Diffstat (limited to 'security/nss/lib/cryptohi')
-rw-r--r--security/nss/lib/cryptohi/cryptohi.h2
-rw-r--r--security/nss/lib/cryptohi/key.h6
-rw-r--r--security/nss/lib/cryptohi/keyi.h17
-rw-r--r--security/nss/lib/cryptohi/keyt.h4
-rw-r--r--security/nss/lib/cryptohi/seckey.c104
-rw-r--r--security/nss/lib/cryptohi/secsign.c11
-rw-r--r--security/nss/lib/cryptohi/secvfy.c52
7 files changed, 111 insertions, 85 deletions
diff --git a/security/nss/lib/cryptohi/cryptohi.h b/security/nss/lib/cryptohi/cryptohi.h
index e529fa34f..7b66f0b0b 100644
--- a/security/nss/lib/cryptohi/cryptohi.h
+++ b/security/nss/lib/cryptohi/cryptohi.h
@@ -14,7 +14,7 @@
#include "secoidt.h"
#include "secdert.h"
#include "cryptoht.h"
-#include "keyt.h"
+#include "keythi.h"
#include "certt.h"
SEC_BEGIN_PROTOS
diff --git a/security/nss/lib/cryptohi/key.h b/security/nss/lib/cryptohi/key.h
index 3e89b74cb..8392031c5 100644
--- a/security/nss/lib/cryptohi/key.h
+++ b/security/nss/lib/cryptohi/key.h
@@ -2,11 +2,13 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* This header is deprecated. Please include keyhi.h instead. */
-
#ifndef _KEY_H_
#define _KEY_H_
+#if defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__)
+#pragma message("key.h is deprecated. Please include keyhi.h instead.")
+#endif
+
#include "keyhi.h"
#endif /* _KEY_H_ */
diff --git a/security/nss/lib/cryptohi/keyi.h b/security/nss/lib/cryptohi/keyi.h
index ee11fc905..b746d3c8d 100644
--- a/security/nss/lib/cryptohi/keyi.h
+++ b/security/nss/lib/cryptohi/keyi.h
@@ -17,8 +17,21 @@ KeyType seckey_GetKeyType(SECOidTag pubKeyOid);
SECStatus sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg);
-SECStatus sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
- const SECKEYRSAPSSParams *params);
+/* extract the RSA-PSS hash algorithms and salt length from
+ * parameters, taking into account of the default implications.
+ *
+ * (parameters is the parameters field of a algorithm ID structure
+ * (SECAlgorithmID)*/
+SECStatus sec_DecodeRSAPSSParams(PLArenaPool *arena,
+ const SECItem *params,
+ SECOidTag *hashAlg,
+ SECOidTag *maskHashAlg,
+ unsigned long *saltLength);
+
+/* convert the encoded RSA-PSS parameters into PKCS #11 mechanism parameters */
+SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
+ const SECItem *params,
+ CK_RSA_PKCS_PSS_PARAMS *mech);
SEC_END_PROTOS
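Review bot: The comment on `sec_DecodeRSAPSSParams` leaves out the parts of the contract that callers depend on. The implementation in seckey.c guards each of `hashAlg`, `maskHashAlg` and `saltLength` with a NULL test and writes them only after every decode step has succeeded, and secvfy.c already passes NULL for two of them. I would extend the comment with something like `/* Any of the output pointers may be NULL. Outputs are written only when SECSuccess is returned. */`. The existing wording also needs a touch-up: "taking into account of the default implications" reads better as "applying the defaults for absent fields", and the closing parenthesis before `*/` is unbalanced.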
diff --git a/security/nss/lib/cryptohi/keyt.h b/security/nss/lib/cryptohi/keyt.h
index 99da312f6..5a0d2c2e7 100644
--- a/security/nss/lib/cryptohi/keyt.h
+++ b/security/nss/lib/cryptohi/keyt.h
@@ -5,6 +5,10 @@
#ifndef _KEYT_H_
#define _KEYT_H_
+#if defined(_MSC_VER) || defined(__GNUC__) || defined(__clang__)
+#pragma message("keyt.h is deprecated. Please include keythi.h instead.")
+#endif
+
#include "keythi.h"
#endif /* _KEYT_H_ */
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 0f9353f3b..080909772 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -2015,66 +2015,63 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
}
SECStatus
-sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
- const SECKEYRSAPSSParams *params)
+sec_DecodeRSAPSSParams(PLArenaPool *arena,
+ const SECItem *params,
+ SECOidTag *retHashAlg, SECOidTag *retMaskHashAlg,
+ unsigned long *retSaltLength)
{
- SECStatus rv = SECSuccess;
- SECOidTag hashAlgTag;
+ SECKEYRSAPSSParams pssParams;
+ SECOidTag hashAlg;
+ SECOidTag maskHashAlg;
unsigned long saltLength;
unsigned long trailerField;
+ SECStatus rv;
- PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+ PORT_Memset(&pssParams, 0, sizeof(pssParams));
+ rv = SEC_QuickDERDecodeItem(arena, &pssParams,
+ SECKEY_RSAPSSParamsTemplate,
+ params);
+ if (rv != SECSuccess) {
+ return rv;
+ }
- if (params->hashAlg) {
- hashAlgTag = SECOID_GetAlgorithmTag(params->hashAlg);
+ if (pssParams.hashAlg) {
+ hashAlg = SECOID_GetAlgorithmTag(pssParams.hashAlg);
} else {
- hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
- }
- mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
- if (mech->hashAlg == CKM_INVALID_MECHANISM) {
- return SECFailure;
+ hashAlg = SEC_OID_SHA1; /* default, SHA-1 */
}
- if (params->maskAlg) {
- SECAlgorithmID maskHashAlg;
- SECOidTag maskHashAlgTag;
- PORTCheapArenaPool tmpArena;
+ if (pssParams.maskAlg) {
+ SECAlgorithmID algId;
- if (SECOID_GetAlgorithmTag(params->maskAlg) != SEC_OID_PKCS1_MGF1) {
+ if (SECOID_GetAlgorithmTag(pssParams.maskAlg) != SEC_OID_PKCS1_MGF1) {
/* only MGF1 is known to PKCS#11 */
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
- PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
- rv = SEC_QuickDERDecodeItem(&tmpArena.arena, &maskHashAlg,
+ rv = SEC_QuickDERDecodeItem(arena, &algId,
SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
- &params->maskAlg->parameters);
- PORT_DestroyCheapArena(&tmpArena);
+ &pssParams.maskAlg->parameters);
if (rv != SECSuccess) {
return rv;
}
- maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
- mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
- if (mech->mgf == 0) {
- return SECFailure;
- }
+ maskHashAlg = SECOID_GetAlgorithmTag(&algId);
} else {
- mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+ maskHashAlg = SEC_OID_SHA1; /* default, MGF1 with SHA-1 */
}
- if (params->saltLength.data) {
- rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
+ if (pssParams.saltLength.data) {
+ rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.saltLength, &saltLength);
if (rv != SECSuccess) {
return rv;
}
} else {
saltLength = 20; /* default, 20 */
}
- mech->sLen = saltLength;
- if (params->trailerField.data) {
- rv = SEC_ASN1DecodeInteger((SECItem *)&params->trailerField, &trailerField);
+ if (pssParams.trailerField.data) {
+ rv = SEC_ASN1DecodeInteger((SECItem *)&pssParams.trailerField, &trailerField);
if (rv != SECSuccess) {
return rv;
}
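Review bot: `algId` is handed to `SEC_QuickDERDecodeItem` without being cleared, although `pssParams` is zeroed with `PORT_Memset` before its own decode a few lines earlier in the same function. Only the OID is read back through `SECOID_GetAlgorithmTag`, so the impact looks limited, but any field the decoder does not populate would hold stack garbage. Adding `PORT_Memset(&algId, 0, sizeof(algId));` before the decode makes the two decode sites consistent. The function body continues into the next hunk.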
@@ -2086,5 +2083,46 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
}
}
- return rv;
+ if (retHashAlg) {
+ *retHashAlg = hashAlg;
+ }
+ if (retMaskHashAlg) {
+ *retMaskHashAlg = maskHashAlg;
+ }
+ if (retSaltLength) {
+ *retSaltLength = saltLength;
+ }
+
+ return SECSuccess;
+}
+
+SECStatus
+sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
+ const SECItem *params,
+ CK_RSA_PKCS_PSS_PARAMS *mech)
+{
+ SECOidTag hashAlg;
+ SECOidTag maskHashAlg;
+ unsigned long saltLength;
+ SECStatus rv;
+
+ rv = sec_DecodeRSAPSSParams(arena, params,
+ &hashAlg, &maskHashAlg, &saltLength);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
+ mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlg);
+ if (mech->hashAlg == CKM_INVALID_MECHANISM) {
+ return SECFailure;
+ }
+
+ mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlg);
+ if (mech->mgf == 0) {
+ return SECFailure;
+ }
+
+ mech->sLen = saltLength;
+
+ return SECSuccess;
}
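Review bot: `sec_DecodeRSAPSSParamsToMechanism` does not clear `*mech`, whereas the function it replaces began with `PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));`. SGN_End still zeroes its `mech` before the call, but the VFY_EndWithSignature hunk in secvfy.c passes a stack `mech` with no initialiser and wraps all `sizeof(mech)` bytes in `mechItem`. On success the three assigned fields are set, but any padding stays indeterminate, and a failure after the first assignment leaves the struct partly written. Restoring `PORT_Memset(mech, 0, sizeof(*mech));` as the first statement keeps the old contract for every caller.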
diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c
index dc10f2fa6..8a8d0f664 100644
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@@ -225,22 +225,13 @@ SGN_End(SGNContext *cx, SECItem *result)
PORT_Memset(&mech, 0, sizeof(mech));
if (cx->params && cx->params->data) {
- SECKEYRSAPSSParams params;
-
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
rv = SECFailure;
goto loser;
}
- PORT_Memset(&params, 0, sizeof(params));
- rv = SEC_QuickDERDecodeItem(arena, &params,
- SECKEY_RSAPSSParamsTemplate,
- cx->params);
- if (rv != SECSuccess) {
- goto loser;
- }
- rv = sec_RSAPSSParamsToMechanism(&mech, &params);
+ rv = sec_DecodeRSAPSSParamsToMechanism(arena, cx->params, &mech);
if (rv != SECSuccess) {
goto loser;
}
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
index 83c9c579d..aa3d6778c 100644
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -161,7 +161,7 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
return _SGN_VerifyPKCS1DigestInfo(
cx->hashAlg, digest, &pkcs1DigestInfo,
- PR_TRUE /*XXX: unsafeAllowMissingParameters*/);
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
/*
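Review bot: The argument comment still reads `/*XXX: unsafeAllowMissingParameters*/` although the value is now `PR_FALSE`, so the marker suggests an open problem that this line has just closed. `PR_FALSE /* unsafeAllowMissingParameters */` would say what the argument is without the stale flag. This flip appears to tighten which PKCS#1 DigestInfo encodings pass verification, which is a behaviour change separate from the RSA-PSS refactoring in the rest of the patch. It deserves its own mention in the commit description so it can be found when a previously accepted signature starts failing.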
@@ -257,25 +257,13 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
break;
case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
if (param && param->data) {
- SECKEYRSAPSSParams pssParam;
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- return SECFailure;
- }
- PORT_Memset(&pssParam, 0, sizeof pssParam);
- rv = SEC_QuickDERDecodeItem(arena, &pssParam,
- SECKEY_RSAPSSParamsTemplate,
- param);
- if (rv != SECSuccess) {
- PORT_FreeArena(arena, PR_FALSE);
- return rv;
- }
- if (pssParam.hashAlg) {
- *hashalg = SECOID_GetAlgorithmTag(pssParam.hashAlg);
- } else {
- *hashalg = SEC_OID_SHA1; /* default, SHA-1 */
- }
- PORT_FreeArena(arena, PR_FALSE);
+ PORTCheapArenaPool tmpArena;
+
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+ rv = sec_DecodeRSAPSSParams(&tmpArena.arena, param,
+ hashalg, NULL, NULL);
+ PORT_DestroyCheapArena(&tmpArena);
+
/* only accept hash algorithms */
if (HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */
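Review bot: The result of `sec_DecodeRSAPSSParams` is stored in `rv` but never tested before `*hashalg` is read by `HASH_GetHashTypeByOidTag`. The removed code returned as soon as the decode failed. The helper added in seckey.c writes its outputs only on success, so with malformed PSS parameters `*hashalg` holds whatever the caller left there, and a stale but valid tag would let the function carry on. Fold the check into the condition, `if (rv != SECSuccess || HASH_GetHashTypeByOidTag(*hashalg) == HASH_AlgNULL) {`, and let the comment name both error sources. The rest of sec_DecodeSigAlg lies outside the hunk.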
@@ -658,27 +646,17 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
if (cx->encAlg == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
CK_RSA_PKCS_PSS_PARAMS mech;
SECItem mechItem = { siBuffer, (unsigned char *)&mech, sizeof(mech) };
- SECKEYRSAPSSParams params;
- PLArenaPool *arena;
+ PORTCheapArenaPool tmpArena;
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- return SECFailure;
- }
-
- PORT_Memset(&params, 0, sizeof(params));
- rv = SEC_QuickDERDecodeItem(arena, &params,
- SECKEY_RSAPSSParamsTemplate,
- cx->params);
- if (rv != SECSuccess) {
- PORT_FreeArena(arena, PR_FALSE);
- return SECFailure;
- }
- rv = sec_RSAPSSParamsToMechanism(&mech, &params);
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+ rv = sec_DecodeRSAPSSParamsToMechanism(&tmpArena.arena,
+ cx->params,
+ &mech);
+ PORT_DestroyCheapArena(&tmpArena);
if (rv != SECSuccess) {
return SECFailure;
}
+
rsasig.data = cx->u.buffer;
rsasig.len = SECKEY_SignatureLen(cx->key);
if (rsasig.len == 0) {