Chromium Code Reviews Chromium Code Reviews
Issue 295043002:
Add RSA-OAEP support from upstream NSS bugs 1009794 and 1009785 (Closed)
Base URL: http://src.chromium.org/svn/trunk/deps/third_party/nss| OLD | NEW |
|---|---|
| 1 /* This Source Code Form is subject to the terms of the Mozilla Public | 1 /* This Source Code Form is subject to the terms of the Mozilla Public |
| 2 * License, v. 2.0. If a copy of the MPL was not distributed with this | 2 * License, v. 2.0. If a copy of the MPL was not distributed with this |
| 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| 4 /* | 4 /* |
| 5 * This file manages object type indepentent functions. | 5 * This file manages object type indepentent functions. |
| 6 */ | 6 */ |
| 7 #include "seccomon.h" | 7 #include "seccomon.h" |
| 8 #include "secmod.h" | 8 #include "secmod.h" |
| 9 #include "secmodi.h" | 9 #include "secmodi.h" |
| 10 #include "secmodti.h" | 10 #include "secmodti.h" |
| (...skipping 896 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 907 if (haslock) PK11_ExitSlotMonitor(slot); | 907 if (haslock) PK11_ExitSlotMonitor(slot); |
| 908 pk11_CloseSession(slot,session,owner); | 908 pk11_CloseSession(slot,session,owner); |
| 909 *outLen = len; | 909 *outLen = len; |
| 910 if (crv != CKR_OK) { | 910 if (crv != CKR_OK) { |
| 911 PORT_SetError( PK11_MapError(crv) ); | 911 PORT_SetError( PK11_MapError(crv) ); |
| 912 return SECFailure; | 912 return SECFailure; |
| 913 } | 913 } |
| 914 return SECSuccess; | 914 return SECSuccess; |
| 915 } | 915 } |
| 916 | 916 |
| 917 /* | |
| 918 * Now SSL 2.0 uses raw RSA stuff. These next to functions *must* use | |
| 919 * RSA keys, or they'll fail. We do the checks up front. If anyone comes | |
| 920 * up with a meaning for rawdecrypt for any other public key operation, | |
| 921 * then we need to move this check into some of PK11_PubDecrypt callers, | |
| 922 * (namely SSL 2.0). | |
| 923 */ | |
| 924 static SECStatus | 917 static SECStatus |
| 925 pk11_PrivDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, | 918 pk11_PrivDecryptRaw(SECKEYPrivateKey *key, |
| 926 » unsigned *outLen, unsigned int maxLen, unsigned char *enc, | 919 unsigned char *data, unsigned *outLen, unsigned int maxLen, |
| 927 » » » » unsigned encLen, CK_MECHANISM_PTR mech) | 920 const unsigned char *enc, unsigned encLen, |
| 921 CK_MECHANISM_PTR mech) | |
| 928 { | 922 { |
| 929 PK11SlotInfo *slot = key->pkcs11Slot; | 923 PK11SlotInfo *slot = key->pkcs11Slot; |
| 930 CK_ULONG out = maxLen; | 924 CK_ULONG out = maxLen; |
| 931 PRBool owner = PR_TRUE; | 925 PRBool owner = PR_TRUE; |
| 932 CK_SESSION_HANDLE session; | 926 CK_SESSION_HANDLE session; |
| 933 PRBool haslock = PR_FALSE; | 927 PRBool haslock = PR_FALSE; |
| 934 CK_RV crv; | 928 CK_RV crv; |
| 935 | 929 |
| 936 if (key->keyType != rsaKey) { | 930 if (key->keyType != rsaKey) { |
| 937 PORT_SetError( SEC_ERROR_INVALID_KEY ); | 931 PORT_SetError( SEC_ERROR_INVALID_KEY ); |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 953 if (haslock) PK11_ExitSlotMonitor(slot); | 947 if (haslock) PK11_ExitSlotMonitor(slot); |
| 954 pk11_CloseSession(slot,session,owner); | 948 pk11_CloseSession(slot,session,owner); |
| 955 PORT_SetError( PK11_MapError(crv) ); | 949 PORT_SetError( PK11_MapError(crv) ); |
| 956 return SECFailure; | 950 return SECFailure; |
| 957 } | 951 } |
| 958 | 952 |
| 959 /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then | 953 /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then |
| 960 * do C_Login with CKU_CONTEXT_SPECIFIC | 954 * do C_Login with CKU_CONTEXT_SPECIFIC |
| 961 * between C_DecryptInit and C_Decrypt | 955 * between C_DecryptInit and C_Decrypt |
| 962 * ... But see note above about servers */ | 956 * ... But see note above about servers */ |
| 963 if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { | 957 if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { |
| 964 PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); | 958 PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); |
| 965 } | 959 } |
| 966 | 960 |
| 967 crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out); | 961 crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen, |
| 962 » » » » data, &out); | |
| 968 if (haslock) PK11_ExitSlotMonitor(slot); | 963 if (haslock) PK11_ExitSlotMonitor(slot); |
| 969 pk11_CloseSession(slot,session,owner); | 964 pk11_CloseSession(slot,session,owner); |
| 970 *outLen = out; | 965 *outLen = out; |
| 971 if (crv != CKR_OK) { | 966 if (crv != CKR_OK) { |
| 972 PORT_SetError( PK11_MapError(crv) ); | 967 PORT_SetError( PK11_MapError(crv) ); |
| 973 return SECFailure; | 968 return SECFailure; |
| 974 } | 969 } |
| 975 return SECSuccess; | 970 return SECSuccess; |
| 976 } | 971 } |
| 977 | 972 |
| 978 SECStatus | 973 SECStatus |
| 979 PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, | 974 PK11_PubDecryptRaw(SECKEYPrivateKey *key, |
| 980 » unsigned *outLen, unsigned int maxLen, unsigned char *enc, | 975 unsigned char *data, unsigned *outLen, unsigned int maxLen, |
| 981 » » » » unsigned encLen) | 976 const unsigned char *enc, unsigned encLen) |
| 982 { | 977 { |
| 983 CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; | 978 CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; |
| 984 return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); | 979 return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); |
| 985 } | 980 } |
| 986 | 981 |
| 987 SECStatus | 982 SECStatus |
| 988 PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, unsigned char *data, | 983 PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, |
| 989 » unsigned *outLen, unsigned int maxLen, unsigned char *enc, | 984 unsigned char *data, unsigned *outLen, unsigned int maxLen , |
| 990 » » » » unsigned encLen) | 985 const unsigned char *enc, unsigned encLen) |
| 991 { | 986 { |
| 992 CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; | 987 CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; |
| 993 return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); | 988 return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); |
| 994 } | 989 } |
| 995 | 990 |
| 996 static SECStatus | 991 static SECStatus |
| 997 pk11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc, | 992 pk11_PubEncryptRaw(SECKEYPublicKey *key, |
| 998 » » unsigned char *data, unsigned dataLen, | 993 unsigned char *out, unsigned int *outLen, |
| 999 » » CK_MECHANISM_PTR mech, void *wincx) | 994 unsigned int maxLen, |
| 995 const unsigned char *data, unsigned dataLen, | |
| 996 CK_MECHANISM_PTR mech, void *wincx) | |
| 1000 { | 997 { |
| 1001 PK11SlotInfo *slot; | 998 PK11SlotInfo *slot; |
| 1002 CK_OBJECT_HANDLE id; | 999 CK_OBJECT_HANDLE id; |
| 1003 CK_ULONG out; | 1000 CK_ULONG len = maxLen; |
| 1004 PRBool owner = PR_TRUE; | 1001 PRBool owner = PR_TRUE; |
| 1005 CK_SESSION_HANDLE session; | 1002 CK_SESSION_HANDLE session; |
| 1006 CK_RV crv; | 1003 CK_RV crv; |
| 1007 | 1004 |
| 1008 if (!key || key->keyType != rsaKey) { | |
| 1009 PORT_SetError( SEC_ERROR_BAD_KEY ); | |
| 1010 return SECFailure; | |
| 1011 } | |
| 1012 out = SECKEY_PublicKeyStrength(key); | |
| 1013 | |
| 1014 slot = PK11_GetBestSlotWithAttributes(mech->mechanism,CKF_ENCRYPT,0,wincx); | 1005 slot = PK11_GetBestSlotWithAttributes(mech->mechanism,CKF_ENCRYPT,0,wincx); |
| 1015 if (slot == NULL) { | 1006 if (slot == NULL) { |
| 1016 PORT_SetError( SEC_ERROR_NO_MODULE ); | 1007 PORT_SetError( SEC_ERROR_NO_MODULE ); |
| 1017 return SECFailure; | 1008 return SECFailure; |
| 1018 } | 1009 } |
| 1019 | 1010 |
| 1020 id = PK11_ImportPublicKey(slot,key,PR_FALSE); | 1011 id = PK11_ImportPublicKey(slot,key,PR_FALSE); |
| 1021 | 1012 |
| 1022 if (id == CK_INVALID_HANDLE) { | 1013 if (id == CK_INVALID_HANDLE) { |
| 1023 PK11_FreeSlot(slot); | 1014 PK11_FreeSlot(slot); |
| 1024 PORT_SetError( SEC_ERROR_BAD_KEY ); | 1015 PORT_SetError( SEC_ERROR_BAD_KEY ); |
| 1025 return SECFailure; | 1016 return SECFailure; |
| 1026 } | 1017 } |
| 1027 | 1018 |
| 1028 session = pk11_GetNewSession(slot,&owner); | 1019 session = pk11_GetNewSession(slot,&owner); |
| 1029 if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); | 1020 if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); |
| 1030 crv = PK11_GETTAB(slot)->C_EncryptInit(session, mech, id); | 1021 crv = PK11_GETTAB(slot)->C_EncryptInit(session, mech, id); |
| 1031 if (crv != CKR_OK) { | 1022 if (crv != CKR_OK) { |
| 1032 if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); | 1023 if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); |
| 1033 pk11_CloseSession(slot,session,owner); | 1024 pk11_CloseSession(slot,session,owner); |
| 1034 PK11_FreeSlot(slot); | 1025 PK11_FreeSlot(slot); |
| 1035 PORT_SetError( PK11_MapError(crv) ); | 1026 PORT_SetError( PK11_MapError(crv) ); |
| 1036 return SECFailure; | 1027 return SECFailure; |
| 1037 } | 1028 } |
| 1038 crv = PK11_GETTAB(slot)->C_Encrypt(session,data,dataLen,enc,&out); | 1029 crv = PK11_GETTAB(slot)->C_Encrypt(session,(unsigned char *)data,dataLen, |
| 1030 » » » » out,&len); | |
| 1039 if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); | 1031 if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); |
| 1040 pk11_CloseSession(slot,session,owner); | 1032 pk11_CloseSession(slot,session,owner); |
| 1041 PK11_FreeSlot(slot); | 1033 PK11_FreeSlot(slot); |
| 1034 *outLen = len; | |
| 1042 if (crv != CKR_OK) { | 1035 if (crv != CKR_OK) { |
| 1043 PORT_SetError( PK11_MapError(crv) ); | 1036 PORT_SetError( PK11_MapError(crv) ); |
| 1044 return SECFailure; | 1037 return SECFailure; |
| 1045 } | 1038 } |
| 1046 return SECSuccess; | 1039 return SECSuccess; |
| 1047 } | 1040 } |
| 1048 | 1041 |
| 1049 SECStatus | 1042 SECStatus |
| 1050 PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc, | 1043 PK11_PubEncryptRaw(SECKEYPublicKey *key, |
| 1051 » » unsigned char *data, unsigned dataLen, void *wincx) | 1044 unsigned char *enc, |
| 1045 const unsigned char *data, unsigned dataLen, | |
| 1046 void *wincx) | |
| 1052 { | 1047 { |
| 1053 CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; | 1048 CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; |
| 1054 return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx); | 1049 unsigned int outLen; |
| 1050 if (!key || key->keyType != rsaKey) { | |
| 1051 » PORT_SetError(SEC_ERROR_BAD_KEY); | |
| 1052 » return SECFailure; | |
| 1053 } | |
| 1054 outLen = SECKEY_PublicKeyStrength(key); | |
| 1055 return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech, | |
| 1056 wincx); | |
| 1055 } | 1057 } |
| 1056 | 1058 |
| 1057 SECStatus | 1059 SECStatus |
| 1058 PK11_PubEncryptPKCS1(SECKEYPublicKey *key, unsigned char *enc, | 1060 PK11_PubEncryptPKCS1(SECKEYPublicKey *key, |
| 1059 » » unsigned char *data, unsigned dataLen, void *wincx) | 1061 unsigned char *enc, |
| 1062 const unsigned char *data, unsigned dataLen, | |
| 1063 void *wincx) | |
| 1060 { | 1064 { |
| 1061 CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; | 1065 CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 }; |
| 1062 return pk11_PubEncryptRaw(key, enc, data, dataLen, &mech, wincx); | 1066 unsigned int outLen; |
| 1067 if (!key || key->keyType != rsaKey) { | |
|
wtc
2014/05/20 19:25:57
It seems that we lost the key type checks in the n
Ryan Sleevi
2014/05/20 21:19:14
This was intentional.
I wanted PK11_PubEncrypt an
| |
| 1068 » PORT_SetError(SEC_ERROR_BAD_KEY); | |
| 1069 » return SECFailure; | |
| 1070 } | |
| 1071 outLen = SECKEY_PublicKeyStrength(key); | |
| 1072 return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech, | |
| 1073 wincx); | |
| 1074 } | |
| 1075 | |
| 1076 SECStatus | |
| 1077 PK11_PrivDecrypt(SECKEYPrivateKey *key, | |
| 1078 CK_MECHANISM_TYPE mechanism, SECItem *param, | |
| 1079 unsigned char *out, unsigned int *outLen, | |
| 1080 unsigned int maxLen, | |
| 1081 const unsigned char *enc, unsigned encLen) | |
| 1082 { | |
| 1083 CK_MECHANISM mech = { mechanism, NULL, 0 }; | |
| 1084 if (param) { | |
| 1085 mech.pParameter = param->data; | |
| 1086 mech.ulParameterLen = param->len; | |
| 1087 } | |
| 1088 return pk11_PrivDecryptRaw(key, out, outLen, maxLen, enc, encLen, &mech); | |
| 1089 } | |
| 1090 | |
| 1091 SECStatus | |
| 1092 PK11_PubEncrypt(SECKEYPublicKey *key, | |
| 1093 CK_MECHANISM_TYPE mechanism, SECItem *param, | |
| 1094 unsigned char *out, unsigned int *outLen, | |
| 1095 unsigned int maxLen, | |
| 1096 const unsigned char *data, unsigned dataLen, | |
| 1097 void *wincx) | |
| 1098 { | |
| 1099 CK_MECHANISM mech = { mechanism, NULL, 0 }; | |
| 1100 if (param) { | |
| 1101 mech.pParameter = param->data; | |
| 1102 mech.ulParameterLen = param->len; | |
| 1103 } | |
| 1104 return pk11_PubEncryptRaw(key, out, outLen, maxLen, data, dataLen, &mech, | |
| 1105 wincx); | |
| 1063 } | 1106 } |
| 1064 | 1107 |
| 1065 SECKEYPrivateKey * | 1108 SECKEYPrivateKey * |
| 1066 PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, | 1109 PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, |
| 1067 CK_MECHANISM_TYPE wrapType, SECItem *param, | 1110 CK_MECHANISM_TYPE wrapType, SECItem *param, |
| 1068 SECItem *wrappedKey, SECItem *label, | 1111 SECItem *wrappedKey, SECItem *label, |
| 1069 SECItem *idValue, PRBool perm, PRBool sensitive, | 1112 SECItem *idValue, PRBool perm, PRBool sensitive, |
| 1070 CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, | 1113 CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, |
| 1071 int usageCount, void *wincx) | 1114 int usageCount, void *wincx) |
| 1072 { | 1115 { |
| (...skipping 899 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1972 PORT_SetError( PK11_MapError(crv) ); | 2015 PORT_SetError( PK11_MapError(crv) ); |
| 1973 return NULL; | 2016 return NULL; |
| 1974 } | 2017 } |
| 1975 | 2018 |
| 1976 item->data = (unsigned char*) theTemplate[0].pValue; | 2019 item->data = (unsigned char*) theTemplate[0].pValue; |
| 1977 item->len =theTemplate[0].ulValueLen; | 2020 item->len =theTemplate[0].ulValueLen; |
| 1978 | 2021 |
| 1979 return item; | 2022 return item; |
| 1980 } | 2023 } |
| 1981 | 2024 |
| OLD | NEW |
