Add PK11_ExportDERPrivateKeyInfo and PK11_ExportPrivKeyInfo.

patches/nss-export-private-key-info.patch

+diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
+--- a/lib/pk11wrap/pk11akey.c
++++ b/lib/pk11wrap/pk11akey.c
+@@ -1708,17 +1708,23 @@ done:
+     }
+ 
+     return rv;
+ }
+ 
+ SECKEYPrivateKeyInfo *
+ PK11_ExportPrivateKeyInfo(CERTCertificate *cert, void *wincx)
+ {
+-    return NULL;
++    SECKEYPrivateKeyInfo *pki = NULL;
++    SECKEYPrivateKey     *pk  = PK11_FindKeyByAnyCert(cert, wincx);
++    if (pk != NULL) {
++       pki = PK11_ExportPrivKeyInfo(pk, wincx);
++       SECKEY_DestroyPrivateKey(pk);
++    }
++    return pki;
+ }
+ 
+ SECKEYEncryptedPrivateKeyInfo * 
+ PK11_ExportEncryptedPrivKeyInfo(
+    PK11SlotInfo     *slot,      /* optional, encrypt key in this slot */
+    SECOidTag         algTag,    /* encrypt key with this algorithm */
+    SECItem          *pwitem,    /* password for PBE encryption */
+    SECKEYPrivateKey *pk,        /* encrypt this private key */
+diff --git a/lib/pk11wrap/pk11obj.c b/lib/pk11wrap/pk11obj.c
+--- a/lib/pk11wrap/pk11obj.c
++++ b/lib/pk11wrap/pk11obj.c
+@@ -76,16 +76,19 @@ PK11_DestroyTokenObject(PK11SlotInfo *sl
+     PK11_RestoreROSession(slot,rwsession);
+     return rv;
+ }
+ 
+ /*
+  * Read in a single attribute into a SECItem. Allocate space for it with 
+  * PORT_Alloc unless an arena is supplied. In the latter case use the arena
+  * to allocate the space.
++ *
++ * PK11_ReadAttribute sets the 'data' and 'len' fields of the SECItem but
++ * does not modify its 'type' field.
+  */
+ SECStatus
+ PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+         CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result) {
+     CK_ATTRIBUTE attr = { 0, NULL, 0 };
+     CK_RV crv;
+ 
+     attr.type = type;
+diff --git a/lib/pk11wrap/pk11pk12.c b/lib/pk11wrap/pk11pk12.c
+--- a/lib/pk11wrap/pk11pk12.c
++++ b/lib/pk11wrap/pk11pk12.c
+@@ -13,16 +13,17 @@
+ #include "secmodi.h"
+ #include "pkcs11.h"
+ #include "pk11func.h"
+ #include "secitem.h"
+ #include "key.h"
+ #include "secoid.h"
+ #include "secasn1.h"
+ #include "secerr.h"
++#include "prerror.h"
+ 
+ 
+ 
+ /* These data structures should move to a common .h file shared between the
+  * wrappers and the pkcs 12 code. */
+ 
+ /*
+ ** RSA Raw Private Key structures
+@@ -511,8 +512,117 @@ PK11_ImportPrivateKeyInfo(PK11SlotInfo *
+        SECItem *nickname, SECItem *publicValue, PRBool isPerm, 
+        PRBool isPrivate, unsigned int keyUsage, void *wincx) 
+ {
+     return PK11_ImportPrivateKeyInfoAndReturnKey(slot, pki, nickname,
+        publicValue, isPerm, isPrivate, keyUsage, NULL, wincx);
+ 
+ }
+ 
++SECItem *
++PK11_ExportDERPrivateKeyInfo(SECKEYPrivateKey *pk, void *wincx)
++{
++    SECKEYPrivateKeyInfo *pki = PK11_ExportPrivKeyInfo(pk, wincx);
++    SECItem *derPKI;
++
++    if (!pki) {
++        return NULL;
++    }
++    derPKI = SEC_ASN1EncodeItem(NULL, NULL, pki,
++                                SECKEY_PrivateKeyInfoTemplate);
++    SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
++    return derPKI;
++}
++
++static PRBool
++ReadAttribute(SECKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
++              PLArenaPool *arena, SECItem *output)
++{
++    SECStatus rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, type,
++                                      arena, output);
++    return rv == SECSuccess;
++}
++
++/*
++ * The caller is responsible for freeing the return value by passing it to
++ * SECKEY_DestroyPrivateKeyInfo(..., PR_TRUE).
++ */
++SECKEYPrivateKeyInfo *
++PK11_ExportPrivKeyInfo(SECKEYPrivateKey *pk, void *wincx)
++{
++    /* PrivateKeyInfo version (always zero) */
++    const unsigned char pkiVersion = 0;
++    /* RSAPrivateKey version (always zero) */
++    const unsigned char rsaVersion = 0;
++    PLArenaPool *arena = NULL;
++    SECKEYRawPrivateKey rawKey;
++    SECKEYPrivateKeyInfo *pki;
++    SECItem *encoded;
++    SECStatus rv;
++
++    if (pk->keyType != rsaKey) {
++        PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
++        goto loser;
++    }
++
++    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++    if (!arena) {
++        goto loser;
++    }
++    memset(&rawKey, 0, sizeof(rawKey));
++    rawKey.keyType = pk->keyType;
++    rawKey.u.rsa.version.type = siUnsignedInteger;
++    rawKey.u.rsa.version.data = (unsigned char *)PORT_ArenaAlloc(arena, 1);
++    if (!rawKey.u.rsa.version.data) {
++        goto loser;
++    }
++    rawKey.u.rsa.version.data[0] = rsaVersion;
++    rawKey.u.rsa.version.len = 1;
++
++    /* Read the component attributes of the private key */
++    prepare_rsa_priv_key_export_for_asn1(&rawKey);
++    if (!ReadAttribute(pk, CKA_MODULUS, arena, &rawKey.u.rsa.modulus) ||
++        !ReadAttribute(pk, CKA_PUBLIC_EXPONENT, arena,
++                       &rawKey.u.rsa.publicExponent) ||
++        !ReadAttribute(pk, CKA_PRIVATE_EXPONENT, arena,
++                       &rawKey.u.rsa.privateExponent) ||
++        !ReadAttribute(pk, CKA_PRIME_1, arena, &rawKey.u.rsa.prime1) ||
++        !ReadAttribute(pk, CKA_PRIME_2, arena, &rawKey.u.rsa.prime2) ||
++        !ReadAttribute(pk, CKA_EXPONENT_1, arena,
++                       &rawKey.u.rsa.exponent1) ||
++        !ReadAttribute(pk, CKA_EXPONENT_2, arena,
++                       &rawKey.u.rsa.exponent2) ||
++        !ReadAttribute(pk, CKA_COEFFICIENT, arena,
++                       &rawKey.u.rsa.coefficient)) {
++        goto loser;
++    }
++
++    pki = PORT_ArenaZNew(arena, SECKEYPrivateKeyInfo);
++    if (!pki) {
++        goto loser;
++    }
++    encoded = SEC_ASN1EncodeItem(arena, &pki->privateKey, &rawKey,
++                                 SECKEY_RSAPrivateKeyExportTemplate);
++    if (!encoded) {
++        goto loser;
++    }
++    rv = SECOID_SetAlgorithmID(arena, &pki->algorithm,
++                               SEC_OID_PKCS1_RSA_ENCRYPTION, NULL);
++    if (rv != SECSuccess) {
++        goto loser;
++    }
++    pki->version.type = siUnsignedInteger;
++    pki->version.data = (unsigned char *)PORT_ArenaAlloc(arena, 1);
++    if (!pki->version.data) {
++        goto loser;
++    }
++    pki->version.data[0] = pkiVersion;
++    pki->version.len = 1;
++    pki->arena = arena;
++
++    return pki;
++
++loser:
++    if (arena) {
++        PORT_FreeArena(arena, PR_TRUE);
++    }
++    return NULL;
++}
+diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h
+--- a/lib/pk11wrap/pk11pub.h
++++ b/lib/pk11wrap/pk11pub.h
+@@ -554,16 +554,19 @@ SECStatus PK11_ImportEncryptedPrivateKey
+                SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+                PRBool isPrivate, KeyType type, 
+                unsigned int usage, void *wincx);
+ SECStatus PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, 
+                SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, 
+                SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+                PRBool isPrivate, KeyType type, 
+                unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
++SECItem *PK11_ExportDERPrivateKeyInfo(SECKEYPrivateKey *pk, void *wincx);
++SECKEYPrivateKeyInfo *PK11_ExportPrivKeyInfo(
++               SECKEYPrivateKey *pk, void *wincx);
+ SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
+                CERTCertificate *cert, void *wincx);
+ SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivKeyInfo(
+                PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
+                SECKEYPrivateKey *pk, int iteration, void *wincx);
+ SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
+                PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
+                CERTCertificate *cert, int iteration, void *wincx);