/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "ckcapi.h" #include "nssbase.h" /* * ckcapi/cobject.c * * This file implements the NSSCKMDObject object for the * "nss to capi objects" cryptoki module. */ const CK_ATTRIBUTE_TYPE certAttrs[] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_CERTIFICATE_TYPE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_VALUE }; const PRUint32 certAttrsCount = NSS_CKCAPI_ARRAY_SIZE(certAttrs); /* private keys, for now only support RSA */ const CK_ATTRIBUTE_TYPE privKeyAttrs[] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_KEY_TYPE, CKA_DERIVE, CKA_LOCAL, CKA_SUBJECT, CKA_SENSITIVE, CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, CKA_NEVER_EXTRACTABLE, CKA_MODULUS, CKA_PUBLIC_EXPONENT, }; const PRUint32 privKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(privKeyAttrs); /* public keys, for now only support RSA */ const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = { CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_MODIFIABLE, CKA_LABEL, CKA_KEY_TYPE, CKA_DERIVE, CKA_LOCAL, CKA_SUBJECT, CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_WRAP, CKA_MODULUS, CKA_PUBLIC_EXPONENT, }; const PRUint32 pubKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(pubKeyAttrs); static const CK_BBOOL ck_true = CK_TRUE; static const CK_BBOOL ck_false = CK_FALSE; static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509; static const CK_KEY_TYPE ckk_rsa = CKK_RSA; static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE; static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY; static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY; static const NSSItem ckcapi_trueItem = { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) }; static const NSSItem ckcapi_falseItem = { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }; static const NSSItem ckcapi_x509Item = { (void *)&ckc_x509, (PRUint32)sizeof(CK_CERTIFICATE_TYPE) }; static const NSSItem ckcapi_rsaItem = { (void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE) }; static const NSSItem ckcapi_certClassItem = { (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) }; static const NSSItem ckcapi_privKeyClassItem = { (void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS) }; static const NSSItem ckcapi_pubKeyClassItem = { (void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS) }; static const NSSItem ckcapi_emptyItem = { (void *)&ck_true, 0 }; /* * these are utilities. The chould be moved to a new utilities file. */ /* * unwrap a single DER value */ unsigned char * nss_ckcapi_DERUnwrap( unsigned char *src, unsigned int size, unsigned int *outSize, unsigned char **next) { unsigned char *start = src; unsigned char *end = src + size; unsigned int len = 0; /* initialize error condition return values */ *outSize = 0; if (next) { *next = src; } if (size < 2) { return start; } src++; /* skip the tag -- should check it against an expected value! */ len = (unsigned)*src++; if (len & 0x80) { unsigned int count = len & 0x7f; len = 0; if (count + 2 > size) { return start; } while (count-- > 0) { len = (len << 8) | (unsigned)*src++; } } if (len + (src - start) > size) { return start; } if (next) { *next = src + len; } *outSize = len; return src; } /* * convert a PKCS #11 bytestrin into a CK_ULONG, the byte stream must be * less than sizeof (CK_ULONG). */ CK_ULONG nss_ckcapi_DataToInt( NSSItem *data, CK_RV *pError) { CK_ULONG value = 0; unsigned long count = data->size; unsigned char *dataPtr = data->data; unsigned long size = 0; *pError = CKR_OK; while (count--) { value = value << 8; value = value + *dataPtr++; if (size || value) { size++; } } if (size > sizeof(CK_ULONG)) { *pError = CKR_ATTRIBUTE_VALUE_INVALID; } return value; } /* * convert a CK_ULONG to a bytestream. Data is stored in the buffer 'buf' * and must be at least CK_ULONG. Caller must provide buf. */ CK_ULONG nss_ckcapi_IntToData( CK_ULONG value, NSSItem *data, unsigned char *dataPtr, CK_RV *pError) { unsigned long count = 0; unsigned long i; #define SHIFT ((sizeof(CK_ULONG) - 1) * 8) PRBool first = 0; *pError = CKR_OK; data->data = dataPtr; for (i = 0; i < sizeof(CK_ULONG); i++) { unsigned char digit = (unsigned char)((value >> SHIFT) & 0xff); value = value << 8; /* drop leading zero bytes */ if (first && (0 == digit)) { continue; } *dataPtr++ = digit; count++; } data->size = count; return count; } /* * get an attribute from a template. Value is returned in NSS item. * data for the item is owned by the template. */ CK_RV nss_ckcapi_GetAttribute( CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE *template, CK_ULONG templateSize, NSSItem *item) { CK_ULONG i; for (i = 0; i < templateSize; i++) { if (template[i].type == type) { item->data = template[i].pValue; item->size = template[i].ulValueLen; return CKR_OK; } } return CKR_TEMPLATE_INCOMPLETE; } /* * get an attribute which is type CK_ULONG. */ CK_ULONG nss_ckcapi_GetULongAttribute( CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE *template, CK_ULONG templateSize, CK_RV *pError) { NSSItem item; *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item); if (CKR_OK != *pError) { return (CK_ULONG)0; } if (item.size != sizeof(CK_ULONG)) { *pError = CKR_ATTRIBUTE_VALUE_INVALID; return (CK_ULONG)0; } return *(CK_ULONG *)item.data; } /* * get an attribute which is type CK_BBOOL. */ CK_BBOOL nss_ckcapi_GetBoolAttribute( CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE *template, CK_ULONG templateSize, CK_RV *pError) { NSSItem item; *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item); if (CKR_OK != *pError) { return (CK_BBOOL)0; } if (item.size != sizeof(CK_BBOOL)) { *pError = CKR_ATTRIBUTE_VALUE_INVALID; return (CK_BBOOL)0; } return *(CK_BBOOL *)item.data; } /* * get an attribute which is type CK_BBOOL. */ char * nss_ckcapi_GetStringAttribute( CK_ATTRIBUTE_TYPE type, CK_ATTRIBUTE *template, CK_ULONG templateSize, CK_RV *pError) { NSSItem item; char *str; /* get the attribute */ *pError = nss_ckcapi_GetAttribute(type, template, templateSize, &item); if (CKR_OK != *pError) { return (char *)NULL; } /* make sure it is null terminated */ str = nss_ZNEWARRAY(NULL, char, item.size + 1); if ((char *)NULL == str) { *pError = CKR_HOST_MEMORY; return (char *)NULL; } nsslibc_memcpy(str, item.data, item.size); str[item.size] = 0; return str; } /* * Return the size in bytes of a wide string, including the terminating null * character */ int nss_ckcapi_WideSize( LPCWSTR wide) { DWORD size; if ((LPWSTR)NULL == wide) { return 0; } size = wcslen(wide) + 1; return size * sizeof(WCHAR); } /* * Covert a Unicode wide character string to a UTF8 string */ char * nss_ckcapi_WideToUTF8( LPCWSTR wide) { DWORD size; char *buf; if ((LPWSTR)NULL == wide) { return (char *)NULL; } size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, NULL, 0, NULL, 0); if (size == 0) { return (char *)NULL; } buf = nss_ZNEWARRAY(NULL, char, size); size = WideCharToMultiByte(CP_UTF8, 0, wide, -1, buf, size, NULL, 0); if (size == 0) { nss_ZFreeIf(buf); return (char *)NULL; } return buf; } /* * Return a Wide String duplicated with nss allocated memory. */ LPWSTR nss_ckcapi_WideDup( LPCWSTR wide) { DWORD len; LPWSTR buf; if ((LPWSTR)NULL == wide) { return (LPWSTR)NULL; } len = wcslen(wide) + 1; buf = nss_ZNEWARRAY(NULL, WCHAR, len); if ((LPWSTR)NULL == buf) { return buf; } nsslibc_memcpy(buf, wide, len * sizeof(WCHAR)); return buf; } /* * Covert a UTF8 string to Unicode wide character */ LPWSTR nss_ckcapi_UTF8ToWide( char *buf) { DWORD size; LPWSTR wide; if ((char *)NULL == buf) { return (LPWSTR)NULL; } size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0); if (size == 0) { return (LPWSTR)NULL; } wide = nss_ZNEWARRAY(NULL, WCHAR, size); size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size); if (size == 0) { nss_ZFreeIf(wide); return (LPWSTR)NULL; } return wide; } /* * keep all the knowlege of how the internalObject is laid out in this function * * nss_ckcapi_FetchKeyContainer * * fetches the Provider container and info as well as a key handle for a * private key. If something other than a private key is passed in, * this function fails with CKR_KEY_TYPE_INCONSISTENT */ NSS_EXTERN CK_RV nss_ckcapi_FetchKeyContainer( ckcapiInternalObject *iKey, HCRYPTPROV *hProv, DWORD *keySpec, HCRYPTKEY *hKey) { ckcapiCertObject *co; ckcapiKeyObject *ko; BOOL rc, dummy; DWORD msError; switch (iKey->type) { default: case ckcapiRaw: /* can't have raw private keys */ return CKR_KEY_TYPE_INCONSISTENT; case ckcapiCert: if (iKey->objClass != CKO_PRIVATE_KEY) { /* Only private keys have private key provider handles */ return CKR_KEY_TYPE_INCONSISTENT; } co = &iKey->u.cert; /* OK, get the Provider */ rc = CryptAcquireCertificatePrivateKey(co->certContext, CRYPT_ACQUIRE_CACHE_FLAG | CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, hProv, keySpec, &dummy); if (!rc) { goto loser; } break; case ckcapiBareKey: if (iKey->objClass != CKO_PRIVATE_KEY) { /* Only private keys have private key provider handles */ return CKR_KEY_TYPE_INCONSISTENT; } ko = &iKey->u.key; /* OK, get the Provider */ if (0 == ko->hProv) { rc = CryptAcquireContext(hProv, ko->containerName, ko->provName, ko->provInfo.dwProvType, 0); if (!rc) { goto loser; } } else { *hProv = ko->hProv; } *keySpec = ko->provInfo.dwKeySpec; break; } /* and get the crypto handle */ rc = CryptGetUserKey(*hProv, *keySpec, hKey); if (!rc) { goto loser; } return CKR_OK; loser: /* map the microsoft error before leaving */ msError = GetLastError(); switch (msError) { case ERROR_INVALID_HANDLE: case ERROR_INVALID_PARAMETER: case NTE_BAD_KEY: case NTE_NO_KEY: case NTE_BAD_PUBLIC_KEY: case NTE_BAD_KEYSET: case NTE_KEYSET_NOT_DEF: return CKR_KEY_TYPE_INCONSISTENT; case NTE_BAD_UID: case NTE_KEYSET_ENTRY_BAD: return CKR_DEVICE_ERROR; } return CKR_GENERAL_ERROR; } /* * take a DER PUBLIC Key block and return the modulus and exponent */ static void ckcapi_CertPopulateModulusExponent( ckcapiInternalObject *io) { ckcapiKeyParams *kp = &io->u.cert.key; PCCERT_CONTEXT certContext = io->u.cert.certContext; unsigned char *pkData = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData; unsigned int size = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData; unsigned int newSize; unsigned char *ptr, *newptr; /* find the start of the modulus -- this will not give good results if * the key isn't an rsa key! */ ptr = nss_ckcapi_DERUnwrap(pkData, size, &newSize, NULL); kp->modulus.data = nss_ckcapi_DERUnwrap(ptr, newSize, &kp->modulus.size, &newptr); /* changed from signed to unsigned int */ if (0 == *(char *)kp->modulus.data) { kp->modulus.data = ((char *)kp->modulus.data) + 1; kp->modulus.size = kp->modulus.size - 1; } /* changed from signed to unsigned int */ kp->exponent.data = nss_ckcapi_DERUnwrap(newptr, (newptr - ptr) + newSize, &kp->exponent.size, NULL); if (0 == *(char *)kp->exponent.data) { kp->exponent.data = ((char *)kp->exponent.data) + 1; kp->exponent.size = kp->exponent.size - 1; } return; } typedef struct _CAPI_RSA_KEY_BLOB { PUBLICKEYSTRUC header; RSAPUBKEY rsa; char data[1]; } CAPI_RSA_KEY_BLOB; #define CAPI_MODULUS_OFFSET(modSize) 0 #define CAPI_PRIME_1_OFFSET(modSize) (modSize) #define CAPI_PRIME_2_OFFSET(modSize) ((modSize) + (modSize) / 2) #define CAPI_EXPONENT_1_OFFSET(modSize) ((modSize)*2) #define CAPI_EXPONENT_2_OFFSET(modSize) ((modSize)*2 + (modSize) / 2) #define CAPI_COEFFICIENT_OFFSET(modSize) ((modSize)*3) #define CAPI_PRIVATE_EXP_OFFSET(modSize) ((modSize)*3 + (modSize) / 2) void ckcapi_FetchPublicKey( ckcapiInternalObject *io) { ckcapiKeyParams *kp; HCRYPTPROV hProv; DWORD keySpec; HCRYPTKEY hKey = 0; CK_RV error; DWORD bufLen; BOOL rc; unsigned long modulus; char *buf = NULL; CAPI_RSA_KEY_BLOB *blob; error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey); if (CKR_OK != error) { goto loser; } kp = (ckcapiCert == io->type) ? &io->u.cert.key : &io->u.key.key; rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen); if (!rc) { goto loser; } buf = nss_ZNEWARRAY(NULL, char, bufLen); rc = CryptExportKey(hKey, 0, PUBLICKEYBLOB, 0, buf, &bufLen); if (!rc) { goto loser; } /* validate the blob */ blob = (CAPI_RSA_KEY_BLOB *)buf; if ((PUBLICKEYBLOB != blob->header.bType) || (0x02 != blob->header.bVersion) || (0x31415352 != blob->rsa.magic)) { goto loser; } modulus = blob->rsa.bitlen / 8; kp->pubKey = buf; buf = NULL; kp->modulus.data = &blob->data[CAPI_MODULUS_OFFSET(modulus)]; kp->modulus.size = modulus; ckcapi_ReverseData(&kp->modulus); nss_ckcapi_IntToData(blob->rsa.pubexp, &kp->exponent, kp->publicExponentData, &error); loser: nss_ZFreeIf(buf); if (0 != hKey) { CryptDestroyKey(hKey); } return; } void ckcapi_FetchPrivateKey( ckcapiInternalObject *io) { ckcapiKeyParams *kp; HCRYPTPROV hProv; DWORD keySpec; HCRYPTKEY hKey = 0; CK_RV error; DWORD bufLen; BOOL rc; unsigned long modulus; char *buf = NULL; CAPI_RSA_KEY_BLOB *blob; error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey); if (CKR_OK != error) { goto loser; } kp = (ckcapiCert == io->type) ? &io->u.cert.key : &io->u.key.key; rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen); if (!rc) { goto loser; } buf = nss_ZNEWARRAY(NULL, char, bufLen); rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen); if (!rc) { goto loser; } /* validate the blob */ blob = (CAPI_RSA_KEY_BLOB *)buf; if ((PRIVATEKEYBLOB != blob->header.bType) || (0x02 != blob->header.bVersion) || (0x32415352 != blob->rsa.magic)) { goto loser; } modulus = blob->rsa.bitlen / 8; kp->privateKey = buf; buf = NULL; kp->privateExponent.data = &blob->data[CAPI_PRIVATE_EXP_OFFSET(modulus)]; kp->privateExponent.size = modulus; ckcapi_ReverseData(&kp->privateExponent); kp->prime1.data = &blob->data[CAPI_PRIME_1_OFFSET(modulus)]; kp->prime1.size = modulus / 2; ckcapi_ReverseData(&kp->prime1); kp->prime2.data = &blob->data[CAPI_PRIME_2_OFFSET(modulus)]; kp->prime2.size = modulus / 2; ckcapi_ReverseData(&kp->prime2); kp->exponent1.data = &blob->data[CAPI_EXPONENT_1_OFFSET(modulus)]; kp->exponent1.size = modulus / 2; ckcapi_ReverseData(&kp->exponent1); kp->exponent2.data = &blob->data[CAPI_EXPONENT_2_OFFSET(modulus)]; kp->exponent2.size = modulus / 2; ckcapi_ReverseData(&kp->exponent2); kp->coefficient.data = &blob->data[CAPI_COEFFICIENT_OFFSET(modulus)]; kp->coefficient.size = modulus / 2; ckcapi_ReverseData(&kp->coefficient); loser: nss_ZFreeIf(buf); if (0 != hKey) { CryptDestroyKey(hKey); } return; } void ckcapi_PopulateModulusExponent( ckcapiInternalObject *io) { if (ckcapiCert == io->type) { ckcapi_CertPopulateModulusExponent(io); } else { ckcapi_FetchPublicKey(io); } return; } /* * fetch the friendly name attribute. * can only be called with ckcapiCert type objects! */ void ckcapi_FetchLabel( ckcapiInternalObject *io) { ckcapiCertObject *co = &io->u.cert; char *label; PCCERT_CONTEXT certContext = io->u.cert.certContext; char labelDataUTF16[128]; DWORD size = sizeof(labelDataUTF16); DWORD size8 = sizeof(co->labelData); BOOL rv; rv = CertGetCertificateContextProperty(certContext, CERT_FRIENDLY_NAME_PROP_ID, labelDataUTF16, &size); if (rv) { co->labelData = nss_ckcapi_WideToUTF8((LPCWSTR)labelDataUTF16); if ((CHAR *)NULL == co->labelData) { rv = 0; } else { size = strlen(co->labelData); } } label = co->labelData; /* we are presuming a user cert, make sure it has a nickname, even if * Microsoft never gave it one */ if (!rv && co->hasID) { DWORD mserror = GetLastError(); #define DEFAULT_NICKNAME "no Microsoft nickname" label = DEFAULT_NICKNAME; size = sizeof(DEFAULT_NICKNAME); rv = 1; } if (rv) { co->label.data = label; co->label.size = size; } return; } void ckcapi_FetchSerial( ckcapiInternalObject *io) { ckcapiCertObject *co = &io->u.cert; PCCERT_CONTEXT certContext = io->u.cert.certContext; DWORD size = sizeof(co->derSerial); BOOL rc = CryptEncodeObject(X509_ASN_ENCODING, X509_MULTI_BYTE_INTEGER, &certContext->pCertInfo->SerialNumber, co->derSerial, &size); if (rc) { co->serial.data = co->derSerial; co->serial.size = size; } return; } /* * fetch the key ID. */ void ckcapi_FetchID( ckcapiInternalObject *io) { PCCERT_CONTEXT certContext = io->u.cert.certContext; DWORD size = 0; BOOL rc; rc = CertGetCertificateContextProperty(certContext, CERT_KEY_IDENTIFIER_PROP_ID, NULL, &size); if (!rc) { return; } io->idData = nss_ZNEWARRAY(NULL, char, size); if (io->idData == NULL) { return; } rc = CertGetCertificateContextProperty(certContext, CERT_KEY_IDENTIFIER_PROP_ID, io->idData, &size); if (!rc) { nss_ZFreeIf(io->idData); io->idData = NULL; return; } io->id.data = io->idData; io->id.size = size; return; } /* * fetch the hash key. */ void ckcapi_CertFetchHashKey( ckcapiInternalObject *io) { ckcapiCertObject *co = &io->u.cert; PCCERT_CONTEXT certContext = io->u.cert.certContext; DWORD size = certContext->cbCertEncoded; DWORD max = sizeof(io->hashKeyData) - 1; DWORD offset = 0; /* make sure we don't over flow. NOTE: cutting the top of a cert is * not a big issue because the signature for will be unique for the cert */ if (size > max) { offset = size - max; size = max; } nsslibc_memcpy(io->hashKeyData, certContext->pbCertEncoded + offset, size); io->hashKeyData[size] = (char)(io->objClass & 0xff); io->hashKey.data = io->hashKeyData; io->hashKey.size = size + 1; return; } /* * fetch the hash key. */ void ckcapi_KeyFetchHashKey( ckcapiInternalObject *io) { ckcapiKeyObject *ko = &io->u.key; DWORD size; DWORD max = sizeof(io->hashKeyData) - 2; DWORD offset = 0; DWORD provLen = strlen(ko->provName); DWORD containerLen = strlen(ko->containerName); size = provLen + containerLen; /* make sure we don't overflow, try to keep things unique */ if (size > max) { DWORD diff = ((size - max) + 1) / 2; provLen -= diff; containerLen -= diff; size = provLen + containerLen; } nsslibc_memcpy(io->hashKeyData, ko->provName, provLen); nsslibc_memcpy(&io->hashKeyData[provLen], ko->containerName, containerLen); io->hashKeyData[size] = (char)(io->objClass & 0xff); io->hashKeyData[size + 1] = (char)(ko->provInfo.dwKeySpec & 0xff); io->hashKey.data = io->hashKeyData; io->hashKey.size = size + 2; return; } /* * fetch the hash key. */ void ckcapi_FetchHashKey( ckcapiInternalObject *io) { if (ckcapiCert == io->type) { ckcapi_CertFetchHashKey(io); } else { ckcapi_KeyFetchHashKey(io); } return; } const NSSItem * ckcapi_FetchCertAttribute( ckcapiInternalObject *io, CK_ATTRIBUTE_TYPE type) { PCCERT_CONTEXT certContext = io->u.cert.certContext; switch (type) { case CKA_CLASS: return &ckcapi_certClassItem; case CKA_TOKEN: return &ckcapi_trueItem; case CKA_MODIFIABLE: case CKA_PRIVATE: return &ckcapi_falseItem; case CKA_CERTIFICATE_TYPE: return &ckcapi_x509Item; case CKA_LABEL: if (0 == io->u.cert.label.size) { ckcapi_FetchLabel(io); } return &io->u.cert.label; case CKA_SUBJECT: if (0 == io->u.cert.subject.size) { io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData; io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData; } return &io->u.cert.subject; case CKA_ISSUER: if (0 == io->u.cert.issuer.size) { io->u.cert.issuer.data = certContext->pCertInfo->Issuer.pbData; io->u.cert.issuer.size = certContext->pCertInfo->Issuer.cbData; } return &io->u.cert.issuer; case CKA_SERIAL_NUMBER: if (0 == io->u.cert.serial.size) { /* not exactly right. This should be the encoded serial number, but * it's the decoded serial number! */ ckcapi_FetchSerial(io); } return &io->u.cert.serial; case CKA_VALUE: if (0 == io->u.cert.derCert.size) { io->u.cert.derCert.data = io->u.cert.certContext->pbCertEncoded; io->u.cert.derCert.size = io->u.cert.certContext->cbCertEncoded; } return &io->u.cert.derCert; case CKA_ID: if (!io->u.cert.hasID) { return NULL; } if (0 == io->id.size) { ckcapi_FetchID(io); } return &io->id; default: break; } return NULL; } const NSSItem * ckcapi_FetchPubKeyAttribute( ckcapiInternalObject *io, CK_ATTRIBUTE_TYPE type) { PRBool isCertType = (ckcapiCert == io->type); ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key; switch (type) { case CKA_CLASS: return &ckcapi_pubKeyClassItem; case CKA_TOKEN: case CKA_LOCAL: case CKA_ENCRYPT: case CKA_VERIFY: case CKA_VERIFY_RECOVER: return &ckcapi_trueItem; case CKA_PRIVATE: case CKA_MODIFIABLE: case CKA_DERIVE: case CKA_WRAP: return &ckcapi_falseItem; case CKA_KEY_TYPE: return &ckcapi_rsaItem; case CKA_LABEL: if (!isCertType) { return &ckcapi_emptyItem; } if (0 == io->u.cert.label.size) { ckcapi_FetchLabel(io); } return &io->u.cert.label; case CKA_SUBJECT: if (!isCertType) { return &ckcapi_emptyItem; } if (0 == io->u.cert.subject.size) { PCCERT_CONTEXT certContext = io->u.cert.certContext; io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData; io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData; } return &io->u.cert.subject; case CKA_MODULUS: if (0 == kp->modulus.size) { ckcapi_PopulateModulusExponent(io); } return &kp->modulus; case CKA_PUBLIC_EXPONENT: if (0 == kp->modulus.size) { ckcapi_PopulateModulusExponent(io); } return &kp->exponent; case CKA_ID: if (0 == io->id.size) { ckcapi_FetchID(io); } return &io->id; default: break; } return NULL; } const NSSItem * ckcapi_FetchPrivKeyAttribute( ckcapiInternalObject *io, CK_ATTRIBUTE_TYPE type) { PRBool isCertType = (ckcapiCert == io->type); ckcapiKeyParams *kp = isCertType ? &io->u.cert.key : &io->u.key.key; switch (type) { case CKA_CLASS: return &ckcapi_privKeyClassItem; case CKA_TOKEN: case CKA_LOCAL: case CKA_SIGN: case CKA_DECRYPT: case CKA_SIGN_RECOVER: return &ckcapi_trueItem; case CKA_SENSITIVE: case CKA_PRIVATE: /* should move in the future */ case CKA_MODIFIABLE: case CKA_DERIVE: case CKA_UNWRAP: case CKA_EXTRACTABLE: /* will probably move in the future */ case CKA_ALWAYS_SENSITIVE: case CKA_NEVER_EXTRACTABLE: return &ckcapi_falseItem; case CKA_KEY_TYPE: return &ckcapi_rsaItem; case CKA_LABEL: if (!isCertType) { return &ckcapi_emptyItem; } if (0 == io->u.cert.label.size) { ckcapi_FetchLabel(io); } return &io->u.cert.label; case CKA_SUBJECT: if (!isCertType) { return &ckcapi_emptyItem; } if (0 == io->u.cert.subject.size) { PCCERT_CONTEXT certContext = io->u.cert.certContext; io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData; io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData; } return &io->u.cert.subject; case CKA_MODULUS: if (0 == kp->modulus.size) { ckcapi_PopulateModulusExponent(io); } return &kp->modulus; case CKA_PUBLIC_EXPONENT: if (0 == kp->modulus.size) { ckcapi_PopulateModulusExponent(io); } return &kp->exponent; case CKA_PRIVATE_EXPONENT: if (0 == kp->privateExponent.size) { ckcapi_FetchPrivateKey(io); } return &kp->privateExponent; case CKA_PRIME_1: if (0 == kp->privateExponent.size) { ckcapi_FetchPrivateKey(io); } return &kp->prime1; case CKA_PRIME_2: if (0 == kp->privateExponent.size) { ckcapi_FetchPrivateKey(io); } return &kp->prime2; case CKA_EXPONENT_1: if (0 == kp->privateExponent.size) { ckcapi_FetchPrivateKey(io); } return &kp->exponent1; case CKA_EXPONENT_2: if (0 == kp->privateExponent.size) { ckcapi_FetchPrivateKey(io); } return &kp->exponent2; case CKA_COEFFICIENT: if (0 == kp->privateExponent.size) { ckcapi_FetchPrivateKey(io); } return &kp->coefficient; case CKA_ID: if (0 == io->id.size) { ckcapi_FetchID(io); } return &io->id; default: return NULL; } } const NSSItem * nss_ckcapi_FetchAttribute( ckcapiInternalObject *io, CK_ATTRIBUTE_TYPE type) { CK_ULONG i; if (io->type == ckcapiRaw) { for (i = 0; i < io->u.raw.n; i++) { if (type == io->u.raw.types[i]) { return &io->u.raw.items[i]; } } return NULL; } /* deal with the common attributes */ switch (io->objClass) { case CKO_CERTIFICATE: return ckcapi_FetchCertAttribute(io, type); case CKO_PRIVATE_KEY: return ckcapi_FetchPrivKeyAttribute(io, type); case CKO_PUBLIC_KEY: return ckcapi_FetchPubKeyAttribute(io, type); } return NULL; } /* * check to see if the certificate already exists */ static PRBool ckcapi_cert_exists( NSSItem *value, ckcapiInternalObject **io) { int count, i; PRUint32 size = 0; ckcapiInternalObject **listp = NULL; CK_ATTRIBUTE myTemplate[2]; CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; CK_ULONG templateCount = 2; CK_RV error; PRBool found = PR_FALSE; myTemplate[0].type = CKA_CLASS; myTemplate[0].pValue = &cert_class; myTemplate[0].ulValueLen = sizeof(cert_class); myTemplate[1].type = CKA_VALUE; myTemplate[1].pValue = value->data; myTemplate[1].ulValueLen = value->size; count = nss_ckcapi_collect_all_certs(myTemplate, templateCount, &listp, &size, 0, &error); /* free them */ if (count > 1) { *io = listp[0]; found = PR_TRUE; } for (i = 1; i < count; i++) { nss_ckcapi_DestroyInternalObject(listp[i]); } nss_ZFreeIf(listp); return found; } static PRBool ckcapi_cert_hasEmail( PCCERT_CONTEXT certContext) { int count; count = CertGetNameString(certContext, CERT_NAME_EMAIL_TYPE, 0, NULL, NULL, 0); return count > 1 ? PR_TRUE : PR_FALSE; } static PRBool ckcapi_cert_isRoot( PCCERT_CONTEXT certContext) { return CertCompareCertificateName(certContext->dwCertEncodingType, &certContext->pCertInfo->Issuer, &certContext->pCertInfo->Subject); } static PRBool ckcapi_cert_isCA( PCCERT_CONTEXT certContext) { PCERT_EXTENSION extension; CERT_BASIC_CONSTRAINTS2_INFO basicInfo; DWORD size = sizeof(basicInfo); BOOL rc; extension = CertFindExtension(szOID_BASIC_CONSTRAINTS, certContext->pCertInfo->cExtension, certContext->pCertInfo->rgExtension); if ((PCERT_EXTENSION)NULL == extension) { return PR_FALSE; } rc = CryptDecodeObject(X509_ASN_ENCODING, szOID_BASIC_CONSTRAINTS2, extension->Value.pbData, extension->Value.cbData, 0, &basicInfo, &size); if (!rc) { return PR_FALSE; } return (PRBool)basicInfo.fCA; } static CRYPT_KEY_PROV_INFO * ckcapi_cert_getPrivateKeyInfo( PCCERT_CONTEXT certContext, NSSItem *keyID) { BOOL rc; CRYPT_HASH_BLOB msKeyID; DWORD size = 0; CRYPT_KEY_PROV_INFO *prov = NULL; msKeyID.cbData = keyID->size; msKeyID.pbData = keyID->data; rc = CryptGetKeyIdentifierProperty( &msKeyID, CERT_KEY_PROV_INFO_PROP_ID, 0, NULL, NULL, NULL, &size); if (!rc) { return (CRYPT_KEY_PROV_INFO *)NULL; } prov = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size); if ((CRYPT_KEY_PROV_INFO *)prov == NULL) { return (CRYPT_KEY_PROV_INFO *)NULL; } rc = CryptGetKeyIdentifierProperty( &msKeyID, CERT_KEY_PROV_INFO_PROP_ID, 0, NULL, NULL, prov, &size); if (!rc) { nss_ZFreeIf(prov); return (CRYPT_KEY_PROV_INFO *)NULL; } return prov; } static CRYPT_KEY_PROV_INFO * ckcapi_cert_getProvInfo( ckcapiInternalObject *io) { BOOL rc; DWORD size = 0; CRYPT_KEY_PROV_INFO *prov = NULL; rc = CertGetCertificateContextProperty( io->u.cert.certContext, CERT_KEY_PROV_INFO_PROP_ID, NULL, &size); if (!rc) { return (CRYPT_KEY_PROV_INFO *)NULL; } prov = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size); if ((CRYPT_KEY_PROV_INFO *)prov == NULL) { return (CRYPT_KEY_PROV_INFO *)NULL; } rc = CertGetCertificateContextProperty( io->u.cert.certContext, CERT_KEY_PROV_INFO_PROP_ID, prov, &size); if (!rc) { nss_ZFreeIf(prov); return (CRYPT_KEY_PROV_INFO *)NULL; } return prov; } /* forward declaration */ static void ckcapi_removeObjectFromHash( ckcapiInternalObject *io); /* * Finalize - unneeded * Destroy * IsTokenObject - CK_TRUE * GetAttributeCount * GetAttributeTypes * GetAttributeSize * GetAttribute * SetAttribute * GetObjectSize */ static CK_RV ckcapi_mdObject_Destroy( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance) { ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc; CK_OBJECT_CLASS objClass; BOOL rc; DWORD provType; DWORD msError; PRBool isCertType = (PRBool)(ckcapiCert == io->type); HCERTSTORE hStore = 0; if (ckcapiRaw == io->type) { /* there is not 'object write protected' error, use the next best thing */ return CKR_TOKEN_WRITE_PROTECTED; } objClass = io->objClass; if (CKO_CERTIFICATE == objClass) { PCCERT_CONTEXT certContext; /* get the store */ hStore = CertOpenSystemStore(0, io->u.cert.certStore); if (0 == hStore) { rc = 0; goto loser; } certContext = CertFindCertificateInStore(hStore, X509_ASN_ENCODING, 0, CERT_FIND_EXISTING, io->u.cert.certContext, NULL); if ((PCCERT_CONTEXT)NULL == certContext) { rc = 0; goto loser; } rc = CertDeleteCertificateFromStore(certContext); } else { char *provName = NULL; char *containerName = NULL; HCRYPTPROV hProv; CRYPT_HASH_BLOB msKeyID; if (0 == io->id.size) { ckcapi_FetchID(io); } if (isCertType) { CRYPT_KEY_PROV_INFO *provInfo = ckcapi_cert_getProvInfo(io); provName = nss_ckcapi_WideToUTF8(provInfo->pwszProvName); containerName = nss_ckcapi_WideToUTF8(provInfo->pwszContainerName); provType = provInfo->dwProvType; nss_ZFreeIf(provInfo); } else { provName = io->u.key.provName; containerName = io->u.key.containerName; provType = io->u.key.provInfo.dwProvType; io->u.key.provName = NULL; io->u.key.containerName = NULL; } /* first remove the key id pointer */ msKeyID.cbData = io->id.size; msKeyID.pbData = io->id.data; rc = CryptSetKeyIdentifierProperty(&msKeyID, CERT_KEY_PROV_INFO_PROP_ID, CRYPT_KEYID_DELETE_FLAG, NULL, NULL, NULL); if (rc) { rc = CryptAcquireContext(&hProv, containerName, provName, provType, CRYPT_DELETEKEYSET); } nss_ZFreeIf(provName); nss_ZFreeIf(containerName); } loser: if (hStore) { CertCloseStore(hStore, 0); } if (!rc) { msError = GetLastError(); return CKR_GENERAL_ERROR; } /* remove it from the hash */ ckcapi_removeObjectFromHash(io); /* free the puppy.. */ nss_ckcapi_DestroyInternalObject(io); return CKR_OK; } static CK_BBOOL ckcapi_mdObject_IsTokenObject( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance) { return CK_TRUE; } static CK_ULONG ckcapi_mdObject_GetAttributeCount( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance, CK_RV *pError) { ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc; if (ckcapiRaw == io->type) { return io->u.raw.n; } switch (io->objClass) { case CKO_CERTIFICATE: return certAttrsCount; case CKO_PUBLIC_KEY: return pubKeyAttrsCount; case CKO_PRIVATE_KEY: return privKeyAttrsCount; default: break; } return 0; } static CK_RV ckcapi_mdObject_GetAttributeTypes( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance, CK_ATTRIBUTE_TYPE_PTR typeArray, CK_ULONG ulCount) { ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc; CK_ULONG i; CK_RV error = CKR_OK; const CK_ATTRIBUTE_TYPE *attrs = NULL; CK_ULONG size = ckcapi_mdObject_GetAttributeCount( mdObject, fwObject, mdSession, fwSession, mdToken, fwToken, mdInstance, fwInstance, &error); if (size != ulCount) { return CKR_BUFFER_TOO_SMALL; } if (io->type == ckcapiRaw) { attrs = io->u.raw.types; } else switch (io->objClass) { case CKO_CERTIFICATE: attrs = certAttrs; break; case CKO_PUBLIC_KEY: attrs = pubKeyAttrs; break; case CKO_PRIVATE_KEY: attrs = privKeyAttrs; break; default: return CKR_OK; } for (i = 0; i < size; i++) { typeArray[i] = attrs[i]; } return CKR_OK; } static CK_ULONG ckcapi_mdObject_GetAttributeSize( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance, CK_ATTRIBUTE_TYPE attribute, CK_RV *pError) { ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc; const NSSItem *b; b = nss_ckcapi_FetchAttribute(io, attribute); if ((const NSSItem *)NULL == b) { *pError = CKR_ATTRIBUTE_TYPE_INVALID; return 0; } return b->size; } static CK_RV ckcapi_mdObject_SetAttribute( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance, CK_ATTRIBUTE_TYPE attribute, NSSItem *value) { return CKR_OK; } static NSSCKFWItem ckcapi_mdObject_GetAttribute( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance, CK_ATTRIBUTE_TYPE attribute, CK_RV *pError) { NSSCKFWItem mdItem; ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc; mdItem.needsFreeing = PR_FALSE; mdItem.item = (NSSItem *)nss_ckcapi_FetchAttribute(io, attribute); if ((NSSItem *)NULL == mdItem.item) { *pError = CKR_ATTRIBUTE_TYPE_INVALID; } return mdItem; } static CK_ULONG ckcapi_mdObject_GetObjectSize( NSSCKMDObject *mdObject, NSSCKFWObject *fwObject, NSSCKMDSession *mdSession, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, NSSCKFWToken *fwToken, NSSCKMDInstance *mdInstance, NSSCKFWInstance *fwInstance, CK_RV *pError) { ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc; CK_ULONG rv = 1; /* size is irrelevant to this token */ return rv; } static const NSSCKMDObject ckcapi_prototype_mdObject = { (void *)NULL, /* etc */ NULL, /* Finalize */ ckcapi_mdObject_Destroy, ckcapi_mdObject_IsTokenObject, ckcapi_mdObject_GetAttributeCount, ckcapi_mdObject_GetAttributeTypes, ckcapi_mdObject_GetAttributeSize, ckcapi_mdObject_GetAttribute, NULL, /* FreeAttribute */ ckcapi_mdObject_SetAttribute, ckcapi_mdObject_GetObjectSize, (void *)NULL /* null terminator */ }; static nssHash *ckcapiInternalObjectHash = NULL; NSS_IMPLEMENT NSSCKMDObject * nss_ckcapi_CreateMDObject( NSSArena *arena, ckcapiInternalObject *io, CK_RV *pError) { if ((nssHash *)NULL == ckcapiInternalObjectHash) { ckcapiInternalObjectHash = nssHash_CreateItem(NULL, 10); } if (ckcapiCert == io->type) { /* the hash key, not a cryptographic key */ NSSItem *key = &io->hashKey; ckcapiInternalObject *old_o = NULL; if (key->size == 0) { ckcapi_FetchHashKey(io); } old_o = (ckcapiInternalObject *) nssHash_Lookup(ckcapiInternalObjectHash, key); if (!old_o) { nssHash_Add(ckcapiInternalObjectHash, key, io); } else if (old_o != io) { nss_ckcapi_DestroyInternalObject(io); io = old_o; } } if ((void *)NULL == io->mdObject.etc) { (void)nsslibc_memcpy(&io->mdObject, &ckcapi_prototype_mdObject, sizeof(ckcapi_prototype_mdObject)); io->mdObject.etc = (void *)io; } return &io->mdObject; } static void ckcapi_removeObjectFromHash( ckcapiInternalObject *io) { NSSItem *key = &io->hashKey; if ((nssHash *)NULL == ckcapiInternalObjectHash) { return; } if (key->size == 0) { ckcapi_FetchHashKey(io); } nssHash_Remove(ckcapiInternalObjectHash, key); return; } void nss_ckcapi_DestroyInternalObject( ckcapiInternalObject *io) { switch (io->type) { case ckcapiRaw: return; case ckcapiCert: CertFreeCertificateContext(io->u.cert.certContext); nss_ZFreeIf(io->u.cert.labelData); nss_ZFreeIf(io->u.cert.key.privateKey); nss_ZFreeIf(io->u.cert.key.pubKey); nss_ZFreeIf(io->idData); break; case ckcapiBareKey: nss_ZFreeIf(io->u.key.provInfo.pwszContainerName); nss_ZFreeIf(io->u.key.provInfo.pwszProvName); nss_ZFreeIf(io->u.key.provName); nss_ZFreeIf(io->u.key.containerName); nss_ZFreeIf(io->u.key.key.privateKey); nss_ZFreeIf(io->u.key.key.pubKey); if (0 != io->u.key.hProv) { CryptReleaseContext(io->u.key.hProv, 0); } nss_ZFreeIf(io->idData); break; } nss_ZFreeIf(io); return; } static ckcapiInternalObject * nss_ckcapi_CreateCertificate( NSSCKFWSession *fwSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_RV *pError) { NSSItem value; NSSItem keyID; char *storeStr; ckcapiInternalObject *io = NULL; PCCERT_CONTEXT certContext = NULL; PCCERT_CONTEXT storedCertContext = NULL; CRYPT_KEY_PROV_INFO *prov_info = NULL; char *nickname = NULL; HCERTSTORE hStore = 0; DWORD msError = 0; PRBool hasID; CK_RV dummy; BOOL rc; *pError = nss_ckcapi_GetAttribute(CKA_VALUE, pTemplate, ulAttributeCount, &value); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate, ulAttributeCount, &keyID); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } if (ckcapi_cert_exists(&value, &io)) { return io; } /* OK, we are creating a new one, figure out what store it belongs to.. * first get a certContext handle.. */ certContext = CertCreateCertificateContext(X509_ASN_ENCODING, value.data, value.size); if ((PCCERT_CONTEXT)NULL == certContext) { msError = GetLastError(); *pError = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } /* do we have a private key laying around... */ prov_info = ckcapi_cert_getPrivateKeyInfo(certContext, &keyID); if (prov_info) { CRYPT_DATA_BLOB msKeyID; storeStr = "My"; hasID = PR_TRUE; rc = CertSetCertificateContextProperty(certContext, CERT_KEY_PROV_INFO_PROP_ID, 0, prov_info); nss_ZFreeIf(prov_info); if (!rc) { msError = GetLastError(); *pError = CKR_DEVICE_ERROR; goto loser; } msKeyID.cbData = keyID.size; msKeyID.pbData = keyID.data; rc = CertSetCertificateContextProperty(certContext, CERT_KEY_IDENTIFIER_PROP_ID, 0, &msKeyID); if (!rc) { msError = GetLastError(); *pError = CKR_DEVICE_ERROR; goto loser; } /* does it look like a CA */ } else if (ckcapi_cert_isCA(certContext)) { storeStr = ckcapi_cert_isRoot(certContext) ? "CA" : "Root"; /* does it look like an S/MIME cert */ } else if (ckcapi_cert_hasEmail(certContext)) { storeStr = "AddressBook"; } else { /* just pick a store */ storeStr = "CA"; } /* get the nickname, not an error if we can't find it */ nickname = nss_ckcapi_GetStringAttribute(CKA_LABEL, pTemplate, ulAttributeCount, &dummy); if (nickname) { LPWSTR nicknameUTF16 = NULL; CRYPT_DATA_BLOB nicknameBlob; nicknameUTF16 = nss_ckcapi_UTF8ToWide(nickname); nss_ZFreeIf(nickname); nickname = NULL; if ((LPWSTR)NULL == nicknameUTF16) { *pError = CKR_HOST_MEMORY; goto loser; } nicknameBlob.cbData = nss_ckcapi_WideSize(nicknameUTF16); nicknameBlob.pbData = (BYTE *)nicknameUTF16; rc = CertSetCertificateContextProperty(certContext, CERT_FRIENDLY_NAME_PROP_ID, 0, &nicknameBlob); nss_ZFreeIf(nicknameUTF16); if (!rc) { msError = GetLastError(); *pError = CKR_DEVICE_ERROR; goto loser; } } hStore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr); if (0 == hStore) { msError = GetLastError(); *pError = CKR_DEVICE_ERROR; goto loser; } rc = CertAddCertificateContextToStore(hStore, certContext, CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES, &storedCertContext); CertFreeCertificateContext(certContext); certContext = NULL; CertCloseStore(hStore, 0); hStore = 0; if (!rc) { msError = GetLastError(); *pError = CKR_DEVICE_ERROR; goto loser; } io = nss_ZNEW(NULL, ckcapiInternalObject); if ((ckcapiInternalObject *)NULL == io) { *pError = CKR_HOST_MEMORY; goto loser; } io->type = ckcapiCert; io->objClass = CKO_CERTIFICATE; io->u.cert.certContext = storedCertContext; io->u.cert.hasID = hasID; return io; loser: if (certContext) { CertFreeCertificateContext(certContext); certContext = NULL; } if (storedCertContext) { CertFreeCertificateContext(storedCertContext); storedCertContext = NULL; } if (0 != hStore) { CertCloseStore(hStore, 0); } return (ckcapiInternalObject *)NULL; } static char * ckcapi_getDefaultProvider( CK_RV *pError) { char *name = NULL; BOOL rc; DWORD nameLength = 0; rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, NULL, &nameLength); if (!rc) { return (char *)NULL; } name = nss_ZNEWARRAY(NULL, char, nameLength); if ((char *)NULL == name) { return (char *)NULL; } rc = CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_USER_DEFAULT, name, &nameLength); if (!rc) { nss_ZFreeIf(name); return (char *)NULL; } return name; } static char * ckcapi_getContainer( CK_RV *pError, NSSItem *id) { RPC_STATUS rstat; UUID uuid; char *uuidStr; char *container; rstat = UuidCreate(&uuid); rstat = UuidToString(&uuid, &uuidStr); /* convert it from rcp memory to our own */ container = nssUTF8_Duplicate(uuidStr, NULL); RpcStringFree(&uuidStr); return container; } static CK_RV ckcapi_buildPrivateKeyBlob( NSSItem *keyBlob, NSSItem *modulus, NSSItem *publicExponent, NSSItem *privateExponent, NSSItem *prime1, NSSItem *prime2, NSSItem *exponent1, NSSItem *exponent2, NSSItem *coefficient, PRBool isKeyExchange) { CAPI_RSA_KEY_BLOB *keyBlobData = NULL; unsigned char *target; unsigned long modSize = modulus->size; unsigned long dataSize; CK_RV error = CKR_OK; /* validate extras */ if (privateExponent->size != modSize) { error = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } if (prime1->size != modSize / 2) { error = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } if (prime2->size != modSize / 2) { error = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } if (exponent1->size != modSize / 2) { error = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } if (exponent2->size != modSize / 2) { error = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } if (coefficient->size != modSize / 2) { error = CKR_ATTRIBUTE_VALUE_INVALID; goto loser; } dataSize = (modSize * 4) + (modSize / 2) + sizeof(CAPI_RSA_KEY_BLOB); keyBlobData = (CAPI_RSA_KEY_BLOB *)nss_ZAlloc(NULL, dataSize); if ((CAPI_RSA_KEY_BLOB *)NULL == keyBlobData) { error = CKR_HOST_MEMORY; goto loser; } keyBlobData->header.bType = PRIVATEKEYBLOB; keyBlobData->header.bVersion = 0x02; keyBlobData->header.reserved = 0x00; keyBlobData->header.aiKeyAlg = isKeyExchange ? CALG_RSA_KEYX : CALG_RSA_SIGN; keyBlobData->rsa.magic = 0x32415352; keyBlobData->rsa.bitlen = modSize * 8; keyBlobData->rsa.pubexp = nss_ckcapi_DataToInt(publicExponent, &error); if (CKR_OK != error) { goto loser; } target = &keyBlobData->data[CAPI_MODULUS_OFFSET(modSize)]; nsslibc_memcpy(target, modulus->data, modulus->size); modulus->data = target; ckcapi_ReverseData(modulus); target = &keyBlobData->data[CAPI_PRIVATE_EXP_OFFSET(modSize)]; nsslibc_memcpy(target, privateExponent->data, privateExponent->size); privateExponent->data = target; ckcapi_ReverseData(privateExponent); target = &keyBlobData->data[CAPI_PRIME_1_OFFSET(modSize)]; nsslibc_memcpy(target, prime1->data, prime1->size); prime1->data = target; ckcapi_ReverseData(prime1); target = &keyBlobData->data[CAPI_PRIME_2_OFFSET(modSize)]; nsslibc_memcpy(target, prime2->data, prime2->size); prime2->data = target; ckcapi_ReverseData(prime2); target = &keyBlobData->data[CAPI_EXPONENT_1_OFFSET(modSize)]; nsslibc_memcpy(target, exponent1->data, exponent1->size); exponent1->data = target; ckcapi_ReverseData(exponent1); target = &keyBlobData->data[CAPI_EXPONENT_2_OFFSET(modSize)]; nsslibc_memcpy(target, exponent2->data, exponent2->size); exponent2->data = target; ckcapi_ReverseData(exponent2); target = &keyBlobData->data[CAPI_COEFFICIENT_OFFSET(modSize)]; nsslibc_memcpy(target, coefficient->data, coefficient->size); coefficient->data = target; ckcapi_ReverseData(coefficient); keyBlob->data = keyBlobData; keyBlob->size = dataSize; return CKR_OK; loser: nss_ZFreeIf(keyBlobData); return error; } static ckcapiInternalObject * nss_ckcapi_CreatePrivateKey( NSSCKFWSession *fwSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_RV *pError) { NSSItem modulus; NSSItem publicExponent; NSSItem privateExponent; NSSItem exponent1; NSSItem exponent2; NSSItem prime1; NSSItem prime2; NSSItem coefficient; NSSItem keyID; NSSItem keyBlob; ckcapiInternalObject *io = NULL; char *providerName = NULL; char *containerName = NULL; char *idData = NULL; CRYPT_KEY_PROV_INFO provInfo; CRYPT_HASH_BLOB msKeyID; CK_KEY_TYPE keyType; HCRYPTPROV hProv = 0; HCRYPTKEY hKey = 0; PRBool decrypt; DWORD keySpec; DWORD msError; BOOL rc; keyType = nss_ckcapi_GetULongAttribute(CKA_KEY_TYPE, pTemplate, ulAttributeCount, pError); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } if (CKK_RSA != keyType) { *pError = CKR_ATTRIBUTE_VALUE_INVALID; return (ckcapiInternalObject *)NULL; } decrypt = nss_ckcapi_GetBoolAttribute(CKA_DECRYPT, pTemplate, ulAttributeCount, pError); if (CKR_TEMPLATE_INCOMPLETE == *pError) { decrypt = PR_TRUE; /* default to true */ } decrypt = decrypt || nss_ckcapi_GetBoolAttribute(CKA_UNWRAP, pTemplate, ulAttributeCount, pError); if (CKR_TEMPLATE_INCOMPLETE == *pError) { decrypt = PR_TRUE; /* default to true */ } keySpec = decrypt ? AT_KEYEXCHANGE : AT_SIGNATURE; *pError = nss_ckcapi_GetAttribute(CKA_MODULUS, pTemplate, ulAttributeCount, &modulus); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_PUBLIC_EXPONENT, pTemplate, ulAttributeCount, &publicExponent); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_PRIVATE_EXPONENT, pTemplate, ulAttributeCount, &privateExponent); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_PRIME_1, pTemplate, ulAttributeCount, &prime1); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_PRIME_2, pTemplate, ulAttributeCount, &prime2); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_1, pTemplate, ulAttributeCount, &exponent1); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_EXPONENT_2, pTemplate, ulAttributeCount, &exponent2); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_COEFFICIENT, pTemplate, ulAttributeCount, &coefficient); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } *pError = nss_ckcapi_GetAttribute(CKA_ID, pTemplate, ulAttributeCount, &keyID); if (CKR_OK != *pError) { return (ckcapiInternalObject *)NULL; } providerName = ckcapi_getDefaultProvider(pError); if ((char *)NULL == providerName) { return (ckcapiInternalObject *)NULL; } containerName = ckcapi_getContainer(pError, &keyID); if ((char *)NULL == containerName) { goto loser; } rc = CryptAcquireContext(&hProv, containerName, providerName, PROV_RSA_FULL, CRYPT_NEWKEYSET); if (!rc) { msError = GetLastError(); *pError = CKR_DEVICE_ERROR; goto loser; } *pError = ckcapi_buildPrivateKeyBlob( &keyBlob, &modulus, &publicExponent, &privateExponent, &prime1, &prime2, &exponent1, &exponent2, &coefficient, decrypt); if (CKR_OK != *pError) { goto loser; } rc = CryptImportKey(hProv, keyBlob.data, keyBlob.size, 0, CRYPT_EXPORTABLE, &hKey); if (!rc) { msError = GetLastError(); *pError = CKR_DEVICE_ERROR; goto loser; } idData = nss_ZNEWARRAY(NULL, char, keyID.size); if ((void *)NULL == idData) { *pError = CKR_HOST_MEMORY; goto loser; } nsslibc_memcpy(idData, keyID.data, keyID.size); provInfo.pwszContainerName = nss_ckcapi_UTF8ToWide(containerName); provInfo.pwszProvName = nss_ckcapi_UTF8ToWide(providerName); provInfo.dwProvType = PROV_RSA_FULL; provInfo.dwFlags = 0; provInfo.cProvParam = 0; provInfo.rgProvParam = NULL; provInfo.dwKeySpec = keySpec; msKeyID.cbData = keyID.size; msKeyID.pbData = keyID.data; rc = CryptSetKeyIdentifierProperty(&msKeyID, CERT_KEY_PROV_INFO_PROP_ID, 0, NULL, NULL, &provInfo); if (!rc) { goto loser; } /* handle error here */ io = nss_ZNEW(NULL, ckcapiInternalObject); if ((ckcapiInternalObject *)NULL == io) { *pError = CKR_HOST_MEMORY; goto loser; } io->type = ckcapiBareKey; io->objClass = CKO_PRIVATE_KEY; io->u.key.provInfo = provInfo; io->u.key.provName = providerName; io->u.key.containerName = containerName; io->u.key.hProv = hProv; /* save the handle */ io->idData = idData; io->id.data = idData; io->id.size = keyID.size; /* done with the key handle */ CryptDestroyKey(hKey); return io; loser: nss_ZFreeIf(containerName); nss_ZFreeIf(providerName); nss_ZFreeIf(idData); if (0 != hProv) { CryptReleaseContext(hProv, 0); } if (0 != hKey) { CryptDestroyKey(hKey); } return (ckcapiInternalObject *)NULL; } NSS_EXTERN NSSCKMDObject * nss_ckcapi_CreateObject( NSSCKFWSession *fwSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_RV *pError) { CK_OBJECT_CLASS objClass; ckcapiInternalObject *io = NULL; CK_BBOOL isToken; /* * only create token objects */ isToken = nss_ckcapi_GetBoolAttribute(CKA_TOKEN, pTemplate, ulAttributeCount, pError); if (CKR_OK != *pError) { return (NSSCKMDObject *)NULL; } if (!isToken) { *pError = CKR_ATTRIBUTE_VALUE_INVALID; return (NSSCKMDObject *)NULL; } /* * only create keys and certs. */ objClass = nss_ckcapi_GetULongAttribute(CKA_CLASS, pTemplate, ulAttributeCount, pError); if (CKR_OK != *pError) { return (NSSCKMDObject *)NULL; } #ifdef notdef if (objClass == CKO_PUBLIC_KEY) { return CKR_OK; /* fake public key creation, happens as a side effect of * private key creation */ } #endif if (objClass == CKO_CERTIFICATE) { io = nss_ckcapi_CreateCertificate(fwSession, pTemplate, ulAttributeCount, pError); } else if (objClass == CKO_PRIVATE_KEY) { io = nss_ckcapi_CreatePrivateKey(fwSession, pTemplate, ulAttributeCount, pError); } else { *pError = CKR_ATTRIBUTE_VALUE_INVALID; } if ((ckcapiInternalObject *)NULL == io) { return (NSSCKMDObject *)NULL; } return nss_ckcapi_CreateMDObject(NULL, io, pError); }