/src/nss/lib/pk11wrap/pk11kea.c

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * This file implements the Symkey wrapper and the PKCS context
 * Interfaces.
 */

#include <stddef.h>

#include "seccomon.h"
#include "secmod.h"
#include "nssilock.h"
#include "secmodi.h"
#include "secmodti.h"
#include "pkcs11.h"
#include "pk11func.h"
#include "secitem.h"
#include "keyhi.h"
#include "secasn1.h"
#include "sechash.h"
#include "cert.h"
#include "secerr.h"

/*
 * find an RSA public key on a card
 */
static CK_OBJECT_HANDLE
pk11_FindRSAPubKey(PK11SlotInfo *slot)
{
    CK_KEY_TYPE key_type = CKK_RSA;
    CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY;
    CK_ATTRIBUTE theTemplate[2];
    size_t template_count = sizeof(theTemplate) / sizeof(theTemplate[0]);
    CK_ATTRIBUTE *attrs = theTemplate;

    PK11_SETATTRS(attrs, CKA_CLASS, &class_type, sizeof(class_type));
    attrs++;
    PK11_SETATTRS(attrs, CKA_KEY_TYPE, &key_type, sizeof(key_type));
    attrs++;
    template_count = attrs - theTemplate;
    PR_ASSERT(template_count <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));

    return pk11_FindObjectByTemplate(slot, theTemplate, template_count);
}

PK11SymKey *
pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                 CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags,
                 PRBool isPerm, PK11SymKey *symKey)
{
    PK11SymKey *newSymKey = NULL;
    SECStatus rv;
    /* performance improvement can go here --- use a generated key at startup
     * to generate a per token wrapping key. If it exists, use it, otherwise
     * do a full key exchange. */

    /* find a common Key Exchange algorithm */
    /* RSA */
    if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) &&
        PK11_DoesMechanism(slot, CKM_RSA_PKCS)) {
        CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE;
        CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE;
        SECKEYPublicKey *pubKey = NULL;
        SECKEYPrivateKey *privKey = NULL;
        SECItem wrapData;
        unsigned int symKeyLength = PK11_GetKeyLength(symKey);

        wrapData.data = NULL;

        /* find RSA Public Key on target */
        pubKeyHandle = pk11_FindRSAPubKey(slot);
        if (pubKeyHandle != CK_INVALID_HANDLE) {
            privKeyHandle = PK11_MatchItem(slot, pubKeyHandle, CKO_PRIVATE_KEY);
        }

        /* if no key exists, generate a key pair */
        if (privKeyHandle == CK_INVALID_HANDLE) {
            PK11RSAGenParams rsaParams;

            if (symKeyLength > 120) /* bytes */ {
                /* we'd have to generate an RSA key pair > 1024 bits long,
                ** and that's too costly.  Don't even try.
                */
                PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
                goto rsa_failed;
            }
            rsaParams.keySizeInBits = 1024;
            rsaParams.pe = 0x10001;
            privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
                                           &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
        } else {
            /* if keys exist, build SECKEY data structures for them */
            privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, privKeyHandle,
                                       symKey->cx);
            if (privKey != NULL) {
                pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle);
                if (pubKey && pubKey->pkcs11Slot) {
                    PK11_FreeSlot(pubKey->pkcs11Slot);
                    pubKey->pkcs11Slot = NULL;
                    pubKey->pkcs11ID = CK_INVALID_HANDLE;
                }
            }
        }
        if (privKey == NULL)
            goto rsa_failed;
        if (pubKey == NULL)
            goto rsa_failed;

        wrapData.len = SECKEY_PublicKeyStrength(pubKey);
        if (!wrapData.len)
            goto rsa_failed;
        wrapData.data = PORT_Alloc(wrapData.len);
        if (wrapData.data == NULL)
            goto rsa_failed;

        /* now wrap the keys in and out */
        rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData);
        if (rv == SECSuccess) {
            newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey,
                                                          &wrapData, type, operation,
                                                          symKeyLength, flags, isPerm);
            /* make sure we wound up where we wanted to be! */
            if (newSymKey && newSymKey->slot != slot) {
                PK11_FreeSymKey(newSymKey);
                newSymKey = NULL;
            }
        }
    rsa_failed:
        if (wrapData.data != NULL)
            PORT_Free(wrapData.data);
        if (privKey != NULL)
            SECKEY_DestroyPrivateKey(privKey);
        if (pubKey != NULL)
            SECKEY_DestroyPublicKey(pubKey);

        return newSymKey;
    }
    PORT_SetError(SEC_ERROR_NO_MODULE);
    return NULL;
}

Line	Count	Source (jump to first uncovered line)
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4		/*
5		* This file implements the Symkey wrapper and the PKCS context
6		* Interfaces.
7		*/
8
9		#include <stddef.h>
10
11		#include "seccomon.h"
12		#include "secmod.h"
13		#include "nssilock.h"
14		#include "secmodi.h"
15		#include "secmodti.h"
16		#include "pkcs11.h"
17		#include "pk11func.h"
18		#include "secitem.h"
19		#include "keyhi.h"
20		#include "secasn1.h"
21		#include "sechash.h"
22		#include "cert.h"
23		#include "secerr.h"
24
25		/*
26		* find an RSA public key on a card
27		*/
28		static CK_OBJECT_HANDLE
29		pk11_FindRSAPubKey(PK11SlotInfo *slot)
30	0	{
31	0	CK_KEY_TYPE key_type = CKK_RSA;
32	0	CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY;
33	0	CK_ATTRIBUTE theTemplate[2];
34	0	size_t template_count = sizeof(theTemplate) / sizeof(theTemplate[0]);
35	0	CK_ATTRIBUTE *attrs = theTemplate;
36
37	0	PK11_SETATTRS(attrs, CKA_CLASS, &class_type, sizeof(class_type));
38	0	attrs++;
39	0	PK11_SETATTRS(attrs, CKA_KEY_TYPE, &key_type, sizeof(key_type));
40	0	attrs++;
41	0	template_count = attrs - theTemplate;
42	0	PR_ASSERT(template_count <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
43
44	0	return pk11_FindObjectByTemplate(slot, theTemplate, template_count);
45	0	}
46
47		PK11SymKey *
48		pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
49		CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags,
50		PRBool isPerm, PK11SymKey *symKey)
51	0	{
52	0	PK11SymKey *newSymKey = NULL;
53	0	SECStatus rv;
54		/* performance improvement can go here --- use a generated key at startup
55		* to generate a per token wrapping key. If it exists, use it, otherwise
56		* do a full key exchange. */
57
58		/* find a common Key Exchange algorithm */
59		/* RSA */
60	0	if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) &&
61	0	PK11_DoesMechanism(slot, CKM_RSA_PKCS)) {
62	0	CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE;
63	0	CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE;
64	0	SECKEYPublicKey *pubKey = NULL;
65	0	SECKEYPrivateKey *privKey = NULL;
66	0	SECItem wrapData;
67	0	unsigned int symKeyLength = PK11_GetKeyLength(symKey);
68
69	0	wrapData.data = NULL;
70
71		/* find RSA Public Key on target */
72	0	pubKeyHandle = pk11_FindRSAPubKey(slot);
73	0	if (pubKeyHandle != CK_INVALID_HANDLE) {
74	0	privKeyHandle = PK11_MatchItem(slot, pubKeyHandle, CKO_PRIVATE_KEY);
75	0	}
76
77		/* if no key exists, generate a key pair */
78	0	if (privKeyHandle == CK_INVALID_HANDLE) {
79	0	PK11RSAGenParams rsaParams;
80
81	0	if (symKeyLength > 120) /* bytes */ {
82		/* we'd have to generate an RSA key pair > 1024 bits long,
83		** and that's too costly. Don't even try.
84		*/
85	0	PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
86	0	goto rsa_failed;
87	0	}
88	0	rsaParams.keySizeInBits = 1024;
89	0	rsaParams.pe = 0x10001;
90	0	privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
91	0	&rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
92	0	} else {
93		/* if keys exist, build SECKEY data structures for them */
94	0	privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, privKeyHandle,
95	0	symKey->cx);
96	0	if (privKey != NULL) {
97	0	pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle);
98	0	if (pubKey && pubKey->pkcs11Slot) {
99	0	PK11_FreeSlot(pubKey->pkcs11Slot);
100	0	pubKey->pkcs11Slot = NULL;
101	0	pubKey->pkcs11ID = CK_INVALID_HANDLE;
102	0	}
103	0	}
104	0	}
105	0	if (privKey == NULL)
106	0	goto rsa_failed;
107	0	if (pubKey == NULL)
108	0	goto rsa_failed;
109
110	0	wrapData.len = SECKEY_PublicKeyStrength(pubKey);
111	0	if (!wrapData.len)
112	0	goto rsa_failed;
113	0	wrapData.data = PORT_Alloc(wrapData.len);
114	0	if (wrapData.data == NULL)
115	0	goto rsa_failed;
116
117		/* now wrap the keys in and out */
118	0	rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData);
119	0	if (rv == SECSuccess) {
120	0	newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey,
121	0	&wrapData, type, operation,
122	0	symKeyLength, flags, isPerm);
123		/* make sure we wound up where we wanted to be! */
124	0	if (newSymKey && newSymKey->slot != slot) {
125	0	PK11_FreeSymKey(newSymKey);
126	0	newSymKey = NULL;
127	0	}
128	0	}
129	0	rsa_failed:
130	0	if (wrapData.data != NULL)
131	0	PORT_Free(wrapData.data);
132	0	if (privKey != NULL)
133	0	SECKEY_DestroyPrivateKey(privKey);
134	0	if (pubKey != NULL)
135	0	SECKEY_DestroyPublicKey(pubKey);
136
137	0	return newSymKey;
138	0	}
139	0	PORT_SetError(SEC_ERROR_NO_MODULE);
140	0	return NULL;
141	0	}

Coverage Report

Created: 2024-05-20 06:23