/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "ckcapi.h"
#include "nssbase.h"
/*
* ckcapi/cobject.c
*
* This file implements the NSSCKMDObject object for the
* "nss to capi objects" cryptoki module.
*/
const CK_ATTRIBUTE_TYPE certAttrs[] = {
CKA_CLASS,
CKA_TOKEN,
CKA_PRIVATE,
CKA_MODIFIABLE,
CKA_LABEL,
CKA_CERTIFICATE_TYPE,
CKA_SUBJECT,
CKA_ISSUER,
CKA_SERIAL_NUMBER,
CKA_VALUE
};
const PRUint32 certAttrsCount = NSS_CKCAPI_ARRAY_SIZE(certAttrs);
/* private keys, for now only support RSA */
const CK_ATTRIBUTE_TYPE privKeyAttrs[] = {
CKA_CLASS,
CKA_TOKEN,
CKA_PRIVATE,
CKA_MODIFIABLE,
CKA_LABEL,
CKA_KEY_TYPE,
CKA_DERIVE,
CKA_LOCAL,
CKA_SUBJECT,
CKA_SENSITIVE,
CKA_DECRYPT,
CKA_SIGN,
CKA_SIGN_RECOVER,
CKA_UNWRAP,
CKA_EXTRACTABLE,
CKA_ALWAYS_SENSITIVE,
CKA_NEVER_EXTRACTABLE,
CKA_MODULUS,
CKA_PUBLIC_EXPONENT,
};
const PRUint32 privKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(privKeyAttrs);
/* public keys, for now only support RSA */
const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = {
CKA_CLASS,
CKA_TOKEN,
CKA_PRIVATE,
CKA_MODIFIABLE,
CKA_LABEL,
CKA_KEY_TYPE,
CKA_DERIVE,
CKA_LOCAL,
CKA_SUBJECT,
CKA_ENCRYPT,
CKA_VERIFY,
CKA_VERIFY_RECOVER,
CKA_WRAP,
CKA_MODULUS,
CKA_PUBLIC_EXPONENT,
};
const PRUint32 pubKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(pubKeyAttrs);
static const CK_BBOOL ck_true = CK_TRUE;
static const CK_BBOOL ck_false = CK_FALSE;
static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509;
static const CK_KEY_TYPE ckk_rsa = CKK_RSA;
static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
static const NSSItem ckcapi_trueItem = {
(void *)&ck_true, (PRUint32)sizeof(CK_BBOOL)
};
static const NSSItem ckcapi_falseItem = {
(void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)
};
static const NSSItem ckcapi_x509Item = {
(void *)&ckc_x509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE)
};
static const NSSItem ckcapi_rsaItem = {
(void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE)
};
static const NSSItem ckcapi_certClassItem = {
(void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS)
};
static const NSSItem ckcapi_privKeyClassItem = {
(void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS)
};
static const NSSItem ckcapi_pubKeyClassItem = {
(void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS)
};
static const NSSItem ckcapi_emptyItem = {
(void *)&ck_true, 0
};
/*
* these are utilities. The chould be moved to a new utilities file.
*/
/*
* unwrap a single DER value
*/
unsigned char *
nss_ckcapi_DERUnwrap(
unsigned char *src,
unsigned int size,
unsigned int *outSize,
unsigned char **next)
{
unsigned char *start = src;
unsigned char *end = src + size;
unsigned int len = 0;
/* initialize error condition return values */
*outSize = 0;
if (next) {
*next = src;
}
if (size < 2) {
return start;
}
src++; /* skip the tag -- should check it against an expected value! */
len = (unsigned)*src++;
if (len & 0x80) {
unsigned int count = len & 0x7f;
len = 0;
if (count + 2 > size) {
return start;
}
while (count-- > 0) {
len = (len << 8) | (unsigned)*src++;
}
}
if (len + (src - start) > size) {
return start;
}
if (next) {
*next = src + len;
}
*outSize = len;
return src;
}
/*
* convert a PKCS #11 bytestrin into a CK_ULONG, the byte stream must be
* less than sizeof (CK_ULONG).
*/
CK_ULONG
nss_ckcapi_DataToInt(
NSSItem *data,
CK_RV *pError)
{
CK_ULONG value = 0;
unsigned long count = data->size;
unsigned char *dataPtr = data->data;
unsigned long size = 0;
*pError = CKR_OK;
while (count--) {
value = value << 8;
value = value + *dataPtr++;
if (size || value) {
size++;
}
}
if (size > sizeof(CK_ULONG)) {
*pError = CKR_ATTRIBUTE_VALUE_INVALID;
}
return value;
}
/*
* convert a CK_ULONG to a bytestream. Data is stored in the buffer 'buf'
* and must be at least CK_ULONG. Caller must provide buf.
*/
CK_ULONG
nss_ckcapi_IntToData(
CK_ULONG value,
NSSItem *data,
unsigned char *dataPtr,
CK_RV *pError)
{
unsigned long count = 0;
unsigned long i;
#define SHIFT ((sizeof(CK_ULONG) - 1) * 8)
PRBool first = 0;
*pError = CKR_OK;
data->data = dataPtr;
for (i = 0; i < sizeof(CK_ULONG); i++) {
unsigned char digit = (unsigned char)((value >> SHIFT) & 0xff);
value = value << 8;
/* drop leading zero bytes */
if (first && (0 == digit)) {
continue;
}
*dataPtr++ = digit;
count++;
}
data->size = count;
return count;
}
/*
* get an attribute from a template. Value is returned in NSS item.
* data for the item is owned by the template.
*/
CK_RV
nss_ckcapi_GetAttribute(
CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *template,
CK_ULONG templateSize,
NSSItem *item)
{
CK_ULONG i;
for (i = 0; i < templateSize; i++) {
if (template[i].type == type) {
item->data = template[i].pValue;
item->size = template[i].ulValueLen;
return CKR_OK;
}
}
return CKR_TEMPLATE_INCOMPLETE;
}
/*
* get an attribute which is type CK_ULONG.
*/
CK_ULONG
nss_ckcapi_GetULongAttribute(
CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *template,
CK_ULONG templateSize,
CK_RV *pError)
{
NSSItem item;
*pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
if (CKR_OK != *pError) {
return (CK_ULONG)0;
}
if (item.size != sizeof(CK_ULONG)) {
*pError = CKR_ATTRIBUTE_VALUE_INVALID;
return (CK_ULONG)0;
}
return *(CK_ULONG *)item.data;
}
/*
* get an attribute which is type CK_BBOOL.
*/
CK_BBOOL
nss_ckcapi_GetBoolAttribute(
CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *template,
CK_ULONG templateSize,
CK_RV *pError)
{
NSSItem item;
*pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
if (CKR_OK != *pError) {
return (CK_BBOOL)0;
}
if (item.size != sizeof(CK_BBOOL)) {
*pError = CKR_ATTRIBUTE_VALUE_INVALID;
return (CK_BBOOL)0;
}
return *(CK_BBOOL *)item.data;
}
/*
* get an attribute which is type CK_BBOOL.
*/
char *
nss_ckcapi_GetStringAttribute(
CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *template,
CK_ULONG templateSize,
CK_RV *pError)
{
NSSItem item;
char *str;
/* get the attribute */
*pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item);
if (CKR_OK != *pError) {
return (char *)NULL;
}
/* make sure it is null terminated */
str = nss_ZNEWARRAY(NULL, char, item.size + 1);
if ((char *)NULL == str) {
*pError = CKR_HOST_MEMORY;
return (char *)NULL;
}
nsslibc_memcpy(str, item.data, item.size);
str[item.size] = 0;
return str;
}
/*
* Return the size in bytes of a wide string, including the terminating null
* character
*/
int
nss_ckcapi_WideSize(
LPCWSTR wide)
{
DWORD size;
if ((LPWSTR)NULL == wide) {
return 0;
}
size = wcslen(wide) + 1;
return size * sizeof(WCHAR);
}
/*
* Covert a Unicode wide character string to a UTF8 string
*/
char *
nss_ckcapi_WideToUTF8(
LPCWSTR wide)
{
DWORD size;
char *buf;
if ((LPWSTR)NULL == wide) {
return (char *)NULL;
}
size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, NULL, 0, NULL, 0);
if (size == 0) {
return (char *)NULL;
}
buf = nss_ZNEWARRAY(NULL, char, size);
size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, buf, size, NULL, 0);
if (size == 0) {
nss_ZFreeIf(buf);
return (char *)NULL;
}
return buf;
}
/*
* Return a Wide String duplicated with nss allocated memory.
*/
LPWSTR
nss_ckcapi_WideDup(
LPCWSTR wide)
{
DWORD len;
LPWSTR buf;
if ((LPWSTR)NULL == wide) {
return (LPWSTR)NULL;
}
len = wcslen(wide) + 1;
buf = nss_ZNEWARRAY(NULL, WCHAR, len);
if ((LPWSTR)NULL == buf) {
return buf;
}
nsslibc_memcpy(buf, wide, len * sizeof(WCHAR));
return buf;
}
/*
* Covert a UTF8 string to Unicode wide character
*/
LPWSTR
nss_ckcapi_UTF8ToWide(
char *buf)
{
DWORD size;
LPWSTR wide;
if ((char *)NULL == buf) {
return (LPWSTR)NULL;
}
size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0);
if (size == 0) {
return (LPWSTR)NULL;
}
wide = nss_ZNEWARRAY(NULL, WCHAR, size);
size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size);
if (size == 0) {
nss_ZFreeIf(wide);
return (LPWSTR)NULL;
}
return wide;
}
/*
* keep all the knowlege of how the internalObject is laid out in this function
*
* nss_ckcapi_FetchKeyContainer
*
* fetches the Provider container and info as well as a key handle for a
* private key. If something other than a private key is passed in,
* this function fails with CKR_KEY_TYPE_INCONSISTENT
*/
NSS_EXTERN CK_RV
nss_ckcapi_FetchKeyContainer(
ckcapiInternalObject *iKey,
HCRYPTPROV *hProv,
DWORD *keySpec,
HCRYPTKEY *hKey)
{
ckcapiCertObject *co;
ckcapiKeyObject *ko;
BOOL rc, dummy;
DWORD msError;
switch (iKey->type) {
default:
case ckcapiRaw:
/* can't have raw private keys */
return CKR_KEY_TYPE_INCONSISTENT;
case ckcapiCert:
if (iKey->objClass != CKO_PRIVATE_KEY) {
/* Only private keys have private key provider handles */
return CKR_KEY_TYPE_INCONSISTENT;
}
co = &iKey->u.cert;
/* OK, get the Provider */
rc = CryptAcquireCertificatePrivateKey(co->certContext,
CRYPT_ACQUIRE_CACHE_FLAG |
CRYPT_ACQUIRE_COMPARE_KEY_FLAG,
NULL, hProv,
keySpec, &dummy);
if (!rc) {
goto loser;
}
break;
case ckcapiBareKey:
if (iKey->objClass != CKO_PRIVATE_KEY) {
/* Only private keys have private key provider handles */
return CKR_KEY_TYPE_INCONSISTENT;
}
ko = &iKey->u.key;
/* OK, get the Provider */
if (0 == ko->hProv) {
rc =
CryptAcquireContext(hProv,
ko->containerName,
ko->provName,
ko->provInfo.dwProvType, 0);
if (!rc) {
goto loser;
}
} else {
*hProv =
ko->hProv;
}
*keySpec = ko->provInfo.dwKeySpec;
break;
}
/* and get the crypto handle */
rc = CryptGetUserKey(*hProv, *keySpec, hKey);
if (!rc) {
goto loser;
}
return CKR_OK;
loser:
/* map the microsoft error before leaving */
msError = GetLastError();
switch (msError) {
case ERROR_INVALID_HANDLE:
case ERROR_INVALID_PARAMETER:
case NTE_BAD_KEY:
case NTE_NO_KEY:
case NTE_BAD_PUBLIC_KEY:
case NTE_BAD_KEYSET:
case NTE_KEYSET_NOT_DEF:
return CKR_KEY_TYPE_INCONSISTENT;
case NTE_BAD_UID:
case NTE_KEYSET_ENTRY_BAD:
return CKR_DEVICE_ERROR;
}
return CKR_GENERAL_ERROR;
}
/*
* take a DER PUBLIC Key block and return the modulus and exponent
*/
static void
ckcapi_CertPopulateModulusExponent(
ckcapiInternalObject *io)
{
ckcapiKeyParams *kp = &io->u.cert.key;
PCCERT_CONTEXT certContext = io->u.cert.certContext;
unsigned char *pkData =
certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
unsigned int size =
certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
unsigned int newSize;
unsigned char *ptr, *newptr;
/* find the start of the modulus -- this will not give good results if
* the key isn't an rsa key! */
ptr = nss_ckcapi_DERUnwrap(pkData, size, &newSize, NULL);
kp->modulus.data = nss_ckcapi_DERUnwrap(ptr, newSize,
&kp->modulus.size, &newptr);
/* changed from signed to unsigned int */
if (0 == *(char *)kp->modulus.data) {
kp->modulus.data = ((char *)kp->modulus.data) + 1;
kp->modulus.size = kp->modulus.size - 1;
}
/* changed from signed to unsigned int */
kp->exponent.data = nss_ckcapi_DERUnwrap(newptr, (newptr - ptr) + newSize,
&kp->exponent.size, NULL);
if (0 == *(char *)kp->exponent.data) {
kp->exponent.data = ((char *)kp->exponent.data) + 1;
kp->exponent.size = kp->exponent.size - 1;
}
return;
}
typedef struct _CAPI_RSA_KEY_BLOB {
PUBLICKEYSTRUC header;
RSAPUBKEY rsa;
char data[1];
} CAPI_RSA_KEY_BLOB;
#define CAPI_MODULUS_OFFSET(modSize) 0
#define CAPI_PRIME_1_OFFSET(modSize) (modSize)
#define CAPI_PRIME_2_OFFSET(modSize) ((modSize) + (modSize) / 2)
#define CAPI_EXPONENT_1_OFFSET(modSize) ((modSize)*2)
#define CAPI_EXPONENT_2_OFFSET(modSize) ((modSize)*2 + (modSize) / 2)
#define CAPI_COEFFICIENT_OFFSET(modSize) ((modSize)*3)
#define CAPI_PRIVATE_EXP_OFFSET(modSize) ((modSize)*3 + (modSize) / 2)
void
ckcapi_FetchPublicKey(
ckcapiInternalObject *io)
{
ckcapiKeyParams *kp;
HCRYPTPROV hProv;
DWORD keySpec;
HCRYPTKEY hKey = 0;
CK_RV error;
DWORD bufLen;
BOOL rc;
unsigned long modulus;
char *buf = NULL;
CAPI_RSA_KEY_BLOB *blob;
error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey);
if (CKR_OK != error) {
goto loser;
}
kp = (ckcapiCert == io->type) ? &io->u.cert.key : &io->u.key.key;
rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen);
if (!rc) {
goto loser;
}
buf = nss_ZNEWARRAY(NULL, char, bufLen);
rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen);
if (!rc) {
goto loser;
}
/* validate the blob */
blob = (CAPI_RSA_KEY_BLOB *)buf;
if ((PUBLICKEYBLOB != blob->header.bType) ||
(0x02 != blob->header.bVersion) ||
(0x31415352 != blob->rsa.magic)) {
goto loser;
}
modulus = blob->rsa.bitlen / 8;
kp->pubKey = buf;
buf = NULL;
kp->modulus.data = &blob->data[CAPI_MODULUS_OFFSET(modulus)];
kp->modulus.size = modulus;
ckcapi_ReverseData(&kp->modulus);
nss_ckcapi_IntToData(blob->rsa.pubexp, &kp->exponent,
kp->publicExponentData, &error);
loser:
nss_ZFreeIf(buf);
if (0 != hKey) {
CryptDestroyKey(hKey);
}
return;
}
void
ckcapi_FetchPrivateKey(
ckcapiInternalObject *io)
{
ckcapiKeyParams *kp;
HCRYPTPROV hProv;
DWORD keySpec;
HCRYPTKEY hKey = 0;
CK_RV error;
DWORD bufLen;
BOOL rc;
unsigned long modulus;
char *buf = NULL;
CAPI_RSA_KEY_BLOB *blob;
error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey);
if (CKR_OK != error) {
goto loser;
}
kp = (ckcapiCert == io->type) ? &io->u.cert.key : &io->u.key.key;
rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
if (!rc) {
goto loser;
}
buf = nss_ZNEWARRAY(NULL, char, bufLen);
rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
if (!rc) {
goto loser;
}
/* validate the blob */
blob = (CAPI_RSA_KEY_BLOB *)buf;
if ((PRIVATEKEYBLOB != blob->header.bType) ||
(0x02 != blob->header.bVersion) ||
(0x32415352 != blob->rsa.magic)) {
goto loser;
}
modulus = blob->rsa.bitlen / 8;
kp->privateKey = buf;
buf = NULL;
kp->privateExponent.data = &blob->data[CAPI_PRIVATE_EXP_OFFSET(modulus)];
kp->privateExponent.size = modulus;
ckcapi_ReverseData(&kp->privateExponent);
kp->prime1.data = &blob->data[CAPI_PRIME_1_OFFSET(modulus)];
kp->prime1.size = modulus / 2;
ckcapi_ReverseData(&kp->prime1);
kp->prime2.data = &blob->data[CAPI_PRIME_2_OFFSET(modulus)];
kp->prime2.size = modulus / 2;
ckcapi_ReverseData(&kp->prime2);
kp->exponent1.data = &blob->data[CAPI_EXPONENT_1_OFFSET(modulus)];
kp->exponent1.size = modulus / 2;
ckcapi_ReverseData(&kp->exponent1);
kp->exponent2.data = &blob->data[CAPI_EXPONENT_2_OFFSET(modulus)];
kp->exponent2.size = modulus / 2;
ckcapi_ReverseData(&kp->exponent2);
kp->coefficient.data = &blob->data[CAPI_COEFFICIENT_OFFSET(modulus)];
kp->coefficient.size = modulus / 2;
ckcapi_ReverseData(&kp->coefficient);
loser:
nss_ZFreeIf(buf);
if (0 != hKey) {
CryptDestroyKey(hKey);
}
return;
}
void
ckcapi_PopulateModulusExponent(
ckcapiInternalObject *io)
{
if (ckcapiCert == io->type) {
ckcapi_CertPopulateModulusExponent(io);
} else {
ckcapi_FetchPublicKey(io);
}
return;
}
/*
* fetch the friendly name attribute.
* can only be called with ckcapiCert type objects!
*/
void
ckcapi_FetchLabel(
ckcapiInternalObject *io)
{
ckcapiCertObject *co = &io->u.cert;
char *label;
PCCERT_CONTEXT certContext = io->u.cert.certContext;
char labelDataUTF16[128];
DWORD size = sizeof(labelDataUTF16);
DWORD size8 = sizeof(co->labelData);
BOOL rv;
rv = CertGetCertificateContextProperty(certContext,
CERT_FRIENDLY_NAME_PROP_ID, labelDataUTF16, &size);
if (rv) {
co->labelData = nss_ckcapi_WideToUTF8((LPCWSTR)labelDataUTF16);
if ((CHAR *)NULL == co->labelData) {
rv = 0;
} else {
size = strlen(co->labelData);
}
}
label = co->labelData;
/* we are presuming a user cert, make sure it has a nickname, even if
* Microsoft never gave it one */
if (!rv && co->hasID) {
DWORD mserror = GetLastError();
#define DEFAULT_NICKNAME "no Microsoft nickname"
label = DEFAULT_NICKNAME;
size = sizeof(DEFAULT_NICKNAME);
rv = 1;
}
if (rv) {
co->label.data = label;
co->label.size = size;
}
return;
}
void
ckcapi_FetchSerial(
ckcapiInternalObject *io)
{
ckcapiCertObject *co = &io->u.cert;
PCCERT_CONTEXT certContext = io->u.cert.certContext;
DWORD size = sizeof(co->derSerial);
BOOL rc = CryptEncodeObject(X509_ASN_ENCODING,
X509_MULTI_BYTE_INTEGER,
&certContext->pCertInfo->SerialNumber,
co->derSerial,
&size);
if (rc) {
co->serial.data = co->derSerial;
co->serial.size = size;
}
return;
}
/*
* fetch the key ID.
*/
void
ckcapi_FetchID(
ckcapiInternalObject *io)
{
PCCERT_CONTEXT certContext = io->u.cert.certContext;
DWORD size = 0;
BOOL rc;
rc = CertGetCertificateContextProperty(certContext,
CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size);
if (!rc) {
return;
}
io->idData = nss_ZNEWARRAY(NULL, char, size);
if (io->idData == NULL) {
return;
}
rc = CertGetCertificateContextProperty(certContext,
CERT_KEY_IDENTIFIER_PROP_ID, io->idData, &size);
if (!rc) {
nss_ZFreeIf(io->idData);
io->idData = NULL;
return;
}
io->id.data = io->idData;
io->id.size = size;
return;
}
/*
* fetch the hash key.
*/
void
ckcapi_CertFetchHashKey(
ckcapiInternalObject *io)
{
ckcapiCertObject *co = &io->u.cert;
PCCERT_CONTEXT certContext = io->u.cert.certContext;
DWORD size = certContext->cbCertEncoded;
DWORD max = sizeof(io->hashKeyData) - 1;
DWORD offset = 0;
/* make sure we don't over flow. NOTE: cutting the top of a cert is
* not a big issue because the signature for will be unique for the cert */
if (size > max) {
offset = size - max;
size = max;
}
nsslibc_memcpy(io->hashKeyData, certContext->pbCertEncoded + offset, size);
io->hashKeyData[size] = (char)(io->objClass & 0xff);
io->hashKey.data = io->hashKeyData;
io->hashKey.size = size + 1;
return;
}
/*
* fetch the hash key.
*/
void
ckcapi_KeyFetchHashKey(
ckcapiInternalObject *io)
{
ckcapiKeyObject *ko = &io->u.key;
DWORD size;
DWORD max = sizeof(io->hashKeyData) - 2;
DWORD offset = 0;
DWORD provLen = strlen(ko->provName);
DWORD containerLen = strlen(ko->containerName);
size = provLen + containerLen;
/* make sure we don't overflow, try to keep things unique */
if (size > max) {
DWORD diff = ((size - max) + 1) / 2;
provLen -= diff;
containerLen -= diff;
size = provLen + containerLen;
}
nsslibc_memcpy(io->hashKeyData, ko->provName, provLen);
nsslibc_memcpy(&io->hashKeyData[provLen],
ko->containerName,
containerLen);
io->hashKeyData[size] = (char)(io->objClass & 0xff);
io->hashKeyData[size + 1] = (char)(ko->provInfo.dwKeySpec & 0xff);
io->hashKey.data = io->hashKeyData;
io->hashKey.size = size + 2;
return;
}
/*
* fetch the hash key.
*/
void
ckcapi_FetchHashKey(
ckcapiInternalObject *io)
{
if (ckcapiCert == io->type) {
ckcapi_CertFetchHashKey(io);
} else {
ckcapi_KeyFetchHashKey(io);
}
return;
}
const NSSItem *
ckcapi_FetchCertAttribute(
ckcapiInternalObject *io,
CK_ATTRIBUTE_TYPE type)
{
PCCERT_CONTEXT certContext = io->u.cert.certContext;
switch (type) {
case CKA_CLASS:
return &ckcapi_certClassItem;
case CKA_TOKEN:
return &ckcapi_trueItem;
case CKA_MODIFIABLE:
case CKA_PRIVATE:
return &ckcapi_falseItem;
case CKA_CERTIFICATE_TYPE:
return &ckcapi_x509Item;
case CKA_LABEL:
if (0 == io->u.cert.label.size) {
ckcapi_FetchLabel(io);
}
return &io->u.cert.label;
case CKA_SUBJECT:
if (0 == io->u.cert.subject.size) {
io->u.cert.subject.data =
certContext->pCertInfo->Subject.pbData;
io->u.cert.subject.size =
certContext->pCertInfo->Subject.cbData;
}
return &io->u.cert.subject;
case CKA_ISSUER:
if (0 == io->u.cert.issuer.size) {
io->u.cert.issuer.data =
certContext->pCertInfo->Issuer.pbData;
io->u.cert.issuer.size =
certContext->pCertInfo->Issuer.cbData;
}
return &io->u.cert.issuer;
case CKA_SERIAL_NUMBER:
if (0 == io->u.cert.serial.size) {
/* not exactly right. This should be the encoded serial number, but
* it's the decoded serial number! */
ckcapi_FetchSerial(io);
}
return &io->u.cert.serial;
case CKA_VALUE:
if (0 == io->u.cert.derCert.size) {
io->u.cert.derCert.data =
io->u.cert.certContext->pbCertEncoded;
io->u.cert.derCert.size =
io->u.cert.certContext->cbCertEncoded;
}
return &io->u.cert.derCert;
case CKA_ID:
if (!io->u.cert.hasID) {
return NULL;
}
if (0 == io->id.size) {
ckcapi_FetchID(io);
}
return &io->id;
default:
break;
}
return NULL;
}
const NSSItem *
ckcapi_FetchPubKeyAttribute(
ckcapiInternalObject *io,
CK_ATTRIBUTE_TYPE type)
{
PRBool isCertType = (ckcapiCert == io->type);
ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key;
switch (type) {
case CKA_CLASS:
return &ckcapi_pubKeyClassItem;
case CKA_TOKEN:
case CKA_LOCAL:
case CKA_ENCRYPT:
case CKA_VERIFY:
case CKA_VERIFY_RECOVER:
return &ckcapi_trueItem;
case CKA_PRIVATE:
case CKA_MODIFIABLE:
case CKA_DERIVE:
case CKA_WRAP:
return &ckcapi_falseItem;
case CKA_KEY_TYPE:
return &ckcapi_rsaItem;
case CKA_LABEL:
if (!isCertType) {
return &ckcapi_emptyItem;
}
if (0 == io->u.cert.label.size) {
ckcapi_FetchLabel(io);
}
return &io->u.cert.label;
case CKA_SUBJECT:
if (!isCertType) {
return &ckcapi_emptyItem;
}
if (0 == io->u.cert.subject.size) {
PCCERT_CONTEXT certContext =
io->u.cert.certContext;
io->u.cert.subject.data =
certContext->pCertInfo->Subject.pbData;
io->u.cert.subject.size =
certContext->pCertInfo->Subject.cbData;
}
return &io->u.cert.subject;
case CKA_MODULUS:
if (0 == kp->modulus.size) {
ckcapi_PopulateModulusExponent(io);
}
return &kp->modulus;
case CKA_PUBLIC_EXPONENT:
if (0 == kp->modulus.size) {
ckcapi_PopulateModulusExponent(io);
}
return &kp->exponent;
case CKA_ID:
if (0 == io->id.size) {
ckcapi_FetchID(io);
}
return &io->id;
default:
break;
}
return NULL;
}
const NSSItem *
ckcapi_FetchPrivKeyAttribute(
ckcapiInternalObject *io,
CK_ATTRIBUTE_TYPE type)
{
PRBool isCertType = (ckcapiCert == io->type);
ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key;
switch (type) {
case CKA_CLASS:
return &ckcapi_privKeyClassItem;
case CKA_TOKEN:
case CKA_LOCAL:
case CKA_SIGN:
case CKA_DECRYPT:
case CKA_SIGN_RECOVER:
return &ckcapi_trueItem;
case CKA_SENSITIVE:
case CKA_PRIVATE: /* should move in the future */
case CKA_MODIFIABLE:
case CKA_DERIVE:
case CKA_UNWRAP:
case CKA_EXTRACTABLE: /* will probably move in the future */
case CKA_ALWAYS_SENSITIVE:
case CKA_NEVER_EXTRACTABLE:
return &ckcapi_falseItem;
case CKA_KEY_TYPE:
return &ckcapi_rsaItem;
case CKA_LABEL:
if (!isCertType) {
return &ckcapi_emptyItem;
}
if (0 == io->u.cert.label.size) {
ckcapi_FetchLabel(io);
}
return &io->u.cert.label;
case CKA_SUBJECT:
if (!isCertType) {
return &ckcapi_emptyItem;
}
if (0 == io->u.cert.subject.size) {
PCCERT_CONTEXT certContext =
io->u.cert.certContext;
io->u.cert.subject.data =
certContext->pCertInfo->Subject.pbData;
io->u.cert.subject.size =
certContext->pCertInfo->Subject.cbData;
}
return &io->u.cert.subject;
case CKA_MODULUS:
if (0 == kp->modulus.size) {
ckcapi_PopulateModulusExponent(io);
}
return &kp->modulus;
case CKA_PUBLIC_EXPONENT:
if (0 == kp->modulus.size) {
ckcapi_PopulateModulusExponent(io);
}
return &kp->exponent;
case CKA_PRIVATE_EXPONENT:
if (0 == kp->privateExponent.size) {
ckcapi_FetchPrivateKey(io);
}
return &kp->privateExponent;
case CKA_PRIME_1:
if (0 == kp->privateExponent.size) {
ckcapi_FetchPrivateKey(io);
}
return &kp->prime1;
case CKA_PRIME_2:
if (0 == kp->privateExponent.size) {
ckcapi_FetchPrivateKey(io);
}
return &kp->prime2;
case CKA_EXPONENT_1:
if (0 == kp->privateExponent.size) {
ckcapi_FetchPrivateKey(io);
}
return &kp->exponent1;
case CKA_EXPONENT_2:
if (0 == kp->privateExponent.size) {
ckcapi_FetchPrivateKey(io);
}
return &kp->exponent2;
case CKA_COEFFICIENT:
if (0 == kp->privateExponent.size) {
ckcapi_FetchPrivateKey(io);
}
return &kp->coefficient;
case CKA_ID:
if (0 == io->id.size) {
ckcapi_FetchID(io);
}
return &io->id;
default:
return NULL;
}
}
const NSSItem *
nss_ckcapi_FetchAttribute(
ckcapiInternalObject *io,
CK_ATTRIBUTE_TYPE type)
{
CK_ULONG i;
if (io->type == ckcapiRaw) {
for (i = 0; i < io->u.raw.n; i++) {
if (type == io->u.raw.types[i]) {
return &io->u.raw.items[i];
}
}
return NULL;
}
/* deal with the common attributes */
switch (io->objClass) {
case CKO_CERTIFICATE:
return ckcapi_FetchCertAttribute(io, type);
case CKO_PRIVATE_KEY:
return ckcapi_FetchPrivKeyAttribute(io, type);
case CKO_PUBLIC_KEY:
return ckcapi_FetchPubKeyAttribute(io, type);
}
return NULL;
}
/*
* check to see if the certificate already exists
*/
static PRBool
ckcapi_cert_exists(
NSSItem *value,
ckcapiInternalObject **io)
{
int count, i;
PRUint32 size = 0;
ckcapiInternalObject **listp = NULL;
CK_ATTRIBUTE myTemplate[2];
CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE;
CK_ULONG templateCount = 2;
CK_RV error;
PRBool found = PR_FALSE;
myTemplate[0].type = CKA_CLASS;
myTemplate[0].pValue = &cert_class;
myTemplate[0].ulValueLen = sizeof(cert_class);
myTemplate[1].type = CKA_VALUE;
myTemplate[1].pValue = value->data;
myTemplate[1].ulValueLen = value->size;
count = nss_ckcapi_collect_all_certs(myTemplate, templateCount, &listp,
&size, 0, &error);
/* free them */
if (count > 1) {
*io = listp[0];
found = PR_TRUE;
}
for (i = 1; i < count; i++) {
nss_ckcapi_DestroyInternalObject(listp[i]);
}
nss_ZFreeIf(listp);
return found;
}
static PRBool
ckcapi_cert_hasEmail(
PCCERT_CONTEXT certContext)
{
int count;
count = CertGetNameString(certContext, CERT_NAME_EMAIL_TYPE,
0, NULL, NULL, 0);
return count > 1 ? PR_TRUE : PR_FALSE;
}
static PRBool
ckcapi_cert_isRoot(
PCCERT_CONTEXT certContext)
{
return CertCompareCertificateName(certContext->dwCertEncodingType,
&certContext->pCertInfo->Issuer, &certContext->pCertInfo->Subject);
}
static PRBool
ckcapi_cert_isCA(
PCCERT_CONTEXT certContext)
{
PCERT_EXTENSION extension;
CERT_BASIC_CONSTRAINTS2_INFO basicInfo;
DWORD size = sizeof(basicInfo);
BOOL rc;
extension = CertFindExtension(szOID_BASIC_CONSTRAINTS,
certContext->pCertInfo->cExtension,
certContext->pCertInfo->rgExtension);
if ((PCERT_EXTENSION)NULL == extension) {
return PR_FALSE;
}
rc = CryptDecodeObject(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS2,
extension->Value.pbData, extension->Value.cbData,
0, &basicInfo, &size);
if (!rc) {
return PR_FALSE;
}
return (PRBool)basicInfo.fCA;
}
static CRYPT_KEY_PROV_INFO *
ckcapi_cert_getPrivateKeyInfo(
PCCERT_CONTEXT certContext,
NSSItem *keyID)
{
BOOL rc;
CRYPT_HASH_BLOB msKeyID;
DWORD size = 0;
CRYPT_KEY_PROV_INFO *prov = NULL;
msKeyID.cbData = keyID->size;
msKeyID.pbData = keyID->data;
rc = CryptGetKeyIdentifierProperty(
&msKeyID,
CERT_KEY_PROV_INFO_PROP_ID,
0, NULL, NULL, NULL, &size);
if (!rc) {
return (CRYPT_KEY_PROV_INFO *)NULL;
}
prov = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
if ((CRYPT_KEY_PROV_INFO *)prov == NULL) {
return (CRYPT_KEY_PROV_INFO *)NULL;
}
rc = CryptGetKeyIdentifierProperty(
&msKeyID,
CERT_KEY_PROV_INFO_PROP_ID,
0, NULL, NULL, prov, &size);
if (!rc) {
nss_ZFreeIf(prov);
return (CRYPT_KEY_PROV_INFO *)NULL;
}
return prov;
}
static CRYPT_KEY_PROV_INFO *
ckcapi_cert_getProvInfo(
ckcapiInternalObject *io)
{
BOOL rc;
DWORD size = 0;
CRYPT_KEY_PROV_INFO *prov = NULL;
rc = CertGetCertificateContextProperty(
io->u.cert.certContext,
CERT_KEY_PROV_INFO_PROP_ID,
NULL, &size);
if (!rc) {
return (CRYPT_KEY_PROV_INFO *)NULL;
}
prov = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
if ((CRYPT_KEY_PROV_INFO *)prov == NULL) {
return (CRYPT_KEY_PROV_INFO *)NULL;
}
rc = CertGetCertificateContextProperty(
io->u.cert.certContext,
CERT_KEY_PROV_INFO_PROP_ID,
prov, &size);
if (!rc) {
nss_ZFreeIf(prov);
return (CRYPT_KEY_PROV_INFO *)NULL;
}
return prov;
}
/* forward declaration */
static void
ckcapi_removeObjectFromHash(
ckcapiInternalObject *io);
/*
* Finalize - unneeded
* Destroy
* IsTokenObject - CK_TRUE
* GetAttributeCount
* GetAttributeTypes
* GetAttributeSize
* GetAttribute
* SetAttribute
* GetObjectSize
*/
static CK_RV
ckcapi_mdObject_Destroy(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
CK_OBJECT_CLASS objClass;
BOOL rc;
DWORD provType;
DWORD msError;
PRBool isCertType = (PRBool)(ckcapiCert == io->type);
HCERTSTORE hStore = 0;
if (ckcapiRaw == io->type) {
/* there is not 'object write protected' error, use the next best thing */
return CKR_TOKEN_WRITE_PROTECTED;
}
objClass = io->objClass;
if (CKO_CERTIFICATE == objClass) {
PCCERT_CONTEXT certContext;
/* get the store */
hStore = CertOpenSystemStore(0, io->u.cert.certStore);
if (0 == hStore) {
rc = 0;
goto loser;
}
certContext = CertFindCertificateInStore(hStore, X509_ASN_ENCODING, 0,
CERT_FIND_EXISTING, io->u.cert.certContext, NULL);
if ((PCCERT_CONTEXT)NULL == certContext) {
rc = 0;
goto loser;
}
rc = CertDeleteCertificateFromStore(certContext);
} else {
char *provName = NULL;
char *containerName = NULL;
HCRYPTPROV hProv;
CRYPT_HASH_BLOB msKeyID;
if (0 == io->id.size) {
ckcapi_FetchID(io);
}
if (isCertType) {
CRYPT_KEY_PROV_INFO *provInfo = ckcapi_cert_getProvInfo(io);
provName = nss_ckcapi_WideToUTF8(provInfo->pwszProvName);
containerName = nss_ckcapi_WideToUTF8(provInfo->pwszContainerName);
provType = provInfo->dwProvType;
nss_ZFreeIf(provInfo);
} else {
provName = io->u.key.provName;
containerName = io->u.key.containerName;
provType = io->u.key.provInfo.dwProvType;
io->u.key.provName = NULL;
io->u.key.containerName = NULL;
}
/* first remove the key id pointer */
msKeyID.cbData = io->id.size;
msKeyID.pbData = io->id.data;
rc = CryptSetKeyIdentifierProperty(&msKeyID,
CERT_KEY_PROV_INFO_PROP_ID, CRYPT_KEYID_DELETE_FLAG, NULL, NULL, NULL);
if (rc) {
rc = CryptAcquireContext(&hProv, containerName, provName, provType,
CRYPT_DELETEKEYSET);
}
nss_ZFreeIf(provName);
nss_ZFreeIf(containerName);
}
loser:
if (hStore) {
CertCloseStore(hStore, 0);
}
if (!rc) {
msError = GetLastError();
return CKR_GENERAL_ERROR;
}
/* remove it from the hash */
ckcapi_removeObjectFromHash(io);
/* free the puppy.. */
nss_ckcapi_DestroyInternalObject(io);
return CKR_OK;
}
static CK_BBOOL
ckcapi_mdObject_IsTokenObject(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance)
{
return CK_TRUE;
}
static CK_ULONG
ckcapi_mdObject_GetAttributeCount(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
if (ckcapiRaw == io->type) {
return io->u.raw.n;
}
switch (io->objClass) {
case CKO_CERTIFICATE:
return certAttrsCount;
case CKO_PUBLIC_KEY:
return pubKeyAttrsCount;
case CKO_PRIVATE_KEY:
return privKeyAttrsCount;
default:
break;
}
return 0;
}
static CK_RV
ckcapi_mdObject_GetAttributeTypes(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE_PTR typeArray,
CK_ULONG ulCount)
{
ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
CK_ULONG i;
CK_RV error = CKR_OK;
const CK_ATTRIBUTE_TYPE *attrs = NULL;
CK_ULONG size = ckcapi_mdObject_GetAttributeCount(
mdObject, fwObject, mdSession, fwSession,
mdToken, fwToken, mdInstance, fwInstance, &error);
if (size != ulCount) {
return CKR_BUFFER_TOO_SMALL;
}
if (io->type == ckcapiRaw) {
attrs = io->u.raw.types;
} else
switch (io->objClass) {
case CKO_CERTIFICATE:
attrs =
certAttrs;
break;
case CKO_PUBLIC_KEY:
attrs =
pubKeyAttrs;
break;
case CKO_PRIVATE_KEY:
attrs =
privKeyAttrs;
break;
default:
return CKR_OK;
}
for (i = 0; i < size; i++) {
typeArray[i] = attrs[i];
}
return CKR_OK;
}
static CK_ULONG
ckcapi_mdObject_GetAttributeSize(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE attribute,
CK_RV *pError)
{
ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
const NSSItem *b;
b = nss_ckcapi_FetchAttribute(io, attribute);
if ((const NSSItem *)NULL == b) {
*pError = CKR_ATTRIBUTE_TYPE_INVALID;
return 0;
}
return b->size;
}
static CK_RV
ckcapi_mdObject_SetAttribute(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE attribute,
NSSItem *value)
{
return CKR_OK;
}
static NSSCKFWItem
ckcapi_mdObject_GetAttribute(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_ATTRIBUTE_TYPE attribute,
CK_RV *pError)
{
NSSCKFWItem mdItem;
ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
mdItem.needsFreeing = PR_FALSE;
mdItem.item = (NSSItem *)nss_ckcapi_FetchAttribute(io, attribute);
if ((NSSItem *)NULL == mdItem.item) {
*pError = CKR_ATTRIBUTE_TYPE_INVALID;
}
return mdItem;
}
static CK_ULONG
ckcapi_mdObject_GetObjectSize(
NSSCKMDObject *mdObject,
NSSCKFWObject *fwObject,
NSSCKMDSession *mdSession,
NSSCKFWSession *fwSession,
NSSCKMDToken *mdToken,
NSSCKFWToken *fwToken,
NSSCKMDInstance *mdInstance,
NSSCKFWInstance *fwInstance,
CK_RV *pError)
{
ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
CK_ULONG rv = 1;
/* size is irrelevant to this token */
return rv;
}
static const NSSCKMDObject
ckcapi_prototype_mdObject = {
(void *)NULL, /* etc */
NULL, /* Finalize */
ckcapi_mdObject_Destroy,
ckcapi_mdObject_IsTokenObject,
ckcapi_mdObject_GetAttributeCount,
ckcapi_mdObject_GetAttributeTypes,
ckcapi_mdObject_GetAttributeSize,
ckcapi_mdObject_GetAttribute,
NULL, /* FreeAttribute */
ckcapi_mdObject_SetAttribute,
ckcapi_mdObject_GetObjectSize,
(void *)NULL /* null terminator */
};
static nssHash *ckcapiInternalObjectHash = NULL;
NSS_IMPLEMENT NSSCKMDObject *
nss_ckcapi_CreateMDObject(
NSSArena *arena,
ckcapiInternalObject *io,
CK_RV *pError)
{
if ((nssHash *)NULL == ckcapiInternalObjectHash) {
ckcapiInternalObjectHash = nssHash_CreateItem(NULL, 10);
}
if (ckcapiCert == io->type) {
/* the hash key, not a cryptographic key */
NSSItem *key = &io->hashKey;
ckcapiInternalObject *old_o = NULL;
if (key->size == 0) {
ckcapi_FetchHashKey(io);
}
old_o = (ckcapiInternalObject *)
nssHash_Lookup(ckcapiInternalObjectHash, key);
if (!old_o) {
nssHash_Add(ckcapiInternalObjectHash, key, io);
} else if (old_o != io) {
nss_ckcapi_DestroyInternalObject(io);
io = old_o;
}
}
if ((void *)NULL == io->mdObject.etc) {
(void)nsslibc_memcpy(&io->mdObject, &ckcapi_prototype_mdObject,
sizeof(ckcapi_prototype_mdObject));
io->mdObject.etc = (void *)io;
}
return &io->mdObject;
}
static void
ckcapi_removeObjectFromHash(
ckcapiInternalObject *io)
{
NSSItem *key = &io->hashKey;
if ((nssHash *)NULL == ckcapiInternalObjectHash) {
return;
}
if (key->size == 0) {
ckcapi_FetchHashKey(io);
}
nssHash_Remove(ckcapiInternalObjectHash, key);
return;
}
void
nss_ckcapi_DestroyInternalObject(
ckcapiInternalObject *io)
{
switch (io->type) {
case ckcapiRaw:
return;
case ckcapiCert:
CertFreeCertificateContext(io->u.cert.certContext);
nss_ZFreeIf(io->u.cert.labelData);
nss_ZFreeIf(io->u.cert.key.privateKey);
nss_ZFreeIf(io->u.cert.key.pubKey);
nss_ZFreeIf(io->idData);
break;
case ckcapiBareKey:
nss_ZFreeIf(io->u.key.provInfo.pwszContainerName);
nss_ZFreeIf(io->u.key.provInfo.pwszProvName);
nss_ZFreeIf(io->u.key.provName);
nss_ZFreeIf(io->u.key.containerName);
nss_ZFreeIf(io->u.key.key.privateKey);
nss_ZFreeIf(io->u.key.key.pubKey);
if (0 != io->u.key.hProv) {
CryptReleaseContext(io->u.key.hProv, 0);
}
nss_ZFreeIf(io->idData);
break;
}
nss_ZFreeIf(io);
return;
}
static ckcapiInternalObject *
nss_ckcapi_CreateCertificate(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
NSSItem value;
NSSItem keyID;
char *storeStr;
ckcapiInternalObject *io = NULL;
PCCERT_CONTEXT certContext = NULL;
PCCERT_CONTEXT storedCertContext = NULL;
CRYPT_KEY_PROV_INFO *prov_info = NULL;
char *nickname = NULL;
HCERTSTORE hStore = 0;
DWORD msError = 0;
PRBool hasID;
CK_RV dummy;
BOOL rc;
*pError = nss_ckcapi_GetAttribute(CKA_VALUE, pTemplate,
ulAttributeCount, &value);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate,
ulAttributeCount, &keyID);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
if (ckcapi_cert_exists(&value, &io)) {
return io;
}
/* OK, we are creating a new one, figure out what store it belongs to..
* first get a certContext handle.. */
certContext = CertCreateCertificateContext(X509_ASN_ENCODING,
value.data, value.size);
if ((PCCERT_CONTEXT)NULL == certContext) {
msError = GetLastError();
*pError = CKR_ATTRIBUTE_VALUE_INVALID;
goto loser;
}
/* do we have a private key laying around... */
prov_info = ckcapi_cert_getPrivateKeyInfo(certContext, &keyID);
if (prov_info) {
CRYPT_DATA_BLOB msKeyID;
storeStr = "My";
hasID = PR_TRUE;
rc = CertSetCertificateContextProperty(certContext,
CERT_KEY_PROV_INFO_PROP_ID,
0, prov_info);
nss_ZFreeIf(prov_info);
if (!rc) {
msError = GetLastError();
*pError = CKR_DEVICE_ERROR;
goto loser;
}
msKeyID.cbData = keyID.size;
msKeyID.pbData = keyID.data;
rc = CertSetCertificateContextProperty(certContext,
CERT_KEY_IDENTIFIER_PROP_ID,
0, &msKeyID);
if (!rc) {
msError = GetLastError();
*pError = CKR_DEVICE_ERROR;
goto loser;
}
/* does it look like a CA */
} else if (ckcapi_cert_isCA(certContext)) {
storeStr = ckcapi_cert_isRoot(certContext) ? "CA" : "Root";
/* does it look like an S/MIME cert */
} else if (ckcapi_cert_hasEmail(certContext)) {
storeStr = "AddressBook";
} else {
/* just pick a store */
storeStr = "CA";
}
/* get the nickname, not an error if we can't find it */
nickname = nss_ckcapi_GetStringAttribute(CKA_LABEL, pTemplate,
ulAttributeCount, &dummy);
if (nickname) {
LPWSTR nicknameUTF16 = NULL;
CRYPT_DATA_BLOB nicknameBlob;
nicknameUTF16 = nss_ckcapi_UTF8ToWide(nickname);
nss_ZFreeIf(nickname);
nickname = NULL;
if ((LPWSTR)NULL == nicknameUTF16) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
nicknameBlob.cbData = nss_ckcapi_WideSize(nicknameUTF16);
nicknameBlob.pbData = (BYTE *)nicknameUTF16;
rc = CertSetCertificateContextProperty(certContext,
CERT_FRIENDLY_NAME_PROP_ID, 0, &nicknameBlob);
nss_ZFreeIf(nicknameUTF16);
if (!rc) {
msError = GetLastError();
*pError = CKR_DEVICE_ERROR;
goto loser;
}
}
hStore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr);
if (0 == hStore) {
msError = GetLastError();
*pError = CKR_DEVICE_ERROR;
goto loser;
}
rc = CertAddCertificateContextToStore(hStore, certContext,
CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES, &storedCertContext);
CertFreeCertificateContext(certContext);
certContext = NULL;
CertCloseStore(hStore, 0);
hStore = 0;
if (!rc) {
msError = GetLastError();
*pError = CKR_DEVICE_ERROR;
goto loser;
}
io = nss_ZNEW(NULL, ckcapiInternalObject);
if ((ckcapiInternalObject *)NULL == io) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
io->type = ckcapiCert;
io->objClass = CKO_CERTIFICATE;
io->u.cert.certContext = storedCertContext;
io->u.cert.hasID = hasID;
return io;
loser:
if (certContext) {
CertFreeCertificateContext(certContext);
certContext = NULL;
}
if (storedCertContext) {
CertFreeCertificateContext(storedCertContext);
storedCertContext = NULL;
}
if (0 != hStore) {
CertCloseStore(hStore, 0);
}
return (ckcapiInternalObject *)NULL;
}
static char *
ckcapi_getDefaultProvider(
CK_RV *pError)
{
char *name = NULL;
BOOL rc;
DWORD nameLength = 0;
rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, NULL,
&nameLength);
if (!rc) {
return (char *)NULL;
}
name = nss_ZNEWARRAY(NULL, char, nameLength);
if ((char *)NULL == name) {
return (char *)NULL;
}
rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, name,
&nameLength);
if (!rc) {
nss_ZFreeIf(name);
return (char *)NULL;
}
return name;
}
static char *
ckcapi_getContainer(
CK_RV *pError,
NSSItem *id)
{
RPC_STATUS rstat;
UUID uuid;
char *uuidStr;
char *container;
rstat = UuidCreate(&uuid);
rstat = UuidToString(&uuid, &uuidStr);
/* convert it from rcp memory to our own */
container = nssUTF8_Duplicate(uuidStr, NULL);
RpcStringFree(&uuidStr);
return container;
}
static CK_RV
ckcapi_buildPrivateKeyBlob(
NSSItem *keyBlob,
NSSItem *modulus,
NSSItem *publicExponent,
NSSItem *privateExponent,
NSSItem *prime1,
NSSItem *prime2,
NSSItem *exponent1,
NSSItem *exponent2,
NSSItem *coefficient,
PRBool isKeyExchange)
{
CAPI_RSA_KEY_BLOB *keyBlobData = NULL;
unsigned char *target;
unsigned long modSize = modulus->size;
unsigned long dataSize;
CK_RV error = CKR_OK;
/* validate extras */
if (privateExponent->size != modSize) {
error = CKR_ATTRIBUTE_VALUE_INVALID;
goto loser;
}
if (prime1->size != modSize / 2) {
error = CKR_ATTRIBUTE_VALUE_INVALID;
goto loser;
}
if (prime2->size != modSize / 2) {
error = CKR_ATTRIBUTE_VALUE_INVALID;
goto loser;
}
if (exponent1->size != modSize / 2) {
error = CKR_ATTRIBUTE_VALUE_INVALID;
goto loser;
}
if (exponent2->size != modSize / 2) {
error = CKR_ATTRIBUTE_VALUE_INVALID;
goto loser;
}
if (coefficient->size != modSize / 2) {
error = CKR_ATTRIBUTE_VALUE_INVALID;
goto loser;
}
dataSize = (modSize * 4) + (modSize / 2) + sizeof(CAPI_RSA_KEY_BLOB);
keyBlobData = (CAPI_RSA_KEY_BLOB *)nss_ZAlloc(NULL, dataSize);
if ((CAPI_RSA_KEY_BLOB *)NULL == keyBlobData) {
error = CKR_HOST_MEMORY;
goto loser;
}
keyBlobData->header.bType = PRIVATEKEYBLOB;
keyBlobData->header.bVersion = 0x02;
keyBlobData->header.reserved = 0x00;
keyBlobData->header.aiKeyAlg = isKeyExchange ? CALG_RSA_KEYX : CALG_RSA_SIGN;
keyBlobData->rsa.magic = 0x32415352;
keyBlobData->rsa.bitlen = modSize * 8;
keyBlobData->rsa.pubexp = nss_ckcapi_DataToInt(publicExponent, &error);
if (CKR_OK != error) {
goto loser;
}
target = &keyBlobData->data[CAPI_MODULUS_OFFSET(modSize)];
nsslibc_memcpy(target, modulus->data, modulus->size);
modulus->data = target;
ckcapi_ReverseData(modulus);
target = &keyBlobData->data[CAPI_PRIVATE_EXP_OFFSET(modSize)];
nsslibc_memcpy(target, privateExponent->data, privateExponent->size);
privateExponent->data = target;
ckcapi_ReverseData(privateExponent);
target = &keyBlobData->data[CAPI_PRIME_1_OFFSET(modSize)];
nsslibc_memcpy(target, prime1->data, prime1->size);
prime1->data = target;
ckcapi_ReverseData(prime1);
target = &keyBlobData->data[CAPI_PRIME_2_OFFSET(modSize)];
nsslibc_memcpy(target, prime2->data, prime2->size);
prime2->data = target;
ckcapi_ReverseData(prime2);
target = &keyBlobData->data[CAPI_EXPONENT_1_OFFSET(modSize)];
nsslibc_memcpy(target, exponent1->data, exponent1->size);
exponent1->data = target;
ckcapi_ReverseData(exponent1);
target = &keyBlobData->data[CAPI_EXPONENT_2_OFFSET(modSize)];
nsslibc_memcpy(target, exponent2->data, exponent2->size);
exponent2->data = target;
ckcapi_ReverseData(exponent2);
target = &keyBlobData->data[CAPI_COEFFICIENT_OFFSET(modSize)];
nsslibc_memcpy(target, coefficient->data, coefficient->size);
coefficient->data = target;
ckcapi_ReverseData(coefficient);
keyBlob->data = keyBlobData;
keyBlob->size = dataSize;
return CKR_OK;
loser:
nss_ZFreeIf(keyBlobData);
return error;
}
static ckcapiInternalObject *
nss_ckcapi_CreatePrivateKey(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
NSSItem modulus;
NSSItem publicExponent;
NSSItem privateExponent;
NSSItem exponent1;
NSSItem exponent2;
NSSItem prime1;
NSSItem prime2;
NSSItem coefficient;
NSSItem keyID;
NSSItem keyBlob;
ckcapiInternalObject *io = NULL;
char *providerName = NULL;
char *containerName = NULL;
char *idData = NULL;
CRYPT_KEY_PROV_INFO provInfo;
CRYPT_HASH_BLOB msKeyID;
CK_KEY_TYPE keyType;
HCRYPTPROV hProv = 0;
HCRYPTKEY hKey = 0;
PRBool decrypt;
DWORD keySpec;
DWORD msError;
BOOL rc;
keyType = nss_ckcapi_GetULongAttribute(CKA_KEY_TYPE, pTemplate, ulAttributeCount, pError);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
if (CKK_RSA != keyType) {
*pError = CKR_ATTRIBUTE_VALUE_INVALID;
return (ckcapiInternalObject *)NULL;
}
decrypt = nss_ckcapi_GetBoolAttribute(CKA_DECRYPT,
pTemplate, ulAttributeCount, pError);
if (CKR_TEMPLATE_INCOMPLETE == *pError) {
decrypt = PR_TRUE; /* default to true */
}
decrypt = decrypt || nss_ckcapi_GetBoolAttribute(CKA_UNWRAP,
pTemplate, ulAttributeCount, pError);
if (CKR_TEMPLATE_INCOMPLETE == *pError) {
decrypt = PR_TRUE; /* default to true */
}
keySpec = decrypt ? AT_KEYEXCHANGE : AT_SIGNATURE;
*pError = nss_ckcapi_GetAttribute(CKA_MODULUS, pTemplate,
ulAttributeCount, &modulus);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_PUBLIC_EXPONENT, pTemplate,
ulAttributeCount, &publicExponent);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_PRIVATE_EXPONENT, pTemplate,
ulAttributeCount, &privateExponent);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_PRIME_1, pTemplate,
ulAttributeCount, &prime1);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_PRIME_2, pTemplate,
ulAttributeCount, &prime2);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_1, pTemplate,
ulAttributeCount, &exponent1);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_2, pTemplate,
ulAttributeCount, &exponent2);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_COEFFICIENT, pTemplate,
ulAttributeCount, &coefficient);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
*pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate,
ulAttributeCount, &keyID);
if (CKR_OK != *pError) {
return (ckcapiInternalObject *)NULL;
}
providerName = ckcapi_getDefaultProvider(pError);
if ((char *)NULL == providerName) {
return (ckcapiInternalObject *)NULL;
}
containerName = ckcapi_getContainer(pError, &keyID);
if ((char *)NULL == containerName) {
goto loser;
}
rc = CryptAcquireContext(&hProv, containerName, providerName,
PROV_RSA_FULL, CRYPT_NEWKEYSET);
if (!rc) {
msError = GetLastError();
*pError = CKR_DEVICE_ERROR;
goto loser;
}
*pError = ckcapi_buildPrivateKeyBlob(
&keyBlob,
&modulus,
&publicExponent,
&privateExponent,
&prime1,
&prime2,
&exponent1,
&exponent2,
&coefficient,
decrypt);
if (CKR_OK != *pError) {
goto loser;
}
rc = CryptImportKey(hProv, keyBlob.data, keyBlob.size,
0, CRYPT_EXPORTABLE, &hKey);
if (!rc) {
msError = GetLastError();
*pError = CKR_DEVICE_ERROR;
goto loser;
}
idData = nss_ZNEWARRAY(NULL, char, keyID.size);
if ((void *)NULL == idData) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
nsslibc_memcpy(idData, keyID.data, keyID.size);
provInfo.pwszContainerName = nss_ckcapi_UTF8ToWide(containerName);
provInfo.pwszProvName = nss_ckcapi_UTF8ToWide(providerName);
provInfo.dwProvType = PROV_RSA_FULL;
provInfo.dwFlags = 0;
provInfo.cProvParam = 0;
provInfo.rgProvParam = NULL;
provInfo.dwKeySpec = keySpec;
msKeyID.cbData = keyID.size;
msKeyID.pbData = keyID.data;
rc = CryptSetKeyIdentifierProperty(&msKeyID, CERT_KEY_PROV_INFO_PROP_ID,
0, NULL, NULL, &provInfo);
if (!rc) {
goto loser;
}
/* handle error here */
io = nss_ZNEW(NULL, ckcapiInternalObject);
if ((ckcapiInternalObject *)NULL == io) {
*pError = CKR_HOST_MEMORY;
goto loser;
}
io->type = ckcapiBareKey;
io->objClass = CKO_PRIVATE_KEY;
io->u.key.provInfo = provInfo;
io->u.key.provName = providerName;
io->u.key.containerName = containerName;
io->u.key.hProv = hProv; /* save the handle */
io->idData = idData;
io->id.data = idData;
io->id.size = keyID.size;
/* done with the key handle */
CryptDestroyKey(hKey);
return io;
loser:
nss_ZFreeIf(containerName);
nss_ZFreeIf(providerName);
nss_ZFreeIf(idData);
if (0 != hProv) {
CryptReleaseContext(hProv, 0);
}
if (0 != hKey) {
CryptDestroyKey(hKey);
}
return (ckcapiInternalObject *)NULL;
}
NSS_EXTERN NSSCKMDObject *
nss_ckcapi_CreateObject(
NSSCKFWSession *fwSession,
CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulAttributeCount,
CK_RV *pError)
{
CK_OBJECT_CLASS objClass;
ckcapiInternalObject *io = NULL;
CK_BBOOL isToken;
/*
* only create token objects
*/
isToken = nss_ckcapi_GetBoolAttribute(CKA_TOKEN, pTemplate,
ulAttributeCount, pError);
if (CKR_OK != *pError) {
return (NSSCKMDObject *)NULL;
}
if (!isToken) {
*pError = CKR_ATTRIBUTE_VALUE_INVALID;
return (NSSCKMDObject *)NULL;
}
/*
* only create keys and certs.
*/
objClass = nss_ckcapi_GetULongAttribute(CKA_CLASS, pTemplate,
ulAttributeCount, pError);
if (CKR_OK != *pError) {
return (NSSCKMDObject *)NULL;
}
#ifdef notdef
if (objClass == CKO_PUBLIC_KEY) {
return CKR_OK; /* fake public key creation, happens as a side effect of
* private key creation */
}
#endif
if (objClass == CKO_CERTIFICATE) {
io = nss_ckcapi_CreateCertificate(fwSession, pTemplate,
ulAttributeCount, pError);
} else if (objClass == CKO_PRIVATE_KEY) {
io = nss_ckcapi_CreatePrivateKey(fwSession, pTemplate,
ulAttributeCount, pError);
} else {
*pError = CKR_ATTRIBUTE_VALUE_INVALID;
}
if ((ckcapiInternalObject *)NULL == io) {
return (NSSCKMDObject *)NULL;
}
return nss_ckcapi_CreateMDObject(NULL, io, pError);
}