diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/lib/dev/ckhelper.c | |
parent | Initial commit. (diff) | |
download | firefox-esr-upstream.tar.xz firefox-esr-upstream.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/lib/dev/ckhelper.c')
-rw-r--r-- | security/nss/lib/dev/ckhelper.c | 595 |
1 files changed, 595 insertions, 0 deletions
diff --git a/security/nss/lib/dev/ckhelper.c b/security/nss/lib/dev/ckhelper.c new file mode 100644 index 0000000000..8ebf58fabd --- /dev/null +++ b/security/nss/lib/dev/ckhelper.c @@ -0,0 +1,595 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "pkcs11.h" + +#ifndef DEVM_H +#include "devm.h" +#endif /* DEVM_H */ + +#ifndef CKHELPER_H +#include "ckhelper.h" +#endif /* CKHELPER_H */ + +extern const NSSError NSS_ERROR_DEVICE_ERROR; + +static const CK_BBOOL s_true = CK_TRUE; +NSS_IMPLEMENT_DATA const NSSItem + g_ck_true = { (CK_VOID_PTR)&s_true, sizeof(s_true) }; + +static const CK_BBOOL s_false = CK_FALSE; +NSS_IMPLEMENT_DATA const NSSItem + g_ck_false = { (CK_VOID_PTR)&s_false, sizeof(s_false) }; + +static const CK_OBJECT_CLASS s_class_cert = CKO_CERTIFICATE; +NSS_IMPLEMENT_DATA const NSSItem + g_ck_class_cert = { (CK_VOID_PTR)&s_class_cert, sizeof(s_class_cert) }; + +static const CK_OBJECT_CLASS s_class_pubkey = CKO_PUBLIC_KEY; +NSS_IMPLEMENT_DATA const NSSItem + g_ck_class_pubkey = { (CK_VOID_PTR)&s_class_pubkey, sizeof(s_class_pubkey) }; + +static const CK_OBJECT_CLASS s_class_privkey = CKO_PRIVATE_KEY; +NSS_IMPLEMENT_DATA const NSSItem + g_ck_class_privkey = { (CK_VOID_PTR)&s_class_privkey, sizeof(s_class_privkey) }; + +static PRBool +is_string_attribute( + CK_ATTRIBUTE_TYPE aType) +{ + PRBool isString; + switch (aType) { + case CKA_LABEL: + case CKA_NSS_EMAIL: + isString = PR_TRUE; + break; + default: + isString = PR_FALSE; + break; + } + return isString; +} + +NSS_IMPLEMENT PRStatus +nssCKObject_GetAttributes( + CK_OBJECT_HANDLE object, + CK_ATTRIBUTE_PTR obj_template, + CK_ULONG count, + NSSArena *arenaOpt, + nssSession *session, + NSSSlot *slot) +{ + nssArenaMark *mark = NULL; + CK_SESSION_HANDLE hSession; + CK_ULONG i = 0; + CK_RV ckrv; + PRStatus nssrv; + PRBool alloced = PR_FALSE; + void *epv = nssSlot_GetCryptokiEPV(slot); + hSession = session->handle; + if (arenaOpt) { + mark = nssArena_Mark(arenaOpt); + if (!mark) { + goto loser; + } + } + nssSession_EnterMonitor(session); + /* XXX kinda hacky, if the storage size is already in the first template + * item, then skip the alloc portion + */ + if (obj_template[0].ulValueLen == 0) { + /* Get the storage size needed for each attribute */ + ckrv = CKAPI(epv)->C_GetAttributeValue(hSession, + object, obj_template, count); + if (ckrv != CKR_OK && + ckrv != CKR_ATTRIBUTE_TYPE_INVALID && + ckrv != CKR_ATTRIBUTE_SENSITIVE) { + nssSession_ExitMonitor(session); + nss_SetError(NSS_ERROR_DEVICE_ERROR); + goto loser; + } + /* Allocate memory for each attribute. */ + for (i = 0; i < count; i++) { + CK_ULONG ulValueLen = obj_template[i].ulValueLen; + if (ulValueLen == 0 || ulValueLen == (CK_ULONG)-1) { + obj_template[i].pValue = NULL; + obj_template[i].ulValueLen = 0; + continue; + } + if (is_string_attribute(obj_template[i].type)) { + ulValueLen++; + } + obj_template[i].pValue = nss_ZAlloc(arenaOpt, ulValueLen); + if (!obj_template[i].pValue) { + nssSession_ExitMonitor(session); + goto loser; + } + } + alloced = PR_TRUE; + } + /* Obtain the actual attribute values. */ + ckrv = CKAPI(epv)->C_GetAttributeValue(hSession, + object, obj_template, count); + nssSession_ExitMonitor(session); + if (ckrv != CKR_OK && + ckrv != CKR_ATTRIBUTE_TYPE_INVALID && + ckrv != CKR_ATTRIBUTE_SENSITIVE) { + nss_SetError(NSS_ERROR_DEVICE_ERROR); + goto loser; + } + if (alloced && arenaOpt) { + nssrv = nssArena_Unmark(arenaOpt, mark); + if (nssrv != PR_SUCCESS) { + goto loser; + } + } + + if (count > 1 && ((ckrv == CKR_ATTRIBUTE_TYPE_INVALID) || + (ckrv == CKR_ATTRIBUTE_SENSITIVE))) { + /* old tokens would keep the length of '0' and not deal with any + * of the attributes we passed. For those tokens read them one at + * a time */ + for (i = 0; i < count; i++) { + if ((obj_template[i].ulValueLen == 0) || + (obj_template[i].ulValueLen == -1)) { + obj_template[i].ulValueLen = 0; + (void)nssCKObject_GetAttributes(object, &obj_template[i], 1, + arenaOpt, session, slot); + } + } + } + return PR_SUCCESS; +loser: + if (alloced) { + if (arenaOpt) { + /* release all arena memory allocated before the failure. */ + (void)nssArena_Release(arenaOpt, mark); + } else { + CK_ULONG j; + /* free each heap object that was allocated before the failure. */ + for (j = 0; j < i; j++) { + nss_ZFreeIf(obj_template[j].pValue); + } + } + } + return PR_FAILURE; +} + +NSS_IMPLEMENT PRStatus +nssCKObject_GetAttributeItem( + CK_OBJECT_HANDLE object, + CK_ATTRIBUTE_TYPE attribute, + NSSArena *arenaOpt, + nssSession *session, + NSSSlot *slot, + NSSItem *rvItem) +{ + CK_ATTRIBUTE attr = { 0, NULL, 0 }; + PRStatus nssrv; + attr.type = attribute; + nssrv = nssCKObject_GetAttributes(object, &attr, 1, + arenaOpt, session, slot); + if (nssrv != PR_SUCCESS) { + return nssrv; + } + rvItem->data = (void *)attr.pValue; + rvItem->size = (PRUint32)attr.ulValueLen; + return PR_SUCCESS; +} + +NSS_IMPLEMENT PRBool +nssCKObject_IsAttributeTrue( + CK_OBJECT_HANDLE object, + CK_ATTRIBUTE_TYPE attribute, + nssSession *session, + NSSSlot *slot, + PRStatus *rvStatus) +{ + CK_BBOOL bool; + CK_ATTRIBUTE_PTR attr; + CK_ATTRIBUTE atemplate = { 0, NULL, 0 }; + CK_RV ckrv; + void *epv = nssSlot_GetCryptokiEPV(slot); + attr = &atemplate; + NSS_CK_SET_ATTRIBUTE_VAR(attr, attribute, bool); + nssSession_EnterMonitor(session); + ckrv = CKAPI(epv)->C_GetAttributeValue(session->handle, object, + &atemplate, 1); + nssSession_ExitMonitor(session); + if (ckrv != CKR_OK) { + *rvStatus = PR_FAILURE; + return PR_FALSE; + } + *rvStatus = PR_SUCCESS; + return (PRBool)(bool == CK_TRUE); +} + +NSS_IMPLEMENT PRStatus +nssCKObject_SetAttributes( + CK_OBJECT_HANDLE object, + CK_ATTRIBUTE_PTR obj_template, + CK_ULONG count, + nssSession *session, + NSSSlot *slot) +{ + CK_RV ckrv; + void *epv = nssSlot_GetCryptokiEPV(slot); + nssSession_EnterMonitor(session); + ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle, object, + obj_template, count); + nssSession_ExitMonitor(session); + if (ckrv == CKR_OK) { + return PR_SUCCESS; + } else { + return PR_FAILURE; + } +} + +NSS_IMPLEMENT PRBool +nssCKObject_IsTokenObjectTemplate( + CK_ATTRIBUTE_PTR objectTemplate, + CK_ULONG otsize) +{ + CK_ULONG ul; + for (ul = 0; ul < otsize; ul++) { + if (objectTemplate[ul].type == CKA_TOKEN) { + return (*((CK_BBOOL *)objectTemplate[ul].pValue) == CK_TRUE); + } + } + return PR_FALSE; +} + +static NSSCertificateType +nss_cert_type_from_ck_attrib(CK_ATTRIBUTE_PTR attrib) +{ + CK_CERTIFICATE_TYPE ckCertType; + if (!attrib->pValue) { + /* default to PKIX */ + return NSSCertificateType_PKIX; + } + ckCertType = *((CK_ULONG *)attrib->pValue); + switch (ckCertType) { + case CKC_X_509: + return NSSCertificateType_PKIX; + default: + break; + } + return NSSCertificateType_Unknown; +} + +/* incoming pointers must be valid */ +NSS_IMPLEMENT PRStatus +nssCryptokiCertificate_GetAttributes( + nssCryptokiObject *certObject, + nssSession *sessionOpt, + NSSArena *arenaOpt, + NSSCertificateType *certTypeOpt, + NSSItem *idOpt, + NSSDER *encodingOpt, + NSSDER *issuerOpt, + NSSDER *serialOpt, + NSSDER *subjectOpt) +{ + PRStatus status; + PRUint32 i; + nssSession *session; + NSSSlot *slot; + CK_ULONG template_size; + CK_ATTRIBUTE_PTR attr; + CK_ATTRIBUTE cert_template[6]; + /* Set up a template of all options chosen by caller */ + NSS_CK_TEMPLATE_START(cert_template, attr, template_size); + if (certTypeOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_CERTIFICATE_TYPE); + } + if (idOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ID); + } + if (encodingOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE); + } + if (issuerOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_ISSUER); + } + if (serialOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SERIAL_NUMBER); + } + if (subjectOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT); + } + NSS_CK_TEMPLATE_FINISH(cert_template, attr, template_size); + if (template_size == 0) { + /* caller didn't want anything */ + return PR_SUCCESS; + } + + status = nssToken_GetCachedObjectAttributes(certObject->token, arenaOpt, + certObject, CKO_CERTIFICATE, + cert_template, template_size); + if (status != PR_SUCCESS) { + + session = sessionOpt ? sessionOpt + : nssToken_GetDefaultSession(certObject->token); + if (!session) { + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return PR_FAILURE; + } + + slot = nssToken_GetSlot(certObject->token); + status = nssCKObject_GetAttributes(certObject->handle, + cert_template, template_size, + arenaOpt, session, slot); + nssSlot_Destroy(slot); + if (status != PR_SUCCESS) { + return status; + } + } + + i = 0; + if (certTypeOpt) { + *certTypeOpt = nss_cert_type_from_ck_attrib(&cert_template[i]); + i++; + } + if (idOpt) { + NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], idOpt); + i++; + } + if (encodingOpt) { + NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], encodingOpt); + i++; + } + if (issuerOpt) { + NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], issuerOpt); + i++; + } + if (serialOpt) { + NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], serialOpt); + i++; + } + if (subjectOpt) { + NSS_CK_ATTRIBUTE_TO_ITEM(&cert_template[i], subjectOpt); + i++; + } + return PR_SUCCESS; +} + +static nssTrustLevel +get_nss_trust( + CK_TRUST ckt) +{ + nssTrustLevel t; + switch (ckt) { + case CKT_NSS_NOT_TRUSTED: + t = nssTrustLevel_NotTrusted; + break; + case CKT_NSS_TRUSTED_DELEGATOR: + t = nssTrustLevel_TrustedDelegator; + break; + case CKT_NSS_VALID_DELEGATOR: + t = nssTrustLevel_ValidDelegator; + break; + case CKT_NSS_TRUSTED: + t = nssTrustLevel_Trusted; + break; + case CKT_NSS_MUST_VERIFY_TRUST: + t = nssTrustLevel_MustVerify; + break; + case CKT_NSS_TRUST_UNKNOWN: + default: + t = nssTrustLevel_Unknown; + break; + } + return t; +} + +NSS_IMPLEMENT PRStatus +nssCryptokiTrust_GetAttributes( + nssCryptokiObject *trustObject, + nssSession *sessionOpt, + NSSItem *sha1_hash, + nssTrustLevel *serverAuth, + nssTrustLevel *clientAuth, + nssTrustLevel *codeSigning, + nssTrustLevel *emailProtection, + PRBool *stepUpApproved) +{ + PRStatus status; + NSSSlot *slot; + nssSession *session; + CK_BBOOL isToken = PR_FALSE; + /* default values if the trust is record does not exist. In the highly + * unlikely case that these change, be sure to update softoken's + * 'sftkdb_isNullTrust()' function */ + CK_BBOOL stepUp = PR_FALSE; + CK_TRUST saTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST caTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST epTrust = CKT_NSS_TRUST_UNKNOWN; + CK_TRUST csTrust = CKT_NSS_TRUST_UNKNOWN; + CK_ATTRIBUTE_PTR attr; + CK_ATTRIBUTE trust_template[7]; + CK_ATTRIBUTE_PTR sha1_hash_attr; + CK_ULONG trust_size; + + /* Use the trust object to find the trust settings */ + NSS_CK_TEMPLATE_START(trust_template, attr, trust_size); + NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TOKEN, isToken); + NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_SERVER_AUTH, saTrust); + NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CLIENT_AUTH, caTrust); + NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_EMAIL_PROTECTION, epTrust); + NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_CODE_SIGNING, csTrust); + NSS_CK_SET_ATTRIBUTE_VAR(attr, CKA_TRUST_STEP_UP_APPROVED, stepUp); + sha1_hash_attr = attr; + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CERT_SHA1_HASH, sha1_hash); + NSS_CK_TEMPLATE_FINISH(trust_template, attr, trust_size); + + status = nssToken_GetCachedObjectAttributes(trustObject->token, NULL, + trustObject, + CKO_NSS_TRUST, + trust_template, trust_size); + if (status != PR_SUCCESS) { + session = sessionOpt ? sessionOpt + : nssToken_GetDefaultSession(trustObject->token); + if (!session) { + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return PR_FAILURE; + } + + slot = nssToken_GetSlot(trustObject->token); + status = nssCKObject_GetAttributes(trustObject->handle, + trust_template, trust_size, + NULL, session, slot); + nssSlot_Destroy(slot); + if (status != PR_SUCCESS) { + return status; + } + } + + if (sha1_hash_attr->ulValueLen == -1) { + /* The trust object does not have the CKA_CERT_SHA1_HASH attribute. */ + sha1_hash_attr->ulValueLen = 0; + } + sha1_hash->size = sha1_hash_attr->ulValueLen; + *serverAuth = get_nss_trust(saTrust); + *clientAuth = get_nss_trust(caTrust); + *emailProtection = get_nss_trust(epTrust); + *codeSigning = get_nss_trust(csTrust); + *stepUpApproved = stepUp; + return PR_SUCCESS; +} + +NSS_IMPLEMENT PRStatus +nssCryptokiCRL_GetAttributes( + nssCryptokiObject *crlObject, + nssSession *sessionOpt, + NSSArena *arenaOpt, + NSSItem *encodingOpt, + NSSItem *subjectOpt, + CK_ULONG *crl_class, + NSSUTF8 **urlOpt, + PRBool *isKRLOpt) +{ + PRStatus status; + NSSSlot *slot; + nssSession *session; + CK_ATTRIBUTE_PTR attr; + CK_ATTRIBUTE crl_template[7]; + CK_ULONG crl_size; + PRUint32 i; + + NSS_CK_TEMPLATE_START(crl_template, attr, crl_size); + if (crl_class) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_CLASS); + } + if (encodingOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_VALUE); + } + if (urlOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_URL); + } + if (isKRLOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_NSS_KRL); + } + if (subjectOpt) { + NSS_CK_SET_ATTRIBUTE_NULL(attr, CKA_SUBJECT); + } + NSS_CK_TEMPLATE_FINISH(crl_template, attr, crl_size); + + status = nssToken_GetCachedObjectAttributes(crlObject->token, NULL, + crlObject, + CKO_NSS_CRL, + crl_template, crl_size); + if (status != PR_SUCCESS) { + session = sessionOpt ? sessionOpt + : nssToken_GetDefaultSession(crlObject->token); + if (session == NULL) { + nss_SetError(NSS_ERROR_INVALID_ARGUMENT); + return PR_FAILURE; + } + + slot = nssToken_GetSlot(crlObject->token); + status = nssCKObject_GetAttributes(crlObject->handle, + crl_template, crl_size, + arenaOpt, session, slot); + nssSlot_Destroy(slot); + if (status != PR_SUCCESS) { + return status; + } + } + + i = 0; + if (crl_class) { + NSS_CK_ATTRIBUTE_TO_ULONG(&crl_template[i], *crl_class); + i++; + } + if (encodingOpt) { + NSS_CK_ATTRIBUTE_TO_ITEM(&crl_template[i], encodingOpt); + i++; + } + if (urlOpt) { + NSS_CK_ATTRIBUTE_TO_UTF8(&crl_template[i], *urlOpt); + i++; + } + if (isKRLOpt) { + NSS_CK_ATTRIBUTE_TO_BOOL(&crl_template[i], *isKRLOpt); + i++; + } + if (subjectOpt) { + NSS_CK_ATTRIBUTE_TO_ITEM(&crl_template[i], subjectOpt); + i++; + } + return PR_SUCCESS; +} + +NSS_IMPLEMENT PRStatus +nssCryptokiPrivateKey_SetCertificate( + nssCryptokiObject *keyObject, + nssSession *sessionOpt, + const NSSUTF8 *nickname, + NSSItem *id, + NSSDER *subject) +{ + CK_RV ckrv; + CK_ATTRIBUTE_PTR attr; + CK_ATTRIBUTE key_template[3]; + CK_ULONG key_size; + void *epv = nssToken_GetCryptokiEPV(keyObject->token); + nssSession *session; + NSSToken *token = keyObject->token; + nssSession *defaultSession = nssToken_GetDefaultSession(token); + PRBool createdSession = PR_FALSE; + + NSS_CK_TEMPLATE_START(key_template, attr, key_size); + NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname); + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id); + NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_SUBJECT, subject); + NSS_CK_TEMPLATE_FINISH(key_template, attr, key_size); + + if (sessionOpt) { + if (!nssSession_IsReadWrite(sessionOpt)) { + return PR_FAILURE; + } + session = sessionOpt; + } else if (defaultSession && nssSession_IsReadWrite(defaultSession)) { + session = defaultSession; + } else { + NSSSlot *slot = nssToken_GetSlot(token); + session = nssSlot_CreateSession(token->slot, NULL, PR_TRUE); + nssSlot_Destroy(slot); + if (!session) { + return PR_FAILURE; + } + createdSession = PR_TRUE; + } + + ckrv = CKAPI(epv)->C_SetAttributeValue(session->handle, + keyObject->handle, + key_template, + key_size); + + if (createdSession) { + nssSession_Destroy(session); + } + + return (ckrv == CKR_OK) ? PR_SUCCESS : PR_FAILURE; +} |