static int generate_random_key(TALLOC_CTX *mem_ctx,
PK11SlotInfo *slot,
struct crypto_mech_data *mech_props,
SECItem **_key)
{
SECStatus sret;
SECItem *randkeydata;
SECItem *key = NULL;
PK11SymKey *randkey;
int ret;
randkey = PK11_KeyGen(slot, mech_props->cipher,
NULL, mech_props->keylen, NULL);
if (randkey == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failure to generate key (err %d)\n",
PR_GetError());
ret = EIO;
goto done;
}
sret = PK11_ExtractKeyValue(randkey);
if (sret != SECSuccess) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failure to extract key value (err %d)\n",
PR_GetError());
ret = EIO;
goto done;
}
randkeydata = PK11_GetKeyData(randkey);
if (randkeydata == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failure to get key data (err %d)\n",
PR_GetError());
ret = EIO;
goto done;
}
/* randkeydata is valid until randkey is. Copy with talloc to
* get a nice memory hierarchy symmetrical in encrypt
* and decrypt case */
key = talloc_zero(mem_ctx, SECItem);
if (!key) {
ret = ENOMEM;
goto done;
}
key->data = talloc_memdup(key, randkeydata->data, randkeydata->len);
if (!key->data) {
ret = ENOMEM;
goto done;
}
key->len = randkeydata->len;
*_key = key;
ret = EOK;
done:
if (ret != EOK) talloc_zfree(key);
PK11_FreeSymKey(randkey);
return ret;
}
SECStatus
SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites,
PRBool *pcanbypass, void *pwArg)
{ SECStatus rv;
int i;
PRUint16 suite;
PK11SymKey * pms = NULL;
SECKEYPublicKey * srvPubkey = NULL;
KeyType privKeytype;
PK11SlotInfo * slot = NULL;
SECItem param;
CK_VERSION version;
CK_MECHANISM_TYPE mechanism_array[2];
SECItem enc_pms = {siBuffer, NULL, 0};
PRBool isTLS = PR_FALSE;
SSLCipherSuiteInfo csdef;
PRBool testrsa = PR_FALSE;
PRBool testrsa_export = PR_FALSE;
PRBool testecdh = PR_FALSE;
PRBool testecdhe = PR_FALSE;
#ifdef NSS_ENABLE_ECC
SECKEYECParams ecParams = { siBuffer, NULL, 0 };
#endif
if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
srvPubkey = CERT_ExtractPublicKey(cert);
if (!srvPubkey)
return SECFailure;
*pcanbypass = PR_TRUE;
rv = SECFailure;
/* determine which KEAs to test */
/* 0 (SSL_NULL_WITH_NULL_NULL) is used as a list terminator because
* SSL3 and TLS specs forbid negotiating that cipher suite number.
*/
for (i=0; i < nsuites && (suite = *ciphersuites++) != 0; i++) {
/* skip SSL2 cipher suites and ones NSS doesn't support */
if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess
|| SSL_IS_SSL2_CIPHER(suite) )
continue;
switch (csdef.keaType) {
case ssl_kea_rsa:
switch (csdef.cipherSuite) {
case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:
case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA:
case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
testrsa_export = PR_TRUE;
}
if (!testrsa_export)
testrsa = PR_TRUE;
break;
case ssl_kea_ecdh:
if (strcmp(csdef.keaTypeName, "ECDHE") == 0) /* ephemeral? */
testecdhe = PR_TRUE;
else
testecdh = PR_TRUE;
break;
case ssl_kea_dh:
/* this is actually DHE */
default:
continue;
}
}
/* For each protocol try to derive and extract an MS.
* Failure of function any function except MS extract means
* continue with the next cipher test. Stop testing when the list is
* exhausted or when the first MS extract--not derive--fails.
*/
privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey);
protocolmask &= SSL_CBP_SSL3|SSL_CBP_TLS1_0;
while (protocolmask) {
if (protocolmask & SSL_CBP_SSL3) {
isTLS = PR_FALSE;
protocolmask ^= SSL_CBP_SSL3;
} else {
isTLS = PR_TRUE;
protocolmask ^= SSL_CBP_TLS1_0;
}
if (privKeytype == rsaKey && testrsa_export) {
if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) {
*pcanbypass = PR_FALSE;
rv = SECSuccess;
break;
} else
testrsa = PR_TRUE;
}
for (; privKeytype == rsaKey && testrsa; ) {
/* TLS_RSA */
unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
unsigned int outLen = 0;
CK_MECHANISM_TYPE target;
SECStatus irv;
mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
mechanism_array[1] = CKM_RSA_PKCS;
slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
if (slot == NULL) {
PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
break;
}
/* Generate the pre-master secret ... (client side) */
version.major = 3 /*MSB(clientHelloVersion)*/;
version.minor = 0 /*LSB(clientHelloVersion)*/;
param.data = (unsigned char *)&version;
param.len = sizeof version;
pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg);
PK11_FreeSlot(slot);
if (!pms)
break;
/* now wrap it */
enc_pms.len = SECKEY_PublicKeyStrength(srvPubkey);
enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
if (enc_pms.data == NULL) {
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
break;
}
irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms);
if (irv != SECSuccess)
break;
PK11_FreeSymKey(pms);
pms = NULL;
/* now do the server side--check the triple bypass first */
rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen,
sizeof rsaPmsBuf,
(unsigned char *)enc_pms.data,
enc_pms.len);
/* if decrypt worked we're done with the RSA test */
if (rv == SECSuccess) {
*pcanbypass = PR_TRUE;
break;
}
/* check for fallback to double bypass */
target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE
: CKM_SSL3_MASTER_KEY_DERIVE;
pms = PK11_PubUnwrapSymKey(srvPrivkey, &enc_pms,
target, CKA_DERIVE, 0);
rv = ssl_canExtractMS(pms, isTLS, PR_FALSE, pcanbypass);
if (rv == SECSuccess && *pcanbypass == PR_FALSE)
goto done;
break;
}
/* Check for NULL to avoid double free.
* SECItem_FreeItem sets data NULL in secitem.c#265
*/
if (enc_pms.data != NULL) {
SECITEM_FreeItem(&enc_pms, PR_FALSE);
}
#ifdef NSS_ENABLE_ECC
for (; (privKeytype == ecKey && ( testecdh || testecdhe)) ||
(privKeytype == rsaKey && testecdhe); ) {
CK_MECHANISM_TYPE target;
SECKEYPublicKey *keapub = NULL;
SECKEYPrivateKey *keapriv;
SECKEYPublicKey *cpub = NULL; /* client's ephemeral ECDH keys */
SECKEYPrivateKey *cpriv = NULL;
SECKEYECParams *pecParams = NULL;
if (privKeytype == ecKey && testecdhe) {
/* TLS_ECDHE_ECDSA */
pecParams = &srvPubkey->u.ec.DEREncodedParams;
} else if (privKeytype == rsaKey && testecdhe) {
/* TLS_ECDHE_RSA */
ECName ec_curve;
int serverKeyStrengthInBits;
int signatureKeyStrength;
int requiredECCbits;
/* find a curve of equivalent strength to the RSA key's */
requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey);
if (requiredECCbits < 0)
break;
requiredECCbits *= BPB;
serverKeyStrengthInBits = srvPubkey->u.rsa.modulus.len;
if (srvPubkey->u.rsa.modulus.data[0] == 0) {
serverKeyStrengthInBits--;
}
/* convert to strength in bits */
serverKeyStrengthInBits *= BPB;
signatureKeyStrength =
SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
if ( requiredECCbits > signatureKeyStrength )
requiredECCbits = signatureKeyStrength;
ec_curve =
ssl3_GetCurveWithECKeyStrength(SSL3_SUPPORTED_CURVES_MASK,
requiredECCbits);
rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams);
if (rv == SECFailure) {
break;
}
pecParams = &ecParams;
}
if (testecdhe) {
/* generate server's ephemeral keys */
keapriv = SECKEY_CreateECPrivateKey(pecParams, &keapub, NULL);
if (!keapriv || !keapub) {
if (keapriv)
SECKEY_DestroyPrivateKey(keapriv);
if (keapub)
SECKEY_DestroyPublicKey(keapub);
PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
rv = SECFailure;
break;
}
} else {
/* TLS_ECDH_ECDSA */
keapub = srvPubkey;
keapriv = srvPrivkey;
pecParams = &srvPubkey->u.ec.DEREncodedParams;
}
/* perform client side ops */
/* generate a pair of ephemeral keys using server's parms */
cpriv = SECKEY_CreateECPrivateKey(pecParams, &cpub, NULL);
if (!cpriv || !cpub) {
if (testecdhe) {
SECKEY_DestroyPrivateKey(keapriv);
SECKEY_DestroyPublicKey(keapub);
}
PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
rv = SECFailure;
break;
}
/* now do the server side */
/* determine the PMS using client's public value */
target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE_DH
: CKM_SSL3_MASTER_KEY_DERIVE_DH;
pms = PK11_PubDeriveWithKDF(keapriv, cpub, PR_FALSE, NULL, NULL,
CKM_ECDH1_DERIVE,
target,
CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
rv = ssl_canExtractMS(pms, isTLS, PR_TRUE, pcanbypass);
SECKEY_DestroyPrivateKey(cpriv);
SECKEY_DestroyPublicKey(cpub);
if (testecdhe) {
SECKEY_DestroyPrivateKey(keapriv);
SECKEY_DestroyPublicKey(keapub);
}
if (rv == SECSuccess && *pcanbypass == PR_FALSE)
goto done;
break;
}
/* Check for NULL to avoid double free. */
if (ecParams.data != NULL) {
PORT_Free(ecParams.data);
ecParams.data = NULL;
}
#endif /* NSS_ENABLE_ECC */
if (pms)
PK11_FreeSymKey(pms);
}
/* *pcanbypass has been set */
rv = SECSuccess;
done:
if (pms)
PK11_FreeSymKey(pms);
/* Check for NULL to avoid double free.
* SECItem_FreeItem sets data NULL in secitem.c#265
*/
if (enc_pms.data != NULL) {
SECITEM_FreeItem(&enc_pms, PR_FALSE);
}
#ifdef NSS_ENABLE_ECC
if (ecParams.data != NULL) {
PORT_Free(ecParams.data);
ecParams.data = NULL;
}
#endif /* NSS_ENABLE_ECC */
if (srvPubkey) {
SECKEY_DestroyPublicKey(srvPubkey);
srvPubkey = NULL;
}
return rv;
}
static int
sm_encrypt(CamelCipherContext *context, const char *userid, GPtrArray *recipients, CamelMimePart *ipart, CamelMimePart *opart, CamelException *ex)
{
struct _CamelSMIMEContextPrivate *p = ((CamelSMIMEContext *)context)->priv;
/*NSSCMSRecipientInfo **recipient_infos;*/
CERTCertificate **recipient_certs = NULL;
NSSCMSContentInfo *cinfo;
PK11SymKey *bulkkey = NULL;
SECOidTag bulkalgtag;
int bulkkeysize, i;
CK_MECHANISM_TYPE type;
PK11SlotInfo *slot;
PLArenaPool *poolp;
NSSCMSMessage *cmsg = NULL;
NSSCMSEnvelopedData *envd;
NSSCMSEncoderContext *enc = NULL;
CamelStreamMem *mem;
CamelStream *ostream = NULL;
CamelDataWrapper *dw;
CamelContentType *ct;
poolp = PORT_NewArena(1024);
if (poolp == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, g_strerror (ENOMEM));
return -1;
}
/* Lookup all recipients certs, for later working */
recipient_certs = (CERTCertificate **)PORT_ArenaZAlloc(poolp, sizeof(*recipient_certs[0])*(recipients->len + 1));
if (recipient_certs == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, g_strerror (ENOMEM));
goto fail;
}
for (i=0;i<recipients->len;i++) {
recipient_certs[i] = CERT_FindCertByNicknameOrEmailAddr(p->certdb, recipients->pdata[i]);
if (recipient_certs[i] == NULL) {
camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find certificate for `%s'"), recipients->pdata[i]);
goto fail;
}
}
/* Find a common algorithm, probably 3DES anyway ... */
if (NSS_SMIMEUtil_FindBulkAlgForRecipients(recipient_certs, &bulkalgtag, &bulkkeysize) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find common bulk encryption algorithm"));
goto fail;
}
/* Generate a new bulk key based on the common algorithm - expensive */
type = PK11_AlgtagToMechanism(bulkalgtag);
slot = PK11_GetBestSlot(type, context);
if (slot == NULL) {
/* PORT_GetError(); ?? */
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot allocate slot for encryption bulk key"));
goto fail;
}
bulkkey = PK11_KeyGen(slot, type, NULL, bulkkeysize/8, context);
PK11_FreeSlot(slot);
/* Now we can start building the message */
/* msg->envelopedData->data */
cmsg = NSS_CMSMessage_Create(NULL);
if (cmsg == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS Message"));
goto fail;
}
envd = NSS_CMSEnvelopedData_Create(cmsg, bulkalgtag, bulkkeysize);
if (envd == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS Enveloped data"));
goto fail;
}
cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
if (NSS_CMSContentInfo_SetContent_EnvelopedData(cmsg, cinfo, envd) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS Enveloped data"));
goto fail;
}
cinfo = NSS_CMSEnvelopedData_GetContentInfo(envd);
if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, PR_FALSE) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS data object"));
goto fail;
}
/* add recipient certs */
for (i=0;recipient_certs[i];i++) {
NSSCMSRecipientInfo *ri = NSS_CMSRecipientInfo_Create(cmsg, recipient_certs[i]);
if (ri == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS Recipient information"));
goto fail;
}
if (NSS_CMSEnvelopedData_AddRecipient(envd, ri) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add CMS Recipient information"));
goto fail;
}
}
/* dump it out */
ostream = camel_stream_mem_new();
enc = NSS_CMSEncoder_Start(cmsg,
sm_write_stream, ostream,
NULL, NULL,
NULL, NULL,
sm_decrypt_key, bulkkey,
NULL, NULL);
if (enc == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create encoder context"));
goto fail;
}
/* FIXME: Stream the input */
/* FIXME: Canonicalise the input? */
mem = (CamelStreamMem *)camel_stream_mem_new();
camel_data_wrapper_write_to_stream((CamelDataWrapper *)ipart, (CamelStream *)mem);
if (NSS_CMSEncoder_Update(enc, (char *) mem->buffer->data, mem->buffer->len) != SECSuccess) {
NSS_CMSEncoder_Cancel(enc);
camel_object_unref(mem);
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Failed to add data to encoder"));
goto fail;
}
camel_object_unref(mem);
if (NSS_CMSEncoder_Finish(enc) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Failed to encode data"));
goto fail;
}
PK11_FreeSymKey(bulkkey);
NSS_CMSMessage_Destroy(cmsg);
for (i=0;recipient_certs[i];i++)
CERT_DestroyCertificate(recipient_certs[i]);
PORT_FreeArena(poolp, PR_FALSE);
dw = camel_data_wrapper_new();
camel_data_wrapper_construct_from_stream(dw, ostream);
camel_object_unref(ostream);
dw->encoding = CAMEL_TRANSFER_ENCODING_BINARY;
ct = camel_content_type_new("application", "x-pkcs7-mime");
camel_content_type_set_param(ct, "name", "smime.p7m");
camel_content_type_set_param(ct, "smime-type", "enveloped-data");
camel_data_wrapper_set_mime_type_field(dw, ct);
camel_content_type_unref(ct);
camel_medium_set_content_object((CamelMedium *)opart, dw);
camel_object_unref(dw);
camel_mime_part_set_disposition(opart, "attachment");
camel_mime_part_set_filename(opart, "smime.p7m");
camel_mime_part_set_description(opart, "S/MIME Encrypted Message");
camel_mime_part_set_encoding(opart, CAMEL_TRANSFER_ENCODING_BASE64);
return 0;
fail:
if (ostream)
camel_object_unref(ostream);
if (cmsg)
NSS_CMSMessage_Destroy(cmsg);
if (bulkkey)
PK11_FreeSymKey(bulkkey);
if (recipient_certs) {
for (i=0;recipient_certs[i];i++)
CERT_DestroyCertificate(recipient_certs[i]);
}
PORT_FreeArena(poolp, PR_FALSE);
return -1;
}
/*
* NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding
*
* at this point, we need
* - recipientinfos set up with recipient's certificates
* - a content encryption algorithm (if none, 3DES will be used)
*
* this function will generate a random content encryption key (aka bulk key),
* initialize the recipientinfos with certificate identification and wrap the bulk key
* using the proper algorithm for every certificiate.
* it will finally set the bulk algorithm and key so that the encode step can find it.
*/
SECStatus
NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
{
int version;
NSSCMSRecipientInfo **recipientinfos;
NSSCMSContentInfo *cinfo;
PK11SymKey *bulkkey = NULL;
SECOidTag bulkalgtag;
CK_MECHANISM_TYPE type;
PK11SlotInfo *slot;
SECStatus rv;
SECItem *dummy;
PLArenaPool *poolp;
extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
void *mark = NULL;
int i;
poolp = envd->cmsg->poolp;
cinfo = &(envd->contentInfo);
recipientinfos = envd->recipientInfos;
if (recipientinfos == NULL) {
PORT_SetError(SEC_ERROR_BAD_DATA);
#if 0
PORT_SetErrorString("Cannot find recipientinfos to encode.");
#endif
goto loser;
}
version = NSS_CMS_ENVELOPED_DATA_VERSION_REG;
if (envd->originatorInfo != NULL || envd->unprotectedAttr != NULL) {
version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
} else {
for (i = 0; recipientinfos[i] != NULL; i++) {
if (NSS_CMSRecipientInfo_GetVersion(recipientinfos[i]) != 0) {
version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV;
break;
}
}
}
dummy = SEC_ASN1EncodeInteger(poolp, &(envd->version), version);
if (dummy == NULL)
goto loser;
/* now we need to have a proper content encryption algorithm
* on the SMIME level, we would figure one out by looking at SMIME capabilities
* we cannot do that on our level, so if none is set already, we'll just go
* with one of the mandatory algorithms (3DES) */
if ((bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo)) == SEC_OID_UNKNOWN) {
rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, cinfo, SEC_OID_DES_EDE3_CBC, NULL, 168);
if (rv != SECSuccess)
goto loser;
bulkalgtag = SEC_OID_DES_EDE3_CBC;
}
/* generate a random bulk key suitable for content encryption alg */
type = PK11_AlgtagToMechanism(bulkalgtag);
slot = PK11_GetBestSlot(type, envd->cmsg->pwfn_arg);
if (slot == NULL)
goto loser; /* error has been set by PK11_GetBestSlot */
/* this is expensive... */
bulkkey = PK11_KeyGen(slot, type, NULL, NSS_CMSContentInfo_GetBulkKeySize(cinfo) / 8, envd->cmsg->pwfn_arg);
PK11_FreeSlot(slot);
if (bulkkey == NULL)
goto loser; /* error has been set by PK11_KeyGen */
mark = PORT_ArenaMark(poolp);
/* Encrypt the bulk key with the public key of each recipient. */
for (i = 0; recipientinfos[i] != NULL; i++) {
rv = NSS_CMSRecipientInfo_WrapBulkKey(recipientinfos[i], bulkkey, bulkalgtag);
if (rv != SECSuccess)
goto loser; /* error has been set by NSS_CMSRecipientInfo_EncryptBulkKey */
/* could be: alg not supported etc. */
}
/* the recipientinfos are all finished. now sort them by DER for SET OF encoding */
rv = NSS_CMSArray_SortByDER((void **)envd->recipientInfos, NSSCMSRecipientInfoTemplate, NULL);
if (rv != SECSuccess)
goto loser; /* error has been set by NSS_CMSArray_SortByDER */
/* store the bulk key in the contentInfo so that the encoder can find it */
NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey);
PORT_ArenaUnmark(poolp, mark);
PK11_FreeSymKey(bulkkey);
return SECSuccess;
loser:
if (mark != NULL)
PORT_ArenaRelease (poolp, mark);
if (bulkkey)
PK11_FreeSymKey(bulkkey);
return SECFailure;
}
/*
* CreatePk11PinStore
*/
int
CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin)
{
int err = PIN_SUCCESS;
Pk11PinStore *store;
do {
store = (Pk11PinStore*)malloc(sizeof(Pk11PinStore));
if (store == 0) { err = PIN_NOMEMORY; break; }
/* Low-level init */
store->key = 0;
store->params = 0;
store->crypt = 0;
/* Use the tokenName to find a PKCS11 slot */
store->slot = PK11_FindSlotByName((char *)tokenName);
if (store->slot == 0) { err = PIN_NOSUCHTOKEN; break; }
/* Check the password/PIN. This allows access to the token */
{
SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin);
if (rv == SECSuccess)
;
else if (rv == SECWouldBlock)
{
/* NSS returns a blocking error when the pin is wrong */
err = PIN_INCORRECTPW;
break;
}
else
{
err = PIN_SYSTEMERROR;
break;
}
}
/* Find the mechanism that this token can do */
{
const mech_item *tp;
store->mech = 0;
for(tp = table;tp < &table[MECH_TABLE_SIZE];tp++)
{
if (PK11_DoesMechanism(store->slot, tp->type))
{
store->mech = (mech_item *)tp;
break;
}
}
/* Default to a mechanism (probably on the internal token */
if (store->mech == 0) {
store->mech = &dflt_mech;
}
}
/* Generate a key and parameters to do the encryption */
#if NSS_VMAJOR >= 3 && (NSS_VMINOR <= 9 || (NSS_VMINOR <= 10 && NSS_VPATCH == 0))
store->key = PK11_KeyGen(store->slot, store->mech->type,
0, 0, 0);
#else
store->key = PK11_TokenKeyGenWithFlags(store->slot, store->mech->type,
NULL, 0, NULL, CKF_ENCRYPT|CKF_DECRYPT, PR_FALSE, NULL);
#endif
if (store->key == 0)
{
/* PR_SetError(xxx); */
err = PIN_SYSTEMERROR;
break;
}
store->params = PK11_GenerateNewParam(store->mech->type, store->key);
if (store->params == 0)
{
err = PIN_SYSTEMERROR;
break;
}
/* Compute the size of the encrypted data including necessary padding */
{
int blocksize = PK11_GetBlockSize(store->mech->type, 0);
store->length = strlen(pin)+1;
/* Compute padded size - 0 means stream cipher */
if (blocksize != 0)
{
store->length += blocksize - (store->length % blocksize);
}
store->crypt = (unsigned char *)malloc(store->length);
if (!store->crypt) { err = PIN_NOMEMORY; break; }
}
/* Encrypt */
{
unsigned char *plain;
PK11Context *ctx;
SECStatus rv;
int outLen;
plain = (unsigned char *)malloc(store->length);
if (!plain) { err = PIN_NOMEMORY; break; }
/* Pad with 0 bytes */
memset(plain, 0, store->length);
strcpy((char *)plain, pin);
ctx = PK11_CreateContextBySymKey(store->mech->type, CKA_ENCRYPT,
store->key, store->params);
if (!ctx) { err = PIN_SYSTEMERROR; break; }
do {
rv = PK11_CipherOp(ctx, store->crypt, &outLen, store->length,
plain, store->length);
if (rv) break;
rv = PK11_Finalize(ctx);
} while(0);
PK11_DestroyContext(ctx, PR_TRUE);
memset(plain, 0, store->length);
free(plain);
if (rv) err = PIN_SYSTEMERROR;
}
} while(0);
if (err)
{
DestroyPk11PinStore(store);
store = 0;
}
*out = store;
return err;
}
CRMFEncryptedValue *
crmf_create_encrypted_value_wrapped_privkey(SECKEYPrivateKey *inPrivKey,
SECKEYPublicKey *inCAKey,
CRMFEncryptedValue *destValue)
{
SECItem wrappedPrivKey, wrappedSymKey;
SECItem encodedParam, *dummy;
SECStatus rv;
CK_MECHANISM_TYPE pubMechType, symKeyType;
unsigned char *wrappedSymKeyBits;
unsigned char *wrappedPrivKeyBits;
SECItem *iv = NULL;
SECOidTag tag;
PK11SymKey *symKey;
PK11SlotInfo *slot;
SECAlgorithmID *symmAlg;
CRMFEncryptedValue *myEncrValue = NULL;
encodedParam.data = NULL;
wrappedSymKeyBits = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
wrappedPrivKeyBits = PORT_NewArray(unsigned char, MAX_WRAPPED_KEY_LEN);
if (wrappedSymKeyBits == NULL || wrappedPrivKeyBits == NULL) {
goto loser;
}
if (destValue == NULL) {
myEncrValue = destValue = PORT_ZNew(CRMFEncryptedValue);
if (destValue == NULL) {
goto loser;
}
}
pubMechType = crmf_get_mechanism_from_public_key(inCAKey);
if (pubMechType == CKM_INVALID_MECHANISM) {
/* XXX I should probably do something here for non-RSA
* keys that are in certs. (ie DSA)
* XXX or at least SET AN ERROR CODE.
*/
goto loser;
}
slot = inPrivKey->pkcs11Slot;
PORT_Assert(slot != NULL);
symKeyType = crmf_get_best_privkey_wrap_mechanism(slot);
symKey = PK11_KeyGen(slot, symKeyType, NULL, 0, NULL);
if (symKey == NULL) {
goto loser;
}
wrappedSymKey.data = wrappedSymKeyBits;
wrappedSymKey.len = MAX_WRAPPED_KEY_LEN;
rv = PK11_PubWrapSymKey(pubMechType, inCAKey, symKey, &wrappedSymKey);
if (rv != SECSuccess) {
goto loser;
}
/* Make the length of the result a Bit String length. */
wrappedSymKey.len <<= 3;
wrappedPrivKey.data = wrappedPrivKeyBits;
wrappedPrivKey.len = MAX_WRAPPED_KEY_LEN;
iv = crmf_get_iv(symKeyType);
rv = PK11_WrapPrivKey(slot, symKey, inPrivKey, symKeyType, iv,
&wrappedPrivKey, NULL);
PK11_FreeSymKey(symKey);
if (rv != SECSuccess) {
goto loser;
}
/* Make the length of the result a Bit String length. */
wrappedPrivKey.len <<= 3;
rv = crmf_make_bitstring_copy(NULL,
&destValue->encValue,
&wrappedPrivKey);
if (rv != SECSuccess) {
goto loser;
}
rv = crmf_make_bitstring_copy(NULL,
&destValue->encSymmKey,
&wrappedSymKey);
if (rv != SECSuccess) {
goto loser;
}
destValue->symmAlg = symmAlg = PORT_ZNew(SECAlgorithmID);
if (symmAlg == NULL) {
goto loser;
}
dummy = SEC_ASN1EncodeItem(NULL, &encodedParam, iv,
SEC_ASN1_GET(SEC_OctetStringTemplate));
if (dummy != &encodedParam) {
SECITEM_FreeItem(dummy, PR_TRUE);
goto loser;
}
symKeyType = crmf_get_non_pad_mechanism(symKeyType);
tag = PK11_MechanismToAlgtag(symKeyType);
rv = SECOID_SetAlgorithmID(NULL, symmAlg, tag, &encodedParam);
if (rv != SECSuccess) {
goto loser;
}
SECITEM_FreeItem(&encodedParam, PR_FALSE);
PORT_Free(wrappedPrivKeyBits);
PORT_Free(wrappedSymKeyBits);
SECITEM_FreeItem(iv, PR_TRUE);
return destValue;
loser:
if (iv != NULL) {
SECITEM_FreeItem(iv, PR_TRUE);
}
if (myEncrValue != NULL) {
crmf_destroy_encrypted_value(myEncrValue, PR_TRUE);
}
if (wrappedSymKeyBits != NULL) {
PORT_Free(wrappedSymKeyBits);
}
if (wrappedPrivKeyBits != NULL) {
PORT_Free(wrappedPrivKeyBits);
}
if (encodedParam.data != NULL) {
SECITEM_FreeItem(&encodedParam, PR_FALSE);
}
return NULL;
}
SECStatus
SSL_CanBypass(CERTCertificate *cert, SECKEYPrivateKey *srvPrivkey,
PRUint32 protocolmask, PRUint16 *ciphersuites, int nsuites,
PRBool *pcanbypass, void *pwArg)
{
#ifdef NO_PKCS11_BYPASS
if (!pcanbypass) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
*pcanbypass = PR_FALSE;
return SECSuccess;
#else
SECStatus rv;
int i;
PRUint16 suite;
PK11SymKey * pms = NULL;
SECKEYPublicKey * srvPubkey = NULL;
KeyType privKeytype;
PK11SlotInfo * slot = NULL;
SECItem param;
CK_VERSION version;
CK_MECHANISM_TYPE mechanism_array[2];
SECItem enc_pms = {siBuffer, NULL, 0};
PRBool isTLS = PR_FALSE;
SSLCipherSuiteInfo csdef;
PRBool testrsa = PR_FALSE;
PRBool testrsa_export = PR_FALSE;
PRBool testecdh = PR_FALSE;
PRBool testecdhe = PR_FALSE;
#ifdef NSS_ENABLE_ECC
SECKEYECParams ecParams = { siBuffer, NULL, 0 };
#endif
if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
srvPubkey = CERT_ExtractPublicKey(cert);
if (!srvPubkey)
return SECFailure;
*pcanbypass = PR_TRUE;
rv = SECFailure;
for (i=0; i < nsuites && (suite = *ciphersuites++) != 0; i++) {
if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess
|| SSL_IS_SSL2_CIPHER(suite) )
continue;
switch (csdef.keaType) {
case ssl_kea_rsa:
switch (csdef.cipherSuite) {
case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:
case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA:
case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
testrsa_export = PR_TRUE;
}
if (!testrsa_export)
testrsa = PR_TRUE;
break;
case ssl_kea_ecdh:
if (strcmp(csdef.keaTypeName, "ECDHE") == 0)
testecdhe = PR_TRUE;
else
testecdh = PR_TRUE;
break;
case ssl_kea_dh:
default:
continue;
}
}
privKeytype = SECKEY_GetPrivateKeyType(srvPrivkey);
protocolmask &= SSL_CBP_SSL3|SSL_CBP_TLS1_0;
while (protocolmask) {
if (protocolmask & SSL_CBP_SSL3) {
isTLS = PR_FALSE;
protocolmask ^= SSL_CBP_SSL3;
} else {
isTLS = PR_TRUE;
protocolmask ^= SSL_CBP_TLS1_0;
}
if (privKeytype == rsaKey && testrsa_export) {
if (PK11_GetPrivateModulusLen(srvPrivkey) > EXPORT_RSA_KEY_LENGTH) {
*pcanbypass = PR_FALSE;
rv = SECSuccess;
break;
} else
testrsa = PR_TRUE;
}
for (; privKeytype == rsaKey && testrsa; ) {
unsigned char rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
unsigned int outLen = 0;
CK_MECHANISM_TYPE target;
SECStatus irv;
mechanism_array[0] = CKM_SSL3_PRE_MASTER_KEY_GEN;
mechanism_array[1] = CKM_RSA_PKCS;
slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
if (slot == NULL) {
PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
break;
}
version.major = 3 ;
version.minor = 0 ;
param.data = (unsigned char *)&version;
param.len = sizeof version;
pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, ¶m, 0, pwArg);
PK11_FreeSlot(slot);
if (!pms)
break;
enc_pms.len = SECKEY_PublicKeyStrength(srvPubkey);
enc_pms.data = (unsigned char*)PORT_Alloc(enc_pms.len);
if (enc_pms.data == NULL) {
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
break;
}
irv = PK11_PubWrapSymKey(CKM_RSA_PKCS, srvPubkey, pms, &enc_pms);
if (irv != SECSuccess)
break;
PK11_FreeSymKey(pms);
pms = NULL;
rv = PK11_PrivDecryptPKCS1(srvPrivkey, rsaPmsBuf, &outLen,
sizeof rsaPmsBuf,
(unsigned char *)enc_pms.data,
enc_pms.len);
if (rv == SECSuccess) {
*pcanbypass = PR_TRUE;
break;
}
target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE
: CKM_SSL3_MASTER_KEY_DERIVE;
pms = PK11_PubUnwrapSymKey(srvPrivkey, &enc_pms,
target, CKA_DERIVE, 0);
rv = ssl_canExtractMS(pms, isTLS, PR_FALSE, pcanbypass);
if (rv == SECSuccess && *pcanbypass == PR_FALSE)
goto done;
break;
}
if (enc_pms.data != NULL) {
SECITEM_FreeItem(&enc_pms, PR_FALSE);
}
#ifdef NSS_ENABLE_ECC
for (; (privKeytype == ecKey && ( testecdh || testecdhe)) ||
(privKeytype == rsaKey && testecdhe); ) {
CK_MECHANISM_TYPE target;
SECKEYPublicKey *keapub = NULL;
SECKEYPrivateKey *keapriv;
SECKEYPublicKey *cpub = NULL;
SECKEYPrivateKey *cpriv = NULL;
SECKEYECParams *pecParams = NULL;
if (privKeytype == ecKey && testecdhe) {
pecParams = &srvPubkey->u.ec.DEREncodedParams;
} else if (privKeytype == rsaKey && testecdhe) {
ECName ec_curve;
int serverKeyStrengthInBits;
int signatureKeyStrength;
int requiredECCbits;
requiredECCbits = PK11_GetPrivateModulusLen(srvPrivkey);
if (requiredECCbits < 0)
break;
requiredECCbits *= BPB;
serverKeyStrengthInBits = srvPubkey->u.rsa.modulus.len;
if (srvPubkey->u.rsa.modulus.data[0] == 0) {
serverKeyStrengthInBits--;
}
serverKeyStrengthInBits *= BPB;
signatureKeyStrength =
SSL_RSASTRENGTH_TO_ECSTRENGTH(serverKeyStrengthInBits);
if ( requiredECCbits > signatureKeyStrength )
requiredECCbits = signatureKeyStrength;
ec_curve =
ssl3_GetCurveWithECKeyStrength(
ssl3_GetSupportedECCurveMask(NULL),
requiredECCbits);
rv = ssl3_ECName2Params(NULL, ec_curve, &ecParams);
if (rv == SECFailure) {
break;
}
pecParams = &ecParams;
}
if (testecdhe) {
keapriv = SECKEY_CreateECPrivateKey(pecParams, &keapub, NULL);
if (!keapriv || !keapub) {
if (keapriv)
SECKEY_DestroyPrivateKey(keapriv);
if (keapub)
SECKEY_DestroyPublicKey(keapub);
PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
rv = SECFailure;
break;
}
} else {
keapub = srvPubkey;
keapriv = srvPrivkey;
pecParams = &srvPubkey->u.ec.DEREncodedParams;
}
cpriv = SECKEY_CreateECPrivateKey(pecParams, &cpub, NULL);
if (!cpriv || !cpub) {
if (testecdhe) {
SECKEY_DestroyPrivateKey(keapriv);
SECKEY_DestroyPublicKey(keapub);
}
PORT_SetError(SEC_ERROR_KEYGEN_FAIL);
rv = SECFailure;
break;
}
target = isTLS ? CKM_TLS_MASTER_KEY_DERIVE_DH
: CKM_SSL3_MASTER_KEY_DERIVE_DH;
pms = PK11_PubDeriveWithKDF(keapriv, cpub, PR_FALSE, NULL, NULL,
CKM_ECDH1_DERIVE,
target,
CKA_DERIVE, 0, CKD_NULL, NULL, NULL);
rv = ssl_canExtractMS(pms, isTLS, PR_TRUE, pcanbypass);
SECKEY_DestroyPrivateKey(cpriv);
SECKEY_DestroyPublicKey(cpub);
if (testecdhe) {
SECKEY_DestroyPrivateKey(keapriv);
SECKEY_DestroyPublicKey(keapub);
}
if (rv == SECSuccess && *pcanbypass == PR_FALSE)
goto done;
break;
}
if (ecParams.data != NULL) {
PORT_Free(ecParams.data);
ecParams.data = NULL;
}
#endif
if (pms)
PK11_FreeSymKey(pms);
}
rv = SECSuccess;
done:
if (pms)
PK11_FreeSymKey(pms);
if (enc_pms.data != NULL) {
SECITEM_FreeItem(&enc_pms, PR_FALSE);
}
#ifdef NSS_ENABLE_ECC
if (ecParams.data != NULL) {
PORT_Free(ecParams.data);
ecParams.data = NULL;
}
#endif
if (srvPubkey) {
SECKEY_DestroyPublicKey(srvPubkey);
srvPubkey = NULL;
}
return rv;
#endif
}
static sec_PKCS7CipherObject *
sec_pkcs7_encoder_start_encrypt (SEC_PKCS7ContentInfo *cinfo,
PK11SymKey *orig_bulkkey)
{
SECOidTag kind;
sec_PKCS7CipherObject *encryptobj;
SEC_PKCS7RecipientInfo **recipientinfos, *ri;
SEC_PKCS7EncryptedContentInfo *enccinfo;
SECKEYPublicKey *publickey = NULL;
SECKEYPrivateKey *ourPrivKey = NULL;
PK11SymKey *bulkkey;
void *mark, *wincx;
int i;
PLArenaPool *arena = NULL;
/* Get the context in case we need it below. */
wincx = cinfo->pwfn_arg;
kind = SEC_PKCS7ContentType (cinfo);
switch (kind) {
default:
case SEC_OID_PKCS7_DATA:
case SEC_OID_PKCS7_DIGESTED_DATA:
case SEC_OID_PKCS7_SIGNED_DATA:
recipientinfos = NULL;
enccinfo = NULL;
break;
case SEC_OID_PKCS7_ENCRYPTED_DATA:
{
SEC_PKCS7EncryptedData *encdp;
/* To do EncryptedData we *must* be given a bulk key. */
PORT_Assert (orig_bulkkey != NULL);
if (orig_bulkkey == NULL) {
/* XXX error? */
return NULL;
}
encdp = cinfo->content.encryptedData;
recipientinfos = NULL;
enccinfo = &(encdp->encContentInfo);
}
break;
case SEC_OID_PKCS7_ENVELOPED_DATA:
{
SEC_PKCS7EnvelopedData *envdp;
envdp = cinfo->content.envelopedData;
recipientinfos = envdp->recipientInfos;
enccinfo = &(envdp->encContentInfo);
}
break;
case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
{
SEC_PKCS7SignedAndEnvelopedData *saedp;
saedp = cinfo->content.signedAndEnvelopedData;
recipientinfos = saedp->recipientInfos;
enccinfo = &(saedp->encContentInfo);
}
break;
}
if (enccinfo == NULL)
return NULL;
bulkkey = orig_bulkkey;
if (bulkkey == NULL) {
CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(enccinfo->encalg);
PK11SlotInfo *slot;
slot = PK11_GetBestSlot(type,cinfo->pwfn_arg);
if (slot == NULL) {
return NULL;
}
bulkkey = PK11_KeyGen(slot,type,NULL, enccinfo->keysize/8,
cinfo->pwfn_arg);
PK11_FreeSlot(slot);
if (bulkkey == NULL) {
return NULL;
}
}
encryptobj = NULL;
mark = PORT_ArenaMark (cinfo->poolp);
/*
* Encrypt the bulk key with the public key of each recipient.
*/
for (i = 0; recipientinfos && (ri = recipientinfos[i]) != NULL; i++) {
CERTCertificate *cert;
SECOidTag certalgtag, encalgtag;
SECStatus rv;
int data_len;
SECItem *params = NULL;
cert = ri->cert;
PORT_Assert (cert != NULL);
if (cert == NULL)
continue;
/*
* XXX Want an interface that takes a cert and some data and
* fills in an algorithmID and encrypts the data with the public
* key from the cert. Or, give me two interfaces -- one which
* gets the algorithm tag from a cert (I should not have to go
* down into the subjectPublicKeyInfo myself) and another which
* takes a public key and algorithm tag and data and encrypts
* the data. Or something like that. The point is that all
* of the following hardwired RSA stuff should be done elsewhere.
*/
certalgtag=SECOID_GetAlgorithmTag(&(cert->subjectPublicKeyInfo.algorithm));
switch (certalgtag) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
encalgtag = certalgtag;
publickey = CERT_ExtractPublicKey (cert);
if (publickey == NULL) goto loser;
data_len = SECKEY_PublicKeyStrength(publickey);
ri->encKey.data =
(unsigned char*)PORT_ArenaAlloc(cinfo->poolp ,data_len);
ri->encKey.len = data_len;
if (ri->encKey.data == NULL) goto loser;
rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(certalgtag),publickey,
bulkkey,&ri->encKey);
SECKEY_DestroyPublicKey(publickey);
publickey = NULL;
if (rv != SECSuccess) goto loser;
params = NULL; /* paranoia */
break;
default:
PORT_SetError (SEC_ERROR_INVALID_ALGORITHM);
goto loser;
}
rv = SECOID_SetAlgorithmID(cinfo->poolp, &ri->keyEncAlg, encalgtag,
params);
if (rv != SECSuccess)
goto loser;
if (arena) PORT_FreeArena(arena,PR_FALSE);
arena = NULL;
}
encryptobj = sec_PKCS7CreateEncryptObject (cinfo->poolp, bulkkey,
enccinfo->encalg,
&(enccinfo->contentEncAlg));
if (encryptobj != NULL) {
PORT_ArenaUnmark (cinfo->poolp, mark);
mark = NULL; /* good one; do not want to release */
}
/* fallthru */
loser:
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
if (publickey) {
SECKEY_DestroyPublicKey(publickey);
}
if (ourPrivKey) {
SECKEY_DestroyPrivateKey(ourPrivKey);
}
if (mark != NULL) {
PORT_ArenaRelease (cinfo->poolp, mark);
}
if (orig_bulkkey == NULL) {
if (bulkkey) PK11_FreeSymKey(bulkkey);
}
return encryptobj;
}