SECKEYPrivateKey* CryptoKey::PrivateKeyFromPkcs8(CryptoBuffer& aKeyData, const nsNSSShutDownPreventionLock& /*proofOfLock*/) { SECKEYPrivateKey* privKey; ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); if (!arena) { return nullptr; } SECItem pkcs8Item = { siBuffer, nullptr, 0 }; if (!aKeyData.ToSECItem(arena, &pkcs8Item)) { return nullptr; } // Allow everything, we enforce usage ourselves unsigned int usage = KU_ALL; SECStatus rv = PK11_ImportDERPrivateKeyInfoAndReturnKey( slot.get(), &pkcs8Item, nullptr, nullptr, false, false, usage, &privKey, nullptr); if (rv == SECFailure) { return nullptr; } return privKey; }
char *oauth_sign_rsa_sha1 (const char *m, const char *k) { PK11SlotInfo *slot = NULL; SECKEYPrivateKey *pkey = NULL; SECItem signature; SECStatus s; SECItem der; char *rv=NULL; char *key = oauth_strip_pkcs(k, NS_PRIV_HEADER, NS_PRIV_TRAILER); if (!key) return NULL; oauth_init_nss(); slot = PK11_GetInternalKeySlot(); if (!slot) goto looser; s = ATOB_ConvertAsciiToItem(&der, key); if (s != SECSuccess) goto looser; s = PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &der, NULL, NULL, PR_FALSE, PR_TRUE, KU_ALL, &pkey, NULL); SECITEM_FreeItem(&der, PR_FALSE); if (s != SECSuccess) goto looser; if (!pkey) goto looser; if (pkey->keyType != rsaKey) goto looser; s = SEC_SignData(&signature, (unsigned char*) m, strlen(m), pkey, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE); if (s != SECSuccess) goto looser; rv=oauth_encode_base64(signature.len, signature.data); SECITEM_FreeItem(&signature, PR_FALSE); looser: if (pkey) SECKEY_DestroyPrivateKey(pkey); if (slot) PK11_FreeSlot(slot); free(key); return rv; }
SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, SECItem *derPKI, SECItem *nickname, SECItem *publicValue, PRBool isPerm, PRBool isPrivate, unsigned int keyUsage, void *wincx) { return PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, derPKI, nickname, publicValue, isPerm, isPrivate, keyUsage, NULL, wincx); }
int main(int argc, char **argv) { if (NSS_NoDB_Init(NULL) != SECSuccess) { printf(" >>> NSS_NoDB_Init() failed.\n"); return 1; } if (argc < 3) { printf(" >>> I need a DER encoded file to read and have to know what to do with it [decode, private]!\n"); return 1; } PRFileDesc* file = PR_Open(argv[1], PR_RDONLY, 0); SECItem data = {0, NULL, 0}; if (SECU_ReadDERFromFile(&data, file, PR_FALSE, PR_FALSE) != SECSuccess) { printf(" >>> SECU_ReadDERFromFile() failed.\n"); return 1; } PR_Close(file); if (strcmp(argv[2], "decode") == 0) { CERTCertificate *cert = CERT_DecodeCertFromPackage((char*)data.data, data.len); if (cert){ printf(" >>> read cert!\n"); printf(" >>> SN: %s\n", cert->subjectName); printf(" >>> IN: %s\n", cert->issuerName); CERT_DestroyCertificate(cert); } else { printf(" >>> CERT_DecodeCertFromPackage failed.\n"); SECITEM_FreeItem(&data, PR_FALSE); return 1; } } if (argv[2] == "private") { PK11SlotInfo* slot = PK11_GetInternalSlot(); if (!slot) { printf(" >>> PK11_GetInternalSlot() failed.\n"); SECITEM_FreeItem(&data, PR_FALSE); return 1; } SECKEYPrivateKey* privKey; if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &data, NULL, NULL, PR_FALSE, PR_FALSE, KU_ALL, &privKey, NULL) != SECSuccess) { printf(" >>> PK11_ImportDERPrivateKeyInfoAndReturnKey() failed.\n"); SECITEM_FreeItem(&data, PR_FALSE); return 1; } } printf(" !!! Done.\n"); return 0; }
SECKEYPrivateKey* CryptoKey::PrivateKeyFromPkcs8(CryptoBuffer& aKeyData, const nsNSSShutDownPreventionLock& /*proofOfLock*/) { SECKEYPrivateKey* privKey; ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); ScopedSECItem pkcs8Item(aKeyData.ToSECItem()); if (!pkcs8Item) { return nullptr; } // Allow everything, we enforce usage ourselves unsigned int usage = KU_ALL; nsresult rv = MapSECStatus(PK11_ImportDERPrivateKeyInfoAndReturnKey( slot.get(), pkcs8Item.get(), nullptr, nullptr, false, false, usage, &privKey, nullptr)); if (NS_FAILED(rv)) { return nullptr; } return privKey; }
SECStatus AddKeyFromFile(const char* basePath, const char* filename) { const char* PRIVATE_KEY_HEADER = "-----BEGIN PRIVATE KEY-----"; const char* PRIVATE_KEY_FOOTER = "-----END PRIVATE KEY-----"; char buf[16384] = { 0 }; SECStatus rv = ReadFileToBuffer(basePath, filename, buf); if (rv != SECSuccess) { return rv; } if (strncmp(buf, PRIVATE_KEY_HEADER, strlen(PRIVATE_KEY_HEADER)) != 0) { PR_fprintf(PR_STDERR, "invalid key - not importing\n"); return SECFailure; } const char* bufPtr = buf + strlen(PRIVATE_KEY_HEADER); size_t bufLen = strlen(buf); char base64[16384] = { 0 }; char* base64Ptr = base64; while (bufPtr < buf + bufLen) { if (strncmp(bufPtr, PRIVATE_KEY_FOOTER, strlen(PRIVATE_KEY_FOOTER)) == 0) { break; } if (*bufPtr != '\r' && *bufPtr != '\n') { *base64Ptr = *bufPtr; base64Ptr++; } bufPtr++; } unsigned int binLength; UniquePORTString bin( reinterpret_cast<char*>(ATOB_AsciiToData(base64, &binLength))); if (!bin || binLength == 0) { PrintPRError("ATOB_AsciiToData failed"); return SECFailure; } ScopedSECItem secitem(::SECITEM_AllocItem(nullptr, nullptr, binLength)); if (!secitem) { PrintPRError("SECITEM_AllocItem failed"); return SECFailure; } PORT_Memcpy(secitem->data, bin.get(), binLength); ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { PrintPRError("PK11_GetInternalKeySlot failed"); return SECFailure; } if (PK11_NeedUserInit(slot)) { if (PK11_InitPin(slot, nullptr, nullptr) != SECSuccess) { PrintPRError("PK11_InitPin failed"); return SECFailure; } } SECKEYPrivateKey* privateKey; if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, secitem, nullptr, nullptr, true, false, KU_ALL, &privateKey, nullptr) != SECSuccess) { PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed"); return SECFailure; } SECKEY_DestroyPrivateKey(privateKey); return SECSuccess; }