Source code

Revision control

Copy as Markdown

Other Tools

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
* This file contains functions to manage asymetric keys, (public and
* private keys).
*/
#include <stddef.h>
#include "seccomon.h"
#include "secmod.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pkcs11t.h"
#include "pk11func.h"
#include "cert.h"
#include "keyhi.h"
#include "keyi.h"
#include "secitem.h"
#include "secasn1.h"
#include "secoid.h"
#include "secerr.h"
#include "sechash.h"
#include "secpkcs5.h"
#include "blapit.h"
static SECItem *
pk11_MakeIDFromPublicKey(SECKEYPublicKey *pubKey)
{
/* set the ID to the public key so we can find it again */
SECItem *pubKeyIndex = NULL;
switch (pubKey->keyType) {
case rsaKey:
pubKeyIndex = &pubKey->u.rsa.modulus;
break;
case dsaKey:
pubKeyIndex = &pubKey->u.dsa.publicValue;
break;
case dhKey:
pubKeyIndex = &pubKey->u.dh.publicValue;
break;
case edKey:
case ecKey:
pubKeyIndex = &pubKey->u.ec.publicValue;
break;
case kyberKey:
pubKeyIndex = &pubKey->u.kyber.publicValue;
break;
default:
return NULL;
}
PORT_Assert(pubKeyIndex != NULL);
return PK11_MakeIDFromPubKey(pubKeyIndex);
}
/*
* import a public key into the desired slot
*
* This function takes a public key structure and creates a public key in a
* given slot. If isToken is set, then a persistant public key is created.
*
* Note: it is possible for this function to return a handle for a key which
* is persistant, even if isToken is not set.
*/
CK_OBJECT_HANDLE
PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
PRBool isToken)
{
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
CK_OBJECT_HANDLE objectID;
CK_ATTRIBUTE theTemplate[11];
CK_ATTRIBUTE *signedattr = NULL;
CK_ATTRIBUTE *attrs = theTemplate;
CK_NSS_KEM_PARAMETER_SET_TYPE kemParams;
SECItem *ckaId = NULL;
SECItem *pubValue = NULL;
int signedcount = 0;
unsigned int templateCount = 0;
SECStatus rv;
/* if we already have an object in the desired slot, use it */
if (!isToken && pubKey->pkcs11Slot == slot) {
return pubKey->pkcs11ID;
}
/* free the existing key */
if (pubKey->pkcs11Slot != NULL) {
PK11SlotInfo *oSlot = pubKey->pkcs11Slot;
if (!PK11_IsPermObject(pubKey->pkcs11Slot, pubKey->pkcs11ID)) {
PK11_EnterSlotMonitor(oSlot);
(void)PK11_GETTAB(oSlot)->C_DestroyObject(oSlot->session,
pubKey->pkcs11ID);
PK11_ExitSlotMonitor(oSlot);
}
PK11_FreeSlot(oSlot);
pubKey->pkcs11Slot = NULL;
}
PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass));
attrs++;
PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType));
attrs++;
PK11_SETATTRS(attrs, CKA_TOKEN, isToken ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
if (isToken) {
ckaId = pk11_MakeIDFromPublicKey(pubKey);
if (ckaId == NULL) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return CK_INVALID_HANDLE;
}
PK11_SETATTRS(attrs, CKA_ID, ckaId->data, ckaId->len);
attrs++;
}
/* now import the key */
{
switch (pubKey->keyType) {
case rsaKey:
keyType = CKK_RSA;
PK11_SETATTRS(attrs, CKA_WRAP, &cktrue, sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_ENCRYPT, &cktrue,
sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_MODULUS, pubKey->u.rsa.modulus.data,
pubKey->u.rsa.modulus.len);
attrs++;
PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT,
pubKey->u.rsa.publicExponent.data,
pubKey->u.rsa.publicExponent.len);
attrs++;
break;
case dsaKey:
keyType = CKK_DSA;
PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dsa.params.prime.data,
pubKey->u.dsa.params.prime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_SUBPRIME, pubKey->u.dsa.params.subPrime.data,
pubKey->u.dsa.params.subPrime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dsa.params.base.data,
pubKey->u.dsa.params.base.len);
attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dsa.publicValue.data,
pubKey->u.dsa.publicValue.len);
attrs++;
break;
case fortezzaKey:
keyType = CKK_DSA;
PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.fortezza.params.prime.data,
pubKey->u.fortezza.params.prime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_SUBPRIME,
pubKey->u.fortezza.params.subPrime.data,
pubKey->u.fortezza.params.subPrime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.fortezza.params.base.data,
pubKey->u.fortezza.params.base.len);
attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data,
pubKey->u.fortezza.DSSKey.len);
attrs++;
break;
case dhKey:
keyType = CKK_DH;
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
attrs++;
signedattr = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, pubKey->u.dh.prime.data,
pubKey->u.dh.prime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.dh.base.data,
pubKey->u.dh.base.len);
attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dh.publicValue.data,
pubKey->u.dh.publicValue.len);
attrs++;
break;
case edKey:
keyType = CKK_EC_EDWARDS;
PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_EC_PARAMS,
pubKey->u.ec.DEREncodedParams.data,
pubKey->u.ec.DEREncodedParams.len);
attrs++;
PK11_SETATTRS(attrs, CKA_EC_POINT,
pubKey->u.ec.publicValue.data,
pubKey->u.ec.publicValue.len);
attrs++;
break;
case ecKey:
keyType = CKK_EC;
PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_EC_PARAMS,
pubKey->u.ec.DEREncodedParams.data,
pubKey->u.ec.DEREncodedParams.len);
attrs++;
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) {
PK11_SETATTRS(attrs, CKA_EC_POINT,
pubKey->u.ec.publicValue.data,
pubKey->u.ec.publicValue.len);
attrs++;
} else {
pubValue = SEC_ASN1EncodeItem(NULL, NULL,
&pubKey->u.ec.publicValue,
SEC_ASN1_GET(SEC_OctetStringTemplate));
if (pubValue == NULL) {
if (ckaId) {
SECITEM_FreeItem(ckaId, PR_TRUE);
}
return CK_INVALID_HANDLE;
}
PK11_SETATTRS(attrs, CKA_EC_POINT,
pubValue->data, pubValue->len);
attrs++;
}
break;
case kyberKey:
keyType = CKK_NSS_KYBER;
switch (pubKey->u.kyber.params) {
case params_kyber768_round3:
case params_kyber768_round3_test_mode:
kemParams = CKP_NSS_KYBER_768_ROUND3;
break;
default:
kemParams = CKP_INVALID_ID;
break;
}
PK11_SETATTRS(attrs, CKA_NSS_PARAMETER_SET,
&kemParams,
sizeof(CK_NSS_KEM_PARAMETER_SET_TYPE));
attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.kyber.publicValue.data,
pubKey->u.kyber.publicValue.len);
attrs++;
break;
default:
if (ckaId) {
SECITEM_FreeItem(ckaId, PR_TRUE);
}
PORT_SetError(SEC_ERROR_BAD_KEY);
return CK_INVALID_HANDLE;
}
templateCount = attrs - theTemplate;
PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)));
if (pubKey->keyType != ecKey && pubKey->keyType != kyberKey && pubKey->keyType != edKey) {
PORT_Assert(signedattr);
signedcount = attrs - signedattr;
for (attrs = signedattr; signedcount; attrs++, signedcount--) {
pk11_SignedToUnsigned(attrs);
}
}
rv = PK11_CreateNewObject(slot, CK_INVALID_HANDLE, theTemplate,
templateCount, isToken, &objectID);
if (ckaId) {
SECITEM_FreeItem(ckaId, PR_TRUE);
}
if (pubValue) {
SECITEM_FreeItem(pubValue, PR_TRUE);
}
if (rv != SECSuccess) {
return CK_INVALID_HANDLE;
}
}
pubKey->pkcs11ID = objectID;
pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
return objectID;
}
/*
* take an attribute and copy it into a secitem
*/
static CK_RV
pk11_Attr2SecItem(PLArenaPool *arena, const CK_ATTRIBUTE *attr, SECItem *item)
{
item->data = NULL;
(void)SECITEM_AllocItem(arena, item, attr->ulValueLen);
if (item->data == NULL) {
return CKR_HOST_MEMORY;
}
PORT_Memcpy(item->data, attr->pValue, item->len);
return CKR_OK;
}
/*
* get a curve length from a set of ecParams.
*
* We need this so we can reliably determine if the ecPoint passed to us
* was encoded or not. With out this, for many curves, we would incorrectly
* identify an unencoded curve as an encoded curve 1 in 65536 times, and for
* a few we would make that same mistake 1 in 32768 times. These are bad
* numbers since they are rare enough to pass tests, but common enough to
* be tripped over in the field.
*
* This function will only work for curves we recognized as of March 2009.
* The assumption is curves in use after March of 2009 would be supplied by
* PKCS #11 modules that already pass the correct encoding to us.
*
* Point length = (Roundup(curveLenInBits/8)*2+1)
*/
static int
pk11_get_EC_PointLenInBytes(PLArenaPool *arena, const SECItem *ecParams,
PRBool *plain)
{
SECItem oid;
SECOidTag tag;
SECStatus rv;
/* decode the OID tag */
rv = SEC_QuickDERDecodeItem(arena, &oid,
SEC_ASN1_GET(SEC_ObjectIDTemplate), ecParams);
if (rv != SECSuccess) {
/* could be explict curves, allow them to work if the
* PKCS #11 module support them. If we try to parse the
* explicit curve value in the future, we may return -1 here
* to indicate an invalid parameter if the explicit curve
* decode fails. */
return 0;
}
*plain = PR_FALSE;
tag = SECOID_FindOIDTag(&oid);
switch (tag) {
case SEC_OID_SECG_EC_SECP112R1:
case SEC_OID_SECG_EC_SECP112R2:
return 29; /* curve len in bytes = 14 bytes */
case SEC_OID_SECG_EC_SECT113R1:
case SEC_OID_SECG_EC_SECT113R2:
return 31; /* curve len in bytes = 15 bytes */
case SEC_OID_SECG_EC_SECP128R1:
case SEC_OID_SECG_EC_SECP128R2:
return 33; /* curve len in bytes = 16 bytes */
case SEC_OID_SECG_EC_SECT131R1:
case SEC_OID_SECG_EC_SECT131R2:
return 35; /* curve len in bytes = 17 bytes */
case SEC_OID_SECG_EC_SECP160K1:
case SEC_OID_SECG_EC_SECP160R1:
case SEC_OID_SECG_EC_SECP160R2:
return 41; /* curve len in bytes = 20 bytes */
case SEC_OID_SECG_EC_SECT163K1:
case SEC_OID_SECG_EC_SECT163R1:
case SEC_OID_SECG_EC_SECT163R2:
case SEC_OID_ANSIX962_EC_C2PNB163V1:
case SEC_OID_ANSIX962_EC_C2PNB163V2:
case SEC_OID_ANSIX962_EC_C2PNB163V3:
return 43; /* curve len in bytes = 21 bytes */
case SEC_OID_ANSIX962_EC_C2PNB176V1:
return 45; /* curve len in bytes = 22 bytes */
case SEC_OID_ANSIX962_EC_C2TNB191V1:
case SEC_OID_ANSIX962_EC_C2TNB191V2:
case SEC_OID_ANSIX962_EC_C2TNB191V3:
case SEC_OID_SECG_EC_SECP192K1:
case SEC_OID_ANSIX962_EC_PRIME192V1:
case SEC_OID_ANSIX962_EC_PRIME192V2:
case SEC_OID_ANSIX962_EC_PRIME192V3:
return 49; /*curve len in bytes = 24 bytes */
case SEC_OID_SECG_EC_SECT193R1:
case SEC_OID_SECG_EC_SECT193R2:
return 51; /*curve len in bytes = 25 bytes */
case SEC_OID_ANSIX962_EC_C2PNB208W1:
return 53; /*curve len in bytes = 26 bytes */
case SEC_OID_SECG_EC_SECP224K1:
case SEC_OID_SECG_EC_SECP224R1:
return 57; /*curve len in bytes = 28 bytes */
case SEC_OID_SECG_EC_SECT233K1:
case SEC_OID_SECG_EC_SECT233R1:
case SEC_OID_SECG_EC_SECT239K1:
case SEC_OID_ANSIX962_EC_PRIME239V1:
case SEC_OID_ANSIX962_EC_PRIME239V2:
case SEC_OID_ANSIX962_EC_PRIME239V3:
case SEC_OID_ANSIX962_EC_C2TNB239V1:
case SEC_OID_ANSIX962_EC_C2TNB239V2:
case SEC_OID_ANSIX962_EC_C2TNB239V3:
return 61; /*curve len in bytes = 30 bytes */
case SEC_OID_ANSIX962_EC_PRIME256V1:
case SEC_OID_SECG_EC_SECP256K1:
return 65; /*curve len in bytes = 32 bytes */
case SEC_OID_ANSIX962_EC_C2PNB272W1:
return 69; /*curve len in bytes = 34 bytes */
case SEC_OID_SECG_EC_SECT283K1:
case SEC_OID_SECG_EC_SECT283R1:
return 73; /*curve len in bytes = 36 bytes */
case SEC_OID_ANSIX962_EC_C2PNB304W1:
return 77; /*curve len in bytes = 38 bytes */
case SEC_OID_ANSIX962_EC_C2TNB359V1:
return 91; /*curve len in bytes = 45 bytes */
case SEC_OID_ANSIX962_EC_C2PNB368W1:
return 93; /*curve len in bytes = 46 bytes */
case SEC_OID_SECG_EC_SECP384R1:
return 97; /*curve len in bytes = 48 bytes */
case SEC_OID_SECG_EC_SECT409K1:
case SEC_OID_SECG_EC_SECT409R1:
return 105; /*curve len in bytes = 52 bytes */
case SEC_OID_ANSIX962_EC_C2TNB431R1:
return 109; /*curve len in bytes = 54 bytes */
case SEC_OID_SECG_EC_SECP521R1:
return 133; /*curve len in bytes = 66 bytes */
case SEC_OID_SECG_EC_SECT571K1:
case SEC_OID_SECG_EC_SECT571R1:
return 145; /*curve len in bytes = 72 bytes */
case SEC_OID_CURVE25519:
case SEC_OID_ED25519_PUBLIC_KEY:
*plain = PR_TRUE;
return 32; /* curve len in bytes = 32 bytes (only X) */
/* unknown or unrecognized OIDs. return unknown length */
default:
break;
}
return 0;
}
/*
* returns the decoded point. In some cases the point may already be decoded.
* this function tries to detect those cases and return the point in
* publicKeyValue. In other cases it's DER encoded. In those cases the point
* is first decoded and returned. Space for the point is allocated out of
* the passed in arena.
*/
static CK_RV
pk11_get_Decoded_ECPoint(PLArenaPool *arena, const SECItem *ecParams,
const CK_ATTRIBUTE *ecPoint, SECItem *publicKeyValue)
{
SECItem encodedPublicValue;
SECStatus rv;
int keyLen;
PRBool plain = PR_FALSE;
if (ecPoint->ulValueLen == 0) {
return CKR_ATTRIBUTE_VALUE_INVALID;
}
/*
* The PKCS #11 spec requires ecPoints to be encoded as a DER OCTET String.
* NSS has mistakenly passed unencoded values, and some PKCS #11 vendors
* followed that mistake. Now we need to detect which encoding we were
* passed in. The task is made more complicated by the fact the the
* DER encoding byte (SEC_ASN_OCTET_STRING) is the same as the
* EC_POINT_FORM_UNCOMPRESSED byte (0x04), so we can't use that to
* determine which curve we are using.
*/
/* get the expected key length for the passed in curve.
* pk11_get_EC_PointLenInBytes only returns valid values for curves
* NSS has traditionally recognized. If the curve is not recognized,
* it will return '0', and we have to figure out if the key was
* encoded or not heuristically. If the ecParams are invalid, it
* will return -1 for the keyLen.
*/
keyLen = pk11_get_EC_PointLenInBytes(arena, ecParams, &plain);
if (keyLen < 0) {
return CKR_ATTRIBUTE_VALUE_INVALID;
}
/*
* Some curves are not encoded but we don't have the name here.
* Instead, pk11_get_EC_PointLenInBytes returns true plain if this is the
* case.
*/
if (plain && ecPoint->ulValueLen == (unsigned int)keyLen) {
return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue);
}
/* If the point is uncompressed and the lengths match, it
* must be an unencoded point */
if ((*((char *)ecPoint->pValue) == EC_POINT_FORM_UNCOMPRESSED) &&
(ecPoint->ulValueLen == (unsigned int)keyLen)) {
return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue);
}
/* now assume the key passed to us was encoded and decode it */
if (*((char *)ecPoint->pValue) == SEC_ASN1_OCTET_STRING) {
/* OK, now let's try to decode it and see if it's valid */
encodedPublicValue.data = ecPoint->pValue;
encodedPublicValue.len = ecPoint->ulValueLen;
rv = SEC_QuickDERDecodeItem(arena, publicKeyValue,
SEC_ASN1_GET(SEC_OctetStringTemplate), &encodedPublicValue);
/* it coded correctly & we know the key length (and they match)
* then we are done, return the results. */
if (keyLen && rv == SECSuccess && publicKeyValue->len == (unsigned int)keyLen) {
return CKR_OK;
}
/* if we know the key length, one of the above tests should have
* succeded. If it doesn't the module gave us bad data */
if (keyLen) {
return CKR_ATTRIBUTE_VALUE_INVALID;
}
/* We don't know the key length, so we don't know deterministically
* which encoding was used. We now will try to pick the most likely
* form that's correct, with a preference for the encoded form if we
* can't determine for sure. We do this by checking the key we got
* back from SEC_QuickDERDecodeItem for defects. If no defects are
* found, we assume the encoded parameter was was passed to us.
* our defect tests include:
* 1) it didn't decode.
* 2) The decode key had an invalid length (must be odd).
* 3) The decoded key wasn't an UNCOMPRESSED key.
* 4) The decoded key didn't include the entire encoded block
* except the DER encoding values. (fixing DER length to one
* particular value).
*/
if ((rv != SECSuccess) || ((publicKeyValue->len & 1) != 1) ||
(publicKeyValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) ||
(PORT_Memcmp(&encodedPublicValue.data[encodedPublicValue.len - publicKeyValue->len],
publicKeyValue->data,
publicKeyValue->len) != 0)) {
/* The decoded public key was flawed, the original key must have
* already been in decoded form. Do a quick sanity check then
* return the original key value.
*/
if ((encodedPublicValue.len & 1) == 0) {
return CKR_ATTRIBUTE_VALUE_INVALID;
}
return pk11_Attr2SecItem(arena, ecPoint, publicKeyValue);
}
/* as best we can figure, the passed in key was encoded, and we've
* now decoded it. Note: there is a chance this could be wrong if the
* following conditions hold:
* 1) The first byte or bytes of the X point looks like a valid length
* of precisely the right size (2*curveSize -1). this means for curves
* less than 512 bits (64 bytes), this will happen 1 in 256 times*.
* for curves between 512 and 1024, this will happen 1 in 65,536 times*
* for curves between 1024 and 256K this will happen 1 in 16 million*
* 2) The length of the 'DER length field' is odd
* (making both the encoded and decode
* values an odd length. this is true of all curves less than 512,
* as well as curves between 1024 and 256K).
* 3) The X[length of the 'DER length field'] == 0x04, 1 in 256.
*
* (* assuming all values are equally likely in the first byte,
* This isn't true if the curve length is not a multiple of 8. In these
* cases, if the DER length is possible, it's more likely,
* if it's not possible, then we have no false decodes).
*
* For reference here are the odds for the various curves we currently
* have support for (and the only curves SSL will negotiate at this
* time). NOTE: None of the supported curves will show up here
* because we return a valid length for all of these curves.
* The only way to get here is to have some application (not SSL)
* which supports some unknown curve and have some vendor supplied
* PKCS #11 module support that curve. NOTE: in this case, one
* presumes that that pkcs #11 module is likely to be using the
* correct encodings.
*
* Prime Curves (GFp):
* Bit False Odds of
* Size DER Len False Decode Positive
* 112 27 1 in 65536
* 128 31 1 in 65536
* 160 39 1 in 65536
* 192 47 1 in 65536
* 224 55 1 in 65536
* 239 59 1 in 32768 (top byte can only be 0-127)
* 256 63 1 in 65536
* 521 129,131 0 (decoded value would be even)
*
* Binary curves (GF2m).
* Bit False Odds of
* Size DER Len False Decode Positive
* 131 33 0 (top byte can only be 0-7)
* 163 41 0 (top byte can only be 0-7)
* 176 43 1 in 65536
* 191 47 1 in 32768 (top byte can only be 0-127)
* 193 49 0 (top byte can only be 0-1)
* 208 51 1 in 65536
* 233 59 0 (top byte can only be 0-1)
* 239 59 1 in 32768 (top byte can only be 0-127)
* 272 67 1 in 65536
* 283 71 0 (top byte can only be 0-7)
* 304 75 1 in 65536
* 359 89 1 in 32768 (top byte can only be 0-127)
* 368 91 1 in 65536
* 409 103 0 (top byte can only be 0-1)
* 431 107 1 in 32768 (top byte can only be 0-127)
* 571 129,143 0 (decoded value would be even)
*
*/
return CKR_OK;
}
/* In theory, we should handle the case where the curve == 0 and
* the first byte is EC_POINT_FORM_UNCOMPRESSED, (which would be
* handled by doing a santity check on the key length and returning
* pk11_Attr2SecItem() to copy the ecPoint to the publicKeyValue).
*
* This test is unnecessary, however, due to the fact that
* EC_POINT_FORM_UNCOMPRESSED == SEC_ASIN1_OCTET_STRING, that case is
* handled in the above if. That means if we get here, the initial
* byte of our ecPoint value was invalid, so we can safely return.
* invalid attribute.
*/
return CKR_ATTRIBUTE_VALUE_INVALID;
}
/*
* extract a public key from a slot and id
*/
SECKEYPublicKey *
PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, CK_OBJECT_HANDLE id)
{
CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
PLArenaPool *arena;
PLArenaPool *tmp_arena;
SECKEYPublicKey *pubKey;
unsigned int templateCount = 0;
CK_KEY_TYPE pk11KeyType;
CK_RV crv;
CK_ATTRIBUTE template[8];
CK_ATTRIBUTE *attrs = template;
CK_ATTRIBUTE *modulus, *exponent, *base, *prime, *subprime, *value;
CK_ATTRIBUTE *ecparams, *kemParams;
/* if we didn't know the key type, get it */
if (keyType == nullKey) {
pk11KeyType = PK11_ReadULongAttribute(slot, id, CKA_KEY_TYPE);
if (pk11KeyType == CK_UNAVAILABLE_INFORMATION) {
return NULL;
}
switch (pk11KeyType) {
case CKK_RSA:
keyType = rsaKey;
break;
case CKK_DSA:
keyType = dsaKey;
break;
case CKK_DH:
keyType = dhKey;
break;
case CKK_EC:
keyType = ecKey;
break;
case CKK_EC_EDWARDS:
keyType = edKey;
break;
case CKK_NSS_KYBER:
keyType = kyberKey;
break;
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
return NULL;
}
}
/* now we need to create space for the public key */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
return NULL;
tmp_arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (tmp_arena == NULL) {
PORT_FreeArena(arena, PR_FALSE);
return NULL;
}
pubKey = (SECKEYPublicKey *)
PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey));
if (pubKey == NULL) {
PORT_FreeArena(arena, PR_FALSE);
PORT_FreeArena(tmp_arena, PR_FALSE);
return NULL;
}
pubKey->arena = arena;
pubKey->keyType = keyType;
pubKey->pkcs11Slot = PK11_ReferenceSlot(slot);
pubKey->pkcs11ID = id;
PK11_SETATTRS(attrs, CKA_CLASS, &keyClass,
sizeof(keyClass));
attrs++;
PK11_SETATTRS(attrs, CKA_KEY_TYPE, &pk11KeyType,
sizeof(pk11KeyType));
attrs++;
switch (pubKey->keyType) {
case rsaKey:
modulus = attrs;
PK11_SETATTRS(attrs, CKA_MODULUS, NULL, 0);
attrs++;
exponent = attrs;
PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT, NULL, 0);
attrs++;
templateCount = attrs - template;
PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE));
crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount);
if (crv != CKR_OK)
break;
if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_RSA)) {
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
crv = pk11_Attr2SecItem(arena, modulus, &pubKey->u.rsa.modulus);
if (crv != CKR_OK)
break;
crv = pk11_Attr2SecItem(arena, exponent, &pubKey->u.rsa.publicExponent);
if (crv != CKR_OK)
break;
break;
case dsaKey:
prime = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0);
attrs++;
subprime = attrs;
PK11_SETATTRS(attrs, CKA_SUBPRIME, NULL, 0);
attrs++;
base = attrs;
PK11_SETATTRS(attrs, CKA_BASE, NULL, 0);
attrs++;
value = attrs;
PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0);
attrs++;
templateCount = attrs - template;
PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE));
crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount);
if (crv != CKR_OK)
break;
if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DSA)) {
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
crv = pk11_Attr2SecItem(arena, prime, &pubKey->u.dsa.params.prime);
if (crv != CKR_OK)
break;
crv = pk11_Attr2SecItem(arena, subprime, &pubKey->u.dsa.params.subPrime);
if (crv != CKR_OK)
break;
crv = pk11_Attr2SecItem(arena, base, &pubKey->u.dsa.params.base);
if (crv != CKR_OK)
break;
crv = pk11_Attr2SecItem(arena, value, &pubKey->u.dsa.publicValue);
if (crv != CKR_OK)
break;
break;
case dhKey:
prime = attrs;
PK11_SETATTRS(attrs, CKA_PRIME, NULL, 0);
attrs++;
base = attrs;
PK11_SETATTRS(attrs, CKA_BASE, NULL, 0);
attrs++;
value = attrs;
PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0);
attrs++;
templateCount = attrs - template;
PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE));
crv = PK11_GetAttributes(tmp_arena, slot, id, template, templateCount);
if (crv != CKR_OK)
break;
if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_DH)) {
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
crv = pk11_Attr2SecItem(arena, prime, &pubKey->u.dh.prime);
if (crv != CKR_OK)
break;
crv = pk11_Attr2SecItem(arena, base, &pubKey->u.dh.base);
if (crv != CKR_OK)
break;
crv = pk11_Attr2SecItem(arena, value, &pubKey->u.dh.publicValue);
if (crv != CKR_OK)
break;
break;
case edKey:
case ecKey:
pubKey->u.ec.size = 0;
ecparams = attrs;
PK11_SETATTRS(attrs, CKA_EC_PARAMS, NULL, 0);
attrs++;
value = attrs;
PK11_SETATTRS(attrs, CKA_EC_POINT, NULL, 0);
attrs++;
templateCount = attrs - template;
PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE));
crv = PK11_GetAttributes(arena, slot, id, template, templateCount);
if (crv != CKR_OK)
break;
if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC && pk11KeyType != CKK_EC_EDWARDS)) {
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
crv = pk11_Attr2SecItem(arena, ecparams,
&pubKey->u.ec.DEREncodedParams);
if (crv != CKR_OK)
break;
pubKey->u.ec.encoding = ECPoint_Undefined;
crv = pk11_get_Decoded_ECPoint(arena,
&pubKey->u.ec.DEREncodedParams, value,
&pubKey->u.ec.publicValue);
break;
case kyberKey:
value = attrs;
PK11_SETATTRS(attrs, CKA_VALUE, NULL, 0);
attrs++;
kemParams = attrs;
PK11_SETATTRS(attrs, CKA_NSS_PARAMETER_SET, NULL, 0);
attrs++;
templateCount = attrs - template;
PR_ASSERT(templateCount <= sizeof(template) / sizeof(CK_ATTRIBUTE));
crv = PK11_GetAttributes(arena, slot, id, template, templateCount);
if (crv != CKR_OK)
break;
if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_NSS_KYBER)) {
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
if (kemParams->ulValueLen != sizeof(CK_NSS_KEM_PARAMETER_SET_TYPE)) {
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
CK_NSS_KEM_PARAMETER_SET_TYPE *pPK11Params = kemParams->pValue;
switch (*pPK11Params) {
case CKP_NSS_KYBER_768_ROUND3:
pubKey->u.kyber.params = params_kyber768_round3;
break;
default:
pubKey->u.kyber.params = params_kyber_invalid;
break;
}
crv = pk11_Attr2SecItem(arena, value, &pubKey->u.kyber.publicValue);
break;
case fortezzaKey:
case nullKey:
default:
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
PORT_FreeArena(tmp_arena, PR_FALSE);
if (crv != CKR_OK) {
PORT_FreeArena(arena, PR_FALSE);
PK11_FreeSlot(slot);
PORT_SetError(PK11_MapError(crv));
return NULL;
}
return pubKey;
}
/*
* Build a Private Key structure from raw PKCS #11 information.
*/
SECKEYPrivateKey *
PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx)
{
PLArenaPool *arena;
SECKEYPrivateKey *privKey;
PRBool isPrivate;
SECStatus rv;
/* don't know? look it up */
if (keyType == nullKey) {
CK_KEY_TYPE pk11Type = CKK_RSA;
pk11Type = PK11_ReadULongAttribute(slot, privID, CKA_KEY_TYPE);
isTemp = (PRBool)!PK11_HasAttributeSet(slot, privID, CKA_TOKEN, PR_FALSE);
switch (pk11Type) {
case CKK_RSA:
keyType = rsaKey;
break;
case CKK_DSA:
keyType = dsaKey;
break;
case CKK_DH:
keyType = dhKey;
break;
case CKK_KEA:
keyType = fortezzaKey;
break;
case CKK_EC:
keyType = ecKey;
break;
case CKK_EC_EDWARDS:
keyType = edKey;
break;
case CKK_NSS_KYBER:
keyType = kyberKey;
break;
default:
break;
}
}
/* if the key is private, make sure we are authenticated to the
* token before we try to use it */
isPrivate = (PRBool)PK11_HasAttributeSet(slot, privID, CKA_PRIVATE, PR_FALSE);
if (isPrivate) {
rv = PK11_Authenticate(slot, PR_TRUE, wincx);
if (rv != SECSuccess) {
return NULL;
}
}
/* now we need to create space for the private key */
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
return NULL;
privKey = (SECKEYPrivateKey *)
PORT_ArenaZAlloc(arena, sizeof(SECKEYPrivateKey));
if (privKey == NULL) {
PORT_FreeArena(arena, PR_FALSE);
return NULL;
}
privKey->arena = arena;
privKey->keyType = keyType;
privKey->pkcs11Slot = PK11_ReferenceSlot(slot);
privKey->pkcs11ID = privID;
privKey->pkcs11IsTemp = isTemp;
privKey->wincx = wincx;
return privKey;
}
PK11SlotInfo *
PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key)
{
PK11SlotInfo *slot = key->pkcs11Slot;
slot = PK11_ReferenceSlot(slot);
return slot;
}
/*
* Get the modulus length for raw parsing
*/
int
PK11_GetPrivateModulusLen(SECKEYPrivateKey *key)
{
CK_ATTRIBUTE theTemplate = { CKA_MODULUS, NULL, 0 };
PK11SlotInfo *slot = key->pkcs11Slot;
CK_RV crv;
int length;
switch (key->keyType) {
case rsaKey:
crv = PK11_GetAttributes(NULL, slot, key->pkcs11ID, &theTemplate, 1);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
return -1;
}
if (theTemplate.pValue == NULL) {
PORT_SetError(PK11_MapError(CKR_ATTRIBUTE_VALUE_INVALID));
return -1;
}
length = theTemplate.ulValueLen;
if (*(unsigned char *)theTemplate.pValue == 0) {
length--;
}
PORT_Free(theTemplate.pValue);
return (int)length;
case fortezzaKey:
case dsaKey:
case dhKey:
default:
break;
}
if (theTemplate.pValue != NULL)
PORT_Free(theTemplate.pValue);
PORT_SetError(SEC_ERROR_INVALID_KEY);
return -1;
}
/*
* take a private key in one pkcs11 module and load it into another:
* NOTE: the source private key is a rare animal... it can't be sensitive.
* This is used to do a key gen using one pkcs11 module and storing the
* result into another.
*/
static SECKEYPrivateKey *
pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot, SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PK11AttrFlags attrFlags)
{
CK_ATTRIBUTE privTemplate[] = {
/* class must be first */
{ CKA_CLASS, NULL, 0 },
{ CKA_KEY_TYPE, NULL, 0 },
{ CKA_ID, NULL, 0 },
/* RSA - the attributes below will be replaced for other
* key types.
*/
{ CKA_MODULUS, NULL, 0 },
{ CKA_PRIVATE_EXPONENT, NULL, 0 },
{ CKA_PUBLIC_EXPONENT, NULL, 0 },
{ CKA_PRIME_1, NULL, 0 },
{ CKA_PRIME_2, NULL, 0 },
{ CKA_EXPONENT_1, NULL, 0 },
{ CKA_EXPONENT_2, NULL, 0 },
{ CKA_COEFFICIENT, NULL, 0 },
{ CKA_DECRYPT, NULL, 0 },
{ CKA_DERIVE, NULL, 0 },
{ CKA_SIGN, NULL, 0 },
{ CKA_SIGN_RECOVER, NULL, 0 },
{ CKA_UNWRAP, NULL, 0 },
/* reserve space for the attributes that may be
* specified in attrFlags */
{ CKA_TOKEN, NULL, 0 },
{ CKA_PRIVATE, NULL, 0 },
{ CKA_MODIFIABLE, NULL, 0 },
{ CKA_SENSITIVE, NULL, 0 },
{ CKA_EXTRACTABLE, NULL, 0 },
#define NUM_RESERVED_ATTRS 5 /* number of reserved attributes above */
};
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
CK_ATTRIBUTE *attrs = NULL, *ap;
const int templateSize = sizeof(privTemplate) / sizeof(privTemplate[0]);
PLArenaPool *arena;
CK_OBJECT_HANDLE objectID;
int i, count = 0;
int extra_count = 0;
CK_RV crv;
SECStatus rv;
PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0);
if (pk11_BadAttrFlags(attrFlags)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
for (i = 0; i < templateSize; i++) {
if (privTemplate[i].type == CKA_MODULUS) {
attrs = &privTemplate[i];
count = i;
break;
}
}
PORT_Assert(attrs != NULL);
if (attrs == NULL) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL;
}
ap = attrs;
switch (privKey->keyType) {
case rsaKey:
count = templateSize - NUM_RESERVED_ATTRS;
extra_count = count - (attrs - privTemplate);
break;
case dsaKey:
ap->type = CKA_PRIME;
ap++;
count++;
extra_count++;
ap->type = CKA_SUBPRIME;
ap++;
count++;
extra_count++;
ap->type = CKA_BASE;
ap++;
count++;
extra_count++;
ap->type = CKA_VALUE;
ap++;
count++;
extra_count++;
ap->type = CKA_SIGN;
ap++;
count++;
extra_count++;
break;
case dhKey:
ap->type = CKA_PRIME;
ap++;
count++;
extra_count++;
ap->type = CKA_BASE;
ap++;
count++;
extra_count++;
ap->type = CKA_VALUE;
ap++;
count++;
extra_count++;
ap->type = CKA_DERIVE;
ap++;
count++;
extra_count++;
break;
case ecKey:
case edKey:
ap->type = CKA_EC_PARAMS;
ap++;
count++;
extra_count++;
ap->type = CKA_VALUE;
ap++;
count++;
extra_count++;
if (privKey->keyType == ecKey) {
ap->type = CKA_DERIVE;
ap++;
count++;
extra_count++;
}
ap->type = CKA_SIGN;
ap++;
count++;
extra_count++;
break;
default:
count = 0;
extra_count = 0;
break;
}
if (count == 0) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
return NULL;
/*
* read out the old attributes.
*/
crv = PK11_GetAttributes(arena, privKey->pkcs11Slot, privKey->pkcs11ID,
privTemplate, count);
if (crv != CKR_OK) {
PORT_SetError(PK11_MapError(crv));
PORT_FreeArena(arena, PR_TRUE);
return NULL;
}
/* Set token, private, modifiable, sensitive, and extractable */
count += pk11_AttrFlagsToAttributes(attrFlags, &privTemplate[count],
&cktrue, &ckfalse);
/* Not everyone can handle zero padded key values, give
* them the raw data as unsigned. The exception is EC,
* where the values are encoded or zero-preserving
* per-RFC5915 */
if (privKey->keyType != ecKey && privKey->keyType != edKey) {
for (ap = attrs; extra_count; ap++, extra_count--) {
pk11_SignedToUnsigned(ap);
}
}
/* now Store the puppies */
rv = PK11_CreateNewObject(slot, CK_INVALID_HANDLE, privTemplate,
count, token, &objectID);
PORT_FreeArena(arena, PR_TRUE);
if (rv != SECSuccess) {
return NULL;
}
/* try loading the public key */
if (pubKey) {
PK11_ImportPublicKey(slot, pubKey, token);
if (pubKey->pkcs11Slot) {
PK11_FreeSlot(pubKey->pkcs11Slot);
pubKey->pkcs11Slot = NULL;
pubKey->pkcs11ID = CK_INVALID_HANDLE;
}
}
/* build new key structure */
return PK11_MakePrivKey(slot, privKey->keyType, !token,
objectID, privKey->wincx);
}
static SECKEYPrivateKey *
pk11_loadPrivKey(PK11SlotInfo *slot, SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive)
{
PK11AttrFlags attrFlags = 0;
if (token) {
attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE);
} else {
attrFlags |= (PK11_ATTR_SESSION | PK11_ATTR_PUBLIC);
}
if (sensitive) {
attrFlags |= PK11_ATTR_SENSITIVE;
} else {
attrFlags |= PK11_ATTR_INSENSITIVE;
}
return pk11_loadPrivKeyWithFlags(slot, privKey, pubKey, attrFlags);
}
/*
* export this for PSM
*/
SECKEYPrivateKey *
PK11_LoadPrivKey(PK11SlotInfo *slot, SECKEYPrivateKey *privKey,
SECKEYPublicKey *pubKey, PRBool token, PRBool sensitive)
{
return pk11_loadPrivKey(slot, privKey, pubKey, token, sensitive);
}
/*
* Use the token to generate a key pair.
*/
SECKEYPrivateKey *
PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags,
CK_FLAGS opFlags, CK_FLAGS opFlagsMask, void *wincx)
{
/* we have to use these native types because when we call PKCS 11 modules
* we have to make sure that we are using the correct sizes for all the
* parameters. */
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE;
CK_ULONG modulusBits;
CK_BYTE publicExponent[4];
CK_ATTRIBUTE privTemplate[] = {
{ CKA_SENSITIVE, NULL, 0 },
{ CKA_TOKEN, NULL, 0 },
{ CKA_PRIVATE, NULL, 0 },
{ CKA_DERIVE, NULL, 0 },
{ CKA_UNWRAP, NULL, 0 },
{ CKA_SIGN, NULL, 0 },
{ CKA_DECRYPT, NULL, 0 },
{ CKA_EXTRACTABLE, NULL, 0 },
{ CKA_MODIFIABLE, NULL, 0 },
};
CK_ATTRIBUTE rsaPubTemplate[] = {
{ CKA_MODULUS_BITS, NULL, 0 },
{ CKA_PUBLIC_EXPONENT, NULL, 0 },
{ CKA_TOKEN, NULL, 0 },
{ CKA_DERIVE, NULL, 0 },
{ CKA_WRAP, NULL, 0 },
{ CKA_VERIFY, NULL, 0 },
{ CKA_VERIFY_RECOVER, NULL, 0 },
{ CKA_ENCRYPT, NULL, 0 },
{ CKA_MODIFIABLE, NULL, 0 },
};
CK_ATTRIBUTE dsaPubTemplate[] = {
{ CKA_PRIME, NULL, 0 },
{ CKA_SUBPRIME, NULL, 0 },
{ CKA_BASE, NULL, 0 },
{ CKA_TOKEN, NULL, 0 },
{ CKA_DERIVE, NULL, 0 },
{ CKA_WRAP, NULL, 0 },
{ CKA_VERIFY, NULL, 0 },
{ CKA_VERIFY_RECOVER, NULL, 0 },
{ CKA_ENCRYPT, NULL, 0 },
{ CKA_MODIFIABLE, NULL, 0 },
};
CK_ATTRIBUTE dhPubTemplate[] = {
{ CKA_PRIME, NULL, 0 },
{ CKA_BASE, NULL, 0 },
{ CKA_TOKEN, NULL, 0 },
{ CKA_DERIVE, NULL, 0 },
{ CKA_WRAP, NULL, 0 },
{ CKA_VERIFY, NULL, 0 },
{ CKA_VERIFY_RECOVER, NULL, 0 },
{ CKA_ENCRYPT, NULL, 0 },
{ CKA_MODIFIABLE, NULL, 0 },
};
CK_ATTRIBUTE ecPubTemplate[] = {
{ CKA_EC_PARAMS, NULL, 0 },
{ CKA_TOKEN, NULL, 0 },
{ CKA_DERIVE, NULL, 0 },
{ CKA_WRAP, NULL, 0 },
{ CKA_VERIFY, NULL, 0 },
{ CKA_VERIFY_RECOVER, NULL, 0 },
{ CKA_ENCRYPT, NULL, 0 },
{ CKA_MODIFIABLE, NULL, 0 },
};
SECKEYECParams *ecParams;
CK_ATTRIBUTE kyberPubTemplate[] = {
{ CKA_NSS_PARAMETER_SET, NULL, 0 },
{ CKA_TOKEN, NULL, 0 },
{ CKA_DERIVE, NULL, 0 },
{ CKA_WRAP, NULL, 0 },
{ CKA_VERIFY, NULL, 0 },
{ CKA_VERIFY_RECOVER, NULL, 0 },
{ CKA_ENCRYPT, NULL, 0 },
{ CKA_MODIFIABLE, NULL, 0 },
};
/*CK_ULONG key_size = 0;*/
CK_ATTRIBUTE *pubTemplate;
int privCount = 0;
int pubCount = 0;
PK11RSAGenParams *rsaParams;
SECKEYPQGParams *dsaParams;
SECKEYDHParams *dhParams;
CK_NSS_KEM_PARAMETER_SET_TYPE *kemParams;
CK_MECHANISM mechanism;
CK_MECHANISM test_mech;
CK_MECHANISM test_mech2;
CK_SESSION_HANDLE session_handle;
CK_RV crv;
CK_OBJECT_HANDLE privID, pubID;
SECKEYPrivateKey *privKey;
KeyType keyType;
PRBool restore;
int peCount, i;
CK_ATTRIBUTE *attrs;
CK_ATTRIBUTE *privattrs;
CK_ATTRIBUTE setTemplate;
CK_MECHANISM_INFO mechanism_info;
CK_OBJECT_CLASS keyClass;
SECItem *cka_id;
PRBool haslock = PR_FALSE;
PRBool pubIsToken = PR_FALSE;
PRBool token = ((attrFlags & PK11_ATTR_TOKEN) != 0);
/* subset of attrFlags applicable to the public key */
PK11AttrFlags pubKeyAttrFlags = attrFlags &
(PK11_ATTR_TOKEN | PK11_ATTR_SESSION | PK11_ATTR_MODIFIABLE | PK11_ATTR_UNMODIFIABLE);
if (pk11_BadAttrFlags(attrFlags)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
if (!param) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
/*
* The opFlags and opFlagMask parameters allow us to control the
* settings of the key usage attributes (CKA_ENCRYPT and friends).
* opFlagMask is set to one if the flag is specified in opFlags and
* zero if it is to take on a default value calculated by
* PK11_GenerateKeyPairWithOpFlags.
* opFlags specifies the actual value of the flag 1 or 0.
* Bits not corresponding to one bits in opFlagMask should be zero.
*/
/* if we are trying to turn on a flag, it better be in the mask */
PORT_Assert((opFlags & ~opFlagsMask) == 0);
opFlags &= opFlagsMask;
PORT_Assert(slot != NULL);
if (slot == NULL) {
PORT_SetError(SEC_ERROR_NO_MODULE);
return NULL;
}
/* if our slot really doesn't do this mechanism, Generate the key
* in our internal token and write it out */
if (!PK11_DoesMechanism(slot, type)) {
PK11SlotInfo *int_slot = PK11_GetInternalSlot();
/* don't loop forever looking for a slot */
if (slot == int_slot) {
PK11_FreeSlot(int_slot);
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return NULL;
}
/* if there isn't a suitable slot, then we can't do the keygen */
if (int_slot == NULL) {
PORT_SetError(SEC_ERROR_NO_MODULE);
return NULL;
}
/* generate the temporary key to load */
privKey = PK11_GenerateKeyPair(int_slot, type, param, pubKey, PR_FALSE,
PR_FALSE, wincx);
PK11_FreeSlot(int_slot);
/* if successful, load the temp key into the new token */
if (privKey != NULL) {
SECKEYPrivateKey *newPrivKey = pk11_loadPrivKeyWithFlags(slot,
privKey, *pubKey, attrFlags);
SECKEY_DestroyPrivateKey(privKey);
if (newPrivKey == NULL) {
SECKEY_DestroyPublicKey(*pubKey);
*pubKey = NULL;
}
return newPrivKey;
}
return NULL;
}
mechanism.mechanism = type;
mechanism.pParameter = NULL;
mechanism.ulParameterLen = 0;
test_mech.pParameter = NULL;
test_mech.ulParameterLen = 0;
test_mech2.mechanism = CKM_INVALID_MECHANISM;
test_mech2.pParameter = NULL;
test_mech2.ulParameterLen = 0;
/* set up the private key template */
privattrs = privTemplate;
privattrs += pk11_AttrFlagsToAttributes(attrFlags, privattrs,
&cktrue, &ckfalse);
/* set up the mechanism specific info */
switch (type) {
case CKM_RSA_PKCS_KEY_PAIR_GEN:
case CKM_RSA_X9_31_KEY_PAIR_GEN:
rsaParams = (PK11RSAGenParams *)param;
if (rsaParams->pe == 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
modulusBits = rsaParams->keySizeInBits;
peCount = 0;
/* convert pe to a PKCS #11 string */
for (i = 0; i < 4; i++) {
if (peCount || (rsaParams->pe &
((unsigned long)0xff000000L >> (i * 8)))) {
publicExponent[peCount] =
(CK_BYTE)((rsaParams->pe >> (3 - i) * 8) & 0xff);
peCount++;
}
}
PORT_Assert(peCount != 0);
attrs = rsaPubTemplate;
PK11_SETATTRS(attrs, CKA_MODULUS_BITS,
&modulusBits, sizeof(modulusBits));
attrs++;
PK11_SETATTRS(attrs, CKA_PUBLIC_EXPONENT,
publicExponent, peCount);
attrs++;
pubTemplate = rsaPubTemplate;
keyType = rsaKey;
test_mech.mechanism = CKM_RSA_PKCS;
break;
case CKM_DSA_KEY_PAIR_GEN:
dsaParams = (SECKEYPQGParams *)param;
attrs = dsaPubTemplate;
PK11_SETATTRS(attrs, CKA_PRIME, dsaParams->prime.data,
dsaParams->prime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_SUBPRIME, dsaParams->subPrime.data,
dsaParams->subPrime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_BASE, dsaParams->base.data,
dsaParams->base.len);
attrs++;
pubTemplate = dsaPubTemplate;
keyType = dsaKey;
test_mech.mechanism = CKM_DSA;
break;
case CKM_DH_PKCS_KEY_PAIR_GEN:
dhParams = (SECKEYDHParams *)param;
attrs = dhPubTemplate;
PK11_SETATTRS(attrs, CKA_PRIME, dhParams->prime.data,
dhParams->prime.len);
attrs++;
PK11_SETATTRS(attrs, CKA_BASE, dhParams->base.data,
dhParams->base.len);
attrs++;
pubTemplate = dhPubTemplate;
keyType = dhKey;
test_mech.mechanism = CKM_DH_PKCS_DERIVE;
break;
case CKM_EC_KEY_PAIR_GEN:
ecParams = (SECKEYECParams *)param;
attrs = ecPubTemplate;
PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data,
ecParams->len);
attrs++;
pubTemplate = ecPubTemplate;
keyType = ecKey;
/*
* ECC supports 2 different mechanism types (unlike RSA, which
* supports different usages with the same mechanism).
* We may need to query both mechanism types and or the results
* together -- but we only do that if either the user has
* requested both usages, or not specified any usages.
*/
if ((opFlags & (CKF_SIGN | CKF_DERIVE)) == (CKF_SIGN | CKF_DERIVE)) {
/* We've explicitly turned on both flags, use both mechanism */
test_mech.mechanism = CKM_ECDH1_DERIVE;
test_mech2.mechanism = CKM_ECDSA;
} else if (opFlags & CKF_SIGN) {
/* just do signing */
test_mech.mechanism = CKM_ECDSA;
} else if (opFlags & CKF_DERIVE) {
/* just do ECDH */
test_mech.mechanism = CKM_ECDH1_DERIVE;
} else {
/* neither was specified default to both */
test_mech.mechanism = CKM_ECDH1_DERIVE;
test_mech2.mechanism = CKM_ECDSA;
}
break;
case CKM_NSS_KYBER_KEY_PAIR_GEN:
kemParams = (CK_NSS_KEM_PARAMETER_SET_TYPE *)param;
attrs = kyberPubTemplate;
PK11_SETATTRS(attrs, CKA_NSS_PARAMETER_SET,
kemParams,
sizeof(CK_NSS_KEM_PARAMETER_SET_TYPE));
attrs++;
pubTemplate = kyberPubTemplate;
keyType = kyberKey;
test_mech.mechanism = CKM_NSS_KYBER;
break;
case CKM_EC_EDWARDS_KEY_PAIR_GEN:
ecParams = (SECKEYECParams *)param;
attrs = ecPubTemplate;
PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data,
ecParams->len);
attrs++;
pubTemplate = ecPubTemplate;
keyType = edKey;
test_mech.mechanism = CKM_EDDSA;
break;
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
return NULL;
}
/* now query the slot to find out how "good" a key we can generate */
if (!slot->isThreadSafe)
PK11_EnterSlotMonitor(slot);
crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
test_mech.mechanism, &mechanism_info);
/*
* EC keys are used in multiple different types of mechanism, if we
* are using dual use keys, we need to query the second mechanism
* as well.
*/
if (test_mech2.mechanism != CKM_INVALID_MECHANISM) {
CK_MECHANISM_INFO mechanism_info2;
CK_RV crv2;
if (crv != CKR_OK) {
/* the first failed, make sure there is no trash in the
* mechanism flags when we or it below */
mechanism_info.flags = 0;
}
crv2 = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
test_mech2.mechanism, &mechanism_info2);
if (crv2 == CKR_OK) {
crv = CKR_OK; /* succeed if either mechnaism info succeeds */
/* combine the 2 sets of mechnanism flags */
mechanism_info.flags |= mechanism_info2.flags;
}
}
if (!slot->isThreadSafe)
PK11_ExitSlotMonitor(slot);
if ((crv != CKR_OK) || (mechanism_info.flags == 0)) {
/* must be old module... guess what it should be... */
switch (test_mech.mechanism) {
case CKM_RSA_PKCS:
mechanism_info.flags = (CKF_SIGN | CKF_DECRYPT |
CKF_WRAP | CKF_VERIFY_RECOVER | CKF_ENCRYPT | CKF_WRAP);
break;
case CKM_DSA:
mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
break;
case CKM_DH_PKCS_DERIVE:
mechanism_info.flags = CKF_DERIVE;
break;
case CKM_ECDH1_DERIVE:
mechanism_info.flags = CKF_DERIVE;
if (test_mech2.mechanism == CKM_ECDSA) {
mechanism_info.flags |= CKF_SIGN | CKF_VERIFY;
}
break;
case CKM_ECDSA:
mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
break;
case CKM_EDDSA:
mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
break;
default:
break;
}
}
/* now adjust our flags according to the user's key usage passed to us */
mechanism_info.flags = (mechanism_info.flags & (~opFlagsMask)) | opFlags;
/* set the public key attributes */
attrs += pk11_AttrFlagsToAttributes(pubKeyAttrFlags, attrs,
&cktrue, &ckfalse);
PK11_SETATTRS(attrs, CKA_DERIVE,
mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_WRAP,
mechanism_info.flags & CKF_WRAP ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_VERIFY,
mechanism_info.flags & CKF_VERIFY ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_VERIFY_RECOVER,
mechanism_info.flags & CKF_VERIFY_RECOVER ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
PK11_SETATTRS(attrs, CKA_ENCRYPT,
mechanism_info.flags & CKF_ENCRYPT ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
attrs++;
/* set the private key attributes */
PK11_SETATTRS(privattrs, CKA_DERIVE,
mechanism_info.flags & CKF_DERIVE ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
privattrs++;
PK11_SETATTRS(privattrs, CKA_UNWRAP,
mechanism_info.flags & CKF_UNWRAP ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
privattrs++;
PK11_SETATTRS(privattrs, CKA_SIGN,
mechanism_info.flags & CKF_SIGN ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
privattrs++;
PK11_SETATTRS(privattrs, CKA_DECRYPT,
mechanism_info.flags & CKF_DECRYPT ? &cktrue : &ckfalse,
sizeof(CK_BBOOL));
privattrs++;
if (token) {
session_handle = PK11_GetRWSession(slot);
haslock = PK11_RWSessionHasLock(slot, session_handle);
restore = PR_TRUE;
} else {
session_handle = slot->session;
if (session_handle != CK_INVALID_HANDLE)
PK11_EnterSlotMonitor(slot);
restore = PR_FALSE;
haslock = PR_TRUE;
}
if (session_handle == CK_INVALID_HANDLE) {
PORT_SetError(SEC_ERROR_BAD_DATA);
return NULL;
}
privCount = privattrs - privTemplate;
pubCount = attrs - pubTemplate;
crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism,
pubTemplate, pubCount, privTemplate, privCount, &pubID, &privID);
if (crv != CKR_OK) {
if (restore) {
PK11_RestoreROSession(slot, session_handle);
} else
PK11_ExitSlotMonitor(slot);
PORT_SetError(PK11_MapError(crv));
return NULL;
}
/* This locking code is dangerous and needs to be more thought
* out... the real problem is that we're holding the mutex open this long
*/
if (haslock) {
PK11_ExitSlotMonitor(slot);
}
/* swap around the ID's for older PKCS #11 modules */
keyClass = PK11_ReadULongAttribute(slot, pubID, CKA_CLASS);
if (keyClass != CKO_PUBLIC_KEY) {
CK_OBJECT_HANDLE tmp = pubID;
pubID = privID;
privID = tmp;
}
*pubKey = PK11_ExtractPublicKey(slot, keyType, pubID);
if (*pubKey == NULL) {
if (restore) {
/* we may have to restore the mutex so it get's exited properly
* in RestoreROSession */
if (haslock)
PK11_EnterSlotMonitor(slot);
PK11_RestoreROSession(slot, session_handle);
}
PK11_DestroyObject(slot, pubID);
PK11_DestroyObject(slot, privID);
return NULL;
}
/* set the ID to the public key so we can find it again */
cka_id = pk11_MakeIDFromPublicKey(*pubKey);
pubIsToken = (PRBool)PK11_HasAttributeSet(slot, pubID, CKA_TOKEN, PR_FALSE);
PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
if (haslock) {
PK11_EnterSlotMonitor(slot);
}
crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, privID,
&setTemplate, 1);
if (crv == CKR_OK && pubIsToken) {
crv = PK11_GETTAB(slot)->C_SetAttributeValue(session_handle, pubID,
&setTemplate, 1);
}
if (restore) {
PK11_RestoreROSession(slot, session_handle);
} else {
PK11_ExitSlotMonitor(slot);
}
SECITEM_FreeItem(cka_id, PR_TRUE);
if (crv != CKR_OK) {
PK11_DestroyObject(slot, pubID);
PK11_DestroyObject(slot, privID);
PORT_SetError(PK11_MapError(crv));
*pubKey = NULL;
return NULL;
}
privKey = PK11_MakePrivKey(slot, keyType, !token, privID, wincx);
if (privKey == NULL) {
SECKEY_DestroyPublicKey(*pubKey);
PK11_DestroyObject(slot, privID);
*pubKey = NULL;
return NULL;
}
return privKey;
}
SECKEYPrivateKey *
PK11_GenerateKeyPairWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
void *param, SECKEYPublicKey **pubKey, PK11AttrFlags attrFlags, void *wincx)
{
return PK11_GenerateKeyPairWithOpFlags(slot, type, param, pubKey, attrFlags,
0, 0, wincx);
}
/*
* Use the token to generate a key pair.
*/
SECKEYPrivateKey *
PK11_GenerateKeyPair(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
void *param, SECKEYPublicKey **pubKey, PRBool token,
PRBool sensitive, void *wincx)
{
PK11AttrFlags attrFlags = 0;
if (token) {
attrFlags |= PK11_ATTR_TOKEN;
} else {
attrFlags |= PK11_ATTR_SESSION;
}
if (sensitive) {
attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE);
} else {
attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
}
return PK11_GenerateKeyPairWithFlags(slot, type, param, pubKey,
attrFlags, wincx);
}
/* build a public KEA key from the public value */
SECKEYPublicKey *
PK11_MakeKEAPubKey(unsigned char *keyData, int length)
{
SECKEYPublicKey *pubk;
SECItem pkData;
SECStatus rv;
PLArenaPool *arena;
pkData.data = keyData;
pkData.len = length;
pkData.type = siBuffer;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL)
return NULL;
pubk = (SECKEYPublicKey *)PORT_ArenaZAlloc(arena, sizeof(SECKEYPublicKey