int open_pkcs11_session(pkcs11_handle_t *h, unsigned int slot_num)
{
/* NSS manages the sessions under the covers, use this function to
* select a slot */
if (h->slot != NULL) {
/* we've already selected the slot */
if (PK11_GetSlotID(h->slot) == slot_num) {
return 0;
}
/* the slot we've selected isn't the one we want to open */
PK11_FreeSlot(h->slot);
h->slot = NULL;
}
/* look the slot up */
h->slot = SECMOD_LookupSlot(h->module->moduleID, slot_num);
if (h->slot == NULL) {
return -1;
}
/* make sure it is present */
if (!PK11_IsPresent(h->slot)) {
PK11_FreeSlot(h->slot);
h->slot = NULL;
return -1;
}
return 0;
}
static int nss_load_key(struct connectdata *conn, int sockindex, char *key_file)
{
#ifdef HAVE_PK11_CREATEGENERICOBJECT
PK11SlotInfo * slot = NULL;
CK_ATTRIBUTE *attrs;
CK_ATTRIBUTE theTemplate[20];
CK_BBOOL cktrue = CK_TRUE;
CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY;
CK_SLOT_ID slotID;
char slotname[SLOTSIZE];
struct ssl_connect_data *sslconn = &conn->ssl[sockindex];
attrs = theTemplate;
/* FIXME: grok the various file types */
slotID = 1; /* hardcoded for now */
snprintf(slotname, sizeof(slotname), "PEM Token #%ld", slotID);
slot = PK11_FindSlotByName(slotname);
if(!slot)
return 0;
PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass) ); attrs++;
PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); attrs++;
PK11_SETATTRS(attrs, CKA_LABEL, (unsigned char *)key_file,
strlen(key_file)+1); attrs++;
/* When adding an encrypted key the PKCS#11 will be set as removed */
sslconn->key = PK11_CreateGenericObject(slot, theTemplate, 3,
PR_FALSE /* isPerm */);
if(sslconn->key == NULL) {
PR_SetError(SEC_ERROR_BAD_KEY, 0);
return 0;
}
/* This will force the token to be seen as re-inserted */
SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
PK11_IsPresent(slot);
/* parg is initialized in nss_Init_Tokens() */
if(PK11_Authenticate(slot, PR_TRUE,
conn->data->set.str[STRING_KEY_PASSWD]) != SECSuccess) {
PK11_FreeSlot(slot);
return 0;
}
PK11_FreeSlot(slot);
return 1;
#else
/* If we don't have PK11_CreateGenericObject then we can't load a file-based
* key.
*/
(void)conn; /* unused */
(void)key_file; /* unused */
return 0;
#endif
}
/*
* This thread looks for card and reader insertions and puts events on the
* event queue
*/
static void
vcard_emul_event_thread(void *arg)
{
PK11SlotInfo *slot;
VReader *vreader;
VReaderEmul *vreader_emul;
VCard *vcard;
SECMODModule *module = (SECMODModule *)arg;
do {
slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500);
if (slot == NULL) {
break;
}
vreader = vcard_emul_find_vreader_from_slot(slot);
if (vreader == NULL) {
/* new vreader */
vreader_emul = vreader_emul_new(slot, default_card_type,
default_type_params);
vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
vreader_emul_delete);
PK11_FreeSlot(slot);
slot = NULL;
vreader_add_reader(vreader);
vreader_free(vreader);
continue;
}
/* card remove/insert */
vreader_emul = vreader_get_private(vreader);
if (PK11_IsPresent(slot)) {
int series = PK11_GetSlotSeries(slot);
if (series != vreader_emul->series) {
if (vreader_emul->present) {
vreader_insert_card(vreader, NULL);
}
vcard = vcard_emul_mirror_card(vreader);
vreader_insert_card(vreader, vcard);
vcard_free(vcard);
}
vreader_emul->series = series;
vreader_emul->present = 1;
vreader_free(vreader);
PK11_FreeSlot(slot);
continue;
}
if (vreader_emul->present) {
vreader_insert_card(vreader, NULL);
}
vreader_emul->series = 0;
vreader_emul->present = 0;
PK11_FreeSlot(slot);
vreader_free(vreader);
} while (1);
}
static SECStatus nss_Init_Tokens(struct connectdata * conn)
{
PK11SlotList *slotList;
PK11SlotListElement *listEntry;
SECStatus ret, status = SECSuccess;
pphrase_arg_t *parg = NULL;
parg = (pphrase_arg_t *) malloc(sizeof(*parg));
parg->retryCount = 0;
parg->data = conn->data;
PK11_SetPasswordFunc(nss_get_password);
slotList =
PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL);
for(listEntry = PK11_GetFirstSafe(slotList);
listEntry; listEntry = listEntry->next) {
PK11SlotInfo *slot = listEntry->slot;
if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
if(slot == PK11_GetInternalKeySlot()) {
failf(conn->data, "The NSS database has not been initialized.\n");
}
else {
failf(conn->data, "The token %s has not been initialized.",
PK11_GetTokenName(slot));
}
PK11_FreeSlot(slot);
continue;
}
ret = PK11_Authenticate(slot, PR_TRUE, parg);
if(SECSuccess != ret) {
if (PR_GetError() == SEC_ERROR_BAD_PASSWORD)
infof(conn->data, "The password for token '%s' is incorrect\n",
PK11_GetTokenName(slot));
status = SECFailure;
break;
}
parg->retryCount = 0; /* reset counter to 0 for the next token */
PK11_FreeSlot(slot);
}
free(parg);
return status;
}
/*
* put together the various PK11_Create_Context calls used by different
* parts of libsec.
*/
PK11Context *
__PK11_CreateContextByRawKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key,
SECItem *param, void *wincx)
{
PK11SymKey *symKey = NULL;
PK11Context *context = NULL;
/* first get a slot */
if (slot == NULL) {
slot = PK11_GetBestSlot(type,wincx);
if (slot == NULL) {
PORT_SetError( SEC_ERROR_NO_MODULE );
goto loser;
}
} else {
PK11_ReferenceSlot(slot);
}
/* now import the key */
symKey = PK11_ImportSymKey(slot, type, origin, operation, key, wincx);
if (symKey == NULL) goto loser;
context = PK11_CreateContextBySymKey(type, operation, symKey, param);
loser:
if (symKey) {
PK11_FreeSymKey(symKey);
}
if (slot) {
PK11_FreeSlot(slot);
}
return context;
}
CryptoRc4
crypto_rc4_init(uint8 * key, uint32 len)
{
CryptoRc4 rc4 = xmalloc(sizeof(*rc4));
CK_MECHANISM_TYPE cipherMech = CKM_RC4;
PK11SlotInfo* slot = PK11_GetInternalKeySlot();
ASSERT(slot);
SECItem keyItem;
keyItem.type = siBuffer;
keyItem.data = key;
keyItem.len = len;
PK11SymKey* symKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, NULL);
ASSERT(symKey);
SECItem* secParam = PK11_ParamFromIV(cipherMech, NULL);
ASSERT(secParam);
rc4->context = PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, symKey, secParam);
ASSERT(rc4->context);
PK11_FreeSymKey(symKey);
SECITEM_FreeItem(secParam, PR_TRUE);
PK11_FreeSlot(slot);
return rc4;
}
/*
* before we do a private key op, we check to see if we
* need to reauthenticate.
*/
void
PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
{
int askpw = slot->askpw;
PRBool NeedAuth = PR_FALSE;
if (!slot->needLogin) return;
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
if (def_slot) {
askpw = def_slot->askpw;
PK11_FreeSlot(def_slot);
}
}
/* timeouts are handled by isLoggedIn */
if (!PK11_IsLoggedIn(slot,wincx)) {
NeedAuth = PR_TRUE;
} else if (askpw == -1) {
if (!PK11_Global.inTransaction ||
(PK11_Global.transaction != slot->authTransact)) {
PK11_EnterSlotMonitor(slot);
PK11_GETTAB(slot)->C_Logout(slot->session);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
NeedAuth = PR_TRUE;
}
}
if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
}
/*
* SVRCORE_DestroyPk11PinStore
*/
void
SVRCORE_DestroyPk11PinStore(SVRCOREPk11PinStore *store)
{
if (store == 0) return;
if (store->slot)
{
PK11_FreeSlot(store->slot);
}
if (store->params)
{
SECITEM_ZfreeItem(store->params, PR_TRUE);
}
if (store->key)
{
PK11_FreeSymKey(store->key);
}
if (store->crypt)
{
memset(store->crypt, 0, store->length);
free(store->crypt);
}
free(store);
}
/************************************************************************
*
* I n i t P W
*/
Error
InitPW(void)
{
PK11SlotInfo *slot;
Error ret = UNSPECIFIED_ERR;
slot = PK11_GetInternalKeySlot();
if (!slot) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal");
return NO_SUCH_TOKEN_ERR;
}
/* Set the initial password to empty */
if (PK11_NeedUserInit(slot)) {
if (PK11_InitPin(slot, NULL, "") != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]);
ret = INITPW_FAILED_ERR;
goto loser;
}
}
ret = SUCCESS;
loser:
PK11_FreeSlot(slot);
return ret;
}
static PK11Context*
sipe_crypt_ctx_create(CK_MECHANISM_TYPE cipherMech, const guchar *key, gsize key_length)
{
PK11SlotInfo* slot;
SECItem keyItem;
SECItem ivItem;
PK11SymKey* SymKey;
SECItem *SecParam;
PK11Context* EncContext;
/* For key */
slot = PK11_GetBestSlot(cipherMech, NULL);
keyItem.type = siBuffer;
keyItem.data = (unsigned char *)key;
keyItem.len = key_length;
SymKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap, CKA_ENCRYPT, &keyItem, NULL);
/* Parameter for crypto context */
ivItem.type = siBuffer;
ivItem.data = NULL;
ivItem.len = 0;
SecParam = PK11_ParamFromIV(cipherMech, &ivItem);
EncContext = PK11_CreateContextBySymKey(cipherMech, CKA_ENCRYPT, SymKey, SecParam);
PK11_FreeSymKey(SymKey);
SECITEM_FreeItem(SecParam, PR_TRUE);
PK11_FreeSlot(slot);
return EncContext;
}
static int nss_load_key(struct connectdata *conn, int sockindex,
char *key_file)
{
#ifdef HAVE_PK11_CREATEGENERICOBJECT
PK11SlotInfo *slot;
SECStatus status;
struct ssl_connect_data *ssl = conn->ssl;
if(CURLE_OK != nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE)) {
PR_SetError(SEC_ERROR_BAD_KEY, 0);
return 0;
}
slot = PK11_FindSlotByName("PEM Token #1");
if(!slot)
return 0;
/* This will force the token to be seen as re-inserted */
SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
PK11_IsPresent(slot);
status = PK11_Authenticate(slot, PR_TRUE,
conn->data->set.str[STRING_KEY_PASSWD]);
PK11_FreeSlot(slot);
return (SECSuccess == status) ? 1 : 0;
#else
/* If we don't have PK11_CreateGenericObject then we can't load a file-based
* key.
*/
(void)conn; /* unused */
(void)key_file; /* unused */
return 0;
#endif
}
static int init_nss_hash(knet_handle_t knet_h)
{
PK11SlotInfo* hash_slot = NULL;
SECItem hash_param;
struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
if (!hash_to_nss[instance->crypto_hash_type]) {
return 0;
}
hash_param.type = siBuffer;
hash_param.data = instance->private_key;
hash_param.len = instance->private_key_len;
hash_slot = PK11_GetBestSlot(hash_to_nss[instance->crypto_hash_type], NULL);
if (hash_slot == NULL) {
log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to find security slot (err %d)",
PR_GetError());
return -1;
}
instance->nss_sym_key_sign = PK11_ImportSymKey(hash_slot,
hash_to_nss[instance->crypto_hash_type],
PK11_OriginUnwrap, CKA_SIGN,
&hash_param, NULL);
if (instance->nss_sym_key_sign == NULL) {
log_err(knet_h, KNET_SUB_NSSCRYPTO, "Failure to import key into NSS (err %d)",
PR_GetError());
return -1;
}
PK11_FreeSlot(hash_slot);
return 0;
}
static int init_nss_crypto(knet_handle_t knet_h)
{
PK11SlotInfo* crypt_slot = NULL;
SECItem crypt_param;
struct nsscrypto_instance *instance = knet_h->crypto_instance->model_instance;
if (!cipher_to_nss[instance->crypto_cipher_type]) {
return 0;
}
crypt_param.type = siBuffer;
crypt_param.data = instance->private_key;
crypt_param.len = cipher_key_len[instance->crypto_cipher_type];
crypt_slot = PK11_GetBestSlot(cipher_to_nss[instance->crypto_cipher_type], NULL);
if (crypt_slot == NULL) {
log_err(knet_h, KNET_SUB_NSSCRYPTO, "Unable to find security slot (err %d)",
PR_GetError());
return -1;
}
instance->nss_sym_key = PK11_ImportSymKey(crypt_slot,
cipher_to_nss[instance->crypto_cipher_type],
PK11_OriginUnwrap, CKA_ENCRYPT|CKA_DECRYPT,
&crypt_param, NULL);
if (instance->nss_sym_key == NULL) {
log_err(knet_h, KNET_SUB_NSSCRYPTO, "Failure to import key into NSS (err %d)",
PR_GetError());
return -1;
}
PK11_FreeSlot(crypt_slot);
return 0;
}
PRBool sslint_DamageTrafficSecret(PRFileDesc *fd, size_t offset) {
unsigned char data[32] = {0};
PK11SymKey **keyPtr;
PK11SlotInfo *slot = PK11_GetInternalSlot();
SECItem key_item = {siBuffer, data, sizeof(data)};
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return PR_FALSE;
}
if (!slot) {
return PR_FALSE;
}
keyPtr = (PK11SymKey **)((char *)&ss->ssl3.hs + offset);
if (!*keyPtr) {
return PR_FALSE;
}
PK11_FreeSymKey(*keyPtr);
*keyPtr = PK11_ImportSymKey(slot, CKM_NSS_HKDF_SHA256, PK11_OriginUnwrap,
CKA_DERIVE, &key_item, NULL);
PK11_FreeSlot(slot);
if (!*keyPtr) {
return PR_FALSE;
}
return PR_TRUE;
}
NSS_IMPLEMENT PRStatus
nssDecodedPKIXCertificate_Destroy (
nssDecodedCert *dc
)
{
CERTCertificate *cert = (CERTCertificate *)dc->data;
/* The decoder may only be half initialized (the case where we find we
* could not decode the certificate). In this case, there is not cert to
* free, just free the dc structure. */
if (cert) {
PRBool freeSlot = cert->ownSlot;
PK11SlotInfo *slot = cert->slot;
PRArenaPool *arena = cert->arena;
/* zero cert before freeing. Any stale references to this cert
* after this point will probably cause an exception. */
PORT_Memset(cert, 0, sizeof *cert);
/* free the arena that contains the cert. */
PORT_FreeArena(arena, PR_FALSE);
if (slot && freeSlot) {
PK11_FreeSlot(slot);
}
}
nss_ZFreeIf(dc);
return PR_SUCCESS;
}
void nsPK11Token::destructorSafeDestroyNSSReference()
{
if (mSlot) {
PK11_FreeSlot(mSlot);
mSlot = nullptr;
}
}
void
crypto_rsa_encrypt(int len, uint8 * in, uint8 * out, uint32 modulus_size, uint8 * modulus, uint8 * exponent)
{
SECKEYPublicKey pubKey;
pubKey.arena = NULL;
pubKey.keyType = rsaKey;
pubKey.pkcs11Slot = NULL;
pubKey.pkcs11ID = CK_INVALID_HANDLE;
pubKey.u.rsa.arena = NULL;
pubKey.u.rsa.modulus.type = siUnsignedInteger;
pubKey.u.rsa.modulus.data = modulus;
pubKey.u.rsa.modulus.len = modulus_size;
pubKey.u.rsa.publicExponent.type = siUnsignedInteger;
pubKey.u.rsa.publicExponent.data = exponent;
pubKey.u.rsa.publicExponent.len = SEC_EXPONENT_SIZE;
ASSERT(modulus_size <= SEC_MAX_MODULUS_SIZE);
uint8 in_be[SEC_MAX_MODULUS_SIZE];
memset(in_be, 0, modulus_size - len); /* must be padded to modulus_size */
memcpy(in_be + modulus_size - len, in, len);
SECStatus s = PK11_PubEncryptRaw(&pubKey, out, in_be, modulus_size, NULL);
check(s, "Error rsa-encrypting");
ASSERT(pubKey.pkcs11Slot);
PK11_FreeSlot(pubKey.pkcs11Slot);
}
/*
* Digest contexts don't need keys, but the do need to find a slot.
* Macing should use PK11_CreateContextBySymKey.
*/
PK11Context *
PK11_CreateDigestContext(SECOidTag hashAlg)
{
/* digesting has to work without authentication to the slot */
CK_MECHANISM_TYPE type;
PK11SlotInfo *slot;
PK11Context *context;
SECItem param;
type = PK11_AlgtagToMechanism(hashAlg);
slot = PK11_GetBestSlot(type, NULL);
if (slot == NULL) {
PORT_SetError( SEC_ERROR_NO_MODULE );
return NULL;
}
/* maybe should really be PK11_GenerateNewParam?? */
param.data = NULL;
param.len = 0;
param.type = 0;
context = pk11_CreateNewContextInSlot(type, slot, CKA_DIGEST, NULL, ¶m);
PK11_FreeSlot(slot);
return context;
}
/*********************************************************************
*
* i n s t a l l _ c e r t
*
* Installs the cert in the permanent database.
*/
static CERTCertificate*
install_cert(CERTCertDBHandle *db, SECItem *derCert, char *nickname)
{
CERTCertificate * newcert;
PK11SlotInfo * newSlot;
newSlot = PK11_ImportDERCertForKey(derCert, nickname, &pwdata);
if ( newSlot == NULL ) {
PR_fprintf(errorFD, "Unable to install certificate\n");
errorCount++;
exit(ERRX);
}
newcert = PK11_FindCertFromDERCertItem(newSlot, derCert, &pwdata);
PK11_FreeSlot(newSlot);
if (newcert == NULL) {
PR_fprintf(errorFD, "%s: can't find new certificate\n",
PROGRAM_NAME);
errorCount++;
exit (ERRX);
}
if (verbosity >= 0) {
PR_fprintf(outputFD, "certificate \"%s\" added to database\n",
nickname);
}
return newcert;
}
char *oauth_body_hash_data(size_t length, const char *data) {
PK11SlotInfo *slot = NULL;
PK11Context *context = NULL;
unsigned char digest[20]; // Is there a way to tell how large the output is?
unsigned int len;
SECStatus s;
char *rv=NULL;
oauth_init_nss();
slot = PK11_GetInternalKeySlot();
if (!slot) goto looser;
context = PK11_CreateDigestContext(SEC_OID_SHA1);
if (!context) goto looser;
s = PK11_DigestBegin(context);
if (s != SECSuccess) goto looser;
s = PK11_DigestOp(context, (unsigned char*) data, length);
if (s != SECSuccess) goto looser;
s = PK11_DigestFinal(context, digest, &len, sizeof digest);
if (s != SECSuccess) goto looser;
unsigned char *dgst = xmalloc(len*sizeof(char)); // oauth_body_hash_encode frees the digest..
memcpy(dgst, digest, len);
rv=oauth_body_hash_encode(len, dgst);
looser:
if (context) PK11_DestroyContext(context, PR_TRUE);
if (slot) PK11_FreeSlot(slot);
return rv;
}
char *oauth_sign_rsa_sha1 (const char *m, const char *k) {
PK11SlotInfo *slot = NULL;
SECKEYPrivateKey *pkey = NULL;
SECItem signature;
SECStatus s;
SECItem der;
char *rv=NULL;
char *key = oauth_strip_pkcs(k, NS_PRIV_HEADER, NS_PRIV_TRAILER);
if (!key) return NULL;
oauth_init_nss();
slot = PK11_GetInternalKeySlot();
if (!slot) goto looser;
s = ATOB_ConvertAsciiToItem(&der, key);
if (s != SECSuccess) goto looser;
s = PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &der, NULL, NULL, PR_FALSE, PR_TRUE, KU_ALL, &pkey, NULL);
SECITEM_FreeItem(&der, PR_FALSE);
if (s != SECSuccess) goto looser;
if (!pkey) goto looser;
if (pkey->keyType != rsaKey) goto looser;
s = SEC_SignData(&signature, (unsigned char*) m, strlen(m), pkey, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE);
if (s != SECSuccess) goto looser;
rv=oauth_encode_base64(signature.len, signature.data);
SECITEM_FreeItem(&signature, PR_FALSE);
looser:
if (pkey) SECKEY_DestroyPrivateKey(pkey);
if (slot) PK11_FreeSlot(slot);
free(key);
return rv;
}
static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
char *key_file)
{
PK11SlotInfo *slot;
SECStatus status;
CURLcode rv;
struct ssl_connect_data *ssl = conn->ssl;
(void)sockindex; /* unused */
rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);
if(CURLE_OK != rv) {
PR_SetError(SEC_ERROR_BAD_KEY, 0);
return rv;
}
slot = PK11_FindSlotByName("PEM Token #1");
if(!slot)
return CURLE_SSL_CERTPROBLEM;
/* This will force the token to be seen as re-inserted */
SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
PK11_IsPresent(slot);
status = PK11_Authenticate(slot, PR_TRUE,
conn->data->set.str[STRING_KEY_PASSWD]);
PK11_FreeSlot(slot);
return (SECSuccess == status)
? CURLE_OK
: CURLE_SSL_CERTPROBLEM;
}
void nsProtectedAuthThread::Run(void)
{
// Login with null password. This call will also do C_Logout() but
// it is harmless here
mLoginResult = PK11_CheckUserPassword(mSlot, 0);
nsIObserver *observer = nsnull;
PR_Lock(mMutex);
mLoginReady = PR_TRUE;
mIAmRunning = PR_FALSE;
// Forget the slot
if (mSlot)
{
PK11_FreeSlot(mSlot);
mSlot = 0;
}
if (!mStatusObserverNotified)
{
observer = mStatusObserver;
}
mStatusObserver = nsnull;
mStatusObserverNotified = PR_TRUE;
PR_Unlock(mMutex);
if (observer)
observer->Observe(nsnull, "operation-completed", nsnull);
}
/* Generate a key pair, and then generate a subjectPublicKeyInfo
** for the public key in that pair. return all 3.
*/
CERTSubjectPublicKeyInfo *
GetSubjectPubKeyInfo(TESTKeyPair *pair)
{
CERTSubjectPublicKeyInfo *spki = NULL;
SECKEYPrivateKey *privKey = NULL;
SECKEYPublicKey *pubKey = NULL;
PK11SlotInfo *keySlot = NULL;
keySlot = PK11_GetInternalKeySlot();
PK11_Authenticate(keySlot, PR_FALSE, &pwdata);
if (!doingDSA) {
PK11RSAGenParams *rsaParams = GetRSAParams();
if (rsaParams == NULL) {
PK11_FreeSlot(keySlot);
return NULL;
}
privKey = PK11_GenerateKeyPair(keySlot, CKM_RSA_PKCS_KEY_PAIR_GEN,
(void*)rsaParams, &pubKey, PR_FALSE,
PR_FALSE, &pwdata);
} else {
PQGParams *dsaParams = GetDSAParams();
if (dsaParams == NULL) {
PK11_FreeSlot(keySlot);
return NULL;
}
privKey = PK11_GenerateKeyPair(keySlot, CKM_DSA_KEY_PAIR_GEN,
(void*)dsaParams, &pubKey, PR_FALSE,
PR_FALSE, &pwdata);
}
PK11_FreeSlot(keySlot);
if (privKey == NULL || pubKey == NULL) {
if (pubKey) {
SECKEY_DestroyPublicKey(pubKey);
}
if (privKey) {
SECKEY_DestroyPrivateKey(privKey);
}
return NULL;
}
spki = SECKEY_CreateSubjectPublicKeyInfo(pubKey);
pair->privKey = privKey;
pair->pubKey = pubKey;
return spki;
}
PRBool PK11_NeedPWInit()
{
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
PRBool ret = PK11_NeedPWInitForSlot(slot);
PK11_FreeSlot(slot);
return ret;
}
static void
vcard_emul_delete_card(VCardEmul *vcard_emul)
{
PK11SlotInfo *slot = (PK11SlotInfo *)vcard_emul;
if (slot == NULL) {
return;
}
PK11_FreeSlot(slot);
}
static int sss_nss_crypto_ctx_destructor(struct sss_nss_crypto_ctx *cctx)
{
if (cctx->ectx) PK11_DestroyContext(cctx->ectx, PR_TRUE);
if (cctx->sparam) SECITEM_FreeItem(cctx->sparam, PR_TRUE);
if (cctx->slot) PK11_FreeSlot(cctx->slot);
if (cctx->keyobj) PK11_FreeSymKey(cctx->keyobj);
return EOK;
}
SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type,
PRFileDesc *inFile, PRInt32 importOptions, PRInt32 decodeOptions)
{
CERTSignedCrl *crl = NULL;
SECItem crlDER;
PK11SlotInfo* slot = NULL;
int rv;
#if defined(DEBUG_jp96085)
PRIntervalTime starttime, endtime, elapsed;
PRUint32 mins, secs, msecs;
#endif
crlDER.data = NULL;
/* Read in the entire file specified with the -f argument */
rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
if (rv != SECSuccess) {
SECU_PrintError(progName, "unable to read input file");
return (SECFailure);
}
decodeOptions |= CRL_DECODE_DONT_COPY_DER;
slot = PK11_GetInternalKeySlot();
#if defined(DEBUG_jp96085)
starttime = PR_IntervalNow();
#endif
crl = PK11_ImportCRL(slot, &crlDER, url, type,
NULL, importOptions, NULL, decodeOptions);
#if defined(DEBUG_jp96085)
endtime = PR_IntervalNow();
elapsed = endtime - starttime;
mins = PR_IntervalToSeconds(elapsed) / 60;
secs = PR_IntervalToSeconds(elapsed) % 60;
msecs = PR_IntervalToMilliseconds(elapsed) % 1000;
printf("Elapsed : %2d:%2d.%3d\n", mins, secs, msecs);
#endif
if (!crl) {
const char *errString;
rv = SECFailure;
errString = SECU_Strerror(PORT_GetError());
if ( errString && PORT_Strlen (errString) == 0)
SECU_PrintError (progName,
"CRL is not imported (error: input CRL is not up to date.)");
else
SECU_PrintError (progName, "unable to import CRL");
} else {
SEC_DestroyCrl (crl);
}
if (slot) {
PK11_FreeSlot(slot);
}
return (rv);
}
NS_IMETHODIMP
nsKeyObjectFactory::KeyFromString(PRInt16 aAlgorithm, const nsACString & aKey,
nsIKeyObject **_retval)
{
CK_MECHANISM_TYPE cipherMech;
CK_ATTRIBUTE_TYPE cipherOperation;
switch (aAlgorithm)
{
case nsIKeyObject::HMAC:
cipherMech = CKM_GENERIC_SECRET_KEY_GEN;
cipherOperation = CKA_SIGN;
break;
case nsIKeyObject::RC4:
cipherMech = CKM_RC4;
cipherOperation = CKA_ENCRYPT;
break;
default:
return NS_ERROR_INVALID_ARG;
}
nsresult rv;
nsCOMPtr<nsIKeyObject> key =
do_CreateInstance(NS_KEYMODULEOBJECT_CONTRACTID, &rv);
NS_ENSURE_SUCCESS(rv, rv);
// Convert the raw string into a SECItem
const nsCString& flatKey = PromiseFlatCString(aKey);
SECItem keyItem;
keyItem.data = (unsigned char*)flatKey.get();
keyItem.len = flatKey.Length();
PK11SlotInfo *slot = nullptr;
slot = PK11_GetBestSlot(cipherMech, nullptr);
if (!slot) {
NS_ERROR("no slot");
return NS_ERROR_FAILURE;
}
PK11SymKey* symKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap,
cipherOperation, &keyItem, nullptr);
// cleanup code
if (slot)
PK11_FreeSlot(slot);
if (!symKey) {
return NS_ERROR_FAILURE;
}
rv = key->InitKey(aAlgorithm, (void*)symKey);
NS_ENSURE_SUCCESS(rv, rv);
key.swap(*_retval);
return NS_OK;
}
static void free_PK11_ctx(struct PK11_ctx *ctx) {
if(!ctx)
return;
if(ctx->list)
CERT_DestroyCertList(ctx->list);
if(ctx->obj)
PK11_DestroyGenericObject(ctx->obj);
if(ctx->slot)
PK11_FreeSlot(ctx->slot);
}
