Update NSS to NSS 3.14 pre-release snapshot 2012-06-26 01:00:00 PDT.

mozilla/security/nss/lib/pk11wrap/pk11obj.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file manages object type indepentent functions.
  */
 #include "seccomon.h"
 #include "secmod.h"
 #include "secmodi.h"
 #include "secmodti.h"
@@ skipping 501 matching lines @@
     return len;
 }
 
 /*
  * get the length of a signature object based on the key
  */
 int
 PK11_SignatureLen(SECKEYPrivateKey *key)
 {
     int val;
-    CK_ATTRIBUTE theTemplate = { CKA_EC_PARAMS, NULL, 0 };
-    SECItem params = {siBuffer, NULL, 0};
+    SECItem attributeItem = {siBuffer, NULL, 0};
+    SECStatus rv;
     int length; 
 
     switch (key->keyType) {
     case rsaKey:
         val = PK11_GetPrivateModulusLen(key);
         if (val == -1) {
             return pk11_backupGetSignLength(key);
         }
         return (unsigned long) val;
         
     case fortezzaKey:
+        return 40;
+
     case dsaKey:
-        return 40;
+        rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, CKA_SUBPRIME, 
+                                NULL, &attributeItem);
+        if (rv == SECSuccess) {
+            length = attributeItem.len;
+            if ((length > 0) && attributeItem.data[0] == 0) {
+                length--;
+            }
+            PORT_Free(attributeItem.data);
+            return length*2;
+        }
+        return pk11_backupGetSignLength(key);
+
     case ecKey:
-        if (PK11_GetAttributes(NULL, key->pkcs11Slot, key->pkcs11ID,
-                               &theTemplate, 1) == CKR_OK) {
-            if (theTemplate.pValue != NULL) {
-                params.len = theTemplate.ulValueLen;
-                params.data = (unsigned char *) theTemplate.pValue;
-                length = SECKEY_ECParamsToBasePointOrderLen(&params);
-                PORT_Free(theTemplate.pValue);
-                if (length == 0) {
-                    return pk11_backupGetSignLength(key);
-                }
+        rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, CKA_EC_PARAMS, 
+                                NULL, &attributeItem);
+        if (rv == SECSuccess) {
+            length = SECKEY_ECParamsToBasePointOrderLen(&attributeItem);
+            PORT_Free(attributeItem.data);
+            if (length != 0) {
                 length = ((length + 7)/8) * 2;
                 return length;
             }
         }
-        break;
+        return pk11_backupGetSignLength(key);
     default:
         break;
     }
     PORT_SetError( SEC_ERROR_INVALID_KEY );
     return 0;
 }
 
 /*
  * copy a key (or any other object) on a token
  */
@@ skipping 92 matching lines @@
     PK11SlotInfo *slot = key->pkcs11Slot;
     CK_OBJECT_HANDLE id = key->pkcs11ID;
     CK_MECHANISM mech = {0, NULL, 0 };
     PRBool owner = PR_TRUE;
     CK_SESSION_HANDLE session;
     CK_RV crv;
 
     mech.mechanism = PK11_MapSignKeyType(key->keyType);
 
     if (slot == NULL) {
-        slot = PK11_GetBestSlot(mech.mechanism,wincx);
+        if ((mech.mechanism == CKM_DSA) && 
+                                /* 129 is 1024 bits translated to bytes and
+                                 * padded with an optional '0' to maintain a
+                                 * positive sign */
+                                (key->u.dsa.params.prime.len > 129)) {
+            /* we need to get a slot that not only can do DSA, but can do DSA2
+             * key lengths */
+            unsigned int length = key->u.dsa.params.prime.len;
+            if (length > 0 && key->u.dsa.params.prime.data[0] == 0) {
+                length --;
+            }
+            slot = PK11_GetBestSlotWithKeySize(mech.mechanism, 
+                                                length*BITS_PER_BYTE, wincx);
+        } else {
+            slot = PK11_GetBestSlot(mech.mechanism,wincx);
+        }
        
         if (slot == NULL) {
             PORT_SetError( SEC_ERROR_NO_MODULE );
             return SECFailure;
         }
         id = PK11_ImportPublicKey(slot,key,PR_FALSE);
             
     } else {
         PK11_ReferenceSlot(slot);
     }
@@ skipping 47 matching lines @@
 
     session = pk11_GetNewSession(slot,&owner);
     if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
     if (crv != CKR_OK) {
         if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
         pk11_CloseSession(slot,session,owner);
         PORT_SetError( PK11_MapError(crv) );
         return SECFailure;
     }
+        /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then 
+         * do C_Login with CKU_CONTEXT_SPECIFIC 
+         * between C_SignInit and C_Sign */
+        if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) {
+                PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE);
+        }
     len = sig->len;
     crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
                                         hash->len, sig->data, &len);
     if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
     pk11_CloseSession(slot,session,owner);
     sig->len = len;
     if (crv != CKR_OK) {
         PORT_SetError( PK11_MapError(crv) );
         return SECFailure;
     }
@@ skipping 32 matching lines @@
     }
     session = pk11_GetNewSession(slot,&owner);
     if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
     crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID);
     if (crv != CKR_OK) {
         if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
         pk11_CloseSession(slot,session,owner);
         PORT_SetError( PK11_MapError(crv) );
         return SECFailure;
     }
+        /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then 
+         * do C_Login with CKU_CONTEXT_SPECIFIC 
+         * between C_DecryptInit and C_Decrypt */
+        /* But see note above about servers */
+        if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) {
+                PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE);
+        }
     crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out);
     if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
     pk11_CloseSession(slot,session,owner);
     *outLen = out;
     if (crv != CKR_OK) {
         PORT_SetError( PK11_MapError(crv) );
         return SECFailure;
     }
     return SECSuccess;
 }
@@ skipping 995 matching lines @@
         PORT_SetError( PK11_MapError(crv) );
         return NULL;
     }
 
     item->data = (unsigned char*) theTemplate[0].pValue;
     item->len =theTemplate[0].ulValueLen;
 
     return item;
 }