Don't unnecessarily strip leading 0's from key material during PKCS11 import.

author: wolfbeast <mcwerewolf@wolfbeast.com> 2019-07-17 01:31:34 +0200
committer: wolfbeast <mcwerewolf@wolfbeast.com> 2019-07-17 01:31:34 +0200
commit: 1e560deff8c37164eb7496e7d87aa7b30de80398 (patch)
tree: 57dbb282776c358d430747f34e77298b1f069511 /security/nss/lib/pk11wrap
parent: ef189737a3a97bbdeb06825c06121697f62ed50b (diff)
download: UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar
UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar.gz
UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar.lz
UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar.xz
UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.zip
3 files changed, 23 insertions, 14 deletions
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index c6070e264..9a914272d 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -190,7 +190,6 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
                 attrs++;
                 PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
                 attrs++;
-                signedattr = attrs;
                 PK11_SETATTRS(attrs, CKA_EC_PARAMS,
                               pubKey->u.ec.DEREncodedParams.data,
                               pubKey->u.ec.DEREncodedParams.len);
@@ -224,10 +223,13 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
         }
 
         templateCount = attrs - theTemplate;
-        signedcount = attrs - signedattr;
         PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)));
-        for (attrs = signedattr; signedcount; attrs++, signedcount--) {
-            pk11_SignedToUnsigned(attrs);
+        if (pubKey->keyType != ecKey) {
+            PORT_Assert(signedattr);
+            signedcount = attrs - signedattr;
+            for (attrs = signedattr; signedcount; attrs++, signedcount--) {
+                pk11_SignedToUnsigned(attrs);
+            }
         }
         rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
                                   templateCount, isToken, &objectID);
@@ -1074,9 +1076,13 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot, SECKEYPrivateKey *privKey,
                                         &cktrue, &ckfalse);
 
     /* Not everyone can handle zero padded key values, give
-      * them the raw data as unsigned */
-    for (ap = attrs; extra_count; ap++, extra_count--) {
-        pk11_SignedToUnsigned(ap);
+     * them the raw data as unsigned. The exception is EC,
+     * where the values are encoded or zero-preserving
+     * per-RFC5915 */
+    if (privKey->keyType != ecKey) {
+        for (ap = attrs; extra_count; ap++, extra_count--) {
+            pk11_SignedToUnsigned(ap);
+        }
     }
 
     /* now Store the puppies */
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index 819769643..a880b1ab8 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -184,7 +184,9 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
             SECKEY_DestroyPublicKey(pubKey);
             return PR_FALSE;
         }
-        pk11_SignedToUnsigned(&theTemplate);
+        if (pubKey->keyType != ecKey) {
+            pk11_SignedToUnsigned(&theTemplate);
+        }
         if (pk11_FindObjectByTemplate(slot, &theTemplate, 1) != CK_INVALID_HANDLE) {
             SECKEY_DestroyPublicKey(pubKey);
             return PR_TRUE;
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
index 47b6702c6..9888ace69 100644
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -505,7 +505,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
             }
             PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len);
             attrs++;
-            signedattr = attrs;
+            /* No signed attrs for EC */
             /* curveOID always is a copy of AlgorithmID.parameters. */
             PK11_SETATTRS(attrs, CKA_EC_PARAMS, lpk->u.ec.curveOID.data,
                           lpk->u.ec.curveOID.len);
@@ -523,11 +523,12 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
     }
     templateCount = attrs - theTemplate;
     PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
-    PORT_Assert(signedattr != NULL);
-    signedcount = attrs - signedattr;
-
-    for (ap = signedattr; signedcount; ap++, signedcount--) {
-        pk11_SignedToUnsigned(ap);
+    if (lpk->keyType != ecKey) {
+        PORT_Assert(signedattr);
+        signedcount = attrs - signedattr;
+        for (ap = signedattr; signedcount; ap++, signedcount--) {
+            pk11_SignedToUnsigned(ap);
+        }
     }
 
     rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
author	wolfbeast <mcwerewolf@wolfbeast.com>	2019-07-17 01:31:34 +0200
committer	wolfbeast <mcwerewolf@wolfbeast.com>	2019-07-17 01:31:34 +0200
commit	1e560deff8c37164eb7496e7d87aa7b30de80398 (patch)
tree	57dbb282776c358d430747f34e77298b1f069511 /security/nss/lib/pk11wrap
parent	ef189737a3a97bbdeb06825c06121697f62ed50b (diff)
download	UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar.gz UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar.lz UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.tar.xz UXP-1e560deff8c37164eb7496e7d87aa7b30de80398.zip