static void
SetExts(void *object, CERTCertExtension **exts)
{
CERTCertificate *cert = (CERTCertificate *)object;
cert->extensions = exts;
DER_SetUInteger (cert->arena, &(cert->version), SEC_CERTIFICATE_VERSION_3);
}
/* Callback to set extensions and adjust verison */
static void
SetCrlExts(void *object, CERTCertExtension **exts)
{
CERTCrl *crl = (CERTCrl *)object;
crl->extensions = exts;
DER_SetUInteger (crl->arena, &crl->version, SEC_CRL_VERSION_2);
}
static NSSLOWKEYPrivateKey *
lg_mkSecretKeyRep(const CK_ATTRIBUTE *templ,
CK_ULONG count, CK_KEY_TYPE key_type,
SECItem *pubkey, SDB *sdbpw)
{
NSSLOWKEYPrivateKey *privKey = 0;
PLArenaPool *arena = 0;
CK_KEY_TYPE keyType;
PRUint32 keyTypeStorage;
SECItem keyTypeItem;
CK_RV crv;
SECStatus rv;
static unsigned char derZero[1] = { 0 };
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
crv = CKR_HOST_MEMORY;
goto loser;
}
privKey = (NSSLOWKEYPrivateKey *)
PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey));
if (privKey == NULL) {
crv = CKR_HOST_MEMORY;
goto loser;
}
privKey->arena = arena;
/* Secret keys are represented in the database as "fake" RSA keys.
* The RSA key is marked as a secret key representation by setting the
* public exponent field to 0, which is an invalid RSA exponent.
* The other fields are set as follows:
* modulus - CKA_ID value for the secret key
* private exponent - CKA_VALUE (the key itself)
* coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm
* is used for the key.
* all others - set to integer 0
*/
privKey->keyType = NSSLOWKEYRSAKey;
/* The modulus is set to the key id of the symmetric key */
privKey->u.rsa.modulus.data =
(unsigned char *)PORT_ArenaAlloc(arena, pubkey->len);
if (privKey->u.rsa.modulus.data == NULL) {
crv = CKR_HOST_MEMORY;
goto loser;
}
privKey->u.rsa.modulus.len = pubkey->len;
PORT_Memcpy(privKey->u.rsa.modulus.data, pubkey->data, pubkey->len);
/* The public exponent is set to 0 to indicate a special key */
privKey->u.rsa.publicExponent.len = sizeof derZero;
privKey->u.rsa.publicExponent.data = derZero;
/* The private exponent is the actual key value */
crv = lg_PrivAttr2SecItem(arena, CKA_VALUE, templ, count,
&privKey->u.rsa.privateExponent, sdbpw);
if (crv != CKR_OK)
goto loser;
/* All other fields empty - needs testing */
privKey->u.rsa.prime1.len = sizeof derZero;
privKey->u.rsa.prime1.data = derZero;
privKey->u.rsa.prime2.len = sizeof derZero;
privKey->u.rsa.prime2.data = derZero;
privKey->u.rsa.exponent1.len = sizeof derZero;
privKey->u.rsa.exponent1.data = derZero;
privKey->u.rsa.exponent2.len = sizeof derZero;
privKey->u.rsa.exponent2.data = derZero;
/* Coeficient set to KEY_TYPE */
crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &keyType);
if (crv != CKR_OK)
goto loser;
/* on 64 bit platforms, we still want to store 32 bits of keyType (This is
* safe since the PKCS #11 defines for all types are 32 bits or less). */
keyTypeStorage = (PRUint32)keyType;
keyTypeStorage = PR_htonl(keyTypeStorage);
keyTypeItem.data = (unsigned char *)&keyTypeStorage;
keyTypeItem.len = sizeof(keyTypeStorage);
rv = SECITEM_CopyItem(arena, &privKey->u.rsa.coefficient, &keyTypeItem);
if (rv != SECSuccess) {
crv = CKR_HOST_MEMORY;
goto loser;
}
/* Private key version field set normally for compatibility */
rv = DER_SetUInteger(privKey->arena,
&privKey->u.rsa.version, NSSLOWKEY_VERSION);
if (rv != SECSuccess) {
crv = CKR_HOST_MEMORY;
goto loser;
}
loser:
if (crv != CKR_OK) {
PORT_FreeArena(arena, PR_FALSE);
privKey = 0;
}
return privKey;
}
/* make a private key from a verified object */
static NSSLOWKEYPrivateKey *
lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
CK_KEY_TYPE key_type, CK_RV *crvp)
{
NSSLOWKEYPrivateKey *privKey;
PLArenaPool *arena;
CK_RV crv = CKR_OK;
SECStatus rv;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
*crvp = CKR_HOST_MEMORY;
return NULL;
}
privKey = (NSSLOWKEYPrivateKey *)
PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey));
if (privKey == NULL) {
PORT_FreeArena(arena, PR_FALSE);
*crvp = CKR_HOST_MEMORY;
return NULL;
}
/* in future this would be a switch on key_type */
privKey->arena = arena;
switch (key_type) {
case CKK_RSA:
privKey->keyType = NSSLOWKEYRSAKey;
crv = lg_Attribute2SSecItem(arena, CKA_MODULUS, templ, count,
&privKey->u.rsa.modulus);
if (crv != CKR_OK)
break;
crv = lg_Attribute2SSecItem(arena, CKA_PUBLIC_EXPONENT, templ, count,
&privKey->u.rsa.publicExponent);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_PRIVATE_EXPONENT, templ, count,
&privKey->u.rsa.privateExponent, sdb);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_PRIME_1, templ, count,
&privKey->u.rsa.prime1, sdb);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_PRIME_2, templ, count,
&privKey->u.rsa.prime2, sdb);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_EXPONENT_1, templ, count,
&privKey->u.rsa.exponent1, sdb);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_EXPONENT_2, templ, count,
&privKey->u.rsa.exponent2, sdb);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_COEFFICIENT, templ, count,
&privKey->u.rsa.coefficient, sdb);
if (crv != CKR_OK)
break;
rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
NSSLOWKEY_VERSION);
if (rv != SECSuccess)
crv = CKR_HOST_MEMORY;
break;
case CKK_DSA:
privKey->keyType = NSSLOWKEYDSAKey;
crv = lg_Attribute2SSecItem(arena, CKA_PRIME, templ, count,
&privKey->u.dsa.params.prime);
if (crv != CKR_OK)
break;
crv = lg_Attribute2SSecItem(arena, CKA_SUBPRIME, templ, count,
&privKey->u.dsa.params.subPrime);
if (crv != CKR_OK)
break;
crv = lg_Attribute2SSecItem(arena, CKA_BASE, templ, count,
&privKey->u.dsa.params.base);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count,
&privKey->u.dsa.privateValue, sdb);
if (crv != CKR_OK)
break;
if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB, templ, count,
&privKey->u.dsa.publicValue);
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
}
break;
case CKK_DH:
privKey->keyType = NSSLOWKEYDHKey;
crv = lg_Attribute2SSecItem(arena, CKA_PRIME, templ, count,
&privKey->u.dh.prime);
if (crv != CKR_OK)
break;
crv = lg_Attribute2SSecItem(arena, CKA_BASE, templ, count,
&privKey->u.dh.base);
if (crv != CKR_OK)
break;
crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count,
&privKey->u.dh.privateValue, sdb);
if (crv != CKR_OK)
break;
if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB, templ, count,
&privKey->u.dh.publicValue);
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
}
break;
#ifndef NSS_DISABLE_ECC
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS, templ, count,
&privKey->u.ec.ecParams.DEREncoding);
if (crv != CKR_OK)
break;
/* Fill out the rest of the ecParams structure
* based on the encoded params
*/
if (LGEC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding,
&privKey->u.ec.ecParams) != SECSuccess) {
crv = CKR_DOMAIN_PARAMS_INVALID;
break;
}
crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count,
&privKey->u.ec.privateValue, sdb);
if (crv != CKR_OK)
break;
if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB, templ, count,
&privKey->u.ec.publicValue);
if (crv != CKR_OK)
break;
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
}
rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
if (rv != SECSuccess)
crv = CKR_HOST_MEMORY;
break;
#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
*crvp = crv;
if (crv != CKR_OK) {
PORT_FreeArena(arena, PR_FALSE);
return NULL;
}
return privKey;
}
