From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- security/nss/lib/pk11wrap/pk11skey.c | 3297 ++++++++++++++++++++++++++++++++++ 1 file changed, 3297 insertions(+) create mode 100644 security/nss/lib/pk11wrap/pk11skey.c (limited to 'security/nss/lib/pk11wrap/pk11skey.c') diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c new file mode 100644 index 0000000000..f09519ee27 --- /dev/null +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -0,0 +1,3297 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file implements the Symkey wrapper and the PKCS context + * Interfaces. + */ + +#include +#include + +#include "seccomon.h" +#include "secmod.h" +#include "nssilock.h" +#include "secmodi.h" +#include "secmodti.h" +#include "pkcs11.h" +#include "pk11func.h" +#include "secitem.h" +#include "secoid.h" +#include "secerr.h" +#include "hasht.h" + +static ECPointEncoding pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey); + +static void +pk11_EnterKeyMonitor(PK11SymKey *symKey) +{ + if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) + PK11_EnterSlotMonitor(symKey->slot); +} + +static void +pk11_ExitKeyMonitor(PK11SymKey *symKey) +{ + if (!symKey->sessionOwner || !(symKey->slot->isThreadSafe)) + PK11_ExitSlotMonitor(symKey->slot); +} + +/* + * pk11_getKeyFromList returns a symKey that has a session (if needSession + * was specified), or explicitly does not have a session (if needSession + * was not specified). + */ +static PK11SymKey * +pk11_getKeyFromList(PK11SlotInfo *slot, PRBool needSession) +{ + PK11SymKey *symKey = NULL; + + PZ_Lock(slot->freeListLock); + /* own session list are symkeys with sessions that the symkey owns. + * 'most' symkeys will own their own session. */ + if (needSession) { + if (slot->freeSymKeysWithSessionHead) { + symKey = slot->freeSymKeysWithSessionHead; + slot->freeSymKeysWithSessionHead = symKey->next; + slot->keyCount--; + } + } + /* if we don't need a symkey with its own session, or we couldn't find + * one on the owner list, get one from the non-owner free list. */ + if (!symKey) { + if (slot->freeSymKeysHead) { + symKey = slot->freeSymKeysHead; + slot->freeSymKeysHead = symKey->next; + slot->keyCount--; + } + } + PZ_Unlock(slot->freeListLock); + if (symKey) { + symKey->next = NULL; + if (!needSession) { + return symKey; + } + /* if we are getting an owner key, make sure we have a valid session. + * session could be invalid if the token has been removed or because + * we got it from the non-owner free list */ + if ((symKey->series != slot->series) || + (symKey->session == CK_INVALID_HANDLE)) { + symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner); + } + PORT_Assert(symKey->session != CK_INVALID_HANDLE); + if (symKey->session != CK_INVALID_HANDLE) + return symKey; + PK11_FreeSymKey(symKey); + /* if we are here, we need a session, but couldn't get one, it's + * unlikely we pk11_GetNewSession will succeed if we call it a second + * time. */ + return NULL; + } + + symKey = PORT_New(PK11SymKey); + if (symKey == NULL) { + return NULL; + } + + symKey->next = NULL; + if (needSession) { + symKey->session = pk11_GetNewSession(slot, &symKey->sessionOwner); + PORT_Assert(symKey->session != CK_INVALID_HANDLE); + if (symKey->session == CK_INVALID_HANDLE) { + PK11_FreeSymKey(symKey); + symKey = NULL; + } + } else { + symKey->session = CK_INVALID_HANDLE; + } + return symKey; +} + +/* Caller MUST hold slot->freeListLock (or ref count == 0?) !! */ +void +PK11_CleanKeyList(PK11SlotInfo *slot) +{ + PK11SymKey *symKey = NULL; + + while (slot->freeSymKeysWithSessionHead) { + symKey = slot->freeSymKeysWithSessionHead; + slot->freeSymKeysWithSessionHead = symKey->next; + pk11_CloseSession(slot, symKey->session, symKey->sessionOwner); + PORT_Free(symKey); + } + while (slot->freeSymKeysHead) { + symKey = slot->freeSymKeysHead; + slot->freeSymKeysHead = symKey->next; + pk11_CloseSession(slot, symKey->session, symKey->sessionOwner); + PORT_Free(symKey); + } + return; +} + +/* + * create a symetric key: + * Slot is the slot to create the key in. + * type is the mechanism type + * owner is does this symKey structure own it's object handle (rare + * that this is false). + * needSession means the returned symKey will return with a valid session + * allocated already. + */ +static PK11SymKey * +pk11_CreateSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + PRBool owner, PRBool needSession, void *wincx) +{ + + PK11SymKey *symKey = pk11_getKeyFromList(slot, needSession); + + if (symKey == NULL) { + return NULL; + } + /* if needSession was specified, make sure we have a valid session. + * callers which specify needSession as false should do their own + * check of the session before returning the symKey */ + if (needSession && symKey->session == CK_INVALID_HANDLE) { + PK11_FreeSymKey(symKey); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + + symKey->type = type; + symKey->data.type = siBuffer; + symKey->data.data = NULL; + symKey->data.len = 0; + symKey->owner = owner; + symKey->objectID = CK_INVALID_HANDLE; + symKey->slot = slot; + symKey->series = slot->series; + symKey->cx = wincx; + symKey->size = 0; + symKey->refCount = 1; + symKey->origin = PK11_OriginNULL; + symKey->parent = NULL; + symKey->freeFunc = NULL; + symKey->userData = NULL; + PK11_ReferenceSlot(slot); + return symKey; +} + +/* + * destroy a symetric key + */ +void +PK11_FreeSymKey(PK11SymKey *symKey) +{ + PK11SlotInfo *slot; + PRBool freeit = PR_TRUE; + + if (!symKey) { + return; + } + + if (PR_ATOMIC_DECREMENT(&symKey->refCount) == 0) { + PK11SymKey *parent = symKey->parent; + + symKey->parent = NULL; + if ((symKey->owner) && symKey->objectID != CK_INVALID_HANDLE) { + pk11_EnterKeyMonitor(symKey); + (void)PK11_GETTAB(symKey->slot)->C_DestroyObject(symKey->session, symKey->objectID); + pk11_ExitKeyMonitor(symKey); + } + if (symKey->data.data) { + PORT_Memset(symKey->data.data, 0, symKey->data.len); + PORT_Free(symKey->data.data); + } + /* free any existing data */ + if (symKey->userData && symKey->freeFunc) { + (*symKey->freeFunc)(symKey->userData); + } + slot = symKey->slot; + PZ_Lock(slot->freeListLock); + if (slot->keyCount < slot->maxKeyCount) { + /* + * freeSymkeysWithSessionHead contain a list of reusable + * SymKey structures with valid sessions. + * sessionOwner must be true. + * session must be valid. + * freeSymKeysHead contain a list of SymKey structures without + * valid session. + * session must be CK_INVALID_HANDLE. + * though sessionOwner is false, callers should not depend on + * this fact. + */ + if (symKey->sessionOwner) { + PORT_Assert(symKey->session != CK_INVALID_HANDLE); + symKey->next = slot->freeSymKeysWithSessionHead; + slot->freeSymKeysWithSessionHead = symKey; + } else { + symKey->session = CK_INVALID_HANDLE; + symKey->next = slot->freeSymKeysHead; + slot->freeSymKeysHead = symKey; + } + slot->keyCount++; + symKey->slot = NULL; + freeit = PR_FALSE; + } + PZ_Unlock(slot->freeListLock); + if (freeit) { + pk11_CloseSession(symKey->slot, symKey->session, + symKey->sessionOwner); + PORT_Free(symKey); + } + PK11_FreeSlot(slot); + + if (parent) { + PK11_FreeSymKey(parent); + } + } +} + +PK11SymKey * +PK11_ReferenceSymKey(PK11SymKey *symKey) +{ + PR_ATOMIC_INCREMENT(&symKey->refCount); + return symKey; +} + +/* + * Accessors + */ +CK_MECHANISM_TYPE +PK11_GetMechanism(PK11SymKey *symKey) +{ + return symKey->type; +} + +/* + * return the slot associated with a symetric key + */ +PK11SlotInfo * +PK11_GetSlotFromKey(PK11SymKey *symKey) +{ + return PK11_ReferenceSlot(symKey->slot); +} + +CK_KEY_TYPE +PK11_GetSymKeyType(PK11SymKey *symKey) +{ + return PK11_GetKeyType(symKey->type, symKey->size); +} + +PK11SymKey * +PK11_GetNextSymKey(PK11SymKey *symKey) +{ + return symKey ? symKey->next : NULL; +} + +char * +PK11_GetSymKeyNickname(PK11SymKey *symKey) +{ + return PK11_GetObjectNickname(symKey->slot, symKey->objectID); +} + +SECStatus +PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname) +{ + return PK11_SetObjectNickname(symKey->slot, symKey->objectID, nickname); +} + +void * +PK11_GetSymKeyUserData(PK11SymKey *symKey) +{ + return symKey->userData; +} + +void +PK11_SetSymKeyUserData(PK11SymKey *symKey, void *userData, + PK11FreeDataFunc freeFunc) +{ + /* free any existing data */ + if (symKey->userData && symKey->freeFunc) { + (*symKey->freeFunc)(symKey->userData); + } + symKey->userData = userData; + symKey->freeFunc = freeFunc; + return; +} + +/* + * turn key handle into an appropriate key object + */ +PK11SymKey * +PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin, + CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, PRBool owner, void *wincx) +{ + PK11SymKey *symKey; + PRBool needSession = !(owner && parent); + + if (keyID == CK_INVALID_HANDLE) { + return NULL; + } + + symKey = pk11_CreateSymKey(slot, type, owner, needSession, wincx); + if (symKey == NULL) { + return NULL; + } + + symKey->objectID = keyID; + symKey->origin = origin; + + /* adopt the parent's session */ + /* This is only used by SSL. What we really want here is a session + * structure with a ref count so the session goes away only after all the + * keys do. */ + if (!needSession) { + symKey->sessionOwner = PR_FALSE; + symKey->session = parent->session; + symKey->parent = PK11_ReferenceSymKey(parent); + /* This is the only case where pk11_CreateSymKey does not explicitly + * check symKey->session. We need to assert here to make sure. + * the session isn't invalid. */ + PORT_Assert(parent->session != CK_INVALID_HANDLE); + if (parent->session == CK_INVALID_HANDLE) { + PK11_FreeSymKey(symKey); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return NULL; + } + } + + return symKey; +} + +/* + * Restore a symmetric wrapping key that was saved using PK11_SetWrapKey. + * + * This function is provided for ABI compatibility; see PK11_SetWrapKey below. + */ +PK11SymKey * +PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, CK_MECHANISM_TYPE type, + int series, void *wincx) +{ + PK11SymKey *symKey = NULL; + CK_OBJECT_HANDLE keyHandle; + + PK11_EnterSlotMonitor(slot); + if (slot->series != series || + slot->refKeys[wrap] == CK_INVALID_HANDLE) { + PK11_ExitSlotMonitor(slot); + return NULL; + } + + if (type == CKM_INVALID_MECHANISM) { + type = slot->wrapMechanism; + } + + keyHandle = slot->refKeys[wrap]; + PK11_ExitSlotMonitor(slot); + symKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, + slot->wrapMechanism, keyHandle, PR_FALSE, wincx); + return symKey; +} + +/* + * This function sets an attribute on the current slot with a wrapping key. The + * data saved is ephemeral; it needs to be run every time the program is + * invoked. + * + * Since NSS 3.45, this function is marginally more thread safe. It uses the + * slot lock (if present) and fails silently if a value is already set. Use + * PK11_GetWrapKey() after calling this function to get the current wrapping key + * in case there was an update on another thread. + * + * Either way, using this function is inadvisable. It's provided for ABI + * compatibility only. + */ +void +PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey) +{ + PK11_EnterSlotMonitor(slot); + if (wrap >= 0) { + size_t uwrap = (size_t)wrap; + if (uwrap < PR_ARRAY_SIZE(slot->refKeys) && + slot->refKeys[uwrap] == CK_INVALID_HANDLE) { + /* save the handle and mechanism for the wrapping key */ + /* mark the key and session as not owned by us so they don't get + * freed when the key goes way... that lets us reuse the key + * later */ + slot->refKeys[uwrap] = wrapKey->objectID; + wrapKey->owner = PR_FALSE; + wrapKey->sessionOwner = PR_FALSE; + slot->wrapMechanism = wrapKey->type; + } + } + PK11_ExitSlotMonitor(slot); +} + +/* + * figure out if a key is still valid or if it is stale. + */ +PRBool +PK11_VerifyKeyOK(PK11SymKey *key) +{ + if (!PK11_IsPresent(key->slot)) { + return PR_FALSE; + } + return (PRBool)(key->series == key->slot->series); +} + +static PK11SymKey * +pk11_ImportSymKeyWithTempl(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + PK11Origin origin, PRBool isToken, CK_ATTRIBUTE *keyTemplate, + unsigned int templateCount, SECItem *key, void *wincx) +{ + PK11SymKey *symKey; + SECStatus rv; + + symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx); + if (symKey == NULL) { + return NULL; + } + + symKey->size = key->len; + + PK11_SETATTRS(&keyTemplate[templateCount], CKA_VALUE, key->data, key->len); + templateCount++; + + if (SECITEM_CopyItem(NULL, &symKey->data, key) != SECSuccess) { + PK11_FreeSymKey(symKey); + return NULL; + } + + symKey->origin = origin; + + /* import the keys */ + rv = PK11_CreateNewObject(slot, symKey->session, keyTemplate, + templateCount, isToken, &symKey->objectID); + if (rv != SECSuccess) { + PK11_FreeSymKey(symKey); + return NULL; + } + + return symKey; +} + +/* + * turn key bits into an appropriate key object + */ +PK11SymKey * +PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx) +{ + PK11SymKey *symKey; + unsigned int templateCount = 0; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_BBOOL cktrue = CK_TRUE; /* sigh */ + CK_ATTRIBUTE keyTemplate[5]; + CK_ATTRIBUTE *attrs = keyTemplate; + + /* CKA_NSS_MESSAGE is a fake operation to distinguish between + * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set + * it as a real attribute */ + if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) { + /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT), + * etc. Strip out the real attribute here */ + operation &= ~CKA_NSS_MESSAGE_MASK; + } + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount + 1 <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(type, key->len); + symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, PR_FALSE, + keyTemplate, templateCount, key, wincx); + return symKey; +} +/* Import a PKCS #11 data object and return it as a key. This key is + * only useful in a limited number of mechanisms, such as HKDF. */ +PK11SymKey * +PK11_ImportDataKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, PK11Origin origin, + CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx) +{ + CK_OBJECT_CLASS ckoData = CKO_DATA; + CK_ATTRIBUTE template[2] = { { CKA_CLASS, (CK_BYTE_PTR)&ckoData, sizeof(ckoData) }, + { CKA_VALUE, (CK_BYTE_PTR)key->data, key->len } }; + CK_OBJECT_HANDLE handle; + PK11GenericObject *genObject; + + genObject = PK11_CreateGenericObject(slot, template, PR_ARRAY_SIZE(template), PR_FALSE); + if (genObject == NULL) { + return NULL; + } + handle = PK11_GetObjectHandle(PK11_TypeGeneric, genObject, NULL); + if (handle == CK_INVALID_HANDLE) { + return NULL; + } + /* A note about ownership of the PKCS #11 handle: + * PK11_CreateGenericObject() will not destroy the object it creates + * on Free, For that you want PK11_CreateManagedGenericObject(). + * Below we import the handle into the symKey structure. We pass + * PR_TRUE as the owner so that the symKey will destroy the object + * once it's freed. This is way it's safe to free now. */ + PK11_DestroyGenericObject(genObject); + return PK11_SymKeyFromHandle(slot, NULL, origin, type, handle, PR_TRUE, wincx); +} + +/* turn key bits into an appropriate key object */ +PK11SymKey * +PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, + CK_FLAGS flags, PRBool isPerm, void *wincx) +{ + PK11SymKey *symKey; + unsigned int templateCount = 0; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_BBOOL cktrue = CK_TRUE; /* sigh */ + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs = keyTemplate; + + /* CKA_NSS_MESSAGE is a fake operation to distinguish between + * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set + * it as a real attribute */ + if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) { + /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT), + * etc. Strip out the real attribute here */ + operation &= ~CKA_NSS_MESSAGE_MASK; + } + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + if (isPerm) { + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); + attrs++; + /* sigh some tokens think CKA_PRIVATE = false is a reasonable + * default for secret keys */ + PK11_SETATTRS(attrs, CKA_PRIVATE, &cktrue, sizeof(cktrue)); + attrs++; + } + attrs += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); + if ((operation != CKA_FLAGS_ONLY) && + !pk11_FindAttrInTemplate(keyTemplate, attrs - keyTemplate, operation)) { + PK11_SETATTRS(attrs, operation, &cktrue, sizeof(cktrue)); + attrs++; + } + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount + 1 <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(type, key->len); + symKey = pk11_ImportSymKeyWithTempl(slot, type, origin, isPerm, + keyTemplate, templateCount, key, wincx); + if (symKey && isPerm) { + symKey->owner = PR_FALSE; + } + return symKey; +} + +PK11SymKey * +PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *keyID, + void *wincx) +{ + CK_ATTRIBUTE findTemp[4]; + CK_ATTRIBUTE *attrs; + CK_BBOOL ckTrue = CK_TRUE; + CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; + size_t tsize = 0; + CK_OBJECT_HANDLE key_id; + + attrs = findTemp; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; + if (keyID) { + PK11_SETATTRS(attrs, CKA_ID, keyID->data, keyID->len); + attrs++; + } + tsize = attrs - findTemp; + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); + + key_id = pk11_FindObjectByTemplate(slot, findTemp, tsize); + if (key_id == CK_INVALID_HANDLE) { + return NULL; + } + return PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, type, key_id, + PR_FALSE, wincx); +} + +PK11SymKey * +PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, void *wincx) +{ + CK_ATTRIBUTE findTemp[4]; + CK_ATTRIBUTE *attrs; + CK_BBOOL ckTrue = CK_TRUE; + CK_OBJECT_CLASS keyclass = CKO_SECRET_KEY; + int tsize = 0; + int objCount = 0; + CK_OBJECT_HANDLE *key_ids; + PK11SymKey *nextKey = NULL; + PK11SymKey *topKey = NULL; + int i, len; + + attrs = findTemp; + PK11_SETATTRS(attrs, CKA_CLASS, &keyclass, sizeof(keyclass)); + attrs++; + PK11_SETATTRS(attrs, CKA_TOKEN, &ckTrue, sizeof(ckTrue)); + attrs++; + if (nickname) { + len = PORT_Strlen(nickname); + PK11_SETATTRS(attrs, CKA_LABEL, nickname, len); + attrs++; + } + tsize = attrs - findTemp; + PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); + + key_ids = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount); + if (key_ids == NULL) { + return NULL; + } + + for (i = 0; i < objCount; i++) { + SECItem typeData; + CK_KEY_TYPE type = CKK_GENERIC_SECRET; + SECStatus rv = PK11_ReadAttribute(slot, key_ids[i], + CKA_KEY_TYPE, NULL, &typeData); + if (rv == SECSuccess) { + if (typeData.len == sizeof(CK_KEY_TYPE)) { + type = *(CK_KEY_TYPE *)typeData.data; + } + PORT_Free(typeData.data); + } + nextKey = PK11_SymKeyFromHandle(slot, NULL, PK11_OriginDerive, + PK11_GetKeyMechanism(type), key_ids[i], PR_FALSE, wincx); + if (nextKey) { + nextKey->next = topKey; + topKey = nextKey; + } + } + PORT_Free(key_ids); + return topKey; +} + +void * +PK11_GetWindow(PK11SymKey *key) +{ + return key->cx; +} + +/* + * extract a symmetric key value. NOTE: if the key is sensitive, we will + * not be able to do this operation. This function is used to move + * keys from one token to another */ +SECStatus +PK11_ExtractKeyValue(PK11SymKey *symKey) +{ + SECStatus rv; + + if (symKey == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (symKey->data.data != NULL) { + if (symKey->size == 0) { + symKey->size = symKey->data.len; + } + return SECSuccess; + } + + if (symKey->slot == NULL) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + + rv = PK11_ReadAttribute(symKey->slot, symKey->objectID, CKA_VALUE, NULL, + &symKey->data); + if (rv == SECSuccess) { + symKey->size = symKey->data.len; + } + return rv; +} + +SECStatus +PK11_DeleteTokenSymKey(PK11SymKey *symKey) +{ + if (!PK11_IsPermObject(symKey->slot, symKey->objectID)) { + return SECFailure; + } + PK11_DestroyTokenObject(symKey->slot, symKey->objectID); + symKey->objectID = CK_INVALID_HANDLE; + return SECSuccess; +} + +SECItem * +PK11_GetKeyData(PK11SymKey *symKey) +{ + return &symKey->data; +} + +/* This symbol is exported for backward compatibility. */ +SECItem * +__PK11_GetKeyData(PK11SymKey *symKey) +{ + return PK11_GetKeyData(symKey); +} + +/* + * PKCS #11 key Types with predefined length + */ +unsigned int +pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType) +{ + int length = 0; + switch (keyType) { + case CKK_DES: + length = 8; + break; + case CKK_DES2: + length = 16; + break; + case CKK_DES3: + length = 24; + break; + case CKK_SKIPJACK: + length = 10; + break; + case CKK_BATON: + length = 20; + break; + case CKK_JUNIPER: + length = 20; + break; + default: + break; + } + return length; +} + +/* return the keylength if possible. '0' if not */ +unsigned int +PK11_GetKeyLength(PK11SymKey *key) +{ + CK_KEY_TYPE keyType; + + if (key->size != 0) + return key->size; + + /* First try to figure out the key length from its type */ + keyType = PK11_ReadULongAttribute(key->slot, key->objectID, CKA_KEY_TYPE); + key->size = pk11_GetPredefinedKeyLength(keyType); + if ((keyType == CKK_GENERIC_SECRET) && + (key->type == CKM_SSL3_PRE_MASTER_KEY_GEN)) { + key->size = 48; + } + + if (key->size != 0) + return key->size; + + if (key->data.data == NULL) { + PK11_ExtractKeyValue(key); + } + /* key is probably secret. Look up its length */ + /* this is new PKCS #11 version 2.0 functionality. */ + if (key->size == 0) { + CK_ULONG keyLength; + + keyLength = PK11_ReadULongAttribute(key->slot, key->objectID, CKA_VALUE_LEN); + if (keyLength != CK_UNAVAILABLE_INFORMATION) { + key->size = (unsigned int)keyLength; + } + } + + return key->size; +} + +/* return the strength of a key. This is different from length in that + * 1) it returns the size in bits, and 2) it returns only the secret portions + * of the key minus any checksums or parity. + */ +unsigned int +PK11_GetKeyStrength(PK11SymKey *key, SECAlgorithmID *algid) +{ + int size = 0; + CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM; /* RC2 only */ + SECItem *param = NULL; /* RC2 only */ + CK_RC2_CBC_PARAMS *rc2_params = NULL; /* RC2 ONLY */ + unsigned int effectiveBits = 0; /* RC2 ONLY */ + + switch (PK11_GetKeyType(key->type, 0)) { + case CKK_CDMF: + return 40; + case CKK_DES: + return 56; + case CKK_DES3: + case CKK_DES2: + size = PK11_GetKeyLength(key); + if (size == 16) { + /* double des */ + return 112; /* 16*7 */ + } + return 168; + /* + * RC2 has is different than other ciphers in that it allows the user + * to deprecating keysize while still requiring all the bits for the + * original key. The info + * on what the effective key strength is in the parameter for the key. + * In S/MIME this parameter is stored in the DER encoded algid. In Our + * other uses of RC2, effectiveBits == keyBits, so this code functions + * correctly without an algid. + */ + case CKK_RC2: + /* if no algid was provided, fall through to default */ + if (!algid) { + break; + } + /* verify that the algid is for RC2 */ + mechanism = PK11_AlgtagToMechanism(SECOID_GetAlgorithmTag(algid)); + if ((mechanism != CKM_RC2_CBC) && (mechanism != CKM_RC2_ECB)) { + break; + } + + /* now get effective bits from the algorithm ID. */ + param = PK11_ParamFromAlgid(algid); + /* if we couldn't get memory just use key length */ + if (param == NULL) { + break; + } + + rc2_params = (CK_RC2_CBC_PARAMS *)param->data; + /* paranoia... shouldn't happen */ + PORT_Assert(param->data != NULL); + if (param->data == NULL) { + SECITEM_FreeItem(param, PR_TRUE); + break; + } + effectiveBits = (unsigned int)rc2_params->ulEffectiveBits; + SECITEM_FreeItem(param, PR_TRUE); + param = NULL; + rc2_params = NULL; /* paranoia */ + + /* we have effective bits, is and allocated memory is free, now + * we need to return the smaller of effective bits and keysize */ + size = PK11_GetKeyLength(key); + if ((unsigned int)size * 8 > effectiveBits) { + return effectiveBits; + } + + return size * 8; /* the actual key is smaller, the strength can't be + * greater than the actual key size */ + + default: + break; + } + return PK11_GetKeyLength(key) * 8; +} + +/* + * The next three utilities are to deal with the fact that a given operation + * may be a multi-slot affair. This creates a new key object that is copied + * into the new slot. + */ +PK11SymKey * +pk11_CopyToSlotPerm(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, + PRBool isPerm, PK11SymKey *symKey) +{ + SECStatus rv; + PK11SymKey *newKey = NULL; + + /* Extract the raw key data if possible */ + if (symKey->data.data == NULL) { + rv = PK11_ExtractKeyValue(symKey); + /* KEY is sensitive, we're try key exchanging it. */ + if (rv != SECSuccess) { + return pk11_KeyExchange(slot, type, operation, + flags, isPerm, symKey); + } + } + + newKey = PK11_ImportSymKeyWithFlags(slot, type, symKey->origin, + operation, &symKey->data, flags, isPerm, symKey->cx); + if (newKey == NULL) { + newKey = pk11_KeyExchange(slot, type, operation, flags, isPerm, symKey); + } + return newKey; +} + +PK11SymKey * +pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey) +{ + return pk11_CopyToSlotPerm(slot, type, operation, 0, PR_FALSE, symKey); +} + +/* + * Make sure the slot we are in is the correct slot for the operation + * by verifying that it supports all of the specified mechanism types. + */ +PK11SymKey * +pk11_ForceSlotMultiple(PK11SymKey *symKey, CK_MECHANISM_TYPE *type, + int mechCount, CK_ATTRIBUTE_TYPE operation) +{ + PK11SlotInfo *slot = symKey->slot; + PK11SymKey *newKey = NULL; + PRBool needToCopy = PR_FALSE; + int i; + + if (slot == NULL) { + needToCopy = PR_TRUE; + } else { + i = 0; + while ((i < mechCount) && (needToCopy == PR_FALSE)) { + if (!PK11_DoesMechanism(slot, type[i])) { + needToCopy = PR_TRUE; + } + i++; + } + } + + if (needToCopy == PR_TRUE) { + slot = PK11_GetBestSlotMultiple(type, mechCount, symKey->cx); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; + } + newKey = pk11_CopyToSlot(slot, type[0], operation, symKey); + PK11_FreeSlot(slot); + } + return newKey; +} + +/* + * Make sure the slot we are in is the correct slot for the operation + */ +PK11SymKey * +pk11_ForceSlot(PK11SymKey *symKey, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation) +{ + return pk11_ForceSlotMultiple(symKey, &type, 1, operation); +} + +PK11SymKey * +PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation, + CK_FLAGS flags, PRBool perm, PK11SymKey *symKey) +{ + if (symKey->slot == slot) { + if (perm) { + return PK11_ConvertSessionSymKeyToTokenSymKey(symKey, symKey->cx); + } else { + return PK11_ReferenceSymKey(symKey); + } + } + + return pk11_CopyToSlotPerm(slot, symKey->type, + operation, flags, perm, symKey); +} + +/* + * Use the token to generate a key. + * + * keySize must be 'zero' for fixed key length algorithms. A nonzero + * keySize causes the CKA_VALUE_LEN attribute to be added to the template + * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN + * attribute for keys with fixed length. The exception is DES2. If you + * select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN + * parameter and use the key size to determine which underlying DES keygen + * function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN). + * + * keyType must be -1 for most algorithms. Some PBE algorthims cannot + * determine the correct key type from the mechanism or the parameters, + * so key type must be specified. Other PKCS #11 mechanisms may do so in + * the future. Currently there is no need to export this publically. + * Keep it private until there is a need in case we need to expand the + * keygen parameters again... + * + * CK_FLAGS flags: key operation flags + * PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags + */ +PK11SymKey * +pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *param, CK_KEY_TYPE keyType, int keySize, SECItem *keyid, + CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx) +{ + PK11SymKey *symKey; + CK_ATTRIBUTE genTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs = genTemplate; + int count = sizeof(genTemplate) / sizeof(genTemplate[0]); + CK_MECHANISM_TYPE keyGenType; + CK_BBOOL cktrue = CK_TRUE; + CK_BBOOL ckfalse = CK_FALSE; + CK_ULONG ck_key_size; /* only used for variable-length keys */ + + if (pk11_BadAttrFlags(attrFlags)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + if ((keySize != 0) && (type != CKM_DES3_CBC) && + (type != CKM_DES3_CBC_PAD) && (type != CKM_DES3_ECB)) { + ck_key_size = keySize; /* Convert to PK11 type */ + + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &ck_key_size, sizeof(ck_key_size)); + attrs++; + } + + if (keyType != -1) { + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(CK_KEY_TYPE)); + attrs++; + } + + /* Include key id value if provided */ + if (keyid) { + PK11_SETATTRS(attrs, CKA_ID, keyid->data, keyid->len); + attrs++; + } + + attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse); + attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue); + + count = attrs - genTemplate; + PR_ASSERT(count <= sizeof(genTemplate) / sizeof(CK_ATTRIBUTE)); + + keyGenType = PK11_GetKeyGenWithSize(type, keySize); + if (keyGenType == CKM_FAKE_RANDOM) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; + } + symKey = PK11_KeyGenWithTemplate(slot, type, keyGenType, + param, genTemplate, count, wincx); + if (symKey != NULL) { + symKey->size = keySize; + } + return symKey; +} + +/* + * Use the token to generate a key. - Public + * + * keySize must be 'zero' for fixed key length algorithms. A nonzero + * keySize causes the CKA_VALUE_LEN attribute to be added to the template + * for the key. Most PKCS #11 modules fail if you specify the CKA_VALUE_LEN + * attribute for keys with fixed length. The exception is DES2. If you + * select a CKM_DES3_CBC mechanism, this code will not add the CKA_VALUE_LEN + * parameter and use the key size to determine which underlying DES keygen + * function to use (CKM_DES2_KEY_GEN or CKM_DES3_KEY_GEN). + * + * CK_FLAGS flags: key operation flags + * PK11AttrFlags attrFlags: PK11_ATTR_XXX key attribute flags + */ +PK11SymKey * +PK11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, + PK11AttrFlags attrFlags, void *wincx) +{ + return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, -1, keySize, + keyid, opFlags, attrFlags, wincx); +} + +/* + * Use the token to generate a key. keySize must be 'zero' for fixed key + * length algorithms. A nonzero keySize causes the CKA_VALUE_LEN attribute + * to be added to the template for the key. PKCS #11 modules fail if you + * specify the CKA_VALUE_LEN attribute for keys with fixed length. + * NOTE: this means to generate a DES2 key from this interface you must + * specify CKM_DES2_KEY_GEN as the mechanism directly; specifying + * CKM_DES3_CBC as the mechanism and 16 as keySize currently doesn't work. + */ +PK11SymKey * +PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, + int keySize, SECItem *keyid, PRBool isToken, void *wincx) +{ + PK11SymKey *symKey; + PRBool weird = PR_FALSE; /* hack for fortezza */ + CK_FLAGS opFlags = CKF_SIGN; + PK11AttrFlags attrFlags = 0; + + if ((keySize == -1) && (type == CKM_SKIPJACK_CBC64)) { + weird = PR_TRUE; + keySize = 0; + } + + opFlags |= weird ? CKF_DECRYPT : CKF_ENCRYPT; + + if (isToken) { + attrFlags |= (PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE); + } + + symKey = pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, param, + -1, keySize, keyid, opFlags, attrFlags, wincx); + if (symKey && weird) { + PK11_SetFortezzaHack(symKey); + } + + return symKey; +} + +PK11SymKey * +PK11_KeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, + int keySize, void *wincx) +{ + return PK11_TokenKeyGen(slot, type, param, keySize, 0, PR_FALSE, wincx); +} + +PK11SymKey * +PK11_KeyGenWithTemplate(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_MECHANISM_TYPE keyGenType, + SECItem *param, CK_ATTRIBUTE *attrs, + unsigned int attrsCount, void *wincx) +{ + PK11SymKey *symKey; + CK_SESSION_HANDLE session; + CK_MECHANISM mechanism; + CK_RV crv; + PRBool isToken = CK_FALSE; + CK_ULONG keySize = 0; + unsigned i; + + /* Extract the template's CKA_VALUE_LEN into keySize and CKA_TOKEN into + isToken. */ + for (i = 0; i < attrsCount; ++i) { + switch (attrs[i].type) { + case CKA_VALUE_LEN: + if (attrs[i].pValue == NULL || + attrs[i].ulValueLen != sizeof(CK_ULONG)) { + PORT_SetError(PK11_MapError(CKR_TEMPLATE_INCONSISTENT)); + return NULL; + } + keySize = *(CK_ULONG *)attrs[i].pValue; + break; + case CKA_TOKEN: + if (attrs[i].pValue == NULL || + attrs[i].ulValueLen != sizeof(CK_BBOOL)) { + PORT_SetError(PK11_MapError(CKR_TEMPLATE_INCONSISTENT)); + return NULL; + } + isToken = (*(CK_BBOOL *)attrs[i].pValue) ? PR_TRUE : PR_FALSE; + break; + } + } + + /* find a slot to generate the key into */ + /* Only do slot management if this is not a token key */ + if (!isToken && (slot == NULL || !PK11_DoesMechanism(slot, type))) { + PK11SlotInfo *bestSlot = PK11_GetBestSlot(type, wincx); + if (bestSlot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; + } + symKey = pk11_CreateSymKey(bestSlot, type, !isToken, PR_TRUE, wincx); + PK11_FreeSlot(bestSlot); + } else { + symKey = pk11_CreateSymKey(slot, type, !isToken, PR_TRUE, wincx); + } + if (symKey == NULL) + return NULL; + + symKey->size = keySize; + symKey->origin = PK11_OriginGenerated; + + /* Set the parameters for the key gen if provided */ + mechanism.mechanism = keyGenType; + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; + if (param) { + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; + } + + /* Get session and perform locking */ + if (isToken) { + PK11_Authenticate(symKey->slot, PR_TRUE, wincx); + /* Should always be original slot */ + session = PK11_GetRWSession(symKey->slot); + symKey->owner = PR_FALSE; + } else { + session = symKey->session; + if (session != CK_INVALID_HANDLE) + pk11_EnterKeyMonitor(symKey); + } + if (session == CK_INVALID_HANDLE) { + PK11_FreeSymKey(symKey); + PORT_SetError(SEC_ERROR_BAD_DATA); + return NULL; + } + + crv = PK11_GETTAB(symKey->slot)->C_GenerateKey(session, &mechanism, attrs, attrsCount, &symKey->objectID); + + /* Release lock and session */ + if (isToken) { + PK11_RestoreROSession(symKey->slot, session); + } else { + pk11_ExitKeyMonitor(symKey); + } + + if (crv != CKR_OK) { + PK11_FreeSymKey(symKey); + PORT_SetError(PK11_MapError(crv)); + return NULL; + } + + return symKey; +} + +/* --- */ +PK11SymKey * +PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx) +{ + return PK11_TokenKeyGen(slot, CKM_DES3_CBC, 0, 0, keyid, PR_TRUE, cx); +} + +PK11SymKey * +PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx) +{ + PK11SlotInfo *slot = symk->slot; + CK_ATTRIBUTE template[1]; + CK_ATTRIBUTE *attrs = template; + CK_BBOOL cktrue = CK_TRUE; + CK_RV crv; + CK_OBJECT_HANDLE newKeyID; + CK_SESSION_HANDLE rwsession; + + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); + attrs++; + + PK11_Authenticate(slot, PR_TRUE, wincx); + rwsession = PK11_GetRWSession(slot); + if (rwsession == CK_INVALID_HANDLE) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return NULL; + } + crv = PK11_GETTAB(slot)->C_CopyObject(rwsession, symk->objectID, + template, 1, &newKeyID); + PK11_RestoreROSession(slot, rwsession); + + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return NULL; + } + + return PK11_SymKeyFromHandle(slot, NULL /*parent*/, symk->origin, + symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/); +} + +/* This function does a straight public key wrap with the CKM_RSA_PKCS + * mechanism. */ +SECStatus +PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey, + PK11SymKey *symKey, SECItem *wrappedKey) +{ + CK_MECHANISM_TYPE inferred = pk11_mapWrapKeyType(pubKey->keyType); + return PK11_PubWrapSymKeyWithMechanism(pubKey, inferred, NULL, symKey, + wrappedKey); +} + +/* This function wraps a symmetric key with a public key, such as with the + * CKM_RSA_PKCS and CKM_RSA_PKCS_OAEP mechanisms. */ +SECStatus +PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey, + CK_MECHANISM_TYPE mechType, SECItem *param, + PK11SymKey *symKey, SECItem *wrappedKey) +{ + PK11SlotInfo *slot; + CK_ULONG len = wrappedKey->len; + PK11SymKey *newKey = NULL; + CK_OBJECT_HANDLE id; + CK_MECHANISM mechanism; + PRBool owner = PR_TRUE; + CK_SESSION_HANDLE session; + CK_RV crv; + + if (symKey == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + /* if this slot doesn't support the mechanism, go to a slot that does */ + newKey = pk11_ForceSlot(symKey, mechType, CKA_ENCRYPT); + if (newKey != NULL) { + symKey = newKey; + } + + if (symKey->slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return SECFailure; + } + + slot = symKey->slot; + + mechanism.mechanism = mechType; + if (param == NULL) { + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; + } else { + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; + } + + id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE); + if (id == CK_INVALID_HANDLE) { + if (newKey) { + PK11_FreeSymKey(newKey); + } + return SECFailure; /* Error code has been set. */ + } + + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism, + id, symKey->objectID, wrappedKey->data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + if (newKey) { + PK11_FreeSymKey(newKey); + } + + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + wrappedKey->len = len; + return SECSuccess; +} + +/* + * this little function uses the Encrypt function to wrap a key, just in + * case we have problems with the wrap implementation for a token. + */ +static SECStatus +pk11_HandWrap(PK11SymKey *wrappingKey, SECItem *param, CK_MECHANISM_TYPE type, + SECItem *inKey, SECItem *outKey) +{ + PK11SlotInfo *slot; + CK_ULONG len; + SECItem *data; + CK_MECHANISM mech; + PRBool owner = PR_TRUE; + CK_SESSION_HANDLE session; + CK_RV crv; + + slot = wrappingKey->slot; + /* use NULL IV's for wrapping */ + mech.mechanism = type; + if (param) { + mech.pParameter = param->data; + mech.ulParameterLen = param->len; + } else { + mech.pParameter = NULL; + mech.ulParameterLen = 0; + } + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_EncryptInit(session, &mech, + wrappingKey->objectID); + if (crv != CKR_OK) { + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + + /* keys are almost always aligned, but if we get this far, + * we've gone above and beyond anyway... */ + data = PK11_BlockData(inKey, PK11_GetBlockSize(type, param)); + if (data == NULL) { + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + len = outKey->len; + crv = PK11_GETTAB(slot)->C_Encrypt(session, data->data, data->len, + outKey->data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + SECITEM_FreeItem(data, PR_TRUE); + outKey->len = len; + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + return SECSuccess; +} + +/* + * helper function which moves two keys into a new slot based on the + * desired mechanism. + */ +static SECStatus +pk11_moveTwoKeys(CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE preferedOperation, + CK_ATTRIBUTE_TYPE movingOperation, + PK11SymKey *preferedKey, PK11SymKey *movingKey, + PK11SymKey **newPreferedKey, PK11SymKey **newMovingKey) +{ + PK11SlotInfo *newSlot; + *newMovingKey = NULL; + *newPreferedKey = NULL; + + newSlot = PK11_GetBestSlot(mech, preferedKey->cx); + if (newSlot == NULL) { + return SECFailure; + } + *newMovingKey = pk11_CopyToSlot(newSlot, movingKey->type, + movingOperation, movingKey); + if (*newMovingKey == NULL) { + goto loser; + } + *newPreferedKey = pk11_CopyToSlot(newSlot, preferedKey->type, + preferedOperation, preferedKey); + if (*newPreferedKey == NULL) { + goto loser; + } + + PK11_FreeSlot(newSlot); + return SECSuccess; +loser: + PK11_FreeSlot(newSlot); + PK11_FreeSymKey(*newMovingKey); + PK11_FreeSymKey(*newPreferedKey); + *newMovingKey = NULL; + *newPreferedKey = NULL; + return SECFailure; +} + +/* + * To do joint operations, we often need two keys in the same slot. + * Usually the PKCS #11 wrappers handle this correctly (like for PK11_WrapKey), + * but sometimes the wrappers don't know about mechanism specific keys in + * the Mechanism params. This function makes sure the two keys are in the + * same slot by copying one or both of the keys into a common slot. This + * functions makes sure the slot can handle the target mechanism. If the copy + * is warranted, this function will prefer to move the movingKey first, then + * the preferedKey. If the keys are moved, the new keys are returned in + * newMovingKey and/or newPreferedKey. The application is responsible + * for freeing those keys once the operation is complete. + */ +SECStatus +PK11_SymKeysToSameSlot(CK_MECHANISM_TYPE mech, + CK_ATTRIBUTE_TYPE preferedOperation, + CK_ATTRIBUTE_TYPE movingOperation, + PK11SymKey *preferedKey, PK11SymKey *movingKey, + PK11SymKey **newPreferedKey, PK11SymKey **newMovingKey) +{ + /* usually don't return new keys */ + *newMovingKey = NULL; + *newPreferedKey = NULL; + if (movingKey->slot == preferedKey->slot) { + + /* this should be the most common case */ + if ((preferedKey->slot != NULL) && + PK11_DoesMechanism(preferedKey->slot, mech)) { + return SECSuccess; + } + + /* we are in the same slot, but it doesn't do the operation, + * move both keys to an appropriate target slot */ + return pk11_moveTwoKeys(mech, preferedOperation, movingOperation, + preferedKey, movingKey, + newPreferedKey, newMovingKey); + } + + /* keys are in different slot, try moving the moving key to the prefered + * key's slot */ + if ((preferedKey->slot != NULL) && + PK11_DoesMechanism(preferedKey->slot, mech)) { + *newMovingKey = pk11_CopyToSlot(preferedKey->slot, movingKey->type, + movingOperation, movingKey); + if (*newMovingKey != NULL) { + return SECSuccess; + } + } + /* couldn't moving the moving key to the prefered slot, try moving + * the prefered key */ + if ((movingKey->slot != NULL) && + PK11_DoesMechanism(movingKey->slot, mech)) { + *newPreferedKey = pk11_CopyToSlot(movingKey->slot, preferedKey->type, + preferedOperation, preferedKey); + if (*newPreferedKey != NULL) { + return SECSuccess; + } + } + /* Neither succeeded, but that could be that they were not in slots that + * supported the operation, try moving both keys into a common slot that + * can do the operation. */ + return pk11_moveTwoKeys(mech, preferedOperation, movingOperation, + preferedKey, movingKey, + newPreferedKey, newMovingKey); +} + +/* + * This function does a symetric based wrap. + */ +SECStatus +PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *param, + PK11SymKey *wrappingKey, PK11SymKey *symKey, + SECItem *wrappedKey) +{ + PK11SlotInfo *slot; + CK_ULONG len = wrappedKey->len; + PK11SymKey *newSymKey = NULL; + PK11SymKey *newWrappingKey = NULL; + SECItem *param_save = NULL; + CK_MECHANISM mechanism; + PRBool owner = PR_TRUE; + CK_SESSION_HANDLE session; + CK_RV crv; + SECStatus rv; + + /* force the keys into same slot */ + rv = PK11_SymKeysToSameSlot(type, CKA_ENCRYPT, CKA_WRAP, + symKey, wrappingKey, + &newSymKey, &newWrappingKey); + if (rv != SECSuccess) { + /* Couldn't move the keys as desired, try to hand unwrap if possible */ + if (symKey->data.data == NULL) { + rv = PK11_ExtractKeyValue(symKey); + if (rv != SECSuccess) { + PORT_SetError(SEC_ERROR_NO_MODULE); + return SECFailure; + } + } + if (param == NULL) { + param_save = param = PK11_ParamFromIV(type, NULL); + } + rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data, wrappedKey); + if (param_save) + SECITEM_FreeItem(param_save, PR_TRUE); + return rv; + } + if (newSymKey) { + symKey = newSymKey; + } + if (newWrappingKey) { + wrappingKey = newWrappingKey; + } + + /* at this point both keys are in the same token */ + slot = wrappingKey->slot; + mechanism.mechanism = type; + /* use NULL IV's for wrapping */ + if (param == NULL) { + param_save = param = PK11_ParamFromIV(type, NULL); + } + if (param) { + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; + } else { + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; + } + + len = wrappedKey->len; + + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_WrapKey(session, &mechanism, + wrappingKey->objectID, symKey->objectID, + wrappedKey->data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + rv = SECSuccess; + if (crv != CKR_OK) { + /* can't wrap it? try hand wrapping it... */ + do { + if (symKey->data.data == NULL) { + rv = PK11_ExtractKeyValue(symKey); + if (rv != SECSuccess) + break; + } + rv = pk11_HandWrap(wrappingKey, param, type, &symKey->data, + wrappedKey); + } while (PR_FALSE); + } else { + wrappedKey->len = len; + } + PK11_FreeSymKey(newSymKey); + PK11_FreeSymKey(newWrappingKey); + if (param_save) + SECITEM_FreeItem(param_save, PR_TRUE); + return rv; +} + +/* + * This Generates a new key based on a symetricKey + */ +PK11SymKey * +PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, SECItem *param, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize) +{ + return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, + keySize, NULL, 0, PR_FALSE); +} + +PK11SymKey * +PK11_DeriveWithFlags(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags) +{ + CK_BBOOL ckTrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; + + templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue); + return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, + keySize, keyTemplate, templateCount, PR_FALSE); +} + +PK11SymKey * +PK11_DeriveWithFlagsPerm(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags, PRBool isPerm) +{ + CK_BBOOL cktrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs; + unsigned int templateCount = 0; + + attrs = keyTemplate; + if (isPerm) { + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); + attrs++; + } + templateCount = attrs - keyTemplate; + templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); + return PK11_DeriveWithTemplate(baseKey, derive, param, target, operation, + keySize, keyTemplate, templateCount, isPerm); +} + +PK11SymKey * +PK11_DeriveWithTemplate(PK11SymKey *baseKey, CK_MECHANISM_TYPE derive, + SECItem *param, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, + PRBool isPerm) +{ + PK11SlotInfo *slot = baseKey->slot; + PK11SymKey *symKey; + PK11SymKey *newBaseKey = NULL; + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG valueLen = 0; + CK_MECHANISM mechanism; + CK_RV crv; +#define MAX_ADD_ATTRS 4 + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS]; +#undef MAX_ADD_ATTRS + CK_ATTRIBUTE *attrs = keyTemplate; + CK_SESSION_HANDLE session; + unsigned int templateCount; + + if (numAttrs > MAX_TEMPL_ATTRS) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + /* CKA_NSS_MESSAGE is a fake operation to distinguish between + * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set + * it as a real attribute */ + if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) { + /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT), + * etc. Strip out the real attribute here */ + operation &= ~CKA_NSS_MESSAGE_MASK; + } + + /* first copy caller attributes in. */ + for (templateCount = 0; templateCount < numAttrs; ++templateCount) { + *attrs++ = *userAttr++; + } + + /* We only add the following attributes to the template if the caller + ** didn't already supply them. + */ + if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) { + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass); + attrs++; + } + if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) { + keyType = PK11_GetKeyType(target, keySize); + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType); + attrs++; + } + if (keySize > 0 && + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) { + valueLen = (CK_ULONG)keySize; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); + attrs++; + } + if ((operation != CKA_FLAGS_ONLY) && + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) { + PK11_SETATTRS(attrs, operation, &cktrue, sizeof cktrue); + attrs++; + } + + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + /* move the key to a slot that can do the function */ + if (!PK11_DoesMechanism(slot, derive)) { + /* get a new base key & slot */ + PK11SlotInfo *newSlot = PK11_GetBestSlot(derive, baseKey->cx); + + if (newSlot == NULL) + return NULL; + + newBaseKey = pk11_CopyToSlot(newSlot, derive, CKA_DERIVE, + baseKey); + PK11_FreeSlot(newSlot); + if (newBaseKey == NULL) + return NULL; + baseKey = newBaseKey; + slot = baseKey->slot; + } + + /* get our key Structure */ + symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, baseKey->cx); + if (symKey == NULL) { + return NULL; + } + + symKey->size = keySize; + + mechanism.mechanism = derive; + if (param) { + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; + } else { + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; + } + symKey->origin = PK11_OriginDerive; + + if (isPerm) { + session = PK11_GetRWSession(slot); + } else { + pk11_EnterKeyMonitor(symKey); + session = symKey->session; + } + if (session == CK_INVALID_HANDLE) { + if (!isPerm) + pk11_ExitKeyMonitor(symKey); + crv = CKR_SESSION_HANDLE_INVALID; + } else { + crv = PK11_GETTAB(slot)->C_DeriveKey(session, &mechanism, + baseKey->objectID, keyTemplate, templateCount, &symKey->objectID); + if (isPerm) { + PK11_RestoreROSession(slot, session); + } else { + pk11_ExitKeyMonitor(symKey); + } + } + if (newBaseKey) + PK11_FreeSymKey(newBaseKey); + if (crv != CKR_OK) { + PK11_FreeSymKey(symKey); + PORT_SetError(PK11_MapError(crv)); + return NULL; + } + return symKey; +} + +/* Create a new key by concatenating base and data + */ +static PK11SymKey * +pk11_ConcatenateBaseAndData(PK11SymKey *base, + CK_BYTE *data, CK_ULONG dataLen, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation) +{ + CK_KEY_DERIVATION_STRING_DATA mechParams; + SECItem param; + + if (base == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + mechParams.pData = data; + mechParams.ulLen = dataLen; + param.data = (unsigned char *)&mechParams; + param.len = sizeof(CK_KEY_DERIVATION_STRING_DATA); + + return PK11_Derive(base, CKM_CONCATENATE_BASE_AND_DATA, + ¶m, target, operation, 0); +} + +/* Create a new key by concatenating base and key + */ +static PK11SymKey * +pk11_ConcatenateBaseAndKey(PK11SymKey *base, + PK11SymKey *key, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize) +{ + SECItem param; + + if ((base == NULL) || (key == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + param.data = (unsigned char *)&(key->objectID); + param.len = sizeof(CK_OBJECT_HANDLE); + + return PK11_Derive(base, CKM_CONCATENATE_BASE_AND_KEY, + ¶m, target, operation, keySize); +} + +PK11SymKey * +PK11_ConcatSymKeys(PK11SymKey *left, PK11SymKey *right, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation) +{ + PK11SymKey *out = NULL; + PK11SymKey *copyOfLeft = NULL; + PK11SymKey *copyOfRight = NULL; + + if ((left == NULL) || (right == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + SECStatus rv = PK11_SymKeysToSameSlot(CKM_CONCATENATE_BASE_AND_KEY, + CKA_DERIVE, CKA_DERIVE, left, right, + ©OfLeft, ©OfRight); + if (rv != SECSuccess) { + /* error code already set */ + return NULL; + } + + out = pk11_ConcatenateBaseAndKey(copyOfLeft ? copyOfLeft : left, copyOfRight ? copyOfRight : right, target, operation, 0); + PK11_FreeSymKey(copyOfLeft); + PK11_FreeSymKey(copyOfRight); + return out; +} + +/* Create a new key whose value is the hash of tobehashed. + * type is the mechanism for the derived key. + */ +static PK11SymKey * +pk11_HashKeyDerivation(PK11SymKey *toBeHashed, + CK_MECHANISM_TYPE hashMechanism, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, CK_ULONG keySize) +{ + return PK11_Derive(toBeHashed, hashMechanism, NULL, target, operation, keySize); +} + +/* This function implements the ANSI X9.63 key derivation function + */ +static PK11SymKey * +pk11_ANSIX963Derive(PK11SymKey *sharedSecret, + CK_EC_KDF_TYPE kdf, SECItem *sharedData, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + CK_ULONG keySize) +{ + CK_KEY_TYPE keyType; + CK_MECHANISM_TYPE hashMechanism, mechanismArray[4]; + CK_ULONG derivedKeySize, HashLen, counter, maxCounter, bufferLen; + CK_ULONG SharedInfoLen; + CK_BYTE *buffer = NULL; + PK11SymKey *toBeHashed, *hashOutput; + PK11SymKey *newSharedSecret = NULL; + PK11SymKey *oldIntermediateResult, *intermediateResult = NULL; + + if (sharedSecret == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + switch (kdf) { + case CKD_SHA1_KDF: + HashLen = SHA1_LENGTH; + hashMechanism = CKM_SHA1_KEY_DERIVATION; + break; + case CKD_SHA224_KDF: + HashLen = SHA224_LENGTH; + hashMechanism = CKM_SHA224_KEY_DERIVATION; + break; + case CKD_SHA256_KDF: + HashLen = SHA256_LENGTH; + hashMechanism = CKM_SHA256_KEY_DERIVATION; + break; + case CKD_SHA384_KDF: + HashLen = SHA384_LENGTH; + hashMechanism = CKM_SHA384_KEY_DERIVATION; + break; + case CKD_SHA512_KDF: + HashLen = SHA512_LENGTH; + hashMechanism = CKM_SHA512_KEY_DERIVATION; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + derivedKeySize = keySize; + if (derivedKeySize == 0) { + keyType = PK11_GetKeyType(target, keySize); + derivedKeySize = pk11_GetPredefinedKeyLength(keyType); + if (derivedKeySize == 0) { + derivedKeySize = HashLen; + } + } + + /* Check that key_len isn't too long. The maximum key length could be + * greatly increased if the code below did not limit the 4-byte counter + * to a maximum value of 255. */ + if (derivedKeySize > 254 * HashLen) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + maxCounter = derivedKeySize / HashLen; + if (derivedKeySize > maxCounter * HashLen) + maxCounter++; + + if ((sharedData == NULL) || (sharedData->data == NULL)) + SharedInfoLen = 0; + else + SharedInfoLen = sharedData->len; + + bufferLen = SharedInfoLen + 4; + + /* Populate buffer with Counter || sharedData + * where Counter is 0x00000001. */ + buffer = (unsigned char *)PORT_Alloc(bufferLen); + if (buffer == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + + buffer[0] = 0; + buffer[1] = 0; + buffer[2] = 0; + buffer[3] = 1; + if (SharedInfoLen > 0) { + PORT_Memcpy(&buffer[4], sharedData->data, SharedInfoLen); + } + + /* Look for a slot that supports the mechanisms needed + * to implement the ANSI X9.63 KDF as well as the + * target mechanism. + */ + mechanismArray[0] = CKM_CONCATENATE_BASE_AND_DATA; + mechanismArray[1] = hashMechanism; + mechanismArray[2] = CKM_CONCATENATE_BASE_AND_KEY; + mechanismArray[3] = target; + + newSharedSecret = pk11_ForceSlotMultiple(sharedSecret, + mechanismArray, 4, operation); + if (newSharedSecret != NULL) { + sharedSecret = newSharedSecret; + } + + for (counter = 1; counter <= maxCounter; counter++) { + /* Concatenate shared_secret and buffer */ + toBeHashed = pk11_ConcatenateBaseAndData(sharedSecret, buffer, + bufferLen, hashMechanism, operation); + if (toBeHashed == NULL) { + goto loser; + } + + /* Hash value */ + if (maxCounter == 1) { + /* In this case the length of the key to be derived is + * less than or equal to the length of the hash output. + * So, the output of the hash operation will be the + * dervied key. */ + hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism, + target, operation, keySize); + } else { + /* In this case, the output of the hash operation will be + * concatenated with other data to create the derived key. */ + hashOutput = pk11_HashKeyDerivation(toBeHashed, hashMechanism, + CKM_CONCATENATE_BASE_AND_KEY, operation, 0); + } + PK11_FreeSymKey(toBeHashed); + if (hashOutput == NULL) { + goto loser; + } + + /* Append result to intermediate result, if necessary */ + oldIntermediateResult = intermediateResult; + + if (oldIntermediateResult == NULL) { + intermediateResult = hashOutput; + } else { + if (counter == maxCounter) { + /* This is the final concatenation, and so the output + * will be the derived key. */ + intermediateResult = + pk11_ConcatenateBaseAndKey(oldIntermediateResult, + hashOutput, target, operation, keySize); + } else { + /* The output of this concatenation will be concatenated + * with other data to create the derived key. */ + intermediateResult = + pk11_ConcatenateBaseAndKey(oldIntermediateResult, + hashOutput, CKM_CONCATENATE_BASE_AND_KEY, + operation, 0); + } + + PK11_FreeSymKey(hashOutput); + PK11_FreeSymKey(oldIntermediateResult); + if (intermediateResult == NULL) { + goto loser; + } + } + + /* Increment counter (assumes maxCounter < 255) */ + buffer[3]++; + } + + PORT_ZFree(buffer, bufferLen); + if (newSharedSecret != NULL) + PK11_FreeSymKey(newSharedSecret); + return intermediateResult; + +loser: + PORT_ZFree(buffer, bufferLen); + if (newSharedSecret != NULL) + PK11_FreeSymKey(newSharedSecret); + if (intermediateResult != NULL) + PK11_FreeSymKey(intermediateResult); + return NULL; +} + +/* + * This regenerate a public key from a private key. This function is currently + * NSS private. If we want to make it public, we need to add and optional + * template or at least flags (a.la. PK11_DeriveWithFlags). + */ +CK_OBJECT_HANDLE +PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey) +{ + PK11SlotInfo *slot = privKey->pkcs11Slot; + CK_MECHANISM mechanism; + CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE; + CK_RV crv; + + mechanism.mechanism = CKM_NSS_PUB_FROM_PRIV; + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; + + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_DeriveKey(slot->session, &mechanism, + privKey->pkcs11ID, NULL, 0, + &objectID); + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return CK_INVALID_HANDLE; + } + return objectID; +} + +/* + * This Generates a wrapping key based on a privateKey, publicKey, and two + * random numbers. For Mail usage RandomB should be NULL. In the Sender's + * case RandomA is generate, outherwize it is passed. + */ +PK11SymKey * +PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, void *wincx) +{ + PK11SlotInfo *slot = privKey->pkcs11Slot; + CK_MECHANISM mechanism; + PK11SymKey *symKey; + CK_RV crv; + + /* get our key Structure */ + symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx); + if (symKey == NULL) { + return NULL; + } + + /* CKA_NSS_MESSAGE is a fake operation to distinguish between + * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set + * it as a real attribute */ + if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) { + /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT), + * etc. Strip out the real attribute here */ + operation &= ~CKA_NSS_MESSAGE_MASK; + } + + symKey->origin = PK11_OriginDerive; + + switch (privKey->keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + case kyberKey: + case nullKey: + PORT_SetError(SEC_ERROR_BAD_KEY); + break; + case dsaKey: + case keaKey: + case fortezzaKey: { + static unsigned char rb_email[128] = { 0 }; + CK_KEA_DERIVE_PARAMS param; + param.isSender = (CK_BBOOL)isSender; + param.ulRandomLen = randomA->len; + param.pRandomA = randomA->data; + param.pRandomB = rb_email; + param.pRandomB[127] = 1; + if (randomB) + param.pRandomB = randomB->data; + if (pubKey->keyType == fortezzaKey) { + param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len; + param.pPublicData = pubKey->u.fortezza.KEAKey.data; + } else { + /* assert type == keaKey */ + /* XXX change to match key key types */ + param.ulPublicDataLen = pubKey->u.fortezza.KEAKey.len; + param.pPublicData = pubKey->u.fortezza.KEAKey.data; + } + + mechanism.mechanism = derive; + mechanism.pParameter = ¶m; + mechanism.ulParameterLen = sizeof(param); + + /* get a new symKey structure */ + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, + privKey->pkcs11ID, NULL, 0, + &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + if (crv == CKR_OK) + return symKey; + PORT_SetError(PK11_MapError(crv)); + } break; + case dhKey: { + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG key_size = 0; + CK_ATTRIBUTE keyTemplate[4]; + int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + + if (pubKey->keyType != dhKey) { + PORT_SetError(SEC_ERROR_BAD_KEY); + break; + } + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); + attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(target, keySize); + key_size = keySize; + symKey->size = keySize; + if (key_size == 0) + templateCount--; + + mechanism.mechanism = derive; + + /* we can undefine these when we define diffie-helman keys */ + + mechanism.pParameter = pubKey->u.dh.publicValue.data; + mechanism.ulParameterLen = pubKey->u.dh.publicValue.len; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, + privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + if (crv == CKR_OK) + return symKey; + PORT_SetError(PK11_MapError(crv)); + } break; + case ecKey: { + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG key_size = 0; + CK_ATTRIBUTE keyTemplate[4]; + int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; + + if (pubKey->keyType != ecKey) { + PORT_SetError(SEC_ERROR_BAD_KEY); + break; + } + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); + attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(target, keySize); + key_size = keySize; + if (key_size == 0) { + if ((key_size = pk11_GetPredefinedKeyLength(keyType))) { + templateCount--; + } else { + /* sigh, some tokens can't figure this out and require + * CKA_VALUE_LEN to be set */ + key_size = SHA1_LENGTH; + } + } + symKey->size = key_size; + + mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); + mechParams->kdf = CKD_SHA1_KDF; + mechParams->ulSharedDataLen = 0; + mechParams->pSharedData = NULL; + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; + + mechanism.mechanism = derive; + mechanism.pParameter = mechParams; + mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + /* old PKCS #11 spec was ambiguous on what needed to be passed, + * try this again with and encoded public key */ + if (crv != CKR_OK && pk11_ECGetPubkeyEncoding(pubKey) != ECPoint_XOnly) { + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + break; + } + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + SECITEM_FreeItem(pubValue, PR_TRUE); + } + + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + + if (crv == CKR_OK) + return symKey; + PORT_SetError(PK11_MapError(crv)); + } + } + + PK11_FreeSymKey(symKey); + return NULL; +} + +/* Test for curves that are known to use a special encoding. + * Extend this function when additional curves are added. */ +static ECPointEncoding +pk11_ECGetPubkeyEncoding(const SECKEYPublicKey *pubKey) +{ + SECItem oid; + SECStatus rv; + PORTCheapArenaPool tmpArena; + ECPointEncoding encoding = ECPoint_Undefined; + + PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE); + + /* decode the OID tag */ + rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &oid, + SEC_ASN1_GET(SEC_ObjectIDTemplate), + &pubKey->u.ec.DEREncodedParams); + if (rv == SECSuccess) { + SECOidTag tag = SECOID_FindOIDTag(&oid); + switch (tag) { + case SEC_OID_CURVE25519: + encoding = ECPoint_XOnly; + break; + case SEC_OID_SECG_EC_SECP256R1: + case SEC_OID_SECG_EC_SECP384R1: + case SEC_OID_SECG_EC_SECP521R1: + default: + /* unknown curve, default to uncompressed */ + encoding = ECPoint_Uncompressed; + } + } + PORT_DestroyCheapArena(&tmpArena); + return encoding; +} + +/* Returns the size of the public key, or 0 if there + * is an error. */ +static CK_ULONG +pk11_ECPubKeySize(SECKEYPublicKey *pubKey) +{ + SECItem *publicValue = &pubKey->u.ec.publicValue; + + ECPointEncoding encoding = pk11_ECGetPubkeyEncoding(pubKey); + if (encoding == ECPoint_XOnly) { + return publicValue->len; + } + if (encoding == ECPoint_Uncompressed) { + /* key encoded in uncompressed form */ + return ((publicValue->len - 1) / 2); + } + /* key encoding not recognized */ + return 0; +} + +static PK11SymKey * +pk11_PubDeriveECKeyWithKDF( + SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_ULONG kdf, SECItem *sharedData, void *wincx) +{ + PK11SlotInfo *slot = privKey->pkcs11Slot; + PK11SymKey *symKey; + PK11SymKey *SharedSecret; + CK_MECHANISM mechanism; + CK_RV crv; + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG key_size = 0; + CK_ATTRIBUTE keyTemplate[4]; + int templateCount; + CK_ATTRIBUTE *attrs = keyTemplate; + CK_ECDH1_DERIVE_PARAMS *mechParams = NULL; + + if (pubKey->keyType != ecKey) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; + } + if ((kdf != CKD_NULL) && (kdf != CKD_SHA1_KDF) && + (kdf != CKD_SHA224_KDF) && (kdf != CKD_SHA256_KDF) && + (kdf != CKD_SHA384_KDF) && (kdf != CKD_SHA512_KDF)) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } + + /* get our key Structure */ + symKey = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, wincx); + if (symKey == NULL) { + return NULL; + } + /* CKA_NSS_MESSAGE is a fake operation to distinguish between + * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set + * it as a real attribute */ + if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) { + /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT), + * etc. Strip out the real attribute here */ + operation &= ~CKA_NSS_MESSAGE_MASK; + } + + symKey->origin = PK11_OriginDerive; + + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &key_size, sizeof(key_size)); + attrs++; + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + keyType = PK11_GetKeyType(target, keySize); + key_size = keySize; + if (key_size == 0) { + if ((key_size = pk11_GetPredefinedKeyLength(keyType))) { + templateCount--; + } else { + /* sigh, some tokens can't figure this out and require + * CKA_VALUE_LEN to be set */ + switch (kdf) { + case CKD_NULL: + key_size = pk11_ECPubKeySize(pubKey); + if (key_size == 0) { + PK11_FreeSymKey(symKey); + return NULL; + } + break; + case CKD_SHA1_KDF: + key_size = SHA1_LENGTH; + break; + case CKD_SHA224_KDF: + key_size = SHA224_LENGTH; + break; + case CKD_SHA256_KDF: + key_size = SHA256_LENGTH; + break; + case CKD_SHA384_KDF: + key_size = SHA384_LENGTH; + break; + case CKD_SHA512_KDF: + key_size = SHA512_LENGTH; + break; + default: + PORT_AssertNotReached("Invalid CKD"); + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } + } + } + symKey->size = key_size; + + mechParams = PORT_ZNew(CK_ECDH1_DERIVE_PARAMS); + if (!mechParams) { + PK11_FreeSymKey(symKey); + return NULL; + } + mechParams->kdf = kdf; + if (sharedData == NULL) { + mechParams->ulSharedDataLen = 0; + mechParams->pSharedData = NULL; + } else { + mechParams->ulSharedDataLen = sharedData->len; + mechParams->pSharedData = sharedData->data; + } + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; + + mechanism.mechanism = derive; + mechanism.pParameter = mechParams; + mechanism.ulParameterLen = sizeof(CK_ECDH1_DERIVE_PARAMS); + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, &mechanism, + privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + /* old PKCS #11 spec was ambiguous on what needed to be passed, + * try this again with an encoded public key */ + if (crv != CKR_OK) { + /* For curves that only use X as public value and no encoding we don't + * have to try again. (Currently only Curve25519) */ + if (pk11_ECGetPubkeyEncoding(pubKey) == ECPoint_XOnly) { + goto loser; + } + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &pubKey->u.ec.publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (pubValue == NULL) { + goto loser; + } + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(symKey); + crv = PK11_GETTAB(slot)->C_DeriveKey(symKey->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &symKey->objectID); + pk11_ExitKeyMonitor(symKey); + + if ((crv != CKR_OK) && (kdf != CKD_NULL)) { + /* Some PKCS #11 libraries cannot perform the key derivation + * function. So, try calling C_DeriveKey with CKD_NULL and then + * performing the KDF separately. + */ + CK_ULONG derivedKeySize = key_size; + + keyType = CKK_GENERIC_SECRET; + key_size = pk11_ECPubKeySize(pubKey); + if (key_size == 0) { + SECITEM_FreeItem(pubValue, PR_TRUE); + goto loser; + } + SharedSecret = symKey; + SharedSecret->size = key_size; + + mechParams->kdf = CKD_NULL; + mechParams->ulSharedDataLen = 0; + mechParams->pSharedData = NULL; + mechParams->ulPublicDataLen = pubKey->u.ec.publicValue.len; + mechParams->pPublicData = pubKey->u.ec.publicValue.data; + + pk11_EnterKeyMonitor(SharedSecret); + crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &SharedSecret->objectID); + pk11_ExitKeyMonitor(SharedSecret); + + if (crv != CKR_OK) { + /* old PKCS #11 spec was ambiguous on what needed to be passed, + * try this one final time with an encoded public key */ + mechParams->ulPublicDataLen = pubValue->len; + mechParams->pPublicData = pubValue->data; + + pk11_EnterKeyMonitor(SharedSecret); + crv = PK11_GETTAB(slot)->C_DeriveKey(SharedSecret->session, + &mechanism, privKey->pkcs11ID, keyTemplate, + templateCount, &SharedSecret->objectID); + pk11_ExitKeyMonitor(SharedSecret); + } + + /* Perform KDF. */ + if (crv == CKR_OK) { + symKey = pk11_ANSIX963Derive(SharedSecret, kdf, + sharedData, target, operation, + derivedKeySize); + PK11_FreeSymKey(SharedSecret); + if (symKey == NULL) { + SECITEM_FreeItem(pubValue, PR_TRUE); + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + return NULL; + } + } + } + SECITEM_FreeItem(pubValue, PR_TRUE); + } + +loser: + PORT_ZFree(mechParams, sizeof(CK_ECDH1_DERIVE_PARAMS)); + + if (crv != CKR_OK) { + PK11_FreeSymKey(symKey); + symKey = NULL; + PORT_SetError(PK11_MapError(crv)); + } + return symKey; +} + +PK11SymKey * +PK11_PubDeriveWithKDF(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_ULONG kdf, SECItem *sharedData, void *wincx) +{ + + switch (privKey->keyType) { + case rsaKey: + case nullKey: + case dsaKey: + case keaKey: + case fortezzaKey: + case dhKey: + return PK11_PubDerive(privKey, pubKey, isSender, randomA, randomB, + derive, target, operation, keySize, wincx); + case ecKey: + return pk11_PubDeriveECKeyWithKDF(privKey, pubKey, isSender, + randomA, randomB, derive, target, + operation, keySize, + kdf, sharedData, wincx); + default: + PORT_SetError(SEC_ERROR_BAD_KEY); + break; + } + + return NULL; +} + +/* + * this little function uses the Decrypt function to unwrap a key, just in + * case we are having problem with unwrap. NOTE: The key size may + * not be preserved properly for some algorithms! + */ +static PK11SymKey * +pk11_HandUnwrap(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey, + CK_MECHANISM *mech, SECItem *inKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE *keyTemplate, unsigned int templateCount, + int key_size, void *wincx, CK_RV *crvp, PRBool isPerm) +{ + CK_ULONG len; + SECItem outKey; + PK11SymKey *symKey; + CK_RV crv; + PRBool owner = PR_TRUE; + CK_SESSION_HANDLE session; + + /* remove any VALUE_LEN parameters */ + if (keyTemplate[templateCount - 1].type == CKA_VALUE_LEN) { + templateCount--; + } + + /* keys are almost always aligned, but if we get this far, + * we've gone above and beyond anyway... */ + outKey.data = (unsigned char *)PORT_Alloc(inKey->len); + if (outKey.data == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + if (crvp) + *crvp = CKR_HOST_MEMORY; + return NULL; + } + len = inKey->len; + + /* use NULL IV's for wrapping */ + session = pk11_GetNewSession(slot, &owner); + if (!owner || !(slot->isThreadSafe)) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, wrappingKey); + if (crv != CKR_OK) { + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + PORT_Free(outKey.data); + PORT_SetError(PK11_MapError(crv)); + if (crvp) + *crvp = crv; + return NULL; + } + crv = PK11_GETTAB(slot)->C_Decrypt(session, inKey->data, inKey->len, + outKey.data, &len); + if (!owner || !(slot->isThreadSafe)) + PK11_ExitSlotMonitor(slot); + pk11_CloseSession(slot, session, owner); + if (crv != CKR_OK) { + PORT_Free(outKey.data); + PORT_SetError(PK11_MapError(crv)); + if (crvp) + *crvp = crv; + return NULL; + } + + outKey.len = (key_size == 0) ? len : key_size; + outKey.type = siBuffer; + + if (PK11_DoesMechanism(slot, target)) { + symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, + isPerm, keyTemplate, + templateCount, &outKey, wincx); + } else { + slot = PK11_GetBestSlot(target, wincx); + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_MODULE); + PORT_Free(outKey.data); + if (crvp) + *crvp = CKR_DEVICE_ERROR; + return NULL; + } + symKey = pk11_ImportSymKeyWithTempl(slot, target, PK11_OriginUnwrap, + isPerm, keyTemplate, + templateCount, &outKey, wincx); + PK11_FreeSlot(slot); + } + PORT_Free(outKey.data); + + if (crvp) + *crvp = symKey ? CKR_OK : CKR_DEVICE_ERROR; + return symKey; +} + +/* + * The wrap/unwrap function is pretty much the same for private and + * public keys. It's just getting the Object ID and slot right. This is + * the combined unwrap function. + */ +static PK11SymKey * +pk11_AnyUnwrapKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE wrappingKey, + CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, + void *wincx, CK_ATTRIBUTE *userAttr, unsigned int numAttrs, PRBool isPerm) +{ + PK11SymKey *symKey; + SECItem *param_free = NULL; + CK_BBOOL cktrue = CK_TRUE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_ULONG valueLen = 0; + CK_MECHANISM mechanism; + CK_SESSION_HANDLE rwsession; + CK_RV crv; + CK_MECHANISM_INFO mechanism_info; +#define MAX_ADD_ATTRS 4 + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS + MAX_ADD_ATTRS]; +#undef MAX_ADD_ATTRS + CK_ATTRIBUTE *attrs = keyTemplate; + unsigned int templateCount; + + if (numAttrs > MAX_TEMPL_ATTRS) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + /* CKA_NSS_MESSAGE is a fake operation to distinguish between + * Normal Encrypt/Decrypt and MessageEncrypt/Decrypt. Don't try to set + * it as a real attribute */ + if ((operation & CKA_NSS_MESSAGE_MASK) == CKA_NSS_MESSAGE) { + /* Message is or'd with a real Attribute (CKA_ENCRYPT, CKA_DECRYPT), + * etc. Strip out the real attribute here */ + operation &= ~CKA_NSS_MESSAGE_MASK; + } + + /* first copy caller attributes in. */ + for (templateCount = 0; templateCount < numAttrs; ++templateCount) { + *attrs++ = *userAttr++; + } + + /* We only add the following attributes to the template if the caller + ** didn't already supply them. + */ + if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_CLASS)) { + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof keyClass); + attrs++; + } + if (!pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_KEY_TYPE)) { + keyType = PK11_GetKeyType(target, keySize); + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof keyType); + attrs++; + } + if ((operation != CKA_FLAGS_ONLY) && + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, operation)) { + PK11_SETATTRS(attrs, operation, &cktrue, 1); + attrs++; + } + + /* + * must be last in case we need to use this template to import the key + */ + if (keySize > 0 && + !pk11_FindAttrInTemplate(keyTemplate, numAttrs, CKA_VALUE_LEN)) { + valueLen = (CK_ULONG)keySize; + PK11_SETATTRS(attrs, CKA_VALUE_LEN, &valueLen, sizeof valueLen); + attrs++; + } + + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + /* find out if we can do wrap directly. Because the RSA case if *very* + * common, cache the results for it. */ + if ((wrapType == CKM_RSA_PKCS) && (slot->hasRSAInfo)) { + mechanism_info.flags = slot->RSAInfoFlags; + } else { + if (!slot->isThreadSafe) + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, wrapType, + &mechanism_info); + if (!slot->isThreadSafe) + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + mechanism_info.flags = 0; + } + if (wrapType == CKM_RSA_PKCS) { + slot->RSAInfoFlags = mechanism_info.flags; + slot->hasRSAInfo = PR_TRUE; + } + } + + /* initialize the mechanism structure */ + mechanism.mechanism = wrapType; + /* use NULL IV's for wrapping */ + if (param == NULL) + param = param_free = PK11_ParamFromIV(wrapType, NULL); + if (param) { + mechanism.pParameter = param->data; + mechanism.ulParameterLen = param->len; + } else { + mechanism.pParameter = NULL; + mechanism.ulParameterLen = 0; + } + + if ((mechanism_info.flags & CKF_DECRYPT) && !PK11_DoesMechanism(slot, target)) { + symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, + target, keyTemplate, templateCount, keySize, + wincx, &crv, isPerm); + if (symKey) { + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); + return symKey; + } + /* + * if the RSA OP simply failed, don't try to unwrap again + * with this module. + */ + if (crv == CKR_DEVICE_ERROR) { + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); + return NULL; + } + /* fall through, maybe they incorrectly set CKF_DECRYPT */ + } + + /* get our key Structure */ + symKey = pk11_CreateSymKey(slot, target, !isPerm, PR_TRUE, wincx); + if (symKey == NULL) { + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); + return NULL; + } + + symKey->size = keySize; + symKey->origin = PK11_OriginUnwrap; + + if (isPerm) { + rwsession = PK11_GetRWSession(slot); + } else { + pk11_EnterKeyMonitor(symKey); + rwsession = symKey->session; + } + PORT_Assert(rwsession != CK_INVALID_HANDLE); + if (rwsession == CK_INVALID_HANDLE) + crv = CKR_SESSION_HANDLE_INVALID; + else + crv = PK11_GETTAB(slot)->C_UnwrapKey(rwsession, &mechanism, wrappingKey, + wrappedKey->data, wrappedKey->len, + keyTemplate, templateCount, + &symKey->objectID); + if (isPerm) { + if (rwsession != CK_INVALID_HANDLE) + PK11_RestoreROSession(slot, rwsession); + } else { + pk11_ExitKeyMonitor(symKey); + } + if (param_free) + SECITEM_FreeItem(param_free, PR_TRUE); + if (crv != CKR_OK) { + PK11_FreeSymKey(symKey); + symKey = NULL; + if (crv != CKR_DEVICE_ERROR) { + /* try hand Unwrapping */ + symKey = pk11_HandUnwrap(slot, wrappingKey, &mechanism, wrappedKey, + target, keyTemplate, templateCount, + keySize, wincx, NULL, isPerm); + } + } + + return symKey; +} + +/* use a symetric key to unwrap another symetric key */ +PK11SymKey * +PK11_UnwrapSymKey(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize) +{ + return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID, + wrapType, param, wrappedKey, target, operation, keySize, + wrappingKey->cx, NULL, 0, PR_FALSE); +} + +/* use a symetric key to unwrap another symetric key */ +PK11SymKey * +PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags) +{ + CK_BBOOL ckTrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; + + templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue); + return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID, + wrapType, param, wrappedKey, target, operation, keySize, + wrappingKey->cx, keyTemplate, templateCount, PR_FALSE); +} + +PK11SymKey * +PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey, + CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, + int keySize, CK_FLAGS flags, PRBool isPerm) +{ + CK_BBOOL cktrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs; + unsigned int templateCount; + + attrs = keyTemplate; + if (isPerm) { + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); + attrs++; + } + templateCount = attrs - keyTemplate; + templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); + + return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID, + wrapType, param, wrappedKey, target, operation, keySize, + wrappingKey->cx, keyTemplate, templateCount, isPerm); +} + +/* unwrap a symmetric key with a private key. Only supports CKM_RSA_PKCS. */ +PK11SymKey * +PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize) +{ + CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType); + + return PK11_PubUnwrapSymKeyWithMechanism(wrappingKey, wrapType, NULL, + wrappedKey, target, operation, + keySize); +} + +/* unwrap a symmetric key with a private key with the given parameters. */ +PK11SymKey * +PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *wrappingKey, + CK_MECHANISM_TYPE mechType, SECItem *param, + SECItem *wrappedKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize) +{ + PK11SlotInfo *slot = wrappingKey->pkcs11Slot; + + if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, wrappingKey->wincx); + } + + return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, mechType, param, + wrappedKey, target, operation, keySize, + wrappingKey->wincx, NULL, 0, PR_FALSE); +} + +/* unwrap a symetric key with a private key. */ +PK11SymKey * +PK11_PubUnwrapSymKeyWithFlags(SECKEYPrivateKey *wrappingKey, + SECItem *wrappedKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags) +{ + CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType); + CK_BBOOL ckTrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; + PK11SlotInfo *slot = wrappingKey->pkcs11Slot; + + templateCount = pk11_OpFlagsToAttributes(flags, keyTemplate, &ckTrue); + + if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, wrappingKey->wincx); + } + + return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, + wrapType, NULL, wrappedKey, target, operation, keySize, + wrappingKey->wincx, keyTemplate, templateCount, PR_FALSE); +} + +PK11SymKey * +PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, + SECItem *wrappedKey, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, + CK_FLAGS flags, PRBool isPerm) +{ + CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType); + CK_BBOOL cktrue = CK_TRUE; + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + CK_ATTRIBUTE *attrs; + unsigned int templateCount; + PK11SlotInfo *slot = wrappingKey->pkcs11Slot; + + attrs = keyTemplate; + if (isPerm) { + PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL)); + attrs++; + } + templateCount = attrs - keyTemplate; + + templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue); + + if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) { + PK11_HandlePasswordCheck(slot, wrappingKey->wincx); + } + + return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, + wrapType, NULL, wrappedKey, target, operation, keySize, + wrappingKey->wincx, keyTemplate, templateCount, isPerm); +} + +PK11SymKey * +PK11_CopySymKeyForSigning(PK11SymKey *originalKey, CK_MECHANISM_TYPE mech) +{ + CK_RV crv; + CK_ATTRIBUTE setTemplate; + CK_BBOOL ckTrue = CK_TRUE; + PK11SlotInfo *slot = originalKey->slot; + + /* first just try to set this key up for signing */ + PK11_SETATTRS(&setTemplate, CKA_SIGN, &ckTrue, sizeof(ckTrue)); + pk11_EnterKeyMonitor(originalKey); + crv = PK11_GETTAB(slot)->C_SetAttributeValue(originalKey->session, + originalKey->objectID, &setTemplate, 1); + pk11_ExitKeyMonitor(originalKey); + if (crv == CKR_OK) { + return PK11_ReferenceSymKey(originalKey); + } + + /* nope, doesn't like it, use the pk11 copy object command */ + return pk11_CopyToSlot(slot, mech, CKA_SIGN, originalKey); +} + +void +PK11_SetFortezzaHack(PK11SymKey *symKey) +{ + symKey->origin = PK11_OriginFortezzaHack; +} + +/* + * This is required to allow FORTEZZA_NULL and FORTEZZA_RC4 + * working. This function simply gets a valid IV for the keys. + */ +SECStatus +PK11_GenerateFortezzaIV(PK11SymKey *symKey, unsigned char *iv, int len) +{ + CK_MECHANISM mech_info; + CK_ULONG count = 0; + CK_RV crv; + SECStatus rv = SECFailure; + + mech_info.mechanism = CKM_SKIPJACK_CBC64; + mech_info.pParameter = iv; + mech_info.ulParameterLen = len; + + /* generate the IV for fortezza */ + PK11_EnterSlotMonitor(symKey->slot); + crv = PK11_GETTAB(symKey->slot)->C_EncryptInit(symKey->slot->session, &mech_info, symKey->objectID); + if (crv == CKR_OK) { + PK11_GETTAB(symKey->slot)->C_EncryptFinal(symKey->slot->session, NULL, &count); + rv = SECSuccess; + } + PK11_ExitSlotMonitor(symKey->slot); + return rv; +} + +CK_OBJECT_HANDLE +PK11_GetSymKeyHandle(PK11SymKey *symKey) +{ + return symKey->objectID; +} + +static CK_ULONG +pk11_KyberCiphertextLength(SECKEYKyberPublicKey *pubKey) +{ + switch (pubKey->params) { + case params_kyber768_round3: + case params_kyber768_round3_test_mode: + return KYBER768_CIPHERTEXT_BYTES; + default: + // unreachable + return 0; + } +} + +static CK_ULONG +pk11_KEMCiphertextLength(SECKEYPublicKey *pubKey) +{ + switch (pubKey->keyType) { + case kyberKey: + return pk11_KyberCiphertextLength(&pubKey->u.kyber); + default: + // unreachable + PORT_Assert(0); + return 0; + } +} + +SECStatus +PK11_Encapsulate(SECKEYPublicKey *pubKey, CK_MECHANISM_TYPE target, PK11AttrFlags attrFlags, CK_FLAGS opFlags, PK11SymKey **outKey, SECItem **outCiphertext) +{ + PORT_Assert(pubKey); + PORT_Assert(outKey); + PORT_Assert(outCiphertext); + + PK11SlotInfo *slot = pubKey->pkcs11Slot; + + PK11SymKey *sharedSecret = NULL; + SECItem *ciphertext = NULL; + + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; + + CK_ATTRIBUTE *attrs; + CK_BBOOL cktrue = CK_TRUE; + CK_BBOOL ckfalse = CK_FALSE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + + CK_INTERFACE_PTR KEMInterface = NULL; + CK_UTF8CHAR_PTR KEMInterfaceName = (CK_UTF8CHAR_PTR) "Vendor NSS KEM Interface"; + CK_VERSION KEMInterfaceVersion = { 1, 0 }; + CK_NSS_KEM_FUNCTIONS *KEMInterfaceFunctions = NULL; + + CK_RV crv; + + *outKey = NULL; + *outCiphertext = NULL; + + CK_MECHANISM_TYPE kemType; + switch (pubKey->keyType) { + case kyberKey: + kemType = CKM_NSS_KYBER; + break; + default: + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + CK_NSS_KEM_PARAMETER_SET_TYPE kemParameterSet = PK11_ReadULongAttribute(slot, pubKey->pkcs11ID, CKA_NSS_PARAMETER_SET); + CK_MECHANISM mech = { kemType, &kemParameterSet, sizeof(kemParameterSet) }; + + sharedSecret = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, NULL); + if (sharedSecret == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + sharedSecret->origin = PK11_OriginGenerated; + + attrs = keyTemplate; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + + attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse); + attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue); + + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + crv = PK11_GETTAB(slot)->C_GetInterface(KEMInterfaceName, &KEMInterfaceVersion, &KEMInterface, 0); + if (crv != CKR_OK) { + goto error; + } + KEMInterfaceFunctions = (CK_NSS_KEM_FUNCTIONS *)(KEMInterface->pFunctionList); + + CK_ULONG ciphertextLen = pk11_KEMCiphertextLength(pubKey); + ciphertext = SECITEM_AllocItem(NULL, NULL, ciphertextLen); + if (ciphertext == NULL) { + crv = CKR_HOST_MEMORY; + goto error; + } + + pk11_EnterKeyMonitor(sharedSecret); + crv = KEMInterfaceFunctions->C_Encapsulate(sharedSecret->session, + &mech, + pubKey->pkcs11ID, + keyTemplate, + templateCount, + &sharedSecret->objectID, + ciphertext->data, + &ciphertextLen); + pk11_ExitKeyMonitor(sharedSecret); + if (crv != CKR_OK) { + goto error; + } + + PORT_Assert(ciphertextLen == ciphertext->len); + + *outKey = sharedSecret; + *outCiphertext = ciphertext; + + return SECSuccess; + +error: + PORT_SetError(PK11_MapError(crv)); + PK11_FreeSymKey(sharedSecret); + SECITEM_FreeItem(ciphertext, PR_TRUE); + return SECFailure; +} + +SECStatus +PK11_Decapsulate(SECKEYPrivateKey *privKey, const SECItem *ciphertext, CK_MECHANISM_TYPE target, PK11AttrFlags attrFlags, CK_FLAGS opFlags, PK11SymKey **outKey) +{ + PORT_Assert(privKey); + PORT_Assert(ciphertext); + PORT_Assert(outKey); + + PK11SlotInfo *slot = privKey->pkcs11Slot; + + PK11SymKey *sharedSecret; + + CK_ATTRIBUTE keyTemplate[MAX_TEMPL_ATTRS]; + unsigned int templateCount; + + CK_ATTRIBUTE *attrs; + CK_BBOOL cktrue = CK_TRUE; + CK_BBOOL ckfalse = CK_FALSE; + CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + + CK_INTERFACE_PTR KEMInterface = NULL; + CK_UTF8CHAR_PTR KEMInterfaceName = (CK_UTF8CHAR_PTR) "Vendor NSS KEM Interface"; + CK_VERSION KEMInterfaceVersion = { 1, 0 }; + CK_NSS_KEM_FUNCTIONS *KEMInterfaceFunctions = NULL; + + CK_RV crv; + + *outKey = NULL; + + CK_MECHANISM_TYPE kemType; + switch (privKey->keyType) { + case kyberKey: + kemType = CKM_NSS_KYBER; + break; + default: + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + CK_NSS_KEM_PARAMETER_SET_TYPE kemParameterSet = PK11_ReadULongAttribute(slot, privKey->pkcs11ID, CKA_NSS_PARAMETER_SET); + CK_MECHANISM mech = { kemType, &kemParameterSet, sizeof(kemParameterSet) }; + + sharedSecret = pk11_CreateSymKey(slot, target, PR_TRUE, PR_TRUE, NULL); + if (sharedSecret == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + sharedSecret->origin = PK11_OriginUnwrap; + + attrs = keyTemplate; + PK11_SETATTRS(attrs, CKA_CLASS, &keyClass, sizeof(keyClass)); + attrs++; + + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &keyType, sizeof(keyType)); + attrs++; + + attrs += pk11_AttrFlagsToAttributes(attrFlags, attrs, &cktrue, &ckfalse); + attrs += pk11_OpFlagsToAttributes(opFlags, attrs, &cktrue); + + templateCount = attrs - keyTemplate; + PR_ASSERT(templateCount <= sizeof(keyTemplate) / sizeof(CK_ATTRIBUTE)); + + crv = PK11_GETTAB(slot)->C_GetInterface(KEMInterfaceName, &KEMInterfaceVersion, &KEMInterface, 0); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + goto error; + } + KEMInterfaceFunctions = (CK_NSS_KEM_FUNCTIONS *)(KEMInterface->pFunctionList); + + pk11_EnterKeyMonitor(sharedSecret); + crv = KEMInterfaceFunctions->C_Decapsulate(sharedSecret->session, + &mech, + privKey->pkcs11ID, + ciphertext->data, + ciphertext->len, + keyTemplate, + templateCount, + &sharedSecret->objectID); + pk11_ExitKeyMonitor(sharedSecret); + if (crv != CKR_OK) { + goto error; + } + + *outKey = sharedSecret; + return SECSuccess; + +error: + PK11_FreeSymKey(sharedSecret); + return SECFailure; +} -- cgit v1.2.3