Back to index

lightning-sunbird  0.9+nobinonly
pk11kea.c
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 /*
00037  * This file implements the Symkey wrapper and the PKCS context
00038  * Interfaces.
00039  */
00040 
00041 #include "seccomon.h"
00042 #include "secmod.h"
00043 #include "nssilock.h"
00044 #include "secmodi.h"
00045 #include "secmodti.h"
00046 #include "pkcs11.h"
00047 #include "pk11func.h"
00048 #include "secitem.h"
00049 #include "key.h"
00050 #include "secasn1.h"
00051 #include "sechash.h"
00052 #include "cert.h"
00053 #include "secerr.h"
00054 
00055 /*
00056  * find an RSA public key on a card
00057  */
00058 static CK_OBJECT_HANDLE
00059 pk11_FindRSAPubKey(PK11SlotInfo *slot)
00060 {
00061     CK_KEY_TYPE key_type = CKK_RSA;
00062     CK_OBJECT_CLASS class_type = CKO_PUBLIC_KEY;
00063     CK_ATTRIBUTE theTemplate[2];
00064     int template_count = sizeof(theTemplate)/sizeof(theTemplate[0]);
00065     CK_ATTRIBUTE *attrs = theTemplate;
00066 
00067     PK11_SETATTRS(attrs,CKA_CLASS,&class_type,sizeof(class_type)); attrs++;
00068     PK11_SETATTRS(attrs,CKA_KEY_TYPE,&key_type,sizeof(key_type)); attrs++;
00069     template_count = attrs - theTemplate;
00070     PR_ASSERT(template_count <= sizeof(theTemplate)/sizeof(CK_ATTRIBUTE));
00071 
00072     return pk11_FindObjectByTemplate(slot,theTemplate,template_count);
00073 }
00074 
00075 PK11SymKey *
00076 pk11_KeyExchange(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
00077                CK_ATTRIBUTE_TYPE operation, CK_FLAGS flags, 
00078                                    PRBool isPerm, PK11SymKey *symKey)
00079 {
00080     PK11SymKey *newSymKey = NULL;
00081     SECStatus rv;
00082     /* performance improvement can go here --- use a generated key at startup
00083      * to generate a per token wrapping key. If it exists, use it, otherwise 
00084      * do a full key exchange. */
00085 
00086     /* find a common Key Exchange algorithm */
00087     /* RSA */
00088     if (PK11_DoesMechanism(symKey->slot, CKM_RSA_PKCS) && 
00089                             PK11_DoesMechanism(slot,CKM_RSA_PKCS)) {
00090        CK_OBJECT_HANDLE pubKeyHandle = CK_INVALID_HANDLE;
00091        CK_OBJECT_HANDLE privKeyHandle = CK_INVALID_HANDLE;
00092        SECKEYPublicKey *pubKey = NULL;
00093        SECKEYPrivateKey *privKey = NULL;
00094        SECItem wrapData;
00095        unsigned int     symKeyLength = PK11_GetKeyLength(symKey);
00096 
00097        wrapData.data = NULL;
00098 
00099        /* find RSA Public Key on target */
00100        pubKeyHandle = pk11_FindRSAPubKey(slot);
00101        if (pubKeyHandle != CK_INVALID_HANDLE) {
00102            privKeyHandle = PK11_MatchItem(slot,pubKeyHandle,CKO_PRIVATE_KEY);
00103        }
00104 
00105        /* if no key exists, generate a key pair */
00106        if (privKeyHandle == CK_INVALID_HANDLE) {
00107            PK11RSAGenParams rsaParams;
00108 
00109            if (symKeyLength > 53) /* bytes */ {
00110               /* we'd have to generate an RSA key pair > 512 bits long,
00111               ** and that's too costly.  Don't even try. 
00112               */
00113               PORT_SetError( SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY );
00114               goto rsa_failed;
00115            }
00116            rsaParams.keySizeInBits = 
00117                (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
00118            rsaParams.pe  = 0x10001;
00119            privKey = PK11_GenerateKeyPair(slot,CKM_RSA_PKCS_KEY_PAIR_GEN, 
00120                          &rsaParams, &pubKey,PR_FALSE,PR_TRUE,symKey->cx);
00121        } else {
00122            /* if keys exist, build SECKEY data structures for them */
00123            privKey = PK11_MakePrivKey(slot,nullKey, PR_TRUE, privKeyHandle,
00124                                    symKey->cx);
00125            if (privKey != NULL) {
00126               pubKey = PK11_ExtractPublicKey(slot, rsaKey, pubKeyHandle);
00127               if (pubKey && pubKey->pkcs11Slot) {
00128                   PK11_FreeSlot(pubKey->pkcs11Slot);
00129                   pubKey->pkcs11Slot = NULL;
00130                   pubKey->pkcs11ID = CK_INVALID_HANDLE;
00131               }
00132            }
00133        }
00134        if (privKey == NULL) goto rsa_failed;
00135        if (pubKey == NULL)  goto rsa_failed;
00136 
00137         wrapData.len  = SECKEY_PublicKeyStrength(pubKey);
00138         if (!wrapData.len) goto rsa_failed;
00139         wrapData.data = PORT_Alloc(wrapData.len);
00140         if (wrapData.data == NULL) goto rsa_failed;
00141 
00142        /* now wrap the keys in and out */
00143        rv = PK11_PubWrapSymKey(CKM_RSA_PKCS, pubKey, symKey, &wrapData);
00144        if (rv == SECSuccess) {
00145            newSymKey = PK11_PubUnwrapSymKeyWithFlagsPerm(privKey,
00146                      &wrapData,type,operation,symKeyLength,flags,isPerm);
00147        }
00148 rsa_failed:
00149        if (wrapData.data != NULL) PORT_Free(wrapData.data);
00150        if (privKey != NULL) SECKEY_DestroyPrivateKey(privKey);
00151        if (pubKey != NULL) SECKEY_DestroyPublicKey(pubKey);
00152 
00153        return  newSymKey;
00154     }
00155     PORT_SetError( SEC_ERROR_NO_MODULE );
00156     return NULL;
00157 }
00158