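/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * This file manages object type independent functions.
 */
#include "seccomon.h"
#include "secmod.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pkcs11t.h"
#include "pk11func.h"
#include "key.h"
#include "secitem.h"
#include "secerr.h"
#include "sslerr.h"

#define PK11_SEARCH_CHUNKSIZE 10

/*
 * Build a block big enough to hold the data.
 *
 * The new item's length is data->len rounded up to a multiple of 'size'.
 * The buffer is first filled with the pad count (new length minus
 * data->len, truncated to one byte) and the input is then copied over the
 * front, so only the trailing bytes keep the pad value. When data->len is
 * already a multiple of 'size', no padding bytes are added.
 *
 * Returns NULL if 'size' is 0 or an allocation fails. The item and its
 * buffer are separate PORT allocations owned by the caller.
 */
SECItem *
PK11_BlockData(SECItem *data, unsigned long size)
{
    SECItem *newData;

    /* A zero block size would divide by zero in the rounding below. */
    if (size == 0) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    newData = (SECItem *)PORT_Alloc(sizeof(SECItem));
    if (newData == NULL)
        return NULL;

    /* PORT_Alloc does not clear memory; give 'type' a defined value. */
    newData->type = siBuffer;
    newData->len = (data->len + (size - 1)) / size;
    newData->len *= size;

    newData->data = (unsigned char *)PORT_ZAlloc(newData->len);
    if (newData->data == NULL) {
        PORT_Free(newData);
        return NULL;
    }
    PORT_Memset(newData->data, newData->len - data->len, newData->len);
    PORT_Memcpy(newData->data, data->data, data->len);
    return newData;
}

/*
 * Destroy 'object' through the slot's default session, holding the slot
 * monitor around the C_DestroyObject call.
 *
 * Returns SECSuccess when the token reports CKR_OK, SECFailure otherwise.
 * Unlike PK11_DestroyTokenObject, the failure path does not call
 * PORT_SetError, so the caller gets no mapped error code.
 */
SECStatus
PK11_DestroyObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object)
{
    CK_RV crv;

    PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session, object);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        return SECFailure;
    }
    return SECSuccess;
}

/*
 * Destroy 'object' through a read/write session obtained from the slot.
 *
 * Fails with SEC_ERROR_BAD_DATA when no R/W session is available; a token
 * error is mapped with PK11_MapError. The session is handed back with
 * PK11_RestoreROSession whether or not the destroy succeeded.
 */
SECStatus
PK11_DestroyTokenObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE object)
{
    CK_RV crv;
    SECStatus rv = SECSuccess;
    CK_SESSION_HANDLE rwsession;

    rwsession = PK11_GetRWSession(slot);
    if (rwsession == CK_INVALID_SESSION) {
        PORT_SetError(SEC_ERROR_BAD_DATA);
        return SECFailure;
    }

    crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession, object);
    if (crv != CKR_OK) {
        rv = SECFailure;
        PORT_SetError(PK11_MapError(crv));
    }
    PK11_RestoreROSession(slot, rwsession);
    return rv;
}

/*
 * Read in a single attribute into a SECItem. Allocate space for it with
 * PORT_Alloc unless an arena is supplied. In the latter case use the arena
 * to allocate the space.
 *
 * PK11_ReadAttribute sets the 'data' and 'len' fields of the SECItem but
 * does not modify its 'type' field.
 *
 * The token is queried twice under the slot monitor: once with a NULL
 * buffer to learn the length, then again with a buffer of that length.
 * On a failed second query a heap buffer is freed; arena memory is not
 * released. 'result' is only written on success.
 */
SECStatus
PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
                   CK_ATTRIBUTE_TYPE type, PLArenaPool *arena, SECItem *result)
{
    CK_ATTRIBUTE attr = { 0, NULL, 0 };
    CK_RV crv;

    attr.type = type;

    PK11_EnterSlotMonitor(slot);
    /* Length query: pValue is still NULL here. */
    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id, &attr, 1);
    if (crv != CKR_OK) {
        PK11_ExitSlotMonitor(slot);
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    if (arena) {
        attr.pValue = PORT_ArenaAlloc(arena, attr.ulValueLen);
    } else {
        attr.pValue = PORT_Alloc(attr.ulValueLen);
    }
    if (attr.pValue == NULL) {
        PK11_ExitSlotMonitor(slot);
        return SECFailure;
    }
    /* Value query: the token fills the buffer sized by the first call. */
    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id, &attr, 1);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        if (!arena)
            PORT_Free(attr.pValue);
        return SECFailure;
    }

    result->data = (unsigned char *)attr.pValue;
    result->len = attr.ulValueLen;

    return SECSuccess;
}

/*
 * Read in a single attribute as a CK_ULONG.
 *
 * On a token error the mapped error is set and the function still returns
 * 'value', which starts out as CK_UNAVAILABLE_INFORMATION; callers have to
 * treat that value as "not available".
 */
CK_ULONG
PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
                        CK_ATTRIBUTE_TYPE type)
{
    CK_ATTRIBUTE attr;
    CK_ULONG value = CK_UNAVAILABLE_INFORMATION;
    CK_RV crv;

    PK11_SETATTRS(&attr, type, &value, sizeof(value));

    PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id, &attr, 1);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
    }
    return value;
}

/*
 * Check to see if a boolean attribute has been set.
 *
 * 'haslock' is true when the caller already holds the slot monitor, in
 * which case it is neither entered nor exited here. A token error is
 * mapped with PK11_MapError and reported as CK_FALSE, so "unset" and
 * "could not read" look the same to the caller.
 */
CK_BBOOL
PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
                     CK_ATTRIBUTE_TYPE type, PRBool haslock)
{
    CK_BBOOL ckvalue = CK_FALSE;
    CK_ATTRIBUTE theTemplate;
    CK_RV crv;

    /* Prepare to retrieve the attribute. */
    PK11_SETATTRS(&theTemplate, type, &ckvalue, sizeof(CK_BBOOL));

    /* Retrieve attribute value. */
    if (!haslock)
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, id,
                                                 &theTemplate, 1);
    if (!haslock)
        PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return CK_FALSE;
    }

    return ckvalue;
}

/*
 * returns a full list of attributes. Allocate space for them. If an arena is
 * provided, allocate space out of the arena.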
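 */
/*
 * 'attr' is an array of 'count' templates whose types are set by the
 * caller. The token is queried once for the lengths, buffers are allocated
 * for every entry with a non-zero length, and the token is queried again
 * for the values, all under the slot monitor.
 *
 * Returns the CK_RV of the failing step, or CKR_OK. On failure without an
 * arena every pValue is freed and set to NULL; with an arena the arena is
 * released back to the mark taken here.
 * NOTE(review): the non-arena failure path frees every attr[i].pValue,
 * including entries skipped for zero length; this presumably relies on the
 * caller passing NULL pValue pointers in - confirm against callers.
 */
CK_RV
PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
                   CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count)
{
    int i;
    /* make pedantic happy... note that it's only used arena != NULL */
    void *mark = NULL;
    CK_RV crv;

    PORT_Assert(slot->session != CK_INVALID_SESSION);
    if (slot->session == CK_INVALID_SESSION)
        return CKR_SESSION_HANDLE_INVALID;

    /*
     * first get all the lengths of the parameters.
     */
    PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, obj, attr, count);
    if (crv != CKR_OK) {
        PK11_ExitSlotMonitor(slot);
        return crv;
    }

    if (arena) {
        mark = PORT_ArenaMark(arena);
        if (mark == NULL) {
            /* Every other exit releases the monitor entered above; without
             * this the slot would stay locked after an arena failure. */
            PK11_ExitSlotMonitor(slot);
            return CKR_HOST_MEMORY;
        }
    }

    /*
     * now allocate space to store the results.
     */
    for (i = 0; i < count; i++) {
        if (attr[i].ulValueLen == 0)
            continue;
        if (arena) {
            attr[i].pValue = PORT_ArenaAlloc(arena, attr[i].ulValueLen);
            if (attr[i].pValue == NULL) {
                /* arena failures, just release the mark */
                PORT_ArenaRelease(arena, mark);
                PK11_ExitSlotMonitor(slot);
                return CKR_HOST_MEMORY;
            }
        } else {
            attr[i].pValue = PORT_Alloc(attr[i].ulValueLen);
            if (attr[i].pValue == NULL) {
                /* Separate malloc failures, loop to release what we have
                 * so far */
                int j;
                for (j = 0; j < i; j++) {
                    PORT_Free(attr[j].pValue);
                    /* don't give the caller pointers to freed memory */
                    attr[j].pValue = NULL;
                }
                PK11_ExitSlotMonitor(slot);
                return CKR_HOST_MEMORY;
            }
        }
    }

    /*
     * finally get the results.
     */
    crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session, obj, attr, count);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        if (arena) {
            PORT_ArenaRelease(arena, mark);
        } else {
            for (i = 0; i < count; i++) {
                PORT_Free(attr[i].pValue);
                /* don't give the caller pointers to freed memory */
                attr[i].pValue = NULL;
            }
        }
    } else if (arena && mark) {
        PORT_ArenaUnmark(arena, mark);
    }
    return crv;
}

/*
 * Report whether the object has CKA_TOKEN set. A read failure is reported
 * as false, because PK11_HasAttributeSet returns CK_FALSE on error.
 */
PRBool
PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
{
    return (PRBool)PK11_HasAttributeSet(slot, handle, CKA_TOKEN, PR_FALSE);
}

/*
 * Return the object's CKA_LABEL as a newly allocated, NUL-terminated
 * string, or NULL if the attribute cannot be read or memory runs out.
 * The string comes from PORT_ZAlloc and is owned by the caller.
 */
char *
PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id)
{
    char *nickname = NULL;
    SECItem result;
    SECStatus rv;

    rv = PK11_ReadAttribute(slot, id, CKA_LABEL, NULL, &result);
    if (rv != SECSuccess) {
        return NULL;
    }

    /* One extra zeroed byte supplies the terminator the label lacks. */
    nickname = PORT_ZAlloc(result.len + 1);
    if (nickname == NULL) {
        PORT_Free(result.data);
        return NULL;
    }
    PORT_Memcpy(nickname, result.data, result.len);
    PORT_Free(result.data);
    return nickname;
}

/*
 * Set the object's CKA_LABEL to 'nickname' (without its terminating NUL)
 * through a read/write session. 'nickname' must not be NULL: its length is
 * taken before any check. Fails with SEC_ERROR_BAD_DATA when no R/W session
 * is available, or with the mapped token error.
 */
SECStatus
PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
                       const char *nickname)
{
    int len = PORT_Strlen(nickname);
    CK_ATTRIBUTE setTemplate;
    CK_RV crv;
    CK_SESSION_HANDLE rwsession;

    /* Catches a length that did not fit in an int. */
    if (len < 0) {
        return SECFailure;
    }

    PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *)nickname, len);
    rwsession = PK11_GetRWSession(slot);
    if (rwsession == CK_INVALID_SESSION) {
        PORT_SetError(SEC_ERROR_BAD_DATA);
        return SECFailure;
    }
    crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id,
                                                 &setTemplate, 1);
    PK11_RestoreROSession(slot, rwsession);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    return SECSuccess;
}

/*
 * strip leading zero's from key material
 *
 * At least one byte is always kept. The attribute is adjusted in place by
 * advancing pValue, so afterwards pValue may no longer point at the start
 * of the original buffer; anything that frees the buffer has to keep the
 * original pointer.
 */
void
pk11_SignedToUnsigned(CK_ATTRIBUTE *attrib)
{
    char *ptr = (char *)attrib->pValue;
    unsigned long len = attrib->ulValueLen;

    while ((len > 1) && (*ptr == 0)) {
        len--;
        ptr++;
    }
    attrib->pValue = ptr;
    attrib->ulValueLen = len;
}

/*
 * get a new session on a slot. If we run out of session, use the slot's
 * 'exclusive' session. In this case owner becomes false.
 *
 * The slot monitor is taken around C_OpenSession only when the slot is not
 * marked thread safe. A caller that gets *owner == PR_FALSE is sharing
 * slot->session; the callers in this file take the slot monitor in that
 * case.
 */
CK_SESSION_HANDLE
pk11_GetNewSession(PK11SlotInfo *slot, PRBool *owner)
{
    CK_SESSION_HANDLE session;

    *owner = PR_TRUE;
    if (!slot->isThreadSafe)
        PK11_EnterSlotMonitor(slot);
    if (PK11_GETTAB(slot)->C_OpenSession(slot->slotID, CKF_SERIAL_SESSION,
                                         slot, pk11_notify, &session) != CKR_OK) {
        *owner = PR_FALSE;
        session = slot->session;
    }
    if (!slot->isThreadSafe)
        PK11_ExitSlotMonitor(slot);

    return session;
}

/*
 * Close a session obtained from pk11_GetNewSession. Nothing happens when
 * 'owner' is false, because the session is then the slot's shared one.
 * The result of C_CloseSession is deliberately ignored.
 */
void
pk11_CloseSession(PK11SlotInfo *slot, CK_SESSION_HANDLE session, PRBool owner)
{
    if (!owner)
        return;
    if (!slot->isThreadSafe)
        PK11_EnterSlotMonitor(slot);
    (void)PK11_GETTAB(slot)->C_CloseSession(session);
    if (!slot->isThreadSafe)
        PK11_ExitSlotMonitor(slot);
}

/*
 * Create an object from 'theTemplate' ('count' entries) and store its
 * handle in *objectID.
 *
 * Session choice: a token object always uses a fresh R/W session; a
 * session object uses 'session' if it is valid, otherwise the slot's
 * default session under the slot monitor. Fails with SEC_ERROR_BAD_DATA
 * when no usable session exists, or with the mapped token error.
 */
SECStatus
PK11_CreateNewObject(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
                     const CK_ATTRIBUTE *theTemplate, int count,
                     PRBool token, CK_OBJECT_HANDLE *objectID)
{
    CK_SESSION_HANDLE rwsession;
    CK_RV crv;
    SECStatus rv = SECSuccess;

    rwsession = session;
    if (token) {
        rwsession = PK11_GetRWSession(slot);
    } else if (rwsession == CK_INVALID_SESSION) {
        rwsession = slot->session;
        /* The monitor is only taken if there is a session to protect. */
        if (rwsession != CK_INVALID_SESSION)
            PK11_EnterSlotMonitor(slot);
    }
    if (rwsession == CK_INVALID_SESSION) {
        PORT_SetError(SEC_ERROR_BAD_DATA);
        return SECFailure;
    }
    crv = PK11_GETTAB(slot)->C_CreateObject(rwsession,
                                            /* cast away const :-( */ (CK_ATTRIBUTE_PTR)theTemplate,
                                            count, objectID);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        rv = SECFailure;
    }
    if (token) {
        PK11_RestoreROSession(slot, rwsession);
    } else if (session == CK_INVALID_SESSION) {
        /* Matches the PK11_EnterSlotMonitor taken for the default session. */
        PK11_ExitSlotMonitor(slot);
    }

    return rv;
}


/* This function may add a maximum of 9 attributes.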
 */
/*
 * Translate key-operation flag bits into CK_ATTRIBUTE entries whose value
 * is *ckTrue, written to 'attrs' in flag-bit order. Bits outside
 * CKF_KEY_OPERATION_FLAGS trip an assertion and are otherwise ignored.
 * Returns the number of entries written; 'attrs' must have room for them.
 */
unsigned int
pk11_OpFlagsToAttributes(CK_FLAGS flags, CK_ATTRIBUTE *attrs, CK_BBOOL *ckTrue)
{
    /* One entry per flag bit from CKF_ENCRYPT up to CKF_DERIVE; a 0 marks
     * a bit that has no matching attribute. */
    static const CK_ATTRIBUTE_TYPE opAttrTypes[12] = {
        CKA_ENCRYPT, CKA_DECRYPT, 0 /* DIGEST */, CKA_SIGN,
        CKA_SIGN_RECOVER, CKA_VERIFY, CKA_VERIFY_RECOVER, 0 /* GEN */,
        0 /* GEN PAIR */, CKA_WRAP, CKA_UNWRAP, CKA_DERIVE
    };
    unsigned int typeIdx = 0;
    unsigned int emitted = 0;
    CK_FLAGS bit;

    PR_ASSERT(!(flags & ~CKF_KEY_OPERATION_FLAGS));
    flags &= CKF_KEY_OPERATION_FLAGS;

    /* Stop early once every requested bit has been consumed. */
    for (bit = CKF_ENCRYPT; flags != 0 && bit <= CKF_DERIVE;
         bit <<= 1, ++typeIdx) {
        CK_ATTRIBUTE *dst;

        if ((flags & bit) == 0) {
            continue;
        }
        flags &= ~bit;
        PR_ASSERT(opAttrTypes[typeIdx]);
        dst = &attrs[emitted];
        PK11_SETATTRS(dst, opAttrTypes[typeIdx], ckTrue, sizeof *ckTrue);
        ++emitted;
    }
    return emitted;
}

/*
 * Check for conflicting flags, for example, if both PK11_ATTR_PRIVATE
 * and PK11_ATTR_PUBLIC are set.
 *
 * The flags come in adjacent bit pairs: the even bit of a pair asks for
 * "true", the odd bit for "false". Having both bits of any pair set is a
 * conflict.
 */
PRBool
pk11_BadAttrFlags(PK11AttrFlags attrFlags)
{
    const PK11AttrFlags evenBits = 0x55555555;
    PK11AttrFlags wantTrue = attrFlags & evenBits;
    PK11AttrFlags wantFalse = (attrFlags >> 1) & evenBits;

    if ((wantTrue & wantFalse) != 0) {
        return PR_TRUE;
    }
    return PR_FALSE;
}

/*
 * This function may add a maximum of 5 attributes.
 * The caller must make sure the attribute flags don't have conflicts.
 */
/*
 * Translate attribute flags into CK_ATTRIBUTE entries written to 'attrs'.
 * Each attribute is controlled by a pair of adjacent bits: the lower bit
 * yields an entry pointing at *ckTrue, the upper one an entry pointing at
 * *ckFalse. Returns the number of entries written.
 */
unsigned int
pk11_AttrFlagsToAttributes(PK11AttrFlags attrFlags, CK_ATTRIBUTE *attrs,
                           CK_BBOOL *ckTrue, CK_BBOOL *ckFalse)
{
    static const CK_ATTRIBUTE_TYPE pairTypes[5] = {
        CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_SENSITIVE,
        CKA_EXTRACTABLE
    };
    unsigned int pairIdx = 0;
    unsigned int emitted = 0;
    PK11AttrFlags onBit;

    PR_ASSERT(!pk11_BadAttrFlags(attrFlags));

    /* Walk the table one bit pair at a time, stopping once no flag is left. */
    for (onBit = PK11_ATTR_TOKEN;
         attrFlags != 0 && onBit <= PK11_ATTR_EXTRACTABLE;
         onBit <<= 2, ++pairIdx) {
        const PK11AttrFlags offBit = onBit << 1;
        CK_BBOOL *value;
        CK_ATTRIBUTE *dst;

        if (attrFlags & onBit) {
            attrFlags ^= onBit;
            value = ckTrue;
        } else if (attrFlags & offBit) {
            attrFlags ^= offBit;
            value = ckFalse;
        } else {
            /* Neither bit of this pair was requested. */
            continue;
        }
        dst = &attrs[emitted];
        PK11_SETATTRS(dst, pairTypes[pairIdx], value, sizeof *value);
        ++emitted;
    }
    return emitted;
}

/*
 * Some non-compliant PKCS #11 vendors do not give us the modulus, so actually
 * set up a signature to get the signature length.
 */
static int
pk11_backupGetSignLength(SECKEYPrivateKey *key)
{
    PK11SlotInfo *slot = key->pkcs11Slot;
    CK_MECHANISM mech = { 0, NULL, 0 };
    PRBool owner = PR_TRUE;
    PRBool needLock;
    CK_SESSION_HANDLE session;
    CK_ULONG sigLen;
    CK_RV crv;
    unsigned char dummyHash[20] = { 0 };
    unsigned char tinyBuf[20]; /* deliberately too small for a signature */
    CK_ULONG tinyLen = sizeof(tinyBuf);

    mech.mechanism = PK11_MapSignKeyType(key->keyType);

    session = pk11_GetNewSession(slot, &owner);
    /* A shared session, or a slot that is not thread safe, needs the monitor. */
    needLock = (!owner || !(slot->isThreadSafe));
    if (needLock) {
        PK11_EnterSlotMonitor(slot);
    }
    crv = PK11_GETTAB(slot)->C_SignInit(session, &mech, key->pkcs11ID);
    if (crv != CKR_OK) {
        if (needLock) {
            PK11_ExitSlotMonitor(slot);
        }
        pk11_CloseSession(slot, session, owner);
        PORT_SetError(PK11_MapError(crv));
        return -1;
    }

    /* A NULL output buffer asks the token for the signature length only. */
    sigLen = 0;
    crv = PK11_GETTAB(slot)->C_Sign(session, dummyHash, sizeof(dummyHash),
                                    NULL, &sigLen);
    /* now call C_Sign with too small a buffer to clear the session state */
    (void)PK11_GETTAB(slot)->C_Sign(session, dummyHash, sizeof(dummyHash),
                                    tinyBuf, &tinyLen);

    if (needLock) {
        PK11_ExitSlotMonitor(slot);
    }
    pk11_CloseSession(slot, session, owner);
    if (crv == CKR_OK) {
        return sigLen;
    }
    PORT_SetError(PK11_MapError(crv));
    return -1;
}

/*
 * get the length of a signature object based on the key
 *
 * RSA: the private modulus length. Fortezza: 40. DSA: twice the length of
 * CKA_SUBPRIME with one leading zero byte discounted. EC: twice the base
 * point order length, which is rounded up from what appears to be a bit
 * count to bytes. Where the attribute cannot be read, the length is
 * obtained by starting a signature on the token (pk11_backupGetSignLength,
 * which returns -1 on failure). Any other key type sets
 * SEC_ERROR_INVALID_KEY and returns 0.
 */
int
PK11_SignatureLen(SECKEYPrivateKey *key)
{
    SECItem attrItem = { siBuffer, NULL, 0 };
    int modulusLen;
    int partLen;

    switch (key->keyType) {
        case rsaKey:
            modulusLen = PK11_GetPrivateModulusLen(key);
            if (modulusLen != -1) {
                return (unsigned long)modulusLen;
            }
            return pk11_backupGetSignLength(key);

        case fortezzaKey:
            return 40;

        case dsaKey:
            if (PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID,
                                   CKA_SUBPRIME, NULL,
                                   &attrItem) != SECSuccess) {
                return pk11_backupGetSignLength(key);
            }
            partLen = attrItem.len;
            /* Discount the zero byte that keeps the integer positive. */
            if ((partLen > 0) && attrItem.data[0] == 0) {
                partLen--;
            }
            PORT_Free(attrItem.data);
            return partLen * 2;

        case ecKey:
            if (PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID,
                                   CKA_EC_PARAMS, NULL,
                                   &attrItem) == SECSuccess) {
                partLen = SECKEY_ECParamsToBasePointOrderLen(&attrItem);
                PORT_Free(attrItem.data);
                if (partLen != 0) {
                    return ((partLen + 7) / 8) * 2;
                }
            }
            return pk11_backupGetSignLength(key);

        default:
            PORT_SetError(SEC_ERROR_INVALID_KEY);
            return 0;
    }
}

/*
 * copy a key (or any other object) on a token
 *
 * The copy is made through the slot's default session with an empty
 * template. Returns the new handle, or CK_INVALID_HANDLE with the mapped
 * token error set.
 */
CK_OBJECT_HANDLE
PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject)
{
    CK_OBJECT_HANDLE copyHandle;
    CK_RV crv;

    PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_CopyObject(slot->session, srcObject, NULL, 0,
                                          &copyHandle);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return CK_INVALID_HANDLE;
    }
    return copyHandle;
}

/*
 * Return PR_TRUE if any of the first 'numAttrs' entries of 'attr' has the
 * type 'target', PR_FALSE otherwise.
 */
PRBool
pk11_FindAttrInTemplate(CK_ATTRIBUTE *attr, unsigned int numAttrs,
                        CK_ATTRIBUTE_TYPE target)
{
    unsigned int idx;

    for (idx = 0; idx < numAttrs; ++idx) {
        if (attr[idx].type == target) {
            return PR_TRUE;
        }
    }
    return PR_FALSE;
}

/*
andre@0: * Recover the Signed data. We need this because our old verify can't andre@0: * figure out which hash algorithm to use until we decryptted this. andre@0: */ andre@0: SECStatus andre@0: PK11_VerifyRecover(SECKEYPublicKey *key, const SECItem *sig, andre@0: SECItem *dsig, void *wincx) andre@0: { andre@0: PK11SlotInfo *slot = key->pkcs11Slot; andre@0: CK_OBJECT_HANDLE id = key->pkcs11ID; andre@0: CK_MECHANISM mech = {0, NULL, 0 }; andre@0: PRBool owner = PR_TRUE; andre@0: CK_SESSION_HANDLE session; andre@0: CK_ULONG len; andre@0: CK_RV crv; andre@0: andre@0: mech.mechanism = PK11_MapSignKeyType(key->keyType); andre@0: andre@0: if (slot == NULL) { andre@0: slot = PK11_GetBestSlotWithAttributes(mech.mechanism, andre@0: CKF_VERIFY_RECOVER,0,wincx); andre@0: if (slot == NULL) { andre@0: PORT_SetError( SEC_ERROR_NO_MODULE ); andre@0: return SECFailure; andre@0: } andre@0: id = PK11_ImportPublicKey(slot,key,PR_FALSE); andre@0: } else { andre@0: PK11_ReferenceSlot(slot); andre@0: } andre@0: andre@0: if (id == CK_INVALID_HANDLE) { andre@0: PK11_FreeSlot(slot); andre@0: PORT_SetError( SEC_ERROR_BAD_KEY ); andre@0: return SECFailure; andre@0: } andre@0: andre@0: session = pk11_GetNewSession(slot,&owner); andre@0: if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_VerifyRecoverInit(session,&mech,id); andre@0: if (crv != CKR_OK) { andre@0: if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: PK11_FreeSlot(slot); andre@0: return SECFailure; andre@0: } andre@0: len = dsig->len; andre@0: crv = PK11_GETTAB(slot)->C_VerifyRecover(session,sig->data, andre@0: sig->len, dsig->data, &len); andre@0: if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: dsig->len = len; andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: 
PK11_FreeSlot(slot); andre@0: return SECFailure; andre@0: } andre@0: PK11_FreeSlot(slot); andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * verify a signature from its hash. andre@0: */ andre@0: SECStatus andre@0: PK11_Verify(SECKEYPublicKey *key, const SECItem *sig, const SECItem *hash, andre@0: void *wincx) andre@0: { andre@0: PK11SlotInfo *slot = key->pkcs11Slot; andre@0: CK_OBJECT_HANDLE id = key->pkcs11ID; andre@0: CK_MECHANISM mech = {0, NULL, 0 }; andre@0: PRBool owner = PR_TRUE; andre@0: CK_SESSION_HANDLE session; andre@0: CK_RV crv; andre@0: andre@0: mech.mechanism = PK11_MapSignKeyType(key->keyType); andre@0: andre@0: if (slot == NULL) { andre@0: unsigned int length = 0; andre@0: if ((mech.mechanism == CKM_DSA) && andre@0: /* 129 is 1024 bits translated to bytes and andre@0: * padded with an optional '0' to maintain a andre@0: * positive sign */ andre@0: (key->u.dsa.params.prime.len > 129)) { andre@0: /* we need to get a slot that not only can do DSA, but can do DSA2 andre@0: * key lengths */ andre@0: length = key->u.dsa.params.prime.len; andre@0: if (key->u.dsa.params.prime.data[0] == 0) { andre@0: length --; andre@0: } andre@0: /* convert keysize to bits for slot lookup */ andre@0: length *= 8; andre@0: } andre@0: slot = PK11_GetBestSlotWithAttributes(mech.mechanism, andre@0: CKF_VERIFY,length,wincx); andre@0: if (slot == NULL) { andre@0: PORT_SetError( SEC_ERROR_NO_MODULE ); andre@0: return SECFailure; andre@0: } andre@0: id = PK11_ImportPublicKey(slot,key,PR_FALSE); andre@0: andre@0: } else { andre@0: PK11_ReferenceSlot(slot); andre@0: } andre@0: andre@0: if (id == CK_INVALID_HANDLE) { andre@0: PK11_FreeSlot(slot); andre@0: PORT_SetError( SEC_ERROR_BAD_KEY ); andre@0: return SECFailure; andre@0: } andre@0: andre@0: session = pk11_GetNewSession(slot,&owner); andre@0: if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_VerifyInit(session,&mech,id); andre@0: if (crv != CKR_OK) { 
andre@0: if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: PK11_FreeSlot(slot); andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: crv = PK11_GETTAB(slot)->C_Verify(session,hash->data, andre@0: hash->len, sig->data, sig->len); andre@0: if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: PK11_FreeSlot(slot); andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * sign a hash. The algorithm is determined by the key. andre@0: */ andre@0: SECStatus andre@0: PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, const SECItem *hash) andre@0: { andre@0: PK11SlotInfo *slot = key->pkcs11Slot; andre@0: CK_MECHANISM mech = {0, NULL, 0 }; andre@0: PRBool owner = PR_TRUE; andre@0: CK_SESSION_HANDLE session; andre@0: PRBool haslock = PR_FALSE; andre@0: CK_ULONG len; andre@0: CK_RV crv; andre@0: andre@0: mech.mechanism = PK11_MapSignKeyType(key->keyType); andre@0: andre@0: if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) { andre@0: PK11_HandlePasswordCheck(slot, key->wincx); andre@0: } andre@0: andre@0: session = pk11_GetNewSession(slot,&owner); andre@0: haslock = (!owner || !(slot->isThreadSafe)); andre@0: if (haslock) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID); andre@0: if (crv != CKR_OK) { andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: andre@0: /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then andre@0: * do C_Login with CKU_CONTEXT_SPECIFIC andre@0: * between C_SignInit and C_Sign */ andre@0: if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { 
andre@0: PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); andre@0: } andre@0: andre@0: len = sig->len; andre@0: crv = PK11_GETTAB(slot)->C_Sign(session,hash->data, andre@0: hash->len, sig->data, &len); andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: sig->len = len; andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: /* andre@0: * sign data with a MAC key. andre@0: */ andre@0: SECStatus andre@0: PK11_SignWithSymKey(PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, andre@0: SECItem *param, SECItem *sig, const SECItem *data) andre@0: { andre@0: PK11SlotInfo *slot = symKey->slot; andre@0: CK_MECHANISM mech = {0, NULL, 0 }; andre@0: PRBool owner = PR_TRUE; andre@0: CK_SESSION_HANDLE session; andre@0: PRBool haslock = PR_FALSE; andre@0: CK_ULONG len; andre@0: CK_RV crv; andre@0: andre@0: mech.mechanism = mechanism; andre@0: if (param) { andre@0: mech.pParameter = param->data; andre@0: mech.ulParameterLen = param->len; andre@0: } andre@0: andre@0: session = pk11_GetNewSession(slot,&owner); andre@0: haslock = (!owner || !(slot->isThreadSafe)); andre@0: if (haslock) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,symKey->objectID); andre@0: if (crv != CKR_OK) { andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: andre@0: len = sig->len; andre@0: crv = PK11_GETTAB(slot)->C_Sign(session,data->data, andre@0: data->len, sig->data, &len); andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: sig->len = len; andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; 
andre@0: } andre@0: andre@0: SECStatus andre@0: PK11_Decrypt(PK11SymKey *symKey, andre@0: CK_MECHANISM_TYPE mechanism, SECItem *param, andre@0: unsigned char *out, unsigned int *outLen, andre@0: unsigned int maxLen, andre@0: const unsigned char *enc, unsigned encLen) andre@0: { andre@0: PK11SlotInfo *slot = symKey->slot; andre@0: CK_MECHANISM mech = {0, NULL, 0 }; andre@0: CK_ULONG len = maxLen; andre@0: PRBool owner = PR_TRUE; andre@0: CK_SESSION_HANDLE session; andre@0: PRBool haslock = PR_FALSE; andre@0: CK_RV crv; andre@0: andre@0: mech.mechanism = mechanism; andre@0: if (param) { andre@0: mech.pParameter = param->data; andre@0: mech.ulParameterLen = param->len; andre@0: } andre@0: andre@0: session = pk11_GetNewSession(slot, &owner); andre@0: haslock = (!owner || !slot->isThreadSafe); andre@0: if (haslock) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_DecryptInit(session, &mech, symKey->objectID); andre@0: if (crv != CKR_OK) { andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot, session, owner); andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: andre@0: crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen, andre@0: out, &len); andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot, session, owner); andre@0: *outLen = len; andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: SECStatus andre@0: PK11_Encrypt(PK11SymKey *symKey, andre@0: CK_MECHANISM_TYPE mechanism, SECItem *param, andre@0: unsigned char *out, unsigned int *outLen, andre@0: unsigned int maxLen, andre@0: const unsigned char *data, unsigned int dataLen) andre@0: { andre@0: PK11SlotInfo *slot = symKey->slot; andre@0: CK_MECHANISM mech = {0, NULL, 0 }; andre@0: CK_ULONG len = maxLen; andre@0: PRBool owner = PR_TRUE; andre@0: CK_SESSION_HANDLE 
session; andre@0: PRBool haslock = PR_FALSE; andre@0: CK_RV crv; andre@0: andre@0: mech.mechanism = mechanism; andre@0: if (param) { andre@0: mech.pParameter = param->data; andre@0: mech.ulParameterLen = param->len; andre@0: } andre@0: andre@0: session = pk11_GetNewSession(slot, &owner); andre@0: haslock = (!owner || !slot->isThreadSafe); andre@0: if (haslock) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_EncryptInit(session, &mech, symKey->objectID); andre@0: if (crv != CKR_OK) { andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: crv = PK11_GETTAB(slot)->C_Encrypt(session, (unsigned char *)data, andre@0: dataLen, out, &len); andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: *outLen = len; andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: static SECStatus andre@0: pk11_PrivDecryptRaw(SECKEYPrivateKey *key, andre@0: unsigned char *data, unsigned *outLen, unsigned int maxLen, andre@0: const unsigned char *enc, unsigned encLen, andre@0: CK_MECHANISM_PTR mech) andre@0: { andre@0: PK11SlotInfo *slot = key->pkcs11Slot; andre@0: CK_ULONG out = maxLen; andre@0: PRBool owner = PR_TRUE; andre@0: CK_SESSION_HANDLE session; andre@0: PRBool haslock = PR_FALSE; andre@0: CK_RV crv; andre@0: andre@0: if (key->keyType != rsaKey) { andre@0: PORT_SetError( SEC_ERROR_INVALID_KEY ); andre@0: return SECFailure; andre@0: } andre@0: andre@0: /* Why do we do a PK11_handle check here? for simple andre@0: * decryption? .. because the user may have asked for 'ask always' andre@0: * and this is a private key operation. 
In practice, thought, it's mute andre@0: * since only servers wind up using this function */ andre@0: if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_PRIVATE)) { andre@0: PK11_HandlePasswordCheck(slot, key->wincx); andre@0: } andre@0: session = pk11_GetNewSession(slot,&owner); andre@0: haslock = (!owner || !(slot->isThreadSafe)); andre@0: if (haslock) PK11_EnterSlotMonitor(slot); andre@0: crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID); andre@0: if (crv != CKR_OK) { andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: andre@0: /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then andre@0: * do C_Login with CKU_CONTEXT_SPECIFIC andre@0: * between C_DecryptInit and C_Decrypt andre@0: * ... But see note above about servers */ andre@0: if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { andre@0: PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); andre@0: } andre@0: andre@0: crv = PK11_GETTAB(slot)->C_Decrypt(session, (unsigned char *)enc, encLen, andre@0: data, &out); andre@0: if (haslock) PK11_ExitSlotMonitor(slot); andre@0: pk11_CloseSession(slot,session,owner); andre@0: *outLen = out; andre@0: if (crv != CKR_OK) { andre@0: PORT_SetError( PK11_MapError(crv) ); andre@0: return SECFailure; andre@0: } andre@0: return SECSuccess; andre@0: } andre@0: andre@0: SECStatus andre@0: PK11_PubDecryptRaw(SECKEYPrivateKey *key, andre@0: unsigned char *data, unsigned *outLen, unsigned int maxLen, andre@0: const unsigned char *enc, unsigned encLen) andre@0: { andre@0: CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 }; andre@0: return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech); andre@0: } andre@0: andre@0: SECStatus andre@0: PK11_PrivDecryptPKCS1(SECKEYPrivateKey *key, andre@0: unsigned char *data, unsigned *outLen, unsigned int maxLen, andre@0: const unsigned char *enc, 
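unsigned encLen)
{
    CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
    return pk11_PrivDecryptRaw(key, data, outLen, maxLen, enc, encLen, &mech);
}

/*
 * Single-part public-key encryption (C_EncryptInit followed by C_Encrypt).
 *
 * The slot is chosen with PK11_GetBestSlotWithAttributes for the requested
 * mechanism and CKF_ENCRYPT, and the public key is imported into it with
 * PK11_ImportPublicKey before use.
 *
 *   out    - output buffer; 'maxLen' is handed to the token as its size.
 *   outLen - receives the length reported by the token. It is also written
 *            when C_Encrypt fails, so callers must not use it on SECFailure.
 *   data   - plaintext of 'dataLen' bytes.
 *
 * Errors: SEC_ERROR_NO_MODULE when no slot is found, SEC_ERROR_BAD_KEY when
 * the key cannot be imported, otherwise the mapped PKCS #11 error.
 */
static SECStatus
pk11_PubEncryptRaw(SECKEYPublicKey *key,
                   unsigned char *out, unsigned int *outLen,
                   unsigned int maxLen,
                   const unsigned char *data, unsigned dataLen,
                   CK_MECHANISM_PTR mech, void *wincx)
{
    PK11SlotInfo *slot;
    CK_OBJECT_HANDLE id;
    CK_ULONG len = maxLen;
    PRBool owner = PR_TRUE;
    PRBool haslock = PR_FALSE;
    CK_SESSION_HANDLE session;
    CK_RV crv;

    slot = PK11_GetBestSlotWithAttributes(mech->mechanism, CKF_ENCRYPT, 0, wincx);
    if (slot == NULL) {
        PORT_SetError(SEC_ERROR_NO_MODULE);
        return SECFailure;
    }

    id = PK11_ImportPublicKey(slot, key, PR_FALSE);
    if (id == CK_INVALID_HANDLE) {
        PK11_FreeSlot(slot);
        PORT_SetError(SEC_ERROR_BAD_KEY);
        return SECFailure;
    }

    session = pk11_GetNewSession(slot, &owner);
    /* Decide once whether the slot monitor is needed, as the sibling
     * decrypt/encrypt helpers in this file do, so that every Enter is
     * paired with an Exit even if slot state is re-read differently. */
    haslock = (!owner || !(slot->isThreadSafe));
    if (haslock) {
        PK11_EnterSlotMonitor(slot);
    }
    crv = PK11_GETTAB(slot)->C_EncryptInit(session, mech, id);
    if (crv != CKR_OK) {
        if (haslock) {
            PK11_ExitSlotMonitor(slot);
        }
        pk11_CloseSession(slot, session, owner);
        PK11_FreeSlot(slot);
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    crv = PK11_GETTAB(slot)->C_Encrypt(session, (unsigned char *)data, dataLen,
                                       out, &len);
    if (haslock) {
        PK11_ExitSlotMonitor(slot);
    }
    pk11_CloseSession(slot, session, owner);
    PK11_FreeSlot(slot);
    *outLen = len;
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    return SECSuccess;
}

/*
 * Raw RSA public-key operation (CKM_RSA_X_509, no mechanism parameter).
 *
 * There is no length argument for 'enc': the buffer size given to the token
 * is SECKEY_PublicKeyStrength(key), so 'enc' must hold at least that many
 * bytes. The number of bytes actually produced is not returned.
 * Fails with SEC_ERROR_BAD_KEY when 'key' is NULL or not an RSA key.
 */
SECStatus
PK11_PubEncryptRaw(SECKEYPublicKey *key,
                   unsigned char *enc,
                   const unsigned char *data, unsigned dataLen,
                   void *wincx)
{
    CK_MECHANISM mech = {CKM_RSA_X_509, NULL, 0 };
    unsigned int outLen;

    if (!key || key->keyType != rsaKey) {
        PORT_SetError(SEC_ERROR_BAD_KEY);
        return SECFailure;
    }
    outLen = SECKEY_PublicKeyStrength(key);
    return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech,
                              wincx);
}

/*
 * RSA public-key encryption with the CKM_RSA_PKCS mechanism.
 *
 * As with PK11_PubEncryptRaw, 'enc' has no length argument and must hold at
 * least SECKEY_PublicKeyStrength(key) bytes; the produced length is not
 * returned. Fails with SEC_ERROR_BAD_KEY when 'key' is NULL or not RSA.
 */
SECStatus
PK11_PubEncryptPKCS1(SECKEYPublicKey *key,
                     unsigned char *enc,
                     const unsigned char *data, unsigned dataLen,
                     void *wincx)
{
    CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0 };
    unsigned int outLen;

    if (!key || key->keyType != rsaKey) {
        PORT_SetError(SEC_ERROR_BAD_KEY);
        return SECFailure;
    }
    outLen = SECKEY_PublicKeyStrength(key);
    return pk11_PubEncryptRaw(key, enc, &outLen, outLen, data, dataLen, &mech,
                              wincx);
}

/*
 * Private-key decryption with a caller-chosen mechanism and optional
 * mechanism parameter. 'param', when non-NULL, is passed to the token by
 * reference (data pointer and length), not copied.
 * Arguments and return value otherwise follow pk11_PrivDecryptRaw.
 */
SECStatus
PK11_PrivDecrypt(SECKEYPrivateKey *key,
                 CK_MECHANISM_TYPE mechanism, SECItem *param,
                 unsigned char *out, unsigned int *outLen,
                 unsigned int maxLen,
                 const unsigned char *enc, unsigned encLen)
{
    CK_MECHANISM mech = { mechanism, NULL, 0 };

    if (param) {
        mech.pParameter = param->data;
        mech.ulParameterLen = param->len;
    }
    return pk11_PrivDecryptRaw(key, out, outLen, maxLen, enc, encLen, &mech);
}

SECStatus
PK11_PubEncrypt(SECKEYPublicKey *key,
                CK_MECHANISM_TYPE mechanism, SECItem *param,
                unsigned char *out, unsigned int *outLen,
                unsigned int maxLen,
                const unsigned char *data, unsigned dataLen,
                void *wincx)
{
    CK_MECHANISM mech = { mechanism,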
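NULL, 0 };
    if (param) {
        mech.pParameter = param->data;
        mech.ulParameterLen = param->len;
    }
    return pk11_PubEncryptRaw(key, out, outLen, maxLen, data, dataLen, &mech,
                              wincx);
}

/*
 * Unwrap a wrapped private key into 'slot' with C_UnwrapKey and return it
 * as a SECKEYPrivateKey (NULL on failure).
 *
 *   wrappingKey - symmetric key used to unwrap; copied to 'slot' when it
 *                 lives on a different slot.
 *   param       - mechanism parameter; when NULL one is built with
 *                 PK11_ParamFromIV(wrapType, NULL) and released before return.
 *   idValue     - public value from which CKA_ID is derived
 *                 (PK11_MakeIDFromPubKey).
 *   perm        - sets CKA_TOKEN and selects a read/write session.
 *   sensitive   - sets both CKA_PRIVATE and CKA_SENSITIVE.
 *   usage       - 'usageCount' attribute types, each set to CK_TRUE.
 *
 * The attribute template is a fixed 15-entry array. usageCount is checked
 * against the space left in it before the usage attributes are written;
 * a larger count fails with SEC_ERROR_INVALID_ARGS instead of running past
 * the end of the array.
 *
 * Security note: when the unwrap on 'slot' fails and 'slot' is not the
 * internal slot, the key is first unwrapped on the internal slot with
 * perm = PR_FALSE and sensitive = PR_FALSE (so CKA_SENSITIVE and CKA_PRIVATE
 * are CK_FALSE there) and then loaded into 'slot' with PK11_LoadPrivKey.
 * Deployments that require key material never to exist outside the target
 * token need to account for this fallback.
 */
SECKEYPrivateKey *
PK11_UnwrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
                   CK_MECHANISM_TYPE wrapType, SECItem *param,
                   SECItem *wrappedKey, SECItem *label,
                   SECItem *idValue, PRBool perm, PRBool sensitive,
                   CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage,
                   int usageCount, void *wincx)
{
    CK_BBOOL cktrue = CK_TRUE;
    CK_BBOOL ckfalse = CK_FALSE;
    CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
    CK_ATTRIBUTE keyTemplate[15];
    int templateCount = 0;
    int maxUsage;
    PRBool internal;
    CK_OBJECT_HANDLE privKeyID;
    CK_MECHANISM mechanism;
    CK_ATTRIBUTE *attrs = keyTemplate;
    SECItem *param_free = NULL, *ck_id = NULL;
    CK_RV crv;
    CK_SESSION_HANDLE rwsession;
    PK11SymKey *newKey = NULL;
    int i;

    /* wrappingKey is dereferenced below, so it is validated with the rest. */
    if (!slot || !wrappingKey || !wrappedKey || !idValue) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    ck_id = PK11_MakeIDFromPubKey(idValue);
    if (!ck_id) {
        return NULL;
    }

    PK11_SETATTRS(attrs, CKA_TOKEN, perm ? &cktrue : &ckfalse,
                  sizeof(cktrue)); attrs++;
    PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); attrs++;
    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); attrs++;
    PK11_SETATTRS(attrs, CKA_PRIVATE, sensitive ? &cktrue : &ckfalse,
                  sizeof(cktrue)); attrs++;
    PK11_SETATTRS(attrs, CKA_SENSITIVE, sensitive ? &cktrue : &ckfalse,
                  sizeof(cktrue)); attrs++;
    if (label && label->data) {
        PK11_SETATTRS(attrs, CKA_LABEL, label->data, label->len); attrs++;
    }
    PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len); attrs++;

    /* Bound the caller-supplied usage list by the room left in the
     * template, keeping one entry for CKA_NETSCAPE_DB when it will be
     * added below. The PR_ASSERT further down only fires in debug builds
     * and only after the writes have already happened. */
    internal = PK11_IsInternal(slot);
    maxUsage = (int)(sizeof(keyTemplate) / sizeof(keyTemplate[0]))
               - (int)(attrs - keyTemplate) - (internal ? 1 : 0);
    if (usageCount > maxUsage || (usageCount > 0 && !usage)) {
        SECITEM_FreeItem(ck_id, PR_TRUE);
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }
    for (i = 0; i < usageCount; i++) {
        PK11_SETATTRS(attrs, usage[i], &cktrue, sizeof(cktrue)); attrs++;
    }

    if (internal) {
        PK11_SETATTRS(attrs, CKA_NETSCAPE_DB, idValue->data,
                      idValue->len); attrs++;
    }

    templateCount = attrs - keyTemplate;
    PR_ASSERT(templateCount <= (sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)) );

    mechanism.mechanism = wrapType;
    if (!param) param = param_free = PK11_ParamFromIV(wrapType, NULL);
    if (param) {
        mechanism.pParameter = param->data;
        mechanism.ulParameterLen = param->len;
    } else {
        mechanism.pParameter = NULL;
        mechanism.ulParameterLen = 0;
    }

    if (wrappingKey->slot != slot) {
        newKey = pk11_CopyToSlot(slot, wrapType, CKA_UNWRAP, wrappingKey);
    } else {
        newKey = PK11_ReferenceSymKey(wrappingKey);
    }

    if (newKey) {
        if (perm) {
            /* Get RW Session will either lock the monitor if necessary,
             * or return a thread safe session handle, or fail. */
            rwsession = PK11_GetRWSession(slot);
        } else {
            rwsession = slot->session;
            if (rwsession != CK_INVALID_SESSION)
                PK11_EnterSlotMonitor(slot);
        }
        /* This is a lot of work to deal with fussy PKCS #11 modules
         * that can't bother to return BAD_DATA when presented with an
         * invalid session! */
        if (rwsession == CK_INVALID_SESSION) {
            PORT_SetError(SEC_ERROR_BAD_DATA);
            goto loser;
        }
        crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism,
                                             newKey->objectID,
                                             wrappedKey->data,
                                             wrappedKey->len, keyTemplate,
                                             templateCount, &privKeyID);

        if (perm) {
            PK11_RestoreROSession(slot, rwsession);
        } else {
            PK11_ExitSlotMonitor(slot);
        }
        PK11_FreeSymKey(newKey);
        newKey = NULL;
    } else {
        crv = CKR_FUNCTION_NOT_SUPPORTED;
    }

    if (ck_id) {
        SECITEM_FreeItem(ck_id, PR_TRUE);
        ck_id = NULL;
    }

    if (crv != CKR_OK) {
        /* we couldn't unwrap the key, use the internal module to do the
         * unwrap, then load the new key into the token */
        PK11SlotInfo *int_slot = PK11_GetInternalSlot();

        if (int_slot && (slot != int_slot)) {
            SECKEYPrivateKey *privKey = PK11_UnwrapPrivKey(int_slot,
                        wrappingKey, wrapType, param, wrappedKey, label,
                        idValue, PR_FALSE, PR_FALSE,
                        keyType, usage, usageCount, wincx);
            if (privKey) {
                SECKEYPrivateKey *newPrivKey = PK11_LoadPrivKey(slot, privKey,
                                                NULL, perm, sensitive);
                SECKEY_DestroyPrivateKey(privKey);
                PK11_FreeSlot(int_slot);
                /* 'param' may alias param_free; release it only now that
                 * the nested call is done with it. */
                if (param_free) SECITEM_FreeItem(param_free, PR_TRUE);
                return newPrivKey;
            }
        }
        if (int_slot) PK11_FreeSlot(int_slot);
        if (param_free) SECITEM_FreeItem(param_free, PR_TRUE);
        PORT_SetError( PK11_MapError(crv) );
        return NULL;
    }
    if (param_free) SECITEM_FreeItem(param_free, PR_TRUE);
    return PK11_MakePrivKey(slot, nullKey, PR_FALSE, privKeyID, wincx);

loser:
    if (newKey) {
        PK11_FreeSymKey(newKey);
    }
    if (ck_id) {
        SECITEM_FreeItem(ck_id, PR_TRUE);
    }
    if (param_free) {
        SECITEM_FreeItem(param_free, PR_TRUE);
    }
    return NULL;
}

/*
 * Now we're going to wrap a SECKEYPrivateKey with a PK11SymKey
 * The strategy is to get both keys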
to reside in the same slot,
 * one that can perform the desired crypto mechanism and then
 * call C_WrapKey after all the setup has taken place.
 *
 * wrappedKey->data must already point at a buffer; wrappedKey->len is
 * passed to the token as that buffer's size and is overwritten with the
 * produced length on success only.
 *
 * The 'slot' and 'wincx' arguments are not used by this function body; the
 * operation runs on the private key's own slot or, when that slot is
 * missing or lacks the mechanism, on the internal slot.
 *
 * Security note: in that fallback the private key is copied to the internal
 * slot with PK11_LoadPrivKey(..., PR_FALSE, PR_FALSE), i.e. as a temporary
 * object that is destroyed again before this function returns.
 */
SECStatus
PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
                 SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
                 SECItem *param, SECItem *wrappedKey, void *wincx)
{
    /* The slot where the private key we are going to wrap lives. */
    PK11SlotInfo *privSlot = privKey->pkcs11Slot;
    PK11SymKey *newSymKey = NULL;
    SECKEYPrivateKey *newPrivKey = NULL;
    SECItem *param_free = NULL;
    CK_ULONG len = wrappedKey->len;
    CK_MECHANISM mech;
    CK_RV crv;

    if (!privSlot || !PK11_DoesMechanism(privSlot, wrapType)) {
        /* Figure out a slot that does the mechanism and try to import
         * the private key onto that slot. */
        PK11SlotInfo *int_slot = PK11_GetInternalSlot();

        privSlot = int_slot; /* The private key has a new home */
        newPrivKey = PK11_LoadPrivKey(privSlot, privKey, NULL, PR_FALSE, PR_FALSE);
        /* newPrivKey has allocated its own reference to the slot, so it's
         * safe until we destroy newPrivKey. */
        PK11_FreeSlot(int_slot);
        if (newPrivKey == NULL) {
            return SECFailure;
        }
        privKey = newPrivKey;
    }

    /* The wrapping key has to sit on the same slot as the private key. */
    if (privSlot != wrappingKey->slot) {
        newSymKey = pk11_CopyToSlot(privSlot, wrapType, CKA_WRAP, wrappingKey);
        wrappingKey = newSymKey;
    }

    if (wrappingKey == NULL) {
        if (newPrivKey) {
            SECKEY_DestroyPrivateKey(newPrivKey);
        }
        return SECFailure;
    }

    mech.mechanism = wrapType;
    mech.pParameter = NULL;
    mech.ulParameterLen = 0;
    if (!param) {
        param = param_free = PK11_ParamFromIV(wrapType, NULL);
    }
    if (param) {
        mech.pParameter = param->data;
        mech.ulParameterLen = param->len;
    }

    PK11_EnterSlotMonitor(privSlot);
    crv = PK11_GETTAB(privSlot)->C_WrapKey(privSlot->session, &mech,
                                           wrappingKey->objectID,
                                           privKey->pkcs11ID,
                                           wrappedKey->data, &len);
    PK11_ExitSlotMonitor(privSlot);

    /* Drop the temporaries before looking at the result. */
    if (newSymKey) {
        PK11_FreeSymKey(newSymKey);
    }
    if (newPrivKey) {
        SECKEY_DestroyPrivateKey(newPrivKey);
    }
    if (param_free) {
        SECITEM_FreeItem(param_free, PR_TRUE);
    }

    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }

    wrappedKey->len = len;
    return SECSuccess;
}

#if 0
/*
 * Sample code relating to linked list returned by PK11_FindGenericObjects
 */

/*
 * You can walk the list with the following code:
 */
    firstObj = PK11_FindGenericObjects(slot, objClass);
    for (thisObj=firstObj;
         thisObj;
         thisObj=PK11_GetNextGenericObject(thisObj)) {
        /* operate on thisObj */
}
/*
 * If you want a particular object from the list...
 */
    firstObj = PK11_FindGenericObjects(slot, objClass);
    for (thisObj=firstObj;
         thisObj;
         thisObj=PK11_GetNextGenericObject(thisObj)) {
        if (isMyObj(thisObj)) {
            if ( thisObj == firstObj) {
                /* NOTE: firstObj could be NULL at this point */
                firstObj = PK11_GetNextGenericObject(thisObj);
            }
            PK11_UnlinkGenericObject(thisObj);
            myObj = thisObj;
            break;
        }
    }

    PK11_DestroyGenericObjects(firstObj);

      /* use myObj */

    PK11_DestroyGenericObject(myObj);
#endif /* sample code */

/*
 * Return a linked, non-circular list of generic objects of class 'objClass'
 * found on 'slot'. If you are only interested in one object, just use the
 * first object in the list. To find the rest of the list use
 * PK11_GetNextGenericObject() to return the next object.
 *
 * Each list node holds its own slot reference (PK11_ReferenceSlot). NULL is
 * returned both when nothing matched and when the search or an allocation
 * failed; a partially built list is destroyed before returning.
 */
PK11GenericObject *
PK11_FindGenericObjects(PK11SlotInfo *slot, CK_OBJECT_CLASS objClass)
{
    CK_ATTRIBUTE classTemplate[1];
    CK_OBJECT_HANDLE *handles = NULL;
    PK11GenericObject *head = NULL;
    PK11GenericObject *tail = NULL;
    int found = 0;
    int idx;

    PK11_SETATTRS(&classTemplate[0], CKA_CLASS, &objClass, sizeof(objClass));

    handles = pk11_FindObjectsByTemplate(slot, classTemplate, 1, &found);
    if (handles == NULL) {
        return NULL;
    }

    for (idx = 0; idx < found; idx++) {
        PK11GenericObject *node = PORT_New(PK11GenericObject);

        if (node == NULL) {
            if (head) {
                PK11_DestroyGenericObjects(head);
            }
            PORT_Free(handles);
            return NULL;
        }

        node->slot = PK11_ReferenceSlot(slot);
        node->objectID = handles[idx];
        node->next = NULL;
        node->prev = NULL;

        /* append behind the most recently created node */
        if (head == NULL) {
            head = node;
        } else {
            PK11_LinkGenericObject(tail, node);
        }
        tail = node;
    }

    PORT_Free(handles);
    return head;
}

/*
 * Return the object that follows 'object' in its list (NULL at the end).
 * 'object' must not be NULL.
 */
PK11GenericObject *
PK11_GetNextGenericObject(PK11GenericObject *object)
{
    PK11GenericObject *following = object->next;

    return following;
}

/*
 * Return the object that precedes 'object' in its list (NULL at the start).
 * 'object' must not be NULL.
 */
PK11GenericObject *
PK11_GetPrevGenericObject(PK11GenericObject *object)
{
    PK11GenericObject *preceding = object->prev;

    return preceding;
}

/*
 * Insert 'object' directly after 'list'. If the object is already in
 * another list, it is removed from it first. Neither argument may be NULL.
 * Always returns SECSuccess.
 */
SECStatus
PK11_LinkGenericObject(PK11GenericObject *list, PK11GenericObject *object)
{
    PK11GenericObject *successor;

    PK11_UnlinkGenericObject(object);

    successor = list->next;
    object->prev = list;
    object->next = successor;
    list->next = object;
    if (successor != NULL) {
        successor->prev = object;
    }
    return SECSuccess;
}

/*
 * remove an object from the list. If the object isn't already in
 * a list unlink becomes a noop.
*/
/* 'object' must not be NULL. Neighbours are joined to each other and the
 * object's own links are cleared. Always returns SECSuccess. */
SECStatus
PK11_UnlinkGenericObject(PK11GenericObject *object)
{
    PK11GenericObject *before = object->prev;
    PK11GenericObject *after = object->next;

    if (before != NULL) {
        before->next = after;
    }
    if (after != NULL) {
        after->prev = before;
    }

    object->prev = NULL;
    object->next = NULL;
    return SECSuccess;
}

/*
 * Remove a single object from its list and destroy the list node: the
 * node's slot reference is released and the node itself is freed. Nothing
 * in this function calls into the token, so the underlying PKCS #11 object
 * is left in place. NULL is accepted and ignored.
 * For an already unlinked object there is no difference between
 * PK11_DestroyGenericObject and PK11_DestroyGenericObjects.
 */
SECStatus
PK11_DestroyGenericObject(PK11GenericObject *object)
{
    if (object != NULL) {
        PK11_UnlinkGenericObject(object);
        if (object->slot) {
            PK11_FreeSlot(object->slot);
        }
        PORT_Free(object);
    }
    return SECSuccess;
}

/*
 * walk down a link list of generic objects destroying them.
 * This will destroy all objects in a list that the object is linked into.
 * (the list is traversed in both directions).
*/
/* NULL is accepted and ignored. Always returns SECSuccess. */
SECStatus
PK11_DestroyGenericObjects(PK11GenericObject *objects)
{
    PK11GenericObject *cursor;
    PK11GenericObject *before;

    if (objects == NULL) {
        return SECSuccess;
    }

    /* Remember the backward neighbour before the start node is freed. */
    before = objects->prev;

    /* the start node and everything after it */
    cursor = objects;
    while (cursor != NULL) {
        PK11GenericObject *after = cursor->next;

        PK11_DestroyGenericObject(cursor);
        cursor = after;
    }

    /* everything before the start node */
    cursor = before;
    while (cursor != NULL) {
        before = cursor->prev;
        PK11_DestroyGenericObject(cursor);
        cursor = before;
    }
    return SECSuccess;
}

/*
 * Create a new object on 'slot' from the 'count' attributes in 'pTemplate'
 * and return a generic-object wrapper for it. 'token' is forwarded to
 * PK11_CreateNewObject.
 *
 * Returns NULL with the mapped PKCS #11 error when creation fails, and NULL
 * when the wrapper cannot be allocated.
 * NOTE(review): in the second case the object has already been created on
 * the token and its handle is dropped here without destroying it - confirm
 * whether that should be cleaned up.
 */
PK11GenericObject *
PK11_CreateGenericObject(PK11SlotInfo *slot, const CK_ATTRIBUTE *pTemplate,
                         int count, PRBool token)
{
    CK_OBJECT_HANDLE created;
    PK11GenericObject *wrapper;
    CK_RV crv;

    PK11_EnterSlotMonitor(slot);
    crv = PK11_CreateNewObject(slot, slot->session, pTemplate, count,
                               token, &created);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return NULL;
    }

    wrapper = PORT_New(PK11GenericObject);
    if (wrapper == NULL) {
        /* error set by PORT_New */
        return NULL;
    }

    wrapper->slot = PK11_ReferenceSlot(slot);
    wrapper->objectID = created;
    wrapper->next = NULL;
    wrapper->prev = NULL;
    return wrapper;
}

/*
 * Change an attribute on a raw object.
 *
 * 'objSpec' is cast according to 'objType' (generic object, private key,
 * public key or symmetric key) to obtain the slot and object handle; nothing
 * here verifies that the pointer really has that type, so the caller must
 * pass a matching pair. Certificates and unknown types, and objects without
 * a slot, fail with SEC_ERROR_UNKNOWN_OBJECT_TYPE.
 *
 * 'item' must not be NULL; its data and length are written to the token
 * through a read/write session with C_SetAttributeValue.
 */
SECStatus
PK11_WriteRawAttribute(PK11ObjectType objType, void *objSpec,
                       CK_ATTRIBUTE_TYPE attrType, SECItem *item)
{
    PK11SlotInfo *slot = NULL;
    CK_OBJECT_HANDLE handle;
    CK_ATTRIBUTE attr;
    CK_SESSION_HANDLE rw;
    CK_RV crv;

    switch (objType) {
    case PK11_TypeGeneric: {
        PK11GenericObject *generic = (PK11GenericObject *)objSpec;
        slot = generic->slot;
        handle = generic->objectID;
        break;
    }
    case PK11_TypePrivKey: {
        SECKEYPrivateKey *priv = (SECKEYPrivateKey *)objSpec;
        slot = priv->pkcs11Slot;
        handle = priv->pkcs11ID;
        break;
    }
    case PK11_TypePubKey: {
        SECKEYPublicKey *pub = (SECKEYPublicKey *)objSpec;
        slot = pub->pkcs11Slot;
        handle = pub->pkcs11ID;
        break;
    }
    case PK11_TypeSymKey: {
        PK11SymKey *sym = (PK11SymKey *)objSpec;
        slot = sym->slot;
        handle = sym->objectID;
        break;
    }
    case PK11_TypeCert: /* don't handle cert case for now */
    default:
        break;
    }
    if (slot == NULL) {
        PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE);
        return SECFailure;
    }

    PK11_SETATTRS(&attr, attrType, (CK_CHAR *) item->data, item->len);
    rw = PK11_GetRWSession(slot);
    if (rw == CK_INVALID_SESSION) {
        PORT_SetError(SEC_ERROR_BAD_DATA);
        return SECFailure;
    }
    crv = PK11_GETTAB(slot)->C_SetAttributeValue(rw, handle, &attr, 1);
    PK11_RestoreROSession(slot, rw);
    if (crv == CKR_OK) {
        return SECSuccess;
    }
    PORT_SetError(PK11_MapError(crv));
    return SECFailure;
}


SECStatus
PK11_ReadRawAttribute(PK11ObjectType objType, void *objSpec,
                      CK_ATTRIBUTE_TYPE attrType, SECItem *item)
{
    PK11SlotInfo *slot = NULL;
    CK_OBJECT_HANDLE handle;

    switch (objType) {
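case PK11_TypeGeneric:
        slot = ((PK11GenericObject *)objSpec)->slot;
        handle = ((PK11GenericObject *)objSpec)->objectID;
        break;
    case PK11_TypePrivKey:
        slot = ((SECKEYPrivateKey *)objSpec)->pkcs11Slot;
        handle = ((SECKEYPrivateKey *)objSpec)->pkcs11ID;
        break;
    case PK11_TypePubKey:
        slot = ((SECKEYPublicKey *)objSpec)->pkcs11Slot;
        handle = ((SECKEYPublicKey *)objSpec)->pkcs11ID;
        break;
    case PK11_TypeSymKey:
        slot = ((PK11SymKey *)objSpec)->slot;
        handle = ((PK11SymKey *)objSpec)->objectID;
        break;
    case PK11_TypeCert: /* don't handle cert case for now */
    default:
        break;
    }
    if (slot == NULL) {
        PORT_SetError(SEC_ERROR_UNKNOWN_OBJECT_TYPE);
        return SECFailure;
    }

    return PK11_ReadAttribute(slot, handle, attrType, NULL, item);
}


/*
 * Return the handle of one object on 'slot' that matches the 'tsize'
 * attributes in 'theTemplate'.
 *
 * Only the first match is fetched (C_FindObjects is asked for one handle).
 * Returns CK_INVALID_HANDLE on failure: the mapped PKCS #11 error when a
 * call fails, or SSL_ERROR_NO_CERTIFICATE when the search succeeds but
 * finds nothing. An invalid slot session is reported as
 * CKR_SESSION_HANDLE_INVALID without calling the module.
 */
CK_OBJECT_HANDLE
pk11_FindObjectByTemplate(PK11SlotInfo *slot,CK_ATTRIBUTE *theTemplate,int tsize)
{
    CK_OBJECT_HANDLE object;
    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
    CK_ULONG objectCount;

    /*
     * issue the find
     */
    PK11_EnterSlotMonitor(slot);
    if (slot->session != CK_INVALID_SESSION) {
        crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session,
                                                   theTemplate, tsize);
    }
    if (crv != CKR_OK) {
        PK11_ExitSlotMonitor(slot);
        PORT_SetError( PK11_MapError(crv) );
        return CK_INVALID_HANDLE;
    }

    crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, &object, 1,
                                           &objectCount);
    /* The search is always closed, whatever C_FindObjects returned. */
    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
    PK11_ExitSlotMonitor(slot);
    if ((crv != CKR_OK) || (objectCount < 1)) {
        /* shouldn't use SSL_ERROR... here */
        PORT_SetError( crv != CKR_OK ? PK11_MapError(crv) :
                                       SSL_ERROR_NO_CERTIFICATE);
        return CK_INVALID_HANDLE;
    }

    /* blow up if the PKCS #11 module returns us an invalid object handle */
    PORT_Assert(object != CK_INVALID_HANDLE);
    return object;
}

/*
 * Return all the object handles on 'slot' that match the template.
 *
 * '*object_count' is both input and output: it is used as the index at
 * which the first results are stored, so callers must pass 0. A negative
 * value (for example the -1 left behind by an earlier failed call) is
 * reset to 0 here, because it would otherwise make C_FindObjects write
 * before the start of the freshly allocated array.
 *
 * Returns a PORT_Alloc'ed array the caller frees with PORT_Free.
 * Returns NULL with '*object_count' == 0 when nothing matched, and NULL
 * with '*object_count' == -1 when the search or an allocation failed.
 */
CK_OBJECT_HANDLE *
pk11_FindObjectsByTemplate(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate,
                           int templCount, int *object_count)
{
    CK_OBJECT_HANDLE *objID = NULL;
    CK_ULONG returned_count = 0;
    CK_RV crv = CKR_SESSION_HANDLE_INVALID;

    if (*object_count < 0) {
        *object_count = 0;
    }

    PK11_EnterSlotMonitor(slot);
    if (slot->session != CK_INVALID_SESSION) {
        crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session,
                                                   findTemplate, templCount);
    }
    if (crv != CKR_OK) {
        PK11_ExitSlotMonitor(slot);
        PORT_SetError( PK11_MapError(crv) );
        *object_count = -1;
        return NULL;
    }


    /*
     * collect all the Matching Objects, one chunk of
     * PK11_SEARCH_CHUNKSIZE handles at a time
     */
    do {
        CK_OBJECT_HANDLE *oldObjID = objID;

        if (objID == NULL) {
            objID = (CK_OBJECT_HANDLE *) PORT_Alloc(sizeof(CK_OBJECT_HANDLE)*
                                (*object_count+ PK11_SEARCH_CHUNKSIZE));
        } else {
            objID = (CK_OBJECT_HANDLE *) PORT_Realloc(objID,
                sizeof(CK_OBJECT_HANDLE)*(*object_count+PK11_SEARCH_CHUNKSIZE));
        }

        if (objID == NULL) {
            /* a failed realloc leaves the old block allocated */
            if (oldObjID) PORT_Free(oldObjID);
            break;
        }
        crv = PK11_GETTAB(slot)->C_FindObjects(slot->session,
                &objID[*object_count],PK11_SEARCH_CHUNKSIZE,&returned_count);
        if (crv != CKR_OK) {
            PORT_SetError( PK11_MapError(crv) );
            PORT_Free(objID);
            objID = NULL;
            break;
        }
        *object_count += returned_count;
        /* a short chunk means the token has no more matches */
    } while (returned_count == PK11_SEARCH_CHUNKSIZE);

    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
    PK11_ExitSlotMonitor(slot);

    if (objID && (*object_count == 0)) {
        PORT_Free(objID);
        return NULL;
    }
    if (objID == NULL) *object_count = -1;
    return objID;
}
/*
 * given a PKCS #11 object, match its peer based on the KeyID. searchID
 * is typically a privateKey or a certificate while the peer is the opposite
 */
CK_OBJECT_HANDLE
PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID,
               CK_OBJECT_CLASS matchclass)
{
    CK_ATTRIBUTE theTemplate[] = {
        { CKA_ID, NULL, 0 },
        { CKA_CLASS, NULL, 0 }
    };
    /* if you change the array, change the variable below as well */
    CK_ATTRIBUTE *keyclass = &theTemplate[1];
    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
    /* if you change the array, change the variable below as well */
    CK_OBJECT_HANDLE peerID;
    CK_OBJECT_HANDLE parent;
    PLArenaPool *arena;
    CK_RV crv;

    /* now we need to create space for the public key */
    arena = PORT_NewArena( DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) return CK_INVALID_HANDLE;

    crv = PK11_GetAttributes(arena,slot,searchID,theTemplate,tsize);
    if (crv != CKR_OK) {
        PORT_FreeArena(arena,PR_FALSE);
        PORT_SetError( PK11_MapError(crv) );
        return CK_INVALID_HANDLE;
    }

    if ((theTemplate[0].ulValueLen == 0) || (theTemplate[0].ulValueLen == -1)) {
        PORT_FreeArena(arena,PR_FALSE);
        if (matchclass == CKO_CERTIFICATE)
            PORT_SetError(SEC_ERROR_BAD_KEY);
        else
            PORT_SetError(SEC_ERROR_NO_KEY);
        return CK_INVALID_HANDLE;
    }
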
/* issue the find */
    parent = *(CK_OBJECT_CLASS *)(keyclass->pValue);
    *(CK_OBJECT_CLASS *)(keyclass->pValue) = matchclass;

    peerID = pk11_FindObjectByTemplate(slot,theTemplate,tsize);
    PORT_FreeArena(arena,PR_FALSE);

    return peerID;
}

/*
 * Count the number of objects on 'slot' that match the template.
 *
 * The return value cannot signal an error: 0 is returned when the search
 * cannot be started, and a partial count when C_FindObjects fails part way
 * through. In both cases the mapped PKCS #11 error is set with
 * PORT_SetError, so callers that must tell "none" from "failed" have to
 * look at the error code.
 */
int
PK11_NumberObjectsFor(PK11SlotInfo *slot, CK_ATTRIBUTE *findTemplate,
                      int templCount)
{
    CK_OBJECT_HANDLE chunk[PK11_SEARCH_CHUNKSIZE];
    CK_ULONG fetched = 0;
    CK_RV crv = CKR_SESSION_HANDLE_INVALID;
    int total = 0;

    PK11_EnterSlotMonitor(slot);
    if (slot->session != CK_INVALID_SESSION) {
        crv = PK11_GETTAB(slot)->C_FindObjectsInit(slot->session,
                                                   findTemplate, templCount);
    }
    if (crv != CKR_OK) {
        PK11_ExitSlotMonitor(slot);
        PORT_SetError(PK11_MapError(crv));
        return total;
    }

    /* The handles themselves are discarded; only the counts are summed.
     * A short chunk means the token has no more matches. */
    for (;;) {
        crv = PK11_GETTAB(slot)->C_FindObjects(slot->session, chunk,
                                               PK11_SEARCH_CHUNKSIZE,
                                               &fetched);
        if (crv != CKR_OK) {
            PORT_SetError(PK11_MapError(crv));
            break;
        }
        total += fetched;
        if (fetched != PK11_SEARCH_CHUNKSIZE) {
            break;
        }
    }

    PK11_GETTAB(slot)->C_FindObjectsFinal(slot->session);
    PK11_ExitSlotMonitor(slot);
    return total;
}

/*
 * Traverse all the objects in a given slot.
 *
 * 'arg' is a pk11TraverseSlot: its template selects the objects and its
 * callback is invoked once per matching handle with callbackArg. The
 * callback's return value is ignored, so a failing callback neither stops
 * the traversal nor changes the result. Returns SECFailure only when the
 * object search itself fails.
 */
SECStatus
PK11_TraverseSlot(PK11SlotInfo *slot, void *arg)
{
    pk11TraverseSlot *request = (pk11TraverseSlot *) arg;
    CK_OBJECT_HANDLE *handles = NULL;
    int found = 0;
    int idx;

    handles = pk11_FindObjectsByTemplate(slot, request->findTemplate,
                                         request->templateCount, &found);

    /* Not a failure: there just were no objects to be found. */
    if (found == 0) {
        return SECSuccess;
    }

    if (handles == NULL) {
        return SECFailure;
    }

    for (idx = 0; idx < found; idx++) {
        (*request->callback)(slot, handles[idx], request->callbackArg);
    }
    PORT_Free(handles);
    return SECSuccess;
}

/*
 * Traverse all the objects in all slots.
 */
SECStatus
pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
                        void *arg, PRBool forceLogin, void *wincx) {
    PK11SlotList *list;
    PK11SlotListElement *le;
    SECStatus rv;

    /* get them all!
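*/
    list = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,wincx);
    if (list == NULL) return SECFailure;

    /* look at each slot and authenticate as necessary */
    for (le = list->head ; le; le = le->next) {
        if (forceLogin) {
            rv = pk11_AuthenticateUnfriendly(le->slot, PR_FALSE, wincx);
            if (rv != SECSuccess) {
                continue;
            }
        }
        if (callback) {
            (*callback)(le->slot,arg);
        }
    }

    PK11_FreeSlotList(list);

    return SECSuccess;
}

/*
 * Find all objects of class 'objclass' whose CKA_LABEL equals 'nickname'.
 *
 * A nickname of the form "token:label" selects the named token; when no
 * such token exists the whole string is treated as a label on the internal
 * key slot. Without a ':' the internal key slot is used.
 *
 * On success the handle array is returned (free with PORT_Free), *slotptr
 * holds a slot reference the caller must release, and *returnCount the
 * number of handles. On failure NULL is returned, *slotptr is NULL and the
 * slot reference has already been released.
 *
 * Note: when the named token is not found, the lookup silently falls back
 * to the internal key slot, so a result does not prove that the object
 * lives on the token named in the nickname; check *slotptr when that
 * matters.
 */
CK_OBJECT_HANDLE *
PK11_FindObjectsFromNickname(char *nickname,PK11SlotInfo **slotptr,
                CK_OBJECT_CLASS objclass, int *returnCount, void *wincx)
{
    char *tokenName;
    char *delimit;
    PK11SlotInfo *slot;
    CK_OBJECT_HANDLE *objID;
    CK_ATTRIBUTE findTemplate[] = {
         { CKA_LABEL, NULL, 0},
         { CKA_CLASS, NULL, 0},
    };
    int findCount = sizeof(findTemplate)/sizeof(findTemplate[0]);
    SECStatus rv;
    PK11_SETATTRS(&findTemplate[1], CKA_CLASS, &objclass, sizeof(objclass));

    *slotptr = slot = NULL;
    *returnCount = 0;
    /* first find the slot associated with this nickname */
    if ((delimit = PORT_Strchr(nickname,':')) != NULL) {
        int len = delimit - nickname;
        tokenName = (char*)PORT_Alloc(len+1);
        if (tokenName == NULL) {
            /* allocation failed; the copy below would write through NULL */
            return NULL;
        }
        PORT_Memcpy(tokenName,nickname,len);
        tokenName[len] = 0;

        slot = *slotptr = PK11_FindSlotByName(tokenName);
        PORT_Free(tokenName);
        /* if we couldn't find a slot, assume the nickname is an internal cert
         * with no preceding slot name */
        if (slot == NULL) {
            slot = *slotptr = PK11_GetInternalKeySlot();
        } else {
            nickname = delimit+1;
        }
    } else {
        *slotptr = slot = PK11_GetInternalKeySlot();
    }
    if (slot == NULL) {
        return NULL;
    }

    rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
    if (rv != SECSuccess) {
        PK11_FreeSlot(slot);
        *slotptr = NULL;
        return NULL;
    }

    findTemplate[0].pValue = nickname;
    findTemplate[0].ulValueLen = PORT_Strlen(nickname);
    objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,returnCount);
    if (objID == NULL) {
        /* PKCS #11 isn't clear on whether or not the NULL is
         * stored in the template.... try the find again with the
         * full null terminated string. */
        findTemplate[0].ulValueLen += 1;
        /* The first search sets *returnCount to -1 when it fails, and the
         * search helper uses the incoming count as the index of its first
         * result, so the count has to be reset before searching again. */
        *returnCount = 0;
        objID = pk11_FindObjectsByTemplate(slot,findTemplate,findCount,
                                           returnCount);
        if (objID == NULL) {
            /* Well that's the best we can do. It's just not here */
            /* what about faked nicknames? */
            PK11_FreeSlot(slot);
            *slotptr = NULL;
            *returnCount = 0;
        }
    }

    return objID;
}

/*
 * Return the CKA_ID of the object 'handle' on 'slot' as a newly allocated
 * SECItem (free with SECITEM_FreeItem(item, PR_TRUE)), or NULL on failure
 * with the mapped PKCS #11 error set.
 *
 * The attribute buffer filled in by PK11_GetAttributes (called without an
 * arena) is handed over to the returned item rather than copied.
 */
SECItem *
pk11_GetLowLevelKeyFromHandle(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
{
    CK_ATTRIBUTE theTemplate[] = {
        { CKA_ID, NULL, 0 },
    };
    int tsize = sizeof(theTemplate)/sizeof(theTemplate[0]);
    CK_RV crv;
    SECItem *item;

    item = SECITEM_AllocItem(NULL, NULL, 0);
    if (item == NULL) {
        return NULL;
    }

    crv = PK11_GetAttributes(NULL,slot,handle,theTemplate,tsize);
    if (crv != CKR_OK) {
        SECITEM_FreeItem(item,PR_TRUE);
        PORT_SetError( PK11_MapError(crv) );
        return NULL;
    }

    item->data = (unsigned char*) theTemplate[0].pValue;
    item->len = theTemplate[0].ulValueLen;

    return item;
}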