| OLD | NEW |
|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 /* | 4 /* |
| 5 * This file implements PKCS 11 on top of our existing security modules | 5 * This file implements PKCS 11 on top of our existing security modules |
| 6 * | 6 * |
| 7 * For more information about PKCS 11 See PKCS 11 Token Inteface Standard. | 7 * For more information about PKCS 11 See PKCS 11 Token Inteface Standard. |
| 8 * This implementation has two slots: | 8 * This implementation has two slots: |
| 9 * slot 1 is our generic crypto support. It does not require login. | 9 * slot 1 is our generic crypto support. It does not require login. |
| 10 * It supports Public Key ops, and all they bulk ciphers and hashes. | 10 * It supports Public Key ops, and all they bulk ciphers and hashes. |
| (...skipping 272 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 283 CKF_SN_VR}, PR_TRUE}, | 283 CKF_SN_VR}, PR_TRUE}, |
| 284 {CKM_SHA384_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, | 284 {CKM_SHA384_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, |
| 285 CKF_SN_VR}, PR_TRUE}, | 285 CKF_SN_VR}, PR_TRUE}, |
| 286 {CKM_SHA512_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, | 286 {CKM_SHA512_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, |
| 287 CKF_SN_VR}, PR_TRUE}, | 287 CKF_SN_VR}, PR_TRUE}, |
| 288 /* ------------------------- DSA Operations --------------------------- */ | 288 /* ------------------------- DSA Operations --------------------------- */ |
| 289 {CKM_DSA_KEY_PAIR_GEN, {DSA_MIN_P_BITS, DSA_MAX_P_BITS, | 289 {CKM_DSA_KEY_PAIR_GEN, {DSA_MIN_P_BITS, DSA_MAX_P_BITS, |
| 290 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, | 290 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, |
| 291 {CKM_DSA, {DSA_MIN_P_BITS, DSA_MAX_P_BITS, | 291 {CKM_DSA, {DSA_MIN_P_BITS, DSA_MAX_P_BITS, |
| 292 CKF_SN_VR}, PR_TRUE}, | 292 CKF_SN_VR}, PR_TRUE}, |
| 293 {CKM_DSA_PARAMETER_GEN, {DSA_MIN_P_BITS, DSA_MAX_P_BITS, |
| 294 CKF_GENERATE}, PR_TRUE}, |
| 293 {CKM_DSA_SHA1, {DSA_MIN_P_BITS, DSA_MAX_P_BITS, | 295 {CKM_DSA_SHA1, {DSA_MIN_P_BITS, DSA_MAX_P_BITS, |
| 294 CKF_SN_VR}, PR_TRUE}, | 296 CKF_SN_VR}, PR_TRUE}, |
| 295 /* -------------------- Diffie Hellman Operations --------------------- */ | 297 /* -------------------- Diffie Hellman Operations --------------------- */ |
| 296 /* no diffie hellman yet */ | 298 /* no diffie hellman yet */ |
| 297 {CKM_DH_PKCS_KEY_PAIR_GEN, {DH_MIN_P_BITS, DH_MAX_P_BITS, | 299 {CKM_DH_PKCS_KEY_PAIR_GEN, {DH_MIN_P_BITS, DH_MAX_P_BITS, |
| 298 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, | 300 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, |
| 299 {CKM_DH_PKCS_DERIVE, {DH_MIN_P_BITS, DH_MAX_P_BITS, | 301 {CKM_DH_PKCS_DERIVE, {DH_MIN_P_BITS, DH_MAX_P_BITS, |
| 300 CKF_DERIVE}, PR_TRUE}, | 302 CKF_DERIVE}, PR_TRUE}, |
| 301 #ifdef NSS_ENABLE_ECC | 303 #ifdef NSS_ENABLE_ECC |
| 302 /* -------------------- Elliptic Curve Operations --------------------- */ | 304 /* -------------------- Elliptic Curve Operations --------------------- */ |
| (...skipping 550 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 853 if (crv != CKR_OK) { | 855 if (crv != CKR_OK) { |
| 854 return crv; | 856 return crv; |
| 855 } | 857 } |
| 856 crv = sftk_ConstrainAttribute(object, CKA_PUBLIC_EXPONENT, 2, 0, 0); | 858 crv = sftk_ConstrainAttribute(object, CKA_PUBLIC_EXPONENT, 2, 0, 0); |
| 857 if (crv != CKR_OK) { | 859 if (crv != CKR_OK) { |
| 858 return crv; | 860 return crv; |
| 859 } | 861 } |
| 860 break; | 862 break; |
| 861 case CKK_DSA: | 863 case CKK_DSA: |
| 862 crv = sftk_ConstrainAttribute(object, CKA_SUBPRIME, | 864 crv = sftk_ConstrainAttribute(object, CKA_SUBPRIME, |
| 863 » » » » » » DSA_Q_BITS, DSA_Q_BITS, 0); | 865 » » » » » DSA_MIN_Q_BITS, DSA_MAX_Q_BITS, 0); |
| 864 if (crv != CKR_OK) { | 866 if (crv != CKR_OK) { |
| 865 return crv; | 867 return crv; |
| 866 } | 868 } |
| 867 crv = sftk_ConstrainAttribute(object, CKA_PRIME, | 869 crv = sftk_ConstrainAttribute(object, CKA_PRIME, |
| 868 DSA_MIN_P_BITS, DSA_MAX_P_BITS, 64); | 870 DSA_MIN_P_BITS, DSA_MAX_P_BITS, 64); |
| 869 if (crv != CKR_OK) { | 871 if (crv != CKR_OK) { |
| 870 return crv; | 872 return crv; |
| 871 } | 873 } |
| 872 » crv = sftk_ConstrainAttribute(object, CKA_BASE, 1, DSA_MAX_P_BITS, 0); | 874 » crv = sftk_ConstrainAttribute(object, CKA_BASE, 2, DSA_MAX_P_BITS, 0); |
| 873 if (crv != CKR_OK) { | 875 if (crv != CKR_OK) { |
| 874 return crv; | 876 return crv; |
| 875 } | 877 } |
| 876 » crv = sftk_ConstrainAttribute(object, CKA_VALUE, 1, DSA_MAX_P_BITS, 0); | 878 » crv = sftk_ConstrainAttribute(object, CKA_VALUE, 2, DSA_MAX_P_BITS, 0); |
| 877 if (crv != CKR_OK) { | 879 if (crv != CKR_OK) { |
| 878 return crv; | 880 return crv; |
| 879 } | 881 } |
| 880 encrypt = CK_FALSE; | 882 encrypt = CK_FALSE; |
| 881 recover = CK_FALSE; | 883 recover = CK_FALSE; |
| 882 wrap = CK_FALSE; | 884 wrap = CK_FALSE; |
| 883 break; | 885 break; |
| 884 case CKK_DH: | 886 case CKK_DH: |
| 885 crv = sftk_ConstrainAttribute(object, CKA_PRIME, | 887 crv = sftk_ConstrainAttribute(object, CKA_PRIME, |
| 886 DH_MIN_P_BITS, DH_MAX_P_BITS, 0); | 888 DH_MIN_P_BITS, DH_MAX_P_BITS, 0); |
| 887 if (crv != CKR_OK) { | 889 if (crv != CKR_OK) { |
| 888 return crv; | 890 return crv; |
| 889 } | 891 } |
| 890 » crv = sftk_ConstrainAttribute(object, CKA_BASE, 1, DH_MAX_P_BITS, 0); | 892 » crv = sftk_ConstrainAttribute(object, CKA_BASE, 2, DH_MAX_P_BITS, 0); |
| 891 if (crv != CKR_OK) { | 893 if (crv != CKR_OK) { |
| 892 return crv; | 894 return crv; |
| 893 } | 895 } |
| 894 » crv = sftk_ConstrainAttribute(object, CKA_VALUE, 1, DH_MAX_P_BITS, 0); | 896 » crv = sftk_ConstrainAttribute(object, CKA_VALUE, 2, DH_MAX_P_BITS, 0); |
| 895 if (crv != CKR_OK) { | 897 if (crv != CKR_OK) { |
| 896 return crv; | 898 return crv; |
| 897 } | 899 } |
| 898 verify = CK_FALSE; | 900 verify = CK_FALSE; |
| 899 derive = CK_TRUE; | 901 derive = CK_TRUE; |
| 900 encrypt = CK_FALSE; | 902 encrypt = CK_FALSE; |
| 901 recover = CK_FALSE; | 903 recover = CK_FALSE; |
| 902 wrap = CK_FALSE; | 904 wrap = CK_FALSE; |
| 903 break; | 905 break; |
| 904 #ifdef NSS_ENABLE_ECC | 906 #ifdef NSS_ENABLE_ECC |
| (...skipping 437 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1342 SFTKAttribute *primeAttr = NULL; | 1344 SFTKAttribute *primeAttr = NULL; |
| 1343 SFTKAttribute *subPrimeAttr = NULL; | 1345 SFTKAttribute *subPrimeAttr = NULL; |
| 1344 SFTKAttribute *baseAttr = NULL; | 1346 SFTKAttribute *baseAttr = NULL; |
| 1345 SFTKAttribute *seedAttr = NULL; | 1347 SFTKAttribute *seedAttr = NULL; |
| 1346 SFTKAttribute *hAttr = NULL; | 1348 SFTKAttribute *hAttr = NULL; |
| 1347 SFTKAttribute *attribute; | 1349 SFTKAttribute *attribute; |
| 1348 CK_RV crv = CKR_TEMPLATE_INCOMPLETE; | 1350 CK_RV crv = CKR_TEMPLATE_INCOMPLETE; |
| 1349 PQGParams params; | 1351 PQGParams params; |
| 1350 PQGVerify vfy, *verify = NULL; | 1352 PQGVerify vfy, *verify = NULL; |
| 1351 SECStatus result,rv; | 1353 SECStatus result,rv; |
| 1354 /* This bool keeps track of whether or not we need verify parameters. |
| 1355 * If a P, Q and G or supplied, we dont' need verify parameters, as we |
| 1356 * have PQ and G. |
| 1357 * - If G is not supplied, the presumption is that we want to |
| 1358 * verify P and Q only. |
| 1359 * - If counter is supplied, it is presumed we want to verify PQ because |
| 1360 * the counter is only used in verification. |
| 1361 * - If H is supplied, is is presumed we want to verify G because H is |
| 1362 * only used to verify G. |
| 1363 * - Any verification step must have the SEED (counter or H could be |
| 1364 * missing depending on exactly what we want to verify). If SEED is supplied
, |
| 1365 * the code just goes ahead and runs verify (other errors are parameter |
| 1366 * errors are detected by the PQG_VerifyParams function). If SEED is not |
| 1367 * supplied, but we determined that we are trying to verify (because needVfy |
| 1368 * is set, go ahead and return CKR_TEMPLATE_INCOMPLETE. |
| 1369 */ |
| 1370 PRBool needVfy = PR_FALSE; |
| 1352 | 1371 |
| 1353 primeAttr = sftk_FindAttribute(object,CKA_PRIME); | 1372 primeAttr = sftk_FindAttribute(object,CKA_PRIME); |
| 1354 if (primeAttr == NULL) goto loser; | 1373 if (primeAttr == NULL) goto loser; |
| 1355 params.prime.data = primeAttr->attrib.pValue; | 1374 params.prime.data = primeAttr->attrib.pValue; |
| 1356 params.prime.len = primeAttr->attrib.ulValueLen; | 1375 params.prime.len = primeAttr->attrib.ulValueLen; |
| 1357 | 1376 |
| 1358 subPrimeAttr = sftk_FindAttribute(object,CKA_SUBPRIME); | 1377 subPrimeAttr = sftk_FindAttribute(object,CKA_SUBPRIME); |
| 1359 if (subPrimeAttr == NULL) goto loser; | 1378 if (subPrimeAttr == NULL) goto loser; |
| 1360 params.subPrime.data = subPrimeAttr->attrib.pValue; | 1379 params.subPrime.data = subPrimeAttr->attrib.pValue; |
| 1361 params.subPrime.len = subPrimeAttr->attrib.ulValueLen; | 1380 params.subPrime.len = subPrimeAttr->attrib.ulValueLen; |
| 1362 | 1381 |
| 1363 baseAttr = sftk_FindAttribute(object,CKA_BASE); | 1382 baseAttr = sftk_FindAttribute(object,CKA_BASE); |
| 1364 if (baseAttr == NULL) goto loser; | 1383 if (baseAttr != NULL) { |
| 1365 params.base.data = baseAttr->attrib.pValue; | 1384 » params.base.data = baseAttr->attrib.pValue; |
| 1366 params.base.len = baseAttr->attrib.ulValueLen; | 1385 » params.base.len = baseAttr->attrib.ulValueLen; |
| 1386 } else { |
| 1387 » params.base.data = NULL; |
| 1388 » params.base.len = 0; |
| 1389 » needVfy = PR_TRUE; /* presumably only including PQ so we can verify |
| 1390 » » » * them. */ |
| 1391 } |
| 1367 | 1392 |
| 1368 attribute = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER); | 1393 attribute = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_COUNTER); |
| 1369 if (attribute != NULL) { | 1394 if (attribute != NULL) { |
| 1370 vfy.counter = *(CK_ULONG *) attribute->attrib.pValue; | 1395 vfy.counter = *(CK_ULONG *) attribute->attrib.pValue; |
| 1371 sftk_FreeAttribute(attribute); | 1396 sftk_FreeAttribute(attribute); |
| 1397 needVfy = PR_TRUE; /* included a count so we can verify PQ */ |
| 1398 } else { |
| 1399 vfy.counter = -1; |
| 1400 } |
| 1372 | 1401 |
| 1373 » seedAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_SEED); | 1402 hAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_H); |
| 1374 » if (seedAttr == NULL) goto loser; | 1403 if (hAttr != NULL) { |
| 1404 » vfy.h.data = hAttr->attrib.pValue; |
| 1405 » vfy.h.len = hAttr->attrib.ulValueLen; |
| 1406 » needVfy = PR_TRUE; /* included H so we can verify G */ |
| 1407 } else { |
| 1408 » vfy.h.data = NULL; |
| 1409 » vfy.h.len = 0; |
| 1410 } |
| 1411 seedAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_SEED); |
| 1412 if (seedAttr != NULL) { |
| 1375 vfy.seed.data = seedAttr->attrib.pValue; | 1413 vfy.seed.data = seedAttr->attrib.pValue; |
| 1376 vfy.seed.len = seedAttr->attrib.ulValueLen; | 1414 vfy.seed.len = seedAttr->attrib.ulValueLen; |
| 1377 | 1415 |
| 1378 hAttr = sftk_FindAttribute(object, CKA_NETSCAPE_PQG_H); | |
| 1379 if (hAttr == NULL) goto loser; | |
| 1380 vfy.h.data = hAttr->attrib.pValue; | |
| 1381 vfy.h.len = hAttr->attrib.ulValueLen; | |
| 1382 | |
| 1383 verify = &vfy; | 1416 verify = &vfy; |
| 1417 } else if (needVfy) { |
| 1418 goto loser; /* Verify always needs seed, if we need verify and not seed |
| 1419 * then fail */ |
| 1384 } | 1420 } |
| 1385 | 1421 |
| 1386 crv = CKR_FUNCTION_FAILED; | 1422 crv = CKR_FUNCTION_FAILED; |
| 1387 rv = PQG_VerifyParams(¶ms,verify,&result); | 1423 rv = PQG_VerifyParams(¶ms,verify,&result); |
| 1388 if (rv == SECSuccess) { | 1424 if (rv == SECSuccess) { |
| 1389 crv = (result== SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID; | 1425 crv = (result== SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID; |
| 1390 } | 1426 } |
| 1391 | 1427 |
| 1392 loser: | 1428 loser: |
| 1393 if (hAttr) sftk_FreeAttribute(hAttr); | 1429 if (hAttr) sftk_FreeAttribute(hAttr); |
| (...skipping 3201 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 4595 | 4631 |
| 4596 | 4632 |
| 4597 CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, | 4633 CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, |
| 4598 CK_VOID_PTR pReserved) | 4634 CK_VOID_PTR pReserved) |
| 4599 { | 4635 { |
| 4600 CHECK_FORK(); | 4636 CHECK_FORK(); |
| 4601 | 4637 |
| 4602 return CKR_FUNCTION_NOT_SUPPORTED; | 4638 return CKR_FUNCTION_NOT_SUPPORTED; |
| 4603 } | 4639 } |
| 4604 | 4640 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 11359091:
Update NSS to NSS 3.14 pre-release snapshot 2012-06-26 01:00:00 PDT. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/