OLD | NEW |
1 /* | 1 /* |
2 * Platform specific crypto wrappers | 2 * Platform specific crypto wrappers |
3 * | 3 * |
4 * ***** BEGIN LICENSE BLOCK ***** | 4 * ***** BEGIN LICENSE BLOCK ***** |
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 | 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 |
6 * | 6 * |
7 * The contents of this file are subject to the Mozilla Public License Version | 7 * The contents of this file are subject to the Mozilla Public License Version |
8 * 1.1 (the "License"); you may not use this file except in compliance with | 8 * 1.1 (the "License"); you may not use this file except in compliance with |
9 * the License. You may obtain a copy of the License at | 9 * the License. You may obtain a copy of the License at |
10 * http://www.mozilla.org/MPL/ | 10 * http://www.mozilla.org/MPL/ |
(...skipping 242 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
253 } | 253 } |
254 if (!CryptSetHashParam(hHash, HP_HASHVAL, (BYTE*)hashItem.data, 0)) { | 254 if (!CryptSetHashParam(hHash, HP_HASHVAL, (BYTE*)hashItem.data, 0)) { |
255 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 255 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
256 goto done; | 256 goto done; |
257 } | 257 } |
258 if (!CryptSignHash(hHash, keySpec, NULL, CRYPT_NOHASHOID, | 258 if (!CryptSignHash(hHash, keySpec, NULL, CRYPT_NOHASHOID, |
259 NULL, &signatureLen) || signatureLen == 0) { | 259 NULL, &signatureLen) || signatureLen == 0) { |
260 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 260 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
261 goto done; | 261 goto done; |
262 } | 262 } |
263 buf->len = signatureLen; | |
264 buf->data = (unsigned char *)PORT_Alloc(signatureLen); | 263 buf->data = (unsigned char *)PORT_Alloc(signatureLen); |
265 if (!buf->data) | 264 if (!buf->data) |
266 goto done; /* error code was set. */ | 265 goto done; /* error code was set. */ |
267 | 266 |
268 if (!CryptSignHash(hHash, keySpec, NULL, CRYPT_NOHASHOID, | 267 if (!CryptSignHash(hHash, keySpec, NULL, CRYPT_NOHASHOID, |
269 (BYTE*)buf->data, &signatureLen)) { | 268 (BYTE*)buf->data, &signatureLen)) { |
270 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 269 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
271 goto done; | 270 goto done; |
272 } | 271 } |
| 272 buf->len = signatureLen; |
273 | 273 |
274 /* CryptoAPI signs in little-endian, so reverse */ | 274 /* CryptoAPI signs in little-endian, so reverse */ |
275 for (i = 0; i < buf->len / 2; ++i) { | 275 for (i = 0; i < buf->len / 2; ++i) { |
276 unsigned char tmp = buf->data[i]; | 276 unsigned char tmp = buf->data[i]; |
277 buf->data[i] = buf->data[buf->len - 1 - i]; | 277 buf->data[i] = buf->data[buf->len - 1 - i]; |
278 buf->data[buf->len - 1 - i] = tmp; | 278 buf->data[buf->len - 1 - i] = tmp; |
279 } | 279 } |
280 if (doDerEncode) { | 280 if (doDerEncode) { |
281 SECItem derSig = {siBuffer, NULL, 0}; | 281 SECItem derSig = {siBuffer, NULL, 0}; |
282 | 282 |
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
417 /* SecKeyGetBlockSize wasn't addeded until OS X 10.6 - but the | 417 /* SecKeyGetBlockSize wasn't addeded until OS X 10.6 - but the |
418 * needed information is readily available on the key itself. | 418 * needed information is readily available on the key itself. |
419 */ | 419 */ |
420 signatureLen = (cssmKey->KeyHeader.LogicalKeySizeInBits + 7) / 8; | 420 signatureLen = (cssmKey->KeyHeader.LogicalKeySizeInBits + 7) / 8; |
421 | 421 |
422 if (signatureLen == 0) { | 422 if (signatureLen == 0) { |
423 PORT_SetError(SEC_ERROR_INVALID_KEY); | 423 PORT_SetError(SEC_ERROR_INVALID_KEY); |
424 goto done; | 424 goto done; |
425 } | 425 } |
426 | 426 |
427 buf->len = signatureLen; | |
428 buf->data = (unsigned char *)PORT_Alloc(signatureLen); | 427 buf->data = (unsigned char *)PORT_Alloc(signatureLen); |
429 if (!buf->data) | 428 if (!buf->data) |
430 goto done; /* error code was set. */ | 429 goto done; /* error code was set. */ |
431 | 430 |
432 sigAlg = cssmKey->KeyHeader.AlgorithmId; | 431 sigAlg = cssmKey->KeyHeader.AlgorithmId; |
433 switch (sigAlg) { | 432 switch (sigAlg) { |
434 case CSSM_ALGID_RSA: | 433 case CSSM_ALGID_RSA: |
435 hashData.Data = hash->md5; | 434 hashData.Data = hash->md5; |
436 hashData.Length = sizeof(SSL3Hashes); | 435 hashData.Length = sizeof(SSL3Hashes); |
437 break; | 436 break; |
(...skipping 17 matching lines...) Expand all Loading... |
455 * you can prevent the UI by setting the provider handle on the | 454 * you can prevent the UI by setting the provider handle on the |
456 * certificate to be opened with CRYPT_SILENT, but is there an equivalent? | 455 * certificate to be opened with CRYPT_SILENT, but is there an equivalent? |
457 */ | 456 */ |
458 status = SecKeyGetCredentials(key, CSSM_ACL_AUTHORIZATION_SIGN, | 457 status = SecKeyGetCredentials(key, CSSM_ACL_AUTHORIZATION_SIGN, |
459 kSecCredentialTypeDefault, &cssmCreds); | 458 kSecCredentialTypeDefault, &cssmCreds); |
460 if (status != noErr) { | 459 if (status != noErr) { |
461 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 460 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
462 goto done; | 461 goto done; |
463 } | 462 } |
464 | 463 |
465 signatureData.Length = buf->len; | 464 signatureData.Length = signatureLen; |
466 signatureData.Data = (uint8*)buf->data; | 465 signatureData.Data = (uint8*)buf->data; |
467 | 466 |
468 cssmRv = CSSM_CSP_CreateSignatureContext(cspHandle, sigAlg, cssmCreds, | 467 cssmRv = CSSM_CSP_CreateSignatureContext(cspHandle, sigAlg, cssmCreds, |
469 cssmKey, &cssmSignature); | 468 cssmKey, &cssmSignature); |
470 if (cssmRv) { | 469 if (cssmRv) { |
471 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 470 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
472 goto done; | 471 goto done; |
473 } | 472 } |
474 | 473 |
475 /* See "Apple Cryptographic Service Provider Functional Specification" */ | 474 /* See "Apple Cryptographic Service Provider Functional Specification" */ |
476 if (cssmKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA) { | 475 if (cssmKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA) { |
477 /* To set RSA blinding for RSA keys */ | 476 /* To set RSA blinding for RSA keys */ |
478 CSSM_CONTEXT_ATTRIBUTE blindingAttr; | 477 CSSM_CONTEXT_ATTRIBUTE blindingAttr; |
479 blindingAttr.AttributeType = CSSM_ATTRIBUTE_RSA_BLINDING; | 478 blindingAttr.AttributeType = CSSM_ATTRIBUTE_RSA_BLINDING; |
480 blindingAttr.AttributeLength = sizeof(uint32); | 479 blindingAttr.AttributeLength = sizeof(uint32); |
481 blindingAttr.Attribute.Uint32 = 1; | 480 blindingAttr.Attribute.Uint32 = 1; |
482 cssmRv = CSSM_UpdateContextAttributes(cssmSignature, 1, &blindingAttr); | 481 cssmRv = CSSM_UpdateContextAttributes(cssmSignature, 1, &blindingAttr); |
483 if (cssmRv) { | 482 if (cssmRv) { |
484 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 483 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
485 goto done; | 484 goto done; |
486 } | 485 } |
487 } | 486 } |
488 | 487 |
489 cssmRv = CSSM_SignData(cssmSignature, &hashData, 1, CSSM_ALGID_NONE, | 488 cssmRv = CSSM_SignData(cssmSignature, &hashData, 1, CSSM_ALGID_NONE, |
490 &signatureData); | 489 &signatureData); |
491 if (cssmRv) { | 490 if (cssmRv) { |
492 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); | 491 ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE); |
493 goto done; | 492 goto done; |
494 } | 493 } |
| 494 buf->len = signatureData.Length; |
495 | 495 |
496 if (doDerEncode) { | 496 if (doDerEncode) { |
497 SECItem derSig = {siBuffer, NULL, 0}; | 497 SECItem derSig = {siBuffer, NULL, 0}; |
498 | 498 |
499 /* This also works for an ECDSA signature */ | 499 /* This also works for an ECDSA signature */ |
500 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); | 500 rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len); |
501 if (rv == SECSuccess) { | 501 if (rv == SECSuccess) { |
502 PORT_Free(buf->data); /* discard unencoded signature. */ | 502 PORT_Free(buf->data); /* discard unencoded signature. */ |
503 *buf = derSig; /* give caller encoded signature. */ | 503 *buf = derSig; /* give caller encoded signature. */ |
504 } else if (derSig.data) { | 504 } else if (derSig.data) { |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
552 SECStatus | 552 SECStatus |
553 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, | 553 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf, |
554 PRBool isTLS) | 554 PRBool isTLS) |
555 { | 555 { |
556 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); | 556 PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
557 return SECFailure; | 557 return SECFailure; |
558 } | 558 } |
559 #endif | 559 #endif |
560 | 560 |
561 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 561 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
OLD | NEW |