signed and has no pqg params. */ + return SECFailure; } - + /* get issuer cert */ issuerCert = CERT_FindCertIssuer(subjectCert, PR_Now(), certUsageAnyCA); - if ( ! issuerCert ) { - return SECFailure; + if (!issuerCert) { + return SECFailure; } /* if parent is not DSA, return failure since we don't allow this case. */ oid = SECOID_FindOID(&issuerCert->subjectPublicKeyInfo.algorithm.algorithm); - if (oid != NULL) { + if (oid != NULL) { tag = oid->offset; - + /* Check if issuer cert has a DSA public key. If not, * return failure. */ - if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && - (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && - (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) && - (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) && - (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && - (tag != SEC_OID_SDN702_DSA_SIGNATURE) && - (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) { + if ((tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && + (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && + (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) && + (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) && + (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && + (tag != SEC_OID_SDN702_DSA_SIGNATURE) && + (tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { rv = SECFailure; goto loser; } } else { - rv = SECFailure; /* return failure if oid is NULL */ + rv = SECFailure; /* return failure if oid is NULL */ goto loser; } - /* at this point the subject cert has no pqg parameters and the * issuer cert has a DSA public key. Update the issuer's * pqg parameters with a recursive call to this same function. */ 
@@ -405,9 +407,9 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) /* ensure issuer has pqg parameters */ - issuerSpki=&issuerCert->subjectPublicKeyInfo; + issuerSpki = &issuerCert->subjectPublicKeyInfo; if (issuerSpki->algorithm.parameters.len == 0) { - rv = SECFailure; + rv = SECFailure; } /* if update was successful and pqg params present, then copy the @@ -415,8 +417,8 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) if (rv == SECSuccess) { rv = SECITEM_CopyItem(subjectCert->arena, - &subjectSpki->algorithm.parameters, - &issuerSpki->algorithm.parameters); + &subjectSpki->algorithm.parameters, + &issuerSpki->algorithm.parameters); } loser: @@ -424,35 +426,35 @@ loser: CERT_DestroyCertificate(issuerCert); } return rv; - } - SECStatus -SECKEY_UpdateCertPQG(CERTCertificate * subjectCert) +SECKEY_UpdateCertPQG(CERTCertificate *subjectCert) { if (!subjectCert) { PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + return SECFailure; } - return seckey_UpdateCertPQGChain(subjectCert,0); + return seckey_UpdateCertPQGChain(subjectCert, 0); } - /* Decode the DSA PQG parameters. The params could be stored in two * possible formats, the old fortezza-only wrapped format or * the normal standard format. Store the decoded parameters in - * a V3 certificate data structure. */ + * a V3 certificate data structure. */ static SECStatus seckey_DSADecodePQG(PLArenaPool *arena, SECKEYPublicKey *pubk, - const SECItem *params) { + const SECItem *params) +{ SECStatus rv; SECItem newparams; - if (params == NULL) return SECFailure; - - if (params->data == NULL) return SECFailure; + if (params == NULL) + return SECFailure; + + if (params->data == NULL) + return SECFailure; PORT_Assert(arena); 
@@ -467,13 +469,13 @@ seckey_DSADecodePQG(PLArenaPool *arena, SECKEYPublicKey *pubk, if ((newparams.data[0] != 0xa1) && (newparams.data[0] != 0xa0)) { - + if (SECSuccess == rv) { - /* PQG params are in the standard format */ - prepare_pqg_params_for_asn1(&pubk->u.dsa.params); - rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params, - SECKEY_PQGParamsTemplate, - &newparams); + /* PQG params are in the standard format */ + prepare_pqg_params_for_asn1(&pubk->u.dsa.params); + rv = SEC_QuickDERDecodeItem(arena, &pubk->u.dsa.params, + SECKEY_PQGParamsTemplate, + &newparams); } } else { 
@@ -486,61 +488,61 @@ seckey_DSADecodePQG(PLArenaPool *arena, SECKEYPublicKey *pubk, return rv; } - /* Function used to make an oid tag to a key type */ -KeyType -seckey_GetKeyType (SECOidTag tag) { +KeyType +seckey_GetKeyType(SECOidTag tag) +{ KeyType keyType; switch (tag) { - case SEC_OID_X500_RSA_ENCRYPTION: - case SEC_OID_PKCS1_RSA_ENCRYPTION: - keyType = rsaKey; - break; - case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: - keyType = rsaPssKey; - break; - case SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION: - keyType = rsaOaepKey; - break; - case SEC_OID_ANSIX9_DSA_SIGNATURE: - keyType = dsaKey; - break; - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_DSS_OLD: - case SEC_OID_MISSI_DSS: - keyType = fortezzaKey; - break; - case SEC_OID_MISSI_KEA: - case SEC_OID_MISSI_ALT_KEA: - keyType = keaKey; - break; - case SEC_OID_X942_DIFFIE_HELMAN_KEY: - keyType = dhKey; - break; - case SEC_OID_ANSIX962_EC_PUBLIC_KEY: - keyType = ecKey; - break; - /* accommodate applications that hand us a signature type when they - * should be handing us a cipher type */ - case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: - keyType = rsaKey; - break; - default: - keyType = nullKey; + case SEC_OID_X500_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_ENCRYPTION: + keyType = rsaKey; + break; + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + keyType = rsaPssKey; + break; + case SEC_OID_PKCS1_RSA_OAEP_ENCRYPTION: + keyType = rsaOaepKey; + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + keyType = dsaKey; + break; + case SEC_OID_MISSI_KEA_DSS_OLD: + case SEC_OID_MISSI_KEA_DSS: + case SEC_OID_MISSI_DSS_OLD: + case SEC_OID_MISSI_DSS: + keyType = fortezzaKey; + break; + case SEC_OID_MISSI_KEA: + case SEC_OID_MISSI_ALT_KEA: + keyType = keaKey; + break; + case 
SEC_OID_X942_DIFFIE_HELMAN_KEY: + keyType = dhKey; + break; + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + keyType = ecKey; + break; + /* accommodate applications that hand us a signature type when they + * should be handing us a cipher type */ + case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: + keyType = rsaKey; + break; + default: + keyType = nullKey; } return keyType; } /* Function used to determine what kind of cert we are dealing with. */ -KeyType -CERT_GetCertKeyType (const CERTSubjectPublicKeyInfo *spki) +KeyType +CERT_GetCertKeyType(const CERTSubjectPublicKeyInfo *spki) { return seckey_GetKeyType(SECOID_GetAlgorithmTag(&spki->algorithm)); } 
@@ -554,95 +556,104 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) PLArenaPool *arena; SECOidTag tag; - arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) - return NULL; + return NULL; - pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); + pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); if (pubk == NULL) { - PORT_FreeArena (arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } pubk->arena = arena; pubk->pkcs11Slot = 0; pubk->pkcs11ID = CK_INVALID_HANDLE; - /* Convert bit string length from bits to bytes */ os = spki->subjectPublicKey; - DER_ConvertBitString (&os); + DER_ConvertBitString(&os); tag = SECOID_GetAlgorithmTag(&spki->algorithm); /* copy the DER into the arena, since Quick DER returns data that points into the DER input, which may get freed by the caller */ rv = SECITEM_CopyItem(arena, &newOs, &os); - if ( rv == SECSuccess ) - switch ( tag ) { - case SEC_OID_X500_RSA_ENCRYPTION: - case SEC_OID_PKCS1_RSA_ENCRYPTION: - pubk->keyType = rsaKey; - prepare_rsa_pub_key_for_asn1(pubk); - rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate, &newOs); - if (rv == SECSuccess) - return pubk; - break; - case SEC_OID_ANSIX9_DSA_SIGNATURE: - case SEC_OID_SDN702_DSA_SIGNATURE: - pubk->keyType = dsaKey; - prepare_dsa_pub_key_for_asn1(pubk); - rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &newOs); - if (rv != SECSuccess) break; - - rv = seckey_DSADecodePQG(arena, pubk, - &spki->algorithm.parameters); - - if (rv == SECSuccess) return pubk; - break; - case SEC_OID_X942_DIFFIE_HELMAN_KEY: - pubk->keyType = dhKey; - prepare_dh_pub_key_for_asn1(pubk); - rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHPublicKeyTemplate, &newOs); - if (rv != SECSuccess) break; - - /* copy the DER into the arena, since Quick DER returns data that points - into the DER input, which may get 
freed by the caller */ - rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters); - if ( rv != SECSuccess ) - break; - - rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHParamKeyTemplate, - &newParms); - - if (rv == SECSuccess) return pubk; - break; - case SEC_OID_ANSIX962_EC_PUBLIC_KEY: - pubk->keyType = ecKey; - pubk->u.ec.size = 0; - - /* Since PKCS#11 directly takes the DER encoding of EC params - * and public value, we don't need any decoding here. - */ - rv = SECITEM_CopyItem(arena, &pubk->u.ec.DEREncodedParams, - &spki->algorithm.parameters); - if ( rv != SECSuccess ) - break; - rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs); - if (rv == SECSuccess) return pubk; - break; - - default: - PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); - rv = SECFailure; - break; - } + if (rv == SECSuccess) + switch (tag) { + case SEC_OID_X500_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + pubk->keyType = rsaKey; + prepare_rsa_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_RSAPublicKeyTemplate, &newOs); + if (rv == SECSuccess) + return pubk; + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + case SEC_OID_SDN702_DSA_SIGNATURE: + pubk->keyType = dsaKey; + prepare_dsa_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &newOs); + if (rv != SECSuccess) + break; + + rv = seckey_DSADecodePQG(arena, pubk, + &spki->algorithm.parameters); + + if (rv == SECSuccess) + return pubk; + break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: + pubk->keyType = dhKey; + prepare_dh_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHPublicKeyTemplate, &newOs); + if (rv != SECSuccess) + break; + + /* copy the DER into the arena, since Quick DER returns data that points + into the DER input, which may get freed by the caller */ + rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters); + if (rv != SECSuccess) + break; + + rv = 
SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DHParamKeyTemplate, + &newParms); + + if (rv == SECSuccess) + return pubk; + break; + case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + pubk->keyType = ecKey; + pubk->u.ec.size = 0; + + /* Since PKCS#11 directly takes the DER encoding of EC params + * and public value, we don't need any decoding here. + */ + rv = SECITEM_CopyItem(arena, &pubk->u.ec.DEREncodedParams, + &spki->algorithm.parameters); + if (rv != SECSuccess) { + break; + } + rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs); + if (rv != SECSuccess) { + break; + } + rv = seckey_SetPointEncoding(arena, pubk); + if (rv == SECSuccess) { + return pubk; + } + break; + + default: + PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); + break; + } - SECKEY_DestroyPublicKey (pubk); + SECKEY_DestroyPublicKey(pubk); return NULL; } - /* required for JSS */ SECKEYPublicKey * SECKEY_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) @@ -653,15 +664,6 @@ SECKEY_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) SECKEYPublicKey * CERT_ExtractPublicKey(CERTCertificate *cert) { - SECStatus rv; - - if (!cert) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - rv = SECKEY_UpdateCertPQG(cert); - if (rv != SECSuccess) return NULL; - return seckey_ExtractPublicKey(&cert->subjectPublicKeyInfo); } 
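Review bot: The new `case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:` label in seckey_ExtractPublicKey falls into the branch that sets `pubk->keyType = rsaKey`, while seckey_GetKeyType earlier in this file maps the same OID to `rsaPssKey`, so the two functions disagree about the key type of a PSS certificate. The branch decodes only the key bits and never reads `spki->algorithm.parameters`, so any hash or salt-length restriction stated with the PSS OID is not kept on the returned key, and as far as this hunk shows later code has nothing to enforce it with. If treating these keys as plain RSA is deliberate, say so at the label, for example `/* PSS-restricted keys are handled as plain RSA here; their parameters are not retained */`; otherwise give the OID its own branch that records the PSS type. The function begins above the hunk.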
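Review bot: CERT_ExtractPublicKey now evaluates `&cert->subjectPublicKeyInfo` with no test of `cert`, so a NULL certificate, which used to return NULL with SEC_ERROR_INVALID_ARGS, now reaches the read of `spki->subjectPublicKey` in seckey_ExtractPublicKey. Keeping the guard preserves the old contract for existing callers: `if (!cert) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; }`. With the SECKEY_UpdateCertPQG call removed, a DSA certificate that carries no parameters of its own presumably fails at the `params->data == NULL` test in seckey_DSADecodePQG. A comment above the function should tell callers that parameter inheritance is no longer done here and that SECKEY_UpdateCertPQG must be called first when it is wanted.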
@@ -669,128 +671,131 @@ int SECKEY_ECParamsToKeySize(const SECItem *encodedParams) { SECOidTag tag; - SECItem oid = { siBuffer, NULL, 0}; - + SECItem oid = { siBuffer, NULL, 0 }; + /* The encodedParams data contains 0x06 (SEC_ASN1_OBJECT_ID), * followed by the length of the curve oid and the curve oid. */ oid.len = encodedParams->data[1]; oid.data = encodedParams->data + 2; if ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN) - return 0; + return 0; switch (tag) { - case SEC_OID_SECG_EC_SECP112R1: - case SEC_OID_SECG_EC_SECP112R2: - return 112; - - case SEC_OID_SECG_EC_SECT113R1: - case SEC_OID_SECG_EC_SECT113R2: - return 113; - - case SEC_OID_SECG_EC_SECP128R1: - case SEC_OID_SECG_EC_SECP128R2: - return 128; - - case SEC_OID_SECG_EC_SECT131R1: - case SEC_OID_SECG_EC_SECT131R2: - return 131; - - case SEC_OID_SECG_EC_SECP160K1: - case SEC_OID_SECG_EC_SECP160R1: - case SEC_OID_SECG_EC_SECP160R2: - return 160; - - case SEC_OID_SECG_EC_SECT163K1: - case SEC_OID_SECG_EC_SECT163R1: - case SEC_OID_SECG_EC_SECT163R2: - case SEC_OID_ANSIX962_EC_C2PNB163V1: - case SEC_OID_ANSIX962_EC_C2PNB163V2: - case SEC_OID_ANSIX962_EC_C2PNB163V3: - return 163; - - case SEC_OID_ANSIX962_EC_C2PNB176V1: - return 176; - - case SEC_OID_ANSIX962_EC_C2TNB191V1: - case SEC_OID_ANSIX962_EC_C2TNB191V2: - case SEC_OID_ANSIX962_EC_C2TNB191V3: - case SEC_OID_ANSIX962_EC_C2ONB191V4: - case SEC_OID_ANSIX962_EC_C2ONB191V5: - return 191; - - case SEC_OID_SECG_EC_SECP192K1: - case SEC_OID_ANSIX962_EC_PRIME192V1: - case SEC_OID_ANSIX962_EC_PRIME192V2: - case SEC_OID_ANSIX962_EC_PRIME192V3: - return 192; - - case SEC_OID_SECG_EC_SECT193R1: - case SEC_OID_SECG_EC_SECT193R2: - return 193; - - case SEC_OID_ANSIX962_EC_C2PNB208W1: - return 208; - - case SEC_OID_SECG_EC_SECP224K1: - case SEC_OID_SECG_EC_SECP224R1: - return 224; - - case SEC_OID_SECG_EC_SECT233K1: - case SEC_OID_SECG_EC_SECT233R1: - return 233; - - case SEC_OID_SECG_EC_SECT239K1: - case SEC_OID_ANSIX962_EC_C2TNB239V1: - case 
SEC_OID_ANSIX962_EC_C2TNB239V2: - case SEC_OID_ANSIX962_EC_C2TNB239V3: - case SEC_OID_ANSIX962_EC_C2ONB239V4: - case SEC_OID_ANSIX962_EC_C2ONB239V5: - case SEC_OID_ANSIX962_EC_PRIME239V1: - case SEC_OID_ANSIX962_EC_PRIME239V2: - case SEC_OID_ANSIX962_EC_PRIME239V3: - return 239; - - case SEC_OID_SECG_EC_SECP256K1: - case SEC_OID_ANSIX962_EC_PRIME256V1: - return 256; - - case SEC_OID_ANSIX962_EC_C2PNB272W1: - return 272; - - case SEC_OID_SECG_EC_SECT283K1: - case SEC_OID_SECG_EC_SECT283R1: - return 283; - - case SEC_OID_ANSIX962_EC_C2PNB304W1: - return 304; - - case SEC_OID_ANSIX962_EC_C2TNB359V1: - return 359; - - case SEC_OID_ANSIX962_EC_C2PNB368W1: - return 368; - - case SEC_OID_SECG_EC_SECP384R1: - return 384; - - case SEC_OID_SECG_EC_SECT409K1: - case SEC_OID_SECG_EC_SECT409R1: - return 409; - - case SEC_OID_ANSIX962_EC_C2TNB431R1: - return 431; - - case SEC_OID_SECG_EC_SECP521R1: - return 521; - - case SEC_OID_SECG_EC_SECT571K1: - case SEC_OID_SECG_EC_SECT571R1: - return 571; - - default: - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - return 0; + case SEC_OID_SECG_EC_SECP112R1: + case SEC_OID_SECG_EC_SECP112R2: + return 112; + + case SEC_OID_SECG_EC_SECT113R1: + case SEC_OID_SECG_EC_SECT113R2: + return 113; + + case SEC_OID_SECG_EC_SECP128R1: + case SEC_OID_SECG_EC_SECP128R2: + return 128; + + case SEC_OID_SECG_EC_SECT131R1: + case SEC_OID_SECG_EC_SECT131R2: + return 131; + + case SEC_OID_SECG_EC_SECP160K1: + case SEC_OID_SECG_EC_SECP160R1: + case SEC_OID_SECG_EC_SECP160R2: + return 160; + + case SEC_OID_SECG_EC_SECT163K1: + case SEC_OID_SECG_EC_SECT163R1: + case SEC_OID_SECG_EC_SECT163R2: + case SEC_OID_ANSIX962_EC_C2PNB163V1: + case SEC_OID_ANSIX962_EC_C2PNB163V2: + case SEC_OID_ANSIX962_EC_C2PNB163V3: + return 163; + + case SEC_OID_ANSIX962_EC_C2PNB176V1: + return 176; + + case SEC_OID_ANSIX962_EC_C2TNB191V1: + case SEC_OID_ANSIX962_EC_C2TNB191V2: + case SEC_OID_ANSIX962_EC_C2TNB191V3: + case SEC_OID_ANSIX962_EC_C2ONB191V4: + case 
SEC_OID_ANSIX962_EC_C2ONB191V5: + return 191; + + case SEC_OID_SECG_EC_SECP192K1: + case SEC_OID_ANSIX962_EC_PRIME192V1: + case SEC_OID_ANSIX962_EC_PRIME192V2: + case SEC_OID_ANSIX962_EC_PRIME192V3: + return 192; + + case SEC_OID_SECG_EC_SECT193R1: + case SEC_OID_SECG_EC_SECT193R2: + return 193; + + case SEC_OID_ANSIX962_EC_C2PNB208W1: + return 208; + + case SEC_OID_SECG_EC_SECP224K1: + case SEC_OID_SECG_EC_SECP224R1: + return 224; + + case SEC_OID_SECG_EC_SECT233K1: + case SEC_OID_SECG_EC_SECT233R1: + return 233; + + case SEC_OID_SECG_EC_SECT239K1: + case SEC_OID_ANSIX962_EC_C2TNB239V1: + case SEC_OID_ANSIX962_EC_C2TNB239V2: + case SEC_OID_ANSIX962_EC_C2TNB239V3: + case SEC_OID_ANSIX962_EC_C2ONB239V4: + case SEC_OID_ANSIX962_EC_C2ONB239V5: + case SEC_OID_ANSIX962_EC_PRIME239V1: + case SEC_OID_ANSIX962_EC_PRIME239V2: + case SEC_OID_ANSIX962_EC_PRIME239V3: + return 239; + + case SEC_OID_SECG_EC_SECP256K1: + case SEC_OID_ANSIX962_EC_PRIME256V1: + return 256; + + case SEC_OID_ANSIX962_EC_C2PNB272W1: + return 272; + + case SEC_OID_SECG_EC_SECT283K1: + case SEC_OID_SECG_EC_SECT283R1: + return 283; + + case SEC_OID_ANSIX962_EC_C2PNB304W1: + return 304; + + case SEC_OID_ANSIX962_EC_C2TNB359V1: + return 359; + + case SEC_OID_ANSIX962_EC_C2PNB368W1: + return 368; + + case SEC_OID_SECG_EC_SECP384R1: + return 384; + + case SEC_OID_SECG_EC_SECT409K1: + case SEC_OID_SECG_EC_SECT409R1: + return 409; + + case SEC_OID_ANSIX962_EC_C2TNB431R1: + return 431; + + case SEC_OID_SECG_EC_SECP521R1: + return 521; + + case SEC_OID_SECG_EC_SECT571K1: + case SEC_OID_SECG_EC_SECT571R1: + return 571; + + case SEC_OID_CURVE25519: + return 255; + + default: + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return 0; } } 
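Review bot: SECKEY_ECParamsToKeySize reads `encodedParams->data[1]` and sets `oid.len` from that byte without checking that `encodedParams->len` is at least 2, that `data[0]` is the 0x06 tag the comment describes, or that the stated length fits inside the item, so short or malformed parameters can make SECOID_FindOIDTag read past the buffer. seckey_ExtractPublicKey copies `spki->algorithm.parameters` into `u.ec.DEREncodedParams` without parsing it, and whether `seckey_SetPointEncoding` validates it is not visible here, so this function should not assume well-formed input. A guard ahead of the two assignments would do: `if (!encodedParams->data || encodedParams->len < 2 || encodedParams->data[0] != SEC_ASN1_OBJECT_ID || encodedParams->data[1] > encodedParams->len - 2) return 0;`. SECKEY_ECParamsToBasePointOrderLen in the next hunk has the same two lines and needs the same guard.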
@@ -798,146 +803,149 @@ int SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams) { SECOidTag tag; - SECItem oid = { siBuffer, NULL, 0}; - + SECItem oid = { siBuffer, NULL, 0 }; + /* The encodedParams data contains 0x06 (SEC_ASN1_OBJECT_ID), * followed by the length of the curve oid and the curve oid. */ oid.len = encodedParams->data[1]; oid.data = encodedParams->data + 2; if ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN) - return 0; + return 0; switch (tag) { - case SEC_OID_SECG_EC_SECP112R1: - return 112; - case SEC_OID_SECG_EC_SECP112R2: - return 110; - - case SEC_OID_SECG_EC_SECT113R1: - case SEC_OID_SECG_EC_SECT113R2: - return 113; - - case SEC_OID_SECG_EC_SECP128R1: - return 128; - case SEC_OID_SECG_EC_SECP128R2: - return 126; - - case SEC_OID_SECG_EC_SECT131R1: - case SEC_OID_SECG_EC_SECT131R2: - return 131; - - case SEC_OID_SECG_EC_SECP160K1: - case SEC_OID_SECG_EC_SECP160R1: - case SEC_OID_SECG_EC_SECP160R2: - return 161; - - case SEC_OID_SECG_EC_SECT163K1: - return 163; - case SEC_OID_SECG_EC_SECT163R1: - return 162; - case SEC_OID_SECG_EC_SECT163R2: - case SEC_OID_ANSIX962_EC_C2PNB163V1: - return 163; - case SEC_OID_ANSIX962_EC_C2PNB163V2: - case SEC_OID_ANSIX962_EC_C2PNB163V3: - return 162; - - case SEC_OID_ANSIX962_EC_C2PNB176V1: - return 161; - - case SEC_OID_ANSIX962_EC_C2TNB191V1: - return 191; - case SEC_OID_ANSIX962_EC_C2TNB191V2: - return 190; - case SEC_OID_ANSIX962_EC_C2TNB191V3: - return 189; - case SEC_OID_ANSIX962_EC_C2ONB191V4: - return 191; - case SEC_OID_ANSIX962_EC_C2ONB191V5: - return 188; - - case SEC_OID_SECG_EC_SECP192K1: - case SEC_OID_ANSIX962_EC_PRIME192V1: - case SEC_OID_ANSIX962_EC_PRIME192V2: - case SEC_OID_ANSIX962_EC_PRIME192V3: - return 192; - - case SEC_OID_SECG_EC_SECT193R1: - case SEC_OID_SECG_EC_SECT193R2: - return 193; - - case SEC_OID_ANSIX962_EC_C2PNB208W1: - return 193; - - case SEC_OID_SECG_EC_SECP224K1: - return 225; - case SEC_OID_SECG_EC_SECP224R1: - return 224; - - case 
SEC_OID_SECG_EC_SECT233K1: - return 232; - case SEC_OID_SECG_EC_SECT233R1: - return 233; - - case SEC_OID_SECG_EC_SECT239K1: - case SEC_OID_ANSIX962_EC_C2TNB239V1: - return 238; - case SEC_OID_ANSIX962_EC_C2TNB239V2: - return 237; - case SEC_OID_ANSIX962_EC_C2TNB239V3: - return 236; - case SEC_OID_ANSIX962_EC_C2ONB239V4: - return 238; - case SEC_OID_ANSIX962_EC_C2ONB239V5: - return 237; - case SEC_OID_ANSIX962_EC_PRIME239V1: - case SEC_OID_ANSIX962_EC_PRIME239V2: - case SEC_OID_ANSIX962_EC_PRIME239V3: - return 239; - - case SEC_OID_SECG_EC_SECP256K1: - case SEC_OID_ANSIX962_EC_PRIME256V1: - return 256; - - case SEC_OID_ANSIX962_EC_C2PNB272W1: - return 257; - - case SEC_OID_SECG_EC_SECT283K1: - return 281; - case SEC_OID_SECG_EC_SECT283R1: - return 282; - - case SEC_OID_ANSIX962_EC_C2PNB304W1: - return 289; - - case SEC_OID_ANSIX962_EC_C2TNB359V1: - return 353; - - case SEC_OID_ANSIX962_EC_C2PNB368W1: - return 353; - - case SEC_OID_SECG_EC_SECP384R1: - return 384; - - case SEC_OID_SECG_EC_SECT409K1: - return 407; - case SEC_OID_SECG_EC_SECT409R1: - return 409; - - case SEC_OID_ANSIX962_EC_C2TNB431R1: - return 418; - - case SEC_OID_SECG_EC_SECP521R1: - return 521; - - case SEC_OID_SECG_EC_SECT571K1: - case SEC_OID_SECG_EC_SECT571R1: - return 570; - - default: - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); - return 0; + case SEC_OID_SECG_EC_SECP112R1: + return 112; + case SEC_OID_SECG_EC_SECP112R2: + return 110; + + case SEC_OID_SECG_EC_SECT113R1: + case SEC_OID_SECG_EC_SECT113R2: + return 113; + + case SEC_OID_SECG_EC_SECP128R1: + return 128; + case SEC_OID_SECG_EC_SECP128R2: + return 126; + + case SEC_OID_SECG_EC_SECT131R1: + case SEC_OID_SECG_EC_SECT131R2: + return 131; + + case SEC_OID_SECG_EC_SECP160K1: + case SEC_OID_SECG_EC_SECP160R1: + case SEC_OID_SECG_EC_SECP160R2: + return 161; + + case SEC_OID_SECG_EC_SECT163K1: + return 163; + case SEC_OID_SECG_EC_SECT163R1: + return 162; + case SEC_OID_SECG_EC_SECT163R2: + case SEC_OID_ANSIX962_EC_C2PNB163V1: + 
return 163; + case SEC_OID_ANSIX962_EC_C2PNB163V2: + case SEC_OID_ANSIX962_EC_C2PNB163V3: + return 162; + + case SEC_OID_ANSIX962_EC_C2PNB176V1: + return 161; + + case SEC_OID_ANSIX962_EC_C2TNB191V1: + return 191; + case SEC_OID_ANSIX962_EC_C2TNB191V2: + return 190; + case SEC_OID_ANSIX962_EC_C2TNB191V3: + return 189; + case SEC_OID_ANSIX962_EC_C2ONB191V4: + return 191; + case SEC_OID_ANSIX962_EC_C2ONB191V5: + return 188; + + case SEC_OID_SECG_EC_SECP192K1: + case SEC_OID_ANSIX962_EC_PRIME192V1: + case SEC_OID_ANSIX962_EC_PRIME192V2: + case SEC_OID_ANSIX962_EC_PRIME192V3: + return 192; + + case SEC_OID_SECG_EC_SECT193R1: + case SEC_OID_SECG_EC_SECT193R2: + return 193; + + case SEC_OID_ANSIX962_EC_C2PNB208W1: + return 193; + + case SEC_OID_SECG_EC_SECP224K1: + return 225; + case SEC_OID_SECG_EC_SECP224R1: + return 224; + + case SEC_OID_SECG_EC_SECT233K1: + return 232; + case SEC_OID_SECG_EC_SECT233R1: + return 233; + + case SEC_OID_SECG_EC_SECT239K1: + case SEC_OID_ANSIX962_EC_C2TNB239V1: + return 238; + case SEC_OID_ANSIX962_EC_C2TNB239V2: + return 237; + case SEC_OID_ANSIX962_EC_C2TNB239V3: + return 236; + case SEC_OID_ANSIX962_EC_C2ONB239V4: + return 238; + case SEC_OID_ANSIX962_EC_C2ONB239V5: + return 237; + case SEC_OID_ANSIX962_EC_PRIME239V1: + case SEC_OID_ANSIX962_EC_PRIME239V2: + case SEC_OID_ANSIX962_EC_PRIME239V3: + return 239; + + case SEC_OID_SECG_EC_SECP256K1: + case SEC_OID_ANSIX962_EC_PRIME256V1: + return 256; + + case SEC_OID_ANSIX962_EC_C2PNB272W1: + return 257; + + case SEC_OID_SECG_EC_SECT283K1: + return 281; + case SEC_OID_SECG_EC_SECT283R1: + return 282; + + case SEC_OID_ANSIX962_EC_C2PNB304W1: + return 289; + + case SEC_OID_ANSIX962_EC_C2TNB359V1: + return 353; + + case SEC_OID_ANSIX962_EC_C2PNB368W1: + return 353; + + case SEC_OID_SECG_EC_SECP384R1: + return 384; + + case SEC_OID_SECG_EC_SECT409K1: + return 407; + case SEC_OID_SECG_EC_SECT409R1: + return 409; + + case SEC_OID_ANSIX962_EC_C2TNB431R1: + return 418; + + case 
SEC_OID_SECG_EC_SECP521R1: + return 521; + + case SEC_OID_SECG_EC_SECT571K1: + case SEC_OID_SECG_EC_SECT571R1: + return 570; + + case SEC_OID_CURVE25519: + return 255; + + default: + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return 0; } } @@ -994,21 +1002,21 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk) /* interpret modulus length as key strength */ switch (pubk->keyType) { - case rsaKey: - bitSize = SECKEY_BigIntegerBitLength(&pubk->u.rsa.modulus); - break; - case dsaKey: - bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.publicValue); - break; - case dhKey: - bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.publicValue); - break; - case ecKey: - bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams); - break; - default: - PORT_SetError(SEC_ERROR_INVALID_KEY); - break; + case rsaKey: + bitSize = SECKEY_BigIntegerBitLength(&pubk->u.rsa.modulus); + break; + case dsaKey: + bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dsa.params.prime); + break; + case dhKey: + bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.prime); + break; + case ecKey: + bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams); + break; + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + break; } return bitSize; } 
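Review bot: The context comment `/* interpret modulus length as key strength */` in SECKEY_PublicKeyStrengthInBits no longer describes the dsaKey and dhKey cases, which now measure the group prime (`u.dsa.params.prime`, `u.dh.prime`) rather than the public value. Something like `/* strength is the bit length of the RSA modulus or of the DSA/DH prime p; for EC it is the curve size */` would match the code. For DSA it is worth adding that `params.subPrime` is not considered, so a caller enforcing a minimum strength from this value alone places no bound on q. The function starts above the hunk.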
@@ -1021,18 +1029,18 @@ SECKEY_SignatureLen(const SECKEYPublicKey *pubk) unsigned size; switch (pubk->keyType) { - case rsaKey: - b0 = pubk->u.rsa.modulus.data[0]; - return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1; - case dsaKey: - return pubk->u.dsa.params.subPrime.len * 2; - case ecKey: - /* Get the base point order length in bits and adjust */ - size = SECKEY_ECParamsToBasePointOrderLen( - &pubk->u.ec.DEREncodedParams); - return ((size + 7)/8) * 2; - default: - break; + case rsaKey: + b0 = pubk->u.rsa.modulus.data[0]; + return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1; + case dsaKey: + return pubk->u.dsa.params.subPrime.len * 2; + case ecKey: + /* Get the base point order length in bits and adjust */ + size = SECKEY_ECParamsToBasePointOrderLen( + &pubk->u.ec.DEREncodedParams); + return ((size + 7) / 8) * 2; + default: + break; } PORT_SetError(SEC_ERROR_INVALID_KEY); return 0; 
@@ -1043,44 +1051,45 @@ SECKEY_CopyPrivateKey(const SECKEYPrivateKey *privk) { SECKEYPrivateKey *copyk; PLArenaPool *arena; - + if (!privk || !privk->pkcs11Slot) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - return NULL; + return NULL; } - copyk = (SECKEYPrivateKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPrivateKey)); + copyk = (SECKEYPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey)); if (copyk) { - copyk->arena = arena; - copyk->keyType = privk->keyType; - - /* copy the PKCS #11 parameters */ - copyk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot); - /* if the key we're referencing was a temparary key we have just - * created, that we want to go away when we're through, we need - * to make a copy of it */ - if (privk->pkcs11IsTemp) { - copyk->pkcs11ID = - PK11_CopyKey(privk->pkcs11Slot,privk->pkcs11ID); - if (copyk->pkcs11ID == CK_INVALID_HANDLE) goto fail; - } else { - copyk->pkcs11ID = privk->pkcs11ID; - } - copyk->pkcs11IsTemp = privk->pkcs11IsTemp; - copyk->wincx = privk->wincx; - copyk->staticflags = privk->staticflags; - return copyk; + copyk->arena = arena; + copyk->keyType = privk->keyType; + + /* copy the PKCS #11 parameters */ + copyk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot); + /* if the key we're referencing was a temparary key we have just + * created, that we want to go away when we're through, we need + * to make a copy of it */ + if (privk->pkcs11IsTemp) { + copyk->pkcs11ID = + PK11_CopyKey(privk->pkcs11Slot, privk->pkcs11ID); + if (copyk->pkcs11ID == CK_INVALID_HANDLE) + goto fail; + } else { + copyk->pkcs11ID = privk->pkcs11ID; + } + copyk->pkcs11IsTemp = privk->pkcs11IsTemp; + copyk->wincx = privk->wincx; + copyk->staticflags = privk->staticflags; + return copyk; } else { - PORT_SetError (SEC_ERROR_NO_MEMORY); + PORT_SetError(SEC_ERROR_NO_MEMORY); } fail: - PORT_FreeArena 
(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); return NULL; } 
@@ -1093,82 +1102,93 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk) arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - PORT_SetError (SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } - copyk = (SECKEYPublicKey *) PORT_ArenaZAlloc (arena, sizeof (SECKEYPublicKey)); + copyk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); if (!copyk) { - PORT_FreeArena (arena, PR_FALSE); - PORT_SetError (SEC_ERROR_NO_MEMORY); + PORT_FreeArena(arena, PR_FALSE); + PORT_SetError(SEC_ERROR_NO_MEMORY); return NULL; } copyk->arena = arena; copyk->keyType = pubk->keyType; - if (pubk->pkcs11Slot && - PK11_IsPermObject(pubk->pkcs11Slot,pubk->pkcs11ID)) { + if (pubk->pkcs11Slot && + PK11_IsPermObject(pubk->pkcs11Slot, pubk->pkcs11ID)) { copyk->pkcs11Slot = PK11_ReferenceSlot(pubk->pkcs11Slot); copyk->pkcs11ID = pubk->pkcs11ID; } else { - copyk->pkcs11Slot = NULL; /* go get own reference */ + copyk->pkcs11Slot = NULL; /* go get own reference */ copyk->pkcs11ID = CK_INVALID_HANDLE; } switch (pubk->keyType) { - case rsaKey: - rv = SECITEM_CopyItem(arena, ©k->u.rsa.modulus, - &pubk->u.rsa.modulus); - if (rv == SECSuccess) { - rv = SECITEM_CopyItem (arena, ©k->u.rsa.publicExponent, - &pubk->u.rsa.publicExponent); - if (rv == SECSuccess) - return copyk; - } - break; - case dsaKey: - rv = SECITEM_CopyItem(arena, ©k->u.dsa.publicValue, - &pubk->u.dsa.publicValue); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.prime, - &pubk->u.dsa.params.prime); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.subPrime, - &pubk->u.dsa.params.subPrime); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.base, - &pubk->u.dsa.params.base); - break; - case dhKey: - rv = SECITEM_CopyItem(arena,©k->u.dh.prime,&pubk->u.dh.prime); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena,©k->u.dh.base,&pubk->u.dh.base); - if (rv != SECSuccess) 
break; - rv = SECITEM_CopyItem(arena, ©k->u.dh.publicValue, - &pubk->u.dh.publicValue); - break; - case ecKey: - copyk->u.ec.size = pubk->u.ec.size; - rv = SECITEM_CopyItem(arena,©k->u.ec.DEREncodedParams, - &pubk->u.ec.DEREncodedParams); - if (rv != SECSuccess) break; - rv = SECITEM_CopyItem(arena,©k->u.ec.publicValue, - &pubk->u.ec.publicValue); - break; - case nullKey: - return copyk; - default: - PORT_SetError(SEC_ERROR_INVALID_KEY); - rv = SECFailure; - break; + case rsaKey: + rv = SECITEM_CopyItem(arena, ©k->u.rsa.modulus, + &pubk->u.rsa.modulus); + if (rv == SECSuccess) { + rv = SECITEM_CopyItem(arena, ©k->u.rsa.publicExponent, + &pubk->u.rsa.publicExponent); + if (rv == SECSuccess) + return copyk; + } + break; + case dsaKey: + rv = SECITEM_CopyItem(arena, ©k->u.dsa.publicValue, + &pubk->u.dsa.publicValue); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.prime, + &pubk->u.dsa.params.prime); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.subPrime, + &pubk->u.dsa.params.subPrime); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, ©k->u.dsa.params.base, + &pubk->u.dsa.params.base); + break; + case dhKey: + rv = SECITEM_CopyItem(arena, ©k->u.dh.prime, &pubk->u.dh.prime); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, ©k->u.dh.base, &pubk->u.dh.base); + if (rv != SECSuccess) + break; + rv = SECITEM_CopyItem(arena, ©k->u.dh.publicValue, + &pubk->u.dh.publicValue); + break; + case ecKey: + copyk->u.ec.size = pubk->u.ec.size; + rv = SECITEM_CopyItem(arena, ©k->u.ec.DEREncodedParams, + &pubk->u.ec.DEREncodedParams); + if (rv != SECSuccess) { + break; + } + rv = seckey_SetPointEncoding(arena, copyk); + if (rv != SECSuccess) { + break; + } + PORT_Assert(copyk->u.ec.encoding == pubk->u.ec.encoding); + rv = SECITEM_CopyItem(arena, ©k->u.ec.publicValue, + &pubk->u.ec.publicValue); + break; + case nullKey: + return copyk; + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + rv 
= SECFailure; + break; } if (rv == SECSuccess) return copyk; - SECKEY_DestroyPublicKey (copyk); + SECKEY_DestroyPublicKey(copyk); return NULL; } - SECKEYPublicKey * SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk) { 
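Review bot: In the `ecKey` branch of `SECKEY_CopyPublicKey`, the only check that the re-derived point encoding matches the source key is `PORT_Assert(copyk->u.ec.encoding == pubk->u.ec.encoding)`, which compiles to nothing in non-debug builds. A release build would therefore return a copy whose encoding silently differs from the original if the source key's field was never set or was set differently. If the OID-derived value is meant to be authoritative, say so next to the call, e.g. `/* encoding is re-derived from the curve OID; pubk->u.ec.encoding is only cross-checked in debug builds */`. If a mismatch should instead count as an invalid key, replace the assert with `if (copyk->u.ec.encoding != pubk->u.ec.encoding) { PORT_SetError(SEC_ERROR_INVALID_KEY); rv = SECFailure; break; }`. The function's opening lines are outside this hunk, so whether `pubk` is NULL-checked before use cannot be confirmed here.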
@@ -1182,49 +1202,51 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk) */ cert = PK11_GetCertFromPrivateKey(privk); if (cert) { - pubk = CERT_ExtractPublicKey(cert); - CERT_DestroyCertificate(cert); - return pubk; + pubk = CERT_ExtractPublicKey(cert); + CERT_DestroyCertificate(cert); + return pubk; } /* couldn't find the cert, build pub key by hand */ - arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - PORT_SetError (SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena, - sizeof (SECKEYPublicKey)); + sizeof(SECKEYPublicKey)); if (pubk == NULL) { - PORT_FreeArena(arena,PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } pubk->keyType = privk->keyType; pubk->pkcs11Slot = NULL; pubk->pkcs11ID = CK_INVALID_HANDLE; pubk->arena = arena; - switch(privk->keyType) { - case nullKey: - case dhKey: - case dsaKey: - /* Nothing to query, if the cert isn't there, we're done -- no way - * to get the public key */ - break; - case rsaKey: - rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID, - CKA_MODULUS,arena,&pubk->u.rsa.modulus); - if (rv != SECSuccess) break; - rv = PK11_ReadAttribute(privk->pkcs11Slot,privk->pkcs11ID, - CKA_PUBLIC_EXPONENT,arena,&pubk->u.rsa.publicExponent); - if (rv != SECSuccess) break; - return pubk; - break; - default: - break; - } - - PORT_FreeArena (arena, PR_FALSE); + switch (privk->keyType) { + case nullKey: + case dhKey: + case dsaKey: + /* Nothing to query, if the cert isn't there, we're done -- no way + * to get the public key */ + break; + case rsaKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_MODULUS, arena, &pubk->u.rsa.modulus); + if (rv != SECSuccess) + break; + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_PUBLIC_EXPONENT, arena, &pubk->u.rsa.publicExponent); + if (rv != SECSuccess) + break; + return pubk; + 
break; + default: + break; + } + + PORT_FreeArena(arena, PR_FALSE); return NULL; } 
@@ -1237,105 +1259,107 @@ seckey_CreateSubjectPublicKeyInfo_helper(SECKEYPublicKey *pubk) arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } - spki = (CERTSubjectPublicKeyInfo *) PORT_ArenaZAlloc(arena, sizeof (*spki)); + spki = (CERTSubjectPublicKeyInfo *)PORT_ArenaZAlloc(arena, sizeof(*spki)); if (spki != NULL) { - SECStatus rv; - SECItem *rv_item; - - spki->arena = arena; - switch(pubk->keyType) { - case rsaKey: - rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, - SEC_OID_PKCS1_RSA_ENCRYPTION, 0); - if (rv == SECSuccess) { - /* - * DER encode the public key into the subjectPublicKeyInfo. - */ - prepare_rsa_pub_key_for_asn1(pubk); - rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey, - pubk, SECKEY_RSAPublicKeyTemplate); - if (rv_item != NULL) { - /* - * The stored value is supposed to be a BIT_STRING, - * so convert the length. - */ - spki->subjectPublicKey.len <<= 3; - /* - * We got a good one; return it. - */ - return spki; - } - } - break; - case dsaKey: - /* DER encode the params. */ - prepare_pqg_params_for_asn1(&pubk->u.dsa.params); - rv_item = SEC_ASN1EncodeItem(arena, ¶ms, &pubk->u.dsa.params, - SECKEY_PQGParamsTemplate); - if (rv_item != NULL) { - rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, - SEC_OID_ANSIX9_DSA_SIGNATURE, - ¶ms); - if (rv == SECSuccess) { - /* - * DER encode the public key into the subjectPublicKeyInfo. - */ - prepare_dsa_pub_key_for_asn1(pubk); - rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey, - pubk, - SECKEY_DSAPublicKeyTemplate); - if (rv_item != NULL) { - /* - * The stored value is supposed to be a BIT_STRING, - * so convert the length. - */ - spki->subjectPublicKey.len <<= 3; - /* - * We got a good one; return it. 
- */ - return spki; - } - } - } - SECITEM_FreeItem(¶ms, PR_FALSE); - break; - case ecKey: - rv = SECITEM_CopyItem(arena, ¶ms, - &pubk->u.ec.DEREncodedParams); - if (rv != SECSuccess) break; - - rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, - SEC_OID_ANSIX962_EC_PUBLIC_KEY, - ¶ms); - if (rv != SECSuccess) break; - - rv = SECITEM_CopyItem(arena, &spki->subjectPublicKey, - &pubk->u.ec.publicValue); - - if (rv == SECSuccess) { - /* - * The stored value is supposed to be a BIT_STRING, - * so convert the length. - */ - spki->subjectPublicKey.len <<= 3; - /* - * We got a good one; return it. - */ - return spki; - } - break; - case dhKey: /* later... */ - - break; - default: - break; - } + SECStatus rv; + SECItem *rv_item; + + spki->arena = arena; + switch (pubk->keyType) { + case rsaKey: + rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, + SEC_OID_PKCS1_RSA_ENCRYPTION, 0); + if (rv == SECSuccess) { + /* + * DER encode the public key into the subjectPublicKeyInfo. + */ + prepare_rsa_pub_key_for_asn1(pubk); + rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey, + pubk, SECKEY_RSAPublicKeyTemplate); + if (rv_item != NULL) { + /* + * The stored value is supposed to be a BIT_STRING, + * so convert the length. + */ + spki->subjectPublicKey.len <<= 3; + /* + * We got a good one; return it. + */ + return spki; + } + } + break; + case dsaKey: + /* DER encode the params. */ + prepare_pqg_params_for_asn1(&pubk->u.dsa.params); + rv_item = SEC_ASN1EncodeItem(arena, ¶ms, &pubk->u.dsa.params, + SECKEY_PQGParamsTemplate); + if (rv_item != NULL) { + rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, + SEC_OID_ANSIX9_DSA_SIGNATURE, + ¶ms); + if (rv == SECSuccess) { + /* + * DER encode the public key into the subjectPublicKeyInfo. 
+ */ + prepare_dsa_pub_key_for_asn1(pubk); + rv_item = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey, + pubk, + SECKEY_DSAPublicKeyTemplate); + if (rv_item != NULL) { + /* + * The stored value is supposed to be a BIT_STRING, + * so convert the length. + */ + spki->subjectPublicKey.len <<= 3; + /* + * We got a good one; return it. + */ + return spki; + } + } + } + SECITEM_FreeItem(¶ms, PR_FALSE); + break; + case ecKey: + rv = SECITEM_CopyItem(arena, ¶ms, + &pubk->u.ec.DEREncodedParams); + if (rv != SECSuccess) + break; + + rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, + SEC_OID_ANSIX962_EC_PUBLIC_KEY, + ¶ms); + if (rv != SECSuccess) + break; + + rv = SECITEM_CopyItem(arena, &spki->subjectPublicKey, + &pubk->u.ec.publicValue); + + if (rv == SECSuccess) { + /* + * The stored value is supposed to be a BIT_STRING, + * so convert the length. + */ + spki->subjectPublicKey.len <<= 3; + /* + * We got a good one; return it. + */ + return spki; + } + break; + case dhKey: /* later... */ + + break; + default: + break; + } } else { - PORT_SetError(SEC_ERROR_NO_MEMORY); + PORT_SetError(SEC_ERROR_NO_MEMORY); } PORT_FreeArena(arena, PR_FALSE); 
@@ -1366,25 +1390,25 @@ void SECKEY_DestroySubjectPublicKeyInfo(CERTSubjectPublicKeyInfo *spki) { if (spki && spki->arena) { - PORT_FreeArena(spki->arena, PR_FALSE); + PORT_FreeArena(spki->arena, PR_FALSE); } } SECItem * SECKEY_EncodeDERSubjectPublicKeyInfo(const SECKEYPublicKey *pubk) { - CERTSubjectPublicKeyInfo *spki=NULL; - SECItem *spkiDER=NULL; + CERTSubjectPublicKeyInfo *spki = NULL; + SECItem *spkiDER = NULL; /* get the subjectpublickeyinfo */ spki = SECKEY_CreateSubjectPublicKeyInfo(pubk); - if( spki == NULL ) { - goto finish; + if (spki == NULL) { + goto finish; } /* DER-encode the subjectpublickeyinfo */ - spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL/*dest*/, spki, - CERT_SubjectPublicKeyInfoTemplate); + spkiDER = SEC_ASN1EncodeItem(NULL /*arena*/, NULL /*dest*/, spki, + CERT_SubjectPublicKeyInfoTemplate); SECKEY_DestroySubjectPublicKeyInfo(spki); @@ -1392,7 +1416,6 @@ finish: return spkiDER; } - CERTSubjectPublicKeyInfo * SECKEY_DecodeDERSubjectPublicKeyInfo(const SECItem *spkider) { 
@@ -1403,26 +1426,26 @@ SECKEY_DecodeDERSubjectPublicKeyInfo(const SECItem *spkider) arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } spki = (CERTSubjectPublicKeyInfo *) - PORT_ArenaZAlloc(arena, sizeof (CERTSubjectPublicKeyInfo)); + PORT_ArenaZAlloc(arena, sizeof(CERTSubjectPublicKeyInfo)); if (spki != NULL) { - spki->arena = arena; + spki->arena = arena; /* copy the DER into the arena, since Quick DER returns data that points into the DER input, which may get freed by the caller */ rv = SECITEM_CopyItem(arena, &newSpkider, spkider); - if ( rv == SECSuccess ) { - rv = SEC_QuickDERDecodeItem(arena,spki, - CERT_SubjectPublicKeyInfoTemplate, &newSpkider); + if (rv == SECSuccess) { + rv = SEC_QuickDERDecodeItem(arena, spki, + CERT_SubjectPublicKeyInfoTemplate, &newSpkider); } - if (rv == SECSuccess) - return spki; + if (rv == SECSuccess) + return spki; } else { - PORT_SetError(SEC_ERROR_NO_MEMORY); + PORT_SetError(SEC_ERROR_NO_MEMORY); } PORT_FreeArena(arena, PR_FALSE); @@ -1441,7 +1464,7 @@ SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(const char *spkistr) rv = ATOB_ConvertAsciiToItem(&der, spkistr); if (rv != SECSuccess) - return NULL; + return NULL; spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); @@ -1455,7 +1478,7 @@ SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(const char *spkistr) */ CERTSubjectPublicKeyInfo * SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge, - void *wincx) + void *wincx) { CERTSubjectPublicKeyInfo *spki = NULL; CERTPublicKeyAndChallenge pkac; 
@@ -1466,171 +1489,171 @@ SECKEY_ConvertAndDecodePublicKeyAndChallenge(char *pkacstr, char *challenge, SECItem sig; SECKEYPublicKey *pubKey = NULL; unsigned int len; - + signedItem.data = NULL; - + /* convert the base64 encoded data to binary */ rv = ATOB_ConvertAsciiToItem(&signedItem, pkacstr); if (rv != SECSuccess) { - goto loser; + goto loser; } /* create an arena */ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - goto loser; + goto loser; } /* decode the outer wrapping of signed data */ PORT_Memset(&sd, 0, sizeof(CERTSignedData)); - rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, &signedItem ); - if ( rv ) { - goto loser; + rv = SEC_QuickDERDecodeItem(arena, &sd, CERT_SignedDataTemplate, &signedItem); + if (rv) { + goto loser; } /* decode the public key and challenge wrapper */ PORT_Memset(&pkac, 0, sizeof(CERTPublicKeyAndChallenge)); - rv = SEC_QuickDERDecodeItem(arena, &pkac, CERT_PublicKeyAndChallengeTemplate, - &sd.data); - if ( rv ) { - goto loser; + rv = SEC_QuickDERDecodeItem(arena, &pkac, CERT_PublicKeyAndChallengeTemplate, + &sd.data); + if (rv) { + goto loser; } /* decode the subject public key info */ spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&pkac.spki); - if ( spki == NULL ) { - goto loser; + if (spki == NULL) { + goto loser; } - + /* get the public key */ pubKey = seckey_ExtractPublicKey(spki); - if ( pubKey == NULL ) { - goto loser; + if (pubKey == NULL) { + goto loser; } /* check the signature */ sig = sd.signature; DER_ConvertBitString(&sig); rv = VFY_VerifyDataWithAlgorithmID(sd.data.data, sd.data.len, pubKey, &sig, - &(sd.signatureAlgorithm), NULL, wincx); - if ( rv != SECSuccess ) { - goto loser; + &(sd.signatureAlgorithm), NULL, wincx); + if (rv != SECSuccess) { + goto loser; } - + /* check the challenge */ - if ( challenge ) { - len = PORT_Strlen(challenge); - /* length is right */ - if ( len != pkac.challenge.len ) { - goto loser; - } - /* actual data is right */ - if ( PORT_Memcmp(challenge, 
pkac.challenge.data, len) != 0 ) { - goto loser; - } + if (challenge) { + len = PORT_Strlen(challenge); + /* length is right */ + if (len != pkac.challenge.len) { + goto loser; + } + /* actual data is right */ + if (PORT_Memcmp(challenge, pkac.challenge.data, len) != 0) { + goto loser; + } } goto done; loser: /* make sure that we return null if we got an error */ - if ( spki ) { - SECKEY_DestroySubjectPublicKeyInfo(spki); + if (spki) { + SECKEY_DestroySubjectPublicKeyInfo(spki); } spki = NULL; - + done: - if ( signedItem.data ) { - PORT_Free(signedItem.data); + if (signedItem.data) { + PORT_Free(signedItem.data); } - if ( arena ) { - PORT_FreeArena(arena, PR_FALSE); + if (arena) { + PORT_FreeArena(arena, PR_FALSE); } - if ( pubKey ) { - SECKEY_DestroyPublicKey(pubKey); + if (pubKey) { + SECKEY_DestroyPublicKey(pubKey); } - + return spki; } void SECKEY_DestroyPrivateKeyInfo(SECKEYPrivateKeyInfo *pvk, - PRBool freeit) + PRBool freeit) { PLArenaPool *poolp; - if(pvk != NULL) { - if(pvk->arena) { - poolp = pvk->arena; - /* zero structure since PORT_FreeArena does not support - * this yet. - */ - PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len); - PORT_Memset(pvk, 0, sizeof(*pvk)); - if(freeit == PR_TRUE) { - PORT_FreeArena(poolp, PR_TRUE); - } else { - pvk->arena = poolp; - } - } else { - SECITEM_ZfreeItem(&pvk->version, PR_FALSE); - SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE); - SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE); - PORT_Memset(pvk, 0, sizeof(*pvk)); - if(freeit == PR_TRUE) { - PORT_Free(pvk); - } - } + if (pvk != NULL) { + if (pvk->arena) { + poolp = pvk->arena; + /* zero structure since PORT_FreeArena does not support + * this yet. 
+ */ + PORT_Memset(pvk->privateKey.data, 0, pvk->privateKey.len); + PORT_Memset(pvk, 0, sizeof(*pvk)); + if (freeit == PR_TRUE) { + PORT_FreeArena(poolp, PR_TRUE); + } else { + pvk->arena = poolp; + } + } else { + SECITEM_ZfreeItem(&pvk->version, PR_FALSE); + SECITEM_ZfreeItem(&pvk->privateKey, PR_FALSE); + SECOID_DestroyAlgorithmID(&pvk->algorithm, PR_FALSE); + PORT_Memset(pvk, 0, sizeof(*pvk)); + if (freeit == PR_TRUE) { + PORT_Free(pvk); + } + } } } void SECKEY_DestroyEncryptedPrivateKeyInfo(SECKEYEncryptedPrivateKeyInfo *epki, - PRBool freeit) + PRBool freeit) { PLArenaPool *poolp; - if(epki != NULL) { - if(epki->arena) { - poolp = epki->arena; - /* zero structure since PORT_FreeArena does not support - * this yet. - */ - PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len); - PORT_Memset(epki, 0, sizeof(*epki)); - if(freeit == PR_TRUE) { - PORT_FreeArena(poolp, PR_TRUE); - } else { - epki->arena = poolp; - } - } else { - SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE); - SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE); - PORT_Memset(epki, 0, sizeof(*epki)); - if(freeit == PR_TRUE) { - PORT_Free(epki); - } - } + if (epki != NULL) { + if (epki->arena) { + poolp = epki->arena; + /* zero structure since PORT_FreeArena does not support + * this yet. 
+ */ + PORT_Memset(epki->encryptedData.data, 0, epki->encryptedData.len); + PORT_Memset(epki, 0, sizeof(*epki)); + if (freeit == PR_TRUE) { + PORT_FreeArena(poolp, PR_TRUE); + } else { + epki->arena = poolp; + } + } else { + SECITEM_ZfreeItem(&epki->encryptedData, PR_FALSE); + SECOID_DestroyAlgorithmID(&epki->algorithm, PR_FALSE); + PORT_Memset(epki, 0, sizeof(*epki)); + if (freeit == PR_TRUE) { + PORT_Free(epki); + } + } } } SECStatus SECKEY_CopyPrivateKeyInfo(PLArenaPool *poolp, - SECKEYPrivateKeyInfo *to, - const SECKEYPrivateKeyInfo *from) + SECKEYPrivateKeyInfo *to, + const SECKEYPrivateKeyInfo *from) { SECStatus rv = SECFailure; - if((to == NULL) || (from == NULL)) { - return SECFailure; + if ((to == NULL) || (from == NULL)) { + return SECFailure; } rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm); - if(rv != SECSuccess) { - return SECFailure; + if (rv != SECSuccess) { + return SECFailure; } rv = SECITEM_CopyItem(poolp, &to->privateKey, &from->privateKey); - if(rv != SECSuccess) { - return SECFailure; + if (rv != SECSuccess) { + return SECFailure; } rv = SECITEM_CopyItem(poolp, &to->version, &from->version); @@ -1639,18 +1662,18 @@ SECKEY_CopyPrivateKeyInfo(PLArenaPool *poolp, SECStatus SECKEY_CopyEncryptedPrivateKeyInfo(PLArenaPool *poolp, - SECKEYEncryptedPrivateKeyInfo *to, - const SECKEYEncryptedPrivateKeyInfo *from) + SECKEYEncryptedPrivateKeyInfo *to, + const SECKEYEncryptedPrivateKeyInfo *from) { SECStatus rv = SECFailure; - if((to == NULL) || (from == NULL)) { - return SECFailure; + if ((to == NULL) || (from == NULL)) { + return SECFailure; } rv = SECOID_CopyAlgorithmID(poolp, &to->algorithm, &from->algorithm); - if(rv != SECSuccess) { - return SECFailure; + if (rv != SECSuccess) { + return SECFailure; } rv = SECITEM_CopyItem(poolp, &to->encryptedData, &from->encryptedData); 
@@ -1660,16 +1683,16 @@ SECKEY_CopyEncryptedPrivateKeyInfo(PLArenaPool *poolp, KeyType SECKEY_GetPrivateKeyType(const SECKEYPrivateKey *privKey) { - return privKey->keyType; + return privKey->keyType; } KeyType SECKEY_GetPublicKeyType(const SECKEYPublicKey *pubKey) { - return pubKey->keyType; + return pubKey->keyType; } -SECKEYPublicKey* +SECKEYPublicKey * SECKEY_ImportDERPublicKey(const SECItem *derKey, CK_KEY_TYPE type) { SECKEYPublicKey *pubk = NULL; @@ -1679,11 +1702,11 @@ SECKEY_ImportDERPublicKey(const SECItem *derKey, CK_KEY_TYPE type) if (!derKey) { return NULL; - } + } arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); + PORT_SetError(SEC_ERROR_NO_MEMORY); goto finish; } 
@@ -1701,25 +1724,25 @@ SECKEY_ImportDERPublicKey(const SECItem *derKey, CK_KEY_TYPE type) pubk->pkcs11Slot = NULL; pubk->pkcs11ID = CK_INVALID_HANDLE; - switch( type ) { - case CKK_RSA: - prepare_rsa_pub_key_for_asn1(pubk); - rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_RSAPublicKeyTemplate, &newDerKey); - pubk->keyType = rsaKey; - break; - case CKK_DSA: - prepare_dsa_pub_key_for_asn1(pubk); - rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DSAPublicKeyTemplate, &newDerKey); - pubk->keyType = dsaKey; - break; - case CKK_DH: - prepare_dh_pub_key_for_asn1(pubk); - rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DHPublicKeyTemplate, &newDerKey); - pubk->keyType = dhKey; - break; - default: - rv = SECFailure; - break; + switch (type) { + case CKK_RSA: + prepare_rsa_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_RSAPublicKeyTemplate, &newDerKey); + pubk->keyType = rsaKey; + break; + case CKK_DSA: + prepare_dsa_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DSAPublicKeyTemplate, &newDerKey); + pubk->keyType = dsaKey; + break; + case CKK_DH: + prepare_dh_pub_key_for_asn1(pubk); + rv = SEC_QuickDERDecodeItem(pubk->arena, pubk, SECKEY_DHPublicKeyTemplate, &newDerKey); + pubk->keyType = dhKey; + break; + default: + rv = SECFailure; + break; } finish: @@ -1732,20 +1755,20 @@ finish: return pubk; } -SECKEYPrivateKeyList* +SECKEYPrivateKeyList * SECKEY_NewPrivateKeyList(void) { PLArenaPool *arena = NULL; SECKEYPrivateKeyList *ret = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { + if (arena == NULL) { goto loser; } ret = (SECKEYPrivateKeyList *)PORT_ArenaZAlloc(arena, - sizeof(SECKEYPrivateKeyList)); - if ( ret == NULL ) { + sizeof(SECKEYPrivateKeyList)); + if (ret == NULL) { goto loser; } 
@@ -1753,22 +1776,22 @@ SECKEY_NewPrivateKeyList(void) PR_INIT_CLIST(&ret->list); - return(ret); + return (ret); loser: - if ( arena != NULL ) { + if (arena != NULL) { PORT_FreeArena(arena, PR_FALSE); } - return(NULL); + return (NULL); } void SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys) { - while( !PR_CLIST_IS_EMPTY(&keys->list) ) { + while (!PR_CLIST_IS_EMPTY(&keys->list)) { SECKEY_RemovePrivateKeyListNode( - (SECKEYPrivateKeyListNode*)(PR_LIST_HEAD(&keys->list)) ); + (SECKEYPrivateKeyListNode *)(PR_LIST_HEAD(&keys->list))); } PORT_FreeArena(keys->arena, PR_FALSE); @@ -1776,7 +1799,6 @@ SECKEY_DestroyPrivateKeyList(SECKEYPrivateKeyList *keys) return; } - void SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node) { @@ -1785,44 +1807,42 @@ SECKEY_RemovePrivateKeyListNode(SECKEYPrivateKeyListNode *node) node->key = NULL; PR_REMOVE_LINK(&node->links); return; - } SECStatus -SECKEY_AddPrivateKeyToListTail( SECKEYPrivateKeyList *list, - SECKEYPrivateKey *key) +SECKEY_AddPrivateKeyToListTail(SECKEYPrivateKeyList *list, + SECKEYPrivateKey *key) { SECKEYPrivateKeyListNode *node; node = (SECKEYPrivateKeyListNode *)PORT_ArenaZAlloc(list->arena, - sizeof(SECKEYPrivateKeyListNode)); - if ( node == NULL ) { + sizeof(SECKEYPrivateKeyListNode)); + if (node == NULL) { goto loser; } PR_INSERT_BEFORE(&node->links, &list->list); node->key = key; - return(SECSuccess); + return (SECSuccess); loser: - return(SECFailure); + return (SECFailure); } - -SECKEYPublicKeyList* +SECKEYPublicKeyList * SECKEY_NewPublicKeyList(void) { PLArenaPool *arena = NULL; SECKEYPublicKeyList *ret = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( arena == NULL ) { + if (arena == NULL) { goto loser; } ret = (SECKEYPublicKeyList *)PORT_ArenaZAlloc(arena, - sizeof(SECKEYPublicKeyList)); - if ( ret == NULL ) { + sizeof(SECKEYPublicKeyList)); + if (ret == NULL) { goto loser; } 
@@ -1830,22 +1850,22 @@ SECKEY_NewPublicKeyList(void) PR_INIT_CLIST(&ret->list); - return(ret); + return (ret); loser: - if ( arena != NULL ) { + if (arena != NULL) { PORT_FreeArena(arena, PR_FALSE); } - return(NULL); + return (NULL); } void SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys) { - while( !PR_CLIST_IS_EMPTY(&keys->list) ) { + while (!PR_CLIST_IS_EMPTY(&keys->list)) { SECKEY_RemovePublicKeyListNode( - (SECKEYPublicKeyListNode*)(PR_LIST_HEAD(&keys->list)) ); + (SECKEYPublicKeyListNode *)(PR_LIST_HEAD(&keys->list))); } PORT_FreeArena(keys->arena, PR_FALSE); @@ -1853,7 +1873,6 @@ SECKEY_DestroyPublicKeyList(SECKEYPublicKeyList *keys) return; } - void SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node) { 
@@ -1862,38 +1881,37 @@ SECKEY_RemovePublicKeyListNode(SECKEYPublicKeyListNode *node) node->key = NULL; PR_REMOVE_LINK(&node->links); return; - } SECStatus -SECKEY_AddPublicKeyToListTail( SECKEYPublicKeyList *list, - SECKEYPublicKey *key) +SECKEY_AddPublicKeyToListTail(SECKEYPublicKeyList *list, + SECKEYPublicKey *key) { SECKEYPublicKeyListNode *node; node = (SECKEYPublicKeyListNode *)PORT_ArenaZAlloc(list->arena, - sizeof(SECKEYPublicKeyListNode)); - if ( node == NULL ) { + sizeof(SECKEYPublicKeyListNode)); + if (node == NULL) { goto loser; } PR_INSERT_BEFORE(&node->links, &list->list); node->key = key; - return(SECSuccess); + return (SECSuccess); loser: - return(SECFailure); + return (SECFailure); } -#define SECKEY_CacheAttribute(key, attribute) \ +#define SECKEY_CacheAttribute(key, attribute) \ if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)) { \ - key->staticflags |= SECKEY_##attribute; \ - } else { \ - key->staticflags &= (~SECKEY_##attribute); \ + key->staticflags |= SECKEY_##attribute; \ + } else { \ + key->staticflags &= (~SECKEY_##attribute); \ } SECStatus -SECKEY_CacheStaticFlags(SECKEYPrivateKey* key) +SECKEY_CacheStaticFlags(SECKEYPrivateKey *key) { SECStatus rv = SECFailure; if (key && key->pkcs11Slot && key->pkcs11ID) { 
@@ -1906,20 +1924,58 @@ SECKEY_CacheStaticFlags(SECKEYPrivateKey* key) } SECOidTag -SECKEY_GetECCOid(const SECKEYECParams * params) +SECKEY_GetECCOid(const SECKEYECParams *params) { - SECItem oid = { siBuffer, NULL, 0}; + SECItem oid = { siBuffer, NULL, 0 }; SECOidData *oidData = NULL; - /* + /* * params->data needs to contain the ASN encoding of an object ID (OID) * representing a named curve. Here, we strip away everything * before the actual OID and use the OID to look up a named curve. */ - if (params->data[0] != SEC_ASN1_OBJECT_ID) return 0; + if (params->data[0] != SEC_ASN1_OBJECT_ID) + return 0; oid.len = params->len - 2; oid.data = params->data + 2; - if ((oidData = SECOID_FindOID(&oid)) == NULL) return 0; + if ((oidData = SECOID_FindOID(&oid)) == NULL) + return 0; return oidData->offset; } + +/* Set curve encoding in SECKEYECPublicKey in pubKey from OID. + * If the encoding is not set, determining the key size of EC public keys will + * fail. + */ +SECStatus +seckey_SetPointEncoding(PLArenaPool *arena, SECKEYPublicKey *pubKey) +{ + SECItem oid; + SECOidTag tag; + SECStatus rv; + + /* decode the OID tag */ + rv = SEC_QuickDERDecodeItem(arena, &oid, SEC_ASN1_GET(SEC_ObjectIDTemplate), + &pubKey->u.ec.DEREncodedParams); + if (rv != SECSuccess) { + return SECFailure; + } + + tag = SECOID_FindOIDTag(&oid); + switch (tag) { + case SEC_OID_CURVE25519: + pubKey->u.ec.encoding = ECPoint_XOnly; + break; + case SEC_OID_SECG_EC_SECP256R1: + /* fall through */ + case SEC_OID_SECG_EC_SECP384R1: + /* fall through */ + case SEC_OID_SECG_EC_SECP521R1: + /* fall through */ + default: + /* unknown curve, default to uncompressed */ + pubKey->u.ec.encoding = ECPoint_Uncompressed; + } + return SECSuccess; +} diff --git a/nss/lib/cryptohi/secsign.c b/nss/lib/cryptohi/secsign.c index fa4bf5f..1bbdd53 100644 --- a/nss/lib/cryptohi/secsign.c +++ b/nss/lib/cryptohi/secsign.c 
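Review bot: `SECKEY_GetECCOid` reads `params->data[0]` and computes `oid.len = params->len - 2` without first checking that `params->data` is non-NULL and `params->len` is at least 2, so an empty or one-byte item causes a NULL dereference or a wrapped length handed to `SECOID_FindOID`. It also never compares the DER length byte `params->data[1]` with the remaining length. EC parameters usually come from parsed keys or certificates, so they should be treated as untrusted unless every caller validates them (not visible here). A guard such as `if (!params || !params->data || params->len < 2 || params->data[0] != SEC_ASN1_OBJECT_ID) return 0;` closes the gap; alternatively decode with `SEC_QuickDERDecodeItem` and `SEC_ObjectIDTemplate`, as the new `seckey_SetPointEncoding` does. In `seckey_SetPointEncoding`, initialising the local as `SECItem oid = { siBuffer, NULL, 0 };` would match the declaration style used in `SECKEY_GetECCOid`.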
@@ -40,25 +40,25 @@ SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key) * it may just support CKM_SHA1_RSA_PKCS and/or CKM_MD5_RSA_PKCS. */ /* we have a private key, not a public key, so don't pass it in */ - rv = sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg); + rv = sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg); if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return 0; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return 0; } keyType = seckey_GetKeyType(signalg); /* verify our key type */ if (key->keyType != keyType && - !((key->keyType == dsaKey) && (keyType == fortezzaKey)) ) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return 0; + !((key->keyType == dsaKey) && (keyType == fortezzaKey))) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return 0; } - cx = (SGNContext*) PORT_ZAlloc(sizeof(SGNContext)); + cx = (SGNContext *)PORT_ZAlloc(sizeof(SGNContext)); if (cx) { - cx->hashalg = hashalg; - cx->signalg = signalg; - cx->key = key; + cx->hashalg = hashalg; + cx->signalg = signalg; + cx->key = key; } return cx; } @@ -67,13 +67,13 @@ void SGN_DestroyContext(SGNContext *cx, PRBool freeit) { if (cx) { - if (cx->hashcx != NULL) { - (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); - cx->hashcx = NULL; - } - if (freeit) { - PORT_ZFree(cx, sizeof(SGNContext)); - } + if (cx->hashcx != NULL) { + (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); + cx->hashcx = NULL; + } + if (freeit) { + PORT_ZFree(cx, sizeof(SGNContext)); + } } } 
@@ -81,17 +81,17 @@ SECStatus SGN_Begin(SGNContext *cx) { if (cx->hashcx != NULL) { - (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); - cx->hashcx = NULL; + (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); + cx->hashcx = NULL; } cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashalg); if (!cx->hashobj) - return SECFailure; /* error code is already set */ + return SECFailure; /* error code is already set */ cx->hashcx = (*cx->hashobj->create)(); if (cx->hashcx == NULL) - return SECFailure; + return SECFailure; (*cx->hashobj->begin)(cx->hashcx); return SECSuccess; @@ -101,8 +101,8 @@ SECStatus SGN_Update(SGNContext *cx, const unsigned char *input, unsigned int inputLen) { if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } (*cx->hashobj->update)(cx->hashcx, input, inputLen); return SECSuccess; @@ -111,12 +111,12 @@ SGN_Update(SGNContext *cx, const unsigned char *input, unsigned int inputLen) /* XXX Old template; want to expunge it eventually. */ static DERTemplate SECAlgorithmIDTemplate[] = { { DER_SEQUENCE, - 0, NULL, sizeof(SECAlgorithmID) }, + 0, NULL, sizeof(SECAlgorithmID) }, { DER_OBJECT_ID, - offsetof(SECAlgorithmID,algorithm), }, + offsetof(SECAlgorithmID, algorithm) }, { DER_OPTIONAL | DER_ANY, - offsetof(SECAlgorithmID,parameters), }, - { 0, } + offsetof(SECAlgorithmID, parameters) }, + { 0 } }; /* @@ -125,13 +125,13 @@ static DERTemplate SECAlgorithmIDTemplate[] = { */ static DERTemplate SGNDigestInfoTemplate[] = { { DER_SEQUENCE, - 0, NULL, sizeof(SGNDigestInfo) }, + 0, NULL, sizeof(SGNDigestInfo) }, { DER_INLINE, - offsetof(SGNDigestInfo,digestAlgorithm), - SECAlgorithmIDTemplate, }, + offsetof(SGNDigestInfo, digestAlgorithm), + SECAlgorithmIDTemplate }, { DER_OCTET_STRING, - offsetof(SGNDigestInfo,digest), }, - { 0, } + offsetof(SGNDigestInfo, digest) }, + { 0 } }; SECStatus 
@@ -151,36 +151,35 @@ SGN_End(SGNContext *cx, SECItem *result) /* Finish up digest function */ if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest)); - if (privKey->keyType == rsaKey) { - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( !arena ) { - rv = SECFailure; - goto loser; - } - - /* Construct digest info */ - di = SGN_CreateDigestInfo(cx->hashalg, digest, part1); - if (!di) { - rv = SECFailure; - goto loser; - } - - /* Der encode the digest as a DigestInfo */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + rv = SECFailure; + goto loser; + } + + /* Construct digest info */ + di = SGN_CreateDigestInfo(cx->hashalg, digest, part1); + if (!di) { + rv = SECFailure; + goto loser; + } + + /* Der encode the digest as a DigestInfo */ rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di); - if (rv != SECSuccess) { - goto loser; - } + if (rv != SECSuccess) { + goto loser; + } } else { - digder.data = digest; - digder.len = part1; + digder.data = digest; + digder.len = part1; } /* 
@@ -189,41 +188,41 @@ SGN_End(SGNContext *cx, SECItem *result) */ signatureLen = PK11_SignatureLen(privKey); if (signatureLen <= 0) { - PORT_SetError(SEC_ERROR_INVALID_KEY); - rv = SECFailure; - goto loser; + PORT_SetError(SEC_ERROR_INVALID_KEY); + rv = SECFailure; + goto loser; } sigitem.len = signatureLen; - sigitem.data = (unsigned char*) PORT_Alloc(signatureLen); + sigitem.data = (unsigned char *)PORT_Alloc(signatureLen); if (sigitem.data == NULL) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } rv = PK11_Sign(privKey, &sigitem, &digder); if (rv != SECSuccess) { - PORT_Free(sigitem.data); - sigitem.data = NULL; - goto loser; + PORT_Free(sigitem.data); + sigitem.data = NULL; + goto loser; } if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) || (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */ - rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len); - PORT_Free(sigitem.data); - if (rv != SECSuccess) - goto loser; + rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len); + PORT_Free(sigitem.data); + if (rv != SECSuccess) + goto loser; } else { - result->len = sigitem.len; - result->data = sigitem.data; + result->len = sigitem.len; + result->data = sigitem.data; } - loser: +loser: SGN_DestroyDigestInfo(di); if (arena != NULL) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } 
@@ -236,71 +235,69 @@ SGN_End(SGNContext *cx, SECItem *result) */ SECStatus SEC_SignData(SECItem *res, const unsigned char *buf, int len, - SECKEYPrivateKey *pk, SECOidTag algid) + SECKEYPrivateKey *pk, SECOidTag algid) { SECStatus rv; SGNContext *sgn; - sgn = SGN_NewContext(algid, pk); if (sgn == NULL) - return SECFailure; + return SECFailure; rv = SGN_Begin(sgn); if (rv != SECSuccess) - goto loser; + goto loser; rv = SGN_Update(sgn, buf, len); if (rv != SECSuccess) - goto loser; + goto loser; rv = SGN_End(sgn, res); - loser: +loser: SGN_DestroyContext(sgn, PR_TRUE); return rv; } /************************************************************************/ - + DERTemplate CERTSignedDataTemplate[] = -{ - { DER_SEQUENCE, - 0, NULL, sizeof(CERTSignedData) }, - { DER_ANY, - offsetof(CERTSignedData,data), }, - { DER_INLINE, - offsetof(CERTSignedData,signatureAlgorithm), - SECAlgorithmIDTemplate, }, - { DER_BIT_STRING, - offsetof(CERTSignedData,signature), }, - { 0, } -}; + { + { DER_SEQUENCE, + 0, NULL, sizeof(CERTSignedData) }, + { DER_ANY, + offsetof(CERTSignedData, data) }, + { DER_INLINE, + offsetof(CERTSignedData, signatureAlgorithm), + SECAlgorithmIDTemplate }, + { DER_BIT_STRING, + offsetof(CERTSignedData, signature) }, + { 0 } + }; SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) const SEC_ASN1Template CERT_SignedDataTemplate[] = -{ - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTSignedData) }, - { SEC_ASN1_ANY, - offsetof(CERTSignedData,data), }, - { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(CERTSignedData,signatureAlgorithm), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), }, - { SEC_ASN1_BIT_STRING, - offsetof(CERTSignedData,signature), }, - { 0, } -}; + { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTSignedData) }, + { SEC_ASN1_ANY, + offsetof(CERTSignedData, data) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, + offsetof(CERTSignedData, signatureAlgorithm), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_BIT_STRING, + offsetof(CERTSignedData, signature) }, + { 0 } + 
}; SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate) - SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result, - const unsigned char *buf, int len, SECKEYPrivateKey *pk, - SECOidTag algID) + const unsigned char *buf, int len, SECKEYPrivateKey *pk, + SECOidTag algID) { SECItem it; CERTSignedData sd; 
@@ -313,58 +310,60 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result, */ if (algID == SEC_OID_UNKNOWN) { - switch(pk->keyType) { - case rsaKey: - algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; - break; - case dsaKey: - /* get Signature length (= q_len*2) and work from there */ - switch (PK11_SignatureLen(pk)) { - case 448: - algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; - break; - case 512: - algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; - break; - default: - algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; - break; - } - break; - case ecKey: - algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_KEY); - return SECFailure; - } + switch (pk->keyType) { + case rsaKey: + algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; + break; + case dsaKey: + /* get Signature length (= q_len*2) and work from there */ + switch (PK11_SignatureLen(pk)) { + case 448: + algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; + break; + case 512: + algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; + break; + default: + algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; + break; + } + break; + case ecKey: + algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } } /* Sign input buffer */ rv = SEC_SignData(&it, buf, len, pk, algID); - if (rv) goto loser; + if (rv) + goto loser; /* Fill out SignedData object */ PORT_Memset(&sd, 0, sizeof(sd)); - sd.data.data = (unsigned char*) buf; + sd.data.data = (unsigned char *)buf; sd.data.len = len; sd.signature.data = it.data; - sd.signature.len = it.len << 3; /* convert to bit string */ + sd.signature.len = it.len << 3; /* convert to bit string */ rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, 0); - if (rv) goto loser; + if (rv) + goto loser; /* DER encode the signed data object */ rv = DER_Encode(arena, result, CERTSignedDataTemplate, &sd); - /* FALL 
THROUGH */ +/* FALL THROUGH */ - loser: +loser: PORT_Free(it.data); return rv; } SECStatus SGN_Digest(SECKEYPrivateKey *privKey, - SECOidTag algtag, SECItem *result, SECItem *digest) + SECOidTag algtag, SECItem *result, SECItem *digest) { int modulusLen; SECStatus rv; @@ -372,33 +371,32 @@ SGN_Digest(SECKEYPrivateKey *privKey, PLArenaPool *arena = 0; SGNDigestInfo *di = 0; - result->data = 0; if (privKey->keyType == rsaKey) { - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if ( !arena ) { - rv = SECFailure; - goto loser; - } - - /* Construct digest info */ - di = SGN_CreateDigestInfo(algtag, digest->data, digest->len); - if (!di) { - rv = SECFailure; - goto loser; - } - - /* Der encode the digest as a DigestInfo */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + rv = SECFailure; + goto loser; + } + + /* Construct digest info */ + di = SGN_CreateDigestInfo(algtag, digest->data, digest->len); + if (!di) { + rv = SECFailure; + goto loser; + } + + /* Der encode the digest as a DigestInfo */ rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di); - if (rv != SECSuccess) { - goto loser; - } + if (rv != SECSuccess) { + goto loser; + } } else { - digder.data = digest->data; - digder.len = digest->len; + digder.data = digest->data; + digder.len = digest->len; } /* 
@@ -407,29 +405,29 @@ SGN_Digest(SECKEYPrivateKey *privKey, */ modulusLen = PK11_SignatureLen(privKey); if (modulusLen <= 0) { - PORT_SetError(SEC_ERROR_INVALID_KEY); - rv = SECFailure; - goto loser; + PORT_SetError(SEC_ERROR_INVALID_KEY); + rv = SECFailure; + goto loser; } result->len = modulusLen; - result->data = (unsigned char*) PORT_Alloc(modulusLen); + result->data = (unsigned char *)PORT_Alloc(modulusLen); result->type = siBuffer; if (result->data == NULL) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } rv = PK11_Sign(privKey, result, &digder); if (rv != SECSuccess) { - PORT_Free(result->data); - result->data = NULL; + PORT_Free(result->data); + result->data = NULL; } - loser: +loser: SGN_DestroyDigestInfo(di); if (arena != NULL) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return rv; } 
@@ -440,58 +438,73 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag) SECOidTag sigTag = SEC_OID_UNKNOWN; switch (keyType) { - case rsaKey: - switch (hashAlgTag) { - case SEC_OID_MD2: - sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION; break; - case SEC_OID_MD5: - sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; break; - case SEC_OID_SHA1: - sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; break; - case SEC_OID_SHA224: - sigTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION; break; - case SEC_OID_UNKNOWN: /* default for RSA if not specified */ - case SEC_OID_SHA256: - sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; break; - case SEC_OID_SHA384: - sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION; break; - case SEC_OID_SHA512: - sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; break; - default: - break; - } - break; - case dsaKey: - switch (hashAlgTag) { - case SEC_OID_UNKNOWN: /* default for DSA if not specified */ - case SEC_OID_SHA1: - sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; break; - case SEC_OID_SHA224: - sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; break; - case SEC_OID_SHA256: - sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; break; - default: - break; - } - break; - case ecKey: - switch (hashAlgTag) { - case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ - case SEC_OID_SHA1: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; break; - case SEC_OID_SHA224: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; break; - case SEC_OID_SHA256: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; break; - case SEC_OID_SHA384: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE; break; - case SEC_OID_SHA512: - sigTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE; break; - default: - break; - } - default: - break; + case rsaKey: + switch (hashAlgTag) { + case SEC_OID_MD2: + sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION; + break; + case SEC_OID_MD5: + sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; + break; + 
case SEC_OID_SHA1: + sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; + break; + case SEC_OID_SHA224: + sigTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION; + break; + case SEC_OID_UNKNOWN: /* default for RSA if not specified */ + case SEC_OID_SHA256: + sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; + break; + case SEC_OID_SHA384: + sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION; + break; + case SEC_OID_SHA512: + sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; + break; + default: + break; + } + break; + case dsaKey: + switch (hashAlgTag) { + case SEC_OID_UNKNOWN: /* default for DSA if not specified */ + case SEC_OID_SHA1: + sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; + break; + case SEC_OID_SHA224: + sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; + break; + case SEC_OID_SHA256: + sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; + break; + default: + break; + } + break; + case ecKey: + switch (hashAlgTag) { + case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ + case SEC_OID_SHA1: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; + break; + case SEC_OID_SHA224: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; + break; + case SEC_OID_SHA256: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; + break; + case SEC_OID_SHA384: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE; + break; + case SEC_OID_SHA512: + sigTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE; + break; + default: + break; + } + default: + break; } return sigTag; } diff --git a/nss/lib/cryptohi/secvfy.c b/nss/lib/cryptohi/secvfy.c index c869167..2ac21ab 100644 --- a/nss/lib/cryptohi/secvfy.c +++ b/nss/lib/cryptohi/secvfy.c 
@@ -35,13 +35,13 @@ */ static SECStatus recoverPKCS1DigestInfo(SECOidTag givenDigestAlg, - /*out*/ SECOidTag* digestAlgOut, - /*out*/ unsigned char** digestInfo, - /*out*/ unsigned int* digestInfoLen, - SECKEYPublicKey* key, - const SECItem* sig, void* wincx) + /*out*/ SECOidTag *digestAlgOut, + /*out*/ unsigned char **digestInfo, + /*out*/ unsigned int *digestInfoLen, + SECKEYPublicKey *key, + const SECItem *sig, void *wincx) { - SGNDigestInfo* di = NULL; + SGNDigestInfo *di = NULL; SECItem it; PRBool rv = SECSuccess; @@ -53,11 +53,11 @@ recoverPKCS1DigestInfo(SECOidTag givenDigestAlg, PORT_Assert(sig); it.data = NULL; - it.len = SECKEY_PublicKeyStrength(key); + it.len = SECKEY_PublicKeyStrength(key); if (it.len != 0) { it.data = (unsigned char *)PORT_Alloc(it.len); } - if (it.len == 0 || it.data == NULL ) { + if (it.len == 0 || it.data == NULL) { rv = SECFailure; } @@ -65,7 +65,7 @@ recoverPKCS1DigestInfo(SECOidTag givenDigestAlg, /* decrypt the block */ rv = PK11_VerifyRecover(key, sig, &it, wincx); } - + if (rv == SECSuccess) { if (givenDigestAlg != SEC_OID_UNKNOWN) { /* We don't need to parse the DigestInfo if the caller gave us the @@ -74,7 +74,7 @@ recoverPKCS1DigestInfo(SECOidTag givenDigestAlg, * that the DigestInfo is encoded absolutely correctly. */ *digestInfoLen = it.len; - *digestInfo = (unsigned char*)it.data; + *digestInfo = (unsigned char *)it.data; *digestAlgOut = givenDigestAlg; return SECSuccess; } @@ -104,7 +104,7 @@ recoverPKCS1DigestInfo(SECOidTag givenDigestAlg, if (rv == SECSuccess) { *digestInfoLen = it.len; - *digestInfo = (unsigned char*)it.data; + *digestInfo = (unsigned char *)it.data; } else { if (it.data) { PORT_Free(it.data); @@ -118,7 +118,7 @@ recoverPKCS1DigestInfo(SECOidTag givenDigestAlg, } struct VFYContextStr { - SECOidTag hashAlg; /* the hash algorithm */ + SECOidTag hashAlg; /* the hash algorithm */ SECKEYPublicKey *key; /* * This buffer holds either the digest or the full signature 
@@ -130,35 +130,35 @@ struct VFYContextStr { * the size of the union or some other union member instead. */ union { - unsigned char buffer[1]; + unsigned char buffer[1]; - /* the full DSA signature... 40 bytes */ - unsigned char dsasig[DSA_MAX_SIGNATURE_LEN]; - /* the full ECDSA signature */ - unsigned char ecdsasig[2 * MAX_ECKEY_LEN]; + /* the full DSA signature... 40 bytes */ + unsigned char dsasig[DSA_MAX_SIGNATURE_LEN]; + /* the full ECDSA signature */ + unsigned char ecdsasig[2 * MAX_ECKEY_LEN]; } u; unsigned int pkcs1RSADigestInfoLen; /* the encoded DigestInfo from a RSA PKCS#1 signature */ unsigned char *pkcs1RSADigestInfo; - void * wincx; + void *wincx; void *hashcx; const SECHashObject *hashobj; - SECOidTag encAlg; /* enc alg */ - PRBool hasSignature; /* true if the signature was provided in the - * VFY_CreateContext call. If false, the - * signature must be provided with a - * VFY_EndWithSignature call. */ + SECOidTag encAlg; /* enc alg */ + PRBool hasSignature; /* true if the signature was provided in the + * VFY_CreateContext call. If false, the + * signature must be provided with a + * VFY_EndWithSignature call. */ }; static SECStatus -verifyPKCS1DigestInfo(const VFYContext* cx, const SECItem* digest) +verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest) { - SECItem pkcs1DigestInfo; - pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo; - pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen; - return _SGN_VerifyPKCS1DigestInfo( - cx->hashAlg, digest, &pkcs1DigestInfo, - PR_TRUE /*XXX: unsafeAllowMissingParameters*/); + SECItem pkcs1DigestInfo; + pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo; + pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen; + return _SGN_VerifyPKCS1DigestInfo( + cx->hashAlg, digest, &pkcs1DigestInfo, + PR_TRUE /*XXX: unsafeAllowMissingParameters*/); } /* 
@@ -168,47 +168,50 @@ verifyPKCS1DigestInfo(const VFYContext* cx, const SECItem* digest) */ static SECStatus decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig, - unsigned int len) { + unsigned int len) +{ SECItem *dsasig = NULL; /* also used for ECDSA */ - SECStatus rv=SECSuccess; + SECStatus rv = SECSuccess; if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && - (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) { + (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { if (sig->len != len) { - PORT_SetError(SEC_ERROR_BAD_DER); - return SECFailure; - } + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } - PORT_Memcpy(dsig, sig->data, sig->len); - return SECSuccess; + PORT_Memcpy(dsig, sig->data, sig->len); + return SECSuccess; } - if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { - if (len > MAX_ECKEY_LEN * 2) { - PORT_SetError(SEC_ERROR_BAD_DER); - return SECFailure; - } + if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { + if (len > MAX_ECKEY_LEN * 2) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } } dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); if ((dsasig == NULL) || (dsasig->len != len)) { - rv = SECFailure; + rv = SECFailure; } else { - PORT_Memcpy(dsig, dsasig->data, dsasig->len); + PORT_Memcpy(dsig, dsasig->data, dsasig->len); } - if (dsasig != NULL) SECITEM_FreeItem(dsasig, PR_TRUE); - if (rv == SECFailure) PORT_SetError(SEC_ERROR_BAD_DER); + if (dsasig != NULL) + SECITEM_FreeItem(dsasig, PR_TRUE); + if (rv == SECFailure) + PORT_SetError(SEC_ERROR_BAD_DER); return rv; } const SEC_ASN1Template hashParameterTemplate[] = -{ - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, - { SEC_ASN1_OBJECT_ID, 0 }, - { SEC_ASN1_SKIP_REST }, - { 0, } -}; + { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) }, + { SEC_ASN1_OBJECT_ID, 0 }, + { SEC_ASN1_SKIP_REST }, + { 0 } + }; /* * Pulls the hash algorithm, signing algorithm, and key type out of a 
@@ -222,160 +225,160 @@ const SEC_ASN1Template hashParameterTemplate[] = * algorithm was not found or was not a signing algorithm. */ SECStatus -sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg) +sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, + const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg) { int len; PLArenaPool *arena; SECStatus rv; SECItem oid; - PR_ASSERT(hashalg!=NULL); - PR_ASSERT(encalg!=NULL); + PR_ASSERT(hashalg != NULL); + PR_ASSERT(encalg != NULL); switch (sigAlg) { - /* We probably shouldn't be generating MD2 signatures either */ - case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: - *hashalg = SEC_OID_MD2; - break; - case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: - *hashalg = SEC_OID_MD5; - break; - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: - case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: - case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: - *hashalg = SEC_OID_SHA1; - break; - case SEC_OID_PKCS1_RSA_ENCRYPTION: - case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: - *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */ - break; - - case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: - case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: - case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: - *hashalg = SEC_OID_SHA224; - break; - case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: - *hashalg = SEC_OID_SHA256; - break; - case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - *hashalg = SEC_OID_SHA384; - break; - case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: - *hashalg = SEC_OID_SHA512; - break; - - /* what about normal DSA? 
*/ - case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: - case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: - case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: - *hashalg = SEC_OID_SHA1; - break; - case SEC_OID_MISSI_DSS: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_DSS_OLD: - *hashalg = SEC_OID_SHA1; - break; - case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: - /* This is an EC algorithm. Recommended means the largest - * hash algorithm that is not reduced by the keysize of - * the EC algorithm. Note that key strength is in bytes and - * algorithms are specified in bits. Never use an algorithm - * weaker than sha1. */ - len = SECKEY_PublicKeyStrength(key); - if (len < 28) { /* 28 bytes == 224 bits */ - *hashalg = SEC_OID_SHA1; - } else if (len < 32) { /* 32 bytes == 256 bits */ - *hashalg = SEC_OID_SHA224; - } else if (len < 48) { /* 48 bytes == 384 bits */ - *hashalg = SEC_OID_SHA256; - } else if (len < 64) { /* 48 bytes == 512 bits */ - *hashalg = SEC_OID_SHA384; - } else { - /* use the largest in this case */ - *hashalg = SEC_OID_SHA512; - } - break; - case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: - if (param == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; - } - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) { - return SECFailure; - } - rv = SEC_QuickDERDecodeItem(arena, &oid, hashParameterTemplate, param); - if (rv == SECSuccess) { - *hashalg = SECOID_FindOIDTag(&oid); - } - PORT_FreeArena(arena, PR_FALSE); - if (rv != SECSuccess) { - return rv; - } - /* only accept hash algorithms */ - if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) { - /* error set by HASH_GetHashTypeByOidTag */ - return SECFailure; - } - break; - /* we don't implement MD4 hashes */ - case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; - } - /* get the "encryption" algorithm */ + /* We probably shouldn't be 
generating MD2 signatures either */ + case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: + *hashalg = SEC_OID_MD2; + break; + case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: + *hashalg = SEC_OID_MD5; + break; + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: + case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: + case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: + *hashalg = SEC_OID_SHA1; + break; + case SEC_OID_PKCS1_RSA_ENCRYPTION: + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */ + break; + + case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: + case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: + case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: + *hashalg = SEC_OID_SHA224; + break; + case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: + *hashalg = SEC_OID_SHA256; + break; + case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + *hashalg = SEC_OID_SHA384; + break; + case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: + *hashalg = SEC_OID_SHA512; + break; + + /* what about normal DSA? */ + case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: + case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: + case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: + *hashalg = SEC_OID_SHA1; + break; + case SEC_OID_MISSI_DSS: + case SEC_OID_MISSI_KEA_DSS: + case SEC_OID_MISSI_KEA_DSS_OLD: + case SEC_OID_MISSI_DSS_OLD: + *hashalg = SEC_OID_SHA1; + break; + case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: + /* This is an EC algorithm. Recommended means the largest + * hash algorithm that is not reduced by the keysize of + * the EC algorithm. Note that key strength is in bytes and + * algorithms are specified in bits. Never use an algorithm + * weaker than sha1. 
*/ + len = SECKEY_PublicKeyStrength(key); + if (len < 28) { /* 28 bytes == 224 bits */ + *hashalg = SEC_OID_SHA1; + } else if (len < 32) { /* 32 bytes == 256 bits */ + *hashalg = SEC_OID_SHA224; + } else if (len < 48) { /* 48 bytes == 384 bits */ + *hashalg = SEC_OID_SHA256; + } else if (len < 64) { /* 48 bytes == 512 bits */ + *hashalg = SEC_OID_SHA384; + } else { + /* use the largest in this case */ + *hashalg = SEC_OID_SHA512; + } + break; + case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: + if (param == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + return SECFailure; + } + rv = SEC_QuickDERDecodeItem(arena, &oid, hashParameterTemplate, param); + if (rv == SECSuccess) { + *hashalg = SECOID_FindOIDTag(&oid); + } + PORT_FreeArena(arena, PR_FALSE); + if (rv != SECSuccess) { + return rv; + } + /* only accept hash algorithms */ + if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) { + /* error set by HASH_GetHashTypeByOidTag */ + return SECFailure; + } + break; + /* we don't implement MD4 hashes */ + case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } + /* get the "encryption" algorithm */ switch (sigAlg) { - case SEC_OID_PKCS1_RSA_ENCRYPTION: - case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: - case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: - case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: - case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: - *encalg = SEC_OID_PKCS1_RSA_ENCRYPTION; - break; - case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: - *encalg = SEC_OID_PKCS1_RSA_PSS_SIGNATURE; - break; - - /* what about normal DSA? 
*/ - case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: - case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: - case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: - case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: - *encalg = SEC_OID_ANSIX9_DSA_SIGNATURE; - break; - case SEC_OID_MISSI_DSS: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_DSS_OLD: - *encalg = SEC_OID_MISSI_DSS; - break; - case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: - case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: - *encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; - break; - /* we don't implement MD4 hashes */ - case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; + case SEC_OID_PKCS1_RSA_ENCRYPTION: + case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: + case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: + case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: + case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: + *encalg = SEC_OID_PKCS1_RSA_ENCRYPTION; + break; + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + *encalg = SEC_OID_PKCS1_RSA_PSS_SIGNATURE; + break; + + /* what about normal DSA? 
*/ + case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: + case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: + case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: + case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: + *encalg = SEC_OID_ANSIX9_DSA_SIGNATURE; + break; + case SEC_OID_MISSI_DSS: + case SEC_OID_MISSI_KEA_DSS: + case SEC_OID_MISSI_KEA_DSS_OLD: + case SEC_OID_MISSI_DSS_OLD: + *encalg = SEC_OID_MISSI_DSS; + break; + case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: + case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: + *encalg = SEC_OID_ANSIX962_EC_PUBLIC_KEY; + break; + /* we don't implement MD4 hashes */ + case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; } return SECSuccess; } @@ -388,13 +391,13 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, * our base vfyCreate function takes. * * There is one noteworthy corner case, if we are using an RSA key, and the - * signature block is provided, then the hashAlg can be specified as + * signature block is provided, then the hashAlg can be specified as * SEC_OID_UNKNOWN. In this case, verify will use the hash oid supplied * in the RSA signature block. */ static VFYContext * -vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, - SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) +vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, + SECOidTag encAlg, SECOidTag hashAlg, SECOidTag *hash, void *wincx) { VFYContext *cx; SECStatus rv; 
@@ -405,14 +408,14 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ type = seckey_GetKeyType(encAlg); if ((key->keyType != type) && - ((key->keyType != rsaKey) || (type != rsaPssKey))) { - PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); - return NULL; + ((key->keyType != rsaKey) || (type != rsaPssKey))) { + PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); + return NULL; } - cx = (VFYContext*) PORT_ZAlloc(sizeof(VFYContext)); + cx = (VFYContext *)PORT_ZAlloc(sizeof(VFYContext)); if (cx == NULL) { - goto loser; + goto loser; } cx->wincx = wincx; 
@@ -423,81 +426,82 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, cx->pkcs1RSADigestInfo = NULL; rv = SECSuccess; if (sig) { - switch (type) { - case rsaKey: - rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, - &cx->pkcs1RSADigestInfo, - &cx->pkcs1RSADigestInfoLen, - cx->key, - sig, wincx); - break; - case dsaKey: - case ecKey: - sigLen = SECKEY_SignatureLen(key); - if (sigLen == 0) { - /* error set by SECKEY_SignatureLen */ - rv = SECFailure; - break; - } - rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); - break; - default: - rv = SECFailure; - PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); - break; - } - } - - if (rv) goto loser; + switch (type) { + case rsaKey: + rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, + &cx->pkcs1RSADigestInfo, + &cx->pkcs1RSADigestInfoLen, + cx->key, + sig, wincx); + break; + case dsaKey: + case ecKey: + sigLen = SECKEY_SignatureLen(key); + if (sigLen == 0) { + /* error set by SECKEY_SignatureLen */ + rv = SECFailure; + break; + } + rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); + break; + default: + rv = SECFailure; + PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); + break; + } + } + + if (rv) + goto loser; /* check hash alg again, RSA may have changed it.*/ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { - /* error set by HASH_GetHashTypeByOidTag */ - goto loser; + /* error set by HASH_GetHashTypeByOidTag */ + goto loser; } if (hash) { - *hash = cx->hashAlg; + *hash = cx->hashAlg; } return cx; - loser: +loser: if (cx) { - VFY_DestroyContext(cx, PR_TRUE); + VFY_DestroyContext(cx, PR_TRUE); } return 0; } VFYContext * VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, SECOidTag sigAlg, - void *wincx) + void *wincx) { SECOidTag encAlg, hashAlg; SECStatus rv = sec_DecodeSigAlg(key, sigAlg, NULL, &encAlg, &hashAlg); if (rv != SECSuccess) { - return NULL; + return NULL; } return vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); } VFYContext * 
-VFY_CreateContextDirect(const SECKEYPublicKey *key, const SECItem *sig, - SECOidTag encAlg, SECOidTag hashAlg, - SECOidTag *hash, void *wincx) +VFY_CreateContextDirect(const SECKEYPublicKey *key, const SECItem *sig, + SECOidTag encAlg, SECOidTag hashAlg, + SECOidTag *hash, void *wincx) { - return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); + return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); } VFYContext * VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, const SECItem *sig, - const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx) + const SECAlgorithmID *sigAlgorithm, SECOidTag *hash, void *wincx) { SECOidTag encAlg, hashAlg; - SECStatus rv = sec_DecodeSigAlg(key, - SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), - &sigAlgorithm->parameters, &encAlg, &hashAlg); + SECStatus rv = sec_DecodeSigAlg(key, + SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), + &sigAlgorithm->parameters, &encAlg, &hashAlg); if (rv != SECSuccess) { - return NULL; + return NULL; } return vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); } @@ -506,19 +510,19 @@ void VFY_DestroyContext(VFYContext *cx, PRBool freeit) { if (cx) { - if (cx->hashcx != NULL) { - (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); - cx->hashcx = NULL; - } - if (cx->key) { - SECKEY_DestroyPublicKey(cx->key); - } - if (cx->pkcs1RSADigestInfo) { - PORT_Free(cx->pkcs1RSADigestInfo); - } - if (freeit) { - PORT_ZFree(cx, sizeof(VFYContext)); - } + if (cx->hashcx != NULL) { + (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); + cx->hashcx = NULL; + } + if (cx->key) { + SECKEY_DestroyPublicKey(cx->key); + } + if (cx->pkcs1RSADigestInfo) { + PORT_Free(cx->pkcs1RSADigestInfo); + } + if (freeit) { + PORT_ZFree(cx, sizeof(VFYContext)); + } } } 
@@ -526,17 +530,17 @@ SECStatus VFY_Begin(VFYContext *cx) { if (cx->hashcx != NULL) { - (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); - cx->hashcx = NULL; + (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); + cx->hashcx = NULL; } cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashAlg); - if (!cx->hashobj) - return SECFailure; /* error code is set */ + if (!cx->hashobj) + return SECFailure; /* error code is set */ cx->hashcx = (*cx->hashobj->create)(); if (cx->hashcx == NULL) - return SECFailure; + return SECFailure; (*cx->hashobj->begin)(cx->hashcx); return SECSuccess; @@ -546,8 +550,8 @@ SECStatus VFY_Update(VFYContext *cx, const unsigned char *input, unsigned inputLen) { if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } (*cx->hashobj->update)(cx->hashcx, input, inputLen); return SECSuccess; 
@@ -558,65 +562,64 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig) { unsigned char final[HASH_LENGTH_MAX]; unsigned part; - SECItem hash,dsasig; /* dsasig is also used for ECDSA */ + SECItem hash, dsasig; /* dsasig is also used for ECDSA */ SECStatus rv; if ((cx->hasSignature == PR_FALSE) && (sig == NULL)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } if (cx->hashcx == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final)); switch (cx->key->keyType) { - case ecKey: - case dsaKey: - dsasig.data = cx->u.buffer; - dsasig.len = SECKEY_SignatureLen(cx->key); - if (dsasig.len == 0) { - return SECFailure; - } - if (sig) { - rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, - dsasig.len); - if (rv != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - } - hash.data = final; - hash.len = part; - if (PK11_Verify(cx->key,&dsasig,&hash,cx->wincx) != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - break; - case rsaKey: - { - SECItem digest; - digest.data = final; - digest.len = part; - if (sig) { - SECOidTag hashid; - PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN); - rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid, - &cx->pkcs1RSADigestInfo, - &cx->pkcs1RSADigestInfoLen, - cx->key, - sig, cx->wincx); - PORT_Assert(cx->hashAlg == hashid); - if (rv != SECSuccess) { - return SECFailure; - } - } - return verifyPKCS1DigestInfo(cx, &digest); - } - default: - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; /* shouldn't happen */ + case ecKey: + case dsaKey: + dsasig.data = cx->u.buffer; + dsasig.len = SECKEY_SignatureLen(cx->key); + if (dsasig.len == 0) { + return SECFailure; + } + if (sig) { + rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, + dsasig.len); + if (rv != 
SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + } + hash.data = final; + hash.len = part; + if (PK11_Verify(cx->key, &dsasig, &hash, cx->wincx) != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; + } + break; + case rsaKey: { + SECItem digest; + digest.data = final; + digest.len = part; + if (sig) { + SECOidTag hashid; + PORT_Assert(cx->hashAlg != SEC_OID_UNKNOWN); + rv = recoverPKCS1DigestInfo(cx->hashAlg, &hashid, + &cx->pkcs1RSADigestInfo, + &cx->pkcs1RSADigestInfoLen, + cx->key, + sig, cx->wincx); + PORT_Assert(cx->hashAlg == hashid); + if (rv != SECSuccess) { + return SECFailure; + } + } + return verifyPKCS1DigestInfo(cx, &digest); + } + default: + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; /* shouldn't happen */ } return SECSuccess; } @@ -624,7 +627,7 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig) SECStatus VFY_End(VFYContext *cx) { - return VFY_EndWithSignature(cx,NULL); + return VFY_EndWithSignature(cx, NULL); } /************************************************************************/ @@ -632,9 +635,9 @@ VFY_End(VFYContext *cx) * Verify that a previously-computed digest matches a signature. */ static SECStatus -vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, - const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, - void *wincx) +vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, + const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, + void *wincx) { SECStatus rv; VFYContext *cx; 
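Review bot: In the `rsaKey` branch of `VFY_EndWithSignature`, `PORT_Assert(cx->hashAlg == hashid);` runs before the `rv` returned by `recoverPKCS1DigestInfo` is tested, and `hashid` is declared without an initializer. If that call can fail without storing to `hashid` (its body is not in this hunk), a debug build compares an indeterminate value and may abort on a malformed signature instead of returning `SECFailure`. Moving `if (rv != SECSuccess) { return SECFailure; }` above the assert keeps the failure path clean. `PORT_Assert` is normally compiled out of optimized builds, so it would also help to add a comment stating that the hash-algorithm match is enforced by `recoverPKCS1DigestInfo` and `verifyPKCS1DigestInfo`, not by these assertions. The function's signature sits just above the hunk.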
@@ -644,48 +647,48 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key, cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); if (cx != NULL) { - switch (key->keyType) { - case rsaKey: - rv = verifyPKCS1DigestInfo(cx, digest); - break; - case dsaKey: - case ecKey: - dsasig.data = cx->u.buffer; - dsasig.len = SECKEY_SignatureLen(cx->key); - if (dsasig.len == 0) { - break; - } - if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) - != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - } else { - rv = SECSuccess; - } - break; - default: - break; - } - VFY_DestroyContext(cx, PR_TRUE); + switch (key->keyType) { + case rsaKey: + rv = verifyPKCS1DigestInfo(cx, digest); + break; + case dsaKey: + case ecKey: + dsasig.data = cx->u.buffer; + dsasig.len = SECKEY_SignatureLen(cx->key); + if (dsasig.len == 0) { + break; + } + if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) != + SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + } else { + rv = SECSuccess; + } + break; + default: + break; + } + VFY_DestroyContext(cx, PR_TRUE); } return rv; } SECStatus -VFY_VerifyDigestDirect(const SECItem *digest, const SECKEYPublicKey *key, - const SECItem *sig, SECOidTag encAlg, - SECOidTag hashAlg, void *wincx) +VFY_VerifyDigestDirect(const SECItem *digest, const SECKEYPublicKey *key, + const SECItem *sig, SECOidTag encAlg, + SECOidTag hashAlg, void *wincx) { return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); } SECStatus VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig, - SECOidTag algid, void *wincx) + SECOidTag algid, void *wincx) { SECOidTag encAlg, hashAlg; SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg); if (rv != SECSuccess) { - return SECFailure; + return SECFailure; } return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); } 
@@ -695,44 +698,44 @@ VFY_VerifyDigest(SECItem *digest, SECKEYPublicKey *key, SECItem *sig, * will be compared with our target hash value. */ SECStatus -VFY_VerifyDigestWithAlgorithmID(const SECItem *digest, - const SECKEYPublicKey *key, const SECItem *sig, - const SECAlgorithmID *sigAlgorithm, - SECOidTag hashCmp, void *wincx) +VFY_VerifyDigestWithAlgorithmID(const SECItem *digest, + const SECKEYPublicKey *key, const SECItem *sig, + const SECAlgorithmID *sigAlgorithm, + SECOidTag hashCmp, void *wincx) { SECOidTag encAlg, hashAlg; - SECStatus rv = sec_DecodeSigAlg(key, - SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), - &sigAlgorithm->parameters, &encAlg, &hashAlg); + SECStatus rv = sec_DecodeSigAlg(key, + SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm), + &sigAlgorithm->parameters, &encAlg, &hashAlg); if (rv != SECSuccess) { - return rv; + return rv; } - if ( hashCmp != SEC_OID_UNKNOWN && - hashAlg != SEC_OID_UNKNOWN && - hashCmp != hashAlg) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; + if (hashCmp != SEC_OID_UNKNOWN && + hashAlg != SEC_OID_UNKNOWN && + hashCmp != hashAlg) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + return SECFailure; } return vfy_VerifyDigest(digest, key, sig, encAlg, hashAlg, wincx); } static SECStatus vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, - const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, - SECOidTag *hash, void *wincx) + const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg, + SECOidTag *hash, void *wincx) { SECStatus rv; VFYContext *cx; cx = vfy_CreateContext(key, sig, encAlg, hashAlg, hash, wincx); if (cx == NULL) - return SECFailure; + return SECFailure; rv = VFY_Begin(cx); if (rv == SECSuccess) { - rv = VFY_Update(cx, (unsigned char *)buf, len); - if (rv == SECSuccess) - rv = VFY_End(cx); + rv = VFY_Update(cx, (unsigned char *)buf, len); + if (rv == SECSuccess) + rv = VFY_End(cx); } VFY_DestroyContext(cx, PR_TRUE); 
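Review bot: `vfy_VerifyData` accepts `int len` and passes it unchanged to `VFY_Update`, whose `inputLen` parameter is `unsigned`, so a negative length from a caller is converted to a very large count and the hash update would be asked to read far beyond `buf`. A guard ahead of the `vfy_CreateContext` call avoids that without needing any cleanup: `if (len < 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. The public wrappers `VFY_VerifyDataDirect`, `VFY_VerifyData` and `VFY_VerifyDataWithAlgorithmID` in the next hunk all forward their `int len` here, so the single check covers them. The closing lines of `vfy_VerifyData` fall outside this hunk.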
@@ -740,39 +743,39 @@ vfy_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, } SECStatus -VFY_VerifyDataDirect(const unsigned char *buf, int len, - const SECKEYPublicKey *key, const SECItem *sig, - SECOidTag encAlg, SECOidTag hashAlg, - SECOidTag *hash, void *wincx) +VFY_VerifyDataDirect(const unsigned char *buf, int len, + const SECKEYPublicKey *key, const SECItem *sig, + SECOidTag encAlg, SECOidTag hashAlg, + SECOidTag *hash, void *wincx) { return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx); } SECStatus VFY_VerifyData(const unsigned char *buf, int len, const SECKEYPublicKey *key, - const SECItem *sig, SECOidTag algid, void *wincx) + const SECItem *sig, SECOidTag algid, void *wincx) { SECOidTag encAlg, hashAlg; SECStatus rv = sec_DecodeSigAlg(key, algid, NULL, &encAlg, &hashAlg); if (rv != SECSuccess) { - return rv; + return rv; } return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, NULL, wincx); } SECStatus -VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, int len, - const SECKEYPublicKey *key, - const SECItem *sig, - const SECAlgorithmID *sigAlgorithm, - SECOidTag *hash, void *wincx) +VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, int len, + const SECKEYPublicKey *key, + const SECItem *sig, + const SECAlgorithmID *sigAlgorithm, + SECOidTag *hash, void *wincx) { SECOidTag encAlg, hashAlg; SECOidTag sigAlg = SECOID_GetAlgorithmTag((SECAlgorithmID *)sigAlgorithm); - SECStatus rv = sec_DecodeSigAlg(key, sigAlg, - &sigAlgorithm->parameters, &encAlg, &hashAlg); + SECStatus rv = sec_DecodeSigAlg(key, sigAlg, + &sigAlgorithm->parameters, &encAlg, &hashAlg); if (rv != SECSuccess) { - return rv; + return rv; } return vfy_VerifyData(buf, len, key, sig, encAlg, hashAlg, hash, wincx); } |