| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| /* |
| * This file implements the Symkey wrapper and the PKCS context |
| * Interfaces. |
| */ |
| |
| #include <stddef.h> |
| |
| #include "seccomon.h" |
| #include "secmod.h" |
| #include "nssilock.h" |
| #include "secmodi.h" |
| #include "secmodti.h" |
| #include "pkcs11.h" |
| #include "pk11func.h" |
| #include "secitem.h" |
| #include "keyhi.h" |
| #include "secasn1.h" |
| #include "sechash.h" |
| #include "cert.h" |
| #include "secerr.h" |
| |
| /* |
| * find an RSA public key on a card |
| */ |
| static CK_OBJECT_HANDLE |
| pk11_FindRSAPubKey(PK11SlotInfo *slot) |
| { |
| CK_KEY_TYPE key_type = CKK_RSA; |
| CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY; |
| CK_ATTRIBUTE theTemplate[2]; |
| size_t template_count = sizeof(theTemplate) / sizeof(theTemplate[0]); |
| CK_ATTRIBUTE *attrs = theTemplate; |
| |
| PK11_SETATTRS(attrs, CKA_CLASS, &class_type, sizeof(class_type)); |
| attrs++; |
| PK11_SETATTRS(attrs, CKA_KEY_TYPE, &key_type, sizeof(key_type)); |
| attrs++; |
| template_count = attrs - theTemplate; |
| PR_ASSERT(template_count <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)); |
| |
| return pk11_FindObjectByTemplate(slot, theTemplate, template_count); |
| } |
| |
| PK11SymKey * |
| pk11_KeyExchange(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, |
| CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, |
| PRBool isPerm, PK11SymKey *symKey) |
| { |
| PK11SymKey *newSymKey = NULL; |
| SECStatus rv; |
| /* performance improvement can go here --- use a generated key at startup |
| * to generate a per token wrapping key. If it exists, use it, otherwise |
| * do a full key exchange. */ |
| |
| /* find a common Key Exchange algorithm */ |
| /* RSA */ |
| if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && |
| PK11_DoesMechanism(slot, CKM_RSA_PKCS)) { |
| CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE; |
| CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE; |
| SECKEYPublicKey *pubKey = NULL; |
| SECKEYPrivateKey *privKey = NULL; |
| SECItem wrapData; |
| unsigned int symKeyLength = PK11_GetKeyLength(symKey); |
| |
| wrapData.data = NULL; |
| |
| /* find RSA Public Key on target */ |
| pubKeyHandle = pk11_FindRSAPubKey(slot); |
| if (pubKeyHandle != CK_INVALID_HANDLE) { |
| privKeyHandle = PK11_MatchItem(slot, pubKeyHandle, CKO_PRIVATE_KEY); |
| } |
| |
| /* if no key exists, generate a key pair */ |
| if (privKeyHandle == CK_INVALID_HANDLE) { |
| PK11RSAGenParams rsaParams; |
| |
| if (symKeyLength > 53) /* bytes */ { |
| /* we'd have to generate an RSA key pair > 512 bits long, |
| ** and that's too costly. Don't even try. |
| */ |
| PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY); |
| goto rsa_failed; |
| } |
| rsaParams.keySizeInBits = |
| (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256; |
| rsaParams.pe = 0x10001; |
| privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, |
| &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx); |
| } else { |
| /* if keys exist, build SECKEY data structures for them */ |
| privKey = PK11_MakePrivKey(slot, nullKey, PR_TRUE, privKeyHandle, |
| symKey->cx); |
| if (privKey != NULL) { |
| pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle); |
| if (pubKey && pubKey->pkcs11Slot) { |
| PK11_FreeSlot(pubKey->pkcs11Slot); |
| pubKey->pkcs11Slot = NULL; |
| pubKey->pkcs11ID = CK_INVALID_HANDLE; |
| } |
| } |
| } |
| if (privKey == NULL) |
| goto rsa_failed; |
| if (pubKey == NULL) |
| goto rsa_failed; |
| |
| wrapData.len = SECKEY_PublicKeyStrength(pubKey); |
| if (!wrapData.len) |
| goto rsa_failed; |
| wrapData.data = PORT_Alloc(wrapData.len); |
| if (wrapData.data == NULL) |
| goto rsa_failed; |
| |
| /* now wrap the keys in and out */ |
| rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData); |
| if (rv == SECSuccess) { |
| newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey, |
| &wrapData, type, operation, |
| symKeyLength, flags, isPerm); |
| /* make sure we wound up where we wanted to be! */ |
| if (newSymKey && newSymKey->slot != slot) { |
| PK11_FreeSymKey(newSymKey); |
| newSymKey = NULL; |
| } |
| } |
| rsa_failed: |
| if (wrapData.data != NULL) |
| PORT_Free(wrapData.data); |
| if (privKey != NULL) |
| SECKEY_DestroyPrivateKey(privKey); |
| if (pubKey != NULL) |
| SECKEY_DestroyPublicKey(pubKey); |
| |
| return newSymKey; |
| } |
| PORT_SetError(SEC_ERROR_NO_MODULE); |
| return NULL; |
| } |