/* * before we do a private key op, we check to see if we * need to reauthenticate. */ void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx) { int askpw = slot->askpw; PRBool NeedAuth = PR_FALSE; if (!slot->needLogin) return; if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); if (def_slot) { askpw = def_slot->askpw; PK11_FreeSlot(def_slot); } } /* timeouts are handled by isLoggedIn */ if (!PK11_IsLoggedIn(slot,wincx)) { NeedAuth = PR_TRUE; } else if (askpw == -1) { if (!PK11_Global.inTransaction || (PK11_Global.transaction != slot->authTransact)) { PK11_EnterSlotMonitor(slot); PK11_GETTAB(slot)->C_Logout(slot->session); slot->lastLoginCheck = 0; PK11_ExitSlotMonitor(slot); NeedAuth = PR_TRUE; } } if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx); }
/* Add the server's certificate to our database of trusted servers. */ static SECStatus trustNewServer (CERTCertificate *serverCert) { SECStatus secStatus; CERTCertTrust *trust = NULL; PK11SlotInfo *slot; /* Import the certificate. */ slot = PK11_GetInternalKeySlot();; secStatus = PK11_ImportCert(slot, serverCert, CK_INVALID_HANDLE, "stap-server", PR_FALSE); if (secStatus != SECSuccess) goto done; /* Make it a trusted peer. */ trust = (CERTCertTrust *)PORT_ZAlloc(sizeof(CERTCertTrust)); if (! trust) { secStatus = SECFailure; goto done; } secStatus = CERT_DecodeTrustString(trust, "P,P,P"); if (secStatus != SECSuccess) goto done; secStatus = CERT_ChangeCertTrust(CERT_GetDefaultCertDB(), serverCert, trust); if (secStatus != SECSuccess) goto done; done: if (trust) PORT_Free(trust); return secStatus; }
/** * xmlSecNssGetInternalKeySlot: * * Gets internal NSS key slot. * * Returns: internal key slot and initializes it if needed. */ PK11SlotInfo * xmlSecNssGetInternalKeySlot() { PK11SlotInfo *slot = NULL; SECStatus rv; slot = PK11_GetInternalKeySlot(); if (slot == NULL) { xmlSecNssError("PK11_GetInternalKeySlot", NULL); return NULL; } if (PK11_NeedUserInit(slot)) { rv = PK11_InitPin(slot, NULL, NULL); if (rv != SECSuccess) { xmlSecNssError("PK11_InitPin", NULL); return NULL; } } if(PK11_IsLoggedIn(slot, NULL) != PR_TRUE) { rv = PK11_Authenticate(slot, PR_TRUE, NULL); if (rv != SECSuccess) { xmlSecNssError2("PK11_Authenticate", NULL, "token=%s", xmlSecErrorsSafeString(PK11_GetTokenName(slot))); return NULL; } } return(slot); }
NS_IMETHODIMP nsNSSCertificateDB::ExportPKCS12File(nsISupports *aToken, nsILocalFile *aFile, PRUint32 count, nsIX509Cert **certs) //const PRUnichar **aCertNames) { nsNSSShutDownPreventionLock locker; NS_ENSURE_ARG(aFile); nsPKCS12Blob blob; if (count == 0) return NS_OK; nsCOMPtr<nsIPK11Token> localRef; if (!aToken) { PK11SlotInfo *keySlot = PK11_GetInternalKeySlot(); NS_ASSERTION(keySlot,"Failed to get the internal key slot"); localRef = new nsPK11Token(keySlot); PK11_FreeSlot(keySlot); } else { localRef = do_QueryInterface(aToken); } blob.SetToken(localRef); //blob.LoadCerts(aCertNames, count); //return blob.ExportToFile(aFile); return blob.ExportToFile(aFile, certs, count); }
char *oauth_body_hash_data(size_t length, const char *data) { PK11SlotInfo *slot = NULL; PK11Context *context = NULL; unsigned char digest[20]; // Is there a way to tell how large the output is? unsigned int len; SECStatus s; char *rv=NULL; oauth_init_nss(); slot = PK11_GetInternalKeySlot(); if (!slot) goto looser; context = PK11_CreateDigestContext(SEC_OID_SHA1); if (!context) goto looser; s = PK11_DigestBegin(context); if (s != SECSuccess) goto looser; s = PK11_DigestOp(context, (unsigned char*) data, length); if (s != SECSuccess) goto looser; s = PK11_DigestFinal(context, digest, &len, sizeof digest); if (s != SECSuccess) goto looser; unsigned char *dgst = xmalloc(len*sizeof(char)); // oauth_body_hash_encode frees the digest.. memcpy(dgst, digest, len); rv=oauth_body_hash_encode(len, dgst); looser: if (context) PK11_DestroyContext(context, PR_TRUE); if (slot) PK11_FreeSlot(slot); return rv; }
char *oauth_sign_rsa_sha1 (const char *m, const char *k) { PK11SlotInfo *slot = NULL; SECKEYPrivateKey *pkey = NULL; SECItem signature; SECStatus s; SECItem der; char *rv=NULL; char *key = oauth_strip_pkcs(k, NS_PRIV_HEADER, NS_PRIV_TRAILER); if (!key) return NULL; oauth_init_nss(); slot = PK11_GetInternalKeySlot(); if (!slot) goto looser; s = ATOB_ConvertAsciiToItem(&der, key); if (s != SECSuccess) goto looser; s = PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &der, NULL, NULL, PR_FALSE, PR_TRUE, KU_ALL, &pkey, NULL); SECITEM_FreeItem(&der, PR_FALSE); if (s != SECSuccess) goto looser; if (!pkey) goto looser; if (pkey->keyType != rsaKey) goto looser; s = SEC_SignData(&signature, (unsigned char*) m, strlen(m), pkey, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE); if (s != SECSuccess) goto looser; rv=oauth_encode_base64(signature.len, signature.data); SECITEM_FreeItem(&signature, PR_FALSE); looser: if (pkey) SECKEY_DestroyPrivateKey(pkey); if (slot) PK11_FreeSlot(slot); free(key); return rv; }
/************************************************************************ * * I n i t P W */ Error InitPW(void) { PK11SlotInfo *slot; Error ret = UNSPECIFIED_ERR; slot = PK11_GetInternalKeySlot(); if (!slot) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal"); return NO_SUCH_TOKEN_ERR; } /* Set the initial password to empty */ if (PK11_NeedUserInit(slot)) { if (PK11_InitPin(slot, NULL, "") != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]); ret = INITPW_FAILED_ERR; goto loser; } } ret = SUCCESS; loser: PK11_FreeSlot(slot); return ret; }
nsresult KeyService::Init() { // Bring up psm nsCOMPtr<nsISupports> nss = do_GetService("@mozilla.org/psm;1"); SECStatus sv; mSlot = PK11_GetInternalKeySlot(); if (PK11_NeedUserInit(mSlot)) { NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(mSlot)); nsCOMPtr<nsITokenPasswordDialogs> dialogs; dialogs = do_GetService(NS_TOKENPASSWORDSDIALOG_CONTRACTID); if (!dialogs) return NS_ERROR_FAILURE; PRBool cancelled; nsresult rv = dialogs->SetPassword(nsnull, tokenName.get(), &cancelled); NS_ENSURE_SUCCESS(rv, rv); if (cancelled) return NS_ERROR_FAILURE; } if (PK11_NeedLogin(mSlot)) { sv = PK11_Authenticate(mSlot, PR_TRUE, NULL); if (sv != SECSuccess) return NS_ERROR_FAILURE; } return NS_OK; }
// Set up the context for the soft U2F Token. This is called by NSS // initialization. nsresult U2FSoftTokenManager::Init() { // If we've already initialized, just return. if (mInitialized) { return NS_OK; } nsNSSShutDownPreventionLock locker; if (NS_WARN_IF(isAlreadyShutDown())) { return NS_ERROR_NOT_AVAILABLE; } UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); MOZ_ASSERT(slot.get()); // Search for an existing wrapping key, or create one. nsresult rv = GetOrCreateWrappingKey(slot, locker); if (NS_WARN_IF(NS_FAILED(rv))) { return rv; } mInitialized = true; MOZ_LOG(gNSSTokenLog, LogLevel::Debug, ("U2F Soft Token initialized.")); return NS_OK; }
CryptoRc4 crypto_rc4_init(uint8 * key, uint32 len) { CryptoRc4 rc4 = xmalloc(sizeof(*rc4)); CK_MECHANISM_TYPE cipherMech = CKM_RC4; PK11SlotInfo* slot = PK11_GetInternalKeySlot(); ASSERT(slot); SECItem keyItem; keyItem.type = siBuffer; keyItem.data = key; keyItem.len = len; PK11SymKey* symKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, NULL); ASSERT(symKey); SECItem* secParam = PK11_ParamFromIV(cipherMech, NULL); ASSERT(secParam); rc4->context = PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, symKey, secParam); ASSERT(rc4->context); PK11_FreeSymKey(symKey); SECITEM_FreeItem(secParam, PR_TRUE); PK11_FreeSlot(slot); return rc4; }
PRBool PK11_NeedPWInit() { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); PRBool ret = PK11_NeedPWInitForSlot(slot); PK11_FreeSlot(slot); return ret; }
SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions) { CERTSignedCrl *crl = NULL; SECItem crlDER; PK11SlotInfo* slot = NULL; int rv; #if defined(DEBUG_jp96085) PRIntervalTime starttime, endtime, elapsed; PRUint32 mins, secs, msecs; #endif crlDER.data = NULL; /* Read in the entire file specified with the -f argument */ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE); if (rv != SECSuccess) { SECU_PrintError(progName, "unable to read input file"); return (SECFailure); } decodeOptions |= CRL_DECODE_DONT_COPY_DER; slot = PK11_GetInternalKeySlot(); #if defined(DEBUG_jp96085) starttime = PR_IntervalNow(); #endif crl = PK11_ImportCRL(slot, &crlDER, url, type, NULL, importOptions, NULL, decodeOptions); #if defined(DEBUG_jp96085) endtime = PR_IntervalNow(); elapsed = endtime - starttime; mins = PR_IntervalToSeconds(elapsed) / 60; secs = PR_IntervalToSeconds(elapsed) % 60; msecs = PR_IntervalToMilliseconds(elapsed) % 1000; printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs); #endif if (!crl) { const char *errString; rv = SECFailure; errString = SECU_Strerror(PORT_GetError()); if ( errString && PORT_Strlen (errString) == 0) SECU_PrintError (progName, "CRL is not imported (error: input CRL is not up to date.)"); else SECU_PrintError (progName, "unable to import CRL"); } else { SEC_DestroyCrl (crl); } if (slot) { PK11_FreeSlot(slot); } return (rv); }
/* From crl.c */ CERTSignedCrl * CERT_ImportCRL (CERTCertDBHandle *handle, SECItem *derCRL, char *url, int type, void *wincx) { CERTSignedCrl* retCrl = NULL; PK11SlotInfo* slot = PK11_GetInternalKeySlot(); retCrl = PK11_ImportCRL(slot, derCRL, url, type, wincx, CRL_IMPORT_DEFAULT_OPTIONS, NULL, CRL_DECODE_DEFAULT_OPTIONS); PK11_FreeSlot(slot); return retCrl; }
sxi_hmac_sha1_ctx *sxi_hmac_sha1_init() { sxi_hmac_sha1_ctx *ctx = calloc(1, sizeof(*ctx)); if (!ctx) return NULL; ctx->slot = PK11_GetInternalKeySlot(); if (!ctx->slot) { free(ctx); return NULL; } return ctx; }
/*********************************************************************** * * J S S _ P K 1 1 _ w r a p P K 1 1 T o k e n * * Create a PK11Token object from a PKCS #11 slot. * * slot is a pointer to a PKCS #11 slot, which must not be NULL. It will * be eaten by the wrapper, so you can't use it after you call this. * * Returns a new PK11Token object, or NULL if an exception was thrown. */ jobject JSS_PK11_wrapPK11Token(JNIEnv *env, PK11SlotInfo **slot) { jclass tokenClass; jmethodID constructor; jbyteArray byteArray; jobject Token=NULL; jboolean internal; jboolean keyStorage; PR_ASSERT(env!=NULL && slot!=NULL && *slot!=NULL); internal = (*slot == PK11_GetInternalSlot()); keyStorage = (*slot == PK11_GetInternalKeySlot()); byteArray = JSS_ptrToByteArray(env, (void*)*slot); /* * Lookup the class and constructor */ tokenClass = (*env)->FindClass(env, PK11TOKEN_CLASS_NAME); if(tokenClass == NULL) { ASSERT_OUTOFMEM(env); goto finish; } constructor = (*env)->GetMethodID( env, tokenClass, PK11TOKEN_CONSTRUCTOR_NAME, PK11TOKEN_CONSTRUCTOR_SIG); if(constructor == NULL) { ASSERT_OUTOFMEM(env); goto finish; } /* Call the constructor */ Token = (*env)->NewObject(env, tokenClass, constructor, byteArray, internal, keyStorage); finish: if(Token==NULL) { PK11_FreeSlot(*slot); } *slot = NULL; return Token; }
static int nr_crypto_nss_hmac(UCHAR *key, int keyl, UCHAR *buf, int bufl, UCHAR *result) { CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC; PK11SlotInfo *slot = 0; MOZ_ASSERT(keyl > 0); SECItem keyi = { siBuffer, key, static_cast<unsigned int>(keyl)}; PK11SymKey *skey = 0; PK11Context *hmac_ctx = 0; SECStatus status; unsigned int hmac_len; SECItem param = { siBuffer, nullptr, 0 }; int err = R_INTERNAL; slot = PK11_GetInternalKeySlot(); if (!slot) goto abort; skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_SIGN, &keyi, nullptr); if (!skey) goto abort; hmac_ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, skey, ¶m); if (!hmac_ctx) goto abort; status = PK11_DigestBegin(hmac_ctx); if (status != SECSuccess) goto abort; status = PK11_DigestOp(hmac_ctx, buf, bufl); if (status != SECSuccess) goto abort; status = PK11_DigestFinal(hmac_ctx, result, &hmac_len, 20); if (status != SECSuccess) goto abort; MOZ_ASSERT(hmac_len == 20); err = 0; abort: if(hmac_ctx) PK11_DestroyContext(hmac_ctx, PR_TRUE); if (skey) PK11_FreeSymKey(skey); if (slot) PK11_FreeSlot(slot); return err; }
/* * This code is mostly cargo-cult taken from here: * http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html * * It should implement HMAC with the given mechanism (SHA: 1, 256, 384, 512). */ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in, struct digest_buffer *out) { SECItem param = { siBuffer, NULL, 0 }; PK11SlotInfo *slot = NULL; PK11SymKey *symkey = NULL; PK11Context *ctx = NULL; bool ret = false; SECStatus s; slot = PK11_GetBestSlot(mech, NULL); if (slot == NULL) { slot = PK11_GetInternalKeySlot(); if (slot == NULL) { goto done; } } symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_SIGN, key, NULL); if (symkey == NULL) goto done; ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, symkey, ¶m); if (ctx == NULL) goto done; s = PK11_DigestBegin(ctx); if (s != SECSuccess) goto done; s = PK11_DigestOp(ctx, in->data, in->len); if (s != SECSuccess) goto done; s = PK11_DigestFinal(ctx, out->buf, &out->len, sizeof(out->buf)); if (s != SECSuccess) goto done; ret = true; done: if (ctx != NULL) PK11_DestroyContext(ctx, PR_TRUE); if (symkey != NULL) PK11_FreeSymKey(symkey); if (slot != NULL) PK11_FreeSlot(slot); return ret; }
NS_IMETHODIMP nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token** _retval) { NS_ENSURE_ARG_POINTER(_retval); UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return NS_ERROR_FAILURE; } nsCOMPtr<nsIPK11Token> token = new nsPK11Token(slot.get()); token.forget(_retval); return NS_OK; }
/************************************************************************** * * G e n e r a t e S e l f S i g n e d O b j e c t S i g n i n g C e r t * *phew*^ * */ static CERTCertificate* GenerateSelfSignedObjectSigningCert(char *nickname, CERTCertDBHandle *db, char *subject, unsigned long serial, int keysize, char *token) { CERTCertificate * cert, *temp_cert; SECItem * derCert; CERTCertificateRequest * req; PK11SlotInfo * slot = NULL; SECKEYPrivateKey * privk = NULL; SECKEYPublicKey * pubk = NULL; if ( token ) { slot = PK11_FindSlotByName(token); } else { slot = PK11_GetInternalKeySlot(); } if (slot == NULL) { PR_fprintf(errorFD, "Can't find PKCS11 slot %s\n", token ? token : ""); errorCount++; exit (ERRX); } if ( GenerateKeyPair(slot, &pubk, &privk, keysize) != SECSuccess) { FatalError("Error generating keypair."); } req = make_cert_request (subject, pubk); temp_cert = make_cert (req, serial, &req->subject); if (set_cert_type(temp_cert, NS_CERT_TYPE_OBJECT_SIGNING | NS_CERT_TYPE_OBJECT_SIGNING_CA) != SECSuccess) { FatalError("Unable to set cert type"); } derCert = sign_cert (temp_cert, privk); cert = install_cert(db, derCert, nickname); if (ChangeTrustAttributes(db, cert, ",,uC") != SECSuccess) { FatalError("Unable to change trust on generated certificate"); } /* !!! Free memory ? !!! */ PK11_FreeSlot(slot); SECKEY_DestroyPrivateKey(privk); SECKEY_DestroyPublicKey(pubk); return cert; }
static SECStatus nss_Init_Tokens(struct connectdata * conn) { PK11SlotList *slotList; PK11SlotListElement *listEntry; SECStatus ret, status = SECSuccess; pphrase_arg_t *parg = NULL; parg = (pphrase_arg_t *) malloc(sizeof(*parg)); parg->retryCount = 0; parg->data = conn->data; PK11_SetPasswordFunc(nss_get_password); slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL); for(listEntry = PK11_GetFirstSafe(slotList); listEntry; listEntry = listEntry->next) { PK11SlotInfo *slot = listEntry->slot; if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if(slot == PK11_GetInternalKeySlot()) { failf(conn->data, "The NSS database has not been initialized.\n"); } else { failf(conn->data, "The token %s has not been initialized.", PK11_GetTokenName(slot)); } PK11_FreeSlot(slot); continue; } ret = PK11_Authenticate(slot, PR_TRUE, parg); if(SECSuccess != ret) { if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) infof(conn->data, "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); status = SECFailure; break; } parg->retryCount = 0; /* reset counter to 0 for the next token */ PK11_FreeSlot(slot); } free(parg); return status; }
/* * Get the askpw and timeout values for this slot */ void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout) { *askpw = slot->askpw; *timeout = slot->timeout; if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); if (def_slot) { *askpw = def_slot->askpw; *timeout = def_slot->timeout; PK11_FreeSlot(def_slot); } } }
/* Generate a key pair, and then generate a subjectPublicKeyInfo ** for the public key in that pair. return all 3. */ CERTSubjectPublicKeyInfo * GetSubjectPubKeyInfo(TESTKeyPair *pair) { CERTSubjectPublicKeyInfo *spki = NULL; SECKEYPrivateKey *privKey = NULL; SECKEYPublicKey *pubKey = NULL; PK11SlotInfo *keySlot = NULL; keySlot = PK11_GetInternalKeySlot(); PK11_Authenticate(keySlot, PR_FALSE, &pwdata); if (!doingDSA) { PK11RSAGenParams *rsaParams = GetRSAParams(); if (rsaParams == NULL) { PK11_FreeSlot(keySlot); return NULL; } privKey = PK11_GenerateKeyPair(keySlot, CKM_RSA_PKCS_KEY_PAIR_GEN, (void*)rsaParams, &pubKey, PR_FALSE, PR_FALSE, &pwdata); } else { PQGParams *dsaParams = GetDSAParams(); if (dsaParams == NULL) { PK11_FreeSlot(keySlot); return NULL; } privKey = PK11_GenerateKeyPair(keySlot, CKM_DSA_KEY_PAIR_GEN, (void*)dsaParams, &pubKey, PR_FALSE, PR_FALSE, &pwdata); } PK11_FreeSlot(keySlot); if (privKey == NULL || pubKey == NULL) { if (pubKey) { SECKEY_DestroyPublicKey(pubKey); } if (privKey) { SECKEY_DestroyPrivateKey(privKey); } return NULL; } spki = SECKEY_CreateSubjectPublicKeyInfo(pubKey); pair->privKey = privKey; pair->pubKey = pubKey; return spki; }
NS_IMETHODIMP nsPK11TokenDB::GetInternalKeyToken(nsIPK11Token **_retval) { nsNSSShutDownPreventionLock locker; nsresult rv = NS_OK; PK11SlotInfo *slot = 0; nsCOMPtr<nsIPK11Token> token; slot = PK11_GetInternalKeySlot(); if (!slot) { rv = NS_ERROR_FAILURE; goto done; } token = new nsPK11Token(slot); token.forget(_retval); done: if (slot) PK11_FreeSlot(slot); return rv; }
/* * Determine if the token is logged in. We have to actually query the token, * because it's state can change without intervention from us. */ PRBool PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx) { CK_SESSION_INFO sessionInfo; int askpw = slot->askpw; int timeout = slot->timeout; CK_RV crv; PRIntervalTime curTime; static PRIntervalTime login_delay_time = 0; if (login_delay_time == 0) { login_delay_time = PR_SecondsToInterval(1); } /* If we don't have our own password default values, use the system * ones */ if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); if (def_slot) { askpw = def_slot->askpw; timeout = def_slot->timeout; PK11_FreeSlot(def_slot); } } if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) && (*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; } /* forget the password if we've been inactive too long */ if (askpw == 1) { int64 currtime = PR_Now(); int64 result; int64 mult; LL_I2L(result, timeout); LL_I2L(mult, 60*1000*1000); LL_MUL(result,result,mult); LL_ADD(result, result, slot->authTime); if (LL_CMP(result, <, currtime) ) { PK11_EnterSlotMonitor(slot); PK11_GETTAB(slot)->C_Logout(slot->session); slot->lastLoginCheck = 0; PK11_ExitSlotMonitor(slot); } else {
SECStatus InitPKCS11(void) { PK11SlotInfo *keySlot; PK11_SetPasswordFunc(SECU_GetModulePassword); keySlot = PK11_GetInternalKeySlot(); if (PK11_NeedUserInit(keySlot) && PK11_NeedLogin(keySlot)) { if (SECU_ChangePW(keySlot, NULL, NULL) != SECSuccess) { printf ("Initializing the PINs failed.\n"); return SECFailure; } } PK11_FreeSlot(keySlot); return SECSuccess; }
/* [noscript] long encrypt (in buffer data, in long dataLen, out buffer result); */ NS_IMETHODIMP nsSecretDecoderRing:: Encrypt(unsigned char * data, PRInt32 dataLen, unsigned char * *result, PRInt32 *_retval) { nsNSSShutDownPreventionLock locker; nsresult rv = NS_OK; PK11SlotInfo *slot = 0; PK11SlotInfoCleaner tmpSlotCleaner(slot); SECItem keyid; SECItem request; SECItem reply; SECStatus s; nsCOMPtr<nsIInterfaceRequestor> ctx = new nsSDRContext(); if (!ctx) { rv = NS_ERROR_OUT_OF_MEMORY; goto loser; } slot = PK11_GetInternalKeySlot(); if (!slot) { rv = NS_ERROR_NOT_AVAILABLE; goto loser; } /* Make sure token is initialized. */ rv = setPassword(slot, ctx); if (NS_FAILED(rv)) goto loser; /* Force authentication */ s = PK11_Authenticate(slot, true, ctx); if (s != SECSuccess) { rv = NS_ERROR_FAILURE; goto loser; } /* Use default key id */ keyid.data = 0; keyid.len = 0; request.data = data; request.len = dataLen; reply.data = 0; reply.len = 0; s= PK11SDR_Encrypt(&keyid, &request, &reply, ctx); if (s != SECSuccess) { rv = NS_ERROR_FAILURE; goto loser; } *result = reply.data; *_retval = reply.len; loser: return rv; }
char *oauth_sign_hmac_sha1_raw (const char *m, const size_t ml, const char *k, const size_t kl) { PK11SlotInfo *slot = NULL; PK11SymKey *pkey = NULL; PK11Context *context = NULL; unsigned char digest[20]; // Is there a way to tell how large the output is? unsigned int len; SECStatus s; SECItem keyItem, noParams; char *rv=NULL; keyItem.type = siBuffer; keyItem.data = (unsigned char*) k; keyItem.len = kl; noParams.type = siBuffer; noParams.data = NULL; noParams.len = 0; oauth_init_nss(); slot = PK11_GetInternalKeySlot(); if (!slot) goto looser; pkey = PK11_ImportSymKey(slot, CKM_SHA_1_HMAC, PK11_OriginUnwrap, CKA_SIGN, &keyItem, NULL); if (!pkey) goto looser; context = PK11_CreateContextBySymKey(CKM_SHA_1_HMAC, CKA_SIGN, pkey, &noParams); if (!context) goto looser; s = PK11_DigestBegin(context); if (s != SECSuccess) goto looser; s = PK11_DigestOp(context, (unsigned char*) m, ml); if (s != SECSuccess) goto looser; s = PK11_DigestFinal(context, digest, &len, sizeof digest); if (s != SECSuccess) goto looser; rv=oauth_encode_base64(len, digest); looser: if (context) PK11_DestroyContext(context, PR_TRUE); if (pkey) PK11_FreeSymKey(pkey); if (slot) PK11_FreeSlot(slot); return rv; }
PK11SlotInfo *lsw_nss_get_authenticated_slot(lsw_nss_buf_t err) { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); if (slot == NULL) { snprintf(err, sizeof(lsw_nss_buf_t), "no internal key slot"); return NULL; } if (PK11_IsFIPS() || PK11_NeedLogin(slot)) { SECStatus status = PK11_Authenticate(slot, PR_FALSE, lsw_return_nss_password_file_info()); if (status != SECSuccess) { const char *token = PK11_GetTokenName(slot); snprintf(err, sizeof(lsw_nss_buf_t), "authentication of \"%s\" failed", token); PK11_FreeSlot(slot); return NULL; } } return slot; }
static SECStatus nss_Init_Tokens(struct connectdata * conn) { PK11SlotList *slotList; PK11SlotListElement *listEntry; SECStatus ret, status = SECSuccess; PK11_SetPasswordFunc(nss_get_password); slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL); for(listEntry = PK11_GetFirstSafe(slotList); listEntry; listEntry = listEntry->next) { PK11SlotInfo *slot = listEntry->slot; if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { if(slot == PK11_GetInternalKeySlot()) { failf(conn->data, "The NSS database has not been initialized"); } else { failf(conn->data, "The token %s has not been initialized", PK11_GetTokenName(slot)); } PK11_FreeSlot(slot); continue; } ret = PK11_Authenticate(slot, PR_TRUE, conn->data->set.str[STRING_KEY_PASSWD]); if(SECSuccess != ret) { if(PR_GetError() == SEC_ERROR_BAD_PASSWORD) infof(conn->data, "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); status = SECFailure; break; } PK11_FreeSlot(slot); } return status; }
/* void changePassword(); */ NS_IMETHODIMP nsSecretDecoderRing:: ChangePassword() { nsNSSShutDownPreventionLock locker; nsresult rv; PK11SlotInfo *slot; slot = PK11_GetInternalKeySlot(); if (!slot) return NS_ERROR_NOT_AVAILABLE; /* Convert UTF8 token name to UCS2 */ NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(slot)); PK11_FreeSlot(slot); /* Get the set password dialog handler imlementation */ nsCOMPtr<nsITokenPasswordDialogs> dialogs; rv = getNSSDialogs(getter_AddRefs(dialogs), NS_GET_IID(nsITokenPasswordDialogs), NS_TOKENPASSWORDSDIALOG_CONTRACTID); if (NS_FAILED(rv)) return rv; nsCOMPtr<nsIInterfaceRequestor> ctx = new nsSDRContext(); bool canceled; { nsPSMUITracker tracker; if (tracker.isUIForbidden()) { rv = NS_ERROR_NOT_AVAILABLE; } else { rv = dialogs->SetPassword(ctx, tokenName.get(), &canceled); } } /* canceled is ignored */ return rv; }