diff options
Diffstat (limited to 'nss/lib/pk11wrap/pk11akey.c')
-rw-r--r-- | nss/lib/pk11wrap/pk11akey.c | 2872 |
1 files changed, 1503 insertions, 1369 deletions
diff --git a/nss/lib/pk11wrap/pk11akey.c b/nss/lib/pk11wrap/pk11akey.c index b0604de..d086ed4 100644 --- a/nss/lib/pk11wrap/pk11akey.c +++ b/nss/lib/pk11wrap/pk11akey.c @@ -14,53 +14,54 @@ #include "pk11func.h" #include "cert.h" #include "key.h" +#include "keyi.h" #include "secitem.h" -#include "secasn1.h" -#include "secoid.h" +#include "secasn1.h" +#include "secoid.h" #include "secerr.h" #include "sechash.h" -#include "secpkcs5.h" +#include "secpkcs5.h" #include "blapit.h" static SECItem * pk11_MakeIDFromPublicKey(SECKEYPublicKey *pubKey) { /* set the ID to the public key so we can find it again */ - SECItem *pubKeyIndex = NULL; + SECItem *pubKeyIndex = NULL; switch (pubKey->keyType) { - case rsaKey: - pubKeyIndex = &pubKey->u.rsa.modulus; - break; - case dsaKey: - pubKeyIndex = &pubKey->u.dsa.publicValue; - break; - case dhKey: - pubKeyIndex = &pubKey->u.dh.publicValue; - break; - case ecKey: - pubKeyIndex = &pubKey->u.ec.publicValue; - break; - default: - return NULL; + case rsaKey: + pubKeyIndex = &pubKey->u.rsa.modulus; + break; + case dsaKey: + pubKeyIndex = &pubKey->u.dsa.publicValue; + break; + case dhKey: + pubKeyIndex = &pubKey->u.dh.publicValue; + break; + case ecKey: + pubKeyIndex = &pubKey->u.ec.publicValue; + break; + default: + return NULL; } PORT_Assert(pubKeyIndex != NULL); return PK11_MakeIDFromPubKey(pubKeyIndex); -} +} /* * import a public key into the desired slot * - * This function takes a public key structure and creates a public key in a + * This function takes a public key structure and creates a public key in a * given slot. If isToken is set, then a persistant public key is created. * * Note: it is possible for this function to return a handle for a key which * is persistant, even if isToken is not set. */ CK_OBJECT_HANDLE -PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, - PRBool isToken) +PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, + PRBool isToken) { CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; @@ -78,139 +79,167 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey, /* if we already have an object in the desired slot, use it */ if (!isToken && pubKey->pkcs11Slot == slot) { - return pubKey->pkcs11ID; + return pubKey->pkcs11ID; } /* free the existing key */ if (pubKey->pkcs11Slot != NULL) { - PK11SlotInfo *oSlot = pubKey->pkcs11Slot; - if (!PK11_IsPermObject(pubKey->pkcs11Slot,pubKey->pkcs11ID)) { - PK11_EnterSlotMonitor(oSlot); - (void) PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session, - pubKey->pkcs11ID); - PK11_ExitSlotMonitor(oSlot); - } - PK11_FreeSlot(oSlot); - pubKey->pkcs11Slot = NULL; - } - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass) ); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType) ); attrs++; + PK11SlotInfo *oSlot = pubKey->pkcs11Slot; + if (!PK11_IsPermObject(pubKey->pkcs11Slot, pubKey->pkcs11ID)) { + PK11_EnterSlotMonitor(oSlot); + (void)PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session, + pubKey->pkcs11ID); + PK11_ExitSlotMonitor(oSlot); + } + PK11_FreeSlot(oSlot); + pubKey->pkcs11Slot = NULL; + } + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse, - sizeof(CK_BBOOL) ); attrs++; + sizeof(CK_BBOOL)); + attrs++; if (isToken) { - ckaId = pk11_MakeIDFromPublicKey(pubKey); - if (ckaId == NULL) { - PORT_SetError( SEC_ERROR_BAD_KEY ); - return CK_INVALID_HANDLE; - } - PK11_SETATTRS(attrs, CKA_ID, ckaId->data, ckaId->len); attrs++; + ckaId = pk11_MakeIDFromPublicKey(pubKey); + if (ckaId == NULL) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return CK_INVALID_HANDLE; + } + PK11_SETATTRS(attrs, CKA_ID, ckaId->data, ckaId->len); + attrs++; } /* now import the key */ { switch (pubKey->keyType) { - case rsaKey: - keyType = CKK_RSA; - PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, - sizeof(CK_BBOOL) ); attrs++; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data, - pubKey->u.rsa.modulus.len); attrs++; - PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, - pubKey->u.rsa.publicExponent.data, - pubKey->u.rsa.publicExponent.len); attrs++; - break; - case dsaKey: - keyType = CKK_DSA; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dsa.params.prime.data, - pubKey->u.dsa.params.prime.len); attrs++; - PK11_SETATTRS(attrs,CKA_SUBPRIME,pubKey->u.dsa.params.subPrime.data, - pubKey->u.dsa.params.subPrime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dsa.params.base.data, - pubKey->u.dsa.params.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dsa.publicValue.data, - pubKey->u.dsa.publicValue.len); attrs++; - break; - case fortezzaKey: - keyType = CKK_DSA; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data, - pubKey->u.fortezza.params.prime.len); attrs++; - PK11_SETATTRS(attrs,CKA_SUBPRIME, - pubKey->u.fortezza.params.subPrime.data, - pubKey->u.fortezza.params.subPrime.len);attrs++; - PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.fortezza.params.base.data, - pubKey->u.fortezza.params.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, - pubKey->u.fortezza.DSSKey.len); attrs++; - break; - case dhKey: - keyType = CKK_DH; - PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dh.prime.data, - pubKey->u.dh.prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dh.base.data, - pubKey->u.dh.base.len); attrs++; - PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dh.publicValue.data, - pubKey->u.dh.publicValue.len); attrs++; - break; - case ecKey: - keyType = CKK_EC; - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++; - PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++; - signedattr = attrs; - PK11_SETATTRS(attrs, CKA_EC_PARAMS, - pubKey->u.ec.DEREncodedParams.data, - pubKey->u.ec.DEREncodedParams.len); attrs++; - if (PR_GetEnv("NSS_USE_DECODED_CKA_EC_POINT")) { - PK11_SETATTRS(attrs, CKA_EC_POINT, - pubKey->u.ec.publicValue.data, - pubKey->u.ec.publicValue.len); attrs++; - } else { - pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &pubKey->u.ec.publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (pubValue == NULL) { - if (ckaId) { - SECITEM_FreeItem(ckaId,PR_TRUE); - } - return CK_INVALID_HANDLE; - } - PK11_SETATTRS(attrs, CKA_EC_POINT, - pubValue->data, pubValue->len); attrs++; - } - break; - default: - if (ckaId) { - SECITEM_FreeItem(ckaId,PR_TRUE); - } - PORT_SetError( SEC_ERROR_BAD_KEY ); - return CK_INVALID_HANDLE; - } - - templateCount = attrs - theTemplate; - signedcount = attrs - signedattr; - PORT_Assert(templateCount <= (sizeof(theTemplate)/sizeof(CK_ATTRIBUTE))); - for (attrs=signedattr; signedcount; attrs++, signedcount--) { - pk11_SignedToUnsigned(attrs); - } + case rsaKey: + keyType = CKK_RSA; + PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data, + pubKey->u.rsa.modulus.len); + attrs++; + PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, + pubKey->u.rsa.publicExponent.data, + pubKey->u.rsa.publicExponent.len); + attrs++; + break; + case dsaKey: + keyType = CKK_DSA; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dsa.params.prime.data, + pubKey->u.dsa.params.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, pubKey->u.dsa.params.subPrime.data, + pubKey->u.dsa.params.subPrime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dsa.params.base.data, + pubKey->u.dsa.params.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dsa.publicValue.data, + pubKey->u.dsa.publicValue.len); + attrs++; + break; + case fortezzaKey: + keyType = CKK_DSA; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.fortezza.params.prime.data, + pubKey->u.fortezza.params.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, + pubKey->u.fortezza.params.subPrime.data, + pubKey->u.fortezza.params.subPrime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.fortezza.params.base.data, + pubKey->u.fortezza.params.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, + pubKey->u.fortezza.DSSKey.len); + attrs++; + break; + case dhKey: + keyType = CKK_DH; + PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dh.prime.data, + pubKey->u.dh.prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dh.base.data, + pubKey->u.dh.base.len); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dh.publicValue.data, + pubKey->u.dh.publicValue.len); + attrs++; + break; + case ecKey: + keyType = CKK_EC; + PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); + attrs++; + signedattr = attrs; + PK11_SETATTRS(attrs, CKA_EC_PARAMS, + pubKey->u.ec.DEREncodedParams.data, + pubKey->u.ec.DEREncodedParams.len); + attrs++; + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) { + PK11_SETATTRS(attrs, CKA_EC_POINT, + pubKey->u.ec.publicValue.data, + pubKey->u.ec.publicValue.len); + attrs++; + } else { + pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + if (ckaId) { + SECITEM_FreeItem(ckaId, PR_TRUE); + } + return CK_INVALID_HANDLE; + } + PK11_SETATTRS(attrs, CKA_EC_POINT, + pubValue->data, pubValue->len); + attrs++; + } + break; + default: + if (ckaId) { + SECITEM_FreeItem(ckaId, PR_TRUE); + } + PORT_SetError(SEC_ERROR_BAD_KEY); + return CK_INVALID_HANDLE; + } + + templateCount = attrs - theTemplate; + signedcount = attrs - signedattr; + PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE))); + for (attrs = signedattr; signedcount; attrs++, signedcount--) { + pk11_SignedToUnsigned(attrs); + } rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate, - templateCount, isToken, &objectID); - if (ckaId) { - SECITEM_FreeItem(ckaId,PR_TRUE); - } - if (pubValue) { - SECITEM_FreeItem(pubValue,PR_TRUE); - } - if ( rv != SECSuccess) { - return CK_INVALID_HANDLE; - } + templateCount, isToken, &objectID); + if (ckaId) { + SECITEM_FreeItem(ckaId, PR_TRUE); + } + if (pubValue) { + SECITEM_FreeItem(pubValue, PR_TRUE); + } + if (rv != SECSuccess) { + return CK_INVALID_HANDLE; + } } pubKey->pkcs11ID = objectID; @@ -229,22 +258,21 @@ pk11_Attr2SecItem(PLArenaPool *arena, const CK_ATTRIBUTE *attr, SECItem *item) (void)SECITEM_AllocItem(arena, item, attr->ulValueLen); if (item->data == NULL) { - return CKR_HOST_MEMORY; - } + return CKR_HOST_MEMORY; + } PORT_Memcpy(item->data, attr->pValue, item->len); return CKR_OK; } - /* * get a curve length from a set of ecParams. - * + * * We need this so we can reliably determine if the ecPoint passed to us * was encoded or not. With out this, for many curves, we would incorrectly * identify an unencoded curve as an encoded curve 1 in 65536 times, and for - * a few we would make that same mistake 1 in 32768 times. These are bad + * a few we would make that same mistake 1 in 32768 times. These are bad * numbers since they are rare enough to pass tests, but common enough to - * be tripped over in the field. + * be tripped over in the field. * * This function will only work for curves we recognized as of March 2009. * The assumption is curves in use after March of 2009 would be supplied by @@ -253,127 +281,133 @@ pk11_Attr2SecItem(PLArenaPool *arena, const CK_ATTRIBUTE *attr, SECItem *item) * Point length = (Roundup(curveLenInBits/8)*2+1) */ static int -pk11_get_EC_PointLenInBytes(PLArenaPool *arena, const SECItem *ecParams) +pk11_get_EC_PointLenInBytes(PLArenaPool *arena, const SECItem *ecParams, + PRBool *plain) { - SECItem oid; - SECOidTag tag; - SECStatus rv; - - /* decode the OID tag */ - rv = SEC_QuickDERDecodeItem(arena, &oid, - SEC_ASN1_GET(SEC_ObjectIDTemplate), ecParams); - if (rv != SECSuccess) { - /* could be explict curves, allow them to work if the - * PKCS #11 module support them. If we try to parse the - * explicit curve value in the future, we may return -1 here - * to indicate an invalid parameter if the explicit curve - * decode fails. */ - return 0; - } - - tag = SECOID_FindOIDTag(&oid); - switch (tag) { - case SEC_OID_SECG_EC_SECP112R1: - case SEC_OID_SECG_EC_SECP112R2: - return 29; /* curve len in bytes = 14 bytes */ - case SEC_OID_SECG_EC_SECT113R1: - case SEC_OID_SECG_EC_SECT113R2: - return 31; /* curve len in bytes = 15 bytes */ - case SEC_OID_SECG_EC_SECP128R1: - case SEC_OID_SECG_EC_SECP128R2: - return 33; /* curve len in bytes = 16 bytes */ - case SEC_OID_SECG_EC_SECT131R1: - case SEC_OID_SECG_EC_SECT131R2: - return 35; /* curve len in bytes = 17 bytes */ - case SEC_OID_SECG_EC_SECP160K1: - case SEC_OID_SECG_EC_SECP160R1: - case SEC_OID_SECG_EC_SECP160R2: - return 41; /* curve len in bytes = 20 bytes */ - case SEC_OID_SECG_EC_SECT163K1: - case SEC_OID_SECG_EC_SECT163R1: - case SEC_OID_SECG_EC_SECT163R2: - case SEC_OID_ANSIX962_EC_C2PNB163V1: - case SEC_OID_ANSIX962_EC_C2PNB163V2: - case SEC_OID_ANSIX962_EC_C2PNB163V3: - return 43; /* curve len in bytes = 21 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB176V1: - return 45; /* curve len in bytes = 22 bytes */ - case SEC_OID_ANSIX962_EC_C2TNB191V1: - case SEC_OID_ANSIX962_EC_C2TNB191V2: - case SEC_OID_ANSIX962_EC_C2TNB191V3: - case SEC_OID_SECG_EC_SECP192K1: - case SEC_OID_ANSIX962_EC_PRIME192V1: - case SEC_OID_ANSIX962_EC_PRIME192V2: - case SEC_OID_ANSIX962_EC_PRIME192V3: - return 49; /*curve len in bytes = 24 bytes */ - case SEC_OID_SECG_EC_SECT193R1: - case SEC_OID_SECG_EC_SECT193R2: - return 51; /*curve len in bytes = 25 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB208W1: - return 53; /*curve len in bytes = 26 bytes */ - case SEC_OID_SECG_EC_SECP224K1: - case SEC_OID_SECG_EC_SECP224R1: - return 57; /*curve len in bytes = 28 bytes */ - case SEC_OID_SECG_EC_SECT233K1: - case SEC_OID_SECG_EC_SECT233R1: - case SEC_OID_SECG_EC_SECT239K1: - case SEC_OID_ANSIX962_EC_PRIME239V1: - case SEC_OID_ANSIX962_EC_PRIME239V2: - case SEC_OID_ANSIX962_EC_PRIME239V3: - case SEC_OID_ANSIX962_EC_C2TNB239V1: - case SEC_OID_ANSIX962_EC_C2TNB239V2: - case SEC_OID_ANSIX962_EC_C2TNB239V3: - return 61; /*curve len in bytes = 30 bytes */ - case SEC_OID_ANSIX962_EC_PRIME256V1: - case SEC_OID_SECG_EC_SECP256K1: - return 65; /*curve len in bytes = 32 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB272W1: - return 69; /*curve len in bytes = 34 bytes */ - case SEC_OID_SECG_EC_SECT283K1: - case SEC_OID_SECG_EC_SECT283R1: - return 73; /*curve len in bytes = 36 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB304W1: - return 77; /*curve len in bytes = 38 bytes */ - case SEC_OID_ANSIX962_EC_C2TNB359V1: - return 91; /*curve len in bytes = 45 bytes */ - case SEC_OID_ANSIX962_EC_C2PNB368W1: - return 93; /*curve len in bytes = 46 bytes */ - case SEC_OID_SECG_EC_SECP384R1: - return 97; /*curve len in bytes = 48 bytes */ - case SEC_OID_SECG_EC_SECT409K1: - case SEC_OID_SECG_EC_SECT409R1: - return 105; /*curve len in bytes = 52 bytes */ - case SEC_OID_ANSIX962_EC_C2TNB431R1: - return 109; /*curve len in bytes = 54 bytes */ - case SEC_OID_SECG_EC_SECP521R1: - return 133; /*curve len in bytes = 66 bytes */ - case SEC_OID_SECG_EC_SECT571K1: - case SEC_OID_SECG_EC_SECT571R1: - return 145; /*curve len in bytes = 72 bytes */ - /* unknown or unrecognized OIDs. return unknown length */ - default: - break; - } - return 0; + SECItem oid; + SECOidTag tag; + SECStatus rv; + + /* decode the OID tag */ + rv = SEC_QuickDERDecodeItem(arena, &oid, + SEC_ASN1_GET(SEC_ObjectIDTemplate), ecParams); + if (rv != SECSuccess) { + /* could be explict curves, allow them to work if the + * PKCS #11 module support them. If we try to parse the + * explicit curve value in the future, we may return -1 here + * to indicate an invalid parameter if the explicit curve + * decode fails. */ + return 0; + } + + *plain = PR_FALSE; + tag = SECOID_FindOIDTag(&oid); + switch (tag) { + case SEC_OID_SECG_EC_SECP112R1: + case SEC_OID_SECG_EC_SECP112R2: + return 29; /* curve len in bytes = 14 bytes */ + case SEC_OID_SECG_EC_SECT113R1: + case SEC_OID_SECG_EC_SECT113R2: + return 31; /* curve len in bytes = 15 bytes */ + case SEC_OID_SECG_EC_SECP128R1: + case SEC_OID_SECG_EC_SECP128R2: + return 33; /* curve len in bytes = 16 bytes */ + case SEC_OID_SECG_EC_SECT131R1: + case SEC_OID_SECG_EC_SECT131R2: + return 35; /* curve len in bytes = 17 bytes */ + case SEC_OID_SECG_EC_SECP160K1: + case SEC_OID_SECG_EC_SECP160R1: + case SEC_OID_SECG_EC_SECP160R2: + return 41; /* curve len in bytes = 20 bytes */ + case SEC_OID_SECG_EC_SECT163K1: + case SEC_OID_SECG_EC_SECT163R1: + case SEC_OID_SECG_EC_SECT163R2: + case SEC_OID_ANSIX962_EC_C2PNB163V1: + case SEC_OID_ANSIX962_EC_C2PNB163V2: + case SEC_OID_ANSIX962_EC_C2PNB163V3: + return 43; /* curve len in bytes = 21 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB176V1: + return 45; /* curve len in bytes = 22 bytes */ + case SEC_OID_ANSIX962_EC_C2TNB191V1: + case SEC_OID_ANSIX962_EC_C2TNB191V2: + case SEC_OID_ANSIX962_EC_C2TNB191V3: + case SEC_OID_SECG_EC_SECP192K1: + case SEC_OID_ANSIX962_EC_PRIME192V1: + case SEC_OID_ANSIX962_EC_PRIME192V2: + case SEC_OID_ANSIX962_EC_PRIME192V3: + return 49; /*curve len in bytes = 24 bytes */ + case SEC_OID_SECG_EC_SECT193R1: + case SEC_OID_SECG_EC_SECT193R2: + return 51; /*curve len in bytes = 25 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB208W1: + return 53; /*curve len in bytes = 26 bytes */ + case SEC_OID_SECG_EC_SECP224K1: + case SEC_OID_SECG_EC_SECP224R1: + return 57; /*curve len in bytes = 28 bytes */ + case SEC_OID_SECG_EC_SECT233K1: + case SEC_OID_SECG_EC_SECT233R1: + case SEC_OID_SECG_EC_SECT239K1: + case SEC_OID_ANSIX962_EC_PRIME239V1: + case SEC_OID_ANSIX962_EC_PRIME239V2: + case SEC_OID_ANSIX962_EC_PRIME239V3: + case SEC_OID_ANSIX962_EC_C2TNB239V1: + case SEC_OID_ANSIX962_EC_C2TNB239V2: + case SEC_OID_ANSIX962_EC_C2TNB239V3: + return 61; /*curve len in bytes = 30 bytes */ + case SEC_OID_ANSIX962_EC_PRIME256V1: + case SEC_OID_SECG_EC_SECP256K1: + return 65; /*curve len in bytes = 32 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB272W1: + return 69; /*curve len in bytes = 34 bytes */ + case SEC_OID_SECG_EC_SECT283K1: + case SEC_OID_SECG_EC_SECT283R1: + return 73; /*curve len in bytes = 36 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB304W1: + return 77; /*curve len in bytes = 38 bytes */ + case SEC_OID_ANSIX962_EC_C2TNB359V1: + return 91; /*curve len in bytes = 45 bytes */ + case SEC_OID_ANSIX962_EC_C2PNB368W1: + return 93; /*curve len in bytes = 46 bytes */ + case SEC_OID_SECG_EC_SECP384R1: + return 97; /*curve len in bytes = 48 bytes */ + case SEC_OID_SECG_EC_SECT409K1: + case SEC_OID_SECG_EC_SECT409R1: + return 105; /*curve len in bytes = 52 bytes */ + case SEC_OID_ANSIX962_EC_C2TNB431R1: + return 109; /*curve len in bytes = 54 bytes */ + case SEC_OID_SECG_EC_SECP521R1: + return 133; /*curve len in bytes = 66 bytes */ + case SEC_OID_SECG_EC_SECT571K1: + case SEC_OID_SECG_EC_SECT571R1: + return 145; /*curve len in bytes = 72 bytes */ + case SEC_OID_CURVE25519: + *plain = PR_TRUE; + return 32; /* curve len in bytes = 32 bytes (only X) */ + /* unknown or unrecognized OIDs. return unknown length */ + default: + break; + } + return 0; } /* * returns the decoded point. In some cases the point may already be decoded. - * this function tries to detect those cases and return the point in + * this function tries to detect those cases and return the point in * publicKeyValue. In other cases it's DER encoded. In those cases the point - * is first decoded and returned. Space for the point is allocated out of + * is first decoded and returned. Space for the point is allocated out of * the passed in arena. */ static CK_RV pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, - const CK_ATTRIBUTE *ecPoint, SECItem *publicKeyValue) + const CK_ATTRIBUTE *ecPoint, SECItem *publicKeyValue) { SECItem encodedPublicValue; SECStatus rv; int keyLen; + PRBool plain = PR_FALSE; if (ecPoint->ulValueLen == 0) { - return CKR_ATTRIBUTE_VALUE_INVALID; + return CKR_ATTRIBUTE_VALUE_INVALID; } /* @@ -381,7 +415,7 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * NSS has mistakenly passed unencoded values, and some PKCS #11 vendors * followed that mistake. Now we need to detect which encoding we were * passed in. The task is made more complicated by the fact the the - * DER encoding byte (SEC_ASN_OCTET_STRING) is the same as the + * DER encoding byte (SEC_ASN_OCTET_STRING) is the same as the * EC_POINT_FORM_UNCOMPRESSED byte (0x04), so we can't use that to * determine which curve we are using. */ @@ -393,134 +427,140 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * encoded or not heuristically. If the ecParams are invalid, it * will return -1 for the keyLen. */ - keyLen = pk11_get_EC_PointLenInBytes(arena, ecParams); + keyLen = pk11_get_EC_PointLenInBytes(arena, ecParams, &plain); if (keyLen < 0) { - return CKR_ATTRIBUTE_VALUE_INVALID; + return CKR_ATTRIBUTE_VALUE_INVALID; } + /* + * Some curves are not encoded but we don't have the name here. + * Instead, pk11_get_EC_PointLenInBytes returns true plain if this is the + * case. + */ + if (plain && ecPoint->ulValueLen == (unsigned int)keyLen) { + return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); + } /* If the point is uncompressed and the lengths match, it * must be an unencoded point */ - if ((*((char *)ecPoint->pValue) == EC_POINT_FORM_UNCOMPRESSED) - && (ecPoint->ulValueLen == (unsigned int)keyLen)) { - return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); + if ((*((char *)ecPoint->pValue) == EC_POINT_FORM_UNCOMPRESSED) && + (ecPoint->ulValueLen == (unsigned int)keyLen)) { + return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); } /* now assume the key passed to us was encoded and decode it */ if (*((char *)ecPoint->pValue) == SEC_ASN1_OCTET_STRING) { - /* OK, now let's try to decode it and see if it's valid */ - encodedPublicValue.data = ecPoint->pValue; - encodedPublicValue.len = ecPoint->ulValueLen; - rv = SEC_QuickDERDecodeItem(arena, publicKeyValue, - SEC_ASN1_GET(SEC_OctetStringTemplate), &encodedPublicValue); - - /* it coded correctly & we know the key length (and they match) - * then we are done, return the results. */ + /* OK, now let's try to decode it and see if it's valid */ + encodedPublicValue.data = ecPoint->pValue; + encodedPublicValue.len = ecPoint->ulValueLen; + rv = SEC_QuickDERDecodeItem(arena, publicKeyValue, + SEC_ASN1_GET(SEC_OctetStringTemplate), &encodedPublicValue); + + /* it coded correctly & we know the key length (and they match) + * then we are done, return the results. */ if (keyLen && rv == SECSuccess && publicKeyValue->len == (unsigned int)keyLen) { - return CKR_OK; - } - - /* if we know the key length, one of the above tests should have - * succeded. If it doesn't the module gave us bad data */ - if (keyLen) { - return CKR_ATTRIBUTE_VALUE_INVALID; - } - - - /* We don't know the key length, so we don't know deterministically - * which encoding was used. We now will try to pick the most likely - * form that's correct, with a preference for the encoded form if we - * can't determine for sure. We do this by checking the key we got - * back from SEC_QuickDERDecodeItem for defects. If no defects are - * found, we assume the encoded parameter was was passed to us. - * our defect tests include: - * 1) it didn't decode. - * 2) The decode key had an invalid length (must be odd). - * 3) The decoded key wasn't an UNCOMPRESSED key. - * 4) The decoded key didn't include the entire encoded block - * except the DER encoding values. (fixing DER length to one - * particular value). - */ - if ((rv != SECSuccess) - || ((publicKeyValue->len & 1) != 1) - || (publicKeyValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) - || (PORT_Memcmp(&encodedPublicValue.data[encodedPublicValue.len - - publicKeyValue->len], publicKeyValue->data, - publicKeyValue->len) != 0)) { - /* The decoded public key was flawed, the original key must have - * already been in decoded form. Do a quick sanity check then - * return the original key value. - */ - if ((encodedPublicValue.len & 1) == 0) { - return CKR_ATTRIBUTE_VALUE_INVALID; - } - return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); - } - - /* as best we can figure, the passed in key was encoded, and we've - * now decoded it. Note: there is a chance this could be wrong if the - * following conditions hold: - * 1) The first byte or bytes of the X point looks like a valid length - * of precisely the right size (2*curveSize -1). this means for curves - * less than 512 bits (64 bytes), this will happen 1 in 256 times*. - * for curves between 512 and 1024, this will happen 1 in 65,536 times* - * for curves between 1024 and 256K this will happen 1 in 16 million* - * 2) The length of the 'DER length field' is odd - * (making both the encoded and decode - * values an odd length. this is true of all curves less than 512, - * as well as curves between 1024 and 256K). - * 3) The X[length of the 'DER length field'] == 0x04, 1 in 256. - * - * (* assuming all values are equally likely in the first byte, - * This isn't true if the curve length is not a multiple of 8. In these - * cases, if the DER length is possible, it's more likely, - * if it's not possible, then we have no false decodes). - * - * For reference here are the odds for the various curves we currently - * have support for (and the only curves SSL will negotiate at this - * time). NOTE: None of the supported curves will show up here - * because we return a valid length for all of these curves. - * The only way to get here is to have some application (not SSL) - * which supports some unknown curve and have some vendor supplied - * PKCS #11 module support that curve. NOTE: in this case, one - * presumes that that pkcs #11 module is likely to be using the - * correct encodings. - * - * Prime Curves (GFp): - * Bit False Odds of - * Size DER Len False Decode Positive - * 112 27 1 in 65536 - * 128 31 1 in 65536 - * 160 39 1 in 65536 - * 192 47 1 in 65536 - * 224 55 1 in 65536 - * 239 59 1 in 32768 (top byte can only be 0-127) - * 256 63 1 in 65536 - * 521 129,131 0 (decoded value would be even) - * - * Binary curves (GF2m). - * Bit False Odds of - * Size DER Len False Decode Positive - * 131 33 0 (top byte can only be 0-7) - * 163 41 0 (top byte can only be 0-7) - * 176 43 1 in 65536 - * 191 47 1 in 32768 (top byte can only be 0-127) - * 193 49 0 (top byte can only be 0-1) - * 208 51 1 in 65536 - * 233 59 0 (top byte can only be 0-1) - * 239 59 1 in 32768 (top byte can only be 0-127) - * 272 67 1 in 65536 - * 283 71 0 (top byte can only be 0-7) - * 304 75 1 in 65536 - * 359 89 1 in 32768 (top byte can only be 0-127) - * 368 91 1 in 65536 - * 409 103 0 (top byte can only be 0-1) - * 431 107 1 in 32768 (top byte can only be 0-127) - * 571 129,143 0 (decoded value would be even) - * - */ - - return CKR_OK; + return CKR_OK; + } + + /* if we know the key length, one of the above tests should have + * succeded. If it doesn't the module gave us bad data */ + if (keyLen) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + + /* We don't know the key length, so we don't know deterministically + * which encoding was used. We now will try to pick the most likely + * form that's correct, with a preference for the encoded form if we + * can't determine for sure. We do this by checking the key we got + * back from SEC_QuickDERDecodeItem for defects. If no defects are + * found, we assume the encoded parameter was was passed to us. + * our defect tests include: + * 1) it didn't decode. + * 2) The decode key had an invalid length (must be odd). + * 3) The decoded key wasn't an UNCOMPRESSED key. + * 4) The decoded key didn't include the entire encoded block + * except the DER encoding values. (fixing DER length to one + * particular value). + */ + if ((rv != SECSuccess) || ((publicKeyValue->len & 1) != 1) || + (publicKeyValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) || + (PORT_Memcmp(&encodedPublicValue.data[encodedPublicValue.len - publicKeyValue->len], + publicKeyValue->data, + publicKeyValue->len) != 0)) { + /* The decoded public key was flawed, the original key must have + * already been in decoded form. Do a quick sanity check then + * return the original key value. + */ + if ((encodedPublicValue.len & 1) == 0) { + return CKR_ATTRIBUTE_VALUE_INVALID; + } + return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue); + } + + /* as best we can figure, the passed in key was encoded, and we've + * now decoded it. Note: there is a chance this could be wrong if the + * following conditions hold: + * 1) The first byte or bytes of the X point looks like a valid length + * of precisely the right size (2*curveSize -1). this means for curves + * less than 512 bits (64 bytes), this will happen 1 in 256 times*. + * for curves between 512 and 1024, this will happen 1 in 65,536 times* + * for curves between 1024 and 256K this will happen 1 in 16 million* + * 2) The length of the 'DER length field' is odd + * (making both the encoded and decode + * values an odd length. this is true of all curves less than 512, + * as well as curves between 1024 and 256K). + * 3) The X[length of the 'DER length field'] == 0x04, 1 in 256. + * + * (* assuming all values are equally likely in the first byte, + * This isn't true if the curve length is not a multiple of 8. In these + * cases, if the DER length is possible, it's more likely, + * if it's not possible, then we have no false decodes). + * + * For reference here are the odds for the various curves we currently + * have support for (and the only curves SSL will negotiate at this + * time). NOTE: None of the supported curves will show up here + * because we return a valid length for all of these curves. + * The only way to get here is to have some application (not SSL) + * which supports some unknown curve and have some vendor supplied + * PKCS #11 module support that curve. NOTE: in this case, one + * presumes that that pkcs #11 module is likely to be using the + * correct encodings. + * + * Prime Curves (GFp): + * Bit False Odds of + * Size DER Len False Decode Positive + * 112 27 1 in 65536 + * 128 31 1 in 65536 + * 160 39 1 in 65536 + * 192 47 1 in 65536 + * 224 55 1 in 65536 + * 239 59 1 in 32768 (top byte can only be 0-127) + * 256 63 1 in 65536 + * 521 129,131 0 (decoded value would be even) + * + * Binary curves (GF2m). + * Bit False Odds of + * Size DER Len False Decode Positive + * 131 33 0 (top byte can only be 0-7) + * 163 41 0 (top byte can only be 0-7) + * 176 43 1 in 65536 + * 191 47 1 in 32768 (top byte can only be 0-127) + * 193 49 0 (top byte can only be 0-1) + * 208 51 1 in 65536 + * 233 59 0 (top byte can only be 0-1) + * 239 59 1 in 32768 (top byte can only be 0-127) + * 272 67 1 in 65536 + * 283 71 0 (top byte can only be 0-7) + * 304 75 1 in 65536 + * 359 89 1 in 32768 (top byte can only be 0-127) + * 368 91 1 in 65536 + * 409 103 0 (top byte can only be 0-1) + * 431 107 1 in 32768 (top byte can only be 0-127) + * 571 129,143 0 (decoded value would be even) + * + */ + + return CKR_OK; } /* In theory, we should handle the case where the curve == 0 and @@ -528,13 +568,13 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * handled by doing a santity check on the key length and returning * pk11_Attr2SecItem() to copy the ecPoint to the publicKeyValue). * - * This test is unnecessary, however, due to the fact that + * This test is unnecessary, however, due to the fact that * EC_POINT_FORM_UNCOMPRESSED == SEC_ASIN1_OCTET_STRING, that case is * handled in the above if. That means if we get here, the initial * byte of our ecPoint value was invalid, so we can safely return. * invalid attribute. */ - + return CKR_ATTRIBUTE_VALUE_INVALID; } @@ -542,7 +582,7 @@ pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams, * extract a public key from a slot and id */ SECKEYPublicKey * -PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id) +PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, CK_OBJECT_HANDLE id) { CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY; PLArenaPool *arena; @@ -552,171 +592,200 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id) CK_KEY_TYPE pk11KeyType; CK_RV crv; CK_ATTRIBUTE template[8]; - CK_ATTRIBUTE *attrs= template; - CK_ATTRIBUTE *modulus,*exponent,*base,*prime,*subprime,*value; + CK_ATTRIBUTE *attrs = template; + CK_ATTRIBUTE *modulus, *exponent, *base, *prime, *subprime, *value; CK_ATTRIBUTE *ecparams; /* if we didn't know the key type, get it */ - if (keyType== nullKey) { - - pk11KeyType = PK11_ReadULongAttribute(slot,id,CKA_KEY_TYPE); - if (pk11KeyType == CK_UNAVAILABLE_INFORMATION) { - return NULL; - } - switch (pk11KeyType) { - case CKK_RSA: - keyType = rsaKey; - break; - case CKK_DSA: - keyType = dsaKey; - break; - case CKK_DH: - keyType = dhKey; - break; - case CKK_EC: - keyType = ecKey; - break; - default: - PORT_SetError( SEC_ERROR_BAD_KEY ); - return NULL; - } - } + if (keyType == nullKey) { + pk11KeyType = PK11_ReadULongAttribute(slot, id, CKA_KEY_TYPE); + if (pk11KeyType == CK_UNAVAILABLE_INFORMATION) { + return NULL; + } + switch (pk11KeyType) { + case CKK_RSA: + keyType = rsaKey; + break; + case CKK_DSA: + keyType = dsaKey; + break; + case CKK_DH: + keyType = dhKey; + break; + case CKK_EC: + keyType = ecKey; + break; + default: + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; + } + } /* now we need to create space for the public key */ - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) return NULL; - tmp_arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + return NULL; + tmp_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (tmp_arena == NULL) { - PORT_FreeArena (arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } - - pubKey = (SECKEYPublicKey *) - PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); + pubKey = (SECKEYPublicKey *) + PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); if (pubKey == NULL) { - PORT_FreeArena (arena, PR_FALSE); - PORT_FreeArena (tmp_arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(tmp_arena, PR_FALSE); + return NULL; } pubKey->arena = arena; pubKey->keyType = keyType; pubKey->pkcs11Slot = PK11_ReferenceSlot(slot); pubKey->pkcs11ID = id; - PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, - sizeof(keyClass)); attrs++; - PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, - sizeof(pk11KeyType) ); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, + sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType, + sizeof(pk11KeyType)); + attrs++; switch (pubKey->keyType) { - case rsaKey: - modulus = attrs; - PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); attrs++; - exponent = attrs; - PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); attrs++; - - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - crv = pk11_Attr2SecItem(arena,modulus,&pubKey->u.rsa.modulus); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,exponent,&pubKey->u.rsa.publicExponent); - if (crv != CKR_OK) break; - break; - case dsaKey: - prime = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; - subprime = attrs; - PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); attrs++; - base = attrs; - PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; - value = attrs; - PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dsa.params.prime); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,subprime,&pubKey->u.dsa.params.subPrime); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dsa.params.base); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dsa.publicValue); - if (crv != CKR_OK) break; - break; - case dhKey: - prime = attrs; - PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); attrs++; - base = attrs; - PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); attrs++; - value =attrs; - PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); attrs++; - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(tmp_arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - crv = pk11_Attr2SecItem(arena,prime,&pubKey->u.dh.prime); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,base,&pubKey->u.dh.base); - if (crv != CKR_OK) break; - crv = pk11_Attr2SecItem(arena,value,&pubKey->u.dh.publicValue); - if (crv != CKR_OK) break; - break; - case ecKey: - pubKey->u.ec.size = 0; - ecparams = attrs; - PK11_SETATTRS(attrs, CKA_EC_PARAMS, NULL, 0); attrs++; - value =attrs; - PK11_SETATTRS(attrs, CKA_EC_POINT, NULL, 0); attrs++; - templateCount = attrs - template; - PR_ASSERT(templateCount <= sizeof(template)/sizeof(CK_ATTRIBUTE)); - crv = PK11_GetAttributes(arena,slot,id,template,templateCount); - if (crv != CKR_OK) break; - - if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC)) { - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - - crv = pk11_Attr2SecItem(arena,ecparams, - &pubKey->u.ec.DEREncodedParams); - if (crv != CKR_OK) break; - crv = pk11_get_Decoded_ECPoint(arena, - &pubKey->u.ec.DEREncodedParams, value, - &pubKey->u.ec.publicValue); - break; - case fortezzaKey: - case nullKey: - default: - crv = CKR_OBJECT_HANDLE_INVALID; - break; - } - - PORT_FreeArena(tmp_arena,PR_FALSE); + case rsaKey: + modulus = attrs; + PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0); + attrs++; + exponent = attrs; + PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0); + attrs++; + + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + crv = pk11_Attr2SecItem(arena, modulus, &pubKey->u.rsa.modulus); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, exponent, &pubKey->u.rsa.publicExponent); + if (crv != CKR_OK) + break; + break; + case dsaKey: + prime = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); + attrs++; + subprime = attrs; + PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0); + attrs++; + base = attrs; + PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); + attrs++; + value = attrs; + PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); + attrs++; + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + crv = pk11_Attr2SecItem(arena, prime, &pubKey->u.dsa.params.prime); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, subprime, &pubKey->u.dsa.params.subPrime); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, base, &pubKey->u.dsa.params.base); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, value, &pubKey->u.dsa.publicValue); + if (crv != CKR_OK) + break; + break; + case dhKey: + prime = attrs; + PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0); + attrs++; + base = attrs; + PK11_SETATTRS(attrs, CKA_BASE, NULL, 0); + attrs++; + value = attrs; + PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0); + attrs++; + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + crv = pk11_Attr2SecItem(arena, prime, &pubKey->u.dh.prime); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, base, &pubKey->u.dh.base); + if (crv != CKR_OK) + break; + crv = pk11_Attr2SecItem(arena, value, &pubKey->u.dh.publicValue); + if (crv != CKR_OK) + break; + break; + case ecKey: + pubKey->u.ec.size = 0; + ecparams = attrs; + PK11_SETATTRS(attrs, CKA_EC_PARAMS, NULL, 0); + attrs++; + value = attrs; + PK11_SETATTRS(attrs, CKA_EC_POINT, NULL, 0); + attrs++; + templateCount = attrs - template; + PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE)); + crv = PK11_GetAttributes(arena, slot, id, template, templateCount); + if (crv != CKR_OK) + break; + + if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC)) { + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + + crv = pk11_Attr2SecItem(arena, ecparams, + &pubKey->u.ec.DEREncodedParams); + if (crv != CKR_OK) + break; + crv = pk11_get_Decoded_ECPoint(arena, + &pubKey->u.ec.DEREncodedParams, value, + &pubKey->u.ec.publicValue); + if (seckey_SetPointEncoding(arena, pubKey) != SECSuccess) { + crv |= CKR_GENERAL_ERROR; + } + break; + case fortezzaKey: + case nullKey: + default: + crv = CKR_OBJECT_HANDLE_INVALID; + break; + } + + PORT_FreeArena(tmp_arena, PR_FALSE); if (crv != CKR_OK) { - PORT_FreeArena(arena,PR_FALSE); - PK11_FreeSlot(slot); - PORT_SetError( PK11_MapError(crv) ); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + PK11_FreeSlot(slot); + PORT_SetError(PK11_MapError(crv)); + return NULL; } return pubKey; @@ -726,8 +795,8 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot,KeyType keyType,CK_OBJECT_HANDLE id) * Build a Private Key structure from raw PKCS #11 information. */ SECKEYPrivateKey * -PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, - PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx) +PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, + PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx) { PLArenaPool *arena; SECKEYPrivateKey *privKey; @@ -736,40 +805,51 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, /* don't know? look it up */ if (keyType == nullKey) { - CK_KEY_TYPE pk11Type = CKK_RSA; - - pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE); - isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN,PR_FALSE); - switch (pk11Type) { - case CKK_RSA: keyType = rsaKey; break; - case CKK_DSA: keyType = dsaKey; break; - case CKK_DH: keyType = dhKey; break; - case CKK_KEA: keyType = fortezzaKey; break; - case CKK_EC: keyType = ecKey; break; - default: - break; - } + CK_KEY_TYPE pk11Type = CKK_RSA; + + pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE); + isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE); + switch (pk11Type) { + case CKK_RSA: + keyType = rsaKey; + break; + case CKK_DSA: + keyType = dsaKey; + break; + case CKK_DH: + keyType = dhKey; + break; + case CKK_KEA: + keyType = fortezzaKey; + break; + case CKK_EC: + keyType = ecKey; + break; + default: + break; + } } /* if the key is private, make sure we are authenticated to the * token before we try to use it */ - isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE,PR_FALSE); + isPrivate = (PRBool)PK11_HasAttributeSet(slot, privID, CKA_PRIVATE, PR_FALSE); if (isPrivate) { - rv = PK11_Authenticate(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { - return NULL; - } + rv = PK11_Authenticate(slot, PR_TRUE, wincx); + if (rv != SECSuccess) { + return NULL; + } } /* now we need to create space for the private key */ - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) return NULL; + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + return NULL; - privKey = (SECKEYPrivateKey *) - PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey)); + privKey = (SECKEYPrivateKey *) + PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey)); if (privKey == NULL) { - PORT_FreeArena(arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } privKey->arena = arena; @@ -782,7 +862,6 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, return privKey; } - PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key) { @@ -803,34 +882,31 @@ PK11_GetPrivateModulusLen(SECKEYPrivateKey *key) int length; switch (key->keyType) { - case rsaKey: - crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return -1; - } - length = theTemplate.ulValueLen; - if ( *(unsigned char *)theTemplate.pValue == 0) { - length--; - } - if (theTemplate.pValue != NULL) - PORT_Free(theTemplate.pValue); - return (int) length; - - case fortezzaKey: - case dsaKey: - case dhKey: - default: - break; + case rsaKey: + crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return -1; + } + length = theTemplate.ulValueLen; + if (*(unsigned char *)theTemplate.pValue == 0) { + length--; + } + PORT_Free(theTemplate.pValue); + return (int)length; + + case fortezzaKey: + case dsaKey: + case dhKey: + default: + break; } if (theTemplate.pValue != NULL) - PORT_Free(theTemplate.pValue); - PORT_SetError( SEC_ERROR_INVALID_KEY ); + PORT_Free(theTemplate.pValue); + PORT_SetError(SEC_ERROR_INVALID_KEY); return -1; } - - /* * take a private key in one pkcs11 module and load it into another: * NOTE: the source private key is a rare animal... it can't be sensitive. @@ -838,43 +914,43 @@ PK11_GetPrivateModulusLen(SECKEYPrivateKey *key) * result into another. */ static SECKEYPrivateKey * -pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PK11AttrFlags attrFlags) +pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot, SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PK11AttrFlags attrFlags) { CK_ATTRIBUTE privTemplate[] = { /* class must be first */ - { CKA_CLASS, NULL, 0 }, - { CKA_KEY_TYPE, NULL, 0 }, - { CKA_ID, NULL, 0 }, - /* RSA - the attributes below will be replaced for other - * key types. - */ - { CKA_MODULUS, NULL, 0 }, - { CKA_PRIVATE_EXPONENT, NULL, 0 }, - { CKA_PUBLIC_EXPONENT, NULL, 0 }, - { CKA_PRIME_1, NULL, 0 }, - { CKA_PRIME_2, NULL, 0 }, - { CKA_EXPONENT_1, NULL, 0 }, - { CKA_EXPONENT_2, NULL, 0 }, - { CKA_COEFFICIENT, NULL, 0 }, - { CKA_DECRYPT, NULL, 0 }, - { CKA_DERIVE, NULL, 0 }, - { CKA_SIGN, NULL, 0 }, - { CKA_SIGN_RECOVER, NULL, 0 }, - { CKA_UNWRAP, NULL, 0 }, - /* reserve space for the attributes that may be - * specified in attrFlags */ - { CKA_TOKEN, NULL, 0 }, - { CKA_PRIVATE, NULL, 0 }, - { CKA_MODIFIABLE, NULL, 0 }, - { CKA_SENSITIVE, NULL, 0 }, - { CKA_EXTRACTABLE, NULL, 0 }, -#define NUM_RESERVED_ATTRS 5 /* number of reserved attributes above */ + { CKA_CLASS, NULL, 0 }, + { CKA_KEY_TYPE, NULL, 0 }, + { CKA_ID, NULL, 0 }, + /* RSA - the attributes below will be replaced for other + * key types. + */ + { CKA_MODULUS, NULL, 0 }, + { CKA_PRIVATE_EXPONENT, NULL, 0 }, + { CKA_PUBLIC_EXPONENT, NULL, 0 }, + { CKA_PRIME_1, NULL, 0 }, + { CKA_PRIME_2, NULL, 0 }, + { CKA_EXPONENT_1, NULL, 0 }, + { CKA_EXPONENT_2, NULL, 0 }, + { CKA_COEFFICIENT, NULL, 0 }, + { CKA_DECRYPT, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_SIGN, NULL, 0 }, + { CKA_SIGN_RECOVER, NULL, 0 }, + { CKA_UNWRAP, NULL, 0 }, + /* reserve space for the attributes that may be + * specified in attrFlags */ + { CKA_TOKEN, NULL, 0 }, + { CKA_PRIVATE, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, + { CKA_SENSITIVE, NULL, 0 }, + { CKA_EXTRACTABLE, NULL, 0 }, +#define NUM_RESERVED_ATTRS 5 /* number of reserved attributes above */ }; CK_BBOOL cktrue = CK_TRUE; CK_BBOOL ckfalse = CK_FALSE; CK_ATTRIBUTE *attrs = NULL, *ap; - const int templateSize = sizeof(privTemplate)/sizeof(privTemplate[0]); + const int templateSize = sizeof(privTemplate) / sizeof(privTemplate[0]); PLArenaPool *arena; CK_OBJECT_HANDLE objectID; int i, count = 0; @@ -884,120 +960,160 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0); if (pk11_BadAttrFlags(attrFlags)) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } - for (i=0; i < templateSize; i++) { - if (privTemplate[i].type == CKA_MODULUS) { - attrs= &privTemplate[i]; - count = i; - break; - } + for (i = 0; i < templateSize; i++) { + if (privTemplate[i].type == CKA_MODULUS) { + attrs = &privTemplate[i]; + count = i; + break; + } } PORT_Assert(attrs != NULL); if (attrs == NULL) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; } ap = attrs; switch (privKey->keyType) { - case rsaKey: - count = templateSize - NUM_RESERVED_ATTRS; - extra_count = count - (attrs - privTemplate); - break; - case dsaKey: - ap->type = CKA_PRIME; ap++; count++; extra_count++; - ap->type = CKA_SUBPRIME; ap++; count++; extra_count++; - ap->type = CKA_BASE; ap++; count++; extra_count++; - ap->type = CKA_VALUE; ap++; count++; extra_count++; - ap->type = CKA_SIGN; ap++; count++; extra_count++; - break; - case dhKey: - ap->type = CKA_PRIME; ap++; count++; extra_count++; - ap->type = CKA_BASE; ap++; count++; extra_count++; - ap->type = CKA_VALUE; ap++; count++; extra_count++; - ap->type = CKA_DERIVE; ap++; count++; extra_count++; - break; - case ecKey: - ap->type = CKA_EC_PARAMS; ap++; count++; extra_count++; - ap->type = CKA_VALUE; ap++; count++; extra_count++; - ap->type = CKA_DERIVE; ap++; count++; extra_count++; - ap->type = CKA_SIGN; ap++; count++; extra_count++; - break; - default: - count = 0; - extra_count = 0; - break; - } - - if (count == 0) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; - } - - arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE); - if (arena == NULL) return NULL; - /* + case rsaKey: + count = templateSize - NUM_RESERVED_ATTRS; + extra_count = count - (attrs - privTemplate); + break; + case dsaKey: + ap->type = CKA_PRIME; + ap++; + count++; + extra_count++; + ap->type = CKA_SUBPRIME; + ap++; + count++; + extra_count++; + ap->type = CKA_BASE; + ap++; + count++; + extra_count++; + ap->type = CKA_VALUE; + ap++; + count++; + extra_count++; + ap->type = CKA_SIGN; + ap++; + count++; + extra_count++; + break; + case dhKey: + ap->type = CKA_PRIME; + ap++; + count++; + extra_count++; + ap->type = CKA_BASE; + ap++; + count++; + extra_count++; + ap->type = CKA_VALUE; + ap++; + count++; + extra_count++; + ap->type = CKA_DERIVE; + ap++; + count++; + extra_count++; + break; + case ecKey: + ap->type = CKA_EC_PARAMS; + ap++; + count++; + extra_count++; + ap->type = CKA_VALUE; + ap++; + count++; + extra_count++; + ap->type = CKA_DERIVE; + ap++; + count++; + extra_count++; + ap->type = CKA_SIGN; + ap++; + count++; + extra_count++; + break; + default: + count = 0; + extra_count = 0; + break; + } + + if (count == 0) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) + return NULL; + /* * read out the old attributes. */ - crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, - privTemplate,count); - if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - PORT_FreeArena(arena, PR_TRUE); - return NULL; - } - - /* Set token, private, modifiable, sensitive, and extractable */ - count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count], - &cktrue, &ckfalse); - - /* Not everyone can handle zero padded key values, give + crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, + privTemplate, count); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + PORT_FreeArena(arena, PR_TRUE); + return NULL; + } + + /* Set token, private, modifiable, sensitive, and extractable */ + count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count], + &cktrue, &ckfalse); + + /* Not everyone can handle zero padded key values, give * them the raw data as unsigned */ - for (ap=attrs; extra_count; ap++, extra_count--) { - pk11_SignedToUnsigned(ap); - } - - /* now Store the puppies */ - rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, - count, token, &objectID); - PORT_FreeArena(arena, PR_TRUE); - if (rv != SECSuccess) { - return NULL; - } - - /* try loading the public key */ - if (pubKey) { - PK11_ImportPublicKey(slot, pubKey, token); - if (pubKey->pkcs11Slot) { - PK11_FreeSlot(pubKey->pkcs11Slot); - pubKey->pkcs11Slot = NULL; - pubKey->pkcs11ID = CK_INVALID_HANDLE; - } - } - - /* build new key structure */ - return PK11_MakePrivKey(slot, privKey->keyType, !token, - objectID, privKey->wincx); + for (ap = attrs; extra_count; ap++, extra_count--) { + pk11_SignedToUnsigned(ap); + } + + /* now Store the puppies */ + rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, privTemplate, + count, token, &objectID); + PORT_FreeArena(arena, PR_TRUE); + if (rv != SECSuccess) { + return NULL; + } + + /* try loading the public key */ + if (pubKey) { + PK11_ImportPublicKey(slot, pubKey, token); + if (pubKey->pkcs11Slot) { + PK11_FreeSlot(pubKey->pkcs11Slot); + pubKey->pkcs11Slot = NULL; + pubKey->pkcs11ID = CK_INVALID_HANDLE; + } + } + + /* build new key structure */ + return PK11_MakePrivKey(slot, privKey->keyType, !token, + objectID, privKey->wincx); } static SECKEYPrivateKey * -pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) +pk11_loadPrivKey(PK11SlotInfo *slot, SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) { PK11AttrFlags attrFlags = 0; if (token) { - attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE); + attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE); } else { - attrFlags |= (PK11_ATTR_SESSION | PK11_ATTR_PUBLIC); + attrFlags |= (PK11_ATTR_SESSION | PK11_ATTR_PUBLIC); } if (sensitive) { - attrFlags |= PK11_ATTR_SENSITIVE; + attrFlags |= PK11_ATTR_SENSITIVE; } else { - attrFlags |= PK11_ATTR_INSENSITIVE; + attrFlags |= PK11_ATTR_INSENSITIVE; } return pk11_loadPrivKeyWithFlags(slot, privKey, pubKey, attrFlags); } @@ -1006,20 +1122,19 @@ pk11_loadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, * export this for PSM */ SECKEYPrivateKey * -PK11_LoadPrivKey(PK11SlotInfo *slot,SECKEYPrivateKey *privKey, - SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) +PK11_LoadPrivKey(PK11SlotInfo *slot, SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive) { - return pk11_loadPrivKey(slot,privKey,pubKey,token,sensitive); + return pk11_loadPrivKey(slot, privKey, pubKey, token, sensitive); } - /* * Use the token to generate a key pair. */ SECKEYPrivateKey * -PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, - CK_FLAGS opFlags, CK_FLAGS opFlagsMask, void *wincx) +PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, + CK_FLAGS opFlags, CK_FLAGS opFlagsMask, void *wincx) { /* we have to use these native types because when we call PKCS 11 modules * we have to make sure that we are using the correct sizes for all the @@ -1029,61 +1144,61 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, CK_ULONG modulusBits; CK_BYTE publicExponent[4]; CK_ATTRIBUTE privTemplate[] = { - { CKA_SENSITIVE, NULL, 0}, - { CKA_TOKEN, NULL, 0}, - { CKA_PRIVATE, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_UNWRAP, NULL, 0}, - { CKA_SIGN, NULL, 0}, - { CKA_DECRYPT, NULL, 0}, - { CKA_EXTRACTABLE, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_SENSITIVE, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_PRIVATE, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_UNWRAP, NULL, 0 }, + { CKA_SIGN, NULL, 0 }, + { CKA_DECRYPT, NULL, 0 }, + { CKA_EXTRACTABLE, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE rsaPubTemplate[] = { - { CKA_MODULUS_BITS, NULL, 0}, - { CKA_PUBLIC_EXPONENT, NULL, 0}, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_MODULUS_BITS, NULL, 0 }, + { CKA_PUBLIC_EXPONENT, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE dsaPubTemplate[] = { - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_PRIME, NULL, 0 }, + { CKA_SUBPRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE dhPubTemplate[] = { - { CKA_PRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_PRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; CK_ATTRIBUTE ecPubTemplate[] = { - { CKA_EC_PARAMS, NULL, 0 }, - { CKA_TOKEN, NULL, 0}, - { CKA_DERIVE, NULL, 0}, - { CKA_WRAP, NULL, 0}, - { CKA_VERIFY, NULL, 0}, - { CKA_VERIFY_RECOVER, NULL, 0}, - { CKA_ENCRYPT, NULL, 0}, - { CKA_MODIFIABLE, NULL, 0}, + { CKA_EC_PARAMS, NULL, 0 }, + { CKA_TOKEN, NULL, 0 }, + { CKA_DERIVE, NULL, 0 }, + { CKA_WRAP, NULL, 0 }, + { CKA_VERIFY, NULL, 0 }, + { CKA_VERIFY_RECOVER, NULL, 0 }, + { CKA_ENCRYPT, NULL, 0 }, + { CKA_MODIFIABLE, NULL, 0 }, }; - SECKEYECParams * ecParams; + SECKEYECParams *ecParams; /*CK_ULONG key_size = 0;*/ CK_ATTRIBUTE *pubTemplate; @@ -1091,17 +1206,17 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, int pubCount = 0; PK11RSAGenParams *rsaParams; SECKEYPQGParams *dsaParams; - SECKEYDHParams * dhParams; + SECKEYDHParams *dhParams; CK_MECHANISM mechanism; CK_MECHANISM test_mech; CK_MECHANISM test_mech2; CK_SESSION_HANDLE session_handle; CK_RV crv; - CK_OBJECT_HANDLE privID,pubID; + CK_OBJECT_HANDLE privID, pubID; SECKEYPrivateKey *privKey; KeyType keyType; PRBool restore; - int peCount,i; + int peCount, i; CK_ATTRIBUTE *attrs; CK_ATTRIBUTE *privattrs; CK_ATTRIBUTE setTemplate; @@ -1113,76 +1228,74 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0); /* subset of attrFlags applicable to the public key */ PK11AttrFlags pubKeyAttrFlags = attrFlags & - (PK11_ATTR_TOKEN | PK11_ATTR_SESSION - | PK11_ATTR_MODIFIABLE | PK11_ATTR_UNMODIFIABLE); + (PK11_ATTR_TOKEN | PK11_ATTR_SESSION | PK11_ATTR_MODIFIABLE | PK11_ATTR_UNMODIFIABLE); if (pk11_BadAttrFlags(attrFlags)) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } if (!param) { - PORT_SetError( SEC_ERROR_INVALID_ARGS ); + PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } /* * The opFlags and opFlagMask parameters allow us to control the * settings of the key usage attributes (CKA_ENCRYPT and friends). - * opFlagMask is set to one if the flag is specified in opFlags and - * zero if it is to take on a default value calculated by + * opFlagMask is set to one if the flag is specified in opFlags and + * zero if it is to take on a default value calculated by * PK11_GenerateKeyPairWithOpFlags. - * opFlags specifies the actual value of the flag 1 or 0. + * opFlags specifies the actual value of the flag 1 or 0. * Bits not corresponding to one bits in opFlagMask should be zero. */ /* if we are trying to turn on a flag, it better be in the mask */ - PORT_Assert ((opFlags & ~opFlagsMask) == 0); + PORT_Assert((opFlags & ~opFlagsMask) == 0); opFlags &= opFlagsMask; PORT_Assert(slot != NULL); if (slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE); - return NULL; + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; } /* if our slot really doesn't do this mechanism, Generate the key * in our internal token and write it out */ - if (!PK11_DoesMechanism(slot,type)) { - PK11SlotInfo *int_slot = PK11_GetInternalSlot(); - - /* don't loop forever looking for a slot */ - if (slot == int_slot) { - PK11_FreeSlot(int_slot); - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return NULL; - } - - /* if there isn't a suitable slot, then we can't do the keygen */ - if (int_slot == NULL) { - PORT_SetError( SEC_ERROR_NO_MODULE ); - return NULL; - } - - /* generate the temporary key to load */ - privKey = PK11_GenerateKeyPair(int_slot,type, param, pubKey, PR_FALSE, - PR_FALSE, wincx); - PK11_FreeSlot(int_slot); - - /* if successful, load the temp key into the new token */ - if (privKey != NULL) { - SECKEYPrivateKey *newPrivKey = pk11_loadPrivKeyWithFlags(slot, - privKey,*pubKey,attrFlags); - SECKEY_DestroyPrivateKey(privKey); - if (newPrivKey == NULL) { - SECKEY_DestroyPublicKey(*pubKey); - *pubKey = NULL; - } - return newPrivKey; - } - return NULL; - } - + if (!PK11_DoesMechanism(slot, type)) { + PK11SlotInfo *int_slot = PK11_GetInternalSlot(); + + /* don't loop forever looking for a slot */ + if (slot == int_slot) { + PK11_FreeSlot(int_slot); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + /* if there isn't a suitable slot, then we can't do the keygen */ + if (int_slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; + } + + /* generate the temporary key to load */ + privKey = PK11_GenerateKeyPair(int_slot, type, param, pubKey, PR_FALSE, + PR_FALSE, wincx); + PK11_FreeSlot(int_slot); + + /* if successful, load the temp key into the new token */ + if (privKey != NULL) { + SECKEYPrivateKey *newPrivKey = pk11_loadPrivKeyWithFlags(slot, + privKey, *pubKey, attrFlags); + SECKEY_DestroyPrivateKey(privKey); + if (newPrivKey == NULL) { + SECKEY_DestroyPublicKey(*pubKey); + *pubKey = NULL; + } + return newPrivKey; + } + return NULL; + } mechanism.mechanism = type; mechanism.pParameter = NULL; @@ -1196,317 +1309,340 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, /* set up the private key template */ privattrs = privTemplate; privattrs += pk11_AttrFlagsToAttributes(attrFlags, privattrs, - &cktrue, &ckfalse); + &cktrue, &ckfalse); /* set up the mechanism specific info */ switch (type) { - case CKM_RSA_PKCS_KEY_PAIR_GEN: - case CKM_RSA_X9_31_KEY_PAIR_GEN: - rsaParams = (PK11RSAGenParams *)param; - if (rsaParams->pe == 0) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - modulusBits = rsaParams->keySizeInBits; - peCount = 0; - - /* convert pe to a PKCS #11 string */ - for (i=0; i < 4; i++) { - if (peCount || (rsaParams->pe & - ((unsigned long)0xff000000L >> (i*8)))) { - publicExponent[peCount] = - (CK_BYTE)((rsaParams->pe >> (3-i)*8) & 0xff); - peCount++; - } - } - PORT_Assert(peCount != 0); - attrs = rsaPubTemplate; - PK11_SETATTRS(attrs, CKA_MODULUS_BITS, - &modulusBits, sizeof(modulusBits)); attrs++; - PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, - publicExponent, peCount);attrs++; - pubTemplate = rsaPubTemplate; - keyType = rsaKey; - test_mech.mechanism = CKM_RSA_PKCS; - break; - case CKM_DSA_KEY_PAIR_GEN: - dsaParams = (SECKEYPQGParams *)param; - attrs = dsaPubTemplate; - PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data, - dsaParams->prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data, - dsaParams->subPrime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data, - dsaParams->base.len); attrs++; - pubTemplate = dsaPubTemplate; - keyType = dsaKey; - test_mech.mechanism = CKM_DSA; - break; - case CKM_DH_PKCS_KEY_PAIR_GEN: - dhParams = (SECKEYDHParams *)param; - attrs = dhPubTemplate; - PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data, - dhParams->prime.len); attrs++; - PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data, - dhParams->base.len); attrs++; - pubTemplate = dhPubTemplate; - keyType = dhKey; - test_mech.mechanism = CKM_DH_PKCS_DERIVE; - break; - case CKM_EC_KEY_PAIR_GEN: - ecParams = (SECKEYECParams *)param; - attrs = ecPubTemplate; - PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data, - ecParams->len); attrs++; - pubTemplate = ecPubTemplate; - keyType = ecKey; - /* - * ECC supports 2 different mechanism types (unlike RSA, which - * supports different usages with the same mechanism). - * We may need to query both mechanism types and or the results - * together -- but we only do that if either the user has - * requested both usages, or not specified any usages. - */ - if ((opFlags & (CKF_SIGN|CKF_DERIVE)) == (CKF_SIGN|CKF_DERIVE)) { - /* We've explicitly turned on both flags, use both mechanism */ - test_mech.mechanism = CKM_ECDH1_DERIVE; - test_mech2.mechanism = CKM_ECDSA; - } else if (opFlags & CKF_SIGN) { - /* just do signing */ - test_mech.mechanism = CKM_ECDSA; - } else if (opFlags & CKF_DERIVE) { - /* just do ECDH */ - test_mech.mechanism = CKM_ECDH1_DERIVE; - } else { - /* neither was specified default to both */ - test_mech.mechanism = CKM_ECDH1_DERIVE; - test_mech2.mechanism = CKM_ECDSA; - } - break; - default: - PORT_SetError( SEC_ERROR_BAD_KEY ); - return NULL; + case CKM_RSA_PKCS_KEY_PAIR_GEN: + case CKM_RSA_X9_31_KEY_PAIR_GEN: + rsaParams = (PK11RSAGenParams *)param; + if (rsaParams->pe == 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + modulusBits = rsaParams->keySizeInBits; + peCount = 0; + + /* convert pe to a PKCS #11 string */ + for (i = 0; i < 4; i++) { + if (peCount || (rsaParams->pe & + ((unsigned long)0xff000000L >> (i * 8)))) { + publicExponent[peCount] = + (CK_BYTE)((rsaParams->pe >> (3 - i) * 8) & 0xff); + peCount++; + } + } + PORT_Assert(peCount != 0); + attrs = rsaPubTemplate; + PK11_SETATTRS(attrs, CKA_MODULUS_BITS, + &modulusBits, sizeof(modulusBits)); + attrs++; + PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, + publicExponent, peCount); + attrs++; + pubTemplate = rsaPubTemplate; + keyType = rsaKey; + test_mech.mechanism = CKM_RSA_PKCS; + break; + case CKM_DSA_KEY_PAIR_GEN: + dsaParams = (SECKEYPQGParams *)param; + attrs = dsaPubTemplate; + PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data, + dsaParams->prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data, + dsaParams->subPrime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data, + dsaParams->base.len); + attrs++; + pubTemplate = dsaPubTemplate; + keyType = dsaKey; + test_mech.mechanism = CKM_DSA; + break; + case CKM_DH_PKCS_KEY_PAIR_GEN: + dhParams = (SECKEYDHParams *)param; + attrs = dhPubTemplate; + PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data, + dhParams->prime.len); + attrs++; + PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data, + dhParams->base.len); + attrs++; + pubTemplate = dhPubTemplate; + keyType = dhKey; + test_mech.mechanism = CKM_DH_PKCS_DERIVE; + break; + case CKM_EC_KEY_PAIR_GEN: + ecParams = (SECKEYECParams *)param; + attrs = ecPubTemplate; + PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data, + ecParams->len); + attrs++; + pubTemplate = ecPubTemplate; + keyType = ecKey; + /* + * ECC supports 2 different mechanism types (unlike RSA, which + * supports different usages with the same mechanism). + * We may need to query both mechanism types and or the results + * together -- but we only do that if either the user has + * requested both usages, or not specified any usages. + */ + if ((opFlags & (CKF_SIGN | CKF_DERIVE)) == (CKF_SIGN | CKF_DERIVE)) { + /* We've explicitly turned on both flags, use both mechanism */ + test_mech.mechanism = CKM_ECDH1_DERIVE; + test_mech2.mechanism = CKM_ECDSA; + } else if (opFlags & CKF_SIGN) { + /* just do signing */ + test_mech.mechanism = CKM_ECDSA; + } else if (opFlags & CKF_DERIVE) { + /* just do ECDH */ + test_mech.mechanism = CKM_ECDH1_DERIVE; + } else { + /* neither was specified default to both */ + test_mech.mechanism = CKM_ECDH1_DERIVE; + test_mech2.mechanism = CKM_ECDSA; + } + break; + default: + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; } /* now query the slot to find out how "good" a key we can generate */ - if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, - test_mech.mechanism,&mechanism_info); + test_mech.mechanism, &mechanism_info); /* * EC keys are used in multiple different types of mechanism, if we * are using dual use keys, we need to query the second mechanism * as well. */ if (test_mech2.mechanism != CKM_INVALID_MECHANISM) { - CK_MECHANISM_INFO mechanism_info2; - CK_RV crv2; - - if (crv != CKR_OK) { - /* the first failed, make sure there is no trash in the - * mechanism flags when we or it below */ - mechanism_info.flags = 0; - } - crv2 = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, - test_mech2.mechanism, &mechanism_info2); - if (crv2 == CKR_OK) { - crv = CKR_OK; /* succeed if either mechnaism info succeeds */ - /* combine the 2 sets of mechnanism flags */ - mechanism_info.flags |= mechanism_info2.flags; - } - } - if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + CK_MECHANISM_INFO mechanism_info2; + CK_RV crv2; + + if (crv != CKR_OK) { + /* the first failed, make sure there is no trash in the + * mechanism flags when we or it below */ + mechanism_info.flags = 0; + } + crv2 = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, + test_mech2.mechanism, &mechanism_info2); + if (crv2 == CKR_OK) { + crv = CKR_OK; /* succeed if either mechnaism info succeeds */ + /* combine the 2 sets of mechnanism flags */ + mechanism_info.flags |= mechanism_info2.flags; + } + } + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); if ((crv != CKR_OK) || (mechanism_info.flags == 0)) { - /* must be old module... guess what it should be... */ - switch (test_mech.mechanism) { - case CKM_RSA_PKCS: - mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | - CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP); - break; - case CKM_DSA: - mechanism_info.flags = CKF_SIGN | CKF_VERIFY; - break; - case CKM_DH_PKCS_DERIVE: - mechanism_info.flags = CKF_DERIVE; - break; - case CKM_ECDH1_DERIVE: - mechanism_info.flags = CKF_DERIVE; - if (test_mech2.mechanism == CKM_ECDSA) { - mechanism_info.flags |= CKF_SIGN | CKF_VERIFY; - } - break; - case CKM_ECDSA: - mechanism_info.flags = CKF_SIGN | CKF_VERIFY; - break; - default: - break; - } + /* must be old module... guess what it should be... */ + switch (test_mech.mechanism) { + case CKM_RSA_PKCS: + mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT | + CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP); + break; + case CKM_DSA: + mechanism_info.flags = CKF_SIGN | CKF_VERIFY; + break; + case CKM_DH_PKCS_DERIVE: + mechanism_info.flags = CKF_DERIVE; + break; + case CKM_ECDH1_DERIVE: + mechanism_info.flags = CKF_DERIVE; + if (test_mech2.mechanism == CKM_ECDSA) { + mechanism_info.flags |= CKF_SIGN | CKF_VERIFY; + } + break; + case CKM_ECDSA: + mechanism_info.flags = CKF_SIGN | CKF_VERIFY; + break; + default: + break; + } } /* now adjust our flags according to the user's key usage passed to us */ mechanism_info.flags = (mechanism_info.flags & (~opFlagsMask)) | opFlags; /* set the public key attributes */ attrs += pk11_AttrFlagsToAttributes(pubKeyAttrFlags, attrs, - &cktrue, &ckfalse); - PK11_SETATTRS(attrs, CKA_DERIVE, - mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_WRAP, - mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_VERIFY, - mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, - mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; - PK11_SETATTRS(attrs, CKA_ENCRYPT, - mechanism_info.flags & CKF_ENCRYPT? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); attrs++; + &cktrue, &ckfalse); + PK11_SETATTRS(attrs, CKA_DERIVE, + mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_WRAP, + mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_VERIFY, + mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER, + mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; + PK11_SETATTRS(attrs, CKA_ENCRYPT, + mechanism_info.flags & CKF_ENCRYPT ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + attrs++; /* set the private key attributes */ - PK11_SETATTRS(privattrs, CKA_DERIVE, - mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; - PK11_SETATTRS(privattrs, CKA_UNWRAP, - mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; - PK11_SETATTRS(privattrs, CKA_SIGN, - mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; - PK11_SETATTRS(privattrs, CKA_DECRYPT, - mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse, - sizeof(CK_BBOOL)); privattrs++; + PK11_SETATTRS(privattrs, CKA_DERIVE, + mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; + PK11_SETATTRS(privattrs, CKA_UNWRAP, + mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; + PK11_SETATTRS(privattrs, CKA_SIGN, + mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; + PK11_SETATTRS(privattrs, CKA_DECRYPT, + mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse, + sizeof(CK_BBOOL)); + privattrs++; if (token) { - session_handle = PK11_GetRWSession(slot); - haslock = PK11_RWSessionHasLock(slot,session_handle); - restore = PR_TRUE; + session_handle = PK11_GetRWSession(slot); + haslock = PK11_RWSessionHasLock(slot, session_handle); + restore = PR_TRUE; } else { - session_handle = slot->session; - if (session_handle != CK_INVALID_SESSION) - PK11_EnterSlotMonitor(slot); - restore = PR_FALSE; - haslock = PR_TRUE; + session_handle = slot->session; + if (session_handle != CK_INVALID_SESSION) + PK11_EnterSlotMonitor(slot); + restore = PR_FALSE; + haslock = PR_TRUE; } if (session_handle == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return NULL; + PORT_SetError(SEC_ERROR_BAD_DATA); + return NULL; } privCount = privattrs - privTemplate; pubCount = attrs - pubTemplate; crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism, - pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID); + pubTemplate, pubCount, privTemplate, privCount, &pubID, &privID); if (crv != CKR_OK) { - if (restore) { - PK11_RestoreROSession(slot,session_handle); - } else PK11_ExitSlotMonitor(slot); - PORT_SetError( PK11_MapError(crv) ); - return NULL; + if (restore) { + PK11_RestoreROSession(slot, session_handle); + } else + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return NULL; } /* This locking code is dangerous and needs to be more thought * out... the real problem is that we're holding the mutex open this long */ - if (haslock) { PK11_ExitSlotMonitor(slot); } + if (haslock) { + PK11_ExitSlotMonitor(slot); + } /* swap around the ID's for older PKCS #11 modules */ - keyClass = PK11_ReadULongAttribute(slot,pubID,CKA_CLASS); + keyClass = PK11_ReadULongAttribute(slot, pubID, CKA_CLASS); if (keyClass != CKO_PUBLIC_KEY) { - CK_OBJECT_HANDLE tmp = pubID; - pubID = privID; - privID = tmp; + CK_OBJECT_HANDLE tmp = pubID; + pubID = privID; + privID = tmp; } *pubKey = PK11_ExtractPublicKey(slot, keyType, pubID); if (*pubKey == NULL) { - if (restore) { - /* we may have to restore the mutex so it get's exited properly - * in RestoreROSession */ - if (haslock) PK11_EnterSlotMonitor(slot); - PK11_RestoreROSession(slot,session_handle); - } - PK11_DestroyObject(slot,pubID); - PK11_DestroyObject(slot,privID); - return NULL; + if (restore) { + /* we may have to restore the mutex so it get's exited properly + * in RestoreROSession */ + if (haslock) + PK11_EnterSlotMonitor(slot); + PK11_RestoreROSession(slot, session_handle); + } + PK11_DestroyObject(slot, pubID); + PK11_DestroyObject(slot, privID); + return NULL; } /* set the ID to the public key so we can find it again */ cka_id = pk11_MakeIDFromPublicKey(*pubKey); - pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN,PR_FALSE); + pubIsToken = (PRBool)PK11_HasAttributeSet(slot, pubID, CKA_TOKEN, PR_FALSE); PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len); - if (haslock) { PK11_EnterSlotMonitor(slot); } + if (haslock) { + PK11_EnterSlotMonitor(slot); + } crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID, - &setTemplate, 1); - + &setTemplate, 1); + if (crv == CKR_OK && pubIsToken) { - crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID, - &setTemplate, 1); + crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID, + &setTemplate, 1); } - if (restore) { - PK11_RestoreROSession(slot,session_handle); + PK11_RestoreROSession(slot, session_handle); } else { - PK11_ExitSlotMonitor(slot); + PK11_ExitSlotMonitor(slot); } - SECITEM_FreeItem(cka_id,PR_TRUE); - + SECITEM_FreeItem(cka_id, PR_TRUE); if (crv != CKR_OK) { - PK11_DestroyObject(slot,pubID); - PK11_DestroyObject(slot,privID); - PORT_SetError( PK11_MapError(crv) ); - *pubKey = NULL; - return NULL; + PK11_DestroyObject(slot, pubID); + PK11_DestroyObject(slot, privID); + PORT_SetError(PK11_MapError(crv)); + *pubKey = NULL; + return NULL; } - privKey = PK11_MakePrivKey(slot,keyType,!token,privID,wincx); + privKey = PK11_MakePrivKey(slot, keyType, !token, privID, wincx); if (privKey == NULL) { - SECKEY_DestroyPublicKey(*pubKey); - PK11_DestroyObject(slot,privID); - *pubKey = NULL; - return NULL; + SECKEY_DestroyPublicKey(*pubKey); + PK11_DestroyObject(slot, privID); + *pubKey = NULL; + return NULL; } return privKey; } SECKEYPrivateKey * -PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, void *wincx) +PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, void *wincx) { - return PK11_GenerateKeyPairWithOpFlags(slot,type,param,pubKey,attrFlags, - 0, 0, wincx); + return PK11_GenerateKeyPairWithOpFlags(slot, type, param, pubKey, attrFlags, + 0, 0, wincx); } /* * Use the token to generate a key pair. */ SECKEYPrivateKey * -PK11_GenerateKeyPair(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, - void *param, SECKEYPublicKey **pubKey, PRBool token, - PRBool sensitive, void *wincx) +PK11_GenerateKeyPair(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + void *param, SECKEYPublicKey **pubKey, PRBool token, + PRBool sensitive, void *wincx) { PK11AttrFlags attrFlags = 0; if (token) { - attrFlags |= PK11_ATTR_TOKEN; + attrFlags |= PK11_ATTR_TOKEN; } else { - attrFlags |= PK11_ATTR_SESSION; + attrFlags |= PK11_ATTR_SESSION; } if (sensitive) { - attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE); + attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE); } else { - attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC); + attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC); } return PK11_GenerateKeyPairWithFlags(slot, type, param, pubKey, - attrFlags, wincx); + attrFlags, wincx); } /* build a public KEA key from the public value */ SECKEYPublicKey * -PK11_MakeKEAPubKey(unsigned char *keyData,int length) +PK11_MakeKEAPubKey(unsigned char *keyData, int length) { SECKEYPublicKey *pubk; SECItem pkData; @@ -1517,14 +1653,14 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length) pkData.len = length; pkData.type = siBuffer; - arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE); + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) - return NULL; + return NULL; - pubk = (SECKEYPublicKey *) PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); + pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey)); if (pubk == NULL) { - PORT_FreeArena (arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } pubk->arena = arena; @@ -1533,8 +1669,8 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length) pubk->keyType = fortezzaKey; rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData); if (rv != SECSuccess) { - PORT_FreeArena (arena, PR_FALSE); - return NULL; + PORT_FreeArena(arena, PR_FALSE); + return NULL; } return pubk; } @@ -1545,29 +1681,29 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length) * could later be looked up by its nickname, it would leak a SECKEYPrivateKey. * So isPerm must be true. */ -SECStatus +SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, - SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, KeyType keyType, - unsigned int keyUsage, void *wincx) + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, KeyType keyType, + unsigned int keyUsage, void *wincx) { if (!isPerm) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } return PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(slot, epki, - pwitem, nickname, publicValue, isPerm, isPrivate, keyType, - keyUsage, NULL, wincx); + pwitem, nickname, publicValue, isPerm, isPrivate, keyType, + keyUsage, NULL, wincx); } SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, - SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, - SECItem *nickname, SECItem *publicValue, PRBool isPerm, - PRBool isPrivate, KeyType keyType, - unsigned int keyUsage, SECKEYPrivateKey **privk, - void *wincx) + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, KeyType keyType, + unsigned int keyUsage, SECKEYPrivateKey **privk, + void *wincx) { CK_MECHANISM_TYPE pbeMechType; SECItem *crypto_param = NULL; @@ -1580,131 +1716,131 @@ PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, CK_KEY_TYPE key_type; CK_ATTRIBUTE_TYPE *usage = NULL; CK_ATTRIBUTE_TYPE rsaUsage[] = { - CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER }; + CKA_UNWRAP, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER + }; CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN }; CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE }; CK_ATTRIBUTE_TYPE ecUsage[] = { CKA_SIGN, CKA_DERIVE }; - if((epki == NULL) || (pwitem == NULL)) - return SECFailure; + if ((epki == NULL) || (pwitem == NULL)) + return SECFailure; pbeMechType = PK11_AlgtagToMechanism(SECOID_FindOIDTag( - &epki->algorithm.algorithm)); + &epki->algorithm.algorithm)); switch (keyType) { - default: - case rsaKey: - key_type = CKK_RSA; - switch (keyUsage & (KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE)) { - case KU_KEY_ENCIPHERMENT: - usage = rsaUsage; - usageCount = 2; - break; - case KU_DIGITAL_SIGNATURE: - usage = &rsaUsage[2]; - usageCount = 2; - break; - case KU_KEY_ENCIPHERMENT|KU_DIGITAL_SIGNATURE: - case 0: /* default to everything */ - usage = rsaUsage; - usageCount = 4; - break; - } - break; - case dhKey: - key_type = CKK_DH; - usage = dhUsage; - usageCount = sizeof(dhUsage)/sizeof(dhUsage[0]); - break; - case dsaKey: - key_type = CKK_DSA; - usage = dsaUsage; - usageCount = sizeof(dsaUsage)/sizeof(dsaUsage[0]); - break; - case ecKey: - key_type = CKK_EC; - switch (keyUsage & (KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT)) { - case KU_DIGITAL_SIGNATURE: - usage = ecUsage; - usageCount = 1; - break; - case KU_KEY_AGREEMENT: - usage = &ecUsage[1]; - usageCount = 1; - break; - case KU_DIGITAL_SIGNATURE|KU_KEY_AGREEMENT: - default: /* default to everything */ - usage = ecUsage; - usageCount = 2; - break; - } - break; + default: + case rsaKey: + key_type = CKK_RSA; + switch (keyUsage & (KU_KEY_ENCIPHERMENT | KU_DIGITAL_SIGNATURE)) { + case KU_KEY_ENCIPHERMENT: + usage = rsaUsage; + usageCount = 2; + break; + case KU_DIGITAL_SIGNATURE: + usage = &rsaUsage[2]; + usageCount = 2; + break; + case KU_KEY_ENCIPHERMENT | KU_DIGITAL_SIGNATURE: + case 0: /* default to everything */ + usage = rsaUsage; + usageCount = 4; + break; + } + break; + case dhKey: + key_type = CKK_DH; + usage = dhUsage; + usageCount = sizeof(dhUsage) / sizeof(dhUsage[0]); + break; + case dsaKey: + key_type = CKK_DSA; + usage = dsaUsage; + usageCount = sizeof(dsaUsage) / sizeof(dsaUsage[0]); + break; + case ecKey: + key_type = CKK_EC; + switch (keyUsage & (KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) { + case KU_DIGITAL_SIGNATURE: + usage = ecUsage; + usageCount = 1; + break; + case KU_KEY_AGREEMENT: + usage = &ecUsage[1]; + usageCount = 1; + break; + case KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT: + default: /* default to everything */ + usage = ecUsage; + usageCount = 2; + break; + } + break; } try_faulty_3des: key = PK11_PBEKeyGen(slot, &epki->algorithm, pwitem, faulty3DES, wincx); if (key == NULL) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } cryptoMechType = pk11_GetPBECryptoMechanism(&epki->algorithm, - &crypto_param, pwitem, faulty3DES); + &crypto_param, pwitem, faulty3DES); if (cryptoMechType == CKM_INVALID_MECHANISM) { - rv = SECFailure; - goto done; + rv = SECFailure; + goto done; } - cryptoMechType = PK11_GetPadMechanism(cryptoMechType); PORT_Assert(usage != NULL); PORT_Assert(usageCount != 0); - privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType, - crypto_param, &epki->encryptedData, - nickname, publicValue, isPerm, isPrivate, - key_type, usage, usageCount, wincx); - if(privKey) { - if (privk) { - *privk = privKey; - } else { - SECKEY_DestroyPrivateKey(privKey); - } - privKey = NULL; - rv = SECSuccess; - goto done; - } - - /* if we are unable to import the key and the pbeMechType is + privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType, + crypto_param, &epki->encryptedData, + nickname, publicValue, isPerm, isPrivate, + key_type, usage, usageCount, wincx); + if (privKey) { + if (privk) { + *privk = privKey; + } else { + SECKEY_DestroyPrivateKey(privKey); + } + privKey = NULL; + rv = SECSuccess; + goto done; + } + + /* if we are unable to import the key and the pbeMechType is * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that * the encrypted blob was created with a buggy key generation method * which is described in the PKCS 12 implementation notes. So we * need to try importing via that method. - */ - if((pbeMechType == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) { - /* clean up after ourselves before redoing the key generation. */ + */ + if ((pbeMechType == CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC) && (!faulty3DES)) { + /* clean up after ourselves before redoing the key generation. */ - PK11_FreeSymKey(key); - key = NULL; + PK11_FreeSymKey(key); + key = NULL; - if(crypto_param) { - SECITEM_ZfreeItem(crypto_param, PR_TRUE); - crypto_param = NULL; - } + if (crypto_param) { + SECITEM_ZfreeItem(crypto_param, PR_TRUE); + crypto_param = NULL; + } - faulty3DES = PR_TRUE; - goto try_faulty_3des; + faulty3DES = PR_TRUE; + goto try_faulty_3des; } /* key import really did fail */ rv = SECFailure; done: - if(crypto_param != NULL) { - SECITEM_ZfreeItem(crypto_param, PR_TRUE); + if (crypto_param != NULL) { + SECITEM_ZfreeItem(crypto_param, PR_TRUE); } - if(key != NULL) { - PK11_FreeSymKey(key); + if (key != NULL) { + PK11_FreeSymKey(key); } return rv; @@ -1714,82 +1850,81 @@ SECKEYPrivateKeyInfo * PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx) { SECKEYPrivateKeyInfo *pki = NULL; - SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); + SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); if (pk != NULL) { - pki = PK11_ExportPrivKeyInfo(pk, wincx); - SECKEY_DestroyPrivateKey(pk); + pki = PK11_ExportPrivKeyInfo(pk, wincx); + SECKEY_DestroyPrivateKey(pk); } return pki; } -SECKEYEncryptedPrivateKeyInfo * +SECKEYEncryptedPrivateKeyInfo * PK11_ExportEncryptedPrivKeyInfo( - PK11SlotInfo *slot, /* optional, encrypt key in this slot */ - SECOidTag algTag, /* encrypt key with this algorithm */ - SECItem *pwitem, /* password for PBE encryption */ - SECKEYPrivateKey *pk, /* encrypt this private key */ - int iteration, /* interations for PBE alg */ - void *wincx) /* context for password callback ? */ + PK11SlotInfo *slot, /* optional, encrypt key in this slot */ + SECOidTag algTag, /* encrypt key with this algorithm */ + SECItem *pwitem, /* password for PBE encryption */ + SECKEYPrivateKey *pk, /* encrypt this private key */ + int iteration, /* interations for PBE alg */ + void *wincx) /* context for password callback ? */ { - SECKEYEncryptedPrivateKeyInfo *epki = NULL; - PLArenaPool *arena = NULL; - SECAlgorithmID *algid; - SECOidTag pbeAlgTag = SEC_OID_UNKNOWN; - SECItem *crypto_param = NULL; - PK11SymKey *key = NULL; - SECKEYPrivateKey *tmpPK = NULL; - SECStatus rv = SECSuccess; - CK_RV crv; - CK_ULONG encBufLen; - CK_MECHANISM_TYPE pbeMechType; - CK_MECHANISM_TYPE cryptoMechType; - CK_MECHANISM cryptoMech; + SECKEYEncryptedPrivateKeyInfo *epki = NULL; + PLArenaPool *arena = NULL; + SECAlgorithmID *algid; + SECOidTag pbeAlgTag = SEC_OID_UNKNOWN; + SECItem *crypto_param = NULL; + PK11SymKey *key = NULL; + SECKEYPrivateKey *tmpPK = NULL; + SECStatus rv = SECSuccess; + CK_RV crv; + CK_ULONG encBufLen; + CK_MECHANISM_TYPE pbeMechType; + CK_MECHANISM_TYPE cryptoMechType; + CK_MECHANISM cryptoMech; if (!pwitem || !pk) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } algid = sec_pkcs5CreateAlgorithmID(algTag, SEC_OID_UNKNOWN, SEC_OID_UNKNOWN, - &pbeAlgTag, 0, NULL, iteration); + &pbeAlgTag, 0, NULL, iteration); if (algid == NULL) { - return NULL; + return NULL; } arena = PORT_NewArena(2048); if (arena) - epki = PORT_ArenaZNew(arena, SECKEYEncryptedPrivateKeyInfo); - if(epki == NULL) { - rv = SECFailure; - goto loser; + epki = PORT_ArenaZNew(arena, SECKEYEncryptedPrivateKeyInfo); + if (epki == NULL) { + rv = SECFailure; + goto loser; } epki->arena = arena; - /* if we didn't specify a slot, use the slot the private key was in */ if (!slot) { - slot = pk->pkcs11Slot; + slot = pk->pkcs11Slot; } /* if we specified a different slot, and the private key slot can do the - * pbe key gen, generate the key in the private key slot so we don't have + * pbe key gen, generate the key in the private key slot so we don't have * to move it later */ pbeMechType = PK11_AlgtagToMechanism(pbeAlgTag); if (slot != pk->pkcs11Slot) { - if (PK11_DoesMechanism(pk->pkcs11Slot,pbeMechType)) { - slot = pk->pkcs11Slot; - } + if (PK11_DoesMechanism(pk->pkcs11Slot, pbeMechType)) { + slot = pk->pkcs11Slot; + } } key = PK11_PBEKeyGen(slot, algid, pwitem, PR_FALSE, wincx); if (key == NULL) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } cryptoMechType = PK11_GetPBECryptoMechanism(algid, &crypto_param, pwitem); if (cryptoMechType == CKM_INVALID_MECHANISM) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } cryptoMech.mechanism = PK11_GetPadMechanism(cryptoMechType); @@ -1798,24 +1933,24 @@ PK11_ExportEncryptedPrivKeyInfo( /* If the key isn't in the private key slot, move it */ if (key->slot != pk->pkcs11Slot) { - PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot, - key->type, CKA_WRAP, key); - if (newkey == NULL) { + PK11SymKey *newkey = pk11_CopyToSlot(pk->pkcs11Slot, + key->type, CKA_WRAP, key); + if (newkey == NULL) { /* couldn't import the wrapping key, try exporting the * private key */ - tmpPK = pk11_loadPrivKey(key->slot, pk, NULL, PR_FALSE, PR_TRUE); - if (tmpPK == NULL) { - rv = SECFailure; - goto loser; - } - pk = tmpPK; - } else { - /* free the old key and use the new key */ - PK11_FreeSymKey(key); - key = newkey; - } - } - + tmpPK = pk11_loadPrivKey(key->slot, pk, NULL, PR_FALSE, PR_TRUE); + if (tmpPK == NULL) { + rv = SECFailure; + goto loser; + } + pk = tmpPK; + } else { + /* free the old key and use the new key */ + PK11_FreeSymKey(key); + key = newkey; + } + } + /* we are extracting an encrypted privateKey structure. * which needs to be freed along with the buffer into which it is * returned. eventually, we should retrieve an encrypted key using @@ -1823,81 +1958,77 @@ PK11_ExportEncryptedPrivKeyInfo( */ encBufLen = 0; PK11_EnterSlotMonitor(pk->pkcs11Slot); - crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, - &cryptoMech, key->objectID, pk->pkcs11ID, NULL, - &encBufLen); + crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, &cryptoMech, key->objectID, pk->pkcs11ID, NULL, &encBufLen); PK11_ExitSlotMonitor(pk->pkcs11Slot); if (crv != CKR_OK) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } epki->encryptedData.data = PORT_ArenaAlloc(arena, encBufLen); if (!epki->encryptedData.data) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } PK11_EnterSlotMonitor(pk->pkcs11Slot); - crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, - &cryptoMech, key->objectID, pk->pkcs11ID, - epki->encryptedData.data, &encBufLen); + crv = PK11_GETTAB(pk->pkcs11Slot)->C_WrapKey(pk->pkcs11Slot->session, &cryptoMech, key->objectID, pk->pkcs11ID, epki->encryptedData.data, &encBufLen); PK11_ExitSlotMonitor(pk->pkcs11Slot); - epki->encryptedData.len = (unsigned int) encBufLen; - if(crv != CKR_OK) { - rv = SECFailure; - goto loser; + epki->encryptedData.len = (unsigned int)encBufLen; + if (crv != CKR_OK) { + rv = SECFailure; + goto loser; } - if(!epki->encryptedData.len) { - rv = SECFailure; - goto loser; + if (!epki->encryptedData.len) { + rv = SECFailure; + goto loser; } rv = SECOID_CopyAlgorithmID(arena, &epki->algorithm, algid); loser: - if(crypto_param != NULL) { - SECITEM_ZfreeItem(crypto_param, PR_TRUE); - crypto_param = NULL; + if (crypto_param != NULL) { + SECITEM_ZfreeItem(crypto_param, PR_TRUE); + crypto_param = NULL; } - if(key != NULL) { - PK11_FreeSymKey(key); + if (key != NULL) { + PK11_FreeSymKey(key); } if (tmpPK != NULL) { - SECKEY_DestroyPrivateKey(tmpPK); + SECKEY_DestroyPrivateKey(tmpPK); } SECOID_DestroyAlgorithmID(algid, PR_TRUE); - if(rv == SECFailure) { - if(arena != NULL) { - PORT_FreeArena(arena, PR_TRUE); - } - epki = NULL; + if (rv == SECFailure) { + if (arena != NULL) { + PORT_FreeArena(arena, PR_TRUE); + } + epki = NULL; } return epki; } -SECKEYEncryptedPrivateKeyInfo * +SECKEYEncryptedPrivateKeyInfo * PK11_ExportEncryptedPrivateKeyInfo( - PK11SlotInfo *slot, /* optional, encrypt key in this slot */ - SECOidTag algTag, /* encrypt key with this algorithm */ - SECItem *pwitem, /* password for PBE encryption */ - CERTCertificate *cert, /* wrap priv key for this user cert */ - int iteration, /* interations for PBE alg */ - void *wincx) /* context for password callback ? */ + PK11SlotInfo *slot, /* optional, encrypt key in this slot */ + SECOidTag algTag, /* encrypt key with this algorithm */ + SECItem *pwitem, /* password for PBE encryption */ + CERTCertificate *cert, /* wrap priv key for this user cert */ + int iteration, /* interations for PBE alg */ + void *wincx) /* context for password callback ? */ { SECKEYEncryptedPrivateKeyInfo *epki = NULL; - SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); + SECKEYPrivateKey *pk = PK11_FindKeyByAnyCert(cert, wincx); if (pk != NULL) { - epki = PK11_ExportEncryptedPrivKeyInfo(slot, algTag, pwitem, pk, - iteration, wincx); - SECKEY_DestroyPrivateKey(pk); + epki = PK11_ExportEncryptedPrivKeyInfo(slot, algTag, pwitem, pk, + iteration, wincx); + SECKEY_DestroyPrivateKey(pk); } return epki; } -SECItem* +SECItem * PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk) { return SECKEY_EncodeDERSubjectPublicKeyInfo(pubk); @@ -1906,57 +2037,56 @@ PK11_DEREncodePublicKey(const SECKEYPublicKey *pubk) char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey) { - return PK11_GetObjectNickname(privKey->pkcs11Slot,privKey->pkcs11ID); + return PK11_GetObjectNickname(privKey->pkcs11Slot, privKey->pkcs11ID); } char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey) { - return PK11_GetObjectNickname(pubKey->pkcs11Slot,pubKey->pkcs11ID); + return PK11_GetObjectNickname(pubKey->pkcs11Slot, pubKey->pkcs11ID); } SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, const char *nickname) { return PK11_SetObjectNickname(privKey->pkcs11Slot, - privKey->pkcs11ID,nickname); + privKey->pkcs11ID, nickname); } SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, const char *nickname) { return PK11_SetObjectNickname(pubKey->pkcs11Slot, - pubKey->pkcs11ID,nickname); + pubKey->pkcs11ID, nickname); } SECKEYPQGParams * PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey) { CK_ATTRIBUTE pTemplate[] = { - { CKA_PRIME, NULL, 0 }, - { CKA_SUBPRIME, NULL, 0 }, - { CKA_BASE, NULL, 0 }, + { CKA_PRIME, NULL, 0 }, + { CKA_SUBPRIME, NULL, 0 }, + { CKA_BASE, NULL, 0 }, }; - int pTemplateLen = sizeof(pTemplate)/sizeof(pTemplate[0]); + int pTemplateLen = sizeof(pTemplate) / sizeof(pTemplate[0]); PLArenaPool *arena = NULL; SECKEYPQGParams *params; CK_RV crv; - arena = PORT_NewArena(2048); if (arena == NULL) { - goto loser; + goto loser; } - params=(SECKEYPQGParams *)PORT_ArenaZAlloc(arena,sizeof(SECKEYPQGParams)); + params = (SECKEYPQGParams *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPQGParams)); if (params == NULL) { - goto loser; + goto loser; } - crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, - pTemplate, pTemplateLen); + crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID, + pTemplate, pTemplateLen); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - goto loser; + PORT_SetError(PK11_MapError(crv)); + goto loser; } params->arena = arena; @@ -1971,55 +2101,55 @@ PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey) loser: if (arena != NULL) { - PORT_FreeArena(arena,PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } return NULL; } -SECKEYPrivateKey* +SECKEYPrivateKey * PK11_CopyTokenPrivKeyToSessionPrivKey(PK11SlotInfo *destSlot, - SECKEYPrivateKey *privKey) + SECKEYPrivateKey *privKey) { - CK_RV crv; - CK_OBJECT_HANDLE newKeyID; + CK_RV crv; + CK_OBJECT_HANDLE newKeyID; - static const CK_BBOOL ckfalse = CK_FALSE; - static const CK_ATTRIBUTE template[1] = { - { CKA_TOKEN, (CK_BBOOL *)&ckfalse, sizeof ckfalse } + static const CK_BBOOL ckfalse = CK_FALSE; + static const CK_ATTRIBUTE template[1] = { + { CKA_TOKEN, (CK_BBOOL *)&ckfalse, sizeof ckfalse } }; if (destSlot && destSlot != privKey->pkcs11Slot) { - SECKEYPrivateKey *newKey = - pk11_loadPrivKey(destSlot, - privKey, - NULL, /* pubKey */ - PR_FALSE, /* token */ - PR_FALSE);/* sensitive */ - if (newKey) - return newKey; + SECKEYPrivateKey *newKey = + pk11_loadPrivKey(destSlot, + privKey, + NULL, /* pubKey */ + PR_FALSE, /* token */ + PR_FALSE); /* sensitive */ + if (newKey) + return newKey; } destSlot = privKey->pkcs11Slot; PK11_Authenticate(destSlot, PR_TRUE, privKey->wincx); PK11_EnterSlotMonitor(destSlot); - crv = PK11_GETTAB(destSlot)->C_CopyObject( destSlot->session, - privKey->pkcs11ID, - (CK_ATTRIBUTE *)template, - 1, &newKeyID); + crv = PK11_GETTAB(destSlot)->C_CopyObject(destSlot->session, + privKey->pkcs11ID, + (CK_ATTRIBUTE *)template, + 1, &newKeyID); PK11_ExitSlotMonitor(destSlot); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); - return NULL; + PORT_SetError(PK11_MapError(crv)); + return NULL; } - return PK11_MakePrivKey(destSlot, privKey->keyType, PR_TRUE /*isTemp*/, - newKeyID, privKey->wincx); + return PK11_MakePrivKey(destSlot, privKey->keyType, PR_TRUE /*isTemp*/, + newKeyID, privKey->wincx); } -SECKEYPrivateKey* -PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx) +SECKEYPrivateKey * +PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void *wincx) { - PK11SlotInfo* slot = privk->pkcs11Slot; + PK11SlotInfo *slot = privk->pkcs11Slot; CK_ATTRIBUTE template[1]; CK_ATTRIBUTE *attrs = template; CK_BBOOL cktrue = CK_TRUE; @@ -2027,25 +2157,26 @@ PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx) CK_OBJECT_HANDLE newKeyID; CK_SESSION_HANDLE rwsession; - PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); + attrs++; PK11_Authenticate(slot, PR_TRUE, wincx); rwsession = PK11_GetRWSession(slot); if (rwsession == CK_INVALID_SESSION) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return NULL; + PORT_SetError(SEC_ERROR_BAD_DATA); + return NULL; } crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, privk->pkcs11ID, - template, 1, &newKeyID); + template, 1, &newKeyID); PK11_RestoreROSession(slot, rwsession); if (crv != CKR_OK) { - PORT_SetError( PK11_MapError(crv) ); + PORT_SetError(PK11_MapError(crv)); return NULL; } return PK11_MakePrivKey(slot, nullKey /*KeyType*/, PR_FALSE /*isTemp*/, - newKeyID, NULL /*wincx*/); + newKeyID, NULL /*wincx*/); } /* @@ -2055,15 +2186,15 @@ PK11_ConvertSessionPrivKeyToTokenPrivKey(SECKEYPrivateKey *privk, void* wincx) SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force) { - CERTCertificate *cert=PK11_GetCertFromPrivateKey(privKey); + CERTCertificate *cert = PK11_GetCertFromPrivateKey(privKey); SECStatus rv = SECWouldBlock; if (!cert || force) { - /* now, then it's safe for the key to go away */ - rv = PK11_DestroyTokenObject(privKey->pkcs11Slot,privKey->pkcs11ID); + /* now, then it's safe for the key to go away */ + rv = PK11_DestroyTokenObject(privKey->pkcs11Slot, privKey->pkcs11ID); } if (cert) { - CERT_DestroyCertificate(cert); + CERT_DestroyCertificate(cert); } SECKEY_DestroyPrivateKey(privKey); return rv; @@ -2078,9 +2209,9 @@ PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey) { /* now, then it's safe for the key to go away */ if (pubKey->pkcs11Slot == NULL) { - return SECFailure; + return SECFailure; } - PK11_DestroyTokenObject(pubKey->pkcs11Slot,pubKey->pkcs11ID); + PK11_DestroyTokenObject(pubKey->pkcs11Slot, pubKey->pkcs11ID); SECKEY_DestroyPublicKey(pubKey); return SECSuccess; } @@ -2089,9 +2220,9 @@ PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey) * key call back structure. */ typedef struct pk11KeyCallbackStr { - SECStatus (* callback)(SECKEYPrivateKey *,void *); - void *callbackArg; - void *wincx; + SECStatus (*callback)(SECKEYPrivateKey *, void *); + void *callbackArg; + void *wincx; } pk11KeyCallback; /* @@ -2102,22 +2233,22 @@ pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg) { SECStatus rv = SECSuccess; SECKEYPrivateKey *privKey; - pk11KeyCallback *keycb = (pk11KeyCallback *) arg; + pk11KeyCallback *keycb = (pk11KeyCallback *)arg; if (!arg) { return SECFailure; } - privKey = PK11_MakePrivKey(slot,nullKey,PR_TRUE,keyHandle,keycb->wincx); + privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, keycb->wincx); if (privKey == NULL) { - return SECFailure; + return SECFailure; } if (keycb->callback) { - rv = (*keycb->callback)(privKey,keycb->callbackArg); + rv = (*keycb->callback)(privKey, keycb->callbackArg); } - SECKEY_DestroyPrivateKey(privKey); + SECKEY_DestroyPrivateKey(privKey); return rv; } @@ -2135,8 +2266,8 @@ pk11_DoKeys(PK11SlotInfo *slot, CK_OBJECT_HANDLE keyHandle, void *arg) * An argument that will be passed to the callback function. */ SECStatus -PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot, - SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg) +PK11_TraversePrivateKeysInSlot(PK11SlotInfo *slot, + SECStatus (*callback)(SECKEYPrivateKey *, void *), void *arg) { pk11KeyCallback perKeyCB; pk11TraverseSlot perObjectCB; @@ -2152,7 +2283,7 @@ PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot, theTemplate[1].pValue = &ckTrue; theTemplate[1].ulValueLen = sizeof(ckTrue); - if(slot==NULL) { + if (slot == NULL) { return SECSuccess; } @@ -2175,19 +2306,19 @@ pk11_FindPrivateKeyFromCertID(PK11SlotInfo *slot, SECItem *keyID) { CK_OBJECT_CLASS privKey = CKO_PRIVATE_KEY; CK_ATTRIBUTE theTemplate[] = { - { CKA_ID, NULL, 0 }, - { CKA_CLASS, NULL, 0 }, + { CKA_ID, NULL, 0 }, + { CKA_CLASS, NULL, 0 }, }; /* if you change the array, change the variable below as well */ - int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]); + int tsize = sizeof(theTemplate) / sizeof(theTemplate[0]); CK_ATTRIBUTE *attrs = theTemplate; - PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len ); attrs++; + PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); + attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &privKey, sizeof(privKey)); - return pk11_FindObjectByTemplate(slot,theTemplate,tsize); -} - + return pk11_FindObjectByTemplate(slot, theTemplate, tsize); +} SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx) @@ -2196,10 +2327,10 @@ PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx) SECKEYPrivateKey *privKey; keyHandle = pk11_FindPrivateKeyFromCertID(slot, keyID); - if (keyHandle == CK_INVALID_HANDLE) { - return NULL; + if (keyHandle == CK_INVALID_HANDLE) { + return NULL; } - privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx); + privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, keyHandle, wincx); return privKey; } @@ -2209,55 +2340,55 @@ PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, void *wincx) * smart cards happy. */ SECItem * -PK11_MakeIDFromPubKey(SECItem *pubKeyData) +PK11_MakeIDFromPubKey(SECItem *pubKeyData) { PK11Context *context; SECItem *certCKA_ID; SECStatus rv; if (pubKeyData->len <= SHA1_LENGTH) { - /* probably an already hashed value. The strongest known public - * key values <= 160 bits would be less than 40 bit symetric in - * strength. Don't hash them, just return the value. There are - * none at the time of this writing supported by previous versions - * of NSS, so change is binary compatible safe */ - return SECITEM_DupItem(pubKeyData); + /* probably an already hashed value. The strongest known public + * key values <= 160 bits would be less than 40 bit symetric in + * strength. Don't hash them, just return the value. There are + * none at the time of this writing supported by previous versions + * of NSS, so change is binary compatible safe */ + return SECITEM_DupItem(pubKeyData); } context = PK11_CreateDigestContext(SEC_OID_SHA1); if (context == NULL) { - return NULL; + return NULL; } rv = PK11_DigestBegin(context); if (rv == SECSuccess) { - rv = PK11_DigestOp(context,pubKeyData->data,pubKeyData->len); + rv = PK11_DigestOp(context, pubKeyData->data, pubKeyData->len); } if (rv != SECSuccess) { - PK11_DestroyContext(context,PR_TRUE); - return NULL; + PK11_DestroyContext(context, PR_TRUE); + return NULL; } certCKA_ID = (SECItem *)PORT_Alloc(sizeof(SECItem)); if (certCKA_ID == NULL) { - PK11_DestroyContext(context,PR_TRUE); - return NULL; + PK11_DestroyContext(context, PR_TRUE); + return NULL; } certCKA_ID->len = SHA1_LENGTH; - certCKA_ID->data = (unsigned char*)PORT_Alloc(certCKA_ID->len); + certCKA_ID->data = (unsigned char *)PORT_Alloc(certCKA_ID->len); if (certCKA_ID->data == NULL) { - PORT_Free(certCKA_ID); - PK11_DestroyContext(context,PR_TRUE); + PORT_Free(certCKA_ID); + PK11_DestroyContext(context, PR_TRUE); return NULL; } - rv = PK11_DigestFinal(context,certCKA_ID->data,&certCKA_ID->len, - SHA1_LENGTH); - PK11_DestroyContext(context,PR_TRUE); + rv = PK11_DigestFinal(context, certCKA_ID->data, &certCKA_ID->len, + SHA1_LENGTH); + PK11_DestroyContext(context, PR_TRUE); if (rv != SECSuccess) { - SECITEM_FreeItem(certCKA_ID,PR_TRUE); - return NULL; + SECITEM_FreeItem(certCKA_ID, PR_TRUE); + return NULL; } return certCKA_ID; @@ -2267,41 +2398,41 @@ PK11_MakeIDFromPubKey(SECItem *pubKeyData) * Call PK11_GetLowLevelKeyIDForPrivateKey instead. */ - SECItem * PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *privKey) { - return pk11_GetLowLevelKeyFromHandle(privKey->pkcs11Slot,privKey->pkcs11ID); + return pk11_GetLowLevelKeyFromHandle(privKey->pkcs11Slot, privKey->pkcs11ID); } static SECStatus privateKeyListCallback(SECKEYPrivateKey *key, void *arg) { - SECKEYPrivateKeyList *list = (SECKEYPrivateKeyList*)arg; + SECKEYPrivateKeyList *list = (SECKEYPrivateKeyList *)arg; return SECKEY_AddPrivateKeyToListTail(list, SECKEY_CopyPrivateKey(key)); } -SECKEYPrivateKeyList* +SECKEYPrivateKeyList * PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot) { SECStatus status; SECKEYPrivateKeyList *keys; keys = SECKEY_NewPrivateKeyList(); - if(keys == NULL) return NULL; + if (keys == NULL) + return NULL; status = PK11_TraversePrivateKeysInSlot(slot, privateKeyListCallback, - (void*)keys); + (void *)keys); - if( status != SECSuccess ) { - SECKEY_DestroyPrivateKeyList(keys); - keys = NULL; + if (status != SECSuccess) { + SECKEY_DestroyPrivateKeyList(keys); + keys = NULL; } return keys; } -SECKEYPublicKeyList* +SECKEYPublicKeyList * PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname) { CK_ATTRIBUTE findTemp[4]; @@ -2312,42 +2443,44 @@ PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, char *nickname) int objCount = 0; CK_OBJECT_HANDLE *key_ids; SECKEYPublicKeyList *keys; - int i,len; - + int i, len; attrs = findTemp; - PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; if (nickname) { - len = PORT_Strlen(nickname); - PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++; + len = PORT_Strlen(nickname); + PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); + attrs++; } tsize = attrs - findTemp; - PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); - key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount); + key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount); if (key_ids == NULL) { - return NULL; + return NULL; } keys = SECKEY_NewPublicKeyList(); if (keys == NULL) { - PORT_Free(key_ids); - return NULL; + PORT_Free(key_ids); + return NULL; } - for (i=0; i < objCount ; i++) { - SECKEYPublicKey *pubKey = - PK11_ExtractPublicKey(slot,nullKey,key_ids[i]); - if (pubKey) { - SECKEY_AddPublicKeyToListTail(keys, pubKey); - } - } + for (i = 0; i < objCount; i++) { + SECKEYPublicKey *pubKey = + PK11_ExtractPublicKey(slot, nullKey, key_ids[i]); + if (pubKey) { + SECKEY_AddPublicKeyToListTail(keys, pubKey); + } + } - PORT_Free(key_ids); - return keys; + PORT_Free(key_ids); + return keys; } -SECKEYPrivateKeyList* +SECKEYPrivateKeyList * PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx) { CK_ATTRIBUTE findTemp[4]; @@ -2358,36 +2491,37 @@ PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx) int objCount = 0; CK_OBJECT_HANDLE *key_ids; SECKEYPrivateKeyList *keys; - int i,len; - + int i, len; attrs = findTemp; - PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); attrs++; - PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); attrs++; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; if (nickname) { - len = PORT_Strlen(nickname); - PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); attrs++; + len = PORT_Strlen(nickname); + PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); + attrs++; } tsize = attrs - findTemp; - PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); - key_ids = pk11_FindObjectsByTemplate(slot,findTemp,tsize,&objCount); + key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount); if (key_ids == NULL) { - return NULL; + return NULL; } keys = SECKEY_NewPrivateKeyList(); if (keys == NULL) { - PORT_Free(key_ids); - return NULL; + PORT_Free(key_ids); + return NULL; } - for (i=0; i < objCount ; i++) { - SECKEYPrivateKey *privKey = - PK11_MakePrivKey(slot,nullKey,PR_TRUE,key_ids[i],wincx); - SECKEY_AddPrivateKeyToListTail(keys, privKey); - } + for (i = 0; i < objCount; i++) { + SECKEYPrivateKey *privKey = + PK11_MakePrivKey(slot, nullKey, PR_TRUE, key_ids[i], wincx); + SECKEY_AddPrivateKeyToListTail(keys, privKey); + } - PORT_Free(key_ids); - return keys; + PORT_Free(key_ids); + return keys; } - |