File: | s/lib/softoken/pkcs11.c |
Warning: | line 4327, column 13 Value stored to 'rv' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | /* |
5 | * This file implements PKCS 11 on top of our existing security modules |
6 | * |
7 | * For more information about PKCS 11 See PKCS 11 Token Inteface Standard. |
8 | * This implementation has two slots: |
9 | * slot 1 is our generic crypto support. It does not require login. |
10 | * It supports Public Key ops, and all they bulk ciphers and hashes. |
11 | * It can also support Private Key ops for imported Private keys. It does |
12 | * not have any token storage. |
13 | * slot 2 is our private key support. It requires a login before use. It |
14 | * can store Private Keys and Certs as token objects. Currently only private |
15 | * keys and their associated Certificates are saved on the token. |
16 | * |
17 | * In this implementation, session objects are only visible to the session |
18 | * that created or generated them. |
19 | */ |
20 | #include "seccomon.h" |
21 | #include "secitem.h" |
22 | #include "pkcs11.h" |
23 | #include "pkcs11i.h" |
24 | #include "softoken.h" |
25 | #include "lowkeyi.h" |
26 | #include "blapi.h" |
27 | #include "secder.h" |
28 | #include "secport.h" |
29 | #include "secrng.h" |
30 | #include "prtypes.h" |
31 | #include "nspr.h" |
32 | #include "softkver.h" |
33 | #include "secoid.h" |
34 | #include "sftkdb.h" |
35 | #include "utilpars.h" |
36 | #include "ec.h" |
37 | #include "secasn1.h" |
38 | #include "secerr.h" |
39 | #include "lgglue.h" |
40 | #include "kem.h" |
41 | |
42 | PRBool parentForkedAfterC_Initialize; |
43 | |
44 | #ifndef NO_FORK_CHECK |
45 | |
46 | PRBool sftkForkCheckDisabled; |
47 | |
48 | #if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED) |
49 | PRBool forked = PR_FALSE0; |
50 | #endif |
51 | |
52 | #if defined(CHECK_FORK_GETPID) || defined(CHECK_FORK_MIXED) |
53 | #include <unistd.h> |
54 | pid_t myPid; |
55 | #endif |
56 | |
57 | #ifdef CHECK_FORK_MIXED |
58 | #include <sys/systeminfo.h> |
59 | PRBool usePthread_atfork; |
60 | #endif |
61 | |
62 | #endif |
63 | |
64 | #ifdef XP_UNIX1 |
65 | #define LIB_PARAM_DEFAULT_FILE_LOCATION"/etc/nss/params.config" "/etc/nss/params.config" |
66 | #endif |
67 | |
68 | #define LIB_PARAM_DEFAULT" configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB,noModDB " " configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB,noModDB " |
69 | /* |
70 | * ******************** Static data ******************************* |
71 | */ |
72 | |
73 | /* The next three strings must be exactly 32 characters long */ |
74 | static char *manufacturerID = "Mozilla Foundation "; |
75 | static char manufacturerID_space[33]; |
76 | static char *libraryDescription = "NSS Internal Crypto Services "; |
77 | static char libraryDescription_space[33]; |
78 | |
79 | /* |
80 | * In FIPS mode, we disallow login attempts for 1 second after a login |
81 | * failure so that there are at most 60 login attempts per minute. |
82 | */ |
83 | static PRIntervalTime loginWaitTime; |
84 | |
85 | #define __PASTE(x, y) x##y |
86 | |
87 | /* |
88 | * we renamed all our internal functions, get the correct |
89 | * definitions for them... |
90 | */ |
91 | #undef CK_PKCS11_FUNCTION_INFO |
92 | #undef CK_NEED_ARG_LIST |
93 | |
94 | #define CK_PKCS11_3_0 1 |
95 | #define CK_EXTERNextern extern |
96 | #define CK_PKCS11_FUNCTION_INFO(func) \ |
97 | CK_RV __PASTE(NS, func) |
98 | #define CK_NEED_ARG_LIST 1 |
99 | |
100 | #include "pkcs11f.h" |
101 | |
102 | #ifndef NSS_FIPS_DISABLE |
103 | /* ------------- forward declare all the FIPS functions ------------- */ |
104 | #undef CK_NEED_ARG_LIST |
105 | #undef CK_PKCS11_FUNCTION_INFO |
106 | |
107 | #define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F, name) |
108 | #define CK_NEED_ARG_LIST 1 |
109 | |
110 | #include "pkcs11f.h" |
111 | #endif |
112 | |
113 | /* build the crypto module table */ |
114 | static CK_FUNCTION_LIST_3_0 sftk_funcList = { |
115 | { CRYPTOKI_VERSION_MAJOR3, CRYPTOKI_VERSION_MINOR0 }, |
116 | |
117 | #undef CK_PKCS11_FUNCTION_INFO |
118 | #undef CK_NEED_ARG_LIST |
119 | |
120 | #define CK_PKCS11_FUNCTION_INFO(func) \ |
121 | __PASTE(NS, func) \ |
122 | , |
123 | #include "pkcs11f.h" |
124 | |
125 | }; |
126 | |
127 | /* need a special version of get info for version 2 which returns the version |
128 | * 2.4 version number */ |
129 | CK_RV NSC_GetInfoV2(CK_INFO_PTR pInfo); |
130 | CK_RV NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, |
131 | CK_MECHANISM_INFO_PTR pInfo); |
132 | |
133 | /* build the crypto module table */ |
134 | static CK_FUNCTION_LIST sftk_funcList_v2 = { |
135 | { 2, 40 }, |
136 | |
137 | #undef CK_PKCS11_3_0 |
138 | #define CK_PKCS_11_2_0_ONLY 1 |
139 | #undef CK_PKCS11_FUNCTION_INFO |
140 | #undef CK_NEED_ARG_LIST |
141 | #define C_GetInfo C_GetInfoV2 |
142 | #define C_GetMechanismInfo C_GetMechanismInfoV2 |
143 | |
144 | #define CK_PKCS11_FUNCTION_INFO(func) \ |
145 | __PASTE(NS, func) \ |
146 | , |
147 | #include "pkcs11f.h" |
148 | |
149 | }; |
150 | |
151 | #undef C_GetInfo |
152 | #undef C_GetMechanismInfo |
153 | #undef CK_PKCS_11_2_0_ONLY |
154 | #undef CK_PKCS11_FUNCTION_INFO |
155 | #undef CK_NEED_ARG_LIST |
156 | |
157 | #undef __PASTE |
158 | |
159 | CK_NSS_MODULE_FUNCTIONS sftk_module_funcList = { |
160 | { 1, 0 }, |
161 | NSC_ModuleDBFunc |
162 | }; |
163 | |
164 | static CK_RV |
165 | nsc_NSSGetFIPSStatus(CK_SESSION_HANDLE hSession, |
166 | CK_OBJECT_HANDLE hObject, |
167 | CK_ULONG ulOperationType, |
168 | CK_ULONG *pulFIPSStatus); |
169 | CK_NSS_FIPS_FUNCTIONS sftk_fips_funcList = { |
170 | { 1, 0 }, |
171 | nsc_NSSGetFIPSStatus |
172 | }; |
173 | |
174 | CK_NSS_KEM_FUNCTIONS sftk_kem_funcList = { |
175 | { 1, 0 }, |
176 | NSC_Encapsulate, |
177 | NSC_Decapsulate |
178 | }; |
179 | |
180 | /* |
181 | * Array is orderd by default first |
182 | */ |
183 | static CK_INTERFACE nss_interfaces[] = { |
184 | { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_funcList, NSS_INTERFACE_FLAGS0x00000001UL }, |
185 | { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_funcList_v2, NSS_INTERFACE_FLAGS0x00000001UL }, |
186 | { (CK_UTF8CHAR_PTR) "Vendor NSS Module Interface", &sftk_module_funcList, NSS_INTERFACE_FLAGS0x00000001UL }, |
187 | { (CK_UTF8CHAR_PTR) "Vendor NSS FIPS Interface", &sftk_fips_funcList, NSS_INTERFACE_FLAGS0x00000001UL }, |
188 | { (CK_UTF8CHAR_PTR) "Vendor NSS KEM Interface", &sftk_kem_funcList, NSS_INTERFACE_FLAGS0x00000001UL } |
189 | }; |
190 | /* must match the count of interfaces in nss_interfaces above */ |
191 | #define NSS_INTERFACE_COUNT5 5 |
192 | |
193 | /* List of DES Weak Keys */ |
194 | typedef unsigned char desKey[8]; |
195 | static const desKey sftk_desWeakTable[] = { |
196 | #ifdef noParity |
197 | /* weak */ |
198 | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, |
199 | { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, |
200 | { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, |
201 | { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }, |
202 | /* semi-weak */ |
203 | { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, |
204 | { 0xfe, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0xfe }, |
205 | |
206 | { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, |
207 | { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, |
208 | |
209 | { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0x0f, 0x00, 0x0f }, |
210 | { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, |
211 | |
212 | { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, |
213 | { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, |
214 | |
215 | { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, |
216 | { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, |
217 | |
218 | { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, |
219 | { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, |
220 | #else |
221 | /* weak */ |
222 | { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, |
223 | { 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e }, |
224 | { 0xe0, 0xe0, 0xe0, 0xe0, 0xf1, 0xf1, 0xf1, 0xf1 }, |
225 | { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }, |
226 | |
227 | /* semi-weak */ |
228 | { 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe }, |
229 | { 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01 }, |
230 | |
231 | { 0x1f, 0xe0, 0x1f, 0xe0, 0x0e, 0xf1, 0x0e, 0xf1 }, |
232 | { 0xe0, 0x1f, 0xe0, 0x1f, 0xf1, 0x0e, 0xf1, 0x0e }, |
233 | |
234 | { 0x01, 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1 }, |
235 | { 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1, 0x01 }, |
236 | |
237 | { 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, |
238 | { 0xfe, 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e }, |
239 | |
240 | { 0x01, 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e }, |
241 | { 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e, 0x01 }, |
242 | |
243 | { 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1, 0xfe }, |
244 | { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1 } |
245 | #endif |
246 | }; |
247 | |
248 | static const int sftk_desWeakTableSize = sizeof(sftk_desWeakTable) / |
249 | sizeof(sftk_desWeakTable[0]); |
250 | |
251 | /* DES KEY Parity conversion table. Takes each byte/2 as an index, returns |
252 | * that byte with the proper parity bit set */ |
253 | static const unsigned char parityTable[256] = { |
254 | /* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */ |
255 | /* E */ 0x01, 0x02, 0x04, 0x07, 0x08, 0x0b, 0x0d, 0x0e, |
256 | /* Odd....0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */ |
257 | /* O */ 0x10, 0x13, 0x15, 0x16, 0x19, 0x1a, 0x1c, 0x1f, |
258 | /* Odd....0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */ |
259 | /* O */ 0x20, 0x23, 0x25, 0x26, 0x29, 0x2a, 0x2c, 0x2f, |
260 | /* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */ |
261 | /* E */ 0x31, 0x32, 0x34, 0x37, 0x38, 0x3b, 0x3d, 0x3e, |
262 | /* Odd....0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */ |
263 | /* O */ 0x40, 0x43, 0x45, 0x46, 0x49, 0x4a, 0x4c, 0x4f, |
264 | /* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */ |
265 | /* E */ 0x51, 0x52, 0x54, 0x57, 0x58, 0x5b, 0x5d, 0x5e, |
266 | /* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */ |
267 | /* E */ 0x61, 0x62, 0x64, 0x67, 0x68, 0x6b, 0x6d, 0x6e, |
268 | /* Odd....0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */ |
269 | /* O */ 0x70, 0x73, 0x75, 0x76, 0x79, 0x7a, 0x7c, 0x7f, |
270 | /* Odd....0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */ |
271 | /* O */ 0x80, 0x83, 0x85, 0x86, 0x89, 0x8a, 0x8c, 0x8f, |
272 | /* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */ |
273 | /* E */ 0x91, 0x92, 0x94, 0x97, 0x98, 0x9b, 0x9d, 0x9e, |
274 | /* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */ |
275 | /* E */ 0xa1, 0xa2, 0xa4, 0xa7, 0xa8, 0xab, 0xad, 0xae, |
276 | /* Odd....0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */ |
277 | /* O */ 0xb0, 0xb3, 0xb5, 0xb6, 0xb9, 0xba, 0xbc, 0xbf, |
278 | /* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */ |
279 | /* E */ 0xc1, 0xc2, 0xc4, 0xc7, 0xc8, 0xcb, 0xcd, 0xce, |
280 | /* Odd....0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */ |
281 | /* O */ 0xd0, 0xd3, 0xd5, 0xd6, 0xd9, 0xda, 0xdc, 0xdf, |
282 | /* Odd....0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */ |
283 | /* O */ 0xe0, 0xe3, 0xe5, 0xe6, 0xe9, 0xea, 0xec, 0xef, |
284 | /* Even...0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe */ |
285 | /* E */ 0xf1, 0xf2, 0xf4, 0xf7, 0xf8, 0xfb, 0xfd, 0xfe |
286 | }; |
287 | |
288 | /* Mechanisms */ |
289 | struct mechanismList { |
290 | CK_MECHANISM_TYPE type; |
291 | CK_MECHANISM_INFO info; |
292 | PRBool privkey; |
293 | }; |
294 | |
295 | /* |
296 | * the following table includes a complete list of mechanism defined by |
297 | * PKCS #11 version 2.01. Those Mechanisms not supported by this PKCS #11 |
298 | * module are ifdef'ed out. |
299 | */ |
300 | #define CKF_EN_DE0x00000100UL | 0x00000200UL CKF_ENCRYPT0x00000100UL | CKF_DECRYPT0x00000200UL |
301 | #define CKF_WR_UN0x00020000UL | 0x00040000UL CKF_WRAP0x00020000UL | CKF_UNWRAP0x00040000UL |
302 | #define CKF_SN_VR0x00000800UL | 0x00002000 CKF_SIGN0x00000800UL | CKF_VERIFY0x00002000 |
303 | #define CKF_SN_RE0x00001000UL | 0x00004000UL CKF_SIGN_RECOVER0x00001000UL | CKF_VERIFY_RECOVER0x00004000UL |
304 | #define CKF_EN_DE_MSG0x00000100UL | 0x00000200UL | 0x00000002UL | 0x00000004UL CKF_ENCRYPT0x00000100UL | CKF_DECRYPT0x00000200UL | CKF_MESSAGE_ENCRYPT0x00000002UL | CKF_MESSAGE_DECRYPT0x00000004UL |
305 | |
306 | #define CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL CKF_EN_DE0x00000100UL | 0x00000200UL | CKF_WR_UN0x00020000UL | 0x00040000UL |
307 | #define CKF_SN_VR_RE0x00000800UL | 0x00002000 | 0x00001000UL | 0x00004000UL CKF_SN_VR0x00000800UL | 0x00002000 | CKF_SN_RE0x00001000UL | 0x00004000UL |
308 | #define CKF_DUZ_IT_ALL0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL | 0x00000800UL | 0x00002000 | 0x00001000UL | 0x00004000UL CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL | CKF_SN_VR_RE0x00000800UL | 0x00002000 | 0x00001000UL | 0x00004000UL |
309 | |
310 | #define CKF_EC_PNU0x00100000UL | 0x00800000UL | 0x01000000UL CKF_EC_F_P0x00100000UL | CKF_EC_NAMEDCURVE0x00800000UL | CKF_EC_UNCOMPRESS0x01000000UL |
311 | |
312 | #define CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL CKF_EC_F_2M0x00200000UL | CKF_EC_PNU0x00100000UL | 0x00800000UL | 0x01000000UL |
313 | #define CKF_EC_POC0x00100000UL | 0x00800000UL | 0x02000000UL CKF_EC_F_P0x00100000UL | CKF_EC_OID0x00800000UL | CKF_EC_COMPRESS0x02000000UL |
314 | |
315 | #define CK_MAX0xffffffff 0xffffffff |
316 | |
317 | static const struct mechanismList mechanisms[] = { |
318 | |
319 | /* |
320 | * PKCS #11 Mechanism List. |
321 | * |
322 | * The first argument is the PKCS #11 Mechanism we support. |
323 | * The second argument is Mechanism info structure. It includes: |
324 | * The minimum key size, |
325 | * in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs. |
326 | * in bytes for RC5, AES, Camellia, and CAST* |
327 | * ignored for DES*, IDEA and FORTEZZA based |
328 | * The maximum key size, |
329 | * in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs. |
330 | * in bytes for RC5, AES, Camellia, and CAST* |
331 | * ignored for DES*, IDEA and FORTEZZA based |
332 | * Flags |
333 | * What operations are supported by this mechanism. |
334 | * The third argument is a bool which tells if this mechanism is |
335 | * supported in the database token. |
336 | * |
337 | */ |
338 | |
339 | /* ------------------------- RSA Operations ---------------------------*/ |
340 | { CKM_RSA_PKCS_KEY_PAIR_GEN0x00000000UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_GENERATE_KEY_PAIR0x00010000UL }, PR_TRUE1 }, |
341 | { CKM_RSA_PKCS0x00000001UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_DUZ_IT_ALL0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL | 0x00000800UL | 0x00002000 | 0x00001000UL | 0x00004000UL }, PR_TRUE1 }, |
342 | { CKM_RSA_PKCS_PSS0x0000000DUL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
343 | { CKM_RSA_PKCS_OAEP0x00000009UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
344 | #ifdef SFTK_RSA9796_SUPPORTED |
345 | { CKM_RSA_97960x00000002UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_DUZ_IT_ALL0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL | 0x00000800UL | 0x00002000 | 0x00001000UL | 0x00004000UL }, PR_TRUE1 }, |
346 | #endif |
347 | { CKM_RSA_X_5090x00000003UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_DUZ_IT_ALL0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL | 0x00000800UL | 0x00002000 | 0x00001000UL | 0x00004000UL }, PR_TRUE1 }, |
348 | /* -------------- RSA Multipart Signing Operations -------------------- */ |
349 | { CKM_MD2_RSA_PKCS0x00000004UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
350 | { CKM_MD5_RSA_PKCS0x00000005UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
351 | { CKM_SHA1_RSA_PKCS0x00000006UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
352 | { CKM_SHA224_RSA_PKCS0x00000046UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
353 | { CKM_SHA256_RSA_PKCS0x00000040UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
354 | { CKM_SHA384_RSA_PKCS0x00000041UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
355 | { CKM_SHA512_RSA_PKCS0x00000042UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
356 | { CKM_SHA1_RSA_PKCS_PSS0x0000000EUL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
357 | { CKM_SHA224_RSA_PKCS_PSS0x00000047UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
358 | { CKM_SHA256_RSA_PKCS_PSS0x00000043UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
359 | { CKM_SHA384_RSA_PKCS_PSS0x00000044UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
360 | { CKM_SHA512_RSA_PKCS_PSS0x00000045UL, { RSA_MIN_MODULUS_BITS128, CK_MAX0xffffffff, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
361 | /* ------------------------- DSA Operations --------------------------- */ |
362 | { CKM_DSA_KEY_PAIR_GEN0x00000010UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_GENERATE_KEY_PAIR0x00010000UL }, PR_TRUE1 }, |
363 | { CKM_DSA0x00000011UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
364 | { CKM_DSA_PARAMETER_GEN0x00002000UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
365 | { CKM_DSA_SHA10x00000012UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
366 | { CKM_DSA_SHA2240x00000013UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
367 | { CKM_DSA_SHA2560x00000014UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
368 | { CKM_DSA_SHA3840x00000015UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
369 | { CKM_DSA_SHA5120x00000016UL, { DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
370 | /* -------------------- Diffie Hellman Operations --------------------- */ |
371 | /* no diffie hellman yet */ |
372 | { CKM_DH_PKCS_KEY_PAIR_GEN0x00000020UL, { DH_MIN_P_BITS128, DH_MAX_P_BITS16384, CKF_GENERATE_KEY_PAIR0x00010000UL }, PR_TRUE1 }, |
373 | { CKM_DH_PKCS_DERIVE0x00000021UL, { DH_MIN_P_BITS128, DH_MAX_P_BITS16384, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
374 | /* -------------------- Elliptic Curve Operations --------------------- */ |
375 | { CKM_EC_KEY_PAIR_GEN0x00001040UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_GENERATE_KEY_PAIR0x00010000UL | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
376 | { CKM_ECDH1_DERIVE0x00001050UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_DERIVE0x00080000UL | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
377 | { CKM_ECDSA0x00001041UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_SN_VR0x00000800UL | 0x00002000 | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
378 | { CKM_ECDSA_SHA10x00001042UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_SN_VR0x00000800UL | 0x00002000 | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
379 | { CKM_ECDSA_SHA2240x00001043UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_SN_VR0x00000800UL | 0x00002000 | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
380 | { CKM_ECDSA_SHA2560x00001044UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_SN_VR0x00000800UL | 0x00002000 | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
381 | { CKM_ECDSA_SHA3840x00001045UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_SN_VR0x00000800UL | 0x00002000 | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
382 | { CKM_ECDSA_SHA5120x00001046UL, { EC_MIN_KEY_BITS256, EC_MAX_KEY_BITS521, CKF_SN_VR0x00000800UL | 0x00002000 | CKF_EC_BPNU0x00200000UL | 0x00100000UL | 0x00800000UL | 0x01000000UL }, PR_TRUE1 }, |
383 | { CKM_EC_EDWARDS_KEY_PAIR_GEN0x00001055UL, { ECD_MIN_KEY_BITS255, ECD_MAX_KEY_BITS255, CKF_GENERATE_KEY_PAIR0x00010000UL }, PR_TRUE1 }, |
384 | { CKM_EDDSA0x00001057UL, { ECD_MIN_KEY_BITS255, ECD_MAX_KEY_BITS255, CKF_SN_VR0x00000800UL | 0x00002000 | CKF_EC_POC0x00100000UL | 0x00800000UL | 0x02000000UL }, PR_TRUE1 }, |
385 | /* ------------------------- RC2 Operations --------------------------- */ |
386 | { CKM_RC2_KEY_GEN0x00000100UL, { 1, 128, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
387 | { CKM_RC2_ECB0x00000101UL, { 1, 128, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
388 | { CKM_RC2_CBC0x00000102UL, { 1, 128, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
389 | { CKM_RC2_MAC0x00000103UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
390 | { CKM_RC2_MAC_GENERAL0x00000104UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
391 | { CKM_RC2_CBC_PAD0x00000105UL, { 1, 128, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
392 | /* ------------------------- RC4 Operations --------------------------- */ |
393 | { CKM_RC4_KEY_GEN0x00000110UL, { 1, 256, CKF_GENERATE0x00008000UL }, PR_FALSE0 }, |
394 | { CKM_RC40x00000111UL, { 1, 256, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_FALSE0 }, |
395 | /* ------------------------- DES Operations --------------------------- */ |
396 | { CKM_DES_KEY_GEN0x00000120UL, { 8, 8, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
397 | { CKM_DES_ECB0x00000121UL, { 8, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
398 | { CKM_DES_CBC0x00000122UL, { 8, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
399 | { CKM_DES_MAC0x00000123UL, { 8, 8, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
400 | { CKM_DES_MAC_GENERAL0x00000124UL, { 8, 8, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
401 | { CKM_DES_CBC_PAD0x00000125UL, { 8, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
402 | { CKM_DES2_KEY_GEN0x00000130UL, { 24, 24, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
403 | { CKM_DES3_KEY_GEN0x00000131UL, { 24, 24, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
404 | { CKM_DES3_ECB0x00000132UL, { 24, 24, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
405 | { CKM_DES3_CBC0x00000133UL, { 24, 24, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
406 | { CKM_DES3_MAC0x00000134UL, { 24, 24, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
407 | { CKM_DES3_MAC_GENERAL0x00000135UL, { 24, 24, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
408 | { CKM_DES3_CBC_PAD0x00000136UL, { 24, 24, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
409 | /* ------------------------- CDMF Operations --------------------------- */ |
410 | { CKM_CDMF_KEY_GEN0x00000140UL, { 8, 8, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
411 | { CKM_CDMF_ECB0x00000141UL, { 8, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
412 | { CKM_CDMF_CBC0x00000142UL, { 8, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
413 | { CKM_CDMF_MAC0x00000143UL, { 8, 8, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
414 | { CKM_CDMF_MAC_GENERAL0x00000144UL, { 8, 8, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
415 | { CKM_CDMF_CBC_PAD0x00000145UL, { 8, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
416 | /* ------------------------- AES Operations --------------------------- */ |
417 | { CKM_AES_KEY_GEN0x00001080UL, { 16, 32, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
418 | { CKM_AES_ECB0x00001081UL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
419 | { CKM_AES_CBC0x00001082UL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
420 | { CKM_AES_MAC0x00001083UL, { 16, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
421 | { CKM_AES_MAC_GENERAL0x00001084UL, { 16, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
422 | { CKM_AES_CMAC0x0000108AUL, { 16, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
423 | { CKM_AES_CMAC_GENERAL0x0000108BUL, { 16, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
424 | { CKM_AES_CBC_PAD0x00001085UL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
425 | { CKM_AES_CTS0x00001089UL, { 16, 32, CKF_EN_DE0x00000100UL | 0x00000200UL }, PR_TRUE1 }, |
426 | { CKM_AES_CTR0x00001086UL, { 16, 32, CKF_EN_DE0x00000100UL | 0x00000200UL }, PR_TRUE1 }, |
427 | { CKM_AES_GCM0x00001087UL, { 16, 32, CKF_EN_DE_MSG0x00000100UL | 0x00000200UL | 0x00000002UL | 0x00000004UL }, PR_TRUE1 }, |
428 | { CKM_AES_XCBC_MAC_960x0000108DUL, { 12, 12, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
429 | { CKM_AES_XCBC_MAC0x0000108CUL, { 16, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
430 | /* ------------------------- Camellia Operations --------------------- */ |
431 | { CKM_CAMELLIA_KEY_GEN0x00000550UL, { 16, 32, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
432 | { CKM_CAMELLIA_ECB0x00000551UL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
433 | { CKM_CAMELLIA_CBC0x00000552UL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
434 | { CKM_CAMELLIA_MAC0x00000553UL, { 16, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
435 | { CKM_CAMELLIA_MAC_GENERAL0x00000554UL, { 16, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
436 | { CKM_CAMELLIA_CBC_PAD0x00000555UL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
437 | /* ------------------------- SEED Operations --------------------------- */ |
438 | #ifndef NSS_DISABLE_DEPRECATED_SEED |
439 | { CKM_SEED_KEY_GEN0x00000650UL, { 16, 16, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
440 | { CKM_SEED_ECB0x00000651UL, { 16, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
441 | { CKM_SEED_CBC0x00000652UL, { 16, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
442 | { CKM_SEED_MAC0x00000653UL, { 16, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
443 | { CKM_SEED_MAC_GENERAL0x00000654UL, { 16, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
444 | { CKM_SEED_CBC_PAD0x00000655UL, { 16, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
445 | #endif |
446 | /* ------------------------- ChaCha20 Operations ---------------------- */ |
447 | #ifndef NSS_DISABLE_CHACHAPOLY |
448 | { CKM_NSS_CHACHA20_KEY_GEN((0x80000000UL | 0x4E534350) + 27), { 32, 32, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
449 | { CKM_NSS_CHACHA20_POLY1305((0x80000000UL | 0x4E534350) + 28), { 32, 32, CKF_EN_DE0x00000100UL | 0x00000200UL }, PR_TRUE1 }, |
450 | { CKM_NSS_CHACHA20_CTR((0x80000000UL | 0x4E534350) + 33), { 32, 32, CKF_EN_DE0x00000100UL | 0x00000200UL }, PR_TRUE1 }, |
451 | { CKM_CHACHA20_KEY_GEN0x00001225UL, { 32, 32, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
452 | { CKM_CHACHA200x00001226UL, { 32, 32, CKF_EN_DE0x00000100UL | 0x00000200UL }, PR_TRUE1 }, |
453 | { CKM_CHACHA20_POLY13050x00004021UL, { 32, 32, CKF_EN_DE_MSG0x00000100UL | 0x00000200UL | 0x00000002UL | 0x00000004UL }, PR_TRUE1 }, |
454 | #endif /* NSS_DISABLE_CHACHAPOLY */ |
455 | /* ------------------------- Hashing Operations ----------------------- */ |
456 | { CKM_MD20x00000200UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
457 | { CKM_MD2_HMAC0x00000201UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
458 | { CKM_MD2_HMAC_GENERAL0x00000202UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
459 | { CKM_MD50x00000210UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
460 | { CKM_MD5_HMAC0x00000211UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
461 | { CKM_MD5_HMAC_GENERAL0x00000212UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
462 | { CKM_SHA_10x00000220UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
463 | { CKM_SHA_1_HMAC0x00000221UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
464 | { CKM_SHA_1_HMAC_GENERAL0x00000222UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
465 | { CKM_SHA2240x00000255UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
466 | { CKM_SHA224_HMAC0x00000256UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
467 | { CKM_SHA224_HMAC_GENERAL0x00000257UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
468 | { CKM_SHA2560x00000250UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
469 | { CKM_SHA256_HMAC0x00000251UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
470 | { CKM_SHA256_HMAC_GENERAL0x00000252UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
471 | { CKM_SHA3840x00000260UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
472 | { CKM_SHA384_HMAC0x00000261UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
473 | { CKM_SHA384_HMAC_GENERAL0x00000262UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
474 | { CKM_SHA5120x00000270UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
475 | { CKM_SHA512_HMAC0x00000271UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
476 | { CKM_SHA512_HMAC_GENERAL0x00000272UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
477 | { CKM_SHA3_2240x000002B5UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
478 | { CKM_SHA3_224_HMAC0x000002B6UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
479 | { CKM_SHA3_224_HMAC_GENERAL0x000002B7UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
480 | { CKM_SHA3_2560x000002B0UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
481 | { CKM_SHA3_256_HMAC0x000002B1UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
482 | { CKM_SHA3_256_HMAC_GENERAL0x000002B2UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
483 | { CKM_SHA3_3840x000002C0UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
484 | { CKM_SHA3_384_HMAC0x000002C1UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
485 | { CKM_SHA3_384_HMAC_GENERAL0x000002C2UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
486 | { CKM_SHA3_5120x000002D0UL, { 0, 0, CKF_DIGEST0x00000400UL }, PR_FALSE0 }, |
487 | { CKM_SHA3_512_HMAC0x000002D1UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
488 | { CKM_SHA3_512_HMAC_GENERAL0x000002D2UL, { 1, 128, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
489 | { CKM_TLS_PRF_GENERAL0x80000373UL, { 0, 512, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_FALSE0 }, |
490 | { CKM_TLS_MAC0x000003E4UL, { 0, 512, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_FALSE0 }, |
491 | { CKM_NSS_TLS_PRF_GENERAL_SHA256((0x80000000UL | 0x4E534350) + 21), |
492 | { 0, 512, CKF_SN_VR0x00000800UL | 0x00002000 }, |
493 | PR_FALSE0 }, |
494 | /* ------------------------- HKDF Operations -------------------------- */ |
495 | { CKM_HKDF_DERIVE0x0000402aUL, { 1, 255 * 64, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
496 | { CKM_HKDF_DATA0x0000402bUL, { 1, 255 * 64, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
497 | { CKM_HKDF_KEY_GEN0x0000402cUL, { 20, 64, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
498 | { CKM_NSS_HKDF_SHA1((0x80000000UL | 0x4E534350) + 3), { 1, 128, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
499 | { CKM_NSS_HKDF_SHA256((0x80000000UL | 0x4E534350) + 4), { 1, 128, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
500 | { CKM_NSS_HKDF_SHA384((0x80000000UL | 0x4E534350) + 5), { 1, 128, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
501 | { CKM_NSS_HKDF_SHA512((0x80000000UL | 0x4E534350) + 6), { 1, 128, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
502 | /* ------------------------- CAST Operations --------------------------- */ |
503 | #ifdef NSS_SOFTOKEN_DOES_CAST |
504 | /* Cast operations are not supported ( yet? ) */ |
505 | { CKM_CAST_KEY_GEN0x00000300UL, { 1, 8, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
506 | { CKM_CAST_ECB0x00000301UL, { 1, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
507 | { CKM_CAST_CBC0x00000302UL, { 1, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
508 | { CKM_CAST_MAC0x00000303UL, { 1, 8, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
509 | { CKM_CAST_MAC_GENERAL0x00000304UL, { 1, 8, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
510 | { CKM_CAST_CBC_PAD0x00000305UL, { 1, 8, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
511 | { CKM_CAST3_KEY_GEN0x00000310UL, { 1, 16, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
512 | { CKM_CAST3_ECB0x00000311UL, { 1, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
513 | { CKM_CAST3_CBC0x00000312UL, { 1, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
514 | { CKM_CAST3_MAC0x00000313UL, { 1, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
515 | { CKM_CAST3_MAC_GENERAL0x00000314UL, { 1, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
516 | { CKM_CAST3_CBC_PAD0x00000315UL, { 1, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
517 | { CKM_CAST5_KEY_GEN0x00000320UL, { 1, 16, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
518 | { CKM_CAST5_ECB0x00000321UL, { 1, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
519 | { CKM_CAST5_CBC0x00000322UL, { 1, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
520 | { CKM_CAST5_MAC0x00000323UL, { 1, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
521 | { CKM_CAST5_MAC_GENERAL0x00000324UL, { 1, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
522 | { CKM_CAST5_CBC_PAD0x00000325UL, { 1, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
523 | #endif |
524 | #if NSS_SOFTOKEN_DOES_RC5 |
525 | /* ------------------------- RC5 Operations --------------------------- */ |
526 | { CKM_RC5_KEY_GEN0x00000330UL, { 1, 32, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
527 | { CKM_RC5_ECB0x00000331UL, { 1, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
528 | { CKM_RC5_CBC0x00000332UL, { 1, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
529 | { CKM_RC5_MAC0x00000333UL, { 1, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
530 | { CKM_RC5_MAC_GENERAL0x00000334UL, { 1, 32, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
531 | { CKM_RC5_CBC_PAD0x00000335UL, { 1, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
532 | #endif |
533 | #ifdef NSS_SOFTOKEN_DOES_IDEA |
534 | /* ------------------------- IDEA Operations -------------------------- */ |
535 | { CKM_IDEA_KEY_GEN0x00000340UL, { 16, 16, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
536 | { CKM_IDEA_ECB0x00000341UL, { 16, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
537 | { CKM_IDEA_CBC0x00000342UL, { 16, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
538 | { CKM_IDEA_MAC0x00000343UL, { 16, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
539 | { CKM_IDEA_MAC_GENERAL0x00000344UL, { 16, 16, CKF_SN_VR0x00000800UL | 0x00002000 }, PR_TRUE1 }, |
540 | { CKM_IDEA_CBC_PAD0x00000345UL, { 16, 16, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
541 | #endif |
542 | /* --------------------- Secret Key Operations ------------------------ */ |
543 | { CKM_GENERIC_SECRET_KEY_GEN0x00000350UL, { 1, 32, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
544 | { CKM_CONCATENATE_BASE_AND_KEY0x00000360UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
545 | { CKM_CONCATENATE_BASE_AND_DATA0x00000362UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
546 | { CKM_CONCATENATE_DATA_AND_BASE0x00000363UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
547 | { CKM_XOR_BASE_AND_DATA0x00000364UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
548 | { CKM_EXTRACT_KEY_FROM_KEY0x00000365UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
549 | { CKM_DES3_ECB_ENCRYPT_DATA0x00001102UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
550 | { CKM_DES3_CBC_ENCRYPT_DATA0x00001103UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
551 | { CKM_AES_ECB_ENCRYPT_DATA0x00001104UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
552 | { CKM_AES_CBC_ENCRYPT_DATA0x00001105UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
553 | { CKM_CAMELLIA_ECB_ENCRYPT_DATA0x00000556UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
554 | { CKM_CAMELLIA_CBC_ENCRYPT_DATA0x00000557UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
555 | #ifndef NSS_DISABLE_DEPRECATED_SEED |
556 | { CKM_SEED_ECB_ENCRYPT_DATA0x00000656UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
557 | { CKM_SEED_CBC_ENCRYPT_DATA0x00000657UL, { 1, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
558 | #endif |
559 | /* ---------------------- SSL Key Derivations ------------------------- */ |
560 | { CKM_SSL3_PRE_MASTER_KEY_GEN0x00000370UL, { 48, 48, CKF_GENERATE0x00008000UL }, PR_FALSE0 }, |
561 | { CKM_SSL3_MASTER_KEY_DERIVE0x00000371UL, { 48, 48, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
562 | { CKM_SSL3_MASTER_KEY_DERIVE_DH0x00000373UL, { 8, 128, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
563 | { CKM_SSL3_KEY_AND_MAC_DERIVE0x00000372UL, { 48, 48, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
564 | { CKM_SSL3_MD5_MAC0x00000380UL, { 0, 16, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
565 | { CKM_SSL3_SHA1_MAC0x00000381UL, { 0, 20, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
566 | { CKM_MD5_KEY_DERIVATION0x00000390UL, { 0, 16, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
567 | { CKM_MD2_KEY_DERIVATION0x00000391UL, { 0, 16, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
568 | { CKM_SHA1_KEY_DERIVATION0x00000392UL, { 0, 20, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
569 | { CKM_SHA224_KEY_DERIVATION0x00000396UL, { 0, 28, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
570 | { CKM_SHA256_KEY_DERIVATION0x00000393UL, { 0, 32, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
571 | { CKM_SHA384_KEY_DERIVATION0x00000394UL, { 0, 48, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
572 | { CKM_SHA512_KEY_DERIVATION0x00000395UL, { 0, 64, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
573 | { CKM_TLS_MASTER_KEY_DERIVE0x00000375UL, { 48, 48, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
574 | { CKM_TLS12_MASTER_KEY_DERIVE0x000003E0UL, { 48, 48, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
575 | { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256((0x80000000UL | 0x4E534350) + 22), |
576 | { 48, 48, CKF_DERIVE0x00080000UL }, |
577 | PR_FALSE0 }, |
578 | { CKM_TLS_MASTER_KEY_DERIVE_DH0x00000377UL, { 8, 128, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
579 | { CKM_TLS12_MASTER_KEY_DERIVE_DH0x000003E2UL, { 8, 128, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
580 | { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256((0x80000000UL | 0x4E534350) + 24), |
581 | { 8, 128, CKF_DERIVE0x00080000UL }, |
582 | PR_FALSE0 }, |
583 | { CKM_TLS_KEY_AND_MAC_DERIVE0x00000376UL, { 48, 48, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
584 | { CKM_TLS12_KEY_AND_MAC_DERIVE0x000003E1UL, { 48, 48, CKF_DERIVE0x00080000UL }, PR_FALSE0 }, |
585 | { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256((0x80000000UL | 0x4E534350) + 23), |
586 | { 48, 48, CKF_DERIVE0x00080000UL }, |
587 | PR_FALSE0 }, |
588 | { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE((0x80000000UL | 0x4E534350) + 25), |
589 | { 48, 128, CKF_DERIVE0x00080000UL }, |
590 | PR_FALSE0 }, |
591 | { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH((0x80000000UL | 0x4E534350) + 26), |
592 | { 48, 128, CKF_DERIVE0x00080000UL }, |
593 | PR_FALSE0 }, |
594 | /* ---------------------- PBE Key Derivations ------------------------ */ |
595 | { CKM_PBE_MD2_DES_CBC0x000003A0UL, { 8, 8, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
596 | { CKM_PBE_MD5_DES_CBC0x000003A1UL, { 8, 8, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
597 | /* ------------------ NSS PBE Key Derivations ------------------- */ |
598 | { CKM_NSS_PBE_SHA1_DES_CBC0x80000002UL, { 8, 8, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
599 | { CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC0x80000008UL, { 24, 24, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
600 | { CKM_PBE_SHA1_DES3_EDE_CBC0x000003A8UL, { 24, 24, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
601 | { CKM_PBE_SHA1_DES2_EDE_CBC0x000003A9UL, { 24, 24, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
602 | { CKM_PBE_SHA1_RC2_40_CBC0x000003ABUL, { 40, 40, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
603 | { CKM_PBE_SHA1_RC2_128_CBC0x000003AAUL, { 128, 128, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
604 | { CKM_PBE_SHA1_RC4_400x000003A7UL, { 40, 40, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
605 | { CKM_PBE_SHA1_RC4_1280x000003A6UL, { 128, 128, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
606 | { CKM_PBA_SHA1_WITH_SHA1_HMAC0x000003C0UL, { 20, 20, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
607 | { CKM_PKCS5_PBKD20x000003B0UL, { 1, 256, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
608 | { CKM_NSS_PBE_SHA1_HMAC_KEY_GEN0x80000009UL, { 20, 20, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
609 | { CKM_NSS_PBE_MD5_HMAC_KEY_GEN0x8000000aUL, { 16, 16, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
610 | { CKM_NSS_PBE_MD2_HMAC_KEY_GEN0x8000000bUL, { 16, 16, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
611 | { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN((0x80000000UL | 0x4E534350) + 29), { 28, 28, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
612 | { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN((0x80000000UL | 0x4E534350) + 30), { 32, 32, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
613 | { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN((0x80000000UL | 0x4E534350) + 31), { 48, 48, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
614 | { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN((0x80000000UL | 0x4E534350) + 32), { 64, 64, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
615 | /* ------------------ NIST 800-108 Key Derivations ------------------- */ |
616 | { CKM_SP800_108_COUNTER_KDF0x000003acUL, { 0, CK_MAX0xffffffff, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
617 | { CKM_SP800_108_FEEDBACK_KDF0x000003adUL, { 0, CK_MAX0xffffffff, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
618 | { CKM_SP800_108_DOUBLE_PIPELINE_KDF0x000003aeUL, { 0, CK_MAX0xffffffff, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
619 | { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA((0x80000000UL | 0x4E534350) + 42), { 0, CK_MAX0xffffffff, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
620 | { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA((0x80000000UL | 0x4E534350) + 43), { 0, CK_MAX0xffffffff, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
621 | { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA((0x80000000UL | 0x4E534350) + 44), { 0, CK_MAX0xffffffff, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
622 | /* ------------------ AES Key Wrap (also encrypt) ------------------- */ |
623 | { CKM_NSS_AES_KEY_WRAP((0x80000000UL | 0x4E534350) + 1), { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
624 | { CKM_NSS_AES_KEY_WRAP_PAD((0x80000000UL | 0x4E534350) + 2), { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
625 | { CKM_AES_KEY_WRAP0x00002109UL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
626 | { CKM_AES_KEY_WRAP_PAD0x0000210AUL, { 16, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
627 | { CKM_AES_KEY_WRAP_KWP0x0000210BUL, { 1, 32, CKF_EN_DE_WR_UN0x00000100UL | 0x00000200UL | 0x00020000UL | 0x00040000UL }, PR_TRUE1 }, |
628 | /* --------------------------- J-PAKE -------------------------------- */ |
629 | { CKM_NSS_JPAKE_ROUND1_SHA1((0x80000000UL | 0x4E534350) + 7), { 0, 0, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
630 | { CKM_NSS_JPAKE_ROUND1_SHA256((0x80000000UL | 0x4E534350) + 8), { 0, 0, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
631 | { CKM_NSS_JPAKE_ROUND1_SHA384((0x80000000UL | 0x4E534350) + 9), { 0, 0, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
632 | { CKM_NSS_JPAKE_ROUND1_SHA512((0x80000000UL | 0x4E534350) + 10), { 0, 0, CKF_GENERATE0x00008000UL }, PR_TRUE1 }, |
633 | { CKM_NSS_JPAKE_ROUND2_SHA1((0x80000000UL | 0x4E534350) + 11), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
634 | { CKM_NSS_JPAKE_ROUND2_SHA256((0x80000000UL | 0x4E534350) + 12), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
635 | { CKM_NSS_JPAKE_ROUND2_SHA384((0x80000000UL | 0x4E534350) + 13), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
636 | { CKM_NSS_JPAKE_ROUND2_SHA512((0x80000000UL | 0x4E534350) + 14), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
637 | { CKM_NSS_JPAKE_FINAL_SHA1((0x80000000UL | 0x4E534350) + 15), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
638 | { CKM_NSS_JPAKE_FINAL_SHA256((0x80000000UL | 0x4E534350) + 16), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
639 | { CKM_NSS_JPAKE_FINAL_SHA384((0x80000000UL | 0x4E534350) + 17), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
640 | { CKM_NSS_JPAKE_FINAL_SHA512((0x80000000UL | 0x4E534350) + 18), { 0, 0, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
641 | /* -------------------- Constant Time TLS MACs ----------------------- */ |
642 | { CKM_NSS_HMAC_CONSTANT_TIME((0x80000000UL | 0x4E534350) + 19), { 0, 0, CKF_DIGEST0x00000400UL }, PR_TRUE1 }, |
643 | { CKM_NSS_SSL3_MAC_CONSTANT_TIME((0x80000000UL | 0x4E534350) + 20), { 0, 0, CKF_DIGEST0x00000400UL }, PR_TRUE1 }, |
644 | /* -------------------- IPSEC ----------------------- */ |
645 | { CKM_NSS_IKE_PRF_PLUS_DERIVE((0x80000000UL | 0x4E534350) + 34), { 8, 255 * 64, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
646 | { CKM_NSS_IKE_PRF_DERIVE((0x80000000UL | 0x4E534350) + 35), { 8, 64, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
647 | { CKM_NSS_IKE1_PRF_DERIVE((0x80000000UL | 0x4E534350) + 36), { 8, 64, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
648 | { CKM_NSS_IKE1_APP_B_PRF_DERIVE((0x80000000UL | 0x4E534350) + 37), { 8, 255 * 64, CKF_DERIVE0x00080000UL }, PR_TRUE1 }, |
649 | /* -------------------- Kyber Operations ----------------------- */ |
650 | { CKM_NSS_KYBER_KEY_PAIR_GEN((0x80000000UL | 0x4E534350) + 45), { 0, 0, CKF_GENERATE_KEY_PAIR0x00010000UL }, PR_TRUE1 }, |
651 | { CKM_NSS_KYBER((0x80000000UL | 0x4E534350) + 46), { 0, 0, 0 }, PR_TRUE1 }, |
652 | }; |
653 | static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]); |
654 | |
655 | /* sigh global so fipstokn can read it */ |
656 | PRBool nsc_init = PR_FALSE0; |
657 | |
658 | #if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED) |
659 | |
660 | #include <pthread.h> |
661 | |
662 | static void |
663 | ForkedChild(void) |
664 | { |
665 | if (nsc_init || nsf_init) { |
666 | forked = PR_TRUE1; |
667 | } |
668 | } |
669 | |
670 | #endif |
671 | |
672 | static char * |
673 | sftk_setStringName(const char *inString, char *buffer, int buffer_length, PRBool nullTerminate) |
674 | { |
675 | int full_length, string_length; |
676 | |
677 | full_length = nullTerminate ? buffer_length - 1 : buffer_length; |
678 | string_length = PORT_Strlen(inString)strlen(inString); |
679 | /* |
680 | * shorten the string, respecting utf8 encoding |
681 | * to do so, we work backward from the end |
682 | * bytes looking from the end are either: |
683 | * - ascii [0x00,0x7f] |
684 | * - the [2-n]th byte of a multibyte sequence |
685 | * [0x3F,0xBF], i.e, most significant 2 bits are '10' |
686 | * - the first byte of a multibyte sequence [0xC0,0xFD], |
687 | * i.e, most significant 2 bits are '11' |
688 | * |
689 | * When the string is too long, we lop off any trailing '10' bytes, |
690 | * if any. When these are all eliminated we lop off |
691 | * one additional byte. Thus if we lopped any '10' |
692 | * we'll be lopping a '11' byte (the first byte of the multibyte sequence), |
693 | * otherwise we're lopping off an ascii character. |
694 | * |
695 | * To test for '10' bytes, we first AND it with |
696 | * 11000000 (0xc0) so that we get 10000000 (0x80) if and only if |
697 | * the byte starts with 10. We test for equality. |
698 | */ |
699 | while (string_length > full_length) { |
700 | /* need to shorten */ |
701 | while (string_length > 0 && |
702 | ((inString[string_length - 1] & (char)0xc0) == (char)0x80)) { |
703 | /* lop off '10' byte */ |
704 | string_length--; |
705 | } |
706 | /* |
707 | * test string_length in case bad data is received |
708 | * and string consisted of all '10' bytes, |
709 | * avoiding any infinite loop |
710 | */ |
711 | if (string_length) { |
712 | /* remove either '11' byte or an asci byte */ |
713 | string_length--; |
714 | } |
715 | } |
716 | PORT_Memsetmemset(buffer, ' ', full_length); |
717 | if (nullTerminate) { |
718 | buffer[full_length] = 0; |
719 | } |
720 | PORT_Memcpymemcpy(buffer, inString, string_length); |
721 | return buffer; |
722 | } |
723 | /* |
724 | * Configuration utils |
725 | */ |
726 | static CK_RV |
727 | sftk_configure(const char *man, const char *libdes) |
728 | { |
729 | |
730 | /* make sure the internationalization was done correctly... */ |
731 | if (man) { |
732 | manufacturerID = sftk_setStringName(man, manufacturerID_space, |
733 | sizeof(manufacturerID_space), PR_TRUE1); |
734 | } |
735 | if (libdes) { |
736 | libraryDescription = sftk_setStringName(libdes, |
737 | libraryDescription_space, sizeof(libraryDescription_space), |
738 | PR_TRUE1); |
739 | } |
740 | |
741 | return CKR_OK0x00000000UL; |
742 | } |
743 | |
744 | /* |
745 | * ******************** Password Utilities ******************************* |
746 | */ |
747 | |
748 | /* |
749 | * see if the key DB password is enabled |
750 | */ |
751 | static PRBool |
752 | sftk_hasNullPassword(SFTKSlot *slot, SFTKDBHandle *keydb) |
753 | { |
754 | PRBool pwenabled; |
755 | |
756 | pwenabled = PR_FALSE0; |
757 | if (sftkdb_HasPasswordSet(keydb) == SECSuccess) { |
758 | PRBool tokenRemoved = PR_FALSE0; |
759 | SECStatus rv = sftkdb_CheckPasswordNull(keydb, &tokenRemoved); |
760 | if (tokenRemoved) { |
761 | sftk_CloseAllSessions(slot, PR_FALSE0); |
762 | } |
763 | return (rv == SECSuccess); |
764 | } |
765 | |
766 | return pwenabled; |
767 | } |
768 | |
769 | /* |
770 | * ******************** Object Creation Utilities *************************** |
771 | */ |
772 | |
773 | /* Make sure a given attribute exists. If it doesn't, initialize it to |
774 | * value and len |
775 | */ |
776 | CK_RV |
777 | sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, |
778 | const void *value, unsigned int len) |
779 | { |
780 | if (!sftk_hasAttribute(object, type)) { |
781 | return sftk_AddAttributeType(object, type, value, len); |
782 | } |
783 | return CKR_OK0x00000000UL; |
784 | } |
785 | |
786 | /* |
787 | * check the consistancy and initialize a Data Object |
788 | */ |
789 | static CK_RV |
790 | sftk_handleDataObject(SFTKSession *session, SFTKObject *object) |
791 | { |
792 | CK_RV crv; |
793 | |
794 | /* first reject private and token data objects */ |
795 | if (sftk_isTrue(object, CKA_PRIVATE0x00000002UL) || sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
796 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
797 | } |
798 | |
799 | /* now just verify the required date fields */ |
800 | crv = sftk_defaultAttribute(object, CKA_APPLICATION0x00000010UL, NULL((void*)0), 0); |
801 | if (crv != CKR_OK0x00000000UL) |
802 | return crv; |
803 | crv = sftk_defaultAttribute(object, CKA_VALUE0x00000011UL, NULL((void*)0), 0); |
804 | if (crv != CKR_OK0x00000000UL) |
805 | return crv; |
806 | |
807 | return CKR_OK0x00000000UL; |
808 | } |
809 | |
810 | /* |
811 | * check the consistancy and initialize a Certificate Object |
812 | */ |
813 | static CK_RV |
814 | sftk_handleCertObject(SFTKSession *session, SFTKObject *object) |
815 | { |
816 | CK_CERTIFICATE_TYPE type; |
817 | SFTKAttribute *attribute; |
818 | CK_RV crv; |
819 | |
820 | /* certificates must have a type */ |
821 | if (!sftk_hasAttribute(object, CKA_CERTIFICATE_TYPE0x00000080UL)) { |
822 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
823 | } |
824 | |
825 | /* we can't store any certs private */ |
826 | if (sftk_isTrue(object, CKA_PRIVATE0x00000002UL)) { |
827 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
828 | } |
829 | |
830 | /* We only support X.509 Certs for now */ |
831 | attribute = sftk_FindAttribute(object, CKA_CERTIFICATE_TYPE0x00000080UL); |
832 | if (attribute == NULL((void*)0)) |
833 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
834 | type = *(CK_CERTIFICATE_TYPE *)attribute->attrib.pValue; |
835 | sftk_FreeAttribute(attribute); |
836 | |
837 | if (type != CKC_X_5090x00000000UL) { |
838 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
839 | } |
840 | |
841 | /* X.509 Certificate */ |
842 | |
843 | /* make sure we have a cert */ |
844 | if (!sftk_hasAttribute(object, CKA_VALUE0x00000011UL)) { |
845 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
846 | } |
847 | |
848 | /* in PKCS #11, Subject is a required field */ |
849 | if (!sftk_hasAttribute(object, CKA_SUBJECT0x00000101UL)) { |
850 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
851 | } |
852 | |
853 | /* in PKCS #11, Issuer is a required field */ |
854 | if (!sftk_hasAttribute(object, CKA_ISSUER0x00000081UL)) { |
855 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
856 | } |
857 | |
858 | /* in PKCS #11, Serial is a required field */ |
859 | if (!sftk_hasAttribute(object, CKA_SERIAL_NUMBER0x00000082UL)) { |
860 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
861 | } |
862 | |
863 | /* add it to the object */ |
864 | object->objectInfo = NULL((void*)0); |
865 | object->infoFree = (SFTKFree)NULL((void*)0); |
866 | |
867 | /* now just verify the required date fields */ |
868 | crv = sftk_defaultAttribute(object, CKA_ID0x00000102UL, NULL((void*)0), 0); |
869 | if (crv != CKR_OK0x00000000UL) { |
870 | return crv; |
871 | } |
872 | |
873 | if (sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
874 | SFTKSlot *slot = session->slot; |
875 | SFTKDBHandle *certHandle = sftk_getCertDB(slot); |
876 | |
877 | if (certHandle == NULL((void*)0)) { |
878 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
879 | } |
880 | |
881 | crv = sftkdb_write(certHandle, object, &object->handle); |
882 | sftk_freeDB(certHandle); |
883 | return crv; |
884 | } |
885 | |
886 | return CKR_OK0x00000000UL; |
887 | } |
888 | |
889 | /* |
890 | * check the consistancy and initialize a Trust Object |
891 | */ |
892 | static CK_RV |
893 | sftk_handleTrustObject(SFTKSession *session, SFTKObject *object) |
894 | { |
895 | /* we can't store any certs private */ |
896 | if (sftk_isTrue(object, CKA_PRIVATE0x00000002UL)) { |
897 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
898 | } |
899 | |
900 | /* certificates must have a type */ |
901 | if (!sftk_hasAttribute(object, CKA_ISSUER0x00000081UL)) { |
902 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
903 | } |
904 | if (!sftk_hasAttribute(object, CKA_SERIAL_NUMBER0x00000082UL)) { |
905 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
906 | } |
907 | if (!sftk_hasAttribute(object, CKA_CERT_SHA1_HASH(((0x80000000UL | 0x4E534350) + 0x2000) + 100))) { |
908 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
909 | } |
910 | if (!sftk_hasAttribute(object, CKA_CERT_MD5_HASH(((0x80000000UL | 0x4E534350) + 0x2000) + 101))) { |
911 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
912 | } |
913 | |
914 | if (sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
915 | SFTKSlot *slot = session->slot; |
916 | SFTKDBHandle *certHandle = sftk_getCertDB(slot); |
917 | CK_RV crv; |
918 | |
919 | if (certHandle == NULL((void*)0)) { |
920 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
921 | } |
922 | |
923 | crv = sftkdb_write(certHandle, object, &object->handle); |
924 | sftk_freeDB(certHandle); |
925 | return crv; |
926 | } |
927 | |
928 | return CKR_OK0x00000000UL; |
929 | } |
930 | |
931 | /* |
932 | * check the consistancy and initialize a Trust Object |
933 | */ |
934 | static CK_RV |
935 | sftk_handleSMimeObject(SFTKSession *session, SFTKObject *object) |
936 | { |
937 | |
938 | /* we can't store any certs private */ |
939 | if (sftk_isTrue(object, CKA_PRIVATE0x00000002UL)) { |
940 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
941 | } |
942 | |
943 | /* certificates must have a type */ |
944 | if (!sftk_hasAttribute(object, CKA_SUBJECT0x00000101UL)) { |
945 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
946 | } |
947 | if (!sftk_hasAttribute(object, CKA_NSS_EMAIL((0x80000000UL | 0x4E534350) + 2))) { |
948 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
949 | } |
950 | |
951 | if (sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
952 | SFTKSlot *slot = session->slot; |
953 | SFTKDBHandle *certHandle; |
954 | CK_RV crv; |
955 | |
956 | PORT_Assert(slot)((slot)?((void)0):PR_Assert("slot","pkcs11.c",956)); |
957 | if (slot == NULL((void*)0)) { |
958 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
959 | } |
960 | |
961 | certHandle = sftk_getCertDB(slot); |
962 | if (certHandle == NULL((void*)0)) { |
963 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
964 | } |
965 | |
966 | crv = sftkdb_write(certHandle, object, &object->handle); |
967 | sftk_freeDB(certHandle); |
968 | return crv; |
969 | } |
970 | |
971 | return CKR_OK0x00000000UL; |
972 | } |
973 | |
974 | /* |
975 | * check the consistancy and initialize a Trust Object |
976 | */ |
977 | static CK_RV |
978 | sftk_handleCrlObject(SFTKSession *session, SFTKObject *object) |
979 | { |
980 | |
981 | /* we can't store any certs private */ |
982 | if (sftk_isTrue(object, CKA_PRIVATE0x00000002UL)) { |
983 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
984 | } |
985 | |
986 | /* certificates must have a type */ |
987 | if (!sftk_hasAttribute(object, CKA_SUBJECT0x00000101UL)) { |
988 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
989 | } |
990 | if (!sftk_hasAttribute(object, CKA_VALUE0x00000011UL)) { |
991 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
992 | } |
993 | |
994 | if (sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
995 | SFTKSlot *slot = session->slot; |
996 | SFTKDBHandle *certHandle = sftk_getCertDB(slot); |
997 | CK_RV crv; |
998 | |
999 | if (certHandle == NULL((void*)0)) { |
1000 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
1001 | } |
1002 | |
1003 | crv = sftkdb_write(certHandle, object, &object->handle); |
1004 | sftk_freeDB(certHandle); |
1005 | return crv; |
1006 | } |
1007 | |
1008 | return CKR_OK0x00000000UL; |
1009 | } |
1010 | |
1011 | /* |
1012 | * check the consistancy and initialize a Public Key Object |
1013 | */ |
1014 | static CK_RV |
1015 | sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object, |
1016 | CK_KEY_TYPE key_type) |
1017 | { |
1018 | CK_BBOOL encrypt = CK_TRUE1; |
1019 | CK_BBOOL recover = CK_TRUE1; |
1020 | CK_BBOOL wrap = CK_TRUE1; |
1021 | CK_BBOOL derive = CK_FALSE0; |
1022 | CK_BBOOL verify = CK_TRUE1; |
1023 | CK_RV crv; |
1024 | |
1025 | switch (key_type) { |
1026 | case CKK_RSA0x00000000UL: |
1027 | crv = sftk_ConstrainAttribute(object, CKA_MODULUS0x00000120UL, |
1028 | RSA_MIN_MODULUS_BITS128, 0, 0); |
1029 | if (crv != CKR_OK0x00000000UL) { |
1030 | return crv; |
1031 | } |
1032 | crv = sftk_ConstrainAttribute(object, CKA_PUBLIC_EXPONENT0x00000122UL, 2, 0, 0); |
1033 | if (crv != CKR_OK0x00000000UL) { |
1034 | return crv; |
1035 | } |
1036 | break; |
1037 | case CKK_DSA0x00000001UL: |
1038 | crv = sftk_ConstrainAttribute(object, CKA_SUBPRIME0x00000131UL, |
1039 | DSA_MIN_Q_BITS160, DSA_MAX_Q_BITS256, 0); |
1040 | if (crv != CKR_OK0x00000000UL) { |
1041 | return crv; |
1042 | } |
1043 | crv = sftk_ConstrainAttribute(object, CKA_PRIME0x00000130UL, |
1044 | DSA_MIN_P_BITS512, DSA_MAX_P_BITS3072, 64); |
1045 | if (crv != CKR_OK0x00000000UL) { |
1046 | return crv; |
1047 | } |
1048 | crv = sftk_ConstrainAttribute(object, CKA_BASE0x00000132UL, 2, DSA_MAX_P_BITS3072, 0); |
1049 | if (crv != CKR_OK0x00000000UL) { |
1050 | return crv; |
1051 | } |
1052 | crv = sftk_ConstrainAttribute(object, CKA_VALUE0x00000011UL, 2, DSA_MAX_P_BITS3072, 0); |
1053 | if (crv != CKR_OK0x00000000UL) { |
1054 | return crv; |
1055 | } |
1056 | encrypt = CK_FALSE0; |
1057 | recover = CK_FALSE0; |
1058 | wrap = CK_FALSE0; |
1059 | break; |
1060 | case CKK_DH0x00000002UL: |
1061 | crv = sftk_ConstrainAttribute(object, CKA_PRIME0x00000130UL, |
1062 | DH_MIN_P_BITS128, DH_MAX_P_BITS16384, 0); |
1063 | if (crv != CKR_OK0x00000000UL) { |
1064 | return crv; |
1065 | } |
1066 | crv = sftk_ConstrainAttribute(object, CKA_BASE0x00000132UL, 2, DH_MAX_P_BITS16384, 0); |
1067 | if (crv != CKR_OK0x00000000UL) { |
1068 | return crv; |
1069 | } |
1070 | crv = sftk_ConstrainAttribute(object, CKA_VALUE0x00000011UL, 2, DH_MAX_P_BITS16384, 0); |
1071 | if (crv != CKR_OK0x00000000UL) { |
1072 | return crv; |
1073 | } |
1074 | verify = CK_FALSE0; |
1075 | derive = CK_TRUE1; |
1076 | encrypt = CK_FALSE0; |
1077 | recover = CK_FALSE0; |
1078 | wrap = CK_FALSE0; |
1079 | break; |
1080 | case CKK_EC_MONTGOMERY0x00000041UL: |
1081 | case CKK_EC_EDWARDS0x00000040UL: |
1082 | case CKK_EC0x00000003UL: |
1083 | if (!sftk_hasAttribute(object, CKA_EC_PARAMS0x00000180UL)) { |
1084 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1085 | } |
1086 | if (!sftk_hasAttribute(object, CKA_EC_POINT0x00000181UL)) { |
1087 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1088 | } |
1089 | /* for ECDSA and EDDSA. Change if the structure of any of them is modified. */ |
1090 | derive = (key_type == CKK_EC_EDWARDS0x00000040UL) ? CK_FALSE0 : CK_TRUE1; /* CK_TRUE for ECDH */ |
1091 | verify = CK_TRUE1; /* for ECDSA and EDDSA */ |
1092 | encrypt = CK_FALSE0; |
1093 | recover = CK_FALSE0; |
1094 | wrap = CK_FALSE0; |
1095 | break; |
1096 | case CKK_NSS_KYBER((0x80000000UL | 0x4E534350) + 5): |
1097 | if (!sftk_hasAttribute(object, CKA_NSS_PARAMETER_SET((0x80000000UL | 0x4E534350) + 40))) { |
1098 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1099 | } |
1100 | derive = CK_FALSE0; |
1101 | verify = CK_FALSE0; |
1102 | encrypt = CK_FALSE0; |
1103 | recover = CK_FALSE0; |
1104 | wrap = CK_FALSE0; |
1105 | break; |
1106 | default: |
1107 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1108 | } |
1109 | |
1110 | /* make sure the required fields exist */ |
1111 | crv = sftk_defaultAttribute(object, CKA_SUBJECT0x00000101UL, NULL((void*)0), 0); |
1112 | if (crv != CKR_OK0x00000000UL) |
1113 | return crv; |
1114 | crv = sftk_defaultAttribute(object, CKA_ENCRYPT0x00000104UL, &encrypt, sizeof(CK_BBOOL)); |
1115 | if (crv != CKR_OK0x00000000UL) |
1116 | return crv; |
1117 | crv = sftk_defaultAttribute(object, CKA_VERIFY0x0000010AUL, &verify, sizeof(CK_BBOOL)); |
1118 | if (crv != CKR_OK0x00000000UL) |
1119 | return crv; |
1120 | crv = sftk_defaultAttribute(object, CKA_VERIFY_RECOVER0x0000010BUL, |
1121 | &recover, sizeof(CK_BBOOL)); |
1122 | if (crv != CKR_OK0x00000000UL) |
1123 | return crv; |
1124 | crv = sftk_defaultAttribute(object, CKA_WRAP0x00000106UL, &wrap, sizeof(CK_BBOOL)); |
1125 | if (crv != CKR_OK0x00000000UL) |
1126 | return crv; |
1127 | crv = sftk_defaultAttribute(object, CKA_DERIVE0x0000010CUL, &derive, sizeof(CK_BBOOL)); |
1128 | if (crv != CKR_OK0x00000000UL) |
1129 | return crv; |
1130 | |
1131 | object->objectInfo = sftk_GetPubKey(object, key_type, &crv); |
1132 | if (object->objectInfo == NULL((void*)0)) { |
1133 | return crv; |
1134 | } |
1135 | object->infoFree = (SFTKFree)nsslowkey_DestroyPublicKey; |
1136 | |
1137 | /* Check that an imported EC key is valid */ |
1138 | if (key_type == CKK_EC0x00000003UL || key_type == CKK_EC_EDWARDS0x00000040UL || key_type == CKK_EC_MONTGOMERY0x00000041UL) { |
1139 | NSSLOWKEYPublicKey *pubKey = (NSSLOWKEYPublicKey *)object->objectInfo; |
1140 | SECStatus rv = EC_ValidatePublicKey(&pubKey->u.ec.ecParams, |
1141 | &pubKey->u.ec.publicValue); |
1142 | |
1143 | if (rv != SECSuccess) { |
1144 | return CKR_TEMPLATE_INCONSISTENT0x000000D1UL; |
1145 | } |
1146 | } |
1147 | |
1148 | if (sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
1149 | SFTKSlot *slot = session->slot; |
1150 | SFTKDBHandle *certHandle = sftk_getCertDB(slot); |
1151 | |
1152 | if (certHandle == NULL((void*)0)) { |
1153 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
1154 | } |
1155 | |
1156 | crv = sftkdb_write(certHandle, object, &object->handle); |
1157 | sftk_freeDB(certHandle); |
1158 | return crv; |
1159 | } |
1160 | |
1161 | return CKR_OK0x00000000UL; |
1162 | } |
1163 | |
1164 | static NSSLOWKEYPrivateKey * |
1165 | sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key, CK_RV *rvp); |
1166 | |
1167 | static SECStatus |
1168 | sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded); |
1169 | |
1170 | /* |
1171 | * check the consistancy and initialize a Private Key Object |
1172 | */ |
1173 | static CK_RV |
1174 | sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYPE key_type) |
1175 | { |
1176 | CK_BBOOL cktrue = CK_TRUE1; |
1177 | CK_BBOOL encrypt = CK_TRUE1; |
1178 | CK_BBOOL sign = CK_FALSE0; |
1179 | CK_BBOOL recover = CK_TRUE1; |
1180 | CK_BBOOL wrap = CK_TRUE1; |
1181 | CK_BBOOL derive = CK_TRUE1; |
1182 | CK_BBOOL ckfalse = CK_FALSE0; |
1183 | PRBool createObjectInfo = PR_TRUE1; |
1184 | PRBool fillPrivateKey = PR_FALSE0; |
1185 | int missing_rsa_mod_component = 0; |
1186 | int missing_rsa_exp_component = 0; |
1187 | int missing_rsa_crt_component = 0; |
1188 | |
1189 | SECItem mod; |
1190 | CK_RV crv; |
1191 | SECStatus rv; |
1192 | |
1193 | switch (key_type) { |
1194 | case CKK_RSA0x00000000UL: |
1195 | if (!sftk_hasAttribute(object, CKA_MODULUS0x00000120UL)) { |
1196 | missing_rsa_mod_component++; |
1197 | } |
1198 | if (!sftk_hasAttribute(object, CKA_PUBLIC_EXPONENT0x00000122UL)) { |
1199 | missing_rsa_exp_component++; |
1200 | } |
1201 | if (!sftk_hasAttribute(object, CKA_PRIVATE_EXPONENT0x00000123UL)) { |
1202 | missing_rsa_exp_component++; |
1203 | } |
1204 | if (!sftk_hasAttribute(object, CKA_PRIME_10x00000124UL)) { |
1205 | missing_rsa_mod_component++; |
1206 | } |
1207 | if (!sftk_hasAttribute(object, CKA_PRIME_20x00000125UL)) { |
1208 | missing_rsa_mod_component++; |
1209 | } |
1210 | if (!sftk_hasAttribute(object, CKA_EXPONENT_10x00000126UL)) { |
1211 | missing_rsa_crt_component++; |
1212 | } |
1213 | if (!sftk_hasAttribute(object, CKA_EXPONENT_20x00000127UL)) { |
1214 | missing_rsa_crt_component++; |
1215 | } |
1216 | if (!sftk_hasAttribute(object, CKA_COEFFICIENT0x00000128UL)) { |
1217 | missing_rsa_crt_component++; |
1218 | } |
1219 | if (missing_rsa_mod_component || missing_rsa_exp_component || |
1220 | missing_rsa_crt_component) { |
1221 | /* we are missing a component, see if we have enough to rebuild |
1222 | * the rest */ |
1223 | int have_exp = 2 - missing_rsa_exp_component; |
1224 | int have_component = 5 - |
1225 | (missing_rsa_exp_component + missing_rsa_mod_component); |
1226 | |
1227 | if ((have_exp == 0) || (have_component < 3)) { |
1228 | /* nope, not enough to reconstruct the private key */ |
1229 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1230 | } |
1231 | fillPrivateKey = PR_TRUE1; |
1232 | } |
1233 | /*verify the parameters for consistency*/ |
1234 | rv = sftk_verifyRSAPrivateKey(object, fillPrivateKey); |
1235 | if (rv != SECSuccess) { |
1236 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1237 | } |
1238 | |
1239 | /* make sure Netscape DB attribute is set correctly */ |
1240 | crv = sftk_Attribute2SSecItem(NULL((void*)0), &mod, object, CKA_MODULUS0x00000120UL); |
1241 | if (crv != CKR_OK0x00000000UL) |
1242 | return crv; |
1243 | crv = sftk_forceAttribute(object, CKA_NSS_DB0xD5A0DB00L, |
1244 | sftk_item_expand(&mod)(&mod)->data, (&mod)->len); |
1245 | if (mod.data) |
1246 | SECITEM_ZfreeItemSECITEM_ZfreeItem_Util(&mod, PR_FALSE0); |
1247 | if (crv != CKR_OK0x00000000UL) |
1248 | return crv; |
1249 | |
1250 | sign = CK_TRUE1; |
1251 | derive = CK_FALSE0; |
1252 | break; |
1253 | case CKK_DSA0x00000001UL: |
1254 | if (!sftk_hasAttribute(object, CKA_SUBPRIME0x00000131UL)) { |
1255 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1256 | } |
1257 | sign = CK_TRUE1; |
1258 | derive = CK_FALSE0; |
1259 | /* fall through */ |
1260 | case CKK_DH0x00000002UL: |
1261 | if (!sftk_hasAttribute(object, CKA_PRIME0x00000130UL)) { |
1262 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1263 | } |
1264 | if (!sftk_hasAttribute(object, CKA_BASE0x00000132UL)) { |
1265 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1266 | } |
1267 | if (!sftk_hasAttribute(object, CKA_VALUE0x00000011UL)) { |
1268 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1269 | } |
1270 | /* allow subprime to be set after the fact */ |
1271 | crv = sftk_defaultAttribute(object, CKA_SUBPRIME0x00000131UL, NULL((void*)0), 0); |
1272 | if (crv != CKR_OK0x00000000UL) { |
1273 | return crv; |
1274 | } |
1275 | encrypt = CK_FALSE0; |
1276 | recover = CK_FALSE0; |
1277 | wrap = CK_FALSE0; |
1278 | break; |
1279 | case CKK_EC0x00000003UL: |
1280 | case CKK_EC_EDWARDS0x00000040UL: |
1281 | case CKK_EC_MONTGOMERY0x00000041UL: |
1282 | if (!sftk_hasAttribute(object, CKA_EC_PARAMS0x00000180UL)) { |
1283 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1284 | } |
1285 | if (!sftk_hasAttribute(object, CKA_VALUE0x00000011UL)) { |
1286 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1287 | } |
1288 | /* for ECDSA and EDDSA. Change if the structure of any of them is modified. */ |
1289 | derive = (key_type == CKK_EC_EDWARDS0x00000040UL) ? CK_FALSE0 : CK_TRUE1; /* CK_TRUE for ECDH */ |
1290 | sign = CK_TRUE1; /* for ECDSA and EDDSA */ |
1291 | encrypt = CK_FALSE0; |
1292 | recover = CK_FALSE0; |
1293 | wrap = CK_FALSE0; |
1294 | break; |
1295 | case CKK_NSS_JPAKE_ROUND1((0x80000000UL | 0x4E534350) + 2): |
1296 | if (!sftk_hasAttribute(object, CKA_PRIME0x00000130UL) || |
1297 | !sftk_hasAttribute(object, CKA_SUBPRIME0x00000131UL) || |
1298 | !sftk_hasAttribute(object, CKA_BASE0x00000132UL)) { |
1299 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1300 | } |
1301 | /* fall through */ |
1302 | case CKK_NSS_JPAKE_ROUND2((0x80000000UL | 0x4E534350) + 3): |
1303 | /* CKA_NSS_JPAKE_SIGNERID and CKA_NSS_JPAKE_PEERID are checked in |
1304 | the J-PAKE code. */ |
1305 | encrypt = sign = recover = wrap = CK_FALSE0; |
1306 | derive = CK_TRUE1; |
1307 | createObjectInfo = PR_FALSE0; |
1308 | break; |
1309 | case CKK_NSS_KYBER((0x80000000UL | 0x4E534350) + 5): |
1310 | if (!sftk_hasAttribute(object, CKA_KEY_TYPE0x00000100UL)) { |
1311 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1312 | } |
1313 | if (!sftk_hasAttribute(object, CKA_VALUE0x00000011UL)) { |
1314 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1315 | } |
1316 | encrypt = sign = recover = wrap = CK_FALSE0; |
1317 | break; |
1318 | default: |
1319 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1320 | } |
1321 | crv = sftk_defaultAttribute(object, CKA_SUBJECT0x00000101UL, NULL((void*)0), 0); |
1322 | if (crv != CKR_OK0x00000000UL) |
1323 | return crv; |
1324 | crv = sftk_defaultAttribute(object, CKA_SENSITIVE0x00000103UL, &cktrue, sizeof(CK_BBOOL)); |
1325 | if (crv != CKR_OK0x00000000UL) |
1326 | return crv; |
1327 | crv = sftk_defaultAttribute(object, CKA_EXTRACTABLE0x00000162UL, &cktrue, sizeof(CK_BBOOL)); |
1328 | if (crv != CKR_OK0x00000000UL) |
1329 | return crv; |
1330 | crv = sftk_defaultAttribute(object, CKA_DECRYPT0x00000105UL, &encrypt, sizeof(CK_BBOOL)); |
1331 | if (crv != CKR_OK0x00000000UL) |
1332 | return crv; |
1333 | crv = sftk_defaultAttribute(object, CKA_SIGN0x00000108UL, &sign, sizeof(CK_BBOOL)); |
1334 | if (crv != CKR_OK0x00000000UL) |
1335 | return crv; |
1336 | crv = sftk_defaultAttribute(object, CKA_SIGN_RECOVER0x00000109UL, &recover, |
1337 | sizeof(CK_BBOOL)); |
1338 | if (crv != CKR_OK0x00000000UL) |
1339 | return crv; |
1340 | crv = sftk_defaultAttribute(object, CKA_UNWRAP0x00000107UL, &wrap, sizeof(CK_BBOOL)); |
1341 | if (crv != CKR_OK0x00000000UL) |
1342 | return crv; |
1343 | crv = sftk_defaultAttribute(object, CKA_DERIVE0x0000010CUL, &derive, sizeof(CK_BBOOL)); |
1344 | if (crv != CKR_OK0x00000000UL) |
1345 | return crv; |
1346 | /* the next two bits get modified only in the key gen and token cases */ |
1347 | crv = sftk_forceAttribute(object, CKA_ALWAYS_SENSITIVE0x00000165UL, |
1348 | &ckfalse, sizeof(CK_BBOOL)); |
1349 | if (crv != CKR_OK0x00000000UL) |
1350 | return crv; |
1351 | crv = sftk_forceAttribute(object, CKA_NEVER_EXTRACTABLE0x00000164UL, |
1352 | &ckfalse, sizeof(CK_BBOOL)); |
1353 | if (crv != CKR_OK0x00000000UL) |
1354 | return crv; |
1355 | |
1356 | /* should we check the non-token RSA private keys? */ |
1357 | |
1358 | if (sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
1359 | SFTKSlot *slot = session->slot; |
1360 | SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); |
1361 | |
1362 | if (keyHandle == NULL((void*)0)) { |
1363 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
1364 | } |
1365 | |
1366 | crv = sftkdb_write(keyHandle, object, &object->handle); |
1367 | sftk_freeDB(keyHandle); |
1368 | return crv; |
1369 | } else if (createObjectInfo) { |
1370 | object->objectInfo = sftk_mkPrivKey(object, key_type, &crv); |
1371 | if (object->objectInfo == NULL((void*)0)) |
1372 | return crv; |
1373 | object->infoFree = (SFTKFree)nsslowkey_DestroyPrivateKey; |
1374 | } |
1375 | return CKR_OK0x00000000UL; |
1376 | } |
1377 | |
1378 | /* forward declare the DES formating function for handleSecretKey */ |
1379 | void sftk_FormatDESKey(unsigned char *key, int length); |
1380 | |
1381 | /* Validate secret key data, and set defaults */ |
1382 | static CK_RV |
1383 | validateSecretKey(SFTKSession *session, SFTKObject *object, |
1384 | CK_KEY_TYPE key_type, PRBool isFIPS) |
1385 | { |
1386 | CK_RV crv; |
1387 | CK_BBOOL cktrue = CK_TRUE1; |
1388 | CK_BBOOL ckfalse = CK_FALSE0; |
1389 | SFTKAttribute *attribute = NULL((void*)0); |
1390 | unsigned long requiredLen; |
1391 | |
1392 | crv = sftk_defaultAttribute(object, CKA_SENSITIVE0x00000103UL, |
1393 | isFIPS ? &cktrue : &ckfalse, sizeof(CK_BBOOL)); |
1394 | if (crv != CKR_OK0x00000000UL) |
1395 | return crv; |
1396 | crv = sftk_defaultAttribute(object, CKA_EXTRACTABLE0x00000162UL, |
1397 | &cktrue, sizeof(CK_BBOOL)); |
1398 | if (crv != CKR_OK0x00000000UL) |
1399 | return crv; |
1400 | crv = sftk_defaultAttribute(object, CKA_ENCRYPT0x00000104UL, &cktrue, sizeof(CK_BBOOL)); |
1401 | if (crv != CKR_OK0x00000000UL) |
1402 | return crv; |
1403 | crv = sftk_defaultAttribute(object, CKA_DECRYPT0x00000105UL, &cktrue, sizeof(CK_BBOOL)); |
1404 | if (crv != CKR_OK0x00000000UL) |
1405 | return crv; |
1406 | crv = sftk_defaultAttribute(object, CKA_SIGN0x00000108UL, &ckfalse, sizeof(CK_BBOOL)); |
1407 | if (crv != CKR_OK0x00000000UL) |
1408 | return crv; |
1409 | crv = sftk_defaultAttribute(object, CKA_VERIFY0x0000010AUL, &ckfalse, sizeof(CK_BBOOL)); |
1410 | if (crv != CKR_OK0x00000000UL) |
1411 | return crv; |
1412 | crv = sftk_defaultAttribute(object, CKA_WRAP0x00000106UL, &cktrue, sizeof(CK_BBOOL)); |
1413 | if (crv != CKR_OK0x00000000UL) |
1414 | return crv; |
1415 | crv = sftk_defaultAttribute(object, CKA_UNWRAP0x00000107UL, &cktrue, sizeof(CK_BBOOL)); |
1416 | if (crv != CKR_OK0x00000000UL) |
1417 | return crv; |
1418 | |
1419 | if (!sftk_hasAttribute(object, CKA_VALUE0x00000011UL)) { |
1420 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1421 | } |
1422 | /* the next two bits get modified only in the key gen and token cases */ |
1423 | crv = sftk_forceAttribute(object, CKA_ALWAYS_SENSITIVE0x00000165UL, |
1424 | &ckfalse, sizeof(CK_BBOOL)); |
1425 | if (crv != CKR_OK0x00000000UL) |
1426 | return crv; |
1427 | crv = sftk_forceAttribute(object, CKA_NEVER_EXTRACTABLE0x00000164UL, |
1428 | &ckfalse, sizeof(CK_BBOOL)); |
1429 | if (crv != CKR_OK0x00000000UL) |
1430 | return crv; |
1431 | |
1432 | /* some types of keys have a value length */ |
1433 | crv = CKR_OK0x00000000UL; |
1434 | switch (key_type) { |
1435 | /* force CKA_VALUE_LEN to be set */ |
1436 | case CKK_GENERIC_SECRET0x00000010UL: |
1437 | case CKK_RC20x00000011UL: |
1438 | case CKK_RC40x00000012UL: |
1439 | #if NSS_SOFTOKEN_DOES_RC5 |
1440 | case CKK_RC50x00000019UL: |
1441 | #endif |
1442 | #ifdef NSS_SOFTOKEN_DOES_CAST |
1443 | case CKK_CAST0x00000016UL: |
1444 | case CKK_CAST30x00000017UL: |
1445 | case CKK_CAST50x00000018UL: |
1446 | #endif |
1447 | #if NSS_SOFTOKEN_DOES_IDEA |
1448 | case CKK_IDEA0x0000001AUL: |
1449 | #endif |
1450 | attribute = sftk_FindAttribute(object, CKA_VALUE0x00000011UL); |
1451 | /* shouldn't happen */ |
1452 | if (attribute == NULL((void*)0)) |
1453 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1454 | crv = sftk_forceAttribute(object, CKA_VALUE_LEN0x00000161UL, |
1455 | &attribute->attrib.ulValueLen, sizeof(CK_ULONG)); |
1456 | sftk_FreeAttribute(attribute); |
1457 | break; |
1458 | /* force the value to have the correct parity */ |
1459 | case CKK_DES0x00000013UL: |
1460 | case CKK_DES20x00000014UL: |
1461 | case CKK_DES30x00000015UL: |
1462 | case CKK_CDMF0x0000001EUL: |
1463 | attribute = sftk_FindAttribute(object, CKA_VALUE0x00000011UL); |
1464 | /* shouldn't happen */ |
1465 | if (attribute == NULL((void*)0)) |
1466 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1467 | requiredLen = sftk_MapKeySize(key_type); |
1468 | if (attribute->attrib.ulValueLen != requiredLen) { |
1469 | sftk_FreeAttribute(attribute); |
1470 | return CKR_KEY_SIZE_RANGE0x00000062UL; |
1471 | } |
1472 | sftk_FormatDESKey((unsigned char *)attribute->attrib.pValue, |
1473 | attribute->attrib.ulValueLen); |
1474 | sftk_FreeAttribute(attribute); |
1475 | break; |
1476 | case CKK_AES0x0000001FUL: |
1477 | attribute = sftk_FindAttribute(object, CKA_VALUE0x00000011UL); |
1478 | /* shouldn't happen */ |
1479 | if (attribute == NULL((void*)0)) |
1480 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1481 | if (attribute->attrib.ulValueLen != 16 && |
1482 | attribute->attrib.ulValueLen != 24 && |
1483 | attribute->attrib.ulValueLen != 32) { |
1484 | sftk_FreeAttribute(attribute); |
1485 | return CKR_KEY_SIZE_RANGE0x00000062UL; |
1486 | } |
1487 | crv = sftk_forceAttribute(object, CKA_VALUE_LEN0x00000161UL, |
1488 | &attribute->attrib.ulValueLen, sizeof(CK_ULONG)); |
1489 | sftk_FreeAttribute(attribute); |
1490 | break; |
1491 | default: |
1492 | break; |
1493 | } |
1494 | |
1495 | return crv; |
1496 | } |
1497 | |
1498 | /* |
1499 | * check the consistancy and initialize a Secret Key Object |
1500 | */ |
1501 | static CK_RV |
1502 | sftk_handleSecretKeyObject(SFTKSession *session, SFTKObject *object, |
1503 | CK_KEY_TYPE key_type, PRBool isFIPS) |
1504 | { |
1505 | CK_RV crv; |
1506 | |
1507 | /* First validate and set defaults */ |
1508 | crv = validateSecretKey(session, object, key_type, isFIPS); |
1509 | if (crv != CKR_OK0x00000000UL) |
1510 | goto loser; |
1511 | |
1512 | /* If the object is a TOKEN object, store in the database */ |
1513 | if (sftk_isTrue(object, CKA_TOKEN0x00000001UL)) { |
1514 | SFTKSlot *slot = session->slot; |
1515 | SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); |
1516 | |
1517 | if (keyHandle == NULL((void*)0)) { |
1518 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
1519 | } |
1520 | |
1521 | crv = sftkdb_write(keyHandle, object, &object->handle); |
1522 | sftk_freeDB(keyHandle); |
1523 | return crv; |
1524 | } |
1525 | |
1526 | loser: |
1527 | |
1528 | return crv; |
1529 | } |
1530 | |
1531 | /* |
1532 | * check the consistancy and initialize a Key Object |
1533 | */ |
1534 | static CK_RV |
1535 | sftk_handleKeyObject(SFTKSession *session, SFTKObject *object) |
1536 | { |
1537 | SFTKAttribute *attribute; |
1538 | CK_KEY_TYPE key_type; |
1539 | CK_BBOOL ckfalse = CK_FALSE0; |
1540 | CK_RV crv; |
1541 | |
1542 | /* verify the required fields */ |
1543 | if (!sftk_hasAttribute(object, CKA_KEY_TYPE0x00000100UL)) { |
1544 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1545 | } |
1546 | |
1547 | /* now verify the common fields */ |
1548 | crv = sftk_defaultAttribute(object, CKA_ID0x00000102UL, NULL((void*)0), 0); |
1549 | if (crv != CKR_OK0x00000000UL) |
1550 | return crv; |
1551 | crv = sftk_defaultAttribute(object, CKA_START_DATE0x00000110UL, NULL((void*)0), 0); |
1552 | if (crv != CKR_OK0x00000000UL) |
1553 | return crv; |
1554 | crv = sftk_defaultAttribute(object, CKA_END_DATE0x00000111UL, NULL((void*)0), 0); |
1555 | if (crv != CKR_OK0x00000000UL) |
1556 | return crv; |
1557 | /* CKA_DERIVE is common to all keys, but it's default value is |
1558 | * key dependent */ |
1559 | crv = sftk_defaultAttribute(object, CKA_LOCAL0x00000163UL, &ckfalse, sizeof(CK_BBOOL)); |
1560 | if (crv != CKR_OK0x00000000UL) |
1561 | return crv; |
1562 | |
1563 | /* get the key type */ |
1564 | attribute = sftk_FindAttribute(object, CKA_KEY_TYPE0x00000100UL); |
1565 | if (!attribute) { |
1566 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1567 | } |
1568 | key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue; |
1569 | sftk_FreeAttribute(attribute); |
1570 | |
1571 | switch (object->objclass) { |
1572 | case CKO_PUBLIC_KEY0x00000002UL: |
1573 | return sftk_handlePublicKeyObject(session, object, key_type); |
1574 | case CKO_PRIVATE_KEY0x00000003UL: |
1575 | return sftk_handlePrivateKeyObject(session, object, key_type); |
1576 | case CKO_SECRET_KEY0x00000004UL: |
1577 | /* make sure the required fields exist */ |
1578 | return sftk_handleSecretKeyObject(session, object, key_type, |
1579 | (PRBool)(sftk_isFIPS(session->slot->slotID)(((session->slot->slotID) == 3) || ((session->slot-> slotID) >= 101)))); |
1580 | default: |
1581 | break; |
1582 | } |
1583 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1584 | } |
1585 | |
1586 | /* |
1587 | * check the consistancy and Verify a DSA Parameter Object |
1588 | */ |
1589 | static CK_RV |
1590 | sftk_handleDSAParameterObject(SFTKSession *session, SFTKObject *object) |
1591 | { |
1592 | SFTKAttribute *primeAttr = NULL((void*)0); |
1593 | SFTKAttribute *subPrimeAttr = NULL((void*)0); |
1594 | SFTKAttribute *baseAttr = NULL((void*)0); |
1595 | SFTKAttribute *seedAttr = NULL((void*)0); |
1596 | SFTKAttribute *hAttr = NULL((void*)0); |
1597 | SFTKAttribute *attribute; |
1598 | CK_RV crv = CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1599 | PQGParams params; |
1600 | PQGVerify vfy, *verify = NULL((void*)0); |
1601 | SECStatus result, rv; |
1602 | /* This bool keeps track of whether or not we need verify parameters. |
1603 | * If a P, Q and G or supplied, we dont' need verify parameters, as we |
1604 | * have PQ and G. |
1605 | * - If G is not supplied, the presumption is that we want to |
1606 | * verify P and Q only. |
1607 | * - If counter is supplied, it is presumed we want to verify PQ because |
1608 | * the counter is only used in verification. |
1609 | * - If H is supplied, is is presumed we want to verify G because H is |
1610 | * only used to verify G. |
1611 | * - Any verification step must have the SEED (counter or H could be |
1612 | * missing depending on exactly what we want to verify). If SEED is supplied, |
1613 | * the code just goes ahead and runs verify (other errors are parameter |
1614 | * errors are detected by the PQG_VerifyParams function). If SEED is not |
1615 | * supplied, but we determined that we are trying to verify (because needVfy |
1616 | * is set, go ahead and return CKR_TEMPLATE_INCOMPLETE. |
1617 | */ |
1618 | PRBool needVfy = PR_FALSE0; |
1619 | |
1620 | primeAttr = sftk_FindAttribute(object, CKA_PRIME0x00000130UL); |
1621 | if (primeAttr == NULL((void*)0)) |
1622 | goto loser; |
1623 | params.prime.data = primeAttr->attrib.pValue; |
1624 | params.prime.len = primeAttr->attrib.ulValueLen; |
1625 | |
1626 | subPrimeAttr = sftk_FindAttribute(object, CKA_SUBPRIME0x00000131UL); |
1627 | if (subPrimeAttr == NULL((void*)0)) |
1628 | goto loser; |
1629 | params.subPrime.data = subPrimeAttr->attrib.pValue; |
1630 | params.subPrime.len = subPrimeAttr->attrib.ulValueLen; |
1631 | |
1632 | baseAttr = sftk_FindAttribute(object, CKA_BASE0x00000132UL); |
1633 | if (baseAttr != NULL((void*)0)) { |
1634 | params.base.data = baseAttr->attrib.pValue; |
1635 | params.base.len = baseAttr->attrib.ulValueLen; |
1636 | } else { |
1637 | params.base.data = NULL((void*)0); |
1638 | params.base.len = 0; |
1639 | needVfy = PR_TRUE1; /* presumably only including PQ so we can verify |
1640 | * them. */ |
1641 | } |
1642 | |
1643 | attribute = sftk_FindAttribute(object, CKA_NSS_PQG_COUNTER((0x80000000UL | 0x4E534350) + 20)); |
1644 | if (attribute != NULL((void*)0)) { |
1645 | vfy.counter = *(CK_ULONG *)attribute->attrib.pValue; |
1646 | sftk_FreeAttribute(attribute); |
1647 | needVfy = PR_TRUE1; /* included a count so we can verify PQ */ |
1648 | } else { |
1649 | vfy.counter = -1; |
1650 | } |
1651 | |
1652 | hAttr = sftk_FindAttribute(object, CKA_NSS_PQG_H((0x80000000UL | 0x4E534350) + 22)); |
1653 | if (hAttr != NULL((void*)0)) { |
1654 | vfy.h.data = hAttr->attrib.pValue; |
1655 | vfy.h.len = hAttr->attrib.ulValueLen; |
1656 | needVfy = PR_TRUE1; /* included H so we can verify G */ |
1657 | } else { |
1658 | vfy.h.data = NULL((void*)0); |
1659 | vfy.h.len = 0; |
1660 | } |
1661 | seedAttr = sftk_FindAttribute(object, CKA_NSS_PQG_SEED((0x80000000UL | 0x4E534350) + 21)); |
1662 | if (seedAttr != NULL((void*)0)) { |
1663 | vfy.seed.data = seedAttr->attrib.pValue; |
1664 | vfy.seed.len = seedAttr->attrib.ulValueLen; |
1665 | |
1666 | verify = &vfy; |
1667 | } else if (needVfy) { |
1668 | goto loser; /* Verify always needs seed, if we need verify and not seed |
1669 | * then fail */ |
1670 | } |
1671 | |
1672 | crv = CKR_FUNCTION_FAILED0x00000006UL; |
1673 | rv = PQG_VerifyParams(¶ms, verify, &result); |
1674 | if (rv == SECSuccess) { |
1675 | crv = (result == SECSuccess) ? CKR_OK0x00000000UL : CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1676 | } |
1677 | |
1678 | loser: |
1679 | if (hAttr) |
1680 | sftk_FreeAttribute(hAttr); |
1681 | if (seedAttr) |
1682 | sftk_FreeAttribute(seedAttr); |
1683 | if (baseAttr) |
1684 | sftk_FreeAttribute(baseAttr); |
1685 | if (subPrimeAttr) |
1686 | sftk_FreeAttribute(subPrimeAttr); |
1687 | if (primeAttr) |
1688 | sftk_FreeAttribute(primeAttr); |
1689 | |
1690 | return crv; |
1691 | } |
1692 | |
1693 | /* |
1694 | * check the consistancy and initialize a Key Parameter Object |
1695 | */ |
1696 | static CK_RV |
1697 | sftk_handleKeyParameterObject(SFTKSession *session, SFTKObject *object) |
1698 | { |
1699 | SFTKAttribute *attribute; |
1700 | CK_KEY_TYPE key_type; |
1701 | CK_BBOOL ckfalse = CK_FALSE0; |
1702 | CK_RV crv; |
1703 | |
1704 | /* verify the required fields */ |
1705 | if (!sftk_hasAttribute(object, CKA_KEY_TYPE0x00000100UL)) { |
1706 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1707 | } |
1708 | |
1709 | /* now verify the common fields */ |
1710 | crv = sftk_defaultAttribute(object, CKA_LOCAL0x00000163UL, &ckfalse, sizeof(CK_BBOOL)); |
1711 | if (crv != CKR_OK0x00000000UL) |
1712 | return crv; |
1713 | |
1714 | /* get the key type */ |
1715 | attribute = sftk_FindAttribute(object, CKA_KEY_TYPE0x00000100UL); |
1716 | if (!attribute) { |
1717 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1718 | } |
1719 | key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue; |
1720 | sftk_FreeAttribute(attribute); |
1721 | |
1722 | switch (key_type) { |
1723 | case CKK_DSA0x00000001UL: |
1724 | return sftk_handleDSAParameterObject(session, object); |
1725 | |
1726 | default: |
1727 | break; |
1728 | } |
1729 | return CKR_KEY_TYPE_INCONSISTENT0x00000063UL; |
1730 | } |
1731 | |
1732 | /* |
1733 | * Handle Object does all the object consistancy checks, automatic attribute |
1734 | * generation, attribute defaulting, etc. If handleObject succeeds, the object |
1735 | * will be assigned an object handle, and the object installed in the session |
1736 | * or stored in the DB. |
1737 | */ |
1738 | CK_RV |
1739 | sftk_handleObject(SFTKObject *object, SFTKSession *session) |
1740 | { |
1741 | SFTKSlot *slot = session->slot; |
1742 | SFTKAttribute *attribute; |
1743 | CK_BBOOL ckfalse = CK_FALSE0; |
1744 | CK_BBOOL cktrue = CK_TRUE1; |
1745 | PRBool isLoggedIn, needLogin; |
1746 | CK_RV crv; |
1747 | |
1748 | /* make sure all the base object types are defined. If not set the |
1749 | * defaults */ |
1750 | crv = sftk_defaultAttribute(object, CKA_TOKEN0x00000001UL, &ckfalse, sizeof(CK_BBOOL)); |
1751 | if (crv != CKR_OK0x00000000UL) |
1752 | return crv; |
1753 | crv = sftk_defaultAttribute(object, CKA_PRIVATE0x00000002UL, &ckfalse, sizeof(CK_BBOOL)); |
1754 | if (crv != CKR_OK0x00000000UL) |
1755 | return crv; |
1756 | crv = sftk_defaultAttribute(object, CKA_LABEL0x00000003UL, NULL((void*)0), 0); |
1757 | if (crv != CKR_OK0x00000000UL) |
1758 | return crv; |
1759 | crv = sftk_defaultAttribute(object, CKA_MODIFIABLE0x00000170UL, &cktrue, sizeof(CK_BBOOL)); |
1760 | if (crv != CKR_OK0x00000000UL) |
1761 | return crv; |
1762 | |
1763 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
1764 | isLoggedIn = slot->isLoggedIn; |
1765 | needLogin = slot->needLogin; |
1766 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
1767 | |
1768 | /* don't create a private object if we aren't logged in */ |
1769 | if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE0x00000002UL)) { |
1770 | return CKR_USER_NOT_LOGGED_IN0x00000101UL; |
1771 | } |
1772 | |
1773 | if (((session->info.flags & CKF_RW_SESSION0x00000002UL) == 0) && |
1774 | (sftk_isTrue(object, CKA_TOKEN0x00000001UL))) { |
1775 | return CKR_SESSION_READ_ONLY0x000000B5UL; |
1776 | } |
1777 | |
1778 | /* Assign a unique SESSION object handle to every new object, |
1779 | * whether it is a session object or a token object. |
1780 | * At this point, all new objects are structured as session objects. |
1781 | * Objects with the CKA_TOKEN attribute true will be turned into |
1782 | * token objects and will have a token object handle assigned to |
1783 | * them by a call to sftk_mkHandle in the handler for each object |
1784 | * class, invoked below. |
1785 | * |
1786 | * It may be helpful to note/remember that |
1787 | * sftk_narrowToXxxObject uses sftk_isToken, |
1788 | * sftk_isToken examines the sign bit of the object's handle, but |
1789 | * sftk_isTrue(...,CKA_TOKEN) examines the CKA_TOKEN attribute. |
1790 | */ |
1791 | object->handle = sftk_getNextHandle(slot); |
1792 | |
1793 | /* get the object class */ |
1794 | attribute = sftk_FindAttribute(object, CKA_CLASS0x00000000UL); |
1795 | if (attribute == NULL((void*)0)) { |
1796 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
1797 | } |
1798 | object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue; |
1799 | sftk_FreeAttribute(attribute); |
1800 | |
1801 | /* Now handle the specific object class. |
1802 | * At this point, all objects are session objects, and the session |
1803 | * number must be passed to the object class handlers. |
1804 | */ |
1805 | switch (object->objclass) { |
1806 | case CKO_DATA0x00000000UL: |
1807 | crv = sftk_handleDataObject(session, object); |
1808 | break; |
1809 | case CKO_CERTIFICATE0x00000001UL: |
1810 | crv = sftk_handleCertObject(session, object); |
1811 | break; |
1812 | case CKO_NSS_TRUST((0x80000000UL | 0x4E534350) + 3): |
1813 | crv = sftk_handleTrustObject(session, object); |
1814 | break; |
1815 | case CKO_NSS_CRL((0x80000000UL | 0x4E534350) + 1): |
1816 | crv = sftk_handleCrlObject(session, object); |
1817 | break; |
1818 | case CKO_NSS_SMIME((0x80000000UL | 0x4E534350) + 2): |
1819 | crv = sftk_handleSMimeObject(session, object); |
1820 | break; |
1821 | case CKO_PRIVATE_KEY0x00000003UL: |
1822 | case CKO_PUBLIC_KEY0x00000002UL: |
1823 | case CKO_SECRET_KEY0x00000004UL: |
1824 | crv = sftk_handleKeyObject(session, object); |
1825 | break; |
1826 | case CKO_DOMAIN_PARAMETERS0x00000006UL: |
1827 | crv = sftk_handleKeyParameterObject(session, object); |
1828 | break; |
1829 | default: |
1830 | crv = CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1831 | break; |
1832 | } |
1833 | |
1834 | /* can't fail from here on out unless the pk_handlXXX functions have |
1835 | * failed the request */ |
1836 | if (crv != CKR_OK0x00000000UL) { |
1837 | return crv; |
1838 | } |
1839 | |
1840 | /* Now link the object into the slot and session structures. |
1841 | * If the object has a true CKA_TOKEN attribute, the above object |
1842 | * class handlers will have set the sign bit in the object handle, |
1843 | * causing the following test to be true. |
1844 | */ |
1845 | if (sftk_isToken(object->handle)(((object->handle)&0x80000000L) == 0x80000000L)) { |
1846 | sftk_convertSessionToToken(object); |
1847 | } else { |
1848 | object->slot = slot; |
1849 | sftk_AddObject(session, object); |
1850 | } |
1851 | |
1852 | return CKR_OK0x00000000UL; |
1853 | } |
1854 | |
1855 | /* |
1856 | * ******************** Public Key Utilities *************************** |
1857 | */ |
1858 | /* Generate a low public key structure from an object */ |
1859 | NSSLOWKEYPublicKey * |
1860 | sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type, |
1861 | CK_RV *crvp) |
1862 | { |
1863 | NSSLOWKEYPublicKey *pubKey; |
1864 | PLArenaPool *arena; |
1865 | CK_RV crv; |
1866 | |
1867 | if (object->objclass != CKO_PUBLIC_KEY0x00000002UL) { |
1868 | *crvp = CKR_KEY_TYPE_INCONSISTENT0x00000063UL; |
1869 | return NULL((void*)0); |
1870 | } |
1871 | |
1872 | if (sftk_isToken(object->handle)(((object->handle)&0x80000000L) == 0x80000000L)) { |
1873 | /* ferret out the token object handle */ |
1874 | } |
1875 | |
1876 | /* If we already have a key, use it */ |
1877 | if (object->objectInfo) { |
1878 | *crvp = CKR_OK0x00000000UL; |
1879 | return (NSSLOWKEYPublicKey *)object->objectInfo; |
1880 | } |
1881 | |
1882 | /* allocate the structure */ |
1883 | arena = PORT_NewArenaPORT_NewArena_Util(DER_DEFAULT_CHUNKSIZE(2048)); |
1884 | if (arena == NULL((void*)0)) { |
1885 | *crvp = CKR_HOST_MEMORY0x00000002UL; |
1886 | return NULL((void*)0); |
1887 | } |
1888 | |
1889 | pubKey = (NSSLOWKEYPublicKey *) |
1890 | PORT_ArenaAllocPORT_ArenaAlloc_Util(arena, sizeof(NSSLOWKEYPublicKey)); |
1891 | if (pubKey == NULL((void*)0)) { |
1892 | PORT_FreeArenaPORT_FreeArena_Util(arena, PR_FALSE0); |
1893 | *crvp = CKR_HOST_MEMORY0x00000002UL; |
1894 | return NULL((void*)0); |
1895 | } |
1896 | |
1897 | /* fill in the structure */ |
1898 | pubKey->arena = arena; |
1899 | switch (key_type) { |
1900 | case CKK_RSA0x00000000UL: |
1901 | pubKey->keyType = NSSLOWKEYRSAKey; |
1902 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.rsa.modulus, |
1903 | object, CKA_MODULUS0x00000120UL); |
1904 | if (crv != CKR_OK0x00000000UL) |
1905 | break; |
1906 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.rsa.publicExponent, |
1907 | object, CKA_PUBLIC_EXPONENT0x00000122UL); |
1908 | break; |
1909 | case CKK_DSA0x00000001UL: |
1910 | pubKey->keyType = NSSLOWKEYDSAKey; |
1911 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.prime, |
1912 | object, CKA_PRIME0x00000130UL); |
1913 | if (crv != CKR_OK0x00000000UL) |
1914 | break; |
1915 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.subPrime, |
1916 | object, CKA_SUBPRIME0x00000131UL); |
1917 | if (crv != CKR_OK0x00000000UL) |
1918 | break; |
1919 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.base, |
1920 | object, CKA_BASE0x00000132UL); |
1921 | if (crv != CKR_OK0x00000000UL) |
1922 | break; |
1923 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.publicValue, |
1924 | object, CKA_VALUE0x00000011UL); |
1925 | break; |
1926 | case CKK_DH0x00000002UL: |
1927 | pubKey->keyType = NSSLOWKEYDHKey; |
1928 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.prime, |
1929 | object, CKA_PRIME0x00000130UL); |
1930 | if (crv != CKR_OK0x00000000UL) |
1931 | break; |
1932 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.base, |
1933 | object, CKA_BASE0x00000132UL); |
1934 | if (crv != CKR_OK0x00000000UL) |
1935 | break; |
1936 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue, |
1937 | object, CKA_VALUE0x00000011UL); |
1938 | break; |
1939 | case CKK_EC_EDWARDS0x00000040UL: |
1940 | case CKK_EC_MONTGOMERY0x00000041UL: |
1941 | case CKK_EC0x00000003UL: |
1942 | pubKey->keyType = NSSLOWKEYECKey; |
1943 | crv = sftk_Attribute2SSecItem(arena, |
1944 | &pubKey->u.ec.ecParams.DEREncoding, |
1945 | object, CKA_EC_PARAMS0x00000180UL); |
1946 | if (crv != CKR_OK0x00000000UL) |
1947 | break; |
1948 | |
1949 | /* Fill out the rest of the ecParams structure |
1950 | * based on the encoded params |
1951 | */ |
1952 | if (EC_FillParams(arena, &pubKey->u.ec.ecParams.DEREncoding, |
1953 | &pubKey->u.ec.ecParams) != SECSuccess) { |
1954 | crv = CKR_DOMAIN_PARAMS_INVALID0x00000130UL; |
1955 | break; |
1956 | } |
1957 | |
1958 | crv = sftk_Attribute2SSecItem(arena, &pubKey->u.ec.publicValue, |
1959 | object, CKA_EC_POINT0x00000181UL); |
1960 | if (crv == CKR_OK0x00000000UL) { |
1961 | unsigned int keyLen = EC_GetPointSize(&pubKey->u.ec.ecParams); |
1962 | |
1963 | /* special note: We can't just use the first byte to distinguish |
1964 | * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING. |
1965 | * Both are 0x04. */ |
1966 | |
1967 | /* Handle the non-DER encoded case. |
1968 | * Some curves are always pressumed to be non-DER. |
1969 | */ |
1970 | if (pubKey->u.ec.ecParams.type != ec_params_named || |
1971 | (pubKey->u.ec.publicValue.len == keyLen && |
1972 | pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED0x04)) { |
1973 | break; /* key was not DER encoded, no need to unwrap */ |
1974 | } |
1975 | |
1976 | /* handle the encoded case */ |
1977 | if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING0x04) && |
1978 | pubKey->u.ec.publicValue.len > keyLen) { |
1979 | SECItem publicValue; |
1980 | SECStatus rv; |
1981 | |
1982 | rv = SEC_QuickDERDecodeItemSEC_QuickDERDecodeItem_Util(arena, &publicValue, |
1983 | SEC_ASN1_GET(SEC_OctetStringTemplate)SEC_OctetStringTemplate_Util, |
1984 | &pubKey->u.ec.publicValue); |
1985 | /* nope, didn't decode correctly */ |
1986 | if ((rv != SECSuccess) || (publicValue.len != keyLen)) { |
1987 | crv = CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1988 | break; |
1989 | } |
1990 | /* we don't handle compressed points except in the case of ECCurve25519 */ |
1991 | if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED0x04) { |
1992 | crv = CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
1993 | break; |
1994 | } |
1995 | /* replace our previous with the decoded key */ |
1996 | pubKey->u.ec.publicValue = publicValue; |
1997 | break; |
1998 | } |
1999 | crv = CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
2000 | } |
2001 | break; |
2002 | case CKK_NSS_KYBER((0x80000000UL | 0x4E534350) + 5): |
2003 | crv = CKR_OK0x00000000UL; |
2004 | break; |
2005 | default: |
2006 | crv = CKR_KEY_TYPE_INCONSISTENT0x00000063UL; |
2007 | break; |
2008 | } |
2009 | *crvp = crv; |
2010 | if (crv != CKR_OK0x00000000UL) { |
2011 | PORT_FreeArenaPORT_FreeArena_Util(arena, PR_TRUE1); |
2012 | return NULL((void*)0); |
2013 | } |
2014 | |
2015 | object->objectInfo = pubKey; |
2016 | object->infoFree = (SFTKFree)nsslowkey_DestroyPublicKey; |
2017 | return pubKey; |
2018 | } |
2019 | |
2020 | /* make a private key from a verified object */ |
2021 | static NSSLOWKEYPrivateKey * |
2022 | sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp) |
2023 | { |
2024 | NSSLOWKEYPrivateKey *privKey; |
2025 | SFTKItemTemplate itemTemplate[SFTK_MAX_ITEM_TEMPLATE10]; |
2026 | int itemTemplateCount = 0; |
2027 | PLArenaPool *arena; |
2028 | CK_RV crv = CKR_OK0x00000000UL; |
2029 | SECStatus rv; |
2030 | |
2031 | arena = PORT_NewArenaPORT_NewArena_Util(DER_DEFAULT_CHUNKSIZE(2048)); |
2032 | if (arena == NULL((void*)0)) { |
2033 | *crvp = CKR_HOST_MEMORY0x00000002UL; |
2034 | return NULL((void*)0); |
2035 | } |
2036 | |
2037 | privKey = (NSSLOWKEYPrivateKey *) |
2038 | PORT_ArenaZAllocPORT_ArenaZAlloc_Util(arena, sizeof(NSSLOWKEYPrivateKey)); |
2039 | if (privKey == NULL((void*)0)) { |
2040 | PORT_FreeArenaPORT_FreeArena_Util(arena, PR_FALSE0); |
2041 | *crvp = CKR_HOST_MEMORY0x00000002UL; |
2042 | return NULL((void*)0); |
2043 | } |
2044 | |
2045 | /* in future this would be a switch on key_type */ |
2046 | privKey->arena = arena; |
2047 | switch (key_type) { |
2048 | case CKK_RSA0x00000000UL: |
2049 | privKey->keyType = NSSLOWKEYRSAKey; |
2050 | |
2051 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000120UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.modulus |
2052 | &privKey->u.rsa.modulus, CKA_MODULUS)itemTemplate[itemTemplateCount].type = 0x00000120UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.modulus; |
2053 | itemTemplateCount++; |
2054 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000122UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.publicExponent |
2055 | &privKey->u.rsa.publicExponent, CKA_PUBLIC_EXPONENT)itemTemplate[itemTemplateCount].type = 0x00000122UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.publicExponent; |
2056 | itemTemplateCount++; |
2057 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000123UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.privateExponent |
2058 | &privKey->u.rsa.privateExponent, CKA_PRIVATE_EXPONENT)itemTemplate[itemTemplateCount].type = 0x00000123UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.privateExponent; |
2059 | itemTemplateCount++; |
2060 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000124UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.prime1 |
2061 | &privKey->u.rsa.prime1, CKA_PRIME_1)itemTemplate[itemTemplateCount].type = 0x00000124UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.prime1; |
2062 | itemTemplateCount++; |
2063 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000125UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.prime2 |
2064 | &privKey->u.rsa.prime2, CKA_PRIME_2)itemTemplate[itemTemplateCount].type = 0x00000125UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.prime2; |
2065 | itemTemplateCount++; |
2066 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000126UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.exponent1 |
2067 | &privKey->u.rsa.exponent1, CKA_EXPONENT_1)itemTemplate[itemTemplateCount].type = 0x00000126UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.exponent1; |
2068 | itemTemplateCount++; |
2069 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000127UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.exponent2 |
2070 | &privKey->u.rsa.exponent2, CKA_EXPONENT_2)itemTemplate[itemTemplateCount].type = 0x00000127UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.exponent2; |
2071 | itemTemplateCount++; |
2072 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000128UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.coefficient |
2073 | &privKey->u.rsa.coefficient, CKA_COEFFICIENT)itemTemplate[itemTemplateCount].type = 0x00000128UL; itemTemplate [itemTemplateCount].item = &privKey->u.rsa.coefficient; |
2074 | itemTemplateCount++; |
2075 | rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version, |
2076 | NSSLOWKEY_PRIVATE_KEY_INFO_VERSION0); |
2077 | if (rv != SECSuccess) |
2078 | crv = CKR_HOST_MEMORY0x00000002UL; |
2079 | break; |
2080 | |
2081 | case CKK_DSA0x00000001UL: |
2082 | privKey->keyType = NSSLOWKEYDSAKey; |
2083 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000130UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.params.prime |
2084 | &privKey->u.dsa.params.prime, CKA_PRIME)itemTemplate[itemTemplateCount].type = 0x00000130UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.params.prime; |
2085 | itemTemplateCount++; |
2086 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000131UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.params.subPrime |
2087 | &privKey->u.dsa.params.subPrime, CKA_SUBPRIME)itemTemplate[itemTemplateCount].type = 0x00000131UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.params.subPrime; |
2088 | itemTemplateCount++; |
2089 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000132UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.params.base |
2090 | &privKey->u.dsa.params.base, CKA_BASE)itemTemplate[itemTemplateCount].type = 0x00000132UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.params.base; |
2091 | itemTemplateCount++; |
2092 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000011UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.privateValue |
2093 | &privKey->u.dsa.privateValue, CKA_VALUE)itemTemplate[itemTemplateCount].type = 0x00000011UL; itemTemplate [itemTemplateCount].item = &privKey->u.dsa.privateValue; |
2094 | itemTemplateCount++; |
2095 | /* privKey was zero'd so public value is already set to NULL, 0 |
2096 | * if we don't set it explicitly */ |
2097 | break; |
2098 | |
2099 | case CKK_DH0x00000002UL: |
2100 | privKey->keyType = NSSLOWKEYDHKey; |
2101 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000130UL; itemTemplate [itemTemplateCount].item = &privKey->u.dh.prime |
2102 | &privKey->u.dh.prime, CKA_PRIME)itemTemplate[itemTemplateCount].type = 0x00000130UL; itemTemplate [itemTemplateCount].item = &privKey->u.dh.prime; |
2103 | itemTemplateCount++; |
2104 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000132UL; itemTemplate [itemTemplateCount].item = &privKey->u.dh.base |
2105 | &privKey->u.dh.base, CKA_BASE)itemTemplate[itemTemplateCount].type = 0x00000132UL; itemTemplate [itemTemplateCount].item = &privKey->u.dh.base; |
2106 | itemTemplateCount++; |
2107 | SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,itemTemplate[itemTemplateCount].type = 0x00000011UL; itemTemplate [itemTemplateCount].item = &privKey->u.dh.privateValue |
2108 | &privKey->u.dh.privateValue, CKA_VALUE)itemTemplate[itemTemplateCount].type = 0x00000011UL; itemTemplate [itemTemplateCount].item = &privKey->u.dh.privateValue; |
2109 | itemTemplateCount++; |
2110 | /* privKey was zero'd so public value is already set to NULL, 0 |
2111 | * if we don't set it explicitly */ |
2112 | break; |
2113 | case CKK_EC_EDWARDS0x00000040UL: |
2114 | case CKK_EC_MONTGOMERY0x00000041UL: |
2115 | case CKK_EC0x00000003UL: |
2116 | privKey->keyType = NSSLOWKEYECKey; |
2117 | crv = sftk_Attribute2SSecItem(arena, |
2118 | &privKey->u.ec.ecParams.DEREncoding, |
2119 | object, CKA_EC_PARAMS0x00000180UL); |
2120 | if (crv != CKR_OK0x00000000UL) |
2121 | break; |
2122 | |
2123 | /* Fill out the rest of the ecParams structure |
2124 | * based on the encoded params |
2125 | */ |
2126 | if (EC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding, |
2127 | &privKey->u.ec.ecParams) != SECSuccess) { |
2128 | crv = CKR_DOMAIN_PARAMS_INVALID0x00000130UL; |
2129 | break; |
2130 | } |
2131 | crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.privateValue, |
2132 | object, CKA_VALUE0x00000011UL); |
2133 | if (crv != CKR_OK0x00000000UL) |
2134 | break; |
2135 | |
2136 | if (sftk_hasAttribute(object, CKA_NSS_DB0xD5A0DB00L)) { |
2137 | crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.publicValue, |
2138 | object, CKA_NSS_DB0xD5A0DB00L); |
2139 | if (crv != CKR_OK0x00000000UL) |
2140 | break; |
2141 | /* privKey was zero'd so public value is already set to NULL, 0 |
2142 | * if we don't set it explicitly */ |
2143 | } |
2144 | rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version, |
2145 | NSSLOWKEY_EC_PRIVATE_KEY_VERSION1); |
2146 | if (rv != SECSuccess) { |
2147 | crv = CKR_HOST_MEMORY0x00000002UL; |
2148 | /* The following ifdef is needed for Linux arm distros and |
2149 | * Android as gcc 4.6 has a bug when targeting arm (but not |
2150 | * thumb). The bug has been fixed in gcc 4.7. |
2151 | * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56561 |
2152 | */ |
2153 | #if defined(__arm__) && !defined(__thumb__) && defined(__GNUC__4) |
2154 | *crvp = CKR_HOST_MEMORY0x00000002UL; |
2155 | break; |
2156 | #endif |
2157 | } |
2158 | break; |
2159 | |
2160 | case CKK_NSS_KYBER((0x80000000UL | 0x4E534350) + 5): |
2161 | break; |
2162 | |
2163 | default: |
2164 | crv = CKR_KEY_TYPE_INCONSISTENT0x00000063UL; |
2165 | break; |
2166 | } |
2167 | if (crv == CKR_OK0x00000000UL && itemTemplateCount != 0) { |
2168 | PORT_Assert(itemTemplateCount > 0)((itemTemplateCount > 0)?((void)0):PR_Assert("itemTemplateCount > 0" ,"pkcs11.c",2168)); |
2169 | PORT_Assert(itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE)((itemTemplateCount <= 10)?((void)0):PR_Assert("itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE" ,"pkcs11.c",2169)); |
2170 | crv = sftk_MultipleAttribute2SecItem(arena, object, itemTemplate, |
2171 | itemTemplateCount); |
2172 | } |
2173 | *crvp = crv; |
2174 | if (crv != CKR_OK0x00000000UL) { |
2175 | PORT_FreeArenaPORT_FreeArena_Util(arena, PR_TRUE1); |
2176 | return NULL((void*)0); |
2177 | } |
2178 | return privKey; |
2179 | } |
2180 | |
2181 | /* |
2182 | * If a partial RSA private key is present, fill in the rest if necessary, |
2183 | * and then verify the parameters are well-formed |
2184 | */ |
2185 | static SECStatus |
2186 | sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded) |
2187 | { |
2188 | RSAPrivateKey tmpKey = { 0 }; |
2189 | SFTKAttribute *modulus = NULL((void*)0); |
2190 | SFTKAttribute *prime1 = NULL((void*)0); |
2191 | SFTKAttribute *prime2 = NULL((void*)0); |
2192 | SFTKAttribute *privateExponent = NULL((void*)0); |
2193 | SFTKAttribute *publicExponent = NULL((void*)0); |
2194 | SFTKAttribute *exponent1 = NULL((void*)0); |
2195 | SFTKAttribute *exponent2 = NULL((void*)0); |
2196 | SFTKAttribute *coefficient = NULL((void*)0); |
2197 | SECStatus rv; |
2198 | CK_RV crv; |
2199 | |
2200 | /* first fill in the components that we have. Populate only uses |
2201 | * the non-crt components, so only fill those in */ |
2202 | tmpKey.arena = NULL((void*)0); |
2203 | modulus = sftk_FindAttribute(object, CKA_MODULUS0x00000120UL); |
2204 | if (modulus) { |
2205 | tmpKey.modulus.data = modulus->attrib.pValue; |
2206 | tmpKey.modulus.len = modulus->attrib.ulValueLen; |
2207 | } |
2208 | prime1 = sftk_FindAttribute(object, CKA_PRIME_10x00000124UL); |
2209 | if (prime1) { |
2210 | tmpKey.prime1.data = prime1->attrib.pValue; |
2211 | tmpKey.prime1.len = prime1->attrib.ulValueLen; |
2212 | } |
2213 | prime2 = sftk_FindAttribute(object, CKA_PRIME_20x00000125UL); |
2214 | if (prime2) { |
2215 | tmpKey.prime2.data = prime2->attrib.pValue; |
2216 | tmpKey.prime2.len = prime2->attrib.ulValueLen; |
2217 | } |
2218 | privateExponent = sftk_FindAttribute(object, CKA_PRIVATE_EXPONENT0x00000123UL); |
2219 | if (privateExponent) { |
2220 | tmpKey.privateExponent.data = privateExponent->attrib.pValue; |
2221 | tmpKey.privateExponent.len = privateExponent->attrib.ulValueLen; |
2222 | } |
2223 | publicExponent = sftk_FindAttribute(object, CKA_PUBLIC_EXPONENT0x00000122UL); |
2224 | if (publicExponent) { |
2225 | tmpKey.publicExponent.data = publicExponent->attrib.pValue; |
2226 | tmpKey.publicExponent.len = publicExponent->attrib.ulValueLen; |
2227 | } |
2228 | exponent1 = sftk_FindAttribute(object, CKA_EXPONENT_10x00000126UL); |
2229 | if (exponent1) { |
2230 | tmpKey.exponent1.data = exponent1->attrib.pValue; |
2231 | tmpKey.exponent1.len = exponent1->attrib.ulValueLen; |
2232 | } |
2233 | exponent2 = sftk_FindAttribute(object, CKA_EXPONENT_20x00000127UL); |
2234 | if (exponent2) { |
2235 | tmpKey.exponent2.data = exponent2->attrib.pValue; |
2236 | tmpKey.exponent2.len = exponent2->attrib.ulValueLen; |
2237 | } |
2238 | coefficient = sftk_FindAttribute(object, CKA_COEFFICIENT0x00000128UL); |
2239 | if (coefficient) { |
2240 | tmpKey.coefficient.data = coefficient->attrib.pValue; |
2241 | tmpKey.coefficient.len = coefficient->attrib.ulValueLen; |
2242 | } |
2243 | |
2244 | if (fillIfNeeded) { |
2245 | /* |
2246 | * populate requires one exponent plus 2 other components to work. |
2247 | * we expected our caller to check that first. If that didn't happen, |
2248 | * populate will simply return an error here. |
2249 | */ |
2250 | rv = RSA_PopulatePrivateKey(&tmpKey); |
2251 | if (rv != SECSuccess) { |
2252 | goto loser; |
2253 | } |
2254 | } |
2255 | rv = RSA_PrivateKeyCheck(&tmpKey); |
2256 | if (rv != SECSuccess) { |
2257 | goto loser; |
2258 | } |
2259 | /* now that we have a fully populated key, set all our attribute values */ |
2260 | rv = SECFailure; |
2261 | if (!modulus || modulus->attrib.pValue != tmpKey.modulus.data) { |
2262 | crv = sftk_forceAttribute(object, CKA_MODULUS0x00000120UL, |
2263 | sftk_item_expand(&tmpKey.modulus)(&tmpKey.modulus)->data, (&tmpKey.modulus)->len); |
2264 | if (crv != CKR_OK0x00000000UL) |
2265 | goto loser; |
2266 | } |
2267 | if (!publicExponent || |
2268 | publicExponent->attrib.pValue != tmpKey.publicExponent.data) { |
2269 | crv = sftk_forceAttribute(object, CKA_PUBLIC_EXPONENT0x00000122UL, |
2270 | sftk_item_expand(&tmpKey.publicExponent)(&tmpKey.publicExponent)->data, (&tmpKey.publicExponent )->len); |
2271 | if (crv != CKR_OK0x00000000UL) |
2272 | goto loser; |
2273 | } |
2274 | if (!privateExponent || |
2275 | privateExponent->attrib.pValue != tmpKey.privateExponent.data) { |
2276 | crv = sftk_forceAttribute(object, CKA_PRIVATE_EXPONENT0x00000123UL, |
2277 | sftk_item_expand(&tmpKey.privateExponent)(&tmpKey.privateExponent)->data, (&tmpKey.privateExponent )->len); |
2278 | if (crv != CKR_OK0x00000000UL) |
2279 | goto loser; |
2280 | } |
2281 | if (!prime1 || prime1->attrib.pValue != tmpKey.prime1.data) { |
2282 | crv = sftk_forceAttribute(object, CKA_PRIME_10x00000124UL, |
2283 | sftk_item_expand(&tmpKey.prime1)(&tmpKey.prime1)->data, (&tmpKey.prime1)->len); |
2284 | if (crv != CKR_OK0x00000000UL) |
2285 | goto loser; |
2286 | } |
2287 | if (!prime2 || prime2->attrib.pValue != tmpKey.prime2.data) { |
2288 | crv = sftk_forceAttribute(object, CKA_PRIME_20x00000125UL, |
2289 | sftk_item_expand(&tmpKey.prime2)(&tmpKey.prime2)->data, (&tmpKey.prime2)->len); |
2290 | if (crv != CKR_OK0x00000000UL) |
2291 | goto loser; |
2292 | } |
2293 | if (!exponent1 || exponent1->attrib.pValue != tmpKey.exponent1.data) { |
2294 | crv = sftk_forceAttribute(object, CKA_EXPONENT_10x00000126UL, |
2295 | sftk_item_expand(&tmpKey.exponent1)(&tmpKey.exponent1)->data, (&tmpKey.exponent1)-> len); |
2296 | if (crv != CKR_OK0x00000000UL) |
2297 | goto loser; |
2298 | } |
2299 | if (!exponent2 || exponent2->attrib.pValue != tmpKey.exponent2.data) { |
2300 | crv = sftk_forceAttribute(object, CKA_EXPONENT_20x00000127UL, |
2301 | sftk_item_expand(&tmpKey.exponent2)(&tmpKey.exponent2)->data, (&tmpKey.exponent2)-> len); |
2302 | if (crv != CKR_OK0x00000000UL) |
2303 | goto loser; |
2304 | } |
2305 | if (!coefficient || coefficient->attrib.pValue != tmpKey.coefficient.data) { |
2306 | crv = sftk_forceAttribute(object, CKA_COEFFICIENT0x00000128UL, |
2307 | sftk_item_expand(&tmpKey.coefficient)(&tmpKey.coefficient)->data, (&tmpKey.coefficient) ->len); |
2308 | if (crv != CKR_OK0x00000000UL) |
2309 | goto loser; |
2310 | } |
2311 | rv = SECSuccess; |
2312 | |
2313 | /* we're done (one way or the other), clean up all our stuff */ |
2314 | loser: |
2315 | if (tmpKey.arena) { |
2316 | PORT_FreeArenaPORT_FreeArena_Util(tmpKey.arena, PR_TRUE1); |
2317 | } |
2318 | if (modulus) { |
2319 | sftk_FreeAttribute(modulus); |
2320 | } |
2321 | if (prime1) { |
2322 | sftk_FreeAttribute(prime1); |
2323 | } |
2324 | if (prime2) { |
2325 | sftk_FreeAttribute(prime2); |
2326 | } |
2327 | if (privateExponent) { |
2328 | sftk_FreeAttribute(privateExponent); |
2329 | } |
2330 | if (publicExponent) { |
2331 | sftk_FreeAttribute(publicExponent); |
2332 | } |
2333 | if (exponent1) { |
2334 | sftk_FreeAttribute(exponent1); |
2335 | } |
2336 | if (exponent2) { |
2337 | sftk_FreeAttribute(exponent2); |
2338 | } |
2339 | if (coefficient) { |
2340 | sftk_FreeAttribute(coefficient); |
2341 | } |
2342 | return rv; |
2343 | } |
2344 | |
2345 | /* Generate a low private key structure from an object */ |
2346 | NSSLOWKEYPrivateKey * |
2347 | sftk_GetPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp) |
2348 | { |
2349 | NSSLOWKEYPrivateKey *priv = NULL((void*)0); |
2350 | |
2351 | if (object->objclass != CKO_PRIVATE_KEY0x00000003UL) { |
2352 | *crvp = CKR_KEY_TYPE_INCONSISTENT0x00000063UL; |
2353 | return NULL((void*)0); |
2354 | } |
2355 | if (object->objectInfo) { |
2356 | *crvp = CKR_OK0x00000000UL; |
2357 | return (NSSLOWKEYPrivateKey *)object->objectInfo; |
2358 | } |
2359 | |
2360 | priv = sftk_mkPrivKey(object, key_type, crvp); |
2361 | object->objectInfo = priv; |
2362 | object->infoFree = (SFTKFree)nsslowkey_DestroyPrivateKey; |
2363 | return priv; |
2364 | } |
2365 | |
2366 | /* populate a public key object from a lowpublic keys structure */ |
2367 | CK_RV |
2368 | sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey) |
2369 | { |
2370 | CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY0x00000002UL; |
2371 | CK_BBOOL cktrue = CK_TRUE1; |
2372 | CK_RV crv = CKR_OK0x00000000UL; |
2373 | sftk_DeleteAttributeType(publicKey, CKA_CLASS0x00000000UL); |
2374 | sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE0x00000100UL); |
2375 | sftk_DeleteAttributeType(publicKey, CKA_VALUE0x00000011UL); |
2376 | |
2377 | switch (keyType) { |
2378 | case CKK_RSA0x00000000UL: |
2379 | sftk_DeleteAttributeType(publicKey, CKA_MODULUS0x00000120UL); |
2380 | sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT0x00000122UL); |
2381 | /* format the keys */ |
2382 | /* fill in the RSA dependent paramenters in the public key */ |
2383 | crv = sftk_AddAttributeType(publicKey, CKA_MODULUS0x00000120UL, |
2384 | sftk_item_expand(&pubKey->u.rsa.modulus)(&pubKey->u.rsa.modulus)->data, (&pubKey->u. rsa.modulus)->len); |
2385 | if (crv != CKR_OK0x00000000UL) { |
2386 | break; |
2387 | } |
2388 | crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT0x00000122UL, |
2389 | sftk_item_expand(&pubKey->u.rsa.publicExponent)(&pubKey->u.rsa.publicExponent)->data, (&pubKey ->u.rsa.publicExponent)->len); |
2390 | break; |
2391 | case CKK_DSA0x00000001UL: |
2392 | sftk_DeleteAttributeType(publicKey, CKA_PRIME0x00000130UL); |
2393 | sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME0x00000131UL); |
2394 | sftk_DeleteAttributeType(publicKey, CKA_BASE0x00000132UL); |
2395 | crv = sftk_AddAttributeType(publicKey, CKA_PRIME0x00000130UL, |
2396 | sftk_item_expand(&pubKey->u.dsa.params.prime)(&pubKey->u.dsa.params.prime)->data, (&pubKey-> u.dsa.params.prime)->len); |
2397 | if (crv != CKR_OK0x00000000UL) { |
2398 | break; |
2399 | } |
2400 | crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME0x00000131UL, |
2401 | sftk_item_expand(&pubKey->u.dsa.params.subPrime)(&pubKey->u.dsa.params.subPrime)->data, (&pubKey ->u.dsa.params.subPrime)->len); |
2402 | if (crv != CKR_OK0x00000000UL) { |
2403 | break; |
2404 | } |
2405 | crv = sftk_AddAttributeType(publicKey, CKA_BASE0x00000132UL, |
2406 | sftk_item_expand(&pubKey->u.dsa.params.base)(&pubKey->u.dsa.params.base)->data, (&pubKey-> u.dsa.params.base)->len); |
2407 | if (crv != CKR_OK0x00000000UL) { |
2408 | break; |
2409 | } |
2410 | crv = sftk_AddAttributeType(publicKey, CKA_VALUE0x00000011UL, |
2411 | sftk_item_expand(&pubKey->u.dsa.publicValue)(&pubKey->u.dsa.publicValue)->data, (&pubKey-> u.dsa.publicValue)->len); |
2412 | break; |
2413 | case CKK_DH0x00000002UL: |
2414 | sftk_DeleteAttributeType(publicKey, CKA_PRIME0x00000130UL); |
2415 | sftk_DeleteAttributeType(publicKey, CKA_BASE0x00000132UL); |
2416 | crv = sftk_AddAttributeType(publicKey, CKA_PRIME0x00000130UL, |
2417 | sftk_item_expand(&pubKey->u.dh.prime)(&pubKey->u.dh.prime)->data, (&pubKey->u.dh. prime)->len); |
2418 | if (crv != CKR_OK0x00000000UL) { |
2419 | break; |
2420 | } |
2421 | crv = sftk_AddAttributeType(publicKey, CKA_BASE0x00000132UL, |
2422 | sftk_item_expand(&pubKey->u.dh.base)(&pubKey->u.dh.base)->data, (&pubKey->u.dh.base )->len); |
2423 | if (crv != CKR_OK0x00000000UL) { |
2424 | break; |
2425 | } |
2426 | crv = sftk_AddAttributeType(publicKey, CKA_VALUE0x00000011UL, |
2427 | sftk_item_expand(&pubKey->u.dh.publicValue)(&pubKey->u.dh.publicValue)->data, (&pubKey-> u.dh.publicValue)->len); |
2428 | break; |
2429 | case CKK_EC0x00000003UL: |
2430 | case CKK_EC_MONTGOMERY0x00000041UL: |
2431 | case CKK_EC_EDWARDS0x00000040UL: |
2432 | sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS0x00000180UL); |
2433 | sftk_DeleteAttributeType(publicKey, CKA_EC_POINT0x00000181UL); |
2434 | crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS0x00000180UL, |
2435 | sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding)(&pubKey->u.ec.ecParams.DEREncoding)->data, (&pubKey ->u.ec.ecParams.DEREncoding)->len); |
2436 | if (crv != CKR_OK0x00000000UL) { |
2437 | break; |
2438 | } |
2439 | crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT0x00000181UL, |
2440 | sftk_item_expand(&pubKey->u.ec.publicValue)(&pubKey->u.ec.publicValue)->data, (&pubKey-> u.ec.publicValue)->len); |
2441 | break; |
2442 | default: |
2443 | return CKR_KEY_TYPE_INCONSISTENT0x00000063UL; |
2444 | } |
2445 | if (crv != CKR_OK0x00000000UL) { |
2446 | return crv; |
2447 | } |
2448 | crv = sftk_AddAttributeType(publicKey, CKA_CLASS0x00000000UL, &classType, |
2449 | sizeof(CK_OBJECT_CLASS)); |
2450 | if (crv != CKR_OK0x00000000UL) { |
2451 | return crv; |
2452 | } |
2453 | crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE0x00000100UL, &keyType, |
2454 | sizeof(CK_KEY_TYPE)); |
2455 | if (crv != CKR_OK0x00000000UL) { |
2456 | return crv; |
2457 | } |
2458 | /* now handle the operator attributes */ |
2459 | if (sftk_isTrue(privateKey, CKA_DECRYPT0x00000105UL)) { |
2460 | crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT0x00000104UL, &cktrue, sizeof(CK_BBOOL)); |
2461 | if (crv != CKR_OK0x00000000UL) { |
2462 | return crv; |
2463 | } |
2464 | } |
2465 | if (sftk_isTrue(privateKey, CKA_SIGN0x00000108UL)) { |
2466 | crv = sftk_forceAttribute(publicKey, CKA_VERIFY0x0000010AUL, &cktrue, sizeof(CK_BBOOL)); |
2467 | if (crv != CKR_OK0x00000000UL) { |
2468 | return crv; |
2469 | } |
2470 | } |
2471 | if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER0x00000109UL)) { |
2472 | crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER0x0000010BUL, &cktrue, sizeof(CK_BBOOL)); |
2473 | if (crv != CKR_OK0x00000000UL) { |
2474 | return crv; |
2475 | } |
2476 | } |
2477 | if (sftk_isTrue(privateKey, CKA_DERIVE0x0000010CUL)) { |
2478 | crv = sftk_forceAttribute(publicKey, CKA_DERIVE0x0000010CUL, &cktrue, sizeof(CK_BBOOL)); |
2479 | if (crv != CKR_OK0x00000000UL) { |
2480 | return crv; |
2481 | } |
2482 | } |
2483 | return crv; |
2484 | } |
2485 | |
2486 | /* |
2487 | **************************** Symetric Key utils ************************ |
2488 | */ |
2489 | /* |
2490 | * set the DES key with parity bits correctly |
2491 | */ |
2492 | void |
2493 | sftk_FormatDESKey(unsigned char *key, int length) |
2494 | { |
2495 | int i; |
2496 | |
2497 | /* format the des key */ |
2498 | for (i = 0; i < length; i++) { |
2499 | key[i] = parityTable[key[i] >> 1]; |
2500 | } |
2501 | } |
2502 | |
2503 | /* |
2504 | * check a des key (des2 or des3 subkey) for weak keys. |
2505 | */ |
2506 | PRBool |
2507 | sftk_CheckDESKey(unsigned char *key) |
2508 | { |
2509 | int i; |
2510 | |
2511 | /* format the des key with parity */ |
2512 | sftk_FormatDESKey(key, 8); |
2513 | |
2514 | for (i = 0; i < sftk_desWeakTableSize; i++) { |
2515 | if (PORT_Memcmpmemcmp(key, sftk_desWeakTable[i], 8) == 0) { |
2516 | return PR_TRUE1; |
2517 | } |
2518 | } |
2519 | return PR_FALSE0; |
2520 | } |
2521 | |
2522 | /* |
2523 | * check if a des or triple des key is weak. |
2524 | */ |
2525 | PRBool |
2526 | sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type) |
2527 | { |
2528 | |
2529 | switch (key_type) { |
2530 | case CKK_DES0x00000013UL: |
2531 | return sftk_CheckDESKey(key); |
2532 | case CKM_DES2_KEY_GEN0x00000130UL: |
2533 | if (sftk_CheckDESKey(key)) |
2534 | return PR_TRUE1; |
2535 | return sftk_CheckDESKey(&key[8]); |
2536 | case CKM_DES3_KEY_GEN0x00000131UL: |
2537 | if (sftk_CheckDESKey(key)) |
2538 | return PR_TRUE1; |
2539 | if (sftk_CheckDESKey(&key[8])) |
2540 | return PR_TRUE1; |
2541 | return sftk_CheckDESKey(&key[16]); |
2542 | default: |
2543 | break; |
2544 | } |
2545 | return PR_FALSE0; |
2546 | } |
2547 | |
2548 | /********************************************************************** |
2549 | * |
2550 | * Start of PKCS 11 functions |
2551 | * |
2552 | **********************************************************************/ |
2553 | |
2554 | /* return the function list */ |
2555 | CK_RV |
2556 | NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) |
2557 | { |
2558 | *pFunctionList = (CK_FUNCTION_LIST_PTR)&sftk_funcList_v2; |
2559 | return CKR_OK0x00000000UL; |
2560 | } |
2561 | |
2562 | /* return the function list */ |
2563 | CK_RV |
2564 | C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) |
2565 | { |
2566 | #ifdef NSS_FIPS_DISABLED |
2567 | return NSC_GetFunctionList(pFunctionList); |
2568 | #else |
2569 | if (NSS_GetSystemFIPSEnabled()) { |
2570 | return FC_GetFunctionList(pFunctionList); |
2571 | } else { |
2572 | return NSC_GetFunctionList(pFunctionList); |
2573 | } |
2574 | #endif |
2575 | } |
2576 | |
2577 | CK_RV |
2578 | NSC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount) |
2579 | { |
2580 | CK_ULONG count = *pulCount; |
2581 | *pulCount = NSS_INTERFACE_COUNT5; |
2582 | if (interfaces == NULL((void*)0)) { |
2583 | return CKR_OK0x00000000UL; |
2584 | } |
2585 | if (count < NSS_INTERFACE_COUNT5) { |
2586 | return CKR_BUFFER_TOO_SMALL0x00000150UL; |
2587 | } |
2588 | PORT_Memcpymemcpy(interfaces, nss_interfaces, sizeof(nss_interfaces)); |
2589 | return CKR_OK0x00000000UL; |
2590 | } |
2591 | |
2592 | CK_RV |
2593 | C_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount) |
2594 | { |
2595 | #ifdef NSS_FIPS_DISABLED |
2596 | return NSC_GetInterfaceList(interfaces, pulCount); |
2597 | #else |
2598 | if (NSS_GetSystemFIPSEnabled()) { |
2599 | return FC_GetInterfaceList(interfaces, pulCount); |
2600 | } else { |
2601 | return NSC_GetInterfaceList(interfaces, pulCount); |
2602 | } |
2603 | #endif |
2604 | } |
2605 | |
2606 | /* |
2607 | * Get the requested interface, use the nss_interfaces array so we can |
2608 | * easily add new interfaces as they occur. |
2609 | */ |
2610 | CK_RV |
2611 | NSC_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion, |
2612 | CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags) |
2613 | { |
2614 | int i; |
2615 | for (i = 0; i < NSS_INTERFACE_COUNT5; i++) { |
2616 | CK_INTERFACE_PTR interface = &nss_interfaces[i]; |
2617 | if (pInterfaceName && PORT_Strcmpstrcmp((char *)pInterfaceName, (char *)interface->pInterfaceName) != 0) { |
2618 | continue; |
2619 | } |
2620 | if (pVersion && PORT_Memcmpmemcmp(pVersion, (CK_VERSION *)interface->pFunctionList, sizeof(CK_VERSION)) != 0) { |
2621 | continue; |
2622 | } |
2623 | if (flags & ((interface->flags & flags) != flags)) { |
2624 | continue; |
2625 | } |
2626 | *ppInterface = interface; |
2627 | return CKR_OK0x00000000UL; |
2628 | } |
2629 | return CKR_ARGUMENTS_BAD0x00000007UL; |
2630 | } |
2631 | |
2632 | CK_RV |
2633 | C_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion, |
2634 | CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags) |
2635 | { |
2636 | #ifdef NSS_FIPS_DISABLED |
2637 | return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags); |
2638 | #else |
2639 | if (NSS_GetSystemFIPSEnabled()) { |
2640 | return FC_GetInterface(pInterfaceName, pVersion, ppInterface, flags); |
2641 | } else { |
2642 | return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags); |
2643 | } |
2644 | #endif |
2645 | } |
2646 | |
2647 | static PLHashNumber |
2648 | sftk_HashNumber(const void *key) |
2649 | { |
2650 | return (PLHashNumber)((char *)key - (char *)NULL((void*)0)); |
2651 | } |
2652 | |
2653 | /* |
2654 | * eventually I'd like to expunge all occurances of XXX_SLOT_ID and |
2655 | * just go with the info in the slot. This is one place, however, |
2656 | * where it might be a little difficult. |
2657 | */ |
2658 | const char * |
2659 | sftk_getDefTokName(CK_SLOT_ID slotID) |
2660 | { |
2661 | static char buf[33]; |
2662 | |
2663 | switch (slotID) { |
2664 | case NETSCAPE_SLOT_ID1: |
2665 | return "NSS Generic Crypto Services "; |
2666 | case PRIVATE_KEY_SLOT_ID2: |
2667 | return "NSS Certificate DB "; |
2668 | case FIPS_SLOT_ID3: |
2669 | return "NSS FIPS 140-2 Certificate DB "; |
2670 | default: |
2671 | break; |
2672 | } |
2673 | snprintf(buf, sizeof(buf), "NSS Application Token %08x ", (unsigned int)slotID); |
2674 | return buf; |
2675 | } |
2676 | |
2677 | const char * |
2678 | sftk_getDefSlotName(CK_SLOT_ID slotID) |
2679 | { |
2680 | static char buf[65]; |
2681 | |
2682 | switch (slotID) { |
2683 | case NETSCAPE_SLOT_ID1: |
2684 | return "NSS Internal Cryptographic Services "; |
2685 | case PRIVATE_KEY_SLOT_ID2: |
2686 | return "NSS User Private Key and Certificate Services "; |
2687 | case FIPS_SLOT_ID3: |
2688 | return "NSS FIPS 140-2 User Private Key Services "; |
2689 | default: |
2690 | break; |
2691 | } |
2692 | snprintf(buf, sizeof(buf), |
2693 | "NSS Application Slot %08x ", |
2694 | (unsigned int)slotID); |
2695 | return buf; |
2696 | } |
2697 | |
2698 | static CK_ULONG nscSlotCount[2] = { 0, 0 }; |
2699 | static CK_SLOT_ID_PTR nscSlotList[2] = { NULL((void*)0), NULL((void*)0) }; |
2700 | static CK_ULONG nscSlotListSize[2] = { 0, 0 }; |
2701 | static PLHashTable *nscSlotHashTable[2] = { NULL((void*)0), NULL((void*)0) }; |
2702 | |
2703 | static unsigned int |
2704 | sftk_GetModuleIndex(CK_SLOT_ID slotID) |
2705 | { |
2706 | if (sftk_isFIPS(slotID)(((slotID) == 3) || ((slotID) >= 101))) { |
2707 | return NSC_FIPS_MODULE1; |
2708 | } |
2709 | return NSC_NON_FIPS_MODULE0; |
2710 | } |
2711 | |
2712 | /* look up a slot structure from the ID (used to be a macro when we only |
2713 | * had two slots) */ |
2714 | /* if all is true, return the slot even if it has been 'unloaded' */ |
2715 | /* if all is false, only return the slots which are present */ |
2716 | SFTKSlot * |
2717 | sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all) |
2718 | { |
2719 | SFTKSlot *slot; |
2720 | unsigned int index = sftk_GetModuleIndex(slotID); |
2721 | |
2722 | if (nscSlotHashTable[index] == NULL((void*)0)) |
2723 | return NULL((void*)0); |
2724 | slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], |
2725 | (void *)(uintptr_t)slotID); |
2726 | /* cleared slots shouldn't 'show up' */ |
2727 | if (slot && !all && !slot->present) |
2728 | slot = NULL((void*)0); |
2729 | return slot; |
2730 | } |
2731 | |
2732 | CK_SLOT_ID |
2733 | sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle) |
2734 | { |
2735 | CK_ULONG slotIDIndex = (handle >> 24) & 0x7f; |
2736 | CK_ULONG moduleIndex = (handle >> 31) & 1; |
2737 | |
2738 | if (slotIDIndex >= nscSlotCount[moduleIndex]) { |
2739 | return (CK_SLOT_ID)-1; |
2740 | } |
2741 | return nscSlotList[moduleIndex][slotIDIndex]; |
2742 | } |
2743 | |
2744 | SFTKSlot * |
2745 | sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle) |
2746 | { |
2747 | return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE0); |
2748 | } |
2749 | |
2750 | static CK_RV |
2751 | sftk_RegisterSlot(SFTKSlot *slot, unsigned int moduleIndex) |
2752 | { |
2753 | PLHashEntry *entry; |
2754 | unsigned int index; |
2755 | |
2756 | index = sftk_GetModuleIndex(slot->slotID); |
2757 | |
2758 | /* make sure the slotID for this module is valid */ |
2759 | if (moduleIndex != index) { |
2760 | return CKR_SLOT_ID_INVALID0x00000003UL; |
2761 | } |
2762 | |
2763 | if (nscSlotList[index] == NULL((void*)0)) { |
2764 | nscSlotListSize[index] = NSC_SLOT_LIST_BLOCK_SIZE10; |
2765 | nscSlotList[index] = (CK_SLOT_ID *) |
2766 | PORT_ZAllocPORT_ZAlloc_Util(nscSlotListSize[index] * sizeof(CK_SLOT_ID)); |
2767 | if (nscSlotList[index] == NULL((void*)0)) { |
2768 | return CKR_HOST_MEMORY0x00000002UL; |
2769 | } |
2770 | } |
2771 | if (nscSlotCount[index] >= nscSlotListSize[index]) { |
2772 | CK_SLOT_ID *oldNscSlotList = nscSlotList[index]; |
2773 | CK_ULONG oldNscSlotListSize = nscSlotListSize[index]; |
2774 | nscSlotListSize[index] += NSC_SLOT_LIST_BLOCK_SIZE10; |
2775 | nscSlotList[index] = (CK_SLOT_ID *)PORT_ReallocPORT_Realloc_Util(oldNscSlotList, |
2776 | nscSlotListSize[index] * sizeof(CK_SLOT_ID)); |
2777 | if (nscSlotList[index] == NULL((void*)0)) { |
2778 | /* evidently coverity doesn't know realloc does not |
2779 | * free var if it fails ! */ |
2780 | /* coverity [use_after_free : FALSE] */ |
2781 | nscSlotList[index] = oldNscSlotList; |
2782 | nscSlotListSize[index] = oldNscSlotListSize; |
2783 | return CKR_HOST_MEMORY0x00000002UL; |
2784 | } |
2785 | } |
2786 | |
2787 | if (nscSlotHashTable[index] == NULL((void*)0)) { |
2788 | nscSlotHashTable[index] = PL_NewHashTable(64, sftk_HashNumber, |
2789 | PL_CompareValues, PL_CompareValues, NULL((void*)0), 0); |
2790 | if (nscSlotHashTable[index] == NULL((void*)0)) { |
2791 | return CKR_HOST_MEMORY0x00000002UL; |
2792 | } |
2793 | } |
2794 | |
2795 | entry = PL_HashTableAdd(nscSlotHashTable[index], (void *)(uintptr_t)slot->slotID, slot); |
2796 | if (entry == NULL((void*)0)) { |
2797 | return CKR_HOST_MEMORY0x00000002UL; |
2798 | } |
2799 | slot->index = (nscSlotCount[index] & 0x7f) | ((index << 7) & 0x80); |
2800 | nscSlotList[index][nscSlotCount[index]++] = slot->slotID; |
2801 | |
2802 | return CKR_OK0x00000000UL; |
2803 | } |
2804 | |
2805 | /* |
2806 | * ths function has all the common initialization that happens whenever we |
2807 | * create a new slot or repurpose an old slot (only valid for slotID's 4 |
2808 | * and greater). |
2809 | * |
2810 | * things that are not reinitialized are: |
2811 | * slotID (can't change) |
2812 | * slotDescription (can't change once defined) |
2813 | * the locks and hash tables (difficult to change in running code, and |
2814 | * unnecessary. hash tables and list are cleared on shutdown, but they |
2815 | * are cleared in a 'friendly' way). |
2816 | * session and object ID counters -- so any old sessions and objects in the |
2817 | * application will get properly notified that the world has changed. |
2818 | * |
2819 | * things that are reinitialized: |
2820 | * database (otherwise what would the point be;). |
2821 | * state variables related to databases. |
2822 | * session count stat info. |
2823 | * tokenDescription. |
2824 | * |
2825 | * NOTE: slotID's 4 and greater show up as removable devices. |
2826 | * |
2827 | */ |
2828 | CK_RV |
2829 | SFTK_SlotReInit(SFTKSlot *slot, char *configdir, char *updatedir, |
2830 | char *updateID, sftk_token_parameters *params, |
2831 | unsigned int moduleIndex) |
2832 | { |
2833 | PRBool needLogin = !params->noKeyDB; |
2834 | CK_RV crv; |
2835 | |
2836 | slot->hasTokens = PR_FALSE0; |
2837 | slot->sessionIDConflict = 0; |
2838 | slot->sessionCount = 0; |
2839 | slot->rwSessionCount = 0; |
2840 | slot->needLogin = PR_FALSE0; |
2841 | slot->isLoggedIn = PR_FALSE0; |
2842 | slot->ssoLoggedIn = PR_FALSE0; |
2843 | slot->DB_loaded = PR_FALSE0; |
2844 | slot->certDB = NULL((void*)0); |
2845 | slot->keyDB = NULL((void*)0); |
2846 | slot->minimumPinLen = 0; |
2847 | slot->readOnly = params->readOnly; |
2848 | sftk_setStringName(params->tokdes ? params->tokdes : sftk_getDefTokName(slot->slotID), slot->tokDescription, |
2849 | sizeof(slot->tokDescription), PR_TRUE1); |
2850 | sftk_setStringName(params->updtokdes ? params->updtokdes : " ", |
2851 | slot->updateTokDescription, |
2852 | sizeof(slot->updateTokDescription), PR_TRUE1); |
2853 | |
2854 | if ((!params->noCertDB) || (!params->noKeyDB)) { |
2855 | SFTKDBHandle *certHandle = NULL((void*)0); |
2856 | SFTKDBHandle *keyHandle = NULL((void*)0); |
2857 | crv = sftk_DBInit(params->configdir ? params->configdir : configdir, |
2858 | params->certPrefix, params->keyPrefix, |
2859 | params->updatedir ? params->updatedir : updatedir, |
2860 | params->updCertPrefix, params->updKeyPrefix, |
2861 | params->updateID ? params->updateID : updateID, |
2862 | params->readOnly, params->noCertDB, params->noKeyDB, |
2863 | params->forceOpen, |
2864 | moduleIndex == NSC_FIPS_MODULE1, |
2865 | &certHandle, &keyHandle); |
2866 | if (crv != CKR_OK0x00000000UL) { |
2867 | goto loser; |
2868 | } |
2869 | |
2870 | slot->certDB = certHandle; |
2871 | slot->keyDB = keyHandle; |
2872 | } |
2873 | if (needLogin) { |
2874 | /* if the data base is initialized with a null password,remember that */ |
2875 | slot->needLogin = |
2876 | (PRBool)!sftk_hasNullPassword(slot, slot->keyDB); |
2877 | if ((params->minPW >= 0) && (params->minPW <= SFTK_MAX_PIN500)) { |
2878 | slot->minimumPinLen = params->minPW; |
2879 | } |
2880 | if ((slot->minimumPinLen == 0) && (params->pwRequired)) { |
2881 | slot->minimumPinLen = 1; |
2882 | } |
2883 | /* Make sure the pin len is set to the Minimum allowed value for fips |
2884 | * when in FIPS mode. NOTE: we don't set it if the database has not |
2885 | * been initialized yet so that we can init into level1 mode if needed |
2886 | */ |
2887 | if ((sftkdb_HasPasswordSet(slot->keyDB) == SECSuccess) && |
2888 | (moduleIndex == NSC_FIPS_MODULE1) && |
2889 | (slot->minimumPinLen < FIPS_MIN_PIN7)) { |
2890 | slot->minimumPinLen = FIPS_MIN_PIN7; |
2891 | } |
2892 | } |
2893 | |
2894 | slot->present = PR_TRUE1; |
2895 | return CKR_OK0x00000000UL; |
2896 | |
2897 | loser: |
2898 | SFTK_ShutdownSlot(slot); |
2899 | return crv; |
2900 | } |
2901 | |
2902 | /* |
2903 | * initialize one of the slot structures. figure out which by the ID |
2904 | */ |
2905 | CK_RV |
2906 | SFTK_SlotInit(char *configdir, char *updatedir, char *updateID, |
2907 | sftk_token_parameters *params, unsigned int moduleIndex) |
2908 | { |
2909 | unsigned int i; |
2910 | CK_SLOT_ID slotID = params->slotID; |
2911 | SFTKSlot *slot; |
2912 | CK_RV crv = CKR_HOST_MEMORY0x00000002UL; |
2913 | |
2914 | /* |
2915 | * first we initialize everything that is 'permanent' with this slot. |
2916 | * that is everything we aren't going to shutdown if we close this slot |
2917 | * and open it up again with different databases */ |
2918 | |
2919 | slot = PORT_ZNew(SFTKSlot)(SFTKSlot *)PORT_ZAlloc_Util(sizeof(SFTKSlot)); |
2920 | |
2921 | if (slot == NULL((void*)0)) { |
2922 | return CKR_HOST_MEMORY0x00000002UL; |
2923 | } |
2924 | |
2925 | slot->optimizeSpace = params->optimizeSpace; |
2926 | if (slot->optimizeSpace) { |
2927 | slot->sessObjHashSize = SPACE_SESSION_OBJECT_HASH_SIZE32; |
2928 | slot->sessHashSize = SPACE_SESSION_HASH_SIZE32; |
2929 | slot->numSessionLocks = 1; |
2930 | } else { |
2931 | slot->sessObjHashSize = TIME_SESSION_OBJECT_HASH_SIZE1024; |
2932 | slot->sessHashSize = TIME_SESSION_HASH_SIZE1024; |
2933 | slot->numSessionLocks = slot->sessHashSize / BUCKETS_PER_SESSION_LOCK(1 << (1)); |
2934 | } |
2935 | slot->sessionLockMask = slot->numSessionLocks - 1; |
2936 | |
2937 | slot->slotLock = PZ_NewLock(nssILockSession)PR_NewLock(); |
2938 | if (slot->slotLock == NULL((void*)0)) |
2939 | goto mem_loser; |
2940 | slot->sessionLock = PORT_ZNewArray(PZLock *, slot->numSessionLocks)(PRLock * *)PORT_ZAlloc_Util(sizeof(PRLock *) * (slot->numSessionLocks )); |
2941 | if (slot->sessionLock == NULL((void*)0)) |
2942 | goto mem_loser; |
2943 | for (i = 0; i < slot->numSessionLocks; i++) { |
2944 | slot->sessionLock[i] = PZ_NewLock(nssILockSession)PR_NewLock(); |
2945 | if (slot->sessionLock[i] == NULL((void*)0)) |
2946 | goto mem_loser; |
2947 | } |
2948 | slot->objectLock = PZ_NewLock(nssILockObject)PR_NewLock(); |
2949 | if (slot->objectLock == NULL((void*)0)) |
2950 | goto mem_loser; |
2951 | slot->pwCheckLock = PR_NewLock(); |
2952 | if (slot->pwCheckLock == NULL((void*)0)) |
2953 | goto mem_loser; |
2954 | slot->head = PORT_ZNewArray(SFTKSession *, slot->sessHashSize)(SFTKSession * *)PORT_ZAlloc_Util(sizeof(SFTKSession *) * (slot ->sessHashSize)); |
2955 | if (slot->head == NULL((void*)0)) |
2956 | goto mem_loser; |
2957 | slot->sessObjHashTable = PORT_ZNewArray(SFTKObject *, slot->sessObjHashSize)(SFTKObject * *)PORT_ZAlloc_Util(sizeof(SFTKObject *) * (slot ->sessObjHashSize)); |
2958 | if (slot->sessObjHashTable == NULL((void*)0)) |
2959 | goto mem_loser; |
2960 | slot->tokObjHashTable = PL_NewHashTable(64, sftk_HashNumber, PL_CompareValues, |
2961 | SECITEM_HashCompare, NULL((void*)0), 0); |
2962 | if (slot->tokObjHashTable == NULL((void*)0)) |
2963 | goto mem_loser; |
2964 | |
2965 | slot->sessionIDCount = 0; |
2966 | slot->sessionObjectHandleCount = NSC_MIN_SESSION_OBJECT_HANDLE1U; |
2967 | slot->slotID = slotID; |
2968 | sftk_setStringName(params->slotdes ? params->slotdes : sftk_getDefSlotName(slotID), slot->slotDescription, |
2969 | sizeof(slot->slotDescription), PR_TRUE1); |
2970 | crv = sftk_InitSession(&slot->moduleObjects, slot, slotID, NULL((void*)0), NULL((void*)0), |
2971 | CKF_SERIAL_SESSION0x00000004UL); |
2972 | if (crv != CKR_OK0x00000000UL) { |
2973 | goto loser; |
2974 | } |
2975 | |
2976 | /* call the reinit code to set everything that changes between token |
2977 | * init calls */ |
2978 | crv = SFTK_SlotReInit(slot, configdir, updatedir, updateID, |
2979 | params, moduleIndex); |
2980 | if (crv != CKR_OK0x00000000UL) { |
2981 | goto loser; |
2982 | } |
2983 | if (sftk_isFIPS(slotID)(((slotID) == 3) || ((slotID) >= 101))) { |
2984 | crv = sftk_CreateValidationObjects(slot); |
2985 | if (crv != CKR_OK0x00000000UL) { |
2986 | goto loser; |
2987 | } |
2988 | } |
2989 | crv = sftk_RegisterSlot(slot, moduleIndex); |
2990 | if (crv != CKR_OK0x00000000UL) { |
2991 | goto loser; |
2992 | } |
2993 | return CKR_OK0x00000000UL; |
2994 | |
2995 | mem_loser: |
2996 | crv = CKR_HOST_MEMORY0x00000002UL; |
2997 | loser: |
2998 | SFTK_DestroySlotData(slot); |
2999 | return crv; |
3000 | } |
3001 | |
3002 | CK_RV |
3003 | sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout) |
3004 | { |
3005 | SFTKSession *session; |
3006 | unsigned int i; |
3007 | SFTKDBHandle *handle; |
3008 | |
3009 | /* first log out the card */ |
3010 | /* special case - if we are in a middle of upgrade, we want to close the |
3011 | * sessions to fake a token removal to tell the upper level code we have |
3012 | * switched from one database to another, but we don't want to |
3013 | * explicity logout in case we can continue the upgrade with the |
3014 | * existing password if possible. |
3015 | */ |
3016 | if (logout) { |
3017 | handle = sftk_getKeyDB(slot); |
3018 | SKIP_AFTER_FORK(PZ_Lock(slot->slotLock))PR_Lock((slot->slotLock)); |
3019 | slot->isLoggedIn = PR_FALSE0; |
3020 | if (slot->needLogin && handle) { |
3021 | sftkdb_ClearPassword(handle); |
3022 | } |
3023 | SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock))PR_Unlock((slot->slotLock)); |
3024 | if (handle) { |
3025 | sftk_freeDB(handle); |
3026 | } |
3027 | } |
3028 | |
3029 | /* now close all the current sessions */ |
3030 | /* NOTE: If you try to open new sessions before NSC_CloseAllSessions |
3031 | * completes, some of those new sessions may or may not be closed by |
3032 | * NSC_CloseAllSessions... but any session running when this code starts |
3033 | * will guarrenteed be close, and no session will be partially closed */ |
3034 | for (i = 0; i < slot->sessHashSize; i++) { |
3035 | PZLockPRLock *lock = SFTK_SESSION_LOCK(slot, i)((slot)->sessionLock[(i) & (slot)->sessionLockMask] ); |
3036 | do { |
3037 | SKIP_AFTER_FORK(PZ_Lock(lock))PR_Lock((lock)); |
3038 | session = slot->head[i]; |
3039 | /* hand deque */ |
3040 | /* this duplicates function of NSC_close session functions, but |
3041 | * because we know that we are freeing all the sessions, we can |
3042 | * do more efficient processing */ |
3043 | if (session) { |
3044 | slot->head[i] = session->next; |
3045 | if (session->next) |
3046 | session->next->prev = NULL((void*)0); |
3047 | session->next = session->prev = NULL((void*)0); |
3048 | SKIP_AFTER_FORK(PZ_Unlock(lock))PR_Unlock((lock)); |
3049 | SKIP_AFTER_FORK(PZ_Lock(slot->slotLock))PR_Lock((slot->slotLock)); |
3050 | --slot->sessionCount; |
3051 | SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock))PR_Unlock((slot->slotLock)); |
3052 | if (session->info.flags & CKF_RW_SESSION0x00000002UL) { |
3053 | (void)PR_ATOMIC_DECREMENT(&slot->rwSessionCount)__sync_sub_and_fetch(&slot->rwSessionCount, 1); |
3054 | } |
3055 | } else { |
3056 | SKIP_AFTER_FORK(PZ_Unlock(lock))PR_Unlock((lock)); |
3057 | } |
3058 | if (session) { |
3059 | sftk_DestroySession(session); |
3060 | } |
3061 | } while (session != NULL((void*)0)); |
3062 | } |
3063 | return CKR_OK0x00000000UL; |
3064 | } |
3065 | |
3066 | /* |
3067 | * shut down the databases. |
3068 | * we get the slot lock (which also protects slot->certDB and slot->keyDB) |
3069 | * and clear the values so the new users will not find the databases. |
3070 | * once things are clear, we can release our references to the databases. |
3071 | * The databases will close when the last reference is released. |
3072 | * |
3073 | * We use reference counts so that we don't crash if someone shuts down |
3074 | * a token that another thread is actively using. |
3075 | */ |
3076 | static void |
3077 | sftk_DBShutdown(SFTKSlot *slot) |
3078 | { |
3079 | SFTKDBHandle *certHandle; |
3080 | SFTKDBHandle *keyHandle; |
3081 | SKIP_AFTER_FORK(PZ_Lock(slot->slotLock))PR_Lock((slot->slotLock)); |
3082 | certHandle = slot->certDB; |
3083 | slot->certDB = NULL((void*)0); |
3084 | keyHandle = slot->keyDB; |
3085 | slot->keyDB = NULL((void*)0); |
3086 | SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock))PR_Unlock((slot->slotLock)); |
3087 | if (certHandle) { |
3088 | sftk_freeDB(certHandle); |
3089 | } |
3090 | if (keyHandle) { |
3091 | sftk_freeDB(keyHandle); |
3092 | } |
3093 | } |
3094 | |
3095 | CK_RV |
3096 | SFTK_ShutdownSlot(SFTKSlot *slot) |
3097 | { |
3098 | /* make sure no new PK11 calls work except C_GetSlotInfo */ |
3099 | slot->present = PR_FALSE0; |
3100 | |
3101 | /* close all outstanding sessions |
3102 | * the sessHashSize variable guarentees we have all the session |
3103 | * mechanism set up */ |
3104 | if (slot->head) { |
3105 | sftk_CloseAllSessions(slot, PR_TRUE1); |
3106 | } |
3107 | |
3108 | /* clear all objects.. session objects are cleared as a result of |
3109 | * closing all the sessions. We just need to clear the token object |
3110 | * cache. slot->tokObjHashTable guarentees we have the token |
3111 | * infrastructure set up. */ |
3112 | if (slot->tokObjHashTable) { |
3113 | SFTK_ClearTokenKeyHashTable(slot); |
3114 | } |
3115 | |
3116 | /* clear the slot description for the next guy */ |
3117 | PORT_Memsetmemset(slot->tokDescription, 0, sizeof(slot->tokDescription)); |
3118 | |
3119 | /* now shut down the databases. */ |
3120 | sftk_DBShutdown(slot); |
3121 | return CKR_OK0x00000000UL; |
3122 | } |
3123 | |
3124 | /* |
3125 | * initialize one of the slot structures. figure out which by the ID |
3126 | */ |
3127 | CK_RV |
3128 | SFTK_DestroySlotData(SFTKSlot *slot) |
3129 | { |
3130 | unsigned int i; |
3131 | |
3132 | SFTK_ShutdownSlot(slot); |
3133 | |
3134 | sftk_ClearSession(&slot->moduleObjects); |
3135 | |
3136 | if (slot->tokObjHashTable) { |
3137 | PL_HashTableDestroy(slot->tokObjHashTable); |
3138 | slot->tokObjHashTable = NULL((void*)0); |
3139 | } |
3140 | |
3141 | if (slot->sessObjHashTable) { |
3142 | PORT_FreePORT_Free_Util(slot->sessObjHashTable); |
3143 | slot->sessObjHashTable = NULL((void*)0); |
3144 | } |
3145 | slot->sessObjHashSize = 0; |
3146 | |
3147 | if (slot->head) { |
3148 | PORT_FreePORT_Free_Util(slot->head); |
3149 | slot->head = NULL((void*)0); |
3150 | } |
3151 | slot->sessHashSize = 0; |
3152 | |
3153 | /* OK everything has been disassembled, now we can finally get rid |
3154 | * of the locks */ |
3155 | SKIP_AFTER_FORK(PZ_DestroyLock(slot->slotLock))PR_DestroyLock((slot->slotLock)); |
3156 | slot->slotLock = NULL((void*)0); |
3157 | if (slot->sessionLock) { |
3158 | for (i = 0; i < slot->numSessionLocks; i++) { |
3159 | if (slot->sessionLock[i]) { |
3160 | SKIP_AFTER_FORK(PZ_DestroyLock(slot->sessionLock[i]))PR_DestroyLock((slot->sessionLock[i])); |
3161 | slot->sessionLock[i] = NULL((void*)0); |
3162 | } |
3163 | } |
3164 | PORT_FreePORT_Free_Util(slot->sessionLock); |
3165 | slot->sessionLock = NULL((void*)0); |
3166 | } |
3167 | if (slot->objectLock) { |
3168 | SKIP_AFTER_FORK(PZ_DestroyLock(slot->objectLock))PR_DestroyLock((slot->objectLock)); |
3169 | slot->objectLock = NULL((void*)0); |
3170 | } |
3171 | if (slot->pwCheckLock) { |
3172 | SKIP_AFTER_FORK(PR_DestroyLock(slot->pwCheckLock))PR_DestroyLock(slot->pwCheckLock); |
3173 | slot->pwCheckLock = NULL((void*)0); |
3174 | } |
3175 | PORT_FreePORT_Free_Util(slot); |
3176 | return CKR_OK0x00000000UL; |
3177 | } |
3178 | |
3179 | /* |
3180 | * handle the SECMOD.db |
3181 | */ |
3182 | char ** |
3183 | NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args) |
3184 | { |
3185 | #ifndef NSS_DISABLE_DBM |
3186 | char *secmod = NULL((void*)0); |
3187 | char *appName = NULL((void*)0); |
3188 | char *filename = NULL((void*)0); |
3189 | NSSDBType dbType = NSS_DB_TYPE_NONE; |
3190 | PRBool rw; |
3191 | static char *success = "Success"; |
3192 | #endif /* NSS_DISABLE_DBM */ |
3193 | char **rvstr = NULL((void*)0); |
3194 | |
3195 | rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args); |
3196 | if (rvstr != NULL((void*)0)) { |
3197 | return rvstr; |
3198 | } |
3199 | |
3200 | if (PORT_GetErrorPORT_GetError_Util() != SEC_ERROR_LEGACY_DATABASE) { |
3201 | return NULL((void*)0); |
3202 | } |
3203 | |
3204 | #ifndef NSS_DISABLE_DBM |
3205 | /* The legacy database uses the old dbm, which is only linked with the |
3206 | * legacy DB handler, which is only callable from softoken */ |
3207 | |
3208 | secmod = _NSSUTIL_GetSecmodName(parameters, &dbType, &appName, |
3209 | &filename, &rw); |
3210 | |
3211 | switch (function) { |
3212 | case SECMOD_MODULE_DB_FUNCTION_FIND0: |
3213 | if (secmod == NULL((void*)0)) { |
3214 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3215 | goto loser; |
3216 | } |
3217 | if (rw && (dbType != NSS_DB_TYPE_LEGACY) && |
3218 | (dbType != NSS_DB_TYPE_MULTIACCESS)) { |
3219 | /* if we get here, we are trying to update the local database */ |
3220 | /* force data from the legacy DB */ |
3221 | char *oldSecmod = NULL((void*)0); |
3222 | char *oldAppName = NULL((void*)0); |
3223 | char *oldFilename = NULL((void*)0); |
3224 | PRBool oldrw; |
3225 | char **strings = NULL((void*)0); |
3226 | int i; |
3227 | |
3228 | dbType = NSS_DB_TYPE_LEGACY; |
3229 | oldSecmod = _NSSUTIL_GetSecmodName(parameters, &dbType, &oldAppName, |
3230 | &oldFilename, &oldrw); |
3231 | strings = sftkdbCall_ReadSecmodDB(appName, oldFilename, oldSecmod, |
3232 | (char *)parameters, oldrw); |
3233 | if (strings) { |
3234 | /* write out the strings */ |
3235 | for (i = 0; strings[i]; i++) { |
3236 | NSSUTIL_DoModuleDBFunction(SECMOD_MODULE_DB_FUNCTION_ADD1, |
3237 | parameters, strings[i]); |
3238 | } |
3239 | sftkdbCall_ReleaseSecmodDBData(oldAppName, oldFilename, oldSecmod, |
3240 | (char **)strings, oldrw); |
3241 | } else { |
3242 | /* write out a dummy record */ |
3243 | NSSUTIL_DoModuleDBFunction(SECMOD_MODULE_DB_FUNCTION_ADD1, |
3244 | parameters, " "); |
3245 | } |
3246 | if (oldSecmod) { |
3247 | PR_smprintf_free(oldSecmod); |
3248 | } |
3249 | if (oldAppName) { |
3250 | PORT_FreePORT_Free_Util(oldAppName); |
3251 | } |
3252 | if (oldFilename) { |
3253 | PORT_FreePORT_Free_Util(oldFilename); |
3254 | } |
3255 | rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args); |
3256 | break; |
3257 | } |
3258 | rvstr = sftkdbCall_ReadSecmodDB(appName, filename, secmod, |
3259 | (char *)parameters, rw); |
3260 | break; |
3261 | case SECMOD_MODULE_DB_FUNCTION_ADD1: |
3262 | if (secmod == NULL((void*)0)) { |
3263 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3264 | goto loser; |
3265 | } |
3266 | rvstr = (sftkdbCall_AddSecmodDB(appName, filename, secmod, |
3267 | (char *)args, rw) == SECSuccess) |
3268 | ? &success |
3269 | : NULL((void*)0); |
3270 | break; |
3271 | case SECMOD_MODULE_DB_FUNCTION_DEL2: |
3272 | if (secmod == NULL((void*)0)) { |
3273 | PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS); |
3274 | goto loser; |
3275 | } |
3276 | rvstr = (sftkdbCall_DeleteSecmodDB(appName, filename, secmod, |
3277 | (char *)args, rw) == SECSuccess) |
3278 | ? &success |
3279 | : NULL((void*)0); |
3280 | break; |
3281 | case SECMOD_MODULE_DB_FUNCTION_RELEASE3: |
3282 | rvstr = (sftkdbCall_ReleaseSecmodDBData(appName, filename, secmod, |
3283 | (char **)args, rw) == SECSuccess) |
3284 | ? &success |
3285 | : NULL((void*)0); |
3286 | break; |
3287 | } |
3288 | |
3289 | loser: |
3290 | if (secmod) |
3291 | PR_smprintf_free(secmod); |
3292 | if (appName) |
3293 | PORT_FreePORT_Free_Util(appName); |
3294 | if (filename) |
3295 | PORT_FreePORT_Free_Util(filename); |
3296 | #endif /* NSS_DISABLE_DBM */ |
3297 | return rvstr; |
3298 | } |
3299 | |
3300 | static void |
3301 | nscFreeAllSlots(unsigned int moduleIndex) |
3302 | { |
3303 | /* free all the slots */ |
3304 | SFTKSlot *slot = NULL((void*)0); |
3305 | CK_SLOT_ID slotID; |
3306 | int i; |
3307 | |
3308 | if (nscSlotList[moduleIndex]) { |
3309 | CK_ULONG tmpSlotCount = nscSlotCount[moduleIndex]; |
3310 | CK_SLOT_ID_PTR tmpSlotList = nscSlotList[moduleIndex]; |
3311 | PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex]; |
3312 | |
3313 | /* first close all the session */ |
3314 | for (i = 0; i < (int)tmpSlotCount; i++) { |
3315 | slotID = tmpSlotList[i]; |
3316 | (void)NSC_CloseAllSessions(slotID); |
3317 | } |
3318 | |
3319 | /* now clear out the statics */ |
3320 | nscSlotList[moduleIndex] = NULL((void*)0); |
3321 | nscSlotCount[moduleIndex] = 0; |
3322 | nscSlotHashTable[moduleIndex] = NULL((void*)0); |
3323 | nscSlotListSize[moduleIndex] = 0; |
3324 | |
3325 | for (i = 0; i < (int)tmpSlotCount; i++) { |
3326 | slotID = tmpSlotList[i]; |
3327 | slot = (SFTKSlot *) |
3328 | PL_HashTableLookup(tmpSlotHashTable, (void *)(uintptr_t)slotID); |
3329 | PORT_Assert(slot)((slot)?((void)0):PR_Assert("slot","pkcs11.c",3329)); |
3330 | if (!slot) |
3331 | continue; |
3332 | SFTK_DestroySlotData(slot); |
3333 | PL_HashTableRemove(tmpSlotHashTable, (void *)(uintptr_t)slotID); |
3334 | } |
3335 | PORT_FreePORT_Free_Util(tmpSlotList); |
3336 | PL_HashTableDestroy(tmpSlotHashTable); |
3337 | } |
3338 | } |
3339 | |
3340 | static void |
3341 | sftk_closePeer(PRBool isFIPS) |
3342 | { |
3343 | CK_SLOT_ID slotID = isFIPS ? PRIVATE_KEY_SLOT_ID2 : FIPS_SLOT_ID3; |
3344 | SFTKSlot *slot; |
3345 | unsigned int moduleIndex = isFIPS ? NSC_NON_FIPS_MODULE0 : NSC_FIPS_MODULE1; |
3346 | PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex]; |
3347 | |
3348 | slot = (SFTKSlot *)PL_HashTableLookup(tmpSlotHashTable, (void *)(uintptr_t)slotID); |
3349 | if (slot == NULL((void*)0)) { |
3350 | return; |
3351 | } |
3352 | sftk_DBShutdown(slot); |
3353 | return; |
3354 | } |
3355 | |
3356 | extern void sftk_PBELockInit(void); |
3357 | extern void sftk_PBELockShutdown(void); |
3358 | |
3359 | /* Parse the library parameters from the first occurance in the following src.: |
3360 | * 1. C_INITIALIZED_ARGS - lib params are included in LibraryParameters field |
3361 | * 2. NSS_LIB_PARAMS - env. var. containing the lib. params. |
3362 | * 3. NSS_LIB_PARAMS_FILE - env. var. pointion to a file with lib. params. |
3363 | * 4. /etc/nss/params.config - default lib. param. file location [Linux only] |
3364 | * 5. LIB_PARAM_DEFAULT - string ensureing the pressence at all times |
3365 | * "configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB,noModDB" |
3366 | */ |
3367 | static CK_RV |
3368 | sftk_getParameters(CK_C_INITIALIZE_ARGS *init_args, PRBool isFIPS, |
3369 | sftk_parameters *paramStrings) |
3370 | { |
3371 | CK_RV crv; |
3372 | char *libParams; |
3373 | const char *filename; |
3374 | PRFileDesc *file_dc; |
3375 | PRBool free_mem = PR_FALSE0; |
3376 | |
3377 | if (!init_args || !init_args->LibraryParameters) { |
3378 | /* Library parameters were not provided via C_Initialize_args*/ |
3379 | |
3380 | /* Enviromental value has precedence to configuration filename */ |
3381 | libParams = PR_GetEnvSecure("NSS_LIB_PARAMS"); |
3382 | |
3383 | if (!libParams) { |
3384 | /* Load from config filename or use default */ |
3385 | filename = PR_GetEnvSecure("NSS_LIB_PARAMS_FILE"); |
3386 | #ifdef XP_UNIX1 |
3387 | /* Use default configuration file for Linux only */ |
3388 | if (!filename) |
3389 | filename = LIB_PARAM_DEFAULT_FILE_LOCATION"/etc/nss/params.config"; |
3390 | #endif |
3391 | if (filename) { |
3392 | file_dc = PR_OpenFile(filename, PR_RDONLY0x01, 444); |
3393 | if (file_dc) { |
3394 | /* file opened */ |
3395 | PRInt32 len = PR_Available(file_dc); |
3396 | libParams = PORT_NewArray(char, len + 1)(char *)PORT_Alloc_Util(sizeof(char) * (len + 1)); |
3397 | if (libParams) { |
3398 | /* memory allocated */ |
3399 | if (PR_Read(file_dc, libParams, len) == -1) { |
3400 | PORT_FreePORT_Free_Util(libParams); |
3401 | libParams = NULL((void*)0); |
3402 | } else { |
3403 | free_mem = PR_TRUE1; |
3404 | libParams[len] = '\0'; |
3405 | } |
3406 | } |
3407 | |
3408 | PR_Close(file_dc); |
3409 | } |
3410 | } |
3411 | } |
3412 | |
3413 | if (libParams == NULL((void*)0)) |
3414 | libParams = LIB_PARAM_DEFAULT" configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB,noModDB "; |
3415 | |
3416 | } else { |
3417 | /* Use parameters provided with C_Initialize_args */ |
3418 | libParams = (char *)init_args->LibraryParameters; |
3419 | } |
3420 | |
3421 | crv = sftk_parseParameters(libParams, paramStrings, isFIPS); |
3422 | if (crv != CKR_OK0x00000000UL) { |
3423 | crv = CKR_ARGUMENTS_BAD0x00000007UL; |
3424 | goto loser; |
3425 | } |
3426 | |
3427 | crv = CKR_OK0x00000000UL; |
3428 | loser: |
3429 | if (free_mem) |
3430 | PORT_FreePORT_Free_Util(libParams); |
3431 | |
3432 | return crv; |
3433 | } |
3434 | |
3435 | /* NSC_Initialize initializes the Cryptoki library. */ |
3436 | CK_RV |
3437 | nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) |
3438 | { |
3439 | CK_RV crv = CKR_OK0x00000000UL; |
3440 | SECStatus rv; |
3441 | CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved; |
3442 | PRBool destroy_freelist_on_error = PR_TRUE1; |
3443 | int i; |
3444 | unsigned int moduleIndex = isFIPS ? NSC_FIPS_MODULE1 : NSC_NON_FIPS_MODULE0; |
3445 | |
3446 | if (isFIPS) { |
3447 | loginWaitTime = PR_SecondsToInterval(1); |
3448 | } |
3449 | |
3450 | ENABLE_FORK_CHECK(); |
3451 | |
3452 | sftk_PBELockInit(); |
3453 | |
3454 | rv = SECOID_Init(); |
3455 | if (rv != SECSuccess) { |
3456 | crv = CKR_DEVICE_ERROR0x00000030UL; |
3457 | return crv; |
3458 | } |
3459 | |
3460 | rv = RNG_RNGInit(); /* initialize random number generator */ |
3461 | if (rv != SECSuccess) { |
3462 | crv = CKR_DEVICE_ERROR0x00000030UL; |
3463 | return crv; |
3464 | } |
3465 | rv = BL_Init(); /* initialize freebl engine */ |
3466 | if (rv != SECSuccess) { |
3467 | crv = CKR_DEVICE_ERROR0x00000030UL; |
3468 | return crv; |
3469 | } |
3470 | |
3471 | /* NOTE: |
3472 | * we should be getting out mutexes from this list, not statically binding |
3473 | * them from NSPR. This should happen before we allow the internal to split |
3474 | * off from the rest on NSS. |
3475 | */ |
3476 | |
3477 | /* initialize the key and cert db's */ |
3478 | if (init_args && (!(init_args->flags & CKF_OS_LOCKING_OK0x00000002UL))) { |
3479 | if (init_args->CreateMutex && init_args->DestroyMutex && |
3480 | init_args->LockMutex && init_args->UnlockMutex) { |
3481 | /* softoken always uses NSPR (ie. OS locking), and doesn't know how |
3482 | * to use the lock functions provided by the application. |
3483 | */ |
3484 | crv = CKR_CANT_LOCK0x0000000AUL; |
3485 | return crv; |
3486 | } |
3487 | if (init_args->CreateMutex || init_args->DestroyMutex || |
3488 | init_args->LockMutex || init_args->UnlockMutex) { |
3489 | /* only some of the lock functions were provided by the |
3490 | * application. This is invalid per PKCS#11 spec. |
3491 | */ |
3492 | crv = CKR_ARGUMENTS_BAD0x00000007UL; |
3493 | return crv; |
3494 | } |
3495 | } |
3496 | |
3497 | sftk_parameters paramStrings; |
3498 | |
3499 | /* load and parse the library parameters */ |
3500 | crv = sftk_getParameters(init_args, isFIPS, ¶mStrings); |
3501 | if (crv != CKR_OK0x00000000UL) { |
3502 | goto loser; |
3503 | } |
3504 | |
3505 | crv = sftk_configure(paramStrings.man, paramStrings.libdes); |
3506 | if (crv != CKR_OK0x00000000UL) { |
3507 | goto loser; |
3508 | } |
3509 | |
3510 | /* if we have a peer already open, have him close his DB's so we |
3511 | * don't clobber each other. */ |
3512 | if ((isFIPS && nsc_init) || (!isFIPS && nsf_init)) { |
3513 | sftk_closePeer(isFIPS); |
3514 | if (sftk_audit_enabled) { |
3515 | if (isFIPS && nsc_init) { |
3516 | sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE, |
3517 | "enabled FIPS mode"); |
3518 | } else { |
3519 | sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE, |
3520 | "disabled FIPS mode"); |
3521 | } |
3522 | } |
3523 | /* if we have a peer open, we don't want to destroy the freelist |
3524 | * from under the peer if we fail, the free list will be |
3525 | * destroyed in that case when the C_Finalize is called for |
3526 | * the peer */ |
3527 | destroy_freelist_on_error = PR_FALSE0; |
3528 | } |
3529 | /* allow us to create objects in SFTK_SlotInit */ |
3530 | sftk_InitFreeLists(); |
3531 | |
3532 | for (i = 0; i < paramStrings.token_count; i++) { |
3533 | crv = SFTK_SlotInit(paramStrings.configdir, |
3534 | paramStrings.updatedir, paramStrings.updateID, |
3535 | ¶mStrings.tokens[i], moduleIndex); |
3536 | if (crv != CKR_OK0x00000000UL) { |
3537 | nscFreeAllSlots(moduleIndex); |
3538 | break; |
3539 | } |
3540 | } |
3541 | |
3542 | loser: |
3543 | |
3544 | sftk_freeParams(¶mStrings); |
3545 | |
3546 | if (destroy_freelist_on_error && (CKR_OK0x00000000UL != crv)) { |
3547 | /* idempotent. If the list are already freed, this is a noop */ |
3548 | sftk_CleanupFreeLists(); |
3549 | } |
3550 | |
3551 | #ifndef NO_FORK_CHECK |
3552 | if (CKR_OK0x00000000UL == crv) { |
3553 | #if defined(CHECK_FORK_MIXED) |
3554 | /* Before Solaris 10, fork handlers are not unregistered at dlclose() |
3555 | * time. So, we only use pthread_atfork on Solaris 10 and later. For |
3556 | * earlier versions, we use PID checks. |
3557 | */ |
3558 | char buf[200]; |
3559 | int major = 0, minor = 0; |
3560 | |
3561 | long rv = sysinfo(SI_RELEASE, buf, sizeof(buf)); |
3562 | if (rv > 0 && rv < sizeof(buf)) { |
3563 | if (2 == sscanf(buf, "%d.%d", &major, &minor)) { |
3564 | /* Are we on Solaris 10 or greater ? */ |
3565 | if (major > 5 || (5 == major && minor >= 10)) { |
3566 | /* we are safe to use pthread_atfork */ |
3567 | usePthread_atfork = PR_TRUE1; |
3568 | } |
3569 | } |
3570 | } |
3571 | if (usePthread_atfork) { |
3572 | pthread_atfork(NULL((void*)0), NULL((void*)0), ForkedChild); |
3573 | } else { |
3574 | myPid = getpid(); |
3575 | } |
3576 | |
3577 | #elif defined(CHECK_FORK_PTHREAD) |
3578 | pthread_atfork(NULL((void*)0), NULL((void*)0), ForkedChild); |
3579 | #elif defined(CHECK_FORK_GETPID) |
3580 | myPid = getpid(); |
3581 | #else |
3582 | #error Incorrect fork check method. |
3583 | #endif |
3584 | } |
3585 | #endif |
3586 | return crv; |
3587 | } |
3588 | |
3589 | CK_RV |
3590 | NSC_Initialize(CK_VOID_PTR pReserved) |
3591 | { |
3592 | CK_RV crv; |
3593 | |
3594 | sftk_ForkReset(pReserved, &crv); |
3595 | |
3596 | if (nsc_init) { |
3597 | return CKR_CRYPTOKI_ALREADY_INITIALIZED0x00000191UL; |
3598 | } |
3599 | crv = nsc_CommonInitialize(pReserved, PR_FALSE0); |
3600 | nsc_init = (PRBool)(crv == CKR_OK0x00000000UL); |
3601 | return crv; |
3602 | } |
3603 | |
3604 | /* NSC_Finalize indicates that an application is done with the |
3605 | * Cryptoki library.*/ |
3606 | CK_RV |
3607 | nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS) |
3608 | { |
3609 | /* propagate the fork status to freebl and util */ |
3610 | BL_SetForkState(parentForkedAfterC_Initialize); |
3611 | UTIL_SetForkState(parentForkedAfterC_Initialize); |
3612 | |
3613 | nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE1 : NSC_NON_FIPS_MODULE0); |
3614 | |
3615 | /* don't muck with the globals if our peer is still initialized */ |
3616 | if (isFIPS && nsc_init) { |
3617 | return CKR_OK0x00000000UL; |
3618 | } |
3619 | if (!isFIPS && nsf_init) { |
3620 | return CKR_OK0x00000000UL; |
3621 | } |
3622 | |
3623 | sftk_CleanupFreeLists(); |
3624 | sftkdb_Shutdown(); |
3625 | |
3626 | /* This function does not discard all our previously aquired entropy. */ |
3627 | RNG_RNGShutdown(); |
3628 | |
3629 | /* tell freeBL to clean up after itself */ |
3630 | BL_Cleanup(); |
3631 | |
3632 | /* reset fork status in freebl. We must do this before BL_Unload so that |
3633 | * this call doesn't force freebl to be reloaded. */ |
3634 | BL_SetForkState(PR_FALSE0); |
3635 | |
3636 | #ifndef NSS_STATIC_SOFTOKEN |
3637 | /* unload freeBL shared library from memory. This may only decrement the |
3638 | * OS refcount if it's been loaded multiple times, eg. by libssl */ |
3639 | BL_Unload(); |
3640 | #endif |
3641 | |
3642 | /* clean up the default OID table */ |
3643 | SECOID_Shutdown(); |
3644 | |
3645 | sftk_PBELockShutdown(); |
3646 | |
3647 | /* reset fork status in util */ |
3648 | UTIL_SetForkState(PR_FALSE0); |
3649 | |
3650 | nsc_init = PR_FALSE0; |
3651 | |
3652 | #ifndef NO_FORK_CHECK |
3653 | #ifdef CHECK_FORK_MIXED |
3654 | if (!usePthread_atfork) { |
3655 | myPid = 0; /* allow CHECK_FORK in the next softoken initialization to |
3656 | * succeed */ |
3657 | } else { |
3658 | forked = PR_FALSE0; /* allow reinitialization */ |
3659 | } |
3660 | #elif defined(CHECK_FORK_GETPID) |
3661 | myPid = 0; /* allow reinitialization */ |
3662 | #elif defined(CHECK_FORK_PTHREAD) |
3663 | forked = PR_FALSE0; /* allow reinitialization */ |
3664 | #endif |
3665 | #endif |
3666 | return CKR_OK0x00000000UL; |
3667 | } |
3668 | |
3669 | /* Hard-reset the entire softoken PKCS#11 module if the parent process forked |
3670 | * while it was initialized. */ |
3671 | PRBool |
3672 | sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV *crv) |
3673 | { |
3674 | #ifndef NO_FORK_CHECK |
3675 | if (PARENT_FORKED()) { |
3676 | parentForkedAfterC_Initialize = PR_TRUE1; |
3677 | if (nsc_init) { |
3678 | /* finalize non-FIPS token */ |
3679 | *crv = nsc_CommonFinalize(pReserved, PR_FALSE0); |
3680 | PORT_Assert(CKR_OK == *crv)((0x00000000UL == *crv)?((void)0):PR_Assert("CKR_OK == *crv", "pkcs11.c",3680)); |
3681 | nsc_init = (PRBool) !(*crv == CKR_OK0x00000000UL); |
3682 | } |
3683 | if (nsf_init) { |
3684 | /* finalize FIPS token */ |
3685 | *crv = nsc_CommonFinalize(pReserved, PR_TRUE1); |
3686 | PORT_Assert(CKR_OK == *crv)((0x00000000UL == *crv)?((void)0):PR_Assert("CKR_OK == *crv", "pkcs11.c",3686)); |
3687 | nsf_init = (PRBool) !(*crv == CKR_OK0x00000000UL); |
3688 | } |
3689 | parentForkedAfterC_Initialize = PR_FALSE0; |
3690 | return PR_TRUE1; |
3691 | } |
3692 | #endif |
3693 | return PR_FALSE0; |
3694 | } |
3695 | |
3696 | /* NSC_Finalize indicates that an application is done with the |
3697 | * Cryptoki library.*/ |
3698 | CK_RV |
3699 | NSC_Finalize(CK_VOID_PTR pReserved) |
3700 | { |
3701 | CK_RV crv; |
3702 | |
3703 | /* reset entire PKCS#11 module upon fork */ |
3704 | if (sftk_ForkReset(pReserved, &crv)) { |
3705 | return crv; |
3706 | } |
3707 | |
3708 | if (!nsc_init) { |
3709 | return CKR_OK0x00000000UL; |
3710 | } |
3711 | |
3712 | crv = nsc_CommonFinalize(pReserved, PR_FALSE0); |
3713 | |
3714 | nsc_init = (PRBool) !(crv == CKR_OK0x00000000UL); |
3715 | |
3716 | return crv; |
3717 | } |
3718 | |
3719 | extern const char __nss_softokn_version[]; |
3720 | |
3721 | /* NSC_GetInfo returns general information about Cryptoki. */ |
3722 | CK_RV |
3723 | NSC_GetInfo(CK_INFO_PTR pInfo) |
3724 | { |
3725 | #define NSS_VERSION_VARIABLE __nss_softokn_version |
3726 | #include "verref.h" |
3727 | |
3728 | CHECK_FORK(); |
3729 | |
3730 | pInfo->cryptokiVersion.major = CRYPTOKI_VERSION_MAJOR3; |
3731 | pInfo->cryptokiVersion.minor = CRYPTOKI_VERSION_MINOR0; |
3732 | PORT_Memcpymemcpy(pInfo->manufacturerID, manufacturerID, 32); |
3733 | pInfo->libraryVersion.major = SOFTOKEN_VMAJOR3; |
3734 | pInfo->libraryVersion.minor = SOFTOKEN_VMINOR101; |
3735 | PORT_Memcpymemcpy(pInfo->libraryDescription, libraryDescription, 32); |
3736 | pInfo->flags = 0; |
3737 | return CKR_OK0x00000000UL; |
3738 | } |
3739 | |
3740 | /* NSC_GetInfo returns general information about Cryptoki. */ |
3741 | CK_RV |
3742 | NSC_GetInfoV2(CK_INFO_PTR pInfo) |
3743 | { |
3744 | CHECK_FORK(); |
3745 | |
3746 | pInfo->cryptokiVersion.major = 2; |
3747 | pInfo->cryptokiVersion.minor = 40; |
3748 | PORT_Memcpymemcpy(pInfo->manufacturerID, manufacturerID, 32); |
3749 | pInfo->libraryVersion.major = SOFTOKEN_VMAJOR3; |
3750 | pInfo->libraryVersion.minor = SOFTOKEN_VMINOR101; |
3751 | PORT_Memcpymemcpy(pInfo->libraryDescription, libraryDescription, 32); |
3752 | pInfo->flags = 0; |
3753 | return CKR_OK0x00000000UL; |
3754 | } |
3755 | |
3756 | /* NSC_GetSlotList obtains a list of slots in the system. */ |
3757 | CK_RV |
3758 | nsc_CommonGetSlotList(CK_BBOOL tokenPresent, |
3759 | CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount, |
3760 | unsigned int moduleIndex) |
3761 | { |
3762 | *pulCount = nscSlotCount[moduleIndex]; |
3763 | if (pSlotList != NULL((void*)0)) { |
3764 | PORT_Memcpymemcpy(pSlotList, nscSlotList[moduleIndex], |
3765 | nscSlotCount[moduleIndex] * sizeof(CK_SLOT_ID)); |
3766 | } |
3767 | return CKR_OK0x00000000UL; |
3768 | } |
3769 | |
3770 | /* NSC_GetSlotList obtains a list of slots in the system. */ |
3771 | CK_RV |
3772 | NSC_GetSlotList(CK_BBOOL tokenPresent, |
3773 | CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) |
3774 | { |
3775 | CHECK_FORK(); |
3776 | return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount, |
3777 | NSC_NON_FIPS_MODULE0); |
3778 | } |
3779 | |
3780 | /* NSC_GetSlotInfo obtains information about a particular slot in the system. */ |
3781 | CK_RV |
3782 | NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) |
3783 | { |
3784 | SFTKSlot *slot = sftk_SlotFromID(slotID, PR_TRUE1); |
3785 | |
3786 | CHECK_FORK(); |
3787 | |
3788 | if (slot == NULL((void*)0)) |
3789 | return CKR_SLOT_ID_INVALID0x00000003UL; |
3790 | |
3791 | PORT_Memcpymemcpy(pInfo->manufacturerID, manufacturerID, |
3792 | sizeof(pInfo->manufacturerID)); |
3793 | PORT_Memcpymemcpy(pInfo->slotDescription, slot->slotDescription, |
3794 | sizeof(pInfo->slotDescription)); |
3795 | pInfo->flags = (slot->present) ? CKF_TOKEN_PRESENT0x00000001UL : 0; |
3796 | |
3797 | /* all user defined slots are defined as removable */ |
3798 | if (slotID >= SFTK_MIN_USER_SLOT_ID4) { |
3799 | pInfo->flags |= CKF_REMOVABLE_DEVICE0x00000002UL; |
3800 | } else { |
3801 | /* In the case where we are doing a merge update, we need |
3802 | * the DB slot to be removable so the token name can change |
3803 | * appropriately. */ |
3804 | SFTKDBHandle *handle = sftk_getKeyDB(slot); |
3805 | if (handle) { |
3806 | if (sftkdb_InUpdateMerge(handle)) { |
3807 | pInfo->flags |= CKF_REMOVABLE_DEVICE0x00000002UL; |
3808 | } |
3809 | sftk_freeDB(handle); |
3810 | } |
3811 | } |
3812 | |
3813 | /* If there is no key database, this is for example the case when NSS was |
3814 | * initialized with NSS_NoDbInit(), then there won't be any point in |
3815 | * requesting a PIN. Set the CKF_USER_PIN_INITIALIZED bit so that |
3816 | * PK11_NeedUserInit() doesn't indicate that a PIN is needed. |
3817 | */ |
3818 | if (slot->keyDB == NULL((void*)0)) { |
3819 | pInfo->flags |= CKF_USER_PIN_INITIALIZED0x00000008UL; |
3820 | } |
3821 | |
3822 | /* ok we really should read it out of the keydb file. */ |
3823 | /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */ |
3824 | pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR3; |
3825 | pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR101; |
3826 | pInfo->firmwareVersion.major = SOFTOKEN_VPATCH0; |
3827 | pInfo->firmwareVersion.minor = SOFTOKEN_VBUILD0; |
3828 | return CKR_OK0x00000000UL; |
3829 | } |
3830 | |
3831 | /* |
3832 | * check the current state of the 'needLogin' flag in case the database has |
3833 | * been changed underneath us. |
3834 | */ |
3835 | static PRBool |
3836 | sftk_checkNeedLogin(SFTKSlot *slot, SFTKDBHandle *keyHandle) |
3837 | { |
3838 | PRBool needLogin; |
3839 | if (sftkdb_PWCached(keyHandle) == SECSuccess) { |
3840 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
3841 | needLogin = slot->needLogin; |
3842 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
3843 | } else { |
3844 | needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle); |
3845 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
3846 | slot->needLogin = needLogin; |
3847 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
3848 | } |
3849 | return needLogin; |
3850 | } |
3851 | |
3852 | static PRBool |
3853 | sftk_isBlank(const char *s, int len) |
3854 | { |
3855 | int i; |
3856 | for (i = 0; i < len; i++) { |
3857 | if (s[i] != ' ') { |
3858 | return PR_FALSE0; |
3859 | } |
3860 | } |
3861 | return PR_TRUE1; |
3862 | } |
3863 | |
3864 | /* NSC_GetTokenInfo obtains information about a particular token in |
3865 | * the system. */ |
3866 | CK_RV |
3867 | NSC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) |
3868 | { |
3869 | SFTKSlot *slot; |
3870 | SFTKDBHandle *handle; |
3871 | |
3872 | CHECK_FORK(); |
3873 | |
3874 | if (!nsc_init && !nsf_init) |
3875 | return CKR_CRYPTOKI_NOT_INITIALIZED0x00000190UL; |
3876 | slot = sftk_SlotFromID(slotID, PR_FALSE0); |
3877 | if (slot == NULL((void*)0)) |
3878 | return CKR_SLOT_ID_INVALID0x00000003UL; |
3879 | |
3880 | PORT_Memcpymemcpy(pInfo->manufacturerID, manufacturerID, 32); |
3881 | PORT_Memcpymemcpy(pInfo->model, "NSS 3 ", 16); |
3882 | PORT_Memcpymemcpy(pInfo->serialNumber, "0000000000000000", 16); |
3883 | PORT_Memcpymemcpy(pInfo->utcTime, "0000000000000000", 16); |
3884 | pInfo->ulMaxSessionCount = 0; /* arbitrarily large */ |
3885 | pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */ |
3886 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); /* Protect sessionCount / rwSessioncount */ |
3887 | pInfo->ulSessionCount = slot->sessionCount; |
3888 | pInfo->ulRwSessionCount = slot->rwSessionCount; |
3889 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); /* Unlock before sftk_getKeyDB */ |
3890 | pInfo->firmwareVersion.major = 0; |
3891 | pInfo->firmwareVersion.minor = 0; |
3892 | PORT_Memcpymemcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label)); |
3893 | handle = sftk_getKeyDB(slot); |
3894 | pInfo->flags = CKF_RNG0x00000001UL | CKF_DUAL_CRYPTO_OPERATIONS0x00000200UL; |
3895 | if (handle == NULL((void*)0)) { |
3896 | pInfo->flags |= CKF_WRITE_PROTECTED0x00000002UL; |
3897 | pInfo->ulMaxPinLen = 0; |
3898 | pInfo->ulMinPinLen = 0; |
3899 | pInfo->ulTotalPublicMemory = 0; |
3900 | pInfo->ulFreePublicMemory = 0; |
3901 | pInfo->ulTotalPrivateMemory = 0; |
3902 | pInfo->ulFreePrivateMemory = 0; |
3903 | pInfo->hardwareVersion.major = 4; |
3904 | pInfo->hardwareVersion.minor = 0; |
3905 | } else { |
3906 | /* |
3907 | * we have three possible states which we may be in: |
3908 | * (1) No DB password has been initialized. This also means we |
3909 | * have no keys in the key db. |
3910 | * (2) Password initialized to NULL. This means we have keys, but |
3911 | * the user has chosen not use a password. |
3912 | * (3) Finally we have an initialized password whicn is not NULL, and |
3913 | * we will need to prompt for it. |
3914 | */ |
3915 | if (sftkdb_HasPasswordSet(handle) == SECFailure) { |
3916 | pInfo->flags |= CKF_LOGIN_REQUIRED0x00000004UL; |
3917 | } else if (!sftk_checkNeedLogin(slot, handle)) { |
3918 | pInfo->flags |= CKF_USER_PIN_INITIALIZED0x00000008UL; |
3919 | } else { |
3920 | pInfo->flags |= CKF_LOGIN_REQUIRED0x00000004UL | CKF_USER_PIN_INITIALIZED0x00000008UL; |
3921 | /* |
3922 | * if we are doing a merge style update, and we need to get the password |
3923 | * of our source database (the database we are updating from), make sure we |
3924 | * return a token name that will match the database we are prompting for. |
3925 | */ |
3926 | if (sftkdb_NeedUpdateDBPassword(handle)) { |
3927 | /* if we have an update tok description, use it. otherwise |
3928 | * use the updateID for this database */ |
3929 | if (!sftk_isBlank(slot->updateTokDescription, |
3930 | sizeof(pInfo->label))) { |
3931 | PORT_Memcpymemcpy(pInfo->label, slot->updateTokDescription, |
3932 | sizeof(pInfo->label)); |
3933 | } else { |
3934 | /* build from updateID */ |
3935 | const char *updateID = sftkdb_GetUpdateID(handle); |
3936 | if (updateID) { |
3937 | sftk_setStringName(updateID, (char *)pInfo->label, |
3938 | sizeof(pInfo->label), PR_FALSE0); |
3939 | } |
3940 | } |
3941 | } |
3942 | } |
3943 | pInfo->ulMaxPinLen = SFTK_MAX_PIN500; |
3944 | pInfo->ulMinPinLen = (CK_ULONG)slot->minimumPinLen; |
3945 | pInfo->ulTotalPublicMemory = 1; |
3946 | pInfo->ulFreePublicMemory = 1; |
3947 | pInfo->ulTotalPrivateMemory = 1; |
3948 | pInfo->ulFreePrivateMemory = 1; |
3949 | #ifdef SHDB_FIXME |
3950 | pInfo->hardwareVersion.major = CERT_DB_FILE_VERSION; |
3951 | pInfo->hardwareVersion.minor = handle->version; |
3952 | #else |
3953 | pInfo->hardwareVersion.major = 0; |
3954 | pInfo->hardwareVersion.minor = 0; |
3955 | #endif |
3956 | sftk_freeDB(handle); |
3957 | } |
3958 | /* |
3959 | * CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED how CKF_TOKEN_INITIALIZED |
3960 | * should be set |
3961 | * 0 0 1 |
3962 | * 1 0 0 |
3963 | * 0 1 1 |
3964 | * 1 1 1 |
3965 | */ |
3966 | if (!(pInfo->flags & CKF_LOGIN_REQUIRED0x00000004UL) || |
3967 | (pInfo->flags & CKF_USER_PIN_INITIALIZED0x00000008UL)) { |
3968 | pInfo->flags |= CKF_TOKEN_INITIALIZED0x00000400UL; |
3969 | } |
3970 | return CKR_OK0x00000000UL; |
3971 | } |
3972 | |
3973 | /* NSC_GetMechanismList obtains a list of mechanism types |
3974 | * supported by a token. */ |
3975 | CK_RV |
3976 | NSC_GetMechanismList(CK_SLOT_ID slotID, |
3977 | CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount) |
3978 | { |
3979 | CK_ULONG i; |
3980 | |
3981 | CHECK_FORK(); |
3982 | |
3983 | switch (slotID) { |
3984 | /* default: */ |
3985 | case NETSCAPE_SLOT_ID1: |
3986 | *pulCount = mechanismCount; |
3987 | if (pMechanismList != NULL((void*)0)) { |
3988 | for (i = 0; i < mechanismCount; i++) { |
3989 | pMechanismList[i] = mechanisms[i].type; |
3990 | } |
3991 | } |
3992 | break; |
3993 | default: |
3994 | *pulCount = 0; |
3995 | for (i = 0; i < mechanismCount; i++) { |
3996 | if (mechanisms[i].privkey) { |
3997 | (*pulCount)++; |
3998 | if (pMechanismList != NULL((void*)0)) { |
3999 | *pMechanismList++ = mechanisms[i].type; |
4000 | } |
4001 | } |
4002 | } |
4003 | break; |
4004 | } |
4005 | return CKR_OK0x00000000UL; |
4006 | } |
4007 | |
4008 | /* NSC_GetMechanismInfo obtains information about a particular mechanism |
4009 | * possibly supported by a token. */ |
4010 | CK_RV |
4011 | NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, |
4012 | CK_MECHANISM_INFO_PTR pInfo) |
4013 | { |
4014 | PRBool isPrivateKey; |
4015 | CK_ULONG i; |
4016 | |
4017 | CHECK_FORK(); |
4018 | |
4019 | switch (slotID) { |
4020 | case NETSCAPE_SLOT_ID1: |
4021 | isPrivateKey = PR_FALSE0; |
4022 | break; |
4023 | default: |
4024 | isPrivateKey = PR_TRUE1; |
4025 | break; |
4026 | } |
4027 | for (i = 0; i < mechanismCount; i++) { |
4028 | if (type == mechanisms[i].type) { |
4029 | if (isPrivateKey && !mechanisms[i].privkey) { |
4030 | return CKR_MECHANISM_INVALID0x00000070UL; |
4031 | } |
4032 | PORT_Memcpymemcpy(pInfo, &mechanisms[i].info, sizeof(CK_MECHANISM_INFO)); |
4033 | return CKR_OK0x00000000UL; |
4034 | } |
4035 | } |
4036 | return CKR_MECHANISM_INVALID0x00000070UL; |
4037 | } |
4038 | |
4039 | /* |
4040 | * If we are using the V2 interface, strip out the message flags |
4041 | */ |
4042 | #define SFTK_MESSAGE_FLAGS(0x00000002UL | 0x00000004UL | 0x00000008UL | 0x00000010UL) (CKF_MESSAGE_ENCRYPT0x00000002UL | CKF_MESSAGE_DECRYPT0x00000004UL | CKF_MESSAGE_SIGN0x00000008UL | CKF_MESSAGE_VERIFY0x00000010UL) |
4043 | CK_RV |
4044 | NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, |
4045 | CK_MECHANISM_INFO_PTR pInfo) |
4046 | { |
4047 | CK_RV crv; |
4048 | crv = NSC_GetMechanismInfo(slotID, type, pInfo); |
4049 | if (crv == CKR_OK0x00000000UL) { |
4050 | pInfo->flags = pInfo->flags & ~SFTK_MESSAGE_FLAGS(0x00000002UL | 0x00000004UL | 0x00000008UL | 0x00000010UL); |
4051 | } |
4052 | return crv; |
4053 | } |
4054 | |
4055 | CK_RV |
4056 | sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op) |
4057 | { |
4058 | CK_ULONG i; |
4059 | CK_FLAGS flags = sftk_AttributeToFlags(op); |
4060 | |
4061 | if (flags == 0) { |
4062 | return CKR_ARGUMENTS_BAD0x00000007UL; |
4063 | } |
4064 | for (i = 0; i < mechanismCount; i++) { |
4065 | if (type == mechanisms[i].type) { |
4066 | return (flags & mechanisms[i].info.flags) ? CKR_OK0x00000000UL |
4067 | : CKR_MECHANISM_INVALID0x00000070UL; |
4068 | } |
4069 | } |
4070 | return CKR_MECHANISM_INVALID0x00000070UL; |
4071 | } |
4072 | |
4073 | /* NSC_InitToken initializes a token. */ |
4074 | CK_RV |
4075 | NSC_InitToken(CK_SLOT_ID slotID, CK_CHAR_PTR pPin, |
4076 | CK_ULONG ulPinLen, CK_CHAR_PTR pLabel) |
4077 | { |
4078 | SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE0); |
4079 | SFTKDBHandle *handle; |
4080 | SECStatus rv; |
4081 | unsigned int i; |
4082 | SFTKObject *object; |
4083 | |
4084 | CHECK_FORK(); |
4085 | |
4086 | if (slot == NULL((void*)0)) |
4087 | return CKR_SLOT_ID_INVALID0x00000003UL; |
4088 | |
4089 | /* don't initialize the database if we aren't talking to a token |
4090 | * that uses the key database. |
4091 | */ |
4092 | if (slotID == NETSCAPE_SLOT_ID1) { |
4093 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
4094 | } |
4095 | |
4096 | /* first, delete all our loaded key and cert objects from our |
4097 | * internal list. */ |
4098 | PZ_Lock(slot->objectLock)PR_Lock((slot->objectLock)); |
4099 | for (i = 0; i < slot->sessObjHashSize; i++) { |
4100 | do { |
4101 | object = slot->sessObjHashTable[i]; |
4102 | /* hand deque */ |
4103 | /* this duplicates function of NSC_close session functions, but |
4104 | * because we know that we are freeing all the sessions, we can |
4105 | * do more efficient processing */ |
4106 | if (object) { |
4107 | slot->sessObjHashTable[i] = object->next; |
4108 | |
4109 | if (object->next) |
4110 | object->next->prev = NULL((void*)0); |
4111 | object->next = object->prev = NULL((void*)0); |
4112 | } |
4113 | if (object) |
4114 | sftk_FreeObject(object); |
4115 | } while (object != NULL((void*)0)); |
4116 | } |
4117 | slot->DB_loaded = PR_FALSE0; |
4118 | PZ_Unlock(slot->objectLock)PR_Unlock((slot->objectLock)); |
4119 | |
4120 | /* then clear out the key database */ |
4121 | handle = sftk_getKeyDB(slot); |
4122 | if (handle == NULL((void*)0)) { |
4123 | return CKR_TOKEN_WRITE_PROTECTED0x000000E2UL; |
4124 | } |
4125 | |
4126 | rv = sftkdb_ResetKeyDB(handle); |
4127 | /* clear the password */ |
4128 | sftkdb_ClearPassword(handle); |
4129 | /* update slot->needLogin (should be true now since no password is set) */ |
4130 | sftk_checkNeedLogin(slot, handle); |
4131 | sftk_freeDB(handle); |
4132 | if (rv != SECSuccess) { |
4133 | return CKR_DEVICE_ERROR0x00000030UL; |
4134 | } |
4135 | |
4136 | return CKR_OK0x00000000UL; |
4137 | } |
4138 | |
4139 | /* NSC_InitPIN initializes the normal user's PIN. */ |
4140 | CK_RV |
4141 | NSC_InitPIN(CK_SESSION_HANDLE hSession, |
4142 | CK_CHAR_PTR pPin, CK_ULONG ulPinLen) |
4143 | { |
4144 | SFTKSession *sp = NULL((void*)0); |
4145 | SFTKSlot *slot; |
4146 | SFTKDBHandle *handle = NULL((void*)0); |
4147 | char newPinStr[SFTK_MAX_PIN500 + 1]; |
4148 | SECStatus rv; |
4149 | CK_RV crv = CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4150 | PRBool tokenRemoved = PR_FALSE0; |
4151 | |
4152 | CHECK_FORK(); |
4153 | |
4154 | sp = sftk_SessionFromHandle(hSession); |
4155 | if (sp == NULL((void*)0)) { |
4156 | goto loser; |
4157 | } |
4158 | |
4159 | slot = sftk_SlotFromSession(sp)((sp)->slot); |
4160 | if (slot == NULL((void*)0)) { |
4161 | goto loser; |
4162 | } |
4163 | |
4164 | handle = sftk_getKeyDB(slot); |
4165 | if (handle == NULL((void*)0)) { |
4166 | crv = CKR_PIN_LEN_RANGE0x000000A2UL; |
4167 | goto loser; |
4168 | } |
4169 | |
4170 | if (sp->info.state != CKS_RW_SO_FUNCTIONS4) { |
4171 | crv = CKR_USER_NOT_LOGGED_IN0x00000101UL; |
4172 | goto loser; |
4173 | } |
4174 | |
4175 | sftk_FreeSession(sp); |
4176 | sp = NULL((void*)0); |
4177 | |
4178 | /* make sure the pins aren't too long */ |
4179 | if (ulPinLen > SFTK_MAX_PIN500) { |
4180 | crv = CKR_PIN_LEN_RANGE0x000000A2UL; |
4181 | goto loser; |
4182 | } |
4183 | if (ulPinLen < (CK_ULONG)slot->minimumPinLen) { |
4184 | crv = CKR_PIN_LEN_RANGE0x000000A2UL; |
4185 | goto loser; |
4186 | } |
4187 | |
4188 | if (sftkdb_HasPasswordSet(handle) != SECFailure) { |
4189 | crv = CKR_DEVICE_ERROR0x00000030UL; |
4190 | goto loser; |
4191 | } |
4192 | |
4193 | /* convert to null terminated string */ |
4194 | PORT_Memcpymemcpy(newPinStr, pPin, ulPinLen); |
4195 | newPinStr[ulPinLen] = 0; |
4196 | |
4197 | /* build the hashed pins which we pass around */ |
4198 | |
4199 | /* change the data base */ |
4200 | rv = sftkdb_ChangePassword(handle, NULL((void*)0), newPinStr, &tokenRemoved); |
4201 | if (tokenRemoved) { |
4202 | sftk_CloseAllSessions(slot, PR_FALSE0); |
4203 | } |
4204 | PORT_Memsetmemset(newPinStr, 0, ulPinLen); |
4205 | sftk_freeDB(handle); |
4206 | handle = NULL((void*)0); |
4207 | |
4208 | /* Now update our local copy of the pin */ |
4209 | if (rv == SECSuccess) { |
4210 | if (ulPinLen == 0) { |
4211 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4212 | slot->needLogin = PR_FALSE0; |
4213 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4214 | } |
4215 | /* database has been initialized, now force min password in FIPS |
4216 | * mode. NOTE: if we are in level1, we may not have a password, but |
4217 | * forcing it now will prevent an insufficient password from being set. |
4218 | */ |
4219 | if ((sftk_GetModuleIndex(slot->slotID) == NSC_FIPS_MODULE1) && |
4220 | (slot->minimumPinLen < FIPS_MIN_PIN7)) { |
4221 | slot->minimumPinLen = FIPS_MIN_PIN7; |
4222 | } |
4223 | return CKR_OK0x00000000UL; |
4224 | } |
4225 | crv = CKR_PIN_INCORRECT0x000000A0UL; |
4226 | |
4227 | loser: |
4228 | if (sp) { |
4229 | sftk_FreeSession(sp); |
4230 | } |
4231 | if (handle) { |
4232 | sftk_freeDB(handle); |
4233 | } |
4234 | return crv; |
4235 | } |
4236 | |
4237 | /* NSC_SetPIN modifies the PIN of user that is currently logged in. */ |
4238 | /* NOTE: This is only valid for the PRIVATE_KEY_SLOT */ |
4239 | CK_RV |
4240 | NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, |
4241 | CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen) |
4242 | { |
4243 | SFTKSession *sp = NULL((void*)0); |
4244 | SFTKSlot *slot; |
4245 | SFTKDBHandle *handle = NULL((void*)0); |
4246 | char newPinStr[SFTK_MAX_PIN500 + 1], oldPinStr[SFTK_MAX_PIN500 + 1]; |
4247 | SECStatus rv; |
4248 | CK_RV crv = CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4249 | PRBool needLogin; |
4250 | PRBool tokenRemoved = PR_FALSE0; |
4251 | |
4252 | CHECK_FORK(); |
4253 | |
4254 | sp = sftk_SessionFromHandle(hSession); |
4255 | if (sp == NULL((void*)0)) { |
4256 | goto loser; |
4257 | } |
4258 | |
4259 | slot = sftk_SlotFromSession(sp)((sp)->slot); |
4260 | if (!slot) { |
4261 | goto loser; |
4262 | } |
4263 | |
4264 | handle = sftk_getKeyDB(slot); |
4265 | if (handle == NULL((void*)0)) { |
4266 | sftk_FreeSession(sp); |
4267 | return CKR_PIN_LEN_RANGE0x000000A2UL; /* XXX FIXME wrong return value */ |
4268 | } |
4269 | |
4270 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4271 | needLogin = slot->needLogin; |
4272 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4273 | if (needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS3) { |
4274 | crv = CKR_USER_NOT_LOGGED_IN0x00000101UL; |
4275 | goto loser; |
4276 | } |
4277 | |
4278 | sftk_FreeSession(sp); |
4279 | sp = NULL((void*)0); |
4280 | |
4281 | /* make sure the pins aren't too long */ |
4282 | if ((ulNewLen > SFTK_MAX_PIN500) || (ulOldLen > SFTK_MAX_PIN500)) { |
4283 | crv = CKR_PIN_LEN_RANGE0x000000A2UL; |
4284 | goto loser; |
4285 | } |
4286 | /* check the length of new pin, unless both old and new passwords |
4287 | * are empty */ |
4288 | if ((ulNewLen != 0 || ulOldLen != 0) && |
4289 | ulNewLen < (CK_ULONG)slot->minimumPinLen) { |
4290 | crv = CKR_PIN_LEN_RANGE0x000000A2UL; |
4291 | goto loser; |
4292 | } |
4293 | |
4294 | /* convert to null terminated string */ |
4295 | PORT_Memcpymemcpy(newPinStr, pNewPin, ulNewLen); |
4296 | newPinStr[ulNewLen] = 0; |
4297 | PORT_Memcpymemcpy(oldPinStr, pOldPin, ulOldLen); |
4298 | oldPinStr[ulOldLen] = 0; |
4299 | |
4300 | /* change the data base password */ |
4301 | PR_Lock(slot->pwCheckLock); |
4302 | rv = sftkdb_ChangePassword(handle, oldPinStr, newPinStr, &tokenRemoved); |
4303 | PORT_Memsetmemset(newPinStr, 0, ulNewLen); |
4304 | PORT_Memsetmemset(oldPinStr, 0, ulOldLen); |
4305 | if (tokenRemoved) { |
4306 | sftk_CloseAllSessions(slot, PR_FALSE0); |
4307 | } |
4308 | if ((rv != SECSuccess) && (sftk_isFIPS(slot->slotID)(((slot->slotID) == 3) || ((slot->slotID) >= 101)))) { |
4309 | PR_Sleep(loginWaitTime); |
4310 | } |
4311 | PR_Unlock(slot->pwCheckLock); |
4312 | |
4313 | /* Now update our local copy of the pin */ |
4314 | if (rv == SECSuccess) { |
4315 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4316 | slot->needLogin = (PRBool)(ulNewLen != 0); |
4317 | slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess); |
4318 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4319 | /* Reset login flags. */ |
4320 | if (ulNewLen == 0) { |
4321 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4322 | slot->isLoggedIn = PR_FALSE0; |
4323 | slot->ssoLoggedIn = PR_FALSE0; |
4324 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4325 | |
4326 | tokenRemoved = PR_FALSE0; |
4327 | rv = sftkdb_CheckPasswordNull(handle, &tokenRemoved); |
Value stored to 'rv' is never read | |
4328 | if (tokenRemoved) { |
4329 | sftk_CloseAllSessions(slot, PR_FALSE0); |
4330 | } |
4331 | } |
4332 | sftk_update_all_states(slot); |
4333 | sftk_freeDB(handle); |
4334 | return CKR_OK0x00000000UL; |
4335 | } |
4336 | crv = CKR_PIN_INCORRECT0x000000A0UL; |
4337 | loser: |
4338 | if (sp) { |
4339 | sftk_FreeSession(sp); |
4340 | } |
4341 | if (handle) { |
4342 | sftk_freeDB(handle); |
4343 | } |
4344 | return crv; |
4345 | } |
4346 | |
4347 | /* NSC_OpenSession opens a session between an application and a token. */ |
4348 | CK_RV |
4349 | NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, |
4350 | CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession) |
4351 | { |
4352 | SFTKSlot *slot; |
4353 | CK_SESSION_HANDLE sessionID; |
4354 | SFTKSession *session; |
4355 | SFTKSession *sameID; |
4356 | |
4357 | CHECK_FORK(); |
4358 | |
4359 | slot = sftk_SlotFromID(slotID, PR_FALSE0); |
4360 | if (slot == NULL((void*)0)) |
4361 | return CKR_SLOT_ID_INVALID0x00000003UL; |
4362 | |
4363 | /* new session (we only have serial sessions) */ |
4364 | session = sftk_NewSession(slotID, Notify, pApplication, |
4365 | flags | CKF_SERIAL_SESSION0x00000004UL); |
4366 | if (session == NULL((void*)0)) |
4367 | return CKR_HOST_MEMORY0x00000002UL; |
4368 | |
4369 | if (slot->readOnly && (flags & CKF_RW_SESSION0x00000002UL)) { |
4370 | /* NETSCAPE_SLOT_ID is Read ONLY */ |
4371 | session->info.flags &= ~CKF_RW_SESSION0x00000002UL; |
4372 | } |
4373 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4374 | ++slot->sessionCount; |
4375 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4376 | if (session->info.flags & CKF_RW_SESSION0x00000002UL) { |
4377 | (void)PR_ATOMIC_INCREMENT(&slot->rwSessionCount)__sync_add_and_fetch(&slot->rwSessionCount, 1); |
4378 | } |
4379 | |
4380 | do { |
4381 | PZLockPRLock *lock; |
4382 | do { |
4383 | sessionID = (PR_ATOMIC_INCREMENT(&slot->sessionIDCount)__sync_add_and_fetch(&slot->sessionIDCount, 1) & 0xffffff) | (slot->index << 24); |
4384 | } while (sessionID == CK_INVALID_HANDLE0); |
4385 | lock = SFTK_SESSION_LOCK(slot, sessionID)((slot)->sessionLock[(sessionID) & (slot)->sessionLockMask ]); |
4386 | PZ_Lock(lock)PR_Lock((lock)); |
4387 | sftkqueue_find(sameID, sessionID, slot->head, slot->sessHashSize)for ((sameID) = (slot->head)[((PRUint32)((sessionID)*1791398085 ) & (slot->sessHashSize - 1))]; (sameID) != ((void*)0) ; (sameID) = (sameID)->next) { if ((sameID)->handle == ( sessionID)) { break; } }; |
4388 | if (sameID == NULL((void*)0)) { |
4389 | session->handle = sessionID; |
4390 | sftk_update_state(slot, session); |
4391 | sftkqueue_add(session, sessionID, slot->head, slot->sessHashSize){ int tmp = ((PRUint32)((sessionID)*1791398085) & (slot-> sessHashSize - 1)); (session)->next = (slot->head)[tmp] ; (session)->prev = ((void*)0); if ((slot->head)[tmp]) ( slot->head)[tmp]->prev = (session); (slot->head)[tmp ] = (session); }; |
4392 | } else { |
4393 | slot->sessionIDConflict++; /* for debugging */ |
4394 | } |
4395 | PZ_Unlock(lock)PR_Unlock((lock)); |
4396 | } while (sameID != NULL((void*)0)); |
4397 | |
4398 | *phSession = sessionID; |
4399 | return CKR_OK0x00000000UL; |
4400 | } |
4401 | |
4402 | /* NSC_CloseSession closes a session between an application and a token. */ |
4403 | CK_RV |
4404 | NSC_CloseSession(CK_SESSION_HANDLE hSession) |
4405 | { |
4406 | SFTKSlot *slot; |
4407 | SFTKSession *session; |
4408 | PRBool sessionFound; |
4409 | PZLockPRLock *lock; |
4410 | |
4411 | CHECK_FORK(); |
4412 | |
4413 | session = sftk_SessionFromHandle(hSession); |
4414 | if (session == NULL((void*)0)) |
4415 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4416 | slot = sftk_SlotFromSession(session)((session)->slot); |
4417 | sessionFound = PR_FALSE0; |
4418 | |
4419 | /* lock */ |
4420 | lock = SFTK_SESSION_LOCK(slot, hSession)((slot)->sessionLock[(hSession) & (slot)->sessionLockMask ]); |
4421 | PZ_Lock(lock)PR_Lock((lock)); |
4422 | if (sftkqueue_is_queued(session, hSession, slot->head, slot->sessHashSize)(((session)->next) || ((session)->prev) || ((slot->head )[((PRUint32)((hSession)*1791398085) & (slot->sessHashSize - 1))] == (session)))) { |
4423 | sessionFound = PR_TRUE1; |
4424 | sftkqueue_delete(session, hSession, slot->head, slot->sessHashSize)if ((session)->next) (session)->next->prev = (session )->prev; if ((session)->prev) (session)->prev->next = (session)->next; else (slot->head)[((PRUint32)((hSession )*1791398085) & (slot->sessHashSize - 1))] = ((session )->next); (session)->next = ((void*)0); (session)->prev = ((void*)0);; |
4425 | } |
4426 | PZ_Unlock(lock)PR_Unlock((lock)); |
4427 | |
4428 | if (sessionFound) { |
4429 | SFTKDBHandle *handle; |
4430 | handle = sftk_getKeyDB(slot); |
4431 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4432 | if (--slot->sessionCount == 0) { |
4433 | slot->isLoggedIn = PR_FALSE0; |
4434 | if (slot->needLogin && handle) { |
4435 | sftkdb_ClearPassword(handle); |
4436 | } |
4437 | } |
4438 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4439 | if (handle) { |
4440 | sftk_freeDB(handle); |
4441 | } |
4442 | if (session->info.flags & CKF_RW_SESSION0x00000002UL) { |
4443 | (void)PR_ATOMIC_DECREMENT(&slot->rwSessionCount)__sync_sub_and_fetch(&slot->rwSessionCount, 1); |
4444 | } |
4445 | sftk_DestroySession(session); |
4446 | session = NULL((void*)0); |
4447 | } |
4448 | |
4449 | return CKR_OK0x00000000UL; |
4450 | } |
4451 | |
4452 | /* NSC_CloseAllSessions closes all sessions with a token. */ |
4453 | CK_RV |
4454 | NSC_CloseAllSessions(CK_SLOT_ID slotID) |
4455 | { |
4456 | SFTKSlot *slot; |
4457 | |
4458 | #ifndef NO_FORK_CHECK |
4459 | /* skip fork check if we are being called from C_Initialize or C_Finalize */ |
4460 | if (!parentForkedAfterC_Initialize) { |
4461 | CHECK_FORK(); |
4462 | } |
4463 | #endif |
4464 | |
4465 | slot = sftk_SlotFromID(slotID, PR_FALSE0); |
4466 | if (slot == NULL((void*)0)) |
4467 | return CKR_SLOT_ID_INVALID0x00000003UL; |
4468 | |
4469 | return sftk_CloseAllSessions(slot, PR_TRUE1); |
4470 | } |
4471 | |
4472 | /* NSC_GetSessionInfo obtains information about the session. */ |
4473 | CK_RV |
4474 | NSC_GetSessionInfo(CK_SESSION_HANDLE hSession, |
4475 | CK_SESSION_INFO_PTR pInfo) |
4476 | { |
4477 | SFTKSession *session; |
4478 | |
4479 | CHECK_FORK(); |
4480 | |
4481 | session = sftk_SessionFromHandle(hSession); |
4482 | if (session == NULL((void*)0)) |
4483 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4484 | |
4485 | PORT_Memcpymemcpy(pInfo, &session->info, sizeof(CK_SESSION_INFO)); |
4486 | sftk_FreeSession(session); |
4487 | return CKR_OK0x00000000UL; |
4488 | } |
4489 | |
4490 | /* NSC_Login logs a user into a token. */ |
4491 | CK_RV |
4492 | NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, |
4493 | CK_CHAR_PTR pPin, CK_ULONG ulPinLen) |
4494 | { |
4495 | SFTKSlot *slot; |
4496 | SFTKSession *session; |
4497 | SFTKDBHandle *handle; |
4498 | CK_FLAGS sessionFlags; |
4499 | SECStatus rv; |
4500 | CK_RV crv; |
4501 | char pinStr[SFTK_MAX_PIN500 + 1]; |
4502 | PRBool tokenRemoved = PR_FALSE0; |
4503 | PRBool isLoggedIn; |
4504 | PRBool needLogin; |
4505 | |
4506 | CHECK_FORK(); |
4507 | |
4508 | /* get the slot */ |
4509 | slot = sftk_SlotFromSessionHandle(hSession); |
4510 | if (slot == NULL((void*)0)) { |
4511 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4512 | } |
4513 | |
4514 | /* make sure the session is valid */ |
4515 | session = sftk_SessionFromHandle(hSession); |
4516 | if (session == NULL((void*)0)) { |
4517 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4518 | } |
4519 | sessionFlags = session->info.flags; |
4520 | sftk_FreeSession(session); |
4521 | session = NULL((void*)0); |
4522 | |
4523 | /* can't log into the Netscape Slot */ |
4524 | if (slot->slotID == NETSCAPE_SLOT_ID1) { |
4525 | return CKR_USER_TYPE_INVALID0x00000103UL; |
4526 | } |
4527 | |
4528 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4529 | isLoggedIn = slot->isLoggedIn; |
4530 | needLogin = slot->needLogin; |
4531 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4532 | |
4533 | if (isLoggedIn) |
4534 | return CKR_USER_ALREADY_LOGGED_IN0x00000100UL; |
4535 | if (!needLogin) { |
4536 | return ulPinLen ? CKR_PIN_INCORRECT0x000000A0UL : CKR_OK0x00000000UL; |
4537 | } |
4538 | slot->ssoLoggedIn = PR_FALSE0; |
4539 | |
4540 | if (ulPinLen > SFTK_MAX_PIN500) |
4541 | return CKR_PIN_LEN_RANGE0x000000A2UL; |
4542 | |
4543 | /* convert to null terminated string */ |
4544 | if (ulPinLen) { |
4545 | PORT_Memcpymemcpy(pinStr, pPin, ulPinLen); |
4546 | } |
4547 | pinStr[ulPinLen] = 0; |
4548 | |
4549 | handle = sftk_getKeyDB(slot); |
4550 | if (handle == NULL((void*)0)) { |
4551 | PORT_Memsetmemset(pinStr, 0, ulPinLen); |
4552 | return CKR_USER_TYPE_INVALID0x00000103UL; |
4553 | } |
4554 | |
4555 | /* |
4556 | * Deal with bootstrap. We allow the SSO to login in with a NULL |
4557 | * password if and only if we haven't initialized the KEY DB yet. |
4558 | * We only allow this on a RW session. |
4559 | */ |
4560 | rv = sftkdb_HasPasswordSet(handle); |
4561 | if (rv == SECFailure) { |
4562 | /* allow SSO's to log in only if there is not password on the |
4563 | * key database */ |
4564 | if (((userType == CKU_SO0) && (sessionFlags & CKF_RW_SESSION0x00000002UL)) |
4565 | /* fips always needs to authenticate, even if there isn't a db */ |
4566 | || (sftk_isFIPS(slot->slotID)(((slot->slotID) == 3) || ((slot->slotID) >= 101)))) { |
4567 | /* should this be a fixed password? */ |
4568 | if (ulPinLen == 0) { |
4569 | sftkdb_ClearPassword(handle); |
4570 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4571 | slot->isLoggedIn = PR_TRUE1; |
4572 | slot->ssoLoggedIn = (PRBool)(userType == CKU_SO0); |
4573 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4574 | sftk_update_all_states(slot); |
4575 | crv = CKR_OK0x00000000UL; |
4576 | goto done; |
4577 | } |
4578 | crv = CKR_PIN_INCORRECT0x000000A0UL; |
4579 | goto done; |
4580 | } |
4581 | crv = CKR_USER_TYPE_INVALID0x00000103UL; |
4582 | goto done; |
4583 | } |
4584 | |
4585 | /* don't allow the SSO to log in if the user is already initialized */ |
4586 | if (userType != CKU_USER1) { |
4587 | crv = CKR_USER_TYPE_INVALID0x00000103UL; |
4588 | goto done; |
4589 | } |
4590 | |
4591 | /* build the hashed pins which we pass around */ |
4592 | PR_Lock(slot->pwCheckLock); |
4593 | rv = sftkdb_CheckPassword(handle, pinStr, &tokenRemoved); |
4594 | if (tokenRemoved) { |
4595 | sftk_CloseAllSessions(slot, PR_FALSE0); |
4596 | } |
4597 | if ((rv != SECSuccess) && (sftk_isFIPS(slot->slotID)(((slot->slotID) == 3) || ((slot->slotID) >= 101)))) { |
4598 | PR_Sleep(loginWaitTime); |
4599 | } |
4600 | PR_Unlock(slot->pwCheckLock); |
4601 | if (rv == SECSuccess) { |
4602 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4603 | /* make sure the login state matches the underlying |
4604 | * database state */ |
4605 | slot->isLoggedIn = sftkdb_PWCached(handle) == SECSuccess ? PR_TRUE1 : PR_FALSE0; |
4606 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4607 | |
4608 | sftk_freeDB(handle); |
4609 | handle = NULL((void*)0); |
4610 | |
4611 | /* update all sessions */ |
4612 | sftk_update_all_states(slot); |
4613 | return CKR_OK0x00000000UL; |
4614 | } |
4615 | |
4616 | crv = CKR_PIN_INCORRECT0x000000A0UL; |
4617 | done: |
4618 | PORT_Memsetmemset(pinStr, 0, ulPinLen); |
4619 | if (handle) { |
4620 | sftk_freeDB(handle); |
4621 | } |
4622 | return crv; |
4623 | } |
4624 | |
4625 | CK_RV |
4626 | NSC_LoginUser(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, |
4627 | CK_CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pUsername, |
4628 | CK_ULONG ulUsernameLen) |
4629 | { |
4630 | /* softoken currently does not support additional users */ |
4631 | return CKR_OPERATION_NOT_INITIALIZED0x00000091UL; |
4632 | } |
4633 | |
4634 | /* NSC_Logout logs a user out from a token. */ |
4635 | CK_RV |
4636 | NSC_Logout(CK_SESSION_HANDLE hSession) |
4637 | { |
4638 | SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); |
4639 | SFTKSession *session; |
4640 | SFTKDBHandle *handle; |
4641 | |
4642 | CHECK_FORK(); |
4643 | |
4644 | if (slot == NULL((void*)0)) { |
4645 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4646 | } |
4647 | session = sftk_SessionFromHandle(hSession); |
4648 | if (session == NULL((void*)0)) |
4649 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4650 | sftk_FreeSession(session); |
4651 | session = NULL((void*)0); |
4652 | |
4653 | if (!slot->isLoggedIn) |
4654 | return CKR_USER_NOT_LOGGED_IN0x00000101UL; |
4655 | |
4656 | handle = sftk_getKeyDB(slot); |
4657 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
4658 | slot->isLoggedIn = PR_FALSE0; |
4659 | slot->ssoLoggedIn = PR_FALSE0; |
4660 | if (slot->needLogin && handle) { |
4661 | sftkdb_ClearPassword(handle); |
4662 | } |
4663 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
4664 | if (handle) { |
4665 | sftk_freeDB(handle); |
4666 | } |
4667 | |
4668 | sftk_update_all_states(slot); |
4669 | return CKR_OK0x00000000UL; |
4670 | } |
4671 | |
4672 | /* |
4673 | * Create or remove a new slot on the fly. |
4674 | * When creating a slot, "slot" is the slot that the request came from. The |
4675 | * resulting slot will live in the same module as "slot". |
4676 | * When removing a slot, "slot" is the slot to be removed. |
4677 | * "object" is the creation object that specifies the module spec for the slot |
4678 | * to add or remove. |
4679 | */ |
4680 | static CK_RV |
4681 | sftk_CreateNewSlot(SFTKSlot *slot, CK_OBJECT_CLASS class, |
4682 | SFTKObject *object) |
4683 | { |
4684 | PRBool isValidUserSlot = PR_FALSE0; |
4685 | PRBool isValidFIPSUserSlot = PR_FALSE0; |
4686 | PRBool isValidSlot = PR_FALSE0; |
4687 | PRBool isFIPS = PR_FALSE0; |
4688 | unsigned int moduleIndex = NSC_NON_FIPS_MODULE0; |
4689 | SFTKAttribute *attribute; |
4690 | sftk_parameters paramStrings; |
4691 | char *paramString; |
4692 | CK_SLOT_ID slotID = 0; |
4693 | SFTKSlot *newSlot = NULL((void*)0); |
4694 | CK_RV crv = CKR_OK0x00000000UL; |
4695 | |
4696 | if (class != CKO_NSS_DELSLOT((0x80000000UL | 0x4E534350) + 6) && class != CKO_NSS_NEWSLOT((0x80000000UL | 0x4E534350) + 5)) { |
4697 | return CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
4698 | } |
4699 | if (class == CKO_NSS_NEWSLOT((0x80000000UL | 0x4E534350) + 5) && slot->slotID == FIPS_SLOT_ID3) { |
4700 | isFIPS = PR_TRUE1; |
4701 | } |
4702 | attribute = sftk_FindAttribute(object, CKA_NSS_MODULE_SPEC((0x80000000UL | 0x4E534350) + 24)); |
4703 | if (attribute == NULL((void*)0)) { |
4704 | return CKR_TEMPLATE_INCOMPLETE0x000000D0UL; |
4705 | } |
4706 | paramString = (char *)attribute->attrib.pValue; |
4707 | crv = sftk_parseParameters(paramString, ¶mStrings, isFIPS); |
4708 | if (crv != CKR_OK0x00000000UL) { |
4709 | goto loser; |
4710 | } |
4711 | |
4712 | /* enforce only one at a time */ |
4713 | if (paramStrings.token_count != 1) { |
4714 | crv = CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
4715 | goto loser; |
4716 | } |
4717 | |
4718 | slotID = paramStrings.tokens[0].slotID; |
4719 | |
4720 | /* stay within the valid ID space */ |
4721 | isValidUserSlot = (slotID >= SFTK_MIN_USER_SLOT_ID4 && |
4722 | slotID <= SFTK_MAX_USER_SLOT_ID100); |
4723 | isValidFIPSUserSlot = (slotID >= SFTK_MIN_FIPS_USER_SLOT_ID101 && |
4724 | slotID <= SFTK_MAX_FIPS_USER_SLOT_ID127); |
4725 | |
4726 | if (class == CKO_NSS_DELSLOT((0x80000000UL | 0x4E534350) + 6)) { |
4727 | if (slot->slotID == slotID) { |
4728 | isValidSlot = isValidUserSlot || isValidFIPSUserSlot; |
4729 | } |
4730 | } else { |
4731 | /* only the crypto or FIPS slots can create new slot objects */ |
4732 | if (slot->slotID == NETSCAPE_SLOT_ID1) { |
4733 | isValidSlot = isValidUserSlot; |
4734 | moduleIndex = NSC_NON_FIPS_MODULE0; |
4735 | } else if (slot->slotID == FIPS_SLOT_ID3) { |
4736 | isValidSlot = isValidFIPSUserSlot; |
4737 | moduleIndex = NSC_FIPS_MODULE1; |
4738 | } |
4739 | } |
4740 | |
4741 | if (!isValidSlot) { |
4742 | crv = CKR_ATTRIBUTE_VALUE_INVALID0x00000013UL; |
4743 | goto loser; |
4744 | } |
4745 | |
4746 | /* unload any existing slot at this id */ |
4747 | newSlot = sftk_SlotFromID(slotID, PR_TRUE1); |
4748 | if (newSlot && newSlot->present) { |
4749 | crv = SFTK_ShutdownSlot(newSlot); |
4750 | if (crv != CKR_OK0x00000000UL) { |
4751 | goto loser; |
4752 | } |
4753 | } |
4754 | |
4755 | /* if we were just planning on deleting the slot, then do so now */ |
4756 | if (class == CKO_NSS_DELSLOT((0x80000000UL | 0x4E534350) + 6)) { |
4757 | /* sort of a unconventional use of this error code, be we are |
4758 | * overusing CKR_ATTRIBUTE_VALUE_INVALID, and it does apply */ |
4759 | crv = newSlot ? CKR_OK0x00000000UL : CKR_SLOT_ID_INVALID0x00000003UL; |
4760 | goto loser; /* really exit */ |
4761 | } |
4762 | |
4763 | if (newSlot) { |
4764 | crv = SFTK_SlotReInit(newSlot, paramStrings.configdir, |
4765 | paramStrings.updatedir, paramStrings.updateID, |
4766 | ¶mStrings.tokens[0], moduleIndex); |
4767 | } else { |
4768 | crv = SFTK_SlotInit(paramStrings.configdir, |
4769 | paramStrings.updatedir, paramStrings.updateID, |
4770 | ¶mStrings.tokens[0], moduleIndex); |
4771 | } |
4772 | |
4773 | loser: |
4774 | sftk_freeParams(¶mStrings); |
4775 | sftk_FreeAttribute(attribute); |
4776 | |
4777 | return crv; |
4778 | } |
4779 | |
4780 | /* NSC_CreateObject creates a new object. */ |
4781 | CK_RV |
4782 | NSC_CreateObject(CK_SESSION_HANDLE hSession, |
4783 | CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, |
4784 | CK_OBJECT_HANDLE_PTR phObject) |
4785 | { |
4786 | SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); |
4787 | SFTKSession *session; |
4788 | SFTKObject *object; |
4789 | /* make sure class isn't randomly CKO_NSS_NEWSLOT or |
4790 | * CKO_NETSCPE_DELSLOT. */ |
4791 | CK_OBJECT_CLASS class = CKO_VENDOR_DEFINED0x80000000UL; |
4792 | CK_RV crv; |
4793 | int i; |
4794 | |
4795 | CHECK_FORK(); |
4796 | |
4797 | *phObject = CK_INVALID_HANDLE0; |
4798 | |
4799 | if (slot == NULL((void*)0)) { |
4800 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4801 | } |
4802 | /* |
4803 | * now lets create an object to hang the attributes off of |
4804 | */ |
4805 | object = sftk_NewObject(slot); /* fill in the handle later */ |
4806 | if (object == NULL((void*)0)) { |
4807 | return CKR_HOST_MEMORY0x00000002UL; |
4808 | } |
4809 | |
4810 | /* |
4811 | * sftk_NewObject will set object->isFIPS to PR_TRUE if the slot is FIPS. |
4812 | * We don't need to worry about that here, as FC_CreateObject will always |
4813 | * disallow the import of secret and private keys, regardless of isFIPS |
4814 | * approval status. Therefore, at this point we know that the key is a |
4815 | * public key, which is acceptable to be imported in plaintext. |
4816 | */ |
4817 | |
4818 | /* |
4819 | * load the template values into the object |
4820 | */ |
4821 | for (i = 0; i < (int)ulCount; i++) { |
4822 | crv = sftk_AddAttributeType(object, sftk_attr_expand(&pTemplate[i])(&pTemplate[i])->type, (&pTemplate[i])->pValue, (&pTemplate[i])->ulValueLen); |
4823 | if (crv != CKR_OK0x00000000UL) { |
4824 | sftk_FreeObject(object); |
4825 | return crv; |
4826 | } |
4827 | if ((pTemplate[i].type == CKA_CLASS0x00000000UL) && pTemplate[i].pValue) { |
4828 | class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue; |
4829 | } |
4830 | } |
4831 | |
4832 | /* get the session */ |
4833 | session = sftk_SessionFromHandle(hSession); |
4834 | if (session == NULL((void*)0)) { |
4835 | sftk_FreeObject(object); |
4836 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4837 | } |
4838 | |
4839 | /* |
4840 | * handle pseudo objects (CKO_NEWSLOT) |
4841 | */ |
4842 | if ((class == CKO_NSS_NEWSLOT((0x80000000UL | 0x4E534350) + 5)) || (class == CKO_NSS_DELSLOT((0x80000000UL | 0x4E534350) + 6))) { |
4843 | crv = sftk_CreateNewSlot(slot, class, object); |
4844 | goto done; |
4845 | } |
4846 | |
4847 | /* |
4848 | * handle the base object stuff |
4849 | */ |
4850 | crv = sftk_handleObject(object, session); |
4851 | *phObject = object->handle; |
4852 | done: |
4853 | sftk_FreeSession(session); |
4854 | sftk_FreeObject(object); |
4855 | |
4856 | return crv; |
4857 | } |
4858 | |
4859 | /* NSC_CopyObject copies an object, creating a new object for the copy. */ |
4860 | CK_RV |
4861 | NSC_CopyObject(CK_SESSION_HANDLE hSession, |
4862 | CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, |
4863 | CK_OBJECT_HANDLE_PTR phNewObject) |
4864 | { |
4865 | SFTKObject *destObject, *srcObject; |
4866 | SFTKSession *session; |
4867 | CK_RV crv = CKR_OK0x00000000UL; |
4868 | SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); |
4869 | int i; |
4870 | |
4871 | CHECK_FORK(); |
4872 | |
4873 | if (slot == NULL((void*)0)) { |
4874 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4875 | } |
4876 | /* Get srcObject so we can find the class */ |
4877 | session = sftk_SessionFromHandle(hSession); |
4878 | if (session == NULL((void*)0)) { |
4879 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
4880 | } |
4881 | srcObject = sftk_ObjectFromHandle(hObject, session); |
4882 | if (srcObject == NULL((void*)0)) { |
4883 | sftk_FreeSession(session); |
4884 | return CKR_OBJECT_HANDLE_INVALID0x00000082UL; |
4885 | } |
4886 | /* |
4887 | * create an object to hang the attributes off of |
4888 | */ |
4889 | destObject = sftk_NewObject(slot); /* fill in the handle later */ |
4890 | if (destObject == NULL((void*)0)) { |
4891 | sftk_FreeSession(session); |
4892 | sftk_FreeObject(srcObject); |
4893 | return CKR_HOST_MEMORY0x00000002UL; |
4894 | } |
4895 | |
4896 | /* |
4897 | * load the template values into the object |
4898 | */ |
4899 | for (i = 0; i < (int)ulCount; i++) { |
4900 | if (sftk_modifyType(pTemplate[i].type, srcObject->objclass) == SFTK_NEVER) { |
4901 | crv = CKR_ATTRIBUTE_READ_ONLY0x00000010UL; |
4902 | break; |
4903 | } |
4904 | crv = sftk_AddAttributeType(destObject, sftk_attr_expand(&pTemplate[i])(&pTemplate[i])->type, (&pTemplate[i])->pValue, (&pTemplate[i])->ulValueLen); |
4905 | if (crv != CKR_OK0x00000000UL) { |
4906 | break; |
4907 | } |
4908 | } |
4909 | if (crv != CKR_OK0x00000000UL) { |
4910 | sftk_FreeSession(session); |
4911 | sftk_FreeObject(srcObject); |
4912 | sftk_FreeObject(destObject); |
4913 | return crv; |
4914 | } |
4915 | |
4916 | /* sensitive can only be changed to CK_TRUE */ |
4917 | if (sftk_hasAttribute(destObject, CKA_SENSITIVE0x00000103UL)) { |
4918 | if (!sftk_isTrue(destObject, CKA_SENSITIVE0x00000103UL)) { |
4919 | sftk_FreeSession(session); |
4920 | sftk_FreeObject(srcObject); |
4921 | sftk_FreeObject(destObject); |
4922 | return CKR_ATTRIBUTE_READ_ONLY0x00000010UL; |
4923 | } |
4924 | } |
4925 | |
4926 | /* |
4927 | * now copy the old attributes from the new attributes |
4928 | */ |
4929 | /* don't create a token object if we aren't in a rw session */ |
4930 | /* we need to hold the lock to copy a consistant version of |
4931 | * the object. */ |
4932 | crv = sftk_CopyObject(destObject, srcObject); |
4933 | |
4934 | destObject->objclass = srcObject->objclass; |
4935 | sftk_FreeObject(srcObject); |
4936 | if (crv != CKR_OK0x00000000UL) { |
4937 | sftk_FreeObject(destObject); |
4938 | sftk_FreeSession(session); |
4939 | return crv; |
4940 | } |
4941 | |
4942 | crv = sftk_handleObject(destObject, session); |
4943 | *phNewObject = destObject->handle; |
4944 | sftk_FreeSession(session); |
4945 | sftk_FreeObject(destObject); |
4946 | |
4947 | return crv; |
4948 | } |
4949 | |
4950 | /* NSC_GetObjectSize gets the size of an object in bytes. */ |
4951 | CK_RV |
4952 | NSC_GetObjectSize(CK_SESSION_HANDLE hSession, |
4953 | CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) |
4954 | { |
4955 | CHECK_FORK(); |
4956 | |
4957 | *pulSize = 0; |
4958 | return CKR_OK0x00000000UL; |
4959 | } |
4960 | |
4961 | static CK_RV |
4962 | nsc_GetTokenAttributeValue(SFTKSession *session, CK_OBJECT_HANDLE hObject, |
4963 | CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) |
4964 | { |
4965 | SFTKSlot *slot = sftk_SlotFromSession(session)((session)->slot); |
4966 | SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject); |
4967 | SFTKDBHandle *keydb = NULL((void*)0); |
4968 | CK_RV crv; |
4969 | |
4970 | if (dbHandle == NULL((void*)0)) { |
4971 | return CKR_OBJECT_HANDLE_INVALID0x00000082UL; |
4972 | } |
4973 | |
4974 | crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount); |
4975 | |
4976 | /* make sure we don't export any sensitive information */ |
4977 | keydb = sftk_getKeyDB(slot); |
4978 | if (dbHandle == keydb) { |
4979 | CK_ULONG i; |
4980 | for (i = 0; i < ulCount; i++) { |
4981 | if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY0x00000003UL)) { |
4982 | crv = CKR_ATTRIBUTE_SENSITIVE0x00000011UL; |
4983 | if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) { |
4984 | PORT_Memsetmemset(pTemplate[i].pValue, 0, |
4985 | pTemplate[i].ulValueLen); |
4986 | } |
4987 | pTemplate[i].ulValueLen = -1; |
4988 | } |
4989 | } |
4990 | } |
4991 | |
4992 | sftk_freeDB(dbHandle); |
4993 | if (keydb) { |
4994 | sftk_freeDB(keydb); |
4995 | } |
4996 | return crv; |
4997 | } |
4998 | |
4999 | /* NSC_GetAttributeValue obtains the value of one or more object attributes. */ |
5000 | CK_RV |
5001 | NSC_GetAttributeValue(CK_SESSION_HANDLE hSession, |
5002 | CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) |
5003 | { |
5004 | SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); |
5005 | SFTKSession *session; |
5006 | SFTKObject *object; |
5007 | SFTKAttribute *attribute; |
5008 | PRBool sensitive, isLoggedIn, needLogin; |
5009 | CK_RV crv; |
5010 | int i; |
5011 | |
5012 | CHECK_FORK(); |
5013 | |
5014 | if (slot == NULL((void*)0)) { |
5015 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5016 | } |
5017 | /* |
5018 | * make sure we're allowed |
5019 | */ |
5020 | session = sftk_SessionFromHandle(hSession); |
5021 | if (session == NULL((void*)0)) { |
5022 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5023 | } |
5024 | |
5025 | /* short circuit everything for token objects */ |
5026 | if (sftk_isToken(hObject)(((hObject)&0x80000000L) == 0x80000000L)) { |
5027 | crv = nsc_GetTokenAttributeValue(session, hObject, pTemplate, ulCount); |
5028 | sftk_FreeSession(session); |
5029 | return crv; |
5030 | } |
5031 | |
5032 | /* handle the session object */ |
5033 | object = sftk_ObjectFromHandle(hObject, session); |
5034 | sftk_FreeSession(session); |
5035 | if (object == NULL((void*)0)) { |
5036 | return CKR_OBJECT_HANDLE_INVALID0x00000082UL; |
5037 | } |
5038 | |
5039 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
5040 | isLoggedIn = slot->isLoggedIn; |
5041 | needLogin = slot->needLogin; |
5042 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
5043 | |
5044 | /* don't read a private object if we aren't logged in */ |
5045 | if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE0x00000002UL)) { |
5046 | sftk_FreeObject(object); |
5047 | return CKR_USER_NOT_LOGGED_IN0x00000101UL; |
5048 | } |
5049 | |
5050 | crv = CKR_OK0x00000000UL; |
5051 | sensitive = sftk_isTrue(object, CKA_SENSITIVE0x00000103UL); |
5052 | for (i = 0; i < (int)ulCount; i++) { |
5053 | /* Make sure that this attribute is retrievable */ |
5054 | if (sensitive && sftk_isSensitive(pTemplate[i].type, object->objclass)) { |
5055 | crv = CKR_ATTRIBUTE_SENSITIVE0x00000011UL; |
5056 | pTemplate[i].ulValueLen = -1; |
5057 | continue; |
5058 | } |
5059 | attribute = sftk_FindAttribute(object, pTemplate[i].type); |
5060 | if (attribute == NULL((void*)0)) { |
5061 | crv = CKR_ATTRIBUTE_TYPE_INVALID0x00000012UL; |
5062 | pTemplate[i].ulValueLen = -1; |
5063 | continue; |
5064 | } |
5065 | if (pTemplate[i].pValue != NULL((void*)0)) { |
5066 | PORT_Memcpymemcpy(pTemplate[i].pValue, attribute->attrib.pValue, |
5067 | attribute->attrib.ulValueLen); |
5068 | } |
5069 | pTemplate[i].ulValueLen = attribute->attrib.ulValueLen; |
5070 | sftk_FreeAttribute(attribute); |
5071 | } |
5072 | |
5073 | sftk_FreeObject(object); |
5074 | return crv; |
5075 | } |
5076 | |
5077 | /* NSC_SetAttributeValue modifies the value of one or more object attributes */ |
5078 | CK_RV |
5079 | NSC_SetAttributeValue(CK_SESSION_HANDLE hSession, |
5080 | CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) |
5081 | { |
5082 | SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); |
5083 | SFTKSession *session; |
5084 | SFTKAttribute *attribute; |
5085 | SFTKObject *object; |
5086 | PRBool isToken, isLoggedIn, needLogin; |
5087 | CK_RV crv = CKR_OK0x00000000UL; |
5088 | CK_BBOOL legal; |
5089 | int i; |
5090 | |
5091 | CHECK_FORK(); |
5092 | |
5093 | if (slot == NULL((void*)0)) { |
5094 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5095 | } |
5096 | /* |
5097 | * make sure we're allowed |
5098 | */ |
5099 | session = sftk_SessionFromHandle(hSession); |
5100 | if (session == NULL((void*)0)) { |
5101 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5102 | } |
5103 | |
5104 | object = sftk_ObjectFromHandle(hObject, session); |
5105 | if (object == NULL((void*)0)) { |
5106 | sftk_FreeSession(session); |
5107 | return CKR_OBJECT_HANDLE_INVALID0x00000082UL; |
5108 | } |
5109 | |
5110 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
5111 | isLoggedIn = slot->isLoggedIn; |
5112 | needLogin = slot->needLogin; |
5113 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
5114 | |
5115 | /* don't modify a private object if we aren't logged in */ |
5116 | if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE0x00000002UL)) { |
5117 | sftk_FreeSession(session); |
5118 | sftk_FreeObject(object); |
5119 | return CKR_USER_NOT_LOGGED_IN0x00000101UL; |
5120 | } |
5121 | |
5122 | /* don't modify a token object if we aren't in a rw session */ |
5123 | isToken = sftk_isTrue(object, CKA_TOKEN0x00000001UL); |
5124 | if (((session->info.flags & CKF_RW_SESSION0x00000002UL) == 0) && isToken) { |
5125 | sftk_FreeSession(session); |
5126 | sftk_FreeObject(object); |
5127 | return CKR_SESSION_READ_ONLY0x000000B5UL; |
5128 | } |
5129 | sftk_FreeSession(session); |
5130 | |
5131 | /* only change modifiable objects */ |
5132 | if (!sftk_isTrue(object, CKA_MODIFIABLE0x00000170UL)) { |
5133 | sftk_FreeObject(object); |
5134 | return CKR_ATTRIBUTE_READ_ONLY0x00000010UL; |
5135 | } |
5136 | |
5137 | for (i = 0; i < (int)ulCount; i++) { |
5138 | /* Make sure that this attribute is changeable */ |
5139 | switch (sftk_modifyType(pTemplate[i].type, object->objclass)) { |
5140 | case SFTK_NEVER: |
5141 | case SFTK_ONCOPY: |
5142 | default: |
5143 | crv = CKR_ATTRIBUTE_READ_ONLY0x00000010UL; |
5144 | break; |
5145 | |
5146 | case SFTK_SENSITIVE: |
5147 | legal = (pTemplate[i].type == CKA_EXTRACTABLE0x00000162UL) ? CK_FALSE0 : CK_TRUE1; |
5148 | if ((*(CK_BBOOL *)pTemplate[i].pValue) != legal) { |
5149 | crv = CKR_ATTRIBUTE_READ_ONLY0x00000010UL; |
5150 | } |
5151 | break; |
5152 | case SFTK_ALWAYS: |
5153 | break; |
5154 | } |
5155 | if (crv != CKR_OK0x00000000UL) |
5156 | break; |
5157 | |
5158 | /* find the old attribute */ |
5159 | attribute = sftk_FindAttribute(object, pTemplate[i].type); |
5160 | if (attribute == NULL((void*)0)) { |
5161 | crv = CKR_ATTRIBUTE_TYPE_INVALID0x00000012UL; |
5162 | break; |
5163 | } |
5164 | sftk_FreeAttribute(attribute); |
5165 | crv = sftk_forceAttribute(object, sftk_attr_expand(&pTemplate[i])(&pTemplate[i])->type, (&pTemplate[i])->pValue, (&pTemplate[i])->ulValueLen); |
5166 | if (crv != CKR_OK0x00000000UL) |
5167 | break; |
5168 | } |
5169 | |
5170 | sftk_FreeObject(object); |
5171 | return crv; |
5172 | } |
5173 | |
5174 | static CK_RV |
5175 | sftk_expandSearchList(SFTKSearchResults *search, int count) |
5176 | { |
5177 | search->array_size += count; |
5178 | search->handles = (CK_OBJECT_HANDLE *)PORT_ReallocPORT_Realloc_Util(search->handles, |
5179 | sizeof(CK_OBJECT_HANDLE) * search->array_size); |
5180 | return search->handles ? CKR_OK0x00000000UL : CKR_HOST_MEMORY0x00000002UL; |
5181 | } |
5182 | |
5183 | static CK_RV |
5184 | sftk_searchDatabase(SFTKDBHandle *handle, SFTKSearchResults *search, |
5185 | const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) |
5186 | { |
5187 | CK_RV crv; |
5188 | int objectListSize = search->array_size - search->size; |
5189 | CK_OBJECT_HANDLE *array = &search->handles[search->size]; |
5190 | SDBFind *find; |
5191 | CK_ULONG count; |
5192 | |
5193 | crv = sftkdb_FindObjectsInit(handle, pTemplate, ulCount, &find); |
5194 | if (crv != CKR_OK0x00000000UL) |
5195 | return crv; |
5196 | do { |
5197 | crv = sftkdb_FindObjects(handle, find, array, objectListSize, &count); |
5198 | if ((crv != CKR_OK0x00000000UL) || (count == 0)) |
5199 | break; |
5200 | search->size += count; |
5201 | objectListSize -= count; |
5202 | if (objectListSize > 0) |
5203 | break; |
5204 | crv = sftk_expandSearchList(search, NSC_SEARCH_BLOCK_SIZE5); |
5205 | objectListSize = NSC_SEARCH_BLOCK_SIZE5; |
5206 | array = &search->handles[search->size]; |
5207 | } while (crv == CKR_OK0x00000000UL); |
5208 | sftkdb_FindObjectsFinal(handle, find); |
5209 | |
5210 | return crv; |
5211 | } |
5212 | |
5213 | /* softoken used to search the SMimeEntries automatically instead of |
5214 | * doing this in pk11wrap. This code should really be up in |
5215 | * pk11wrap so that it will work with other tokens other than softoken. |
5216 | */ |
5217 | CK_RV |
5218 | sftk_emailhack(SFTKSlot *slot, SFTKDBHandle *handle, |
5219 | SFTKSearchResults *search, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount) |
5220 | { |
5221 | PRBool isCert = PR_FALSE0; |
5222 | int emailIndex = -1; |
5223 | unsigned int i; |
5224 | SFTKSearchResults smime_search; |
5225 | CK_ATTRIBUTE smime_template[2]; |
5226 | CK_OBJECT_CLASS smime_class = CKO_NSS_SMIME((0x80000000UL | 0x4E534350) + 2); |
5227 | SFTKAttribute *attribute = NULL((void*)0); |
5228 | SFTKObject *object = NULL((void*)0); |
5229 | CK_RV crv = CKR_OK0x00000000UL; |
5230 | |
5231 | smime_search.handles = NULL((void*)0); /* paranoia, some one is bound to add a goto |
5232 | * loser before this gets initialized */ |
5233 | |
5234 | /* see if we are looking for email certs */ |
5235 | for (i = 0; i < ulCount; i++) { |
5236 | if (pTemplate[i].type == CKA_CLASS0x00000000UL) { |
5237 | if ((pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS) || |
5238 | (*(CK_OBJECT_CLASS *)pTemplate[i].pValue) != CKO_CERTIFICATE0x00000001UL)) { |
5239 | /* not a cert, skip out */ |
5240 | break; |
5241 | } |
5242 | isCert = PR_TRUE1; |
5243 | } else if (pTemplate[i].type == CKA_NSS_EMAIL((0x80000000UL | 0x4E534350) + 2)) { |
5244 | emailIndex = i; |
5245 | } |
5246 | if (isCert && (emailIndex != -1)) |
5247 | break; |
5248 | } |
5249 | |
5250 | if (!isCert || (emailIndex == -1)) { |
5251 | return CKR_OK0x00000000UL; |
5252 | } |
5253 | |
5254 | /* we are doing a cert and email search, find the SMimeEntry */ |
5255 | smime_template[0].type = CKA_CLASS0x00000000UL; |
5256 | smime_template[0].pValue = &smime_class; |
5257 | smime_template[0].ulValueLen = sizeof(smime_class); |
5258 | smime_template[1] = pTemplate[emailIndex]; |
5259 | |
5260 | smime_search.handles = (CK_OBJECT_HANDLE *) |
5261 | PORT_AllocPORT_Alloc_Util(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE5); |
5262 | if (smime_search.handles == NULL((void*)0)) { |
5263 | crv = CKR_HOST_MEMORY0x00000002UL; |
5264 | goto loser; |
5265 | } |
5266 | smime_search.index = 0; |
5267 | smime_search.size = 0; |
5268 | smime_search.array_size = NSC_SEARCH_BLOCK_SIZE5; |
5269 | |
5270 | crv = sftk_searchDatabase(handle, &smime_search, smime_template, 2); |
5271 | if (crv != CKR_OK0x00000000UL || smime_search.size == 0) { |
5272 | goto loser; |
5273 | } |
5274 | |
5275 | /* get the SMime subject */ |
5276 | object = sftk_NewTokenObject(slot, NULL((void*)0), smime_search.handles[0]); |
5277 | if (object == NULL((void*)0)) { |
5278 | crv = CKR_HOST_MEMORY0x00000002UL; /* is there any other reason for this failure? */ |
5279 | goto loser; |
5280 | } |
5281 | attribute = sftk_FindAttribute(object, CKA_SUBJECT0x00000101UL); |
5282 | if (attribute == NULL((void*)0)) { |
5283 | crv = CKR_ATTRIBUTE_TYPE_INVALID0x00000012UL; |
5284 | goto loser; |
5285 | } |
5286 | |
5287 | /* now find the certs with that subject */ |
5288 | pTemplate[emailIndex] = attribute->attrib; |
5289 | /* now add the appropriate certs to the search list */ |
5290 | crv = sftk_searchDatabase(handle, search, pTemplate, ulCount); |
5291 | pTemplate[emailIndex] = smime_template[1]; /* restore the user's template*/ |
5292 | |
5293 | loser: |
5294 | if (attribute) { |
5295 | sftk_FreeAttribute(attribute); |
5296 | } |
5297 | if (object) { |
5298 | sftk_FreeObject(object); |
5299 | } |
5300 | if (smime_search.handles) { |
5301 | PORT_FreePORT_Free_Util(smime_search.handles); |
5302 | } |
5303 | |
5304 | return crv; |
5305 | } |
5306 | |
5307 | static void |
5308 | sftk_pruneSearch(CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, |
5309 | PRBool *searchCertDB, PRBool *searchKeyDB) |
5310 | { |
5311 | CK_ULONG i; |
5312 | |
5313 | *searchCertDB = PR_TRUE1; |
5314 | *searchKeyDB = PR_TRUE1; |
5315 | for (i = 0; i < ulCount; i++) { |
5316 | if (pTemplate[i].type == CKA_CLASS0x00000000UL && pTemplate[i].pValue != NULL((void*)0)) { |
5317 | CK_OBJECT_CLASS class = *((CK_OBJECT_CLASS *)pTemplate[i].pValue); |
5318 | if (class == CKO_PRIVATE_KEY0x00000003UL || class == CKO_SECRET_KEY0x00000004UL) { |
5319 | *searchCertDB = PR_FALSE0; |
5320 | } else { |
5321 | *searchKeyDB = PR_FALSE0; |
5322 | } |
5323 | break; |
5324 | } |
5325 | } |
5326 | } |
5327 | |
5328 | static CK_RV |
5329 | sftk_searchTokenList(SFTKSlot *slot, SFTKSearchResults *search, |
5330 | CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount, |
5331 | PRBool isLoggedIn) |
5332 | { |
5333 | CK_RV crv = CKR_OK0x00000000UL; |
5334 | CK_RV crv2; |
5335 | PRBool searchCertDB; |
5336 | PRBool searchKeyDB; |
5337 | |
5338 | sftk_pruneSearch(pTemplate, ulCount, &searchCertDB, &searchKeyDB); |
5339 | |
5340 | if (searchCertDB) { |
5341 | SFTKDBHandle *certHandle = sftk_getCertDB(slot); |
5342 | crv = sftk_searchDatabase(certHandle, search, pTemplate, ulCount); |
5343 | crv2 = sftk_emailhack(slot, certHandle, search, pTemplate, ulCount); |
5344 | if (crv == CKR_OK0x00000000UL) |
5345 | crv = crv2; |
5346 | sftk_freeDB(certHandle); |
5347 | } |
5348 | |
5349 | if (crv == CKR_OK0x00000000UL && isLoggedIn && searchKeyDB) { |
5350 | SFTKDBHandle *keyHandle = sftk_getKeyDB(slot); |
5351 | crv = sftk_searchDatabase(keyHandle, search, pTemplate, ulCount); |
5352 | sftk_freeDB(keyHandle); |
5353 | } |
5354 | return crv; |
5355 | } |
5356 | |
5357 | /* NSC_FindObjectsInit initializes a search for token and session objects |
5358 | * that match a template. */ |
5359 | CK_RV |
5360 | NSC_FindObjectsInit(CK_SESSION_HANDLE hSession, |
5361 | CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) |
5362 | { |
5363 | SFTKSearchResults *search = NULL((void*)0), *freeSearch = NULL((void*)0); |
5364 | SFTKSession *session = NULL((void*)0); |
5365 | SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); |
5366 | CK_RV crv = CKR_OK0x00000000UL; |
5367 | PRBool isLoggedIn; |
5368 | |
5369 | CHECK_FORK(); |
5370 | |
5371 | if (slot == NULL((void*)0)) { |
5372 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5373 | } |
5374 | session = sftk_SessionFromHandle(hSession); |
5375 | if (session == NULL((void*)0)) { |
5376 | crv = CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5377 | goto loser; |
5378 | } |
5379 | |
5380 | search = (SFTKSearchResults *)PORT_AllocPORT_Alloc_Util(sizeof(SFTKSearchResults)); |
5381 | if (search == NULL((void*)0)) { |
5382 | crv = CKR_HOST_MEMORY0x00000002UL; |
5383 | goto loser; |
5384 | } |
5385 | search->handles = (CK_OBJECT_HANDLE *) |
5386 | PORT_AllocPORT_Alloc_Util(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE5); |
5387 | if (search->handles == NULL((void*)0)) { |
5388 | crv = CKR_HOST_MEMORY0x00000002UL; |
5389 | goto loser; |
5390 | } |
5391 | search->index = 0; |
5392 | search->size = 0; |
5393 | search->array_size = NSC_SEARCH_BLOCK_SIZE5; |
5394 | |
5395 | PZ_Lock(slot->slotLock)PR_Lock((slot->slotLock)); |
5396 | isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn); |
5397 | PZ_Unlock(slot->slotLock)PR_Unlock((slot->slotLock)); |
5398 | |
5399 | crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, isLoggedIn); |
5400 | if (crv != CKR_OK0x00000000UL) { |
5401 | goto loser; |
5402 | } |
5403 | |
5404 | /* build list of found objects in the session */ |
5405 | crv = sftk_searchObjectList(search, slot->sessObjHashTable, |
5406 | slot->sessObjHashSize, slot->objectLock, |
5407 | pTemplate, ulCount, isLoggedIn); |
5408 | if (crv != CKR_OK0x00000000UL) { |
5409 | goto loser; |
5410 | } |
5411 | |
5412 | if ((freeSearch = session->search) != NULL((void*)0)) { |
5413 | session->search = NULL((void*)0); |
5414 | sftk_FreeSearch(freeSearch); |
5415 | } |
5416 | session->search = search; |
5417 | sftk_FreeSession(session); |
5418 | return CKR_OK0x00000000UL; |
5419 | |
5420 | loser: |
5421 | if (search) { |
5422 | sftk_FreeSearch(search); |
5423 | } |
5424 | if (session) { |
5425 | sftk_FreeSession(session); |
5426 | } |
5427 | return crv; |
5428 | } |
5429 | |
5430 | /* NSC_FindObjects continues a search for token and session objects |
5431 | * that match a template, obtaining additional object handles. */ |
5432 | CK_RV |
5433 | NSC_FindObjects(CK_SESSION_HANDLE hSession, |
5434 | CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount, |
5435 | CK_ULONG_PTR pulObjectCount) |
5436 | { |
5437 | SFTKSession *session; |
5438 | SFTKSearchResults *search; |
5439 | int transfer; |
5440 | int left; |
5441 | |
5442 | CHECK_FORK(); |
5443 | |
5444 | *pulObjectCount = 0; |
5445 | session = sftk_SessionFromHandle(hSession); |
5446 | if (session == NULL((void*)0)) |
5447 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5448 | if (session->search == NULL((void*)0)) { |
5449 | sftk_FreeSession(session); |
5450 | return CKR_OK0x00000000UL; |
5451 | } |
5452 | search = session->search; |
5453 | left = session->search->size - session->search->index; |
5454 | transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount; |
5455 | if (transfer > 0) { |
5456 | PORT_Memcpymemcpy(phObject, &search->handles[search->index], |
5457 | transfer * sizeof(CK_OBJECT_HANDLE)); |
5458 | } else { |
5459 | *phObject = CK_INVALID_HANDLE0; |
5460 | } |
5461 | |
5462 | search->index += transfer; |
5463 | if (search->index == search->size) { |
5464 | session->search = NULL((void*)0); |
5465 | sftk_FreeSearch(search); |
5466 | } |
5467 | *pulObjectCount = transfer; |
5468 | sftk_FreeSession(session); |
5469 | return CKR_OK0x00000000UL; |
5470 | } |
5471 | |
5472 | /* NSC_FindObjectsFinal finishes a search for token and session objects. */ |
5473 | CK_RV |
5474 | NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession) |
5475 | { |
5476 | SFTKSession *session; |
5477 | SFTKSearchResults *search; |
5478 | |
5479 | CHECK_FORK(); |
5480 | |
5481 | session = sftk_SessionFromHandle(hSession); |
5482 | if (session == NULL((void*)0)) |
5483 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5484 | search = session->search; |
5485 | session->search = NULL((void*)0); |
5486 | sftk_FreeSession(session); |
5487 | if (search != NULL((void*)0)) { |
5488 | sftk_FreeSearch(search); |
5489 | } |
5490 | return CKR_OK0x00000000UL; |
5491 | } |
5492 | |
5493 | CK_RV |
5494 | NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, |
5495 | CK_VOID_PTR pReserved) |
5496 | { |
5497 | CHECK_FORK(); |
5498 | |
5499 | return CKR_FUNCTION_NOT_SUPPORTED0x00000054UL; |
5500 | } |
5501 | |
5502 | static CK_RV |
5503 | nsc_NSSGetFIPSStatus(CK_SESSION_HANDLE hSession, |
5504 | CK_OBJECT_HANDLE hObject, |
5505 | CK_ULONG ulOperationType, |
5506 | CK_ULONG *pulFIPSStatus) |
5507 | { |
5508 | CK_ULONG sessionState = CKS_NSS_UNINITIALIZED0xffffffffUL; |
5509 | CK_ULONG objectState = CKS_NSS_UNINITIALIZED0xffffffffUL; |
5510 | PRBool needSession = PR_FALSE0; |
5511 | PRBool needObject = PR_FALSE0; |
5512 | SFTKSession *session; |
5513 | SFTKObject *object; |
5514 | |
5515 | *pulFIPSStatus = CKS_NSS_FIPS_NOT_OK0UL; |
5516 | |
5517 | /* first determine what we need to look up */ |
5518 | switch (ulOperationType) { |
5519 | case CKT_NSS_SESSION_CHECK1UL: |
5520 | case CKT_NSS_SESSION_LAST_CHECK4UL: |
5521 | needSession = PR_TRUE1; |
5522 | needObject = PR_FALSE0; |
5523 | break; |
5524 | case CKT_NSS_OBJECT_CHECK2UL: |
5525 | needSession = PR_FALSE0; |
5526 | needObject = PR_TRUE1; |
5527 | break; |
5528 | case CKT_NSS_BOTH_CHECK3UL: |
5529 | needSession = PR_TRUE1; |
5530 | needObject = PR_TRUE1; |
5531 | break; |
5532 | default: |
5533 | return CKR_ARGUMENTS_BAD0x00000007UL; |
5534 | } |
5535 | |
5536 | /* we always need the session handle, the object handle is only |
5537 | * meaningful if there is a session */ |
5538 | session = sftk_SessionFromHandle(hSession); |
5539 | if (!session) { |
5540 | return CKR_SESSION_HANDLE_INVALID0x000000B3UL; |
5541 | } |
5542 | if (needSession) { |
5543 | if (CKT_NSS_SESSION_LAST_CHECK4UL == ulOperationType) { |
5544 | sessionState = session->lastOpWasFIPS ? CKS_NSS_FIPS_OK1UL : CKS_NSS_FIPS_NOT_OK0UL; |
5545 | } else { |
5546 | if (session->enc_context) { |
5547 | sessionState = session->enc_context->isFIPS ? CKS_NSS_FIPS_OK1UL : CKS_NSS_FIPS_NOT_OK0UL; |
5548 | } |
5549 | if (sessionState != CKS_NSS_FIPS_NOT_OK0UL && session->hash_context) { |
5550 | sessionState = session->hash_context->isFIPS ? CKS_NSS_FIPS_OK1UL : CKS_NSS_FIPS_NOT_OK0UL; |
5551 | } |
5552 | /* sessionState is set to CKS_NSS_UNINITIALIZED if neither |
5553 | * context exists */ |
5554 | } |
5555 | } |
5556 | |
5557 | if (needObject) { |
5558 | object = sftk_ObjectFromHandle(hObject, session); |
5559 | if (!object) { |
5560 | sftk_FreeSession(session); |
5561 | return CKR_OBJECT_HANDLE_INVALID0x00000082UL; |
5562 | } |
5563 | objectState = object->isFIPS ? CKS_NSS_FIPS_OK1UL : CKS_NSS_FIPS_NOT_OK0UL; |
5564 | sftk_FreeObject(object); |
5565 | } |
5566 | |
5567 | sftk_FreeSession(session); |
5568 | |
5569 | /* If we didn't fetch the state, then it is uninitialized. |
5570 | * The session state can also be uninitialized if there are no active |
5571 | * crypto operations on the session. Turns out the rules for combining |
5572 | * the states are the same whether or not the state was uninitialzed |
5573 | * because we didn't fetch it or because there wasn't a state to fetch. |
5574 | */ |
5575 | |
5576 | /* if the object State is uninitialized, return the state of the session. */ |
5577 | if (objectState == CKS_NSS_UNINITIALIZED0xffffffffUL) { |
5578 | /* if they are both uninitalized, return CKS_FIPS_NOT_OK */ |
5579 | if (sessionState == CKS_NSS_UNINITIALIZED0xffffffffUL) { |
5580 | /* *pulFIPSStatus already set to CKS_FIPS_NOT_OK */ |
5581 | return CKR_OK0x00000000UL; |
5582 | } |
5583 | *pulFIPSStatus = sessionState; |
5584 | return CKR_OK0x00000000UL; |
5585 | } |
5586 | /* objectState is initialized, if sessionState is uninitialized, we can |
5587 | * just return objectState */ |
5588 | if (sessionState == CKS_NSS_UNINITIALIZED0xffffffffUL) { |
5589 | *pulFIPSStatus = objectState; |
5590 | return CKR_OK0x00000000UL; |
5591 | } |
5592 | |
5593 | /* they are are not equal, one must be CKS_FIPS_NOT_OK, so we return that |
5594 | * value CKS_FIPS_NOT_OK */ |
5595 | if (objectState != sessionState) { |
5596 | /* *pulFIPSStatus already set to CKS_FIPS_NOT_OK */ |
5597 | return CKR_OK0x00000000UL; |
5598 | } |
5599 | |
5600 | /* objectState and sessionState or the same, so we can return either */ |
5601 | *pulFIPSStatus = sessionState; |
5602 | return CKR_OK0x00000000UL; |
5603 | } |