| Index: mozilla/security/nss/lib/certhigh/certvfy.c |
| =================================================================== |
| RCS file: /cvsroot/mozilla/security/nss/lib/certhigh/certvfy.c,v |
| retrieving revision 1.71 |
| diff -p -u -r1.71 certvfy.c |
| --- mozilla/security/nss/lib/certhigh/certvfy.c 30 Apr 2010 07:47:48 -0000 1.71 |
| +++ mozilla/security/nss/lib/certhigh/certvfy.c 22 Jul 2011 20:57:00 -0000 |
| @@ -150,79 +150,6 @@ CERT_VerifySignedData(CERTSignedData *sd |
| } |
| |
| |
| -/* Software FORTEZZA installation hack. The software fortezza installer does |
| - * not have access to the krl and cert.db file. Accept FORTEZZA Certs without |
| - * KRL's in this case. |
| - */ |
| -static int dont_use_krl = 0; |
| -/* not a public exposed function... */ |
| -void sec_SetCheckKRLState(int value) { dont_use_krl = value; } |
| - |
| -SECStatus |
| -SEC_CheckKRL(CERTCertDBHandle *handle,SECKEYPublicKey *key, |
| - CERTCertificate *rootCert, int64 t, void * wincx) |
| -{ |
| - CERTSignedCrl *crl = NULL; |
| - SECStatus rv = SECFailure; |
| - SECStatus rv2; |
| - CERTCrlEntry **crlEntry; |
| - SECCertTimeValidity validity; |
| - CERTCertificate *issuerCert = NULL; |
| - |
| - if (dont_use_krl) return SECSuccess; |
| - |
| - /* first look up the KRL */ |
| - crl = SEC_FindCrlByName(handle,&rootCert->derSubject, SEC_KRL_TYPE); |
| - if (crl == NULL) { |
| - PORT_SetError(SEC_ERROR_NO_KRL); |
| - goto done; |
| - } |
| - |
| - /* get the issuing certificate */ |
| - issuerCert = CERT_FindCertByName(handle, &crl->crl.derName); |
| - if (issuerCert == NULL) { |
| - PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE); |
| - goto done; |
| - } |
| - |
| - |
| - /* now verify the KRL signature */ |
| - rv2 = CERT_VerifySignedData(&crl->signatureWrap, issuerCert, t, wincx); |
| - if (rv2 != SECSuccess) { |
| - PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE); |
| - goto done; |
| - } |
| - |
| - /* Verify the date validity of the KRL */ |
| - validity = SEC_CheckCrlTimes(&crl->crl, t); |
| - if (validity == secCertTimeExpired) { |
| - PORT_SetError(SEC_ERROR_KRL_EXPIRED); |
| - goto done; |
| - } |
| - |
| - /* now make sure the key in this cert is still valid */ |
| - if (key->keyType != fortezzaKey) { |
| - PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN); |
| - goto done; /* This should be an assert? */ |
| - } |
| - |
| - /* now make sure the key is not on the revocation list */ |
| - for (crlEntry = crl->crl.entries; crlEntry && *crlEntry; crlEntry++) { |
| - if (PORT_Memcmp((*crlEntry)->serialNumber.data, |
| - key->u.fortezza.KMID, |
| - (*crlEntry)->serialNumber.len) == 0) { |
| - PORT_SetError(SEC_ERROR_REVOKED_KEY); |
| - goto done; |
| - } |
| - } |
| - rv = SECSuccess; |
| - |
| -done: |
| - if (issuerCert) CERT_DestroyCertificate(issuerCert); |
| - if (crl) SEC_DestroyCrl(crl); |
| - return rv; |
| -} |
| - |
| SECStatus |
| SEC_CheckCRL(CERTCertDBHandle *handle,CERTCertificate *cert, |
| CERTCertificate *caCert, int64 t, void * wincx) |
| @@ -405,85 +332,6 @@ cert_AddToVerifyLog(CERTVerifyLog *log, |
| cert_AddToVerifyLog(log, cert, PORT_GetError(), depth, (void *)arg); \ |
| } |
| |
| - |
| -typedef enum { cbd_None, cbd_User, cbd_CA } cbd_FortezzaType; |
| - |
| -static SECStatus |
| -cert_VerifyFortezzaV1Cert(CERTCertDBHandle *handle, CERTCertificate *cert, |
| - cbd_FortezzaType *next_type, cbd_FortezzaType last_type, |
| - int64 t, void *wincx) |
| -{ |
| - unsigned char priv = 0; |
| - SECKEYPublicKey *key; |
| - SECStatus rv; |
| - |
| - *next_type = cbd_CA; |
| - |
| - /* read the key */ |
| - key = CERT_ExtractPublicKey(cert); |
| - |
| - /* Cant' get Key? fail. */ |
| - if (key == NULL) { |
| - PORT_SetError(SEC_ERROR_BAD_KEY); |
| - return SECFailure; |
| - } |
| - |
| - |
| - /* if the issuer is not an old fortezza cert, we bail */ |
| - if (key->keyType != fortezzaKey) { |
| - SECKEY_DestroyPublicKey(key); |
| - /* CA Cert not fortezza */ |
| - PORT_SetError(SEC_ERROR_NOT_FORTEZZA_ISSUER); |
| - return SECFailure; |
| - } |
| - |
| - /* get the privilege mask */ |
| - if (key->u.fortezza.DSSprivilege.len > 0) { |
| - priv = key->u.fortezza.DSSprivilege.data[0]; |
| - } |
| - |
| - /* |
| - * make sure the CA's keys are OK |
| - */ |
| - |
| - rv = SEC_CheckKRL(handle, key, NULL, t, wincx); |
| - SECKEY_DestroyPublicKey(key); |
| - if (rv != SECSuccess) { |
| - return rv; |
| - } |
| - |
| - switch (last_type) { |
| - case cbd_User: |
| - /* first check for subordination */ |
| - /*rv = FortezzaSubordinateCheck(cert,issuerCert);*/ |
| - rv = SECSuccess; |
| - |
| - /* now check for issuer privilege */ |
| - if ((rv != SECSuccess) || ((priv & 0x10) == 0)) { |
| - /* bail */ |
| - PORT_SetError (SEC_ERROR_CA_CERT_INVALID); |
| - return SECFailure; |
| - } |
| - break; |
| - case cbd_CA: |
| - if ((priv & 0x20) == 0) { |
| - /* bail */ |
| - PORT_SetError (SEC_ERROR_CA_CERT_INVALID); |
| - return SECFailure; |
| - } |
| - break; |
| - case cbd_None: |
| - *next_type = (priv & 0x30) ? cbd_CA : cbd_User; |
| - break; |
| - default: |
| - /* bail */ /* shouldn't ever happen */ |
| - PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER); |
| - return SECFailure; |
| - } |
| - return SECSuccess; |
| -} |
| - |
| - |
| static SECStatus |
| cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert, |
| PRBool checkSig, PRBool* sigerror, |
| @@ -496,7 +344,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle |
| CERTCertificate *subjectCert = NULL; |
| CERTCertificate *badCert = NULL; |
| PRBool isca; |
| - PRBool isFortezzaV1 = PR_FALSE; |
| SECStatus rv; |
| SECStatus rvFinal = SECSuccess; |
| int count; |
| @@ -512,8 +359,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle |
| int namesCount = 0; |
| PRBool subjectCertIsSelfIssued; |
| |
| - cbd_FortezzaType last_type = cbd_None; |
| - |
| if (revoked) { |
| *revoked = PR_FALSE; |
| } |
| @@ -562,21 +407,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle |
| goto loser; |
| } |
| |
| - /* determine if the cert is fortezza. |
| - */ |
| - isFortezzaV1 = (PRBool) |
| - (CERT_GetCertKeyType(&subjectCert->subjectPublicKeyInfo) |
| - == fortezzaKey); |
| - |
| - if (isFortezzaV1) { |
| - rv = cert_VerifyFortezzaV1Cert(handle, subjectCert, &last_type, |
| - cbd_None, t, wincx); |
| - if (rv == SECFailure) { |
| - /**** PORT_SetError is already set by cert_VerifyFortezzaV1Cert **/ |
| - LOG_ERROR_OR_EXIT(log,subjectCert,0,0); |
| - } |
| - } |
| - |
| arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); |
| if (arena == NULL) { |
| goto loser; |
| @@ -663,19 +493,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle |
| } |
| } |
| |
| - /* |
| - * XXX - fortezza may need error logging stuff added |
| - */ |
| - if (isFortezzaV1) { |
| - rv = cert_VerifyFortezzaV1Cert(handle, issuerCert, &last_type, |
| - last_type, t, wincx); |
| - if (rv == SECFailure) { |
| - /**** PORT_SetError is already set by * |
| - * cert_VerifyFortezzaV1Cert **/ |
| - LOG_ERROR_OR_EXIT(log,subjectCert,0,0); |
| - } |
| - } |
| - |
| /* If the basicConstraint extension is included in an immediate CA |
| * certificate, make sure that the isCA flag is on. If the |
| * pathLenConstraint component exists, it must be greater than the |
| @@ -683,12 +500,6 @@ cert_VerifyCertChainOld(CERTCertDBHandle |
| * is omitted, we will assume that this is a CA certificate with |
| * an unlimited pathLenConstraint (since it already passes the |
| * netscape-cert-type extension checking). |
| - * |
| - * In the fortezza (V1) case, we've already checked the CA bits |
| - * in the key, so we're presumed to be a CA; however we really don't |
| - * want to bypass Basic constraint or netscape extension parsing. |
| - * |
| - * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA |
| */ |
| |
| rv = CERT_FindBasicConstraintExten(issuerCert, &basicConstraint); |
| @@ -697,10 +508,8 @@ cert_VerifyCertChainOld(CERTCertDBHandle |
| LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0); |
| } |
| pathLengthLimit = CERT_UNLIMITED_PATH_CONSTRAINT; |
| - /* no basic constraints found, if we're fortezza, CA bit is already |
| - * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca |
| - * isca = PR_FALSE */ |
| - isca = isFortezzaV1; |
| + /* no basic constraints found, we aren't (yet) a CA. */ |
| + isca = PR_FALSE; |
| } else { |
| if ( basicConstraint.isCA == PR_FALSE ) { |
| PORT_SetError (SEC_ERROR_CA_CERT_INVALID); |
| @@ -960,12 +769,6 @@ CERT_VerifyCACertForUsage(CERTCertDBHand |
| * is omitted, we will assume that this is a CA certificate with |
| * an unlimited pathLenConstraint (since it already passes the |
| * netscape-cert-type extension checking). |
| - * |
| - * In the fortezza (V1) case, we've already checked the CA bits |
| - * in the key, so we're presumed to be a CA; however we really don't |
| - * want to bypass Basic constraint or netscape extension parsing. |
| - * |
| - * In Fortezza V2, basicConstraint will be set for every CA,PCA,PAA |
| */ |
| |
| rv = CERT_FindBasicConstraintExten(cert, &basicConstraint); |
| @@ -973,9 +776,7 @@ CERT_VerifyCACertForUsage(CERTCertDBHand |
| if (PORT_GetError() != SEC_ERROR_EXTENSION_NOT_FOUND) { |
| LOG_ERROR_OR_EXIT(log,cert,0,0); |
| } |
| - /* no basic constraints found, if we're fortezza, CA bit is already |
| - * verified (isca = PR_TRUE). otherwise, we aren't (yet) a ca |
| - * isca = PR_FALSE */ |
| + /* no basic constraints found, we aren't (yet) a CA. */ |
| isca = PR_FALSE; |
| } else { |
| if ( basicConstraint.isCA == PR_FALSE ) { |
| Index: mozilla/security/nss/lib/cryptohi/seckey.c |
| =================================================================== |
| RCS file: /cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v |
| retrieving revision 1.54 |
| diff -p -u -r1.54 seckey.c |
| --- mozilla/security/nss/lib/cryptohi/seckey.c 23 Jun 2010 02:13:56 -0000 1.54 |
| +++ mozilla/security/nss/lib/cryptohi/seckey.c 22 Jul 2011 20:57:00 -0000 |
| @@ -105,47 +105,6 @@ const SEC_ASN1Template SECKEY_DHParamKey |
| { 0, } |
| }; |
| |
| -const SEC_ASN1Template SECKEY_FortezzaParameterTemplate[] = { |
| - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) }, |
| - { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,prime), }, |
| - { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,subPrime), }, |
| - { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPQGParams,base), }, |
| - { 0 }, |
| -}; |
| - |
| -const SEC_ASN1Template SECKEY_FortezzaDiffParameterTemplate[] = { |
| - { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYDiffPQGParams) }, |
| - { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffKEAParams), |
| - SECKEY_FortezzaParameterTemplate}, |
| - { SEC_ASN1_INLINE, offsetof(SECKEYDiffPQGParams,DiffDSAParams), |
| - SECKEY_FortezzaParameterTemplate}, |
| - { 0 }, |
| -}; |
| - |
| -const SEC_ASN1Template SECKEY_FortezzaPreParamTemplate[] = { |
| - { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
| - SEC_ASN1_CONTEXT_SPECIFIC | 1, offsetof(SECKEYPQGDualParams,CommParams), |
| - SECKEY_FortezzaParameterTemplate}, |
| - { 0, } |
| -}; |
| - |
| -const SEC_ASN1Template SECKEY_FortezzaAltPreParamTemplate[] = { |
| - { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | |
| - SEC_ASN1_CONTEXT_SPECIFIC | 0, offsetof(SECKEYPQGDualParams,DiffParams), |
| - SECKEY_FortezzaDiffParameterTemplate}, |
| - { 0, } |
| -}; |
| - |
| -const SEC_ASN1Template SECKEY_KEAPublicKeyTemplate[] = { |
| - { SEC_ASN1_INTEGER, offsetof(SECKEYPublicKey,u.kea.publicValue), }, |
| - { 0, } |
| -}; |
| - |
| -const SEC_ASN1Template SECKEY_KEAParamsTemplate[] = { |
| - { SEC_ASN1_OCTET_STRING, offsetof(SECKEYPublicKey,u.kea.params.hash), }, |
| - { 0, } |
| -}; |
| - |
| SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_DSAPublicKeyTemplate) |
| SEC_ASN1_CHOOSER_IMPLEMENT(SECKEY_RSAPublicKeyTemplate) |
| SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SubjectPublicKeyInfoTemplate) |
| @@ -187,12 +146,6 @@ prepare_dh_pub_key_for_asn1(SECKEYPublic |
| pubk->u.dh.publicValue.type = siUnsignedInteger; |
| } |
| |
| -static void |
| -prepare_kea_pub_key_for_asn1(SECKEYPublicKey *pubk) |
| -{ |
| - pubk->u.kea.publicValue.type = siUnsignedInteger; |
| -} |
| - |
| /* Create an RSA key pair is any slot able to do so. |
| ** The created keys are "session" (temporary), not "token" (permanent), |
| ** and they are "sensitive", which makes them costly to move to another token. |
| @@ -603,149 +556,6 @@ SECKEY_UpdateCertPQG(CERTCertificate * s |
| } |
| |
| |
| -/* Decode the PQG parameters. The params could be stored in two |
| - * possible formats, the old fortezza-only wrapped format or |
| - * the standard DER encoded format. Store the decoded parameters in an |
| - * old fortezza cert data structure */ |
| - |
| -SECStatus |
| -SECKEY_FortezzaDecodePQGtoOld(PRArenaPool *arena, SECKEYPublicKey *pubk, |
| - SECItem *params) { |
| - SECStatus rv; |
| - SECKEYPQGDualParams dual_params; |
| - SECItem newparams; |
| - |
| - PORT_Assert(arena); |
| - |
| - if (params == NULL) return SECFailure; |
| - |
| - if (params->data == NULL) return SECFailure; |
| - |
| - /* make a copy of the data into the arena so QuickDER output is valid */ |
| - rv = SECITEM_CopyItem(arena, &newparams, params); |
| - |
| - /* Check if params use the standard format. |
| - * The value 0xa1 will appear in the first byte of the parameter data |
| - * if the PQG parameters are not using the standard format. This |
| - * code should be changed to use a better method to detect non-standard |
| - * parameters. */ |
| - |
| - if ((newparams.data[0] != 0xa1) && |
| - (newparams.data[0] != 0xa0)) { |
| - |
| - if (SECSuccess == rv) { |
| - /* PQG params are in the standard format */ |
| - |
| - /* Store DSA PQG parameters */ |
| - prepare_pqg_params_for_asn1(&pubk->u.fortezza.params); |
| - rv = SEC_QuickDERDecodeItem(arena, &pubk->u.fortezza.params, |
| - SECKEY_PQGParamsTemplate, |
| - &newparams); |
| - } |
| - |
| - if (SECSuccess == rv) { |
| - |
| - /* Copy the DSA PQG parameters to the KEA PQG parameters. */ |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, |
| - &pubk->u.fortezza.params.prime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, |
| - &pubk->u.fortezza.params.subPrime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, |
| - &pubk->u.fortezza.params.base); |
| - } |
| - } else { |
| - |
| - dual_params.CommParams.prime.len = 0; |
| - dual_params.CommParams.subPrime.len = 0; |
| - dual_params.CommParams.base.len = 0; |
| - dual_params.DiffParams.DiffDSAParams.prime.len = 0; |
| - dual_params.DiffParams.DiffDSAParams.subPrime.len = 0; |
| - dual_params.DiffParams.DiffDSAParams.base.len = 0; |
| - |
| - /* else the old fortezza-only wrapped format is used. */ |
| - |
| - if (SECSuccess == rv) { |
| - if (newparams.data[0] == 0xa1) { |
| - rv = SEC_QuickDERDecodeItem(arena, &dual_params, |
| - SECKEY_FortezzaPreParamTemplate, &newparams); |
| - } else { |
| - rv = SEC_QuickDERDecodeItem(arena, &dual_params, |
| - SECKEY_FortezzaAltPreParamTemplate, &newparams); |
| - } |
| - } |
| - |
| - if ( (dual_params.CommParams.prime.len > 0) && |
| - (dual_params.CommParams.subPrime.len > 0) && |
| - (dual_params.CommParams.base.len > 0) ) { |
| - /* copy in common params */ |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime, |
| - &dual_params.CommParams.prime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime, |
| - &dual_params.CommParams.subPrime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base, |
| - &dual_params.CommParams.base); |
| - } |
| - |
| - /* Copy the DSA PQG parameters to the KEA PQG parameters. */ |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, |
| - &pubk->u.fortezza.params.prime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, |
| - &pubk->u.fortezza.params.subPrime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, |
| - &pubk->u.fortezza.params.base); |
| - } |
| - } else { |
| - |
| - /* else copy in different params */ |
| - |
| - /* copy DSA PQG parameters */ |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.prime, |
| - &dual_params.DiffParams.DiffDSAParams.prime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.subPrime, |
| - &dual_params.DiffParams.DiffDSAParams.subPrime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.params.base, |
| - &dual_params.DiffParams.DiffDSAParams.base); |
| - } |
| - |
| - /* copy KEA PQG parameters */ |
| - |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.prime, |
| - &dual_params.DiffParams.DiffKEAParams.prime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.subPrime, |
| - &dual_params.DiffParams.DiffKEAParams.subPrime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.keaParams.base, |
| - &dual_params.DiffParams.DiffKEAParams.base); |
| - } |
| - } |
| - } |
| - return rv; |
| -} |
| - |
| - |
| /* Decode the DSA PQG parameters. The params could be stored in two |
| * possible formats, the old fortezza-only wrapped format or |
| * the normal standard format. Store the decoded parameters in |
| @@ -754,7 +564,6 @@ SECKEY_FortezzaDecodePQGtoOld(PRArenaPoo |
| SECStatus |
| SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) { |
| SECStatus rv; |
| - SECKEYPQGDualParams dual_params; |
| SECItem newparams; |
| |
| if (params == NULL) return SECFailure; |
| @@ -784,187 +593,16 @@ SECKEY_DSADecodePQG(PRArenaPool *arena, |
| } |
| } else { |
| |
| - dual_params.CommParams.prime.len = 0; |
| - dual_params.CommParams.subPrime.len = 0; |
| - dual_params.CommParams.base.len = 0; |
| - dual_params.DiffParams.DiffDSAParams.prime.len = 0; |
| - dual_params.DiffParams.DiffDSAParams.subPrime.len = 0; |
| - dual_params.DiffParams.DiffDSAParams.base.len = 0; |
| - |
| if (SECSuccess == rv) { |
| /* else the old fortezza-only wrapped format is used. */ |
| - if (newparams.data[0] == 0xa1) { |
| - rv = SEC_QuickDERDecodeItem(arena, &dual_params, |
| - SECKEY_FortezzaPreParamTemplate, &newparams); |
| - } else { |
| - rv = SEC_QuickDERDecodeItem(arena, &dual_params, |
| - SECKEY_FortezzaAltPreParamTemplate, &newparams); |
| - } |
| - } |
| - |
| - if ( (dual_params.CommParams.prime.len > 0) && |
| - (dual_params.CommParams.subPrime.len > 0) && |
| - (dual_params.CommParams.base.len > 0) ) { |
| - /* copy in common params */ |
| - |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime, |
| - &dual_params.CommParams.prime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime, |
| - &dual_params.CommParams.subPrime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base, |
| - &dual_params.CommParams.base); |
| - } |
| - } else { |
| - |
| - /* else copy in different params */ |
| - |
| - /* copy DSA PQG parameters */ |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime, |
| - &dual_params.DiffParams.DiffDSAParams.prime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime, |
| - &dual_params.DiffParams.DiffDSAParams.subPrime); |
| - } |
| - if (SECSuccess == rv) { |
| - rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base, |
| - &dual_params.DiffParams.DiffDSAParams.base); |
| - } |
| + PORT_SetError(SEC_ERROR_BAD_DER); |
| + rv = SECFailure; |
| } |
| } |
| return rv; |
| } |
| |
| |
| -/* Decodes the DER encoded fortezza public key and stores the results in a |
| - * structure of type SECKEYPublicKey. */ |
| - |
| -SECStatus |
| -SECKEY_FortezzaDecodeCertKey(PRArenaPool *arena, SECKEYPublicKey *pubk, |
| - SECItem *rawkey, SECItem *params) { |
| - |
| - unsigned char *rawptr = rawkey->data; |
| - unsigned char *end = rawkey->data + rawkey->len; |
| - unsigned char *clearptr; |
| - |
| - /* first march down and decode the raw key data */ |
| - |
| - /* version */ |
| - pubk->u.fortezza.KEAversion = *rawptr++; |
| - if (*rawptr++ != 0x01) { |
| - return SECFailure; |
| - } |
| - |
| - /* KMID */ |
| - PORT_Memcpy(pubk->u.fortezza.KMID,rawptr, |
| - sizeof(pubk->u.fortezza.KMID)); |
| - rawptr += sizeof(pubk->u.fortezza.KMID); |
| - |
| - /* clearance (the string up to the first byte with the hi-bit on */ |
| - clearptr = rawptr; |
| - while ((rawptr < end) && (*rawptr++ & 0x80)); |
| - |
| - if (rawptr >= end) { return SECFailure; } |
| - pubk->u.fortezza.clearance.len = rawptr - clearptr; |
| - pubk->u.fortezza.clearance.data = |
| - (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.clearance.len); |
| - if (pubk->u.fortezza.clearance.data == NULL) { |
| - return SECFailure; |
| - } |
| - PORT_Memcpy(pubk->u.fortezza.clearance.data,clearptr, |
| - pubk->u.fortezza.clearance.len); |
| - |
| - /* KEAPrivilege (the string up to the first byte with the hi-bit on */ |
| - clearptr = rawptr; |
| - while ((rawptr < end) && (*rawptr++ & 0x80)); |
| - if (rawptr >= end) { return SECFailure; } |
| - pubk->u.fortezza.KEAprivilege.len = rawptr - clearptr; |
| - pubk->u.fortezza.KEAprivilege.data = |
| - (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEAprivilege.len); |
| - if (pubk->u.fortezza.KEAprivilege.data == NULL) { |
| - return SECFailure; |
| - } |
| - PORT_Memcpy(pubk->u.fortezza.KEAprivilege.data,clearptr, |
| - pubk->u.fortezza.KEAprivilege.len); |
| - |
| - |
| - /* now copy the key. The next to bytes are the key length, and the |
| - * key follows */ |
| - pubk->u.fortezza.KEAKey.len = (*rawptr << 8) | rawptr[1]; |
| - |
| - rawptr += 2; |
| - if (rawptr+pubk->u.fortezza.KEAKey.len > end) { return SECFailure; } |
| - pubk->u.fortezza.KEAKey.data = |
| - (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.KEAKey.len); |
| - if (pubk->u.fortezza.KEAKey.data == NULL) { |
| - return SECFailure; |
| - } |
| - PORT_Memcpy(pubk->u.fortezza.KEAKey.data,rawptr, |
| - pubk->u.fortezza.KEAKey.len); |
| - rawptr += pubk->u.fortezza.KEAKey.len; |
| - |
| - /* shared key */ |
| - if (rawptr >= end) { |
| - pubk->u.fortezza.DSSKey.len = pubk->u.fortezza.KEAKey.len; |
| - /* this depends on the fact that we are going to get freed with an |
| - * ArenaFree call. We cannot free DSSKey and KEAKey separately */ |
| - pubk->u.fortezza.DSSKey.data= |
| - pubk->u.fortezza.KEAKey.data; |
| - pubk->u.fortezza.DSSprivilege.len = |
| - pubk->u.fortezza.KEAprivilege.len; |
| - pubk->u.fortezza.DSSprivilege.data = |
| - pubk->u.fortezza.DSSprivilege.data; |
| - goto done; |
| - } |
| - |
| - |
| - /* DSS Version is next */ |
| - pubk->u.fortezza.DSSversion = *rawptr++; |
| - |
| - if (*rawptr++ != 2) { |
| - return SECFailure; |
| - } |
| - |
| - /* DSSPrivilege (the string up to the first byte with the hi-bit on */ |
| - clearptr = rawptr; |
| - while ((rawptr < end) && (*rawptr++ & 0x80)); |
| - if (rawptr >= end) { return SECFailure; } |
| - pubk->u.fortezza.DSSprivilege.len = rawptr - clearptr; |
| - pubk->u.fortezza.DSSprivilege.data = |
| - (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSprivilege.len); |
| - if (pubk->u.fortezza.DSSprivilege.data == NULL) { |
| - return SECFailure; |
| - } |
| - PORT_Memcpy(pubk->u.fortezza.DSSprivilege.data,clearptr, |
| - pubk->u.fortezza.DSSprivilege.len); |
| - |
| - /* finally copy the DSS key. The next to bytes are the key length, |
| - * and the key follows */ |
| - pubk->u.fortezza.DSSKey.len = (*rawptr << 8) | rawptr[1]; |
| - |
| - rawptr += 2; |
| - if (rawptr+pubk->u.fortezza.DSSKey.len > end){ return SECFailure; } |
| - pubk->u.fortezza.DSSKey.data = |
| - (unsigned char*)PORT_ArenaZAlloc(arena,pubk->u.fortezza.DSSKey.len); |
| - if (pubk->u.fortezza.DSSKey.data == NULL) { |
| - return SECFailure; |
| - } |
| - PORT_Memcpy(pubk->u.fortezza.DSSKey.data,rawptr, |
| - pubk->u.fortezza.DSSKey.len); |
| - |
| - /* ok, now we decode the parameters */ |
| -done: |
| - |
| - return SECKEY_FortezzaDecodePQGtoOld(arena, pubk, params); |
| -} |
| - |
| - |
| /* Function used to make an oid tag to a key type */ |
| KeyType |
| seckey_GetKeyType (SECOidTag tag) { |
| @@ -1085,59 +723,6 @@ seckey_ExtractPublicKey(CERTSubjectPubli |
| |
| if (rv == SECSuccess) return pubk; |
| break; |
| - case SEC_OID_MISSI_KEA_DSS_OLD: |
| - case SEC_OID_MISSI_KEA_DSS: |
| - case SEC_OID_MISSI_DSS_OLD: |
| - case SEC_OID_MISSI_DSS: |
| - pubk->keyType = fortezzaKey; |
| - rv = SECKEY_FortezzaDecodeCertKey(arena, pubk, &newOs, |
| - &spki->algorithm.parameters); |
| - if (rv == SECSuccess) |
| - return pubk; |
| - break; |
| - |
| - case SEC_OID_MISSI_KEA: |
| - pubk->keyType = keaKey; |
| - |
| - prepare_kea_pub_key_for_asn1(pubk); |
| - rv = SEC_QuickDERDecodeItem(arena, pubk, |
| - SECKEY_KEAPublicKeyTemplate, &newOs); |
| - if (rv != SECSuccess) break; |
| - |
| - /* copy the DER into the arena, since Quick DER returns data that points |
| - into the DER input, which may get freed by the caller */ |
| - rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters); |
| - if ( rv != SECSuccess ) |
| - break; |
| - |
| - rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_KEAParamsTemplate, |
| - &newParms); |
| - |
| - if (rv == SECSuccess) |
| - return pubk; |
| - |
| - break; |
| - |
| - case SEC_OID_MISSI_ALT_KEA: |
| - pubk->keyType = keaKey; |
| - |
| - rv = SECITEM_CopyItem(arena,&pubk->u.kea.publicValue,&newOs); |
| - if (rv != SECSuccess) break; |
| - |
| - /* copy the DER into the arena, since Quick DER returns data that points |
| - into the DER input, which may get freed by the caller */ |
| - rv = SECITEM_CopyItem(arena, &newParms, &spki->algorithm.parameters); |
| - if ( rv != SECSuccess ) |
| - break; |
| - |
| - rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_KEAParamsTemplate, |
| - &newParms); |
| - |
| - if (rv == SECSuccess) |
| - return pubk; |
| - |
| - break; |
| - |
| case SEC_OID_ANSIX962_EC_PUBLIC_KEY: |
| pubk->keyType = ecKey; |
| pubk->u.ec.size = 0; |
| @@ -1154,6 +739,7 @@ seckey_ExtractPublicKey(CERTSubjectPubli |
| break; |
| |
| default: |
| + PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); |
| rv = SECFailure; |
| break; |
| } |
| Index: mozilla/security/nss/lib/pk11wrap/pk11akey.c |
| =================================================================== |
| RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v |
| retrieving revision 1.30 |
| diff -p -u -r1.30 pk11akey.c |
| --- mozilla/security/nss/lib/pk11wrap/pk11akey.c 17 Jun 2010 20:36:37 -0000 1.30 |
| +++ mozilla/security/nss/lib/pk11wrap/pk11akey.c 22 Jul 2011 20:57:00 -0000 |
| @@ -171,20 +171,6 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, |
| PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.dsa.publicValue.data, |
| pubKey->u.dsa.publicValue.len); attrs++; |
| break; |
| - case fortezzaKey: |
| - keyType = CKK_DSA; |
| - PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));attrs++; |
| - signedattr = attrs; |
| - PK11_SETATTRS(attrs, CKA_PRIME,pubKey->u.fortezza.params.prime.data, |
| - pubKey->u.fortezza.params.prime.len); attrs++; |
| - PK11_SETATTRS(attrs,CKA_SUBPRIME, |
| - pubKey->u.fortezza.params.subPrime.data, |
| - pubKey->u.fortezza.params.subPrime.len);attrs++; |
| - PK11_SETATTRS(attrs, CKA_BASE, pubKey->u.fortezza.params.base.data, |
| - pubKey->u.fortezza.params.base.len); attrs++; |
| - PK11_SETATTRS(attrs, CKA_VALUE, pubKey->u.fortezza.DSSKey.data, |
| - pubKey->u.fortezza.DSSKey.len); attrs++; |
| - break; |
| case dhKey: |
| keyType = CKK_DH; |
| PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));attrs++; |
| @@ -223,6 +209,9 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, |
| } |
| break; |
| default: |
| + if (ckaId) { |
| + SECITEM_FreeItem(ckaId,PR_TRUE); |
| + } |
| PORT_SetError( SEC_ERROR_BAD_KEY ); |
| return CK_INVALID_HANDLE; |
| } |
| @@ -242,6 +231,10 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, |
| SECITEM_FreeItem(pubValue,PR_TRUE); |
| } |
| if ( rv != SECSuccess) { |
| + /* CKR_ATTRIBUTE_VALUE_INVALID is mapped to SEC_ERROR_BAD_DATA */ |
| + if (PORT_GetError() == SEC_ERROR_BAD_DATA) { |
| + PORT_SetError( SEC_ERROR_BAD_KEY ); |
| + } |
| return CK_INVALID_HANDLE; |
| } |
| } |
| Index: mozilla/security/nss/lib/util/quickder.c |
| =================================================================== |
| RCS file: /cvsroot/mozilla/security/nss/lib/util/quickder.c,v |
| retrieving revision 1.23 |
| diff -p -u -r1.23 quickder.c |
| --- mozilla/security/nss/lib/util/quickder.c 31 Oct 2005 18:34:42 -0000 1.23 |
| +++ mozilla/security/nss/lib/util/quickder.c 22 Jul 2011 20:57:00 -0000 |
| @@ -102,7 +102,7 @@ static unsigned char* definite_length_de |
| |
| static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag) |
| { |
| - if ( (!src) || (!dest) || (!src->data) ) |
| + if ( (!src) || (!dest) || (!src->data && src->len) ) |
| { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |