diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/lib/pk11wrap/pk11kea.c | |
parent | Initial commit. (diff) | |
download | firefox-esr-upstream.tar.xz firefox-esr-upstream.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | security/nss/lib/pk11wrap/pk11kea.c | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/security/nss/lib/pk11wrap/pk11kea.c b/security/nss/lib/pk11wrap/pk11kea.c new file mode 100644 index 0000000000..805e486518 --- /dev/null +++ b/security/nss/lib/pk11wrap/pk11kea.c @@ -0,0 +1,141 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* + * This file implements the Symkey wrapper and the PKCS context + * Interfaces. + */ + +#include <stddef.h> + +#include "seccomon.h" +#include "secmod.h" +#include "nssilock.h" +#include "secmodi.h" +#include "secmodti.h" +#include "pkcs11.h" +#include "pk11func.h" +#include "secitem.h" +#include "keyhi.h" +#include "secasn1.h" +#include "sechash.h" +#include "cert.h" +#include "secerr.h" + +/* + * find an RSA public key on a card + */ +static CK_OBJECT_HANDLE +pk11_FindRSAPubKey(PK11SlotInfo *slot) +{ + CK_KEY_TYPE key_type = CKK_RSA; + CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY; + CK_ATTRIBUTE theTemplate[2]; + size_t template_count = sizeof(theTemplate) / sizeof(theTemplate[0]); + CK_ATTRIBUTE *attrs = theTemplate; + + PK11_SETATTRS(attrs, CKA_CLASS, &class_type, sizeof(class_type)); + attrs++; + PK11_SETATTRS(attrs, CKA_KEY_TYPE, &key_type, sizeof(key_type)); + attrs++; + template_count = attrs - theTemplate; + PR_ASSERT(template_count <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)); + + return pk11_FindObjectByTemplate(slot, theTemplate, template_count); +} + +PK11SymKey * +pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, + PRBool isPerm, PK11SymKey *symKey) +{ + PK11SymKey *newSymKey = NULL; + SECStatus rv; + /* performance improvement can go here --- use a generated key at startup + * to generate a per token wrapping key. If it exists, use it, otherwise + * do a full key exchange. */ + + /* find a common Key Exchange algorithm */ + /* RSA */ + if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && + PK11_DoesMechanism(slot, CKM_RSA_PKCS)) { + CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE; + CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE; + SECKEYPublicKey *pubKey = NULL; + SECKEYPrivateKey *privKey = NULL; + SECItem wrapData; + unsigned int symKeyLength = PK11_GetKeyLength(symKey); + + wrapData.data = NULL; + + /* find RSA Public Key on target */ + pubKeyHandle = pk11_FindRSAPubKey(slot); + if (pubKeyHandle != CK_INVALID_HANDLE) { + privKeyHandle = PK11_MatchItem(slot, pubKeyHandle, CKO_PRIVATE_KEY); + } + + /* if no key exists, generate a key pair */ + if (privKeyHandle == CK_INVALID_HANDLE) { + PK11RSAGenParams rsaParams; + + if (symKeyLength > 120) /* bytes */ { + /* we'd have to generate an RSA key pair > 1024 bits long, + ** and that's too costly. Don't even try. + */ + PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY); + goto rsa_failed; + } + rsaParams.keySizeInBits = 1024; + rsaParams.pe = 0x10001; + privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, + &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx); + } else { + /* if keys exist, build SECKEY data structures for them */ + privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, privKeyHandle, + symKey->cx); + if (privKey != NULL) { + pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle); + if (pubKey && pubKey->pkcs11Slot) { + PK11_FreeSlot(pubKey->pkcs11Slot); + pubKey->pkcs11Slot = NULL; + pubKey->pkcs11ID = CK_INVALID_HANDLE; + } + } + } + if (privKey == NULL) + goto rsa_failed; + if (pubKey == NULL) + goto rsa_failed; + + wrapData.len = SECKEY_PublicKeyStrength(pubKey); + if (!wrapData.len) + goto rsa_failed; + wrapData.data = PORT_Alloc(wrapData.len); + if (wrapData.data == NULL) + goto rsa_failed; + + /* now wrap the keys in and out */ + rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData); + if (rv == SECSuccess) { + newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey, + &wrapData, type, operation, + symKeyLength, flags, isPerm); + /* make sure we wound up where we wanted to be! */ + if (newSymKey && newSymKey->slot != slot) { + PK11_FreeSymKey(newSymKey); + newSymKey = NULL; + } + } + rsa_failed: + if (wrapData.data != NULL) + PORT_Free(wrapData.data); + if (privKey != NULL) + SECKEY_DestroyPrivateKey(privKey); + if (pubKey != NULL) + SECKEY_DestroyPublicKey(pubKey); + + return newSymKey; + } + PORT_SetError(SEC_ERROR_NO_MODULE); + return NULL; +} |