From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- security/nss/lib/ckfw/builtins/Makefile | 70 + security/nss/lib/ckfw/builtins/README | 106 + security/nss/lib/ckfw/builtins/anchor.c | 17 + security/nss/lib/ckfw/builtins/bfind.c | 261 + security/nss/lib/ckfw/builtins/binst.c | 87 + security/nss/lib/ckfw/builtins/bobject.c | 206 + security/nss/lib/ckfw/builtins/bsession.c | 71 + security/nss/lib/ckfw/builtins/bslot.c | 81 + security/nss/lib/ckfw/builtins/btoken.c | 135 + security/nss/lib/ckfw/builtins/builtins.gyp | 63 + security/nss/lib/ckfw/builtins/builtins.h | 66 + security/nss/lib/ckfw/builtins/certdata.perl | 192 + security/nss/lib/ckfw/builtins/certdata.py | 18 + security/nss/lib/ckfw/builtins/certdata.txt | 25361 +++++++++++++++++++ security/nss/lib/ckfw/builtins/ckbiver.c | 18 + security/nss/lib/ckfw/builtins/constants.c | 64 + security/nss/lib/ckfw/builtins/exports.gyp | 25 + security/nss/lib/ckfw/builtins/manifest.mn | 36 + security/nss/lib/ckfw/builtins/nssckbi.def | 26 + security/nss/lib/ckfw/builtins/nssckbi.h | 61 + security/nss/lib/ckfw/builtins/nssckbi.rc | 64 + security/nss/lib/ckfw/builtins/testlib/Makefile | 75 + .../lib/ckfw/builtins/testlib/builtins-testlib.gyp | 64 + .../lib/ckfw/builtins/testlib/certdata-testlib.txt | 479 + security/nss/lib/ckfw/builtins/testlib/manifest.mn | 26 + .../lib/ckfw/builtins/testlib/nssckbi-testlib.def | 26 + .../lib/ckfw/builtins/testlib/nssckbi-testlib.rc | 52 + .../builtins/testlib/testcert_err_distrust.txt | 50 + .../ckfw/builtins/testlib/testcert_no_distrust.txt | 50 + .../ckfw/builtins/testlib/testcert_ok_distrust.txt | 50 + 30 files changed, 27900 insertions(+) create mode 100644 security/nss/lib/ckfw/builtins/Makefile create mode 100644 security/nss/lib/ckfw/builtins/README create mode 100644 security/nss/lib/ckfw/builtins/anchor.c create mode 100644 security/nss/lib/ckfw/builtins/bfind.c create mode 100644 security/nss/lib/ckfw/builtins/binst.c create mode 100644 security/nss/lib/ckfw/builtins/bobject.c create mode 100644 security/nss/lib/ckfw/builtins/bsession.c create mode 100644 security/nss/lib/ckfw/builtins/bslot.c create mode 100644 security/nss/lib/ckfw/builtins/btoken.c create mode 100644 security/nss/lib/ckfw/builtins/builtins.gyp create mode 100644 security/nss/lib/ckfw/builtins/builtins.h create mode 100644 security/nss/lib/ckfw/builtins/certdata.perl create mode 100755 security/nss/lib/ckfw/builtins/certdata.py create mode 100644 security/nss/lib/ckfw/builtins/certdata.txt create mode 100644 security/nss/lib/ckfw/builtins/ckbiver.c create mode 100644 security/nss/lib/ckfw/builtins/constants.c create mode 100644 security/nss/lib/ckfw/builtins/exports.gyp create mode 100644 security/nss/lib/ckfw/builtins/manifest.mn create mode 100644 security/nss/lib/ckfw/builtins/nssckbi.def create mode 100644 security/nss/lib/ckfw/builtins/nssckbi.h create mode 100644 security/nss/lib/ckfw/builtins/nssckbi.rc create mode 100644 security/nss/lib/ckfw/builtins/testlib/Makefile create mode 100644 security/nss/lib/ckfw/builtins/testlib/builtins-testlib.gyp create mode 100644 security/nss/lib/ckfw/builtins/testlib/certdata-testlib.txt create mode 100644 security/nss/lib/ckfw/builtins/testlib/manifest.mn create mode 100644 security/nss/lib/ckfw/builtins/testlib/nssckbi-testlib.def create mode 100644 security/nss/lib/ckfw/builtins/testlib/nssckbi-testlib.rc create mode 100644 security/nss/lib/ckfw/builtins/testlib/testcert_err_distrust.txt create mode 100644 security/nss/lib/ckfw/builtins/testlib/testcert_no_distrust.txt create mode 100644 security/nss/lib/ckfw/builtins/testlib/testcert_ok_distrust.txt (limited to 'security/nss/lib/ckfw/builtins') diff --git a/security/nss/lib/ckfw/builtins/Makefile b/security/nss/lib/ckfw/builtins/Makefile new file mode 100644 index 0000000000..2a633d2892 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/Makefile @@ -0,0 +1,70 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +include manifest.mn +include $(CORE_DEPTH)/coreconf/config.mk + +ifdef BUILD_IDG +DEFINES += -DNSSDEBUG +endif + +# Needed for compilation of $(OBJDIR)/certdata.c +INCLUDES += -I. + +# +# To create a loadable module on Darwin, we must use -bundle. +# +ifeq ($(OS_TARGET),Darwin) +DSO_LDOPTS = -bundle +endif + +ifdef USE_GCOV +DSO_LDOPTS += --coverage +endif + +EXTRA_LIBS = \ + $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ + $(NULL) + +# can't do this in manifest.mn because OS_TARGET isn't defined there. +ifeq (,$(filter-out WIN%,$(OS_TARGET))) + +ifdef NS_USE_GCC +EXTRA_SHARED_LIBS += \ + -L$(NSPR_LIB_DIR) \ + -lplc4 \ + -lplds4 \ + -lnspr4 \ + $(NULL) +else +EXTRA_SHARED_LIBS += \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \ + $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \ + $(NULL) +endif # NS_USE_GCC +else + +EXTRA_SHARED_LIBS += \ + -L$(NSPR_LIB_DIR) \ + -lplc4 \ + -lplds4 \ + -lnspr4 \ + $(NULL) +endif + + +include $(CORE_DEPTH)/coreconf/rules.mk + +# Generate certdata.c. + +# By default, use the unmodified certdata.txt. +ifndef NSS_CERTDATA_TXT +NSS_CERTDATA_TXT = certdata.txt +endif + +$(OBJDIR)/certdata.c: $(NSS_CERTDATA_TXT) certdata.perl | $$(@D)/d + $(PERL) certdata.perl $(NSS_CERTDATA_TXT) $@ diff --git a/security/nss/lib/ckfw/builtins/README b/security/nss/lib/ckfw/builtins/README new file mode 100644 index 0000000000..11f5c2c9a7 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/README @@ -0,0 +1,106 @@ +This README file explains how to add a builtin root CA certificate to NSS +or remove a builtin root CA certificate from NSS. + +The builtin root CA certificates in NSS are stored in the nssckbi PKCS #11 +module. The sources to the nssckbi module are in this directory. + +I. Adding a Builtin Root CA Certificate + +You need to use the addbuiltin command-line tool to add a root CA certificate +to the nssckbi module. In the procedure described below, we assume that the +new root CA certificate is distributed in DER format in the file newroot.der. + +1. Add the directory where the addbuiltin executable resides to your PATH +environment variable. Then, add the directory where the NSPR and NSS shared +libraries (DLLs) reside to the platform-specific environment variable that +specifies your shared library search path: LD_LIBRARY_PATH (most Unix +variants), SHLIB_PATH (32-bit HP-UX), LIBPATH (AIX), or PATH (Windows). + +2. Copy newroot.der to this directory. + +3. In this directory, run addbuiltin to add the new root certificate. The +argument to the -n option should be replaced by the nickname of the root +certificate. + + % addbuiltin -n "Nickname of the Root Certificate" -t C,C,C < newroot.der \ + >> certdata.txt + +4. Edit nssckbi.h to bump the version of the module. + +5. Run gmake in this directory to build the nssckbi module. + +6. After you verify that the new nssckbi module is correct, check in +certdata.txt and nssckbi.h. + +II. Removing a Builtin Root CA Certificate + +1. Change directory to this directory. + +2. Edit certdata.txt and remove the root CA certificate. + +3. Edit nssckbi.h to bump the version of the module. + +4. Run gmake in this directory to build the nssckbi module. + +5. After you verify that the new nssckbi module is correct, check in +certdata.txt and nssckbi.h. + +III. Scheduling a Distrust date for Server/TLS or Email certificates issued +by a CA + +For each Builtin Root CA Certificate we have the Trust Bits to know what kind +of certificates issued by this CA are trusted: Server/TLS, E-mail or S/MIME. +Sometimes a CA discontinues support for a particular kind of certificate, +but will still issue other kinds. For instance, they might cease support for +email certificates but continue to provide server certificates. In this +scenario, we have to disable the Trust Bit for this kind of certificate when +the last issued certificate expires. +Between the last expired certificate date and the change and propagation of +this respective Trust Bit, could have a undesired gap. + +So, in these situations we can set a Distrust Date for this Builtin Root CA +Certificate. Clients should check the distrust date in certificates to avoid +trusting a CA for service they have ceased to support. + +A distrust date is a timestamp in unix epoch, encoded in DER format and saved +in certdata.txt. These fields are defined at the "Certificate" entries of +certdata.txt, in a MULTILINE_OCTAL format. By default, for readability purpose, +these fields are set as a boolean CK_FALSE and will be ignored when read. + +1. Create the timestamp for the desired distrust date. An easy and practical way +to do this is using the date command. + % date -d "2019-07-01 00:00:00 UTC" +%s + The result should be something like: 1561939200 + +2. Then, run the addbuiltin -d to verify the timestamp and do the right +conversions. + The -d option takes the timestamp as an argument, which is interpreted as + seconds since unix epoch. The addbuiltin command will show the result in the + stdout, as it should be inserted in certdata.txt. + % addbuiltin -d 1561939200 + The result should be something like this: + + The timestamp represents this date: Mon Jul 01 00:00:00 2019 + Locate the entry of the desired certificate in certdata.txt + Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE + And override with the following respective entry: + + # For Server Distrust After: Mon Jul 01 00:00:00 2019 + CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL + \061\071\060\067\060\061\060\060\060\060\060\060\132 + END + # For Email Distrust After: Mon Jul 01 00:00:00 2019 + CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL + \061\071\060\067\060\061\060\060\060\060\060\060\132 + END + +3. Edit the certdata.txt, overriding the desired entry for the desired CA, as +the instructions generated by the previous command. + +4. If necessary, increment the version counter +NSS_BUILTINS_LIBRARY_VERSION_MINOR in nssckbi.h. + +5. Build the nssckbi module. + +6. A good way to test is with certutil: + % certutil -L -d $DBDIR -n "Builtin Object Token:" diff --git a/security/nss/lib/ckfw/builtins/anchor.c b/security/nss/lib/ckfw/builtins/anchor.c new file mode 100644 index 0000000000..af21c6a0bf --- /dev/null +++ b/security/nss/lib/ckfw/builtins/anchor.c @@ -0,0 +1,17 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * builtins/anchor.c + * + * This file "anchors" the actual cryptoki entry points in this module's + * shared library, which is required for dynamic loading. See the + * comments in nssck.api for more information. + */ + +#include "builtins.h" + +#define MODULE_NAME builtins +#define INSTANCE_NAME (NSSCKMDInstance *)&nss_builtins_mdInstance +#include "nssck.api" diff --git a/security/nss/lib/ckfw/builtins/bfind.c b/security/nss/lib/ckfw/builtins/bfind.c new file mode 100644 index 0000000000..3e5da1a558 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/bfind.c @@ -0,0 +1,261 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef BUILTINS_H +#include "builtins.h" +#endif /* BUILTINS_H */ + +/* + * builtins/find.c + * + * This file implements the NSSCKMDFindObjects object for the + * "builtin objects" cryptoki module. + */ + +struct builtinsFOStr { + NSSArena *arena; + CK_ULONG n; + CK_ULONG i; + builtinsInternalObject **objs; +}; + +static void +builtins_mdFindObjects_Final( + NSSCKMDFindObjects *mdFindObjects, + NSSCKFWFindObjects *fwFindObjects, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc; + NSSArena *arena = fo->arena; + + nss_ZFreeIf(fo->objs); + nss_ZFreeIf(fo); + nss_ZFreeIf(mdFindObjects); + if ((NSSArena *)NULL != arena) { + NSSArena_Destroy(arena); + } + + return; +} + +static NSSCKMDObject * +builtins_mdFindObjects_Next( + NSSCKMDFindObjects *mdFindObjects, + NSSCKFWFindObjects *fwFindObjects, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSArena *arena, + CK_RV *pError) +{ + struct builtinsFOStr *fo = (struct builtinsFOStr *)mdFindObjects->etc; + builtinsInternalObject *io; + + if (fo->i == fo->n) { + *pError = CKR_OK; + return (NSSCKMDObject *)NULL; + } + + io = fo->objs[fo->i]; + fo->i++; + + return nss_builtins_CreateMDObject(arena, io, pError); +} + +static int +builtins_derUnwrapInt(unsigned char *src, int size, unsigned char **dest) +{ + unsigned char *start = src; + int len = 0; + + if (*src++ != 2) { + return 0; + } + len = *src++; + if (len & 0x80) { + int count = len & 0x7f; + len = 0; + + if (count + 2 > size) { + return 0; + } + while (count-- > 0) { + len = (len << 8) | *src++; + } + } + if (len + (src - start) != size) { + return 0; + } + *dest = src; + return len; +} + +static CK_BBOOL +builtins_attrmatch( + CK_ATTRIBUTE_PTR a, + const NSSItem *b) +{ + PRBool prb; + + if (a->ulValueLen != b->size) { + /* match a decoded serial number */ + if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) { + int len; + unsigned char *data = NULL; + + len = builtins_derUnwrapInt(b->data, b->size, &data); + if (data && + (len == a->ulValueLen) && + nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) { + return CK_TRUE; + } + } + return CK_FALSE; + } + + prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL); + + if (PR_TRUE == prb) { + return CK_TRUE; + } else { + return CK_FALSE; + } +} + +static CK_BBOOL +builtins_match( + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + builtinsInternalObject *o) +{ + CK_ULONG i; + + for (i = 0; i < ulAttributeCount; i++) { + CK_ULONG j; + + for (j = 0; j < o->n; j++) { + if (o->types[j] == pTemplate[i].type) { + if (CK_FALSE == builtins_attrmatch(&pTemplate[i], &o->items[j])) { + return CK_FALSE; + } else { + break; + } + } + } + + if (j == o->n) { + /* Loop ran to the end: no matching attribute */ + return CK_FALSE; + } + } + + /* Every attribute passed */ + return CK_TRUE; +} + +NSS_IMPLEMENT NSSCKMDFindObjects * +nss_builtins_FindObjectsInit( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError) +{ + /* This could be made more efficient. I'm rather rushed. */ + NSSArena *arena; + NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL; + struct builtinsFOStr *fo = (struct builtinsFOStr *)NULL; + +/* + * 99% of the time we get 0 or 1 matches. So we start with a small + * stack-allocated array to hold the matches and switch to a heap-allocated + * array later if the number of matches exceeds STACK_BUF_LENGTH. + */ +#define STACK_BUF_LENGTH 1 + builtinsInternalObject *stackTemp[STACK_BUF_LENGTH]; + builtinsInternalObject **temp = stackTemp; + PRBool tempIsHeapAllocated = PR_FALSE; + PRUint32 i; + + arena = NSSArena_Create(); + if ((NSSArena *)NULL == arena) { + goto loser; + } + + rv = nss_ZNEW(arena, NSSCKMDFindObjects); + if ((NSSCKMDFindObjects *)NULL == rv) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + + fo = nss_ZNEW(arena, struct builtinsFOStr); + if ((struct builtinsFOStr *)NULL == fo) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + + fo->arena = arena; + /* fo->n and fo->i are already zero */ + + rv->etc = (void *)fo; + rv->Final = builtins_mdFindObjects_Final; + rv->Next = builtins_mdFindObjects_Next; + rv->null = (void *)NULL; + + for (i = 0; i < nss_builtins_nObjects; i++) { + builtinsInternalObject *o = (builtinsInternalObject *)&nss_builtins_data[i]; + + if (CK_TRUE == builtins_match(pTemplate, ulAttributeCount, o)) { + if (fo->n == STACK_BUF_LENGTH) { + /* Switch from the small stack array to a heap-allocated array large + * enough to handle matches in all remaining cases. */ + temp = nss_ZNEWARRAY((NSSArena *)NULL, builtinsInternalObject *, + fo->n + nss_builtins_nObjects - i); + if ((builtinsInternalObject **)NULL == temp) { + *pError = + CKR_HOST_MEMORY; + goto loser; + } + tempIsHeapAllocated = PR_TRUE; + (void)nsslibc_memcpy(temp, stackTemp, + sizeof(builtinsInternalObject *) * fo->n); + } + + temp[fo->n] = o; + fo->n++; + } + } + + fo->objs = nss_ZNEWARRAY(arena, builtinsInternalObject *, fo->n); + if ((builtinsInternalObject **)NULL == fo->objs) { + *pError = CKR_HOST_MEMORY; + goto loser; + } + + (void)nsslibc_memcpy(fo->objs, temp, sizeof(builtinsInternalObject *) * fo->n); + if (tempIsHeapAllocated) { + nss_ZFreeIf(temp); + temp = (builtinsInternalObject **)NULL; + } + + return rv; + +loser: + if (tempIsHeapAllocated) { + nss_ZFreeIf(temp); + } + nss_ZFreeIf(fo); + nss_ZFreeIf(rv); + if ((NSSArena *)NULL != arena) { + NSSArena_Destroy(arena); + } + return (NSSCKMDFindObjects *)NULL; +} diff --git a/security/nss/lib/ckfw/builtins/binst.c b/security/nss/lib/ckfw/builtins/binst.c new file mode 100644 index 0000000000..ca1dac89cd --- /dev/null +++ b/security/nss/lib/ckfw/builtins/binst.c @@ -0,0 +1,87 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "builtins.h" + +/* + * builtins/instance.c + * + * This file implements the NSSCKMDInstance object for the + * "builtin objects" cryptoki module. + */ + +/* + * NSSCKMDInstance methods + */ + +static CK_ULONG +builtins_mdInstance_GetNSlots( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (CK_ULONG)1; +} + +static CK_VERSION +builtins_mdInstance_GetCryptokiVersion( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return nss_builtins_CryptokiVersion; +} + +static NSSUTF8 * +builtins_mdInstance_GetManufacturerID( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_ManufacturerID; +} + +static NSSUTF8 * +builtins_mdInstance_GetLibraryDescription( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_LibraryDescription; +} + +static CK_VERSION +builtins_mdInstance_GetLibraryVersion( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ +#define NSS_VERSION_VARIABLE __nss_builtins_version +#include "verref.h" + return nss_builtins_LibraryVersion; +} + +static CK_RV +builtins_mdInstance_GetSlots( + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSCKMDSlot *slots[]) +{ + slots[0] = (NSSCKMDSlot *)&nss_builtins_mdSlot; + return CKR_OK; +} + +const NSSCKMDInstance + nss_builtins_mdInstance = { + (void *)NULL, /* etc */ + NULL, /* Initialize */ + NULL, /* Finalize */ + builtins_mdInstance_GetNSlots, + builtins_mdInstance_GetCryptokiVersion, + builtins_mdInstance_GetManufacturerID, + builtins_mdInstance_GetLibraryDescription, + builtins_mdInstance_GetLibraryVersion, + NULL, /* ModuleHandlesSessionObjects -- defaults to false */ + builtins_mdInstance_GetSlots, + NULL, /* WaitForSlotEvent */ + (void *)NULL /* null terminator */ + }; diff --git a/security/nss/lib/ckfw/builtins/bobject.c b/security/nss/lib/ckfw/builtins/bobject.c new file mode 100644 index 0000000000..1c0babdd66 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/bobject.c @@ -0,0 +1,206 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "builtins.h" + +/* + * builtins/object.c + * + * This file implements the NSSCKMDObject object for the + * "builtin objects" cryptoki module. + */ + +/* + * Finalize - unneeded + * Destroy - CKR_SESSION_READ_ONLY + * IsTokenObject - CK_TRUE + * GetAttributeCount + * GetAttributeTypes + * GetAttributeSize + * GetAttribute + * SetAttribute - unneeded + * GetObjectSize + */ + +static CK_RV +builtins_mdObject_Destroy( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return CKR_SESSION_READ_ONLY; +} + +static CK_BBOOL +builtins_mdObject_IsTokenObject( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return CK_TRUE; +} + +static CK_ULONG +builtins_mdObject_GetAttributeCount( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc; + return io->n; +} + +static CK_RV +builtins_mdObject_GetAttributeTypes( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_TYPE_PTR typeArray, + CK_ULONG ulCount) +{ + builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc; + CK_ULONG i; + + if (io->n != ulCount) { + return CKR_BUFFER_TOO_SMALL; + } + + for (i = 0; i < io->n; i++) { + typeArray[i] = io->types[i]; + } + + return CKR_OK; +} + +static CK_ULONG +builtins_mdObject_GetAttributeSize( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_TYPE attribute, + CK_RV *pError) +{ + builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc; + CK_ULONG i; + + for (i = 0; i < io->n; i++) { + if (attribute == io->types[i]) { + return (CK_ULONG)(io->items[i].size); + } + } + + *pError = CKR_ATTRIBUTE_TYPE_INVALID; + return 0; +} + +static NSSCKFWItem +builtins_mdObject_GetAttribute( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_TYPE attribute, + CK_RV *pError) +{ + NSSCKFWItem mdItem; + builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc; + CK_ULONG i; + + mdItem.needsFreeing = PR_FALSE; + mdItem.item = (NSSItem *)NULL; + + for (i = 0; i < io->n; i++) { + if (attribute == io->types[i]) { + mdItem.item = (NSSItem *)&io->items[i]; + return mdItem; + } + } + + *pError = CKR_ATTRIBUTE_TYPE_INVALID; + return mdItem; +} + +static CK_ULONG +builtins_mdObject_GetObjectSize( + NSSCKMDObject *mdObject, + NSSCKFWObject *fwObject, + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + builtinsInternalObject *io = (builtinsInternalObject *)mdObject->etc; + CK_ULONG i; + CK_ULONG rv = sizeof(CK_ULONG); + + for (i = 0; i < io->n; i++) { + rv += sizeof(CK_ATTRIBUTE_TYPE) + sizeof(NSSItem) + io->items[i].size; + } + + return rv; +} + +static const NSSCKMDObject + builtins_prototype_mdObject = { + (void *)NULL, /* etc */ + NULL, /* Finalize */ + builtins_mdObject_Destroy, + builtins_mdObject_IsTokenObject, + builtins_mdObject_GetAttributeCount, + builtins_mdObject_GetAttributeTypes, + builtins_mdObject_GetAttributeSize, + builtins_mdObject_GetAttribute, + NULL, /* FreeAttribute */ + NULL, /* SetAttribute */ + builtins_mdObject_GetObjectSize, + (void *)NULL /* null terminator */ + }; + +NSS_IMPLEMENT NSSCKMDObject * +nss_builtins_CreateMDObject( + NSSArena *arena, + builtinsInternalObject *io, + CK_RV *pError) +{ + if ((void *)NULL == io->mdObject.etc) { + (void)nsslibc_memcpy(&io->mdObject, &builtins_prototype_mdObject, + sizeof(builtins_prototype_mdObject)); + io->mdObject.etc = (void *)io; + } + + return &io->mdObject; +} diff --git a/security/nss/lib/ckfw/builtins/bsession.c b/security/nss/lib/ckfw/builtins/bsession.c new file mode 100644 index 0000000000..6828a49aff --- /dev/null +++ b/security/nss/lib/ckfw/builtins/bsession.c @@ -0,0 +1,71 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "builtins.h" + +/* + * builtins/session.c + * + * This file implements the NSSCKMDSession object for the + * "builtin objects" cryptoki module. + */ + +static NSSCKMDFindObjects * +builtins_mdSession_FindObjectsInit( + NSSCKMDSession *mdSession, + NSSCKFWSession *fwSession, + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError) +{ + return nss_builtins_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError); +} + +NSS_IMPLEMENT NSSCKMDSession * +nss_builtins_CreateSession( + NSSCKFWSession *fwSession, + CK_RV *pError) +{ + NSSArena *arena; + NSSCKMDSession *rv; + + arena = NSSCKFWSession_GetArena(fwSession, pError); + if ((NSSArena *)NULL == arena) { + return (NSSCKMDSession *)NULL; + } + + rv = nss_ZNEW(arena, NSSCKMDSession); + if ((NSSCKMDSession *)NULL == rv) { + *pError = CKR_HOST_MEMORY; + return (NSSCKMDSession *)NULL; + } + + /* + * rv was zeroed when allocated, so we only + * need to set the non-zero members. + */ + + rv->etc = (void *)fwSession; + /* rv->Close */ + /* rv->GetDeviceError */ + /* rv->Login */ + /* rv->Logout */ + /* rv->InitPIN */ + /* rv->SetPIN */ + /* rv->GetOperationStateLen */ + /* rv->GetOperationState */ + /* rv->SetOperationState */ + /* rv->CreateObject */ + /* rv->CopyObject */ + rv->FindObjectsInit = builtins_mdSession_FindObjectsInit; + /* rv->SeedRandom */ + /* rv->GetRandom */ + /* rv->null */ + + return rv; +} diff --git a/security/nss/lib/ckfw/builtins/bslot.c b/security/nss/lib/ckfw/builtins/bslot.c new file mode 100644 index 0000000000..f2ef1efb92 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/bslot.c @@ -0,0 +1,81 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "builtins.h" + +/* + * builtins/slot.c + * + * This file implements the NSSCKMDSlot object for the + * "builtin objects" cryptoki module. + */ + +static NSSUTF8 * +builtins_mdSlot_GetSlotDescription( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_SlotDescription; +} + +static NSSUTF8 * +builtins_mdSlot_GetManufacturerID( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_ManufacturerID; +} + +static CK_VERSION +builtins_mdSlot_GetHardwareVersion( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return nss_builtins_HardwareVersion; +} + +static CK_VERSION +builtins_mdSlot_GetFirmwareVersion( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return nss_builtins_FirmwareVersion; +} + +static NSSCKMDToken * +builtins_mdSlot_GetToken( + NSSCKMDSlot *mdSlot, + NSSCKFWSlot *fwSlot, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSCKMDToken *)&nss_builtins_mdToken; +} + +const NSSCKMDSlot + nss_builtins_mdSlot = { + (void *)NULL, /* etc */ + NULL, /* Initialize */ + NULL, /* Destroy */ + builtins_mdSlot_GetSlotDescription, + builtins_mdSlot_GetManufacturerID, + NULL, /* GetTokenPresent -- defaults to true */ + NULL, /* GetRemovableDevice -- defaults to false */ + NULL, /* GetHardwareSlot -- defaults to false */ + builtins_mdSlot_GetHardwareVersion, + builtins_mdSlot_GetFirmwareVersion, + builtins_mdSlot_GetToken, + (void *)NULL /* null terminator */ + }; diff --git a/security/nss/lib/ckfw/builtins/btoken.c b/security/nss/lib/ckfw/builtins/btoken.c new file mode 100644 index 0000000000..ae1e1380bd --- /dev/null +++ b/security/nss/lib/ckfw/builtins/btoken.c @@ -0,0 +1,135 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "builtins.h" + +/* + * builtins/token.c + * + * This file implements the NSSCKMDToken object for the + * "builtin objects" cryptoki module. + */ + +static NSSUTF8 * +builtins_mdToken_GetLabel( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_TokenLabel; +} + +static NSSUTF8 * +builtins_mdToken_GetManufacturerID( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_ManufacturerID; +} + +static NSSUTF8 * +builtins_mdToken_GetModel( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_TokenModel; +} + +static NSSUTF8 * +builtins_mdToken_GetSerialNumber( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + CK_RV *pError) +{ + return (NSSUTF8 *)nss_builtins_TokenSerialNumber; +} + +static CK_BBOOL +builtins_mdToken_GetIsWriteProtected( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return CK_TRUE; +} + +static CK_VERSION +builtins_mdToken_GetHardwareVersion( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return nss_builtins_HardwareVersion; +} + +static CK_VERSION +builtins_mdToken_GetFirmwareVersion( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance) +{ + return nss_builtins_FirmwareVersion; +} + +static NSSCKMDSession * +builtins_mdToken_OpenSession( + NSSCKMDToken *mdToken, + NSSCKFWToken *fwToken, + NSSCKMDInstance *mdInstance, + NSSCKFWInstance *fwInstance, + NSSCKFWSession *fwSession, + CK_BBOOL rw, + CK_RV *pError) +{ + return nss_builtins_CreateSession(fwSession, pError); +} + +const NSSCKMDToken + nss_builtins_mdToken = { + (void *)NULL, /* etc */ + NULL, /* Setup */ + NULL, /* Invalidate */ + NULL, /* InitToken -- default errs */ + builtins_mdToken_GetLabel, + builtins_mdToken_GetManufacturerID, + builtins_mdToken_GetModel, + builtins_mdToken_GetSerialNumber, + NULL, /* GetHasRNG -- default is false */ + builtins_mdToken_GetIsWriteProtected, + NULL, /* GetLoginRequired -- default is false */ + NULL, /* GetUserPinInitialized -- default is false */ + NULL, /* GetRestoreKeyNotNeeded -- irrelevant */ + NULL, /* GetHasClockOnToken -- default is false */ + NULL, /* GetHasProtectedAuthenticationPath -- default is false */ + NULL, /* GetSupportsDualCryptoOperations -- default is false */ + NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetMaxPinLen -- irrelevant */ + NULL, /* GetMinPinLen -- irrelevant */ + NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */ + NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */ + builtins_mdToken_GetHardwareVersion, + builtins_mdToken_GetFirmwareVersion, + NULL, /* GetUTCTime -- no clock */ + builtins_mdToken_OpenSession, + NULL, /* GetMechanismCount -- default is zero */ + NULL, /* GetMechanismTypes -- irrelevant */ + NULL, /* GetMechanism -- irrelevant */ + (void *)NULL /* null terminator */ + }; diff --git a/security/nss/lib/ckfw/builtins/builtins.gyp b/security/nss/lib/ckfw/builtins/builtins.gyp new file mode 100644 index 0000000000..5f3c5e321c --- /dev/null +++ b/security/nss/lib/ckfw/builtins/builtins.gyp @@ -0,0 +1,63 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'nssckbi', + 'type': 'shared_library', + 'sources': [ + 'anchor.c', + 'bfind.c', + 'binst.c', + 'bobject.c', + 'bsession.c', + 'bslot.c', + 'btoken.c', + 'ckbiver.c', + 'constants.c', + '<(certdata_c)', + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/lib/ckfw/ckfw.gyp:nssckfw', + '<(DEPTH)/lib/base/base.gyp:nssb' + ], + 'actions': [ + { + 'msvs_cygwin_shell': 0, + 'action': [ + '<(python)', + 'certdata.py', + 'certdata.txt', + '<@(_outputs)', + ], + 'inputs': [ + 'certdata.py', + 'certdata.perl', + 'certdata.txt' + ], + 'outputs': [ + '<(certdata_c)' + ], + 'action_name': 'generate_certdata_c' + } + ], + 'variables': { + 'mapfile': 'nssckbi.def', + 'certdata_c': '<(INTERMEDIATE_DIR)/certdata.c', + } + } + ], + 'target_defaults': { + 'include_dirs': [ + '.' + ] + }, + 'variables': { + 'module': 'nss', + } +} diff --git a/security/nss/lib/ckfw/builtins/builtins.h b/security/nss/lib/ckfw/builtins/builtins.h new file mode 100644 index 0000000000..a1693c29ca --- /dev/null +++ b/security/nss/lib/ckfw/builtins/builtins.h @@ -0,0 +1,66 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nssckmdt.h" +#include "nssckfw.h" + +/* + * I'm including this for access to the arena functions. + * Looks like we should publish that API. + */ +#ifndef BASE_H +#include "base.h" +#endif /* BASE_H */ + +/* + * This is where the Netscape extensions live, at least for now. + */ +#ifndef CKT_H +#include "ckt.h" +#endif /* CKT_H */ + +struct builtinsInternalObjectStr { + CK_ULONG n; + const CK_ATTRIBUTE_TYPE *types; + const NSSItem *items; + NSSCKMDObject mdObject; +}; +typedef struct builtinsInternalObjectStr builtinsInternalObject; + +extern builtinsInternalObject nss_builtins_data[]; +extern const PRUint32 nss_builtins_nObjects; + +extern const CK_VERSION nss_builtins_CryptokiVersion; +extern const CK_VERSION nss_builtins_LibraryVersion; +extern const CK_VERSION nss_builtins_HardwareVersion; +extern const CK_VERSION nss_builtins_FirmwareVersion; + +extern const NSSUTF8 nss_builtins_ManufacturerID[]; +extern const NSSUTF8 nss_builtins_LibraryDescription[]; +extern const NSSUTF8 nss_builtins_SlotDescription[]; +extern const NSSUTF8 nss_builtins_TokenLabel[]; +extern const NSSUTF8 nss_builtins_TokenModel[]; +extern const NSSUTF8 nss_builtins_TokenSerialNumber[]; + +extern const NSSCKMDInstance nss_builtins_mdInstance; +extern const NSSCKMDSlot nss_builtins_mdSlot; +extern const NSSCKMDToken nss_builtins_mdToken; + +NSS_EXTERN NSSCKMDSession * +nss_builtins_CreateSession( + NSSCKFWSession *fwSession, + CK_RV *pError); + +NSS_EXTERN NSSCKMDFindObjects * +nss_builtins_FindObjectsInit( + NSSCKFWSession *fwSession, + CK_ATTRIBUTE_PTR pTemplate, + CK_ULONG ulAttributeCount, + CK_RV *pError); + +NSS_EXTERN NSSCKMDObject * +nss_builtins_CreateMDObject( + NSSArena *arena, + builtinsInternalObject *io, + CK_RV *pError); diff --git a/security/nss/lib/ckfw/builtins/certdata.perl b/security/nss/lib/ckfw/builtins/certdata.perl new file mode 100644 index 0000000000..502dfb0c5b --- /dev/null +++ b/security/nss/lib/ckfw/builtins/certdata.perl @@ -0,0 +1,192 @@ +#!perl -w +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +use strict; + +my %constants; +my $count = 0; +my $o; +my @objects = (); +my @objsize; + +$constants{CK_TRUE} = "static const CK_BBOOL ck_true = CK_TRUE;\n"; +$constants{CK_FALSE} = "static const CK_BBOOL ck_false = CK_FALSE;\n"; + +if( scalar @ARGV == 0 ) { + print STDERR "Usage: $0 [output-file]\n"; + exit 1; +} + +open(STDIN, '<', $ARGV[0]) + or die "Could not open input file '$ARGV[0]' $!"; +if( scalar @ARGV > 1 ) { + open(STDOUT, '>', $ARGV[1]) + or die "Could not open output file '$ARGV[1]' $!"; +} + +while(<>) { + my @fields = (); + my $size; + + s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/; + next if (/^\s*$/); + + # This was taken from the perl faq #4. + my $text = $_; + push(@fields, $+) while $text =~ m{ + "([^\"\\]*(?:\\.[^\"\\]*)*)"\s? # groups the phrase inside the quotes + | ([^\s]+)\s? + | \s + }gx; + push(@fields, undef) if substr($text,-1,1) eq '\s'; + + if( $fields[0] =~ /BEGINDATA/ ) { + next; + } + + if( $fields[1] =~ /MULTILINE/ ) { + $fields[2] = ""; + while(<>) { + last if /END/; + chomp; + $fields[2] .= "\"$_\"\n"; + } + } + + if( $fields[1] =~ /UTF8/ ) { + if( $fields[2] =~ /^"/ ) { + ; + } else { + $fields[2] = "\"" . $fields[2] . "\""; + } + + my $scratch = eval($fields[2]); + + $size = length($scratch) + 1; # null terminate + } + + if( $fields[1] =~ /OCTAL/ ) { + if( $fields[2] =~ /^"/ ) { + ; + } else { + $fields[2] = "\"" . $fields[2] . "\""; + } + + my $scratch = $fields[2]; + $size = $scratch =~ tr/\\//; + # no null termination + } + + if( $fields[1] =~ /^CK_/ ) { + my $lcv = $fields[2]; + $lcv =~ tr/A-Z/a-z/; + if( !defined($constants{$fields[2]}) ) { + $constants{$fields[2]} = "static const $fields[1] $lcv = $fields[2];\n"; + } + + $size = "sizeof($fields[1])"; + $fields[2] = "&$lcv"; + } + + if( $fields[0] =~ /CKA_CLASS/ ) { + $count++; + $objsize[$count] = 0; + } + + @{$objects[$count][$objsize[$count]++]} = ( "$fields[0]", $fields[2], "$size" ); + + # print "$fields[0] | $fields[1] | $size | $fields[2]\n"; +} + +doprint(); + +sub dudump { +my $i; +for( $i = 1; $i <= $count; $i++ ) { + print "\n"; + $o = $objects[$i]; + my @ob = @{$o}; + my $l; + my $j; + for( $j = 0; $j < @ob; $j++ ) { + $l = $ob[$j]; + my @a = @{$l}; + print "$a[0] ! $a[1] ! $a[2]\n"; + } +} + +} + +sub doprint { +my $i; + +print <