nss_spi.c revision 6b35cb3cf158584a9408d44b9b6796564e8e1882
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER START
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The contents of this file are subject to the terms of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Common Development and Distribution License (the "License").
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You may not use this file except in compliance with the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * See the License for the specific language governing permissions
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and limitations under the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When distributing Covered Code, include this CDDL HEADER in each
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If applicable, add the following below this CDDL HEADER, with the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fields enclosed by brackets "[]" replaced with your own identifying
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * information: Portions Copyright [yyyy] [name of copyright owner]
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER END
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NSS keystore wrapper
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Use is subject to license terms.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/* NSS related headers */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic int nss_initialized = 0;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_ConfigureKeystore(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_CreateKeypair(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_EncodePubKeyData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_DATA *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_SignData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_FindCertInCRL(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_FindPrikeyByCert(KMF_HANDLE_T, int, KMF_ATTRIBUTE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DecryptData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_SYM_KEY *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/* additions for importing and exporting PKCS 12 files */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllystypedef struct p12uContextStr {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define SET_ERROR(h, c) h->lasterr.kstype = KMF_KEYSTORE_NSS; \
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic char *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysnss_getpassword(PK11SlotInfo *slot, PRBool retry, void *arg)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If a password was given, try to login to the slot */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cred == NULL || cred->cred == NULL || cred->credlen == 0 ||
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nssrv = PK11_Authenticate(nss_slot, PR_TRUE, (void *)cred->cred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys const char *certPrefix,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys const char *keyPrefix,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys const char *secmodName)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If another thread already did it, return OK. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = NSS_Initialize((configdir && strlen(configdir)) ?
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys secmodName ? secmodName : "secmod.db", NSS_INIT_COOPERATE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When it is called the first time, it will initialize NSS. Once the NSS
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * is initialized, this function returns KMF_KEYSTORE_ALREADY_INITIALIZED
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * if it is called again.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys configdir = kmf_get_attr_ptr(KMF_DIRPATH_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certPrefix = kmf_get_attr_ptr(KMF_CERTPREFIX_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keyPrefix = kmf_get_attr_ptr(KMF_KEYPREFIX_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys secModName = kmf_get_attr_ptr(KMF_SECMODNAME_ATTR, attrlist, numattr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function sets up the slot to be used for other operations.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function is basically called by every NSS SPI function.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * For those functions that can only be performed in the internal slot, the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * boolean "internal_slot_only" argument needs to be TRUE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * A slot pointer will be returned when this function is executed successfully.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys slotlabel = kmf_get_attr_ptr(KMF_TOKEN_LABEL_ATTR, attrlist, numattr);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NSS is already initialized, but we need to find
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the right slot.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the token was not yet initialized, return an error.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysnss2kmf_cert(CERTCertificate *nss_cert, KMF_X509_DER_CERT *kmf_cert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmf_cert->kmf_private.keystore_type = KMF_KEYSTORE_NSS;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmf_cert->certificate.Length = nss_cert->derCert.len;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((kmf_cert->certificate.Data = malloc(nss_cert->derCert.len)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(kmf_cert->certificate.Data, nss_cert->derCert.data,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint32_t *num_certs, KMF_CERT_VALIDITY find_criteria)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys validity = CERT_CheckCertValidTimes(nss_cert, PR_Now(),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is an invalid cert, reject it */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys validity = CERT_CheckCertValidTimes(nss_cert, PR_Now(),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is a valid cert, reject it in this case. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* We copied the data we need, so cleanup the internal record */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CERTCertList **certlist, KMF_CERT_VALIDITY find_criteria)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (serial != 0 && serial->val != NULL && serial->len > 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* select the certs using find criteria */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is an invalid cert */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is a valid cert */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Don't copy more certs than the caller wanted.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If we failed, delete any certs allocated so far.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < *numcerts; i++)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_FindCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys num_certs = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the optional returned certificate list */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys kmfcerts = kmf_get_attr_ptr(KMF_X509_DER_CERT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get optional search criteria attributes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certlabel = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
f482c776bc557f0256e776932c7842b9db390de1wyllys /* This will only find 1 certificate */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = nss_getcert_by_label(kmfh, certlabel, kmfcerts, num_certs,
f482c776bc557f0256e776932c7842b9db390de1wyllys * Build a list of matching certs.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = nss_find_matching_certs(nss_slot, issuer, subject, serial,
f482c776bc557f0256e776932c7842b9db390de1wyllys * If the caller supplied a pointer to storage for
f482c776bc557f0256e776932c7842b9db390de1wyllys * a list of certs, convert up to 'maxcerts' of the
f482c776bc557f0256e776932c7842b9db390de1wyllys * matching certs.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_DeleteCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the search criteria attributes. They are all optional. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certlabel = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CERT_VALIDITY_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Start finding the matched certificates and delete them. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is an invalid cert - skip it */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is a valid cert - skip it */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* delete it from database */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = nss_find_matching_certs(nss_slot, issuer, subject, serial,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* "storekey" is optional. Default is TRUE */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keytype is optional. KMF_RSA is default */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr,
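30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Default keylen = 1024. NOTE(review): if this is the RSA modulus size in bits, 1024 is below current guidance (2048 minimum); callers should pass KMF_KEYLENGTH_ATTR explicitly. */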
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLABEL_ATTR, attrlist, numattr, NULL, &len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Now fill in the label value */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLABEL_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get some random bits */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NSS only allows for a 4 byte exponent.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Ignore the exponent parameter if it is too big.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rv = kmf_get_attr(KMF_RSAEXP_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nssrv = PK11_PQG_ParamGen(ks, &pqgParams, &pqgVerify);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nssrv = PK11_PQG_VerifyParams(pqgParams, pqgVerify, &passed);
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll KMF_OID *eccoid = kmf_get_attr_ptr(KMF_ECC_CURVE_OID_ATTR,
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll ecparams = SECITEM_AllocItem(NULL, NULL, (eccoid->Length));
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll (void) memcpy(ecparams->data, eccoid->Data, eccoid->Length);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys NSSprivkey = PK11_GenerateKeyPair(nss_slot, mechanism, nssparams,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) PK11_SetPublicKeyNickname(NSSpubkey, keylabel);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now, convert it to a KMF_KEY object for the framework */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys privkey->keylabel = PK11_GetPrivateKeyNickname(NSSprivkey);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pubkey->keylabel = PK11_GetPublicKeyNickname(NSSpubkey);
5ad42b1b1469908fabc0099764182e9ecbc04ddaSurya Prakki (void) PK11_DeleteTokenPrivateKey(NSSprivkey, PR_TRUE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Map the OID to a NSS algorithm */
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll signAlgTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll signAlgTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll signAlgTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys signAlgTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll else if (AlgId == KMF_ALGID_SHA1WithECDSA || AlgId == KMF_ALGID_ECDSA)
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll signAlgTag = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll else if (AlgId == KMF_ALGID_SHA256WithECDSA)
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll signAlgTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll else if (AlgId == KMF_ALGID_SHA384WithECDSA)
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll signAlgTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll else if (AlgId == KMF_ALGID_SHA512WithECDSA)
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll signAlgTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE;
e65e5c2d2f32a99e8c5f740cabae9075dab03ce7Wyllys Ingersoll else /* NSS does not support DSA with SHA2 hashes (FIPS 186-3) */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(output->Data, signed_data.data, signed_data.len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *keyp,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (keyp == NULL || encoded == NULL || keyp->keyp == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys spki = SECKEY_CreateSubjectPublicKeyInfo(keyp->keyp);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(encoded->Data, rvitem->data, rvitem->len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * "delete_token" means to clear it from the token storage as well
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * as from memory.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_DESTROY_BOOL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* "delete_token" is optional. Default is TRUE */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SECKEY_DestroyPublicKey((SECKEYPublicKey *)key->keyp);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SECKEY_DestroyPrivateKey((SECKEYPrivateKey *)key->keyp);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_GetErrorString(KMF_HANDLE_T handle, char **msgstr)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the error string in the default language */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys str = (char *)PR_ErrorToName((PRErrorCode)kmfh->lasterr.errcode);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_FindPrikeyByCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the credential */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the key handle */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys key = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the cert data and decode it */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_cert = CERT_DecodeCertFromPackage((char *)cert->Data,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys privkey = PK11_FindPrivateKeyFromCert(nss_slot, nss_cert, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_DecryptData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < blocks; i++) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (rv != 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* not supported */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys numkeys = kmf_get_attr_ptr(KMF_COUNT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
2cbed7292737821015ab481353eb10e8346b2c05wyllys /* It is OK if this is NULL, we don't need a cred to find public keys */
2cbed7292737821015ab481353eb10e8346b2c05wyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYCLASS_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys findLabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys publist = PK11_ListPublicKeysInSlot(nss_slot, findLabel);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys prilist = PK11_ListPrivKeysInSlot(nss_slot, findLabel, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys symlist = PK11_ListFixedKeysInSlot(nss_slot, findLabel, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keys = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* it is okay if "keys" contains NULL */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys !PUBKEY_LIST_END(pubnode, publist) && count < maxkeys;
2cbed7292737821015ab481353eb10e8346b2c05wyllys * Due to a bug in NSS, we have to manually match
2cbed7292737821015ab481353eb10e8346b2c05wyllys * the labels to be sure we have a match.
2cbed7292737821015ab481353eb10e8346b2c05wyllys /* always match if findLabel is NULL */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (count = 0, prinode = PRIVKEY_LIST_HEAD(prilist);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys !PRIVKEY_LIST_END(prinode, prilist) && count < maxkeys;
2cbed7292737821015ab481353eb10e8346b2c05wyllys * Due to a bug in NSS, we have to manually match
2cbed7292737821015ab481353eb10e8346b2c05wyllys * the labels to be sure we have a match.
2cbed7292737821015ab481353eb10e8346b2c05wyllys /* always match if findLabel is NULL */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If keytype is specified in the searching parameter,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * check the keytype and skip the key if its keytype
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * doesn't match.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (keytype != KMF_KEYALG_NONE && keytype != keyalg) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* free that key since we aren't using it */
2cbed7292737821015ab481353eb10e8346b2c05wyllys * Due to a bug in NSS, we have to manually match
2cbed7292737821015ab481353eb10e8346b2c05wyllys * the labels to be sure we have a match.
2cbed7292737821015ab481353eb10e8346b2c05wyllys /* always match if findLabel is NULL */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Cleanup memory for unused keys.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned int i;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned char a;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned char *inBuf,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned int inBufLen,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned char *outBuf,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned int maxOutBufLen,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys unsigned int *outBufLen,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If converting Unicode to ASCII, swap bytes before conversion
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * as necessary.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Perform the conversion. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = PORT_UCS2_UTF8Conversion(toUnicode, dup->data, dup->len,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys p12ctx->file = PR_Open(p12ctx->filename, PR_RDONLY, 0400);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysp12u_DestroyContext(p12uContext **ppCtx, PRBool removeFile)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysp12u_WriteToExportFile(void *arg, const char *buf, unsigned long len)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys writeLen = PR_Write(p12cxt->file, (unsigned char *)buf, (int32)len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SEC_PKCS12SafeInfo *keySafe = NULL, *certSafe = NULL;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certSafe = SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CERT_GetDefaultCertDB(), keySafe, NULL, PR_TRUE, pwitem,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_ExportPK12(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (kmfh == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cred = kmf_get_attr_ptr(KMF_CREDENTIAL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys p12cred = kmf_get_attr_ptr(KMF_PK12CRED_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys filename = kmf_get_attr_ptr(KMF_OUTPUT_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get optional search criteria attributes */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certlabel = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuer = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subject = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys serial = kmf_get_attr_ptr(KMF_BIGINT_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Find the certificate(s) first.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nsscert = PK11_FindCertFromNickname(certlabel, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = nss_find_matching_certs(slot, issuer, subject, serial,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * The KMF_CREDENTIAL holds the password to use for
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * encrypting the PKCS12 key information.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys p12ecx = SEC_PKCS12CreateExportContext(NULL, NULL, slot, NULL);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (SEC_PKCS12AddPasswordIntegrity(p12ecx, &pwitem, SEC_OID_SHA1)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * NSS actually supports storing a list of keys and certs
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * in the PKCS#12 PDU. Nice feature.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (SEC_PKCS12Encode(p12ecx, p12u_WriteToExportFile, p12ctx)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (kmfh == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys symkey = kmf_get_attr_ptr(KMF_KEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYALG_ATTR, attrlist, numattr, (void *)&keytype,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_KEYLENGTH_ATTR, attrlist, numattr, &keylen,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* keylength is not required for DES and 3DES */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keylabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
ab8b4e5c888370036603c72719799620ea5c6b77Wyllys Ingersoll /* convert key length to bytes */
ab8b4e5c888370036603c72719799620ea5c6b77Wyllys Ingersoll nsskey = PK11_TokenKeyGen(nss_slot, keyType, NULL, keySize / 8, NULL,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_GetSymKeyValue(KMF_HANDLE_T handle, KMF_KEY_HANDLE *symkey,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys KMF_RAW_KEY_DATA *rawkey = (KMF_RAW_KEY_DATA *)symkey->keyp;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if ((rkey->keydata.val = malloc(rkey->keydata.len)) == NULL)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys (void) memcpy(rkey->keydata.val, value->data, value->len);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_SetTokenPin(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_NEWPIN_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If it was uninitialized, set it */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = PK11_ChangePW(nss_slot, oldcred.cred, newcred.cred);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (kmfh == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = kmf_get_attr(KMF_CREDENTIAL_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* look for private key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys prikey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* look for raw key */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If no keys were found, return error */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (pubkey == NULL && prikey == NULL && rawkey == NULL)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys keylabel = kmf_get_attr_ptr(KMF_KEYLABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Decode the cert into an NSS CERT object so we can access the
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * SPKI and KeyUsage data later.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_cert = CERT_DecodeCertFromPackage((char *)cert->Data,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rpk.algorithm = nss_cert->subjectPublicKeyInfo.algorithm;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ckrv = PK11_ImportPrivateKeyInfo(nss_slot, &rpk, &nickname,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys &nss_cert->subjectPublicKeyInfo.subjectPublicKey, TRUE,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } else if (pubkey != NULL && pubkey->kstype == KMF_KEYSTORE_NSS) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SECKEYPublicKey *publicKey = (SECKEYPublicKey *) pubkey->keyp;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pk = PK11_ImportPublicKey(nss_slot, publicKey, PR_TRUE);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys } else if (prikey != NULL && prikey->kstype == KMF_KEYSTORE_NSS) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys SECKEYPrivateKey *privKey = (SECKEYPrivateKey *) prikey->keyp;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys pk = PK11_LoadPrivKey(nss_slot, privKey, NULL, PR_TRUE,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* We stored it, but don't need the handle anymore */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * This function is called by NSS_StoreCert() and NSS_ImportCert().
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * The "label" and "trust_flag" arguments can be NULL.
/*
 * store_cert: decode the certificate data in "cert" into an NSS certificate
 * object, import it into nss_slot, and, when a trust string is supplied,
 * apply that trust to the imported certificate.
 *
 * NOTE(review): this listing is partial. The rest of the parameter list, the
 * return-value checks and the cleanup path are not shown, so the notes below
 * cover only the visible calls.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysstore_cert(KMF_HANDLE_T handle, PK11SlotInfo *nss_slot, KMF_DATA *cert,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
/*
 * NOTE(review): cert->Data is dereferenced here. Both visible callers take
 * the data from a caller-supplied attribute list or file; confirm that cert
 * and its length are validated before this point.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_cert = CERT_DecodeCertFromPackage((char *)cert->Data,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Store the cert into the NSS database */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_rv = PK11_ImportCert(nss_slot, nss_cert, CK_INVALID_HANDLE,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If trust_flag is NULL, then we are done */
/*
 * NOTE(review): the malloc() result is written through by the decode call
 * below; a NULL check is not visible in this listing. Confirm it exists and
 * that nss_trust is freed on every exit path.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_trust = (CERTCertTrust *) malloc(sizeof (CERTCertTrust));
/*
 * The trust string is parsed into nss_trust and then applied to the
 * certificate that was just imported. A non-NULL trust_flag therefore changes
 * what this certificate is trusted for in the database; callers should pass
 * one only for certificates whose origin has been verified.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_rv = CERT_DecodeTrustString(nss_trust, trust_flag);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_rv = CERT_ChangeCertTrust(certHandle, nss_cert, nss_trust);
/*
 * NSS_StoreCert: store caller-supplied certificate data in the NSS keystore.
 * Reads KMF_CERT_DATA_ATTR plus the optional KMF_CERT_LABEL_ATTR and
 * KMF_TRUSTFLAG_ATTR from attrlist and passes them to store_cert().
 *
 * NOTE(review): partial listing. The return statements and the error checks
 * between the visible lines are not shown.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_StoreCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
/* Reject a missing handle or an empty attribute list up front. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
/* do_nss_init() fills in nss_slot, which is the import target below. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the cert data */
/*
 * NOTE(review): cert is required, because store_cert() dereferences
 * cert->Data. Confirm a NULL result is rejected before the store_cert() call.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = kmf_get_attr_ptr(KMF_CERT_DATA_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The label attribute is optional */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys label = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* The trustflag attribute is optional */
/*
 * The trust string is handed to store_cert() exactly as the caller supplied
 * it. When present it sets the trust of the stored certificate.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys trust_flag = kmf_get_attr_ptr(KMF_TRUSTFLAG_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = store_cert(handle, nss_slot, cert, label, trust_flag);
/*
 * NSS_ImportCert: import a certificate from the file named by
 * KMF_CERT_FILENAME_ATTR into the NSS keystore. Per the comments below, the
 * file format is auto-detected and PEM input is converted to DER before the
 * data is passed to store_cert() with the optional label and trust string.
 *
 * NOTE(review): partial listing. The file read, the format conversion and the
 * cleanup code are not shown.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_ImportCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
/* Reject a missing handle or an empty attribute list up front. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys if (handle == NULL || attrlist == NULL || numattr == 0) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the input cert filename attribute */
/*
 * NOTE(review): certfile is a caller-supplied path. Confirm a NULL result is
 * rejected and that the file is read with the caller's own privileges.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certfile = kmf_get_attr_ptr(KMF_CERT_FILENAME_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check the cert file and auto-detect the file format of it. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the imported cert is in PEM format, convert it to
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * DER format in order to store it in NSS token.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys label = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
/*
 * The trust string comes from the attribute list, not from the file. When it
 * is present, store_cert() applies it to the imported certificate.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys trust_flag = kmf_get_attr_ptr(KMF_TRUSTFLAG_ATTR, attrlist, numattr);
/* cptr presumably points at the DER form of the file contents; its assignment is not visible here. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = store_cert(handle, nss_slot, cptr, label, trust_flag);
/*
 * NSS_ImportCRL: read the CRL file named by KMF_CRL_FILENAME_ATTR, convert it
 * to DER when it is PEM, and import it into nss_slot with PK11_ImportCRL().
 *
 * NOTE(review): partial listing. The parameter checks, the importOptions
 * assignment and the buffer cleanup are not shown.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_ImportCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crlfilename = kmf_get_attr_ptr(KMF_CRL_FILENAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Check if the input CRL file is a valid CRL file and auto-detect
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * the encoded format of the file.
/*
 * NOTE(review): KMF_CRL_CHECK_ATTR presumably selects the importOptions value
 * passed to PK11_ImportCRL() below. If the caller can turn NSS's import-time
 * checks off with it, a CRL whose issuer or signature was never validated can
 * end up in the database. Confirm which option is used in that case and that
 * checking is the default when the attribute is absent.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_get_attr(KMF_CRL_CHECK_ATTR, attrlist, numattr,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* set importOptions */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Read in the CRL file */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys ret = kmf_read_input_file(handle, crlfilename, &crl1);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If the input CRL is in PEM format, convert it to DER first. */
/*
 * crlDER borrows the buffer of crl1 (the file as read) when the format is
 * ASN.1, otherwise that of crl2 (presumably the converted copy). It does not
 * own the memory.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crlDER.data = format == KMF_FORMAT_ASN1 ? crl1.Data : crl2.Data;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crlDER.len = format == KMF_FORMAT_ASN1 ? crl1.Length : crl2.Length;
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nss_crl = PK11_ImportCRL(nss_slot, &crlDER, NULL, SEC_CRL_TYPE,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys NULL, importOptions, NULL, CRL_DECODE_DEFAULT_OPTIONS);
/*
 * NSS_DeleteCRL: locate a CRL in the NSS database, either through the
 * issuer certificate's nickname (KMF_ISSUER_NAME_ATTR) or through the CRL's
 * subject name (KMF_SUBJECT_NAME_ATTR), so that it can be deleted. Exactly
 * one of the two criteria must be given.
 *
 * NOTE(review): partial listing. The parameter checks, the name comparison
 * loop and the delete call itself are not shown.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_DeleteCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* check params */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys issuername = kmf_get_attr_ptr(KMF_ISSUER_NAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys subjectname = kmf_get_attr_ptr(KMF_SUBJECT_NAME_ATTR, attrlist,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Caller must specify issuer or subject but not both */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Find the CRL based on the deletion criteria. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the deletion is based on the issuer's certificate
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * nickname, we will get the issuer's cert first, then
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * get the CRL from the cert.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = CERT_FindCertByNicknameOrEmailAddr(certHandle,
/*
 * NOTE(review): cert->derSubject is read here. Confirm the lookup result is
 * checked for NULL first, and that the cert reference is released once the
 * CRL lookup is done; neither is visible in this listing.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crl = SEC_FindCrlByName(certHandle, &cert->derSubject,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * If the deletion is based on the CRL's subject name, we will
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * get all the CRLs from the internal database and search
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * for the CRL with the same subject name.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nssrv = SEC_LookupCrls(certHandle, &crlList, SEC_CRL_TYPE);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Allocate space for name */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* We found a cert but no CRL */
/*
 * NSS_FindCRL: list the CRLs in the NSS database. Looks up all CRLs with
 * SEC_LookupCrls() and, per the comments below, builds a list of their
 * subject names. Results are returned through the caller-supplied
 * KMF_CRL_COUNT_ATTR and KMF_CRL_NAMELIST_ATTR pointers.
 *
 * NOTE(review): partial listing. The parameter checks, the allocation and
 * the body of the list-building loop are not shown.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_FindCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CRLCount = kmf_get_attr_ptr(KMF_CRL_COUNT_ATTR, attrlist, numattr);
/*
 * NOTE(review): CRLNameList is a caller-owned array. Confirm that the number
 * of names written into it is bounded by the capacity the caller provided,
 * not only by the number of CRLs found in the database.
 */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CRLNameList = (char **)kmf_get_attr_ptr(KMF_CRL_NAMELIST_ATTR,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Look up Crls */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys nssrv = SEC_LookupCrls(certHandle, &crlList, SEC_CRL_TYPE);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Allocate space for name first */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Loop thru the crlList and create a crl list with CRL's subject name.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Get the CRL subject name */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* success */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* If failed, free memory allocated for the returning rlist */
/* Error path: walks the crl_num entries produced so far (the loop body is not shown). */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys for (i = 0; i < crl_num; i++) {
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllysNSS_FindCertInCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist)
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* check params */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys rv = do_nss_init(handle, numattr, attrlist, FALSE, &nss_slot);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys certlabel = kmf_get_attr_ptr(KMF_CERT_LABEL_ATTR, attrlist, numattr);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Find the certificate first */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys cert = CERT_FindCertByNicknameOrEmailAddr(certHandle,
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Find the CRL with the same issuer as the given certificate. */
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys crl = SEC_FindCrlByName(certHandle, &cert->derIssuer, SEC_CRL_TYPE);
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * Could not find the CRL issued by the same issuer. This
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys * usually means that the CRL is not installed in the DB.
30a5e8fa1253cb33980ee4514743cf683f584b4ewyllys /* Check if the certificate's serialNumber is revoked in the CRL */