OLD | NEW |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 #include "nspr.h" | 4 #include "nspr.h" |
5 #include "secerr.h" | 5 #include "secerr.h" |
6 #include "secport.h" | 6 #include "secport.h" |
7 #include "seccomon.h" | 7 #include "seccomon.h" |
8 #include "secoid.h" | 8 #include "secoid.h" |
9 #include "sslerr.h" | |
10 #include "genname.h" | 9 #include "genname.h" |
11 #include "keyhi.h" | 10 #include "keyhi.h" |
12 #include "cert.h" | 11 #include "cert.h" |
13 #include "certdb.h" | 12 #include "certdb.h" |
14 #include "certi.h" | 13 #include "certi.h" |
15 #include "cryptohi.h" | 14 #include "cryptohi.h" |
16 #ifndef NSS_DISABLE_LIBPKIX | 15 #ifndef NSS_DISABLE_LIBPKIX |
17 #include "pkix.h" | 16 #include "pkix.h" |
18 /*#include "pkix_sample_modules.h" */ | 17 /*#include "pkix_sample_modules.h" */ |
19 #include "pkix_pl_cert.h" | 18 #include "pkix_pl_cert.h" |
20 #endif /* NSS_DISABLE_LIBPKIX */ | 19 #endif /* NSS_DISABLE_LIBPKIX */ |
21 | 20 |
22 | 21 |
23 #include "nsspki.h" | 22 #include "nsspki.h" |
24 #include "pkitm.h" | 23 #include "pkitm.h" |
25 #include "pkim.h" | 24 #include "pkim.h" |
26 #include "pki3hack.h" | 25 #include "pki3hack.h" |
27 #include "base.h" | 26 #include "base.h" |
| 27 #include "keyhi.h" |
28 | 28 |
29 #ifdef NSS_DISABLE_LIBPKIX | 29 #ifdef NSS_DISABLE_LIBPKIX |
30 SECStatus | 30 SECStatus |
31 cert_VerifyCertChainPkix( | 31 cert_VerifyCertChainPkix( |
32 CERTCertificate *cert, | 32 CERTCertificate *cert, |
33 PRBool checkSig, | 33 PRBool checkSig, |
34 SECCertUsage requiredUsage, | 34 SECCertUsage requiredUsage, |
35 PRTime time, | 35 PRTime time, |
36 void *wincx, | 36 void *wincx, |
37 CERTVerifyLog *log, | 37 CERTVerifyLog *log, |
(...skipping 32 matching lines...)
70 /* | 70 /* |
71 * Check the validity times of a certificate | 71 * Check the validity times of a certificate |
72 */ | 72 */ |
73 SECStatus | 73 SECStatus |
74 CERT_CertTimesValid(CERTCertificate *c) | 74 CERT_CertTimesValid(CERTCertificate *c) |
75 { | 75 { |
76 SECCertTimeValidity valid = CERT_CheckCertValidTimes(c, PR_Now(), PR_TRUE); | 76 SECCertTimeValidity valid = CERT_CheckCertValidTimes(c, PR_Now(), PR_TRUE); |
77 return (valid == secCertTimeValid) ? SECSuccess : SECFailure; | 77 return (valid == secCertTimeValid) ? SECSuccess : SECFailure; |
78 } | 78 } |
79 | 79 |
| 80 SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicK
ey *key) |
| 81 { |
| 82 SECStatus rv; |
| 83 SECOidTag sigAlg; |
| 84 SECOidTag curve; |
| 85 PRUint32 policyFlags = 0; |
| 86 PRInt32 minLen, len; |
| 87 |
| 88 sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm); |
| 89 |
| 90 switch(sigAlg) { |
| 91 case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: |
| 92 case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: |
| 93 case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: |
| 94 case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: |
| 95 case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: |
| 96 if (key->keyType != ecKey) { |
| 97 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 98 return SECFailure; |
| 99 } |
| 100 |
| 101 curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams); |
| 102 if (curve != 0) { |
| 103 if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure || |
| 104 !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { |
| 105 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); |
| 106 return SECFailure; |
| 107 } else { |
| 108 return SECSuccess; |
| 109 } |
| 110 } else { |
| 111 PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); |
| 112 return SECFailure; |
| 113 } |
| 114 return SECSuccess; |
| 115 case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: |
| 116 case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: |
| 117 case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: |
| 118 case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: |
| 119 case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: |
| 120 case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: |
| 121 case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: |
| 122 case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: |
| 123 if (key->keyType != rsaKey && key->keyType != rsaPssKey) { |
| 124 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 125 return SECFailure; |
| 126 } |
| 127 |
| 128 len = 8 * key->u.rsa.modulus.len; |
| 129 |
| 130 rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minLen); |
| 131 if (rv != SECSuccess) { |
| 132 return SECFailure; |
| 133 } |
| 134 |
| 135 if (len < minLen) { |
| 136 return SECFailure; |
| 137 } |
| 138 |
| 139 return SECSuccess; |
| 140 case SEC_OID_ANSIX9_DSA_SIGNATURE: |
| 141 case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: |
| 142 case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: |
| 143 case SEC_OID_SDN702_DSA_SIGNATURE: |
| 144 case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: |
| 145 case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: |
| 146 if (key->keyType != dsaKey) { |
| 147 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); |
| 148 return SECFailure; |
| 149 } |
| 150 |
| 151 len = 8 * key->u.dsa.params.prime.len; |
| 152 |
| 153 rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minLen); |
| 154 if (rv != SECSuccess) { |
| 155 return SECFailure; |
| 156 } |
| 157 |
| 158 if (len < minLen) { |
| 159 return SECFailure; |
| 160 } |
| 161 |
| 162 return SECSuccess; |
| 163 default: |
| 164 return SECSuccess; |
| 165 } |
| 166 } |
| 167 |
80 /* | 168 /* |
81 * verify the signature of a signed data object with the given DER publickey | 169 * verify the signature of a signed data object with the given DER publickey |
82 */ | 170 */ |
83 SECStatus | 171 SECStatus |
84 CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, | 172 CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd, |
85 SECKEYPublicKey *pubKey, | 173 SECKEYPublicKey *pubKey, |
86 void *wincx) | 174 void *wincx) |
87 { | 175 { |
88 SECStatus rv; | 176 SECStatus rv; |
89 SECItem sig; | 177 SECItem sig; |
90 SECOidTag hashAlg = SEC_OID_UNKNOWN; | 178 SECOidTag hashAlg = SEC_OID_UNKNOWN; |
91 | 179 |
92 if ( !pubKey || !sd ) { | 180 if ( !pubKey || !sd ) { |
93 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 181 PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
94 return SECFailure; | 182 return SECFailure; |
95 } | 183 } |
96 | |
97 /* check the signature */ | 184 /* check the signature */ |
98 sig = sd->signature; | 185 sig = sd->signature; |
99 /* convert sig->len from bit counts to byte count. */ | 186 /* convert sig->len from bit counts to byte count. */ |
100 DER_ConvertBitString(&sig); | 187 DER_ConvertBitString(&sig); |
101 | 188 |
102 rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, | 189 rv = VFY_VerifyDataWithAlgorithmID(sd->data.data, sd->data.len, pubKey, |
103 &sig, &sd->signatureAlgorithm, &hashAlg, wincx); | 190 &sig, &sd->signatureAlgorithm, &hashAlg, wincx); |
104 if (rv == SECSuccess) { | 191 if (rv == SECSuccess) { |
105 /* Are we honoring signatures for this algorithm? */ | 192 /* Are we honoring signatures for this algorithm? */ |
106 PRUint32 policyFlags = 0; | 193 PRUint32 policyFlags = 0; |
| 194 rv = checkKeyParams(&sd->signatureAlgorithm, pubKey); |
| 195 if (rv != SECSuccess) { |
| 196 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); |
| 197 return SECFailure; |
| 198 } |
| 199 |
107 rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags); | 200 rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags); |
108 if (rv == SECSuccess && | 201 if (rv == SECSuccess && |
109 !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { | 202 !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { |
110 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); | 203 PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); |
111 » rv = SECFailure; | 204 » return SECFailure; |
112 } | 205 } |
113 } | 206 } |
114 return rv; | 207 return rv; |
115 } | 208 } |
116 | 209 |
117 /* | 210 /* |
118 * verify the signature of a signed data object with the given DER publickey | 211 * verify the signature of a signed data object with the given DER publickey |
119 */ | 212 */ |
120 SECStatus | 213 SECStatus |
121 CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, | 214 CERT_VerifySignedDataWithPublicKeyInfo(CERTSignedData *sd, |
(...skipping 1756 matching lines...)
1878 return chain; | 1971 return chain; |
1879 } | 1972 } |
1880 | 1973 |
1881 cert = CERT_FindCertIssuer(cert, time, usage); | 1974 cert = CERT_FindCertIssuer(cert, time, usage); |
1882 } | 1975 } |
1883 | 1976 |
1884 /* return partial chain */ | 1977 /* return partial chain */ |
1885 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); | 1978 PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); |
1886 return chain; | 1979 return chain; |
1887 } | 1980 } |
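Review bot: The RSA and DSA branches of `checkKeyParams` (new lines 128 and 151) take the key size as `8 * key->u.rsa.modulus.len` and `8 * key->u.dsa.params.prime.len`, which counts encoded bytes rather than significant bits, so a value carrying leading zero bytes is measured as larger than it really is when compared with `NSS_RSA_MIN_KEY_SIZE` / `NSS_DSA_MIN_KEY_SIZE`. Consider `len = SECKEY_PublicKeyStrengthInBits(key);` from keyhi.h, provided its handling of leading zero bytes and its parameter constness fit this call site. The same two branches return `SECFailure` for a too-short key without calling `PORT_SetError`, and the caller at new line 196 replaces every error from the helper, including `SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE` and `SEC_ERROR_INVALID_ALGORITHM`, with `SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED`; setting the code inside the helper and returning `rv` unchanged would keep the specific reason for whoever reads the verify log. As far as the page shows the helper is used only in this file, so it could be declared `static`, and the `return SECSuccess;` at new line 114 is unreachable because both arms of the preceding `if`/`else` already return.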