nss_spi.c revision f482c776bc557f0256e776932c7842b9db390de1
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER START
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The contents of this file are subject to the terms of the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Common Development and Distribution License (the "License").
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You may not use this file except in compliance with the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * See the License for the specific language governing permissions
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * and limitations under the License.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When distributing Covered Code, include this CDDL HEADER in each
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If applicable, add the following below this CDDL HEADER, with the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * fields enclosed by brackets "[]" replaced with your own identifying
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * information: Portions Copyright [yyyy] [name of copyright owner]
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * CDDL HEADER END
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NSS keystore wrapper
5363b1129db4ee42d2c9736898eab4670580bec7hylee * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Use is subject to license terms.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#pragma ident "%Z%%M% %I% %E% SMI"
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/* NSS related headers */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic int nss_initialized = 0;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_ConfigureKeystore(KMF_HANDLE_T, KMF_CONFIG_PARAMS *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_StoreCert(KMF_HANDLE_T, KMF_STORECERT_PARAMS *params,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_ImportCert(KMF_HANDLE_T, KMF_IMPORTCERT_PARAMS *params);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DeleteCert(KMF_HANDLE_T, KMF_DELETECERT_PARAMS *params);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_CreateKeypair(KMF_HANDLE_T, KMF_CREATEKEYPAIR_PARAMS *,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_EncodePubKeyData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_DATA *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_SignData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_ImportCRL(KMF_HANDLE_T, KMF_IMPORTCRL_PARAMS *params);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DeleteCRL(KMF_HANDLE_T, KMF_DELETECRL_PARAMS *params);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_FindCertInCRL(KMF_HANDLE_T, KMF_FINDCERTINCRL_PARAMS *params);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_GetPrikeyByCert(KMF_HANDLE_T, KMF_CRYPTOWITHCERT_PARAMS *, KMF_DATA *,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DecryptData(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_OID *,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_StorePrivateKey(KMF_HANDLE_T, KMF_STOREKEY_PARAMS *, KMF_RAW_KEY_DATA *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_CreateSymKey(KMF_HANDLE_T, KMF_CREATESYMKEY_PARAMS *, KMF_KEY_HANDLE *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_GetSymKeyValue(KMF_HANDLE_T, KMF_KEY_HANDLE *, KMF_RAW_SYM_KEY *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_SetTokenPin(KMF_HANDLE_T, KMF_SETPIN_PARAMS *, KMF_CREDENTIAL *);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/* additions for importing and exporting PKCS 12 files */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllystypedef struct p12uContextStr {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys#define SET_ERROR(h, c) h->lasterr.kstype = KMF_KEYSTORE_NSS; \
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysstatic char *
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysnss_getpassword(PK11SlotInfo *slot, PRBool retry, void *arg)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If a password was given, try to login to the slot */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (cred == NULL || cred->cred == NULL || cred->credlen == 0 ||
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys const char *certPrefix,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys const char *keyPrefix,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys const char *secmodName)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If another thread already did it, return OK. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = NSS_Initialize((configdir && strlen(configdir)) ?
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * When it is called the first time, it will intialize NSS. Once the NSS
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * is initialized, this function returns KMF_KEYSTORE_ALREADY_INITIALIZED
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * if it is called again.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_ConfigureKeystore(KMF_HANDLE_T handle, KMF_CONFIG_PARAMS *params)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function sets up the slot to be used for other operations.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * This function is basically called by every NSS SPI function.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * For those functions that can only be performed in the internal slot, the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * boolean "internal_slot_only" argument needs to be TRUE.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * A slot pointer will be returned when this function is executed successfully.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NSS Is already initialized, but we need to find
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the right slot.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the token was not yet initialized, return an error.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysnss2kmf_cert(CERTCertificate *nss_cert, KMF_X509_DER_CERT *kmf_cert)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmf_cert->kmf_private.keystore_type = KMF_KEYSTORE_NSS;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys kmf_cert->certificate.Length = nss_cert->derCert.len;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((kmf_cert->certificate.Data = malloc(nss_cert->derCert.len)) ==
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(kmf_cert->certificate.Data, nss_cert->derCert.data,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys uint32_t *num_certs, KMF_CERT_VALIDITY find_criteria)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys validity = CERT_CheckCertValidTimes(nss_cert, PR_Now(),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is an invalid cert, reject it */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys validity = CERT_CheckCertValidTimes(nss_cert, PR_Now(),
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is a valid cert, reject it in this case. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* We copied the data we need, so cleanup the internal record */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CERTCertList **certlist, KMF_CERT_VALIDITY find_criteria)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (serial != 0 && serial->val != NULL && serial->len > 0)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* select the certs using find criteria */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is an invalid cert */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is a valid cert */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If we failed, delete any certs allocated so far.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < *numcerts; i++)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_FindCert(KMF_HANDLE_T handle, KMF_FINDCERT_PARAMS *params,
f482c776bc557f0256e776932c7842b9db390de1wyllys /* This will only find 1 certificate */
f482c776bc557f0256e776932c7842b9db390de1wyllys * Build a list of matching certs.
f482c776bc557f0256e776932c7842b9db390de1wyllys * If the caller supplied a pointer to storage for
f482c776bc557f0256e776932c7842b9db390de1wyllys * a list of certs, convert up to 'maxcerts' of the
f482c776bc557f0256e776932c7842b9db390de1wyllys * matching certs.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_StoreCert(KMF_HANDLE_T handle, KMF_STORECERT_PARAMS *params,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* NSS only support DER format */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nss_cert = CERT_DecodeCertFromPackage((char *)pcert->Data,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nss_rv = PK11_ImportCert(nss_slot, nss_cert, CK_INVALID_HANDLE,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nss_trust = (CERTCertTrust *) malloc(sizeof (CERTCertTrust));
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nss_rv = CERT_ChangeCertTrust(certHandle, nss_cert, nss_trust);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_ImportCert(KMF_HANDLE_T handle, KMF_IMPORTCERT_PARAMS *params)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Check if the input cert file is a valid certificate and
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * auto-detect the file format of it.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_IsCertFile(handle, params->certfile, &format);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ReadInputFile(handle, params->certfile, &cert);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the imported cert is in PEM format, convert it to
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * DER format in order to store it in NSS token.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DeleteCert(KMF_HANDLE_T handle, KMF_DELETECERT_PARAMS *params)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* check params */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cert = PK11_FindCertFromNickname(params->certLabel, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is an invalid cert - skip it */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* this is a valid cert - skip it */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* delete it from database */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = nss_authenticate(handle, nss_slot, ¶ms->cred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get some random bits */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NSS only allows for a 4 byte exponent.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Ignore the exponent parameter if it is too big.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys params->rsa_exponent.len <= sizeof (publicExponent) &&
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nssrv = PK11_PQG_ParamGen(ks, &pqgParams, &pqgVerify);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nssrv = PK11_PQG_VerifyParams(pqgParams, pqgVerify, &passed);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Now, convert it to a KMF_KEY object for the framework */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Map the OID to a NSS algorithm */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys signAlgTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(output->Data, signed_data.data, signed_data.len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_EncodePubKeyData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *keyp,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (keyp == NULL || encoded == NULL || keyp->keyp == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys spki = SECKEY_CreateSubjectPublicKeyInfo(keyp->keyp);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(encoded->Data, rvitem->data, rvitem->len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DeleteKey(KMF_HANDLE_T handle, KMF_DELETEKEY_PARAMS *params,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * "delete_token" means to clear it from the token storage as well
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * as from memory.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = nss_authenticate(handle, nss_slot, ¶ms->cred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SECKEY_DestroyPublicKey((SECKEYPublicKey *)key->keyp);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SECKEY_DestroyPrivateKey((SECKEYPrivateKey *)key->keyp);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_ImportCRL(KMF_HANDLE_T handle, KMF_IMPORTCRL_PARAMS *params)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (params == NULL || params->ks_opt_u.nss_opts.crlfile == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Check if the input CRL file is a valid CRL file and auto-detect
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * the encoded format of the file.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_IsCRLFile(handle, params->ks_opt_u.nss_opts.crlfile,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* set importOptions */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (params->ks_opt_u.nss_opts.crl_check == B_FALSE) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Read in the CRL file */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = KMF_ReadInputFile(handle, params->ks_opt_u.nss_opts.crlfile,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If the input CRL is in PEM format, convert it to DER first. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys crlDER.data = format == KMF_FORMAT_ASN1 ? crl1.Data : crl2.Data;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys crlDER.len = format == KMF_FORMAT_ASN1 ? crl1.Length : crl2.Length;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nss_crl = PK11_ImportCRL(nss_slot, &crlDER, NULL, SEC_CRL_TYPE,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys NULL, importOptions, NULL, CRL_DECODE_DEFAULT_OPTIONS);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DeleteCRL(KMF_HANDLE_T handle, KMF_DELETECRL_PARAMS *params)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* check params */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Find the CRL based on the deletion criteria. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (params->ks_opt_u.nss_opts.crl_issuerName != NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the deletion is based on the issuer's certificate
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * nickname, we will get the issuer's cert first, then
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * get the CRL from the cert.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys cert = CERT_FindCertByNicknameOrEmailAddr(certHandle,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys crl = SEC_FindCrlByName(certHandle, &cert->derSubject,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If the deletion is based on the CRL's subject name, we will
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * get all the CRLs from the internal database and search
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * for the CRL with the same subject name.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nssrv = SEC_LookupCrls(certHandle, &crlList, SEC_CRL_TYPE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Allocate space for name */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* We found a cert but no CRL */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_FindCRL(KMF_HANDLE_T handle, KMF_FINDCRL_PARAMS *params,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Look up Crls */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nssrv = SEC_LookupCrls(certHandle, &crlList, SEC_CRL_TYPE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Allocate space for name first */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Loop thru the crlList and create a crl list with CRL's subject name.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the CRL subject name */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* success */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If failed, free memory allocated for the returning rlist */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < crl_num; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_FindCertInCRL(KMF_HANDLE_T handle, KMF_FINDCERTINCRL_PARAMS *params)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CERTCertDBHandle *certHandle = CERT_GetDefaultCertDB();
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* check params */
5363b1129db4ee42d2c9736898eab4670580bec7hylee /* Find the certificate first */
5363b1129db4ee42d2c9736898eab4670580bec7hylee derCert.data = params->ks_opt_u.nss_opts.certificate->Data;
5363b1129db4ee42d2c9736898eab4670580bec7hylee derCert.len = params->ks_opt_u.nss_opts.certificate->Length;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Find the CRL with the same issuer as the given certificate. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys crl = SEC_FindCrlByName(certHandle, &cert->derIssuer, SEC_CRL_TYPE);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Could not find the CRL issued by the same issuer. This
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * usually means that the CRL is not installed in the DB.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Check if the certificate's serialNumber is revoked in the CRL */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_GetErrorString(KMF_HANDLE_T handle, char **msgstr)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Get the error string in the default language */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys str = (char *)PR_ErrorToName((PRErrorCode)kmfh->lasterr.errcode);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_GetPrikeyByCert(KMF_HANDLE_T handle, KMF_CRYPTOWITHCERT_PARAMS *params,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = nss_authenticate(handle, nss_slot, ¶ms->cred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nss_cert = CERT_DecodeCertFromPackage((char *)SignerCertData->Data,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys privkey = PK11_FindPrivateKeyFromCert(nss_slot, nss_cert, NULL);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_DecryptData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (i = 0; i < blocks; i++) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (rv != 0) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* not supported */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_FindKey(KMF_HANDLE_T handle, KMF_FINDKEY_PARAMS *parms,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = nss_authenticate(handle, nss_slot, &parms->cred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys publist = PK11_ListPublicKeysInSlot(nss_slot, parms->findLabel);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys symlist = PK11_ListFixedKeysInSlot(nss_slot, parms->findLabel,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys for (count = 0, prinode = PRIVKEY_LIST_HEAD(prilist);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If keytype is specified in the searching parameter,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * check the keytype and skip the key if its keytype
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * doesn't match.
f482c776bc557f0256e776932c7842b9db390de1wyllys /* free that key since we aren't using it */
f482c776bc557f0256e776932c7842b9db390de1wyllys * Cleanup memory for unused keys.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned int i;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned char a;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned char *inBuf,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned int inBufLen,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned char *outBuf,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned int maxOutBufLen,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys unsigned int *outBufLen,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * If converting Unicode to ASCII, swap bytes before conversion
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * as neccessary.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* Perform the conversion. */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys ret = PORT_UCS2_UTF8Conversion(toUnicode, dup->data, dup->len,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysp12u_DestroyContext(p12uContext **ppCtx, PRBool removeFile)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysp12u_WriteToExportFile(void *arg, const char *buf, unsigned long len)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys writeLen = PR_Write(p12cxt->file, (unsigned char *)buf, (int32)len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SEC_PKCS12SafeInfo *keySafe = NULL, *certSafe = NULL;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys certSafe = SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys CERT_GetDefaultCertDB(), keySafe, NULL, PR_TRUE, pwitem,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys/*ARGSUSED*/
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Find the certificate(s) first.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nsscert = PK11_FindCertFromNickname(params->certLabel,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * The KMF_CREDENTIAL holds the password to use for
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * encrypting the PKCS12 key information.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (SEC_PKCS12AddPasswordIntegrity(p12ecx, &pwitem, SEC_OID_SHA1)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * NSS actually supports storing a list of keys and certs
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * in the PKCS#12 PDU. Nice feature.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (SEC_PKCS12Encode(p12ecx, p12u_WriteToExportFile, p12ctx)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_StorePrivateKey(KMF_HANDLE_T handle, KMF_STOREKEY_PARAMS *params,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys return (KMF_ERR_UNINITIALIZED); /* Plugin Not Initialized */
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (params == NULL || params->certificate == NULL || rawkey == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * Decode the cert into an NSS CERT object so we can access the
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys * SPKI and KeyUsage data later.
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nss_cert = CERT_DecodeCertFromPackage((char *)params->certificate->Data,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = DerEncodeRSAPrivateKey(&derkey, &rawkey->rawdata.rsa);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rpk.algorithm = nss_cert->subjectPublicKeyInfo.algorithm;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = DerEncodeDSAPrivateKey(&derkey, &rawkey->rawdata.dsa);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rpk.algorithm = nss_cert->subjectPublicKeyInfo.algorithm;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nickname.len = (params->label ? strlen(params->label) : 0);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys &nickname, &nss_cert->subjectPublicKeyInfo.subjectPublicKey,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys rv = nss_authenticate(handle, nss_slot, ¶ms->cred);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nsskey = PK11_TokenKeyGen(nss_slot, keyType, NULL, keySize, NULL,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys nssrv = PK11_SetSymKeyNickname(nsskey, params->keylabel);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_GetSymKeyValue(KMF_HANDLE_T handle, KMF_KEY_HANDLE *symkey,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys KMF_RAW_KEY_DATA *rawkey = (KMF_RAW_KEY_DATA *)symkey->keyp;
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if ((rkey->keydata.val = malloc(rkey->keydata.len)) == NULL)
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys (void) memcpy(rkey->keydata.val, value->data, value->len);
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllysNSS_SetTokenPin(KMF_HANDLE_T handle, KMF_SETPIN_PARAMS *params,
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys if (handle == NULL || params == NULL || newpin == NULL) {
99ebb4ca412cb0a19d77a3899a87c055b9c30fa8wyllys /* If it was uninitialized, set it */