SECKEYPublicKey*
CryptoKey::PublicKeyFromSpki(CryptoBuffer& aKeyData,
const nsNSSShutDownPreventionLock& /*proofOfLock*/)
{
ScopedSECItem spkiItem(aKeyData.ToSECItem());
if (!spkiItem) {
return nullptr;
}
ScopedCERTSubjectPublicKeyInfo spki(SECKEY_DecodeDERSubjectPublicKeyInfo(spkiItem.get()));
if (!spki) {
return nullptr;
}
// Check for id-ecDH. Per the WebCrypto spec we must support it but NSS
// does unfortunately not know about it. Let's change the algorithm to
// id-ecPublicKey to make NSS happy.
if (SECITEM_ItemsAreEqual(&SEC_OID_DATA_EC_DH, &spki->algorithm.algorithm)) {
// Retrieve OID data for id-ecPublicKey (1.2.840.10045.2.1).
SECOidData* oidData = SECOID_FindOIDByTag(SEC_OID_ANSIX962_EC_PUBLIC_KEY);
if (!oidData) {
return nullptr;
}
SECStatus rv = SECITEM_CopyItem(spki->arena, &spki->algorithm.algorithm,
&oidData->oid);
if (rv != SECSuccess) {
return nullptr;
}
}
return SECKEY_ExtractPublicKey(spki.get());
}
/*
* SecCmsAlgArrayGetIndexByAlgTag - find a specific algorithm in an array of
* algorithms.
*
* algorithmArray - array of algorithm IDs
* algtag - algorithm tag of algorithm to pick
*
* Returns:
* An integer containing the index of the algorithm in the array or -1 if
* algorithm was not found.
*/
int
SecCmsAlgArrayGetIndexByAlgTag(SECAlgorithmID **algorithmArray,
SECOidTag algtag)
{
SECOidData *algid;
int i = -1;
if (algorithmArray == NULL || algorithmArray[0] == NULL)
return i;
#ifdef ORDER_N_SQUARED
for (i = 0; algorithmArray[i] != NULL; i++) {
algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
if (algid->offset == algtag)
break; /* bingo */
}
#else
algid = SECOID_FindOIDByTag(algtag);
if (!algid)
return i;
for (i = 0; algorithmArray[i] != NULL; i++) {
if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid))
break; /* bingo */
}
#endif
if (algorithmArray[i] == NULL)
return -1; /* not found */
return i;
}
NS_IMETHODIMP
nsNSSCertificate::GetValidEVPolicyOid(nsACString &outDottedOid)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
SECOidTag oid_tag;
PRBool valid;
nsresult rv = getValidEVOidTag(oid_tag, valid);
if (NS_FAILED(rv))
return rv;
if (valid) {
SECOidData *oid_data = SECOID_FindOIDByTag(oid_tag);
if (!oid_data)
return NS_ERROR_FAILURE;
char *oid_str = CERT_GetOidString(&oid_data->oid);
if (!oid_str)
return NS_ERROR_FAILURE;
outDottedOid = oid_str;
PR_smprintf_free(oid_str);
}
return NS_OK;
}
static SECOidData *
HashTypeToOID(HASH_HashType hashtype)
{
SECOidTag hashtag;
if (hashtype <= HASH_AlgNULL || hashtype >= HASH_AlgTOTAL)
return NULL;
switch (hashtype) {
case HASH_AlgMD2:
hashtag = SEC_OID_MD2;
break;
case HASH_AlgMD5:
hashtag = SEC_OID_MD5;
break;
case HASH_AlgSHA1:
hashtag = SEC_OID_SHA1;
break;
default:
fprintf(stderr, "A new hash type has been added to HASH_HashType.\n");
fprintf(stderr, "This program needs to be updated!\n");
return NULL;
}
return SECOID_FindOIDByTag(hashtag);
}
// Find the first policy OID that is known to be an EV policy OID.
SECStatus
GetFirstEVPolicy(CERTCertificate* cert,
/*out*/ mozilla::pkix::CertPolicyId& policy,
/*out*/ SECOidTag& policyOidTag)
{
if (!cert) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
if (cert->extensions) {
for (int i=0; cert->extensions[i]; i++) {
const SECItem* oid = &cert->extensions[i]->id;
SECOidTag oidTag = SECOID_FindOIDTag(oid);
if (oidTag != SEC_OID_X509_CERTIFICATE_POLICIES)
continue;
SECItem* value = &cert->extensions[i]->value;
CERTCertificatePolicies* policies;
CERTPolicyInfo** policyInfos;
policies = CERT_DecodeCertificatePoliciesExtension(value);
if (!policies)
continue;
policyInfos = policies->policyInfos;
bool found = false;
while (*policyInfos) {
const CERTPolicyInfo* policyInfo = *policyInfos++;
SECOidTag oid_tag = policyInfo->oid;
if (oid_tag != SEC_OID_UNKNOWN && isEVPolicy(oid_tag)) {
const SECOidData* oidData = SECOID_FindOIDByTag(oid_tag);
PR_ASSERT(oidData);
PR_ASSERT(oidData->oid.data);
PR_ASSERT(oidData->oid.len > 0);
PR_ASSERT(oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES);
if (oidData && oidData->oid.data && oidData->oid.len > 0 &&
oidData->oid.len <= mozilla::pkix::CertPolicyId::MAX_BYTES) {
policy.numBytes = static_cast<uint16_t>(oidData->oid.len);
memcpy(policy.bytes, oidData->oid.data, policy.numBytes);
policyOidTag = oid_tag;
found = true;
}
break;
}
}
CERT_DestroyCertificatePoliciesExtension(policies);
if (found) {
return SECSuccess;
}
}
}
PR_SetError(SEC_ERROR_POLICY_VALIDATION_FAILED, 0);
return SECFailure;
}
SECOidData *
NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo)
{
SECOidData *algdata;
SECOidTag algtag;
algdata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
if (algdata == NULL) {
return algdata;
}
/* Windows may have given us a signer algorithm oid instead of a digest
* algorithm oid. This call will map to a signer oid to a digest one,
* otherwise it leaves the oid alone and let the chips fall as they may
* if it's not a digest oid.
*/
algtag = NSS_CMSUtil_MapSignAlgs(algdata->offset);
if (algtag != algdata->offset) {
/* if the tags don't match, then we must have received a signer
* algorithID. Now we need to get the oid data for the digest
* oid, which the rest of the code is expecting */
algdata = SECOID_FindOIDByTag(algtag);
}
return algdata;
}
SECStatus
ssl3_ECName2Params(PLArenaPool * arena, ECName curve, SECKEYECParams * params)
{
SECOidData *oidData = NULL;
PRUint32 policyFlags = 0;
if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
if (NSS_GetAlgorithmPolicy(ecName2OIDTag[curve], &policyFlags) == SECFailure ||
!(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
return SECSuccess;
}
OSStatus
SecCmsContentInfoSetContentOther(SecCmsMessageRef cmsg, SecCmsContentInfoRef cinfo, CSSM_DATA_PTR data, Boolean detached, const CSSM_OID *eContentType)
{
SECStatus srtn;
SECOidData *tmpOidData;
/* just like SecCmsContentInfoSetContentData, except override the contentType and
* contentTypeTag. This OID is for encoding... */
srtn = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), eContentType);
if (srtn != SECSuccess) {
return memFullErr;
}
/* this serves up a contentTypeTag with an empty OID */
tmpOidData = SECOID_FindOIDByTag(SEC_OID_OTHER);
/* but that's const: cook up a new one we can write to */
cinfo->contentTypeTag = (SECOidData *)PORT_ArenaZAlloc(cmsg->poolp, sizeof(SECOidData));
*cinfo->contentTypeTag = *tmpOidData;
/* now fill in the OID */
srtn = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentTypeTag->oid), eContentType);
if (srtn != SECSuccess) {
return memFullErr;
}
cinfo->content.pointer = data;
cinfo->rawContent = (detached) ?
NULL : (data) ?
data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
return noErr;
}
SECStatus
ssl_NamedGroup2ECParams(PLArenaPool *arena, const sslNamedGroupDef *ecGroup,
SECKEYECParams *params)
{
SECOidData *oidData = NULL;
if (!params) {
PORT_Assert(0);
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (!ecGroup || ecGroup->keaType != ssl_kea_ecdh ||
(oidData = SECOID_FindOIDByTag(ecGroup->oidTag)) == NULL) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
if (SECITEM_AllocItem(arena, params, (2 + oidData->oid.len)) == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
return SECSuccess;
}
/*
* SecCmsContentInfoSetContent - set content type & content
*/
OSStatus
SecCmsContentInfoSetContent(SecCmsMessageRef cmsg, SecCmsContentInfoRef cinfo, SECOidTag type, void *ptr)
{
OSStatus rv;
cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
if (cinfo->contentTypeTag == NULL)
return paramErr;
/* do not copy the oid, just create a reference */
rv = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
if (rv != SECSuccess)
return memFullErr;
cinfo->content.pointer = ptr;
if (type != SEC_OID_PKCS7_DATA) {
/* as we always have some inner data,
* we need to set it to something, just to fool the encoder enough to work on it
* and get us into nss_cms_encoder_notify at that point */
cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
if (cinfo->rawContent == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return memFullErr;
}
}
return noErr;
}
/*
* NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities for this instance of NSS
*
* scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
* S/MIME capabilities attribute value.
*
* XXX Please note that, in contradiction to RFC2633 2.5.2, the capabilities only include
* symmetric ciphers, NO signature algorithms or key encipherment algorithms.
*
* "poolp" - arena pool to create the S/MIME capabilities data on
* "dest" - SECItem to put the data in
*/
SECStatus
NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest)
{
NSSSMIMECapability *cap;
NSSSMIMECapability **smime_capabilities;
smime_cipher_map_entry *map;
SECOidData *oiddata;
SECItem *dummy;
int i, capIndex;
/* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */
/* smime_cipher_map_count + 1 is an upper bound - we might end up with less */
smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1)
* sizeof(NSSSMIMECapability *));
if (smime_capabilities == NULL)
return SECFailure;
capIndex = 0;
/* Add all the symmetric ciphers
* We walk the cipher list backwards, as it is ordered by increasing strength,
* we prefer the stronger cipher over a weaker one, and we have to list the
* preferred algorithm first */
for (i = smime_cipher_map_count - 1; i >= 0; i--) {
/* Find the corresponding entry in the cipher map. */
map = &(smime_cipher_map[i]);
if (!map->enabled)
continue;
/* get next SMIME capability */
cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability));
if (cap == NULL)
break;
smime_capabilities[capIndex++] = cap;
oiddata = SECOID_FindOIDByTag(map->algtag);
if (oiddata == NULL)
break;
cap->capabilityID.data = oiddata->oid.data;
cap->capabilityID.len = oiddata->oid.len;
cap->parameters.data = map->parms ? map->parms->data : NULL;
cap->parameters.len = map->parms ? map->parms->len : 0;
cap->cipher = smime_cipher_map[i].cipher;
}
/* XXX add signature algorithms */
/* XXX add key encipherment algorithms */
smime_capabilities[capIndex] = NULL; /* last one - now encode */
dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate);
/* now that we have the proper encoded SMIMECapabilities (or not),
* free the work data */
for (i = 0; smime_capabilities[i] != NULL; i++)
PORT_Free(smime_capabilities[i]);
PORT_Free(smime_capabilities);
return (dummy == NULL) ? SECFailure : SECSuccess;
}
int
generate_algorithm_id(cms_context *ctx, SECAlgorithmID *idp, SECOidTag tag)
{
SECAlgorithmID id;
if (!idp)
return -1;
SECOidData *oiddata;
oiddata = SECOID_FindOIDByTag(tag);
if (!oiddata) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return -1;
}
if (SECITEM_CopyItem(ctx->arena, &id.algorithm, &oiddata->oid))
return -1;
SECITEM_AllocItem(ctx->arena, &id.parameters, 2);
if (id.parameters.data == NULL)
goto err;
id.parameters.data[0] = SEC_ASN1_NULL;
id.parameters.data[1] = 0;
id.parameters.type = siBuffer;
memcpy(idp, &id, sizeof (id));
return 0;
err:
SECITEM_FreeItem(&id.algorithm, PR_FALSE);
return -1;
}
static SECStatus
SetupAVAType(PRArenaPool *arena, SECOidTag type, SECItem *it, unsigned *maxLenp)
{
unsigned char *oid;
unsigned oidLen;
unsigned char *cp;
int maxLen;
SECOidData *oidrec;
oidrec = SECOID_FindOIDByTag(type);
if (oidrec == NULL)
return SECFailure;
oid = oidrec->oid.data;
oidLen = oidrec->oid.len;
maxLen = cert_AVAOidTagToMaxLen(type);
if (maxLen < 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
it->data = cp = (unsigned char*) PORT_ArenaAlloc(arena, oidLen);
if (cp == NULL) {
return SECFailure;
}
it->len = oidLen;
PORT_Memcpy(cp, oid, oidLen);
*maxLenp = (unsigned)maxLen;
return SECSuccess;
}
/* turn an OID algorithm tag into a PKCS #11 mechanism. This allows us to
* map OID's directly into the PKCS #11 mechanism we want to call. We find
* this mapping in our standard OID table */
CK_MECHANISM_TYPE
PK11_AlgtagToMechanism(SECOidTag algTag) {
SECOidData *oid = SECOID_FindOIDByTag(algTag);
if (oid) return (CK_MECHANISM_TYPE) oid->mechanism;
return CKM_INVALID_MECHANISM;
}
UniqueSECKEYPublicKey
CryptoKey::PublicKeyFromSpki(CryptoBuffer& aKeyData,
const nsNSSShutDownPreventionLock& /*proofOfLock*/)
{
UniquePLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
if (!arena) {
return nullptr;
}
SECItem spkiItem = { siBuffer, nullptr, 0 };
if (!aKeyData.ToSECItem(arena.get(), &spkiItem)) {
return nullptr;
}
UniqueCERTSubjectPublicKeyInfo spki(
SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
if (!spki) {
return nullptr;
}
bool isECDHAlgorithm = SECITEM_ItemsAreEqual(&SEC_OID_DATA_EC_DH,
&spki->algorithm.algorithm);
bool isDHAlgorithm = SECITEM_ItemsAreEqual(&SEC_OID_DATA_DH_KEY_AGREEMENT,
&spki->algorithm.algorithm);
// Check for |id-ecDH| and |dhKeyAgreement|. Per the WebCrypto spec we must
// support these OIDs but NSS does unfortunately not know about them. Let's
// change the algorithm to |id-ecPublicKey| or |dhPublicKey| to make NSS happy.
if (isECDHAlgorithm || isDHAlgorithm) {
SECOidTag oid = SEC_OID_UNKNOWN;
if (isECDHAlgorithm) {
oid = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
} else if (isDHAlgorithm) {
oid = SEC_OID_X942_DIFFIE_HELMAN_KEY;
} else {
MOZ_ASSERT(false);
}
SECOidData* oidData = SECOID_FindOIDByTag(oid);
if (!oidData) {
return nullptr;
}
SECStatus rv = SECITEM_CopyItem(spki->arena, &spki->algorithm.algorithm,
&oidData->oid);
if (rv != SECSuccess) {
return nullptr;
}
}
UniqueSECKEYPublicKey tmp(SECKEY_ExtractPublicKey(spki.get()));
if (!tmp.get() || !PublicKeyValid(tmp.get())) {
return nullptr;
}
return UniqueSECKEYPublicKey(SECKEY_CopyPublicKey(tmp.get()));
}
static CK_MECHANISM_TYPE
crmf_get_pad_mech_from_tag(SECOidTag oidTag)
{
CK_MECHANISM_TYPE mechType;
SECOidData *oidData;
oidData = SECOID_FindOIDByTag(oidTag);
mechType = (CK_MECHANISM_TYPE)oidData->mechanism;
return PK11_GetPadMechanism(mechType);
}
static SECStatus
crmf_add_new_control(CRMFCertRequest *inCertReq,SECOidTag inTag,
CRMFControl **destControl)
{
SECOidData *oidData;
SECStatus rv;
PRArenaPool *poolp;
int numControls = 0;
CRMFControl *newControl;
CRMFControl **controls;
void *mark;
poolp = inCertReq->poolp;
if (poolp == NULL) {
return SECFailure;
}
mark = PORT_ArenaMark(poolp);
if (inCertReq->controls != NULL) {
while (inCertReq->controls[numControls] != NULL)
numControls++;
}
rv = crmf_modify_control_array(inCertReq, numControls);
if (rv != SECSuccess) {
goto loser;
}
controls = inCertReq->controls;
oidData = SECOID_FindOIDByTag(inTag);
newControl = *destControl = PORT_ArenaZNew(poolp,CRMFControl);
if (newControl == NULL) {
goto loser;
}
rv = SECITEM_CopyItem(poolp, &newControl->derTag, &oidData->oid);
if (rv != SECSuccess) {
goto loser;
}
newControl->tag = inTag;
controls[numControls] = newControl;
controls[numControls+1] = NULL;
PORT_ArenaUnmark(poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease(poolp, mark);
*destControl = NULL;
return SECFailure;
}
static
SECStatus
OurVerifyData(unsigned char *buf, int len, SECKEYPublicKey *key,
SECItem *sig, SECAlgorithmID *sigAlgorithm)
{
SECStatus rv;
VFYContext *cx;
SECOidData *sigAlgOid, *oiddata;
SECOidTag sigAlgTag;
SECOidTag hashAlgTag;
int showDigestOid=0;
cx = VFY_CreateContextWithAlgorithmID(key, sig, sigAlgorithm, &hashAlgTag,
NULL);
if (cx == NULL)
return SECFailure;
sigAlgOid = SECOID_FindOID(&sigAlgorithm->algorithm);
if (sigAlgOid == 0)
return SECFailure;
sigAlgTag = sigAlgOid->offset;
if (showDigestOid) {
oiddata = SECOID_FindOIDByTag(hashAlgTag);
if ( oiddata ) {
printf("PROBLEM: (cont) Digest OID is %s\n", oiddata->desc);
} else {
SECU_PrintAsHex(stdout,
&oiddata->oid, "PROBLEM: UNKNOWN OID", 0);
}
}
rv = VFY_Begin(cx);
if (rv == SECSuccess) {
rv = VFY_Update(cx, buf, len);
if (rv == SECSuccess)
rv = VFY_End(cx);
}
VFY_DestroyContext(cx, PR_TRUE);
return rv;
}
/*
* SecCmsAttributeCreate - create an attribute
*
* if value is NULL, the attribute won't have a value. It can be added later
* with SecCmsAttributeAddValue.
*/
SecCmsAttribute *
SecCmsAttributeCreate(PRArenaPool *poolp, SECOidTag oidtag, CSSM_DATA_PTR value, Boolean encoded)
{
SecCmsAttribute *attr;
CSSM_DATA_PTR copiedvalue;
void *mark;
PORT_Assert (poolp != NULL);
mark = PORT_ArenaMark (poolp);
attr = (SecCmsAttribute *)PORT_ArenaZAlloc(poolp, sizeof(SecCmsAttribute));
if (attr == NULL)
goto loser;
attr->typeTag = SECOID_FindOIDByTag(oidtag);
if (attr->typeTag == NULL)
goto loser;
if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess)
goto loser;
if (value != NULL) {
if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, (unsigned int)value->Length)) == NULL)
goto loser;
if (SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess)
goto loser;
SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)copiedvalue);
}
attr->encoded = encoded;
PORT_ArenaUnmark (poolp, mark);
return attr;
loser:
PORT_Assert (mark != NULL);
PORT_ArenaRelease (poolp, mark);
return NULL;
}
SECStatus
ssl_NamedGroup2ECParams(PLArenaPool *arena, const namedGroupDef *ecGroup,
SECKEYECParams *params)
{
SECOidData *oidData = NULL;
PRUint32 policyFlags = 0;
SECStatus rv;
if (!params) {
PORT_Assert(0);
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (!ecGroup || ecGroup->type != group_type_ec ||
(oidData = SECOID_FindOIDByTag(ecGroup->oidTag)) == NULL) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
rv = NSS_GetAlgorithmPolicy(ecGroup->oidTag, &policyFlags);
if (rv == SECSuccess && !(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
if (SECITEM_AllocItem(arena, params, (2 + oidData->oid.len)) == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
return SECSuccess;
}
static void nss_ecp_calc_secret(const struct dh_desc *group,
SECKEYPrivateKey **privk,
SECKEYPublicKey **pubk,
uint8_t *ke, size_t sizeof_ke)
{
passert(sizeof_ke == group->bytes);
/*
* Get the PK11 formatted EC parameters (stored in static
* data) from NSS.
*/
DBG(DBG_CRYPT, DBG_log("oid %d %x", group->nss_oid, group->nss_oid));
SECOidData *pk11_data = SECOID_FindOIDByTag(group->nss_oid);
if (pk11_data == NULL) {
PASSERT_FAIL("Lookup of OID %d for EC group %s parameters failed",
group->nss_oid, group->common.name);
}
LSWDBGP(DBG_CRYPT, buf) {
lswlogs(buf, "pk11_data->oid: ");
lswlog_nss_secitem(buf, &pk11_data->oid);
}
/*
* NSS_CMSAttribute_Create - create an attribute
*
* if value is NULL, the attribute won't have a value. It can be added later
* with NSS_CMSAttribute_AddValue.
*/
NSSCMSAttribute *
NSS_CMSAttribute_Create(PRArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded)
{
NSSCMSAttribute *attr;
SECItem *copiedvalue;
void *mark;
PORT_Assert (poolp != NULL);
mark = PORT_ArenaMark (poolp);
attr = (NSSCMSAttribute *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSAttribute));
if (attr == NULL)
goto loser;
attr->typeTag = SECOID_FindOIDByTag(oidtag);
if (attr->typeTag == NULL)
goto loser;
if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess)
goto loser;
if (value != NULL) {
if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL)
goto loser;
if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess)
goto loser;
}
attr->encoded = encoded;
PORT_ArenaUnmark (poolp, mark);
return attr;
loser:
PORT_Assert (mark != NULL);
PORT_ArenaRelease (poolp, mark);
return NULL;
}
/*
* FUNCTION: PKIX_PL_OID_Create (see comments in pkix_pl_system.h)
*/
PKIX_Error *
PKIX_PL_OID_Create(
SECOidTag idtag,
PKIX_PL_OID **pOID,
void *plContext)
{
SECOidData *oidData = NULL;
PKIX_ENTER(OID, "PKIX_PL_OID_Create");
PKIX_NULLCHECK_ONE(pOID);
oidData = SECOID_FindOIDByTag((SECOidTag)idtag);
if (!oidData) {
PKIX_ERROR(PKIX_SECOIDFINDOIDTAGDESCRIPTIONFAILED);
}
pkixErrorResult =
PKIX_PL_OID_CreateBySECItem(&oidData->oid, pOID, plContext);
cleanup:
PKIX_RETURN(OID);
}
SECStatus
NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
{
SECStatus rv;
if (!sigd) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo);
if (rv != SECSuccess) {
return SECFailure;
}
/* handle issue with Windows 2003 servers and kerberos */
if (sigd->digestAlgorithms != NULL) {
int i;
for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
SECAlgorithmID *algid = sigd->digestAlgorithms[i];
SECOidTag senttag= SECOID_FindOIDTag(&algid->algorithm);
SECOidTag maptag = NSS_CMSUtil_MapSignAlgs(senttag);
if (maptag != senttag) {
SECOidData *hashoid = SECOID_FindOIDByTag(maptag);
rv = SECITEM_CopyItem(sigd->cmsg->poolp, &algid->algorithm
,&hashoid->oid);
if (rv != SECSuccess) {
return rv;
}
}
}
}
/* set up the digests */
if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
/* if digests are already there, do nothing */
sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
if (sigd->contentInfo.privateInfo->digcx == NULL)
return SECFailure;
}
return SECSuccess;
}
nsresult
nsCertOverrideService::Init()
{
if (!mSettingsTable.Init())
return NS_ERROR_OUT_OF_MEMORY;
mOidTagForStoringNewHashes = SEC_OID_SHA256;
SECOidData *od = SECOID_FindOIDByTag(mOidTagForStoringNewHashes);
if (!od)
return NS_ERROR_FAILURE;
char *dotted_oid = CERT_GetOidString(&od->oid);
if (!dotted_oid)
return NS_ERROR_FAILURE;
mDottedOidForStoringNewHashes = dotted_oid;
PR_smprintf_free(dotted_oid);
// cache mSettingsFile
NS_GetSpecialDirectory(NS_APP_USER_PROFILE_50_DIR, getter_AddRefs(mSettingsFile));
if (mSettingsFile) {
mSettingsFile->AppendNative(NS_LITERAL_CSTRING(kCertOverrideFileName));
}
Read();
nsresult rv;
NS_WITH_ALWAYS_PROXIED_SERVICE(nsIObserverService, mObserverService,
"@mozilla.org/observer-service;1",
NS_PROXY_TO_MAIN_THREAD, &rv);
if (mObserverService) {
mObserverService->AddObserver(this, "profile-before-change", PR_TRUE);
mObserverService->AddObserver(this, "profile-do-change", PR_TRUE);
mObserverService->AddObserver(this, "shutdown-cleanse", PR_TRUE);
}
return NS_OK;
}
bool
CertIsAuthoritativeForEVPolicy(const CERTCertificate* cert,
const mozilla::pkix::CertPolicyId& policy)
{
PR_ASSERT(cert);
if (!cert) {
return false;
}
for (size_t iEV = 0; iEV < PR_ARRAY_SIZE(myTrustedEVInfos); ++iEV) {
nsMyTrustedEVInfo& entry = myTrustedEVInfos[iEV];
if (entry.cert && CERT_CompareCerts(cert, entry.cert)) {
const SECOidData* oidData = SECOID_FindOIDByTag(entry.oid_tag);
if (oidData && oidData->oid.len == policy.numBytes &&
!memcmp(oidData->oid.data, policy.bytes, policy.numBytes)) {
return true;
}
}
}
return false;
}
SECKEYECParams *
decode_ec_params(const char *curve)
{
SECKEYECParams *ecparams;
SECOidData *oidData = nullptr;
SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */
int i, numCurves;
if (curve && *curve) {
numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair);
for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN));
i++) {
if (PL_strcmp(curve, nameTagPair[i].curveName) == 0)
curveOidTag = nameTagPair[i].curveOidTag;
}
}
/* Return nullptr if curve name is not recognized */
if ((curveOidTag == SEC_OID_UNKNOWN) ||
(oidData = SECOID_FindOIDByTag(curveOidTag)) == nullptr) {
return nullptr;
}
ecparams = SECITEM_AllocItem(nullptr, nullptr, (2 + oidData->oid.len));
if (!ecparams)
return nullptr;
/*
* ecparams->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
ecparams->data[0] = SEC_ASN1_OBJECT_ID;
ecparams->data[1] = oidData->oid.len;
memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
return ecparams;
}
/*
* SecCmsAttributeArrayFindAttrByOidTag - look through a set of attributes and
* find one that matches the specified object ID.
*
* If "only" is true, then make sure that there is not more than one attribute
* of the same type. Otherwise, just return the first one found. (XXX Does
* anybody really want that first-found behavior? It was like that when I found it...)
*/
SecCmsAttribute *
SecCmsAttributeArrayFindAttrByOidTag(SecCmsAttribute **attrs, SECOidTag oidtag, Boolean only)
{
SECOidData *oid;
SecCmsAttribute *attr1, *attr2;
if (attrs == NULL)
return NULL;
oid = SECOID_FindOIDByTag(oidtag);
if (oid == NULL)
return NULL;
while ((attr1 = *attrs++) != NULL) {
if (attr1->type.Length == oid->oid.Length && PORT_Memcmp (attr1->type.Data,
oid->oid.Data,
oid->oid.Length) == 0)
break;
}
if (attr1 == NULL)
return NULL;
if (!only)
return attr1;
while ((attr2 = *attrs++) != NULL) {
if (attr2->type.Length == oid->oid.Length && PORT_Memcmp (attr2->type.Data,
oid->oid.Data,
oid->oid.Length) == 0)
break;
}
if (attr2 != NULL)
return NULL;
return attr1;
}
/*
* NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and
* find one that matches the specified object ID.
*
* If "only" is true, then make sure that there is not more than one attribute
* of the same type. Otherwise, just return the first one found. (XXX Does
* anybody really want that first-found behavior? It was like that when I found it...)
*/
NSSCMSAttribute *
NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only)
{
SECOidData *oid;
NSSCMSAttribute *attr1, *attr2;
if (attrs == NULL)
return NULL;
oid = SECOID_FindOIDByTag(oidtag);
if (oid == NULL)
return NULL;
while ((attr1 = *attrs++) != NULL) {
if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data,
oid->oid.data,
oid->oid.len) == 0)
break;
}
if (attr1 == NULL)
return NULL;
if (!only)
return attr1;
while ((attr2 = *attrs++) != NULL) {
if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data,
oid->oid.data,
oid->oid.len) == 0)
break;
}
if (attr2 != NULL)
return NULL;
return attr1;
}
static SECStatus
ecName2params(ECCurveName curve, SECKEYECParams *params)
{
SECOidData *oidData = NULL;
if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) ||
((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len));
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
return SECSuccess;
}
