diff options
author | Peter Foley <pefoley2@verizon.net> | 2012-11-29 20:50:15 -0500 |
---|---|---|
committer | Peter Foley <pefoley2@verizon.net> | 2012-11-30 11:34:29 -0500 |
commit | ec6af4194e80f5f0b2e46ca59802ff397a2a4a24 (patch) | |
tree | 9f0ff42902bdd0a7988cc462571259c873794289 /libxmlsec/src | |
parent | 694a2c53810dec6d8e069d74baf51e6cdda91faa (diff) |
convert libxmlsec to gbuild
Change-Id: Id0ad4e1c8e3e1ac03c625fb77b70fe0aa8ddfcdc
Diffstat (limited to 'libxmlsec/src')
-rw-r--r-- | libxmlsec/src/akmngr_mscrypto.c | 237 | ||||
-rw-r--r-- | libxmlsec/src/akmngr_nss.c | 384 | ||||
-rw-r--r-- | libxmlsec/src/keywrapers.c | 1213 | ||||
-rw-r--r-- | libxmlsec/src/tokens.c | 548 |
4 files changed, 2382 insertions, 0 deletions
diff --git a/libxmlsec/src/akmngr_mscrypto.c b/libxmlsec/src/akmngr_mscrypto.c new file mode 100644 index 000000000000..af9eef4ecfb6 --- /dev/null +++ b/libxmlsec/src/akmngr_mscrypto.c @@ -0,0 +1,237 @@ +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright......................... + */ +#include "globals.h" + +#include <xmlsec/xmlsec.h> +#include <xmlsec/keys.h> +#include <xmlsec/keysmngr.h> +#include <xmlsec/transforms.h> +#include <xmlsec/errors.h> + +#include <xmlsec/mscrypto/crypto.h> +#include <xmlsec/mscrypto/keysstore.h> +#include <xmlsec/mscrypto/akmngr.h> +#include <xmlsec/mscrypto/x509.h> + +/** + * xmlSecMSCryptoAppliedKeysMngrCreate: + * @hKeyStore: the pointer to key store. + * @hCertStore: the pointer to certificate database. + * + * Create and load key store and certificate database into keys manager + * + * Returns keys manager pointer on success or NULL otherwise. + */ +xmlSecKeysMngrPtr +xmlSecMSCryptoAppliedKeysMngrCreate( + HCERTSTORE hKeyStore , + HCERTSTORE hCertStore +) { + xmlSecKeyDataStorePtr certStore = NULL ; + xmlSecKeysMngrPtr keyMngr = NULL ; + xmlSecKeyStorePtr keyStore = NULL ; + + keyStore = xmlSecKeyStoreCreate( xmlSecMSCryptoKeysStoreId ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeyStoreCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return NULL ; + } + + /*- + * At present, MS Crypto engine do not provide a way to setup a key store. + */ + if( keyStore != NULL ) { + /*TODO: binding key store.*/ + } + + keyMngr = xmlSecKeysMngrCreate() ; + if( keyMngr == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + return NULL ; + } + + /*- + * Add key store to manager, from now on keys manager destroys the store if + * needed + */ + if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecKeysMngrAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Initialize crypto library specific data in keys manager + */ + if( xmlSecMSCryptoKeysMngrInit( keyMngr ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecMSCryptoKeysMngrInit" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Set certificate databse to X509 key data store + */ + /*- + * At present, MS Crypto engine do not provide a way to setup a cert store. + */ + + /*- + * Set the getKey callback + */ + keyMngr->getKey = xmlSecKeysMngrGetKey ; + + return keyMngr ; +} + +int +xmlSecMSCryptoAppliedKeysMngrSymKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY symKey +) { + /*TODO: import the key into keys manager.*/ + return(0) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrPubKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY pubKey +) { + /*TODO: import the key into keys manager.*/ + return(0) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrPriKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY priKey +) { + /*TODO: import the key into keys manager.*/ + return(0) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE keyStore +) { + xmlSecKeyDataStorePtr x509Store ; + + xmlSecAssert2( mngr != NULL, -1 ) ; + xmlSecAssert2( keyStore != NULL, -1 ) ; + + x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; + if( x509Store == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + if( xmlSecMSCryptoX509StoreAdoptKeyStore( x509Store, keyStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , + "xmlSecMSCryptoX509StoreAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + return( 0 ) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE trustedStore +) { + xmlSecKeyDataStorePtr x509Store ; + + xmlSecAssert2( mngr != NULL, -1 ) ; + xmlSecAssert2( trustedStore != NULL, -1 ) ; + + x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; + if( x509Store == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + if( xmlSecMSCryptoX509StoreAdoptTrustedStore( x509Store, trustedStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , + "xmlSecMSCryptoX509StoreAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + return( 0 ) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE untrustedStore +) { + xmlSecKeyDataStorePtr x509Store ; + + xmlSecAssert2( mngr != NULL, -1 ) ; + xmlSecAssert2( untrustedStore != NULL, -1 ) ; + + x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; + if( x509Store == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + if( xmlSecMSCryptoX509StoreAdoptUntrustedStore( x509Store, untrustedStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , + "xmlSecMSCryptoX509StoreAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + return( 0 ) ; +} + + diff --git a/libxmlsec/src/akmngr_nss.c b/libxmlsec/src/akmngr_nss.c new file mode 100644 index 000000000000..0eddf86ef931 --- /dev/null +++ b/libxmlsec/src/akmngr_nss.c @@ -0,0 +1,384 @@ +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright......................... + */ +#include "globals.h" + +#include <nspr.h> +#include <nss.h> +#include <pk11func.h> +#include <cert.h> +#include <keyhi.h> + +#include <xmlsec/xmlsec.h> +#include <xmlsec/keys.h> +#include <xmlsec/transforms.h> +#include <xmlsec/errors.h> + +#include <xmlsec/nss/crypto.h> +#include <xmlsec/nss/tokens.h> +#include <xmlsec/nss/akmngr.h> +#include <xmlsec/nss/pkikeys.h> +#include <xmlsec/nss/ciphers.h> +#include <xmlsec/nss/keysstore.h> + +/** + * xmlSecNssAppliedKeysMngrCreate: + * @slot: array of pointers to NSS PKCS#11 slot information. + * @cSlots: number of slots in the array + * @handler: the pointer to NSS certificate database. + * + * Create and load NSS crypto slot and certificate database into keys manager + * + * Returns keys manager pointer on success or NULL otherwise. + */ +xmlSecKeysMngrPtr +xmlSecNssAppliedKeysMngrCreate( + PK11SlotInfo** slots, + int cSlots, + CERTCertDBHandle* handler +) { + xmlSecKeyDataStorePtr certStore = NULL ; + xmlSecKeysMngrPtr keyMngr = NULL ; + xmlSecKeyStorePtr keyStore = NULL ; + int islot = 0; + keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeyStoreCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return NULL ; + } + + for (islot = 0; islot < cSlots; islot++) + { + xmlSecNssKeySlotPtr keySlot ; + + /* Create a key slot */ + keySlot = xmlSecNssKeySlotCreate() ; + if( keySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeySlotCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + return NULL ; + } + + /* Set slot */ + if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeySlotSetSlot" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return NULL ; + } + + /* Adopt keySlot */ + if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeysStoreAdoptKeySlot" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return NULL ; + } + } + + keyMngr = xmlSecKeysMngrCreate() ; + if( keyMngr == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + return NULL ; + } + + /*- + * Add key store to manager, from now on keys manager destroys the store if + * needed + */ + if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecKeysMngrAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Initialize crypto library specific data in keys manager + */ + if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Set certificate databse to X509 key data store + */ + /** + * Because Tej's implementation of certDB use the default DB, so I ignore + * the certDB handler at present. I'll modify the cert store sources to + * accept particular certDB instead of default ones. + certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ; + if( certStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeyDataStoreX509SetCertDb" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + */ + + /*- + * Set the getKey callback + */ + keyMngr->getKey = xmlSecKeysMngrGetKey ; + + return keyMngr ; +} + +int +xmlSecNssAppliedKeysMngrSymKeyLoad( + xmlSecKeysMngrPtr mngr , + PK11SymKey* symKey +) { + xmlSecKeyPtr key ; + xmlSecKeyDataPtr data ; + xmlSecKeyStorePtr keyStore ; + + xmlSecAssert2( mngr != NULL , -1 ) ; + xmlSecAssert2( symKey != NULL , -1 ) ; + + keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetKeysStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; + + data = xmlSecNssSymKeyDataKeyAdopt( symKey ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + + key = xmlSecKeyCreate() ; + if( key == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecKeySetValue( key , data ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDestroy( key ) ; + return(-1) ; + } + + return(0) ; +} + +int +xmlSecNssAppliedKeysMngrPubKeyLoad( + xmlSecKeysMngrPtr mngr , + SECKEYPublicKey* pubKey +) { + xmlSecKeyPtr key ; + xmlSecKeyDataPtr data ; + xmlSecKeyStorePtr keyStore ; + + xmlSecAssert2( mngr != NULL , -1 ) ; + xmlSecAssert2( pubKey != NULL , -1 ) ; + + keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetKeysStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; + + data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssPKIAdoptKey" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + + key = xmlSecKeyCreate() ; + if( key == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecKeySetValue( key , data ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDestroy( key ) ; + return(-1) ; + } + + return(0) ; +} + +int +xmlSecNssAppliedKeysMngrPriKeyLoad( + xmlSecKeysMngrPtr mngr , + SECKEYPrivateKey* priKey +) { + xmlSecKeyPtr key ; + xmlSecKeyDataPtr data ; + xmlSecKeyStorePtr keyStore ; + + xmlSecAssert2( mngr != NULL , -1 ) ; + xmlSecAssert2( priKey != NULL , -1 ) ; + + keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetKeysStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; + + data = xmlSecNssPKIAdoptKey( priKey, NULL ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssPKIAdoptKey" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + + key = xmlSecKeyCreate() ; + if( key == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecKeySetValue( key , data ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDestroy( key ) ; + return(-1) ; + } + + return(0) ; +} + diff --git a/libxmlsec/src/keywrapers.c b/libxmlsec/src/keywrapers.c new file mode 100644 index 000000000000..6066724c874b --- /dev/null +++ b/libxmlsec/src/keywrapers.c @@ -0,0 +1,1213 @@ +/** + * + * XMLSec library + * + * AES Algorithm support + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright ................................. + */ +#include "globals.h" + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> + +#include <nss.h> +#include <pk11func.h> +#include <hasht.h> + +#include <xmlsec/xmlsec.h> +#include <xmlsec/xmltree.h> +#include <xmlsec/keys.h> +#include <xmlsec/transforms.h> +#include <xmlsec/errors.h> + +#include <xmlsec/nss/crypto.h> +#include <xmlsec/nss/ciphers.h> + +#define XMLSEC_NSS_AES128_KEY_SIZE 16 +#define XMLSEC_NSS_AES192_KEY_SIZE 24 +#define XMLSEC_NSS_AES256_KEY_SIZE 32 +#define XMLSEC_NSS_DES3_KEY_SIZE 24 +#define XMLSEC_NSS_DES3_KEY_LENGTH 24 +#define XMLSEC_NSS_DES3_IV_LENGTH 8 +#define XMLSEC_NSS_DES3_BLOCK_LENGTH 8 + +static xmlSecByte xmlSecNssKWDes3Iv[XMLSEC_NSS_DES3_IV_LENGTH] = { + 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 +}; + +/********************************************************************* + * + * key wrap transforms + * + ********************************************************************/ +typedef struct _xmlSecNssKeyWrapCtx xmlSecNssKeyWrapCtx ; +typedef struct _xmlSecNssKeyWrapCtx* xmlSecNssKeyWrapCtxPtr ; + +#define xmlSecNssKeyWrapSize \ + ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyWrapCtx ) ) + +#define xmlSecNssKeyWrapGetCtx( transform ) \ + ( ( xmlSecNssKeyWrapCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) ) + +struct _xmlSecNssKeyWrapCtx { + CK_MECHANISM_TYPE cipher ; + PK11SymKey* symkey ; + xmlSecKeyDataId keyId ; + xmlSecBufferPtr material ; /* to be encrypted/decrypted key material */ +} ; + +static int xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform); +static void xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform); +static int xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, + xmlSecKeyReqPtr keyReq); +static int xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, + xmlSecKeyPtr key); +static int xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, + int last, + xmlSecTransformCtxPtr transformCtx); +static xmlSecSize xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform); + +static int +xmlSecNssKeyWrapCheckId( + xmlSecTransformPtr transform +) { + #ifndef XMLSEC_NO_DES + if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) { + return(1); + } + #endif /* XMLSEC_NO_DES */ + + #ifndef XMLSEC_NO_AES + if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes128Id ) || + xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes192Id ) || + xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes256Id ) ) { + + return(1); + } + #endif /* XMLSEC_NO_AES */ + + return(0); +} + +static xmlSecSize +xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform) { +#ifndef XMLSEC_NO_DES + if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) { + return(XMLSEC_NSS_DES3_KEY_SIZE); + } else +#endif /* XMLSEC_NO_DES */ + +#ifndef XMLSEC_NO_AES + if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes128Id)) { + return(XMLSEC_NSS_AES128_KEY_SIZE); + } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes192Id)) { + return(XMLSEC_NSS_AES192_KEY_SIZE); + } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) { + return(XMLSEC_NSS_AES256_KEY_SIZE); + } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) { + return(XMLSEC_NSS_AES256_KEY_SIZE); + } else +#endif /* XMLSEC_NO_AES */ + + if(1) + return(0); +} + + +static int +xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform) { + xmlSecNssKeyWrapCtxPtr context ; + int ret; + + xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + xmlSecAssert2( context != NULL , -1 ) ; + + #ifndef XMLSEC_NO_DES + if( transform->id == xmlSecNssTransformKWDes3Id ) { + context->cipher = CKM_DES3_CBC ; + context->keyId = xmlSecNssKeyDataDesId ; + } else + #endif /* XMLSEC_NO_DES */ + + #ifndef XMLSEC_NO_AES + if( transform->id == xmlSecNssTransformKWAes128Id ) { + /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ + context->cipher = CKM_AES_CBC ; + context->keyId = xmlSecNssKeyDataAesId ; + } else + if( transform->id == xmlSecNssTransformKWAes192Id ) { + /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ + context->cipher = CKM_AES_CBC ; + context->keyId = xmlSecNssKeyDataAesId ; + } else + if( transform->id == xmlSecNssTransformKWAes256Id ) { + /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ + context->cipher = CKM_AES_CBC ; + context->keyId = xmlSecNssKeyDataAesId ; + } else + #endif /* XMLSEC_NO_AES */ + + + if( 1 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + context->symkey = NULL ; + context->material = NULL ; + + return(0); +} + +static void +xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform) { + xmlSecNssKeyWrapCtxPtr context ; + + xmlSecAssert(xmlSecNssKeyWrapCheckId(transform)); + xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize)); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + xmlSecAssert( context != NULL ) ; + + if( context->symkey != NULL ) { + PK11_FreeSymKey( context->symkey ) ; + context->symkey = NULL ; + } + + if( context->material != NULL ) { + xmlSecBufferDestroy(context->material); + context->material = NULL ; + } +} + +static int +xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) { + xmlSecNssKeyWrapCtxPtr context ; + xmlSecSize cipherSize = 0 ; + + + xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); + xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); + xmlSecAssert2(keyReq != NULL, -1); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + xmlSecAssert2( context != NULL , -1 ) ; + + keyReq->keyId = context->keyId; + keyReq->keyType = xmlSecKeyDataTypeSymmetric; + if(transform->operation == xmlSecTransformOperationEncrypt) { + keyReq->keyUsage = xmlSecKeyUsageEncrypt; + } else { + keyReq->keyUsage = xmlSecKeyUsageDecrypt; + } + + keyReq->keyBitsSize = xmlSecNssKeyWrapGetKeySize( transform ) ; + + return(0); +} + +static int +xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { + xmlSecNssKeyWrapCtxPtr context = NULL ; + xmlSecKeyDataPtr keyData = NULL ; + PK11SymKey* symkey = NULL ; + + xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); + xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); + xmlSecAssert2(key != NULL, -1); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + if( context == NULL || context->keyId == NULL || context->symkey != NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapGetCtx" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ; + + keyData = xmlSecKeyGetValue( key ) ; + if( keyData == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) , + "xmlSecKeyGetValue" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) , + "xmlSecNssSymKeyDataGetKey" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + context->symkey = symkey ; + + return(0) ; +} + +/** + * key wrap transform + */ +static int +xmlSecNssKeyWrapCtxInit( + xmlSecNssKeyWrapCtxPtr ctx , + xmlSecBufferPtr in , + xmlSecBufferPtr out , + int encrypt , + xmlSecTransformCtxPtr transformCtx +) { + xmlSecSize blockSize ; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( in != NULL , -1 ) ; + xmlSecAssert2( out != NULL , -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + if( ctx->material != NULL ) { + xmlSecBufferDestroy( ctx->material ) ; + ctx->material = NULL ; + } + + if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_GetBlockSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + ctx->material = xmlSecBufferCreate( blockSize ) ; + if( ctx->material == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferCreate" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* read raw key material into context */ + if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferSetData" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferRemoveHead" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + return(0); +} + +/** + * key wrap transform update + */ +static int +xmlSecNssKeyWrapCtxUpdate( + xmlSecNssKeyWrapCtxPtr ctx , + xmlSecBufferPtr in , + xmlSecBufferPtr out , + int encrypt , + xmlSecTransformCtxPtr transformCtx +) { + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( in != NULL , -1 ) ; + xmlSecAssert2( out != NULL , -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + /* read raw key material and append into context */ + if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferAppend" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferRemoveHead" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + return(0); +} + +static int +xmlSecNssKWDes3BufferReverse(xmlSecByte *buf, xmlSecSize size) { + xmlSecSize s; + xmlSecSize i; + xmlSecByte c; + + xmlSecAssert2(buf != NULL, -1); + + s = size / 2; + --size; + for(i = 0; i < s; ++i) { + c = buf[i]; + buf[i] = buf[size - i]; + buf[size - i] = c; + } + return(0); +} + +static xmlSecByte * +xmlSecNssComputeSHA1(const xmlSecByte *in, xmlSecSize inSize, + xmlSecByte *out, xmlSecSize outSize) +{ + PK11Context *context = NULL; + SECStatus s; + xmlSecByte *digest = NULL; + unsigned int len; + + xmlSecAssert2(in != NULL, NULL); + xmlSecAssert2(out != NULL, NULL); + xmlSecAssert2(outSize >= SHA1_LENGTH, NULL); + + /* Create a context for hashing (digesting) */ + context = PK11_CreateDigestContext(SEC_OID_SHA1); + if (context == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_CreateDigestContext", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + + s = PK11_DigestBegin(context); + if (s != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestBegin", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + + s = PK11_DigestOp(context, in, inSize); + if (s != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestOp", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + + s = PK11_DigestFinal(context, out, &len, outSize); + if (s != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + xmlSecAssert2(len == SHA1_LENGTH, NULL); + + digest = out; + +done: + if (context != NULL) { + PK11_DestroyContext(context, PR_TRUE); + } + return (digest); +} + +static int +xmlSecNssKWDes3Encrypt( + PK11SymKey* symKey , + CK_MECHANISM_TYPE cipherMech , + const xmlSecByte* iv , + xmlSecSize ivSize , + const xmlSecByte* in , + xmlSecSize inSize , + xmlSecByte* out , + xmlSecSize outSize , + int enc +) { + PK11Context* EncContext = NULL; + SECItem ivItem ; + SECItem* secParam = NULL ; + int tmp1_outlen; + unsigned int tmp2_outlen; + int result_len = -1; + SECStatus rv; + + xmlSecAssert2( cipherMech != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( symKey != NULL , -1 ) ; + xmlSecAssert2(iv != NULL, -1); + xmlSecAssert2(ivSize == XMLSEC_NSS_DES3_IV_LENGTH, -1); + xmlSecAssert2(in != NULL, -1); + xmlSecAssert2(inSize > 0, -1); + xmlSecAssert2(out != NULL, -1); + xmlSecAssert2(outSize >= inSize, -1); + + /* Prepare IV */ + ivItem.data = ( unsigned char* )iv ; + ivItem.len = ivSize ; + + secParam = PK11_ParamFromIV(cipherMech, &ivItem); + if (secParam == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_ParamFromIV", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + EncContext = PK11_CreateContextBySymKey(cipherMech, + enc ? CKA_ENCRYPT : CKA_DECRYPT, + symKey, secParam); + if (EncContext == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_CreateContextBySymKey", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + tmp1_outlen = tmp2_outlen = 0; + rv = PK11_CipherOp(EncContext, out, &tmp1_outlen, outSize, + (unsigned char *)in, inSize); + if (rv != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_CipherOp", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + rv = PK11_DigestFinal(EncContext, out+tmp1_outlen, + &tmp2_outlen, outSize-tmp1_outlen); + if (rv != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + result_len = tmp1_outlen + tmp2_outlen; + +done: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + if (EncContext) { + PK11_DestroyContext(EncContext, PR_TRUE); + } + + return(result_len); +} + +static int +xmlSecNssKeyWrapDesOp( + xmlSecNssKeyWrapCtxPtr ctx , + int encrypt , + xmlSecBufferPtr result +) { + xmlSecByte sha1[SHA1_LENGTH]; + xmlSecByte iv[XMLSEC_NSS_DES3_IV_LENGTH]; + xmlSecByte* in; + xmlSecSize inSize; + xmlSecByte* out; + xmlSecSize outSize; + xmlSecSize s; + int ret; + SECStatus status; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( result != NULL , -1 ) ; + + in = xmlSecBufferGetData(ctx->material); + inSize = xmlSecBufferGetSize(ctx->material) ; + out = xmlSecBufferGetData(result); + outSize = xmlSecBufferGetMaxSize(result) ; + if( encrypt ) { + /* step 2: calculate sha1 and CMS */ + if(xmlSecNssComputeSHA1(in, inSize, sha1, SHA1_LENGTH) == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssComputeSHA1", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* step 3: construct WKCKS */ + memcpy(out, in, inSize); + memcpy(out + inSize, sha1, XMLSEC_NSS_DES3_BLOCK_LENGTH); + + /* step 4: generate random iv */ + status = PK11_GenerateRandom(iv, XMLSEC_NSS_DES3_IV_LENGTH); + if(status != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_GenerateRandom", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + return(-1); + } + + /* step 5: first encryption, result is TEMP1 */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + iv, XMLSEC_NSS_DES3_IV_LENGTH, + out, inSize + XMLSEC_NSS_DES3_IV_LENGTH, + out, outSize, 1); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* step 6: construct TEMP2=IV || TEMP1 */ + memmove(out + XMLSEC_NSS_DES3_IV_LENGTH, out, + inSize + XMLSEC_NSS_DES3_IV_LENGTH); + memcpy(out, iv, XMLSEC_NSS_DES3_IV_LENGTH); + s = ret + XMLSEC_NSS_DES3_IV_LENGTH; + + /* step 7: reverse octets order, result is TEMP3 */ + ret = xmlSecNssKWDes3BufferReverse(out, s); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3BufferReverse", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* step 8: second encryption with static IV */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, + out, s, + out, outSize, 1); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + s = ret; + + if( xmlSecBufferSetSize( result , s ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecBufferSetSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else { + /* step 2: first decryption with static IV, result is TEMP3 */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, + in, inSize, + out, outSize, 0); + if((ret < 0) || (ret < XMLSEC_NSS_DES3_IV_LENGTH)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + s = ret; + + /* step 3: reverse octets order in TEMP3, result is TEMP2 */ + ret = xmlSecNssKWDes3BufferReverse(out, s); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3BufferReverse", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* steps 4 and 5: get IV and decrypt second time, result is WKCKS */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + out, XMLSEC_NSS_DES3_IV_LENGTH, + out+XMLSEC_NSS_DES3_IV_LENGTH, s-XMLSEC_NSS_DES3_IV_LENGTH, + out, outSize, 0); + if((ret < 0) || (ret < XMLSEC_NSS_DES3_BLOCK_LENGTH)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + s = ret - XMLSEC_NSS_DES3_IV_LENGTH; + + /* steps 6 and 7: calculate SHA1 and validate it */ + if(xmlSecNssComputeSHA1(out, s, sha1, SHA1_LENGTH) == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssComputeSHA1", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + if(memcmp(sha1, out + s, XMLSEC_NSS_DES3_BLOCK_LENGTH) != 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "SHA1 does not match"); + return(-1); + } + + if( xmlSecBufferSetSize( result , s ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecBufferSetSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } + + return(0); +} + +static int +xmlSecNssKeyWrapAesOp( + xmlSecNssKeyWrapCtxPtr ctx , + int encrypt , + xmlSecBufferPtr result +) { + PK11Context* cipherCtx = NULL; + SECItem ivItem ; + SECItem* secParam = NULL ; + xmlSecSize inSize ; + xmlSecSize inBlocks ; + int blockSize ; + int midSize ; + int finSize ; + xmlSecByte* out ; + xmlSecSize outSize; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( result != NULL , -1 ) ; + + /* Do not set any IV */ + memset(&ivItem, 0, sizeof(ivItem)); + + /* Get block size */ + if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_GetBlockSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + inSize = xmlSecBufferGetSize( ctx->material ) ; + if( xmlSecBufferSetMaxSize( result , inSize + blockSize ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferSetMaxSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* Get Param for context initialization */ + if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_ParamFromIV" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ; + if( cipherCtx == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_CreateContextBySymKey" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + SECITEM_FreeItem( secParam , PR_TRUE ) ; + return(-1); + } + + out = xmlSecBufferGetData(result) ; + outSize = xmlSecBufferGetMaxSize(result) ; + if( PK11_CipherOp( cipherCtx , out, &midSize , outSize , xmlSecBufferGetData( ctx->material ) , inSize ) != SECSuccess ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_CipherOp" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( PK11_DigestFinal( cipherCtx , out + midSize , &finSize , outSize - midSize ) != SECSuccess ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_DigestFinal" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferSetSize( result , midSize + finSize ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferSetSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + return 0 ; +} + +/** + * Block cipher transform final + */ +static int +xmlSecNssKeyWrapCtxFinal( + xmlSecNssKeyWrapCtxPtr ctx , + xmlSecBufferPtr in , + xmlSecBufferPtr out , + int encrypt , + xmlSecTransformCtxPtr transformCtx +) { + PK11SymKey* targetKey ; + xmlSecSize blockSize ; + xmlSecBufferPtr result ; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( in != NULL , -1 ) ; + xmlSecAssert2( out != NULL , -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + /* read raw key material and append into context */ + if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferAppend" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferRemoveHead" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* Now we get all of the key materail */ + /* from now on we will wrap or unwrap the key */ + if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_GetBlockSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + result = xmlSecBufferCreate( blockSize ) ; + if( result == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferCreate" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + switch( ctx->cipher ) { + case CKM_DES3_CBC : + if( xmlSecNssKeyWrapDesOp(ctx, encrypt, result) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssKeyWrapDesOp" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBufferDestroy(result); + return(-1); + } + break ; + /* case CKM_NETSCAPE_AES_KEY_WRAP :*/ + case CKM_AES_CBC : + if( xmlSecNssKeyWrapAesOp(ctx, encrypt, result) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssKeyWrapAesOp" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBufferDestroy(result); + return(-1); + } + break ; + } + + /* Write output */ + if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferAppend" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBufferDestroy(result); + return(-1); + } + xmlSecBufferDestroy(result); + + return(0); +} + +static int +xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) { + xmlSecNssKeyWrapCtxPtr context = NULL ; + xmlSecBufferPtr inBuf, outBuf ; + int operation ; + int rtv ; + + xmlSecAssert2( xmlSecNssKeyWrapCheckId( transform ), -1 ) ; + xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyWrapSize ), -1 ) ; + xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapGetCtx" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + inBuf = &( transform->inBuf ) ; + outBuf = &( transform->outBuf ) ; + + if( transform->status == xmlSecTransformStatusNone ) { + transform->status = xmlSecTransformStatusWorking ; + } + + operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ; + if( transform->status == xmlSecTransformStatusWorking ) { + if( context->material == NULL ) { + rtv = xmlSecNssKeyWrapCtxInit( context, inBuf , outBuf , operation , transformCtx ) ; + if( rtv < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapCtxInit" , + XMLSEC_ERRORS_R_INVALID_STATUS , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + } + + if( context->material == NULL && last != 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + NULL , + XMLSEC_ERRORS_R_INVALID_STATUS , + "No enough data to intialize transform" ) ; + return(-1); + } + + if( context->material != NULL ) { + rtv = xmlSecNssKeyWrapCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ; + if( rtv < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapCtxUpdate" , + XMLSEC_ERRORS_R_INVALID_STATUS , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + } + + if( last ) { + rtv = xmlSecNssKeyWrapCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ; + if( rtv < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapCtxFinal" , + XMLSEC_ERRORS_R_INVALID_STATUS , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + transform->status = xmlSecTransformStatusFinished ; + } + } else if( transform->status == xmlSecTransformStatusFinished ) { + if( xmlSecBufferGetSize( inBuf ) != 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + NULL , + XMLSEC_ERRORS_R_INVALID_STATUS , + "status=%d", transform->status ) ; + return(-1); + } + } else { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + NULL , + XMLSEC_ERRORS_R_INVALID_STATUS , + "status=%d", transform->status ) ; + return(-1); + } + + return(0); +} + +#ifndef XMLSEC_NO_AES + + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWAes128Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWAes128Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWAes128, /* const xmlChar* name; */ + xmlSecHrefKWAes128, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWAes192Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWAes192Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWAes192, /* const xmlChar* name; */ + xmlSecHrefKWAes192, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWAes256Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWAes256Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWAes256, /* const xmlChar* name; */ + xmlSecHrefKWAes256, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecNssTransformKWAes128GetKlass: + * + * The AES-128 key wrapper transform klass. + * + * Returns AES-128 key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWAes128GetKlass(void) { + return(&xmlSecNssKWAes128Klass); +} + +/** + * xmlSecNssTransformKWAes192GetKlass: + * + * The AES-192 key wrapper transform klass. + * + * Returns AES-192 key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWAes192GetKlass(void) { + return(&xmlSecNssKWAes192Klass); +} + +/** + * + * The AES-256 key wrapper transform klass. + * + * Returns AES-256 key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWAes256GetKlass(void) { + return(&xmlSecNssKWAes256Klass); +} + +#endif /* XMLSEC_NO_AES */ + + +#ifndef XMLSEC_NO_DES + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWDes3Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWDes3Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWDes3, /* const xmlChar* name; */ + xmlSecHrefKWDes3, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecNssTransformKWDes3GetKlass: + * + * The Triple DES key wrapper transform klass. + * + * Returns Triple DES key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWDes3GetKlass(void) { + return(&xmlSecNssKWDes3Klass); +} + +#endif /* XMLSEC_NO_DES */ + diff --git a/libxmlsec/src/tokens.c b/libxmlsec/src/tokens.c new file mode 100644 index 000000000000..8f2a4f890339 --- /dev/null +++ b/libxmlsec/src/tokens.c @@ -0,0 +1,548 @@ +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright.................................. + * + * Contributor(s): _____________________________ + * + */ + +/** + * In order to ensure that particular crypto operation is performed on + * particular crypto device, a subclass of xmlSecList is used to store slot and + * mechanism information. + * + * In the list, a slot is bound with a mechanism. If the mechanism is available, + * this mechanism only can perform on the slot; otherwise, it can perform on + * every eligibl slot in the list. + * + * When try to find a slot for a particular mechanism, the slot bound with + * avaliable mechanism will be looked up firstly. + */ +#include "globals.h" +#include <string.h> + +#include <xmlsec/xmlsec.h> +#include <xmlsec/errors.h> +#include <xmlsec/list.h> + +#include <xmlsec/nss/tokens.h> + +int +xmlSecNssKeySlotSetMechList( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE_PTR mechanismList +) { + int counter ; + + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( keySlot->mechanismList != CK_NULL_PTR ) { + xmlFree( keySlot->mechanismList ) ; + + for( counter = 0 ; *( mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; + keySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; + if( keySlot->mechanismList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + for( ; counter >= 0 ; counter -- ) + *( keySlot->mechanismList + counter ) = *( mechanismList + counter ) ; + } + + return( 0 ); +} + +int +xmlSecNssKeySlotEnableMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE mechanism +) { + int counter ; + CK_MECHANISM_TYPE_PTR newList ; + + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( mechanism != CKM_INVALID_MECHANISM ) { + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; + newList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; + if( newList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + *( newList + counter + 1 ) = CKM_INVALID_MECHANISM ; + *( newList + counter ) = mechanism ; + for( counter -= 1 ; counter >= 0 ; counter -- ) + *( newList + counter ) = *( keySlot->mechanismList + counter ) ; + + xmlFree( keySlot->mechanismList ) ; + keySlot->mechanismList = newList ; + } + + return(0); +} + +int +xmlSecNssKeySlotDisableMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE mechanism +) { + int counter ; + + xmlSecAssert2( keySlot != NULL , -1 ) ; + + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { + if( *( keySlot->mechanismList + counter ) == mechanism ) { + for( ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { + *( keySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter + 1 ) ; + } + + break ; + } + } + + return(0); +} + +CK_MECHANISM_TYPE_PTR +xmlSecNssKeySlotGetMechList( + xmlSecNssKeySlotPtr keySlot +) { + if( keySlot != NULL ) + return keySlot->mechanismList ; + else + return NULL ; +} + +int +xmlSecNssKeySlotSetSlot( + xmlSecNssKeySlotPtr keySlot , + PK11SlotInfo* slot +) { + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( slot != NULL && keySlot->slot != slot ) { + if( keySlot->slot != NULL ) + PK11_FreeSlot( keySlot->slot ) ; + + if( keySlot->mechanismList != NULL ) { + xmlFree( keySlot->mechanismList ) ; + keySlot->mechanismList = NULL ; + } + + keySlot->slot = PK11_ReferenceSlot( slot ) ; + } + + return(0); +} + +int +xmlSecNssKeySlotInitialize( + xmlSecNssKeySlotPtr keySlot , + PK11SlotInfo* slot +) { + xmlSecAssert2( keySlot != NULL , -1 ) ; + xmlSecAssert2( keySlot->slot == NULL , -1 ) ; + xmlSecAssert2( keySlot->mechanismList == NULL , -1 ) ; + + if( slot != NULL ) { + keySlot->slot = PK11_ReferenceSlot( slot ) ; + } + + return(0); +} + +void +xmlSecNssKeySlotFinalize( + xmlSecNssKeySlotPtr keySlot +) { + xmlSecAssert( keySlot != NULL ) ; + + if( keySlot->mechanismList != NULL ) { + xmlFree( keySlot->mechanismList ) ; + keySlot->mechanismList = NULL ; + } + + if( keySlot->slot != NULL ) { + PK11_FreeSlot( keySlot->slot ) ; + keySlot->slot = NULL ; + } + +} + +PK11SlotInfo* +xmlSecNssKeySlotGetSlot( + xmlSecNssKeySlotPtr keySlot +) { + if( keySlot != NULL ) + return keySlot->slot ; + else + return NULL ; +} + +xmlSecNssKeySlotPtr +xmlSecNssKeySlotCreate() { + xmlSecNssKeySlotPtr keySlot ; + + /* Allocates a new xmlSecNssKeySlot and fill the fields */ + keySlot = ( xmlSecNssKeySlotPtr )xmlMalloc( sizeof( xmlSecNssKeySlot ) ) ; + if( keySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( NULL ); + } + memset( keySlot, 0, sizeof( xmlSecNssKeySlot ) ) ; + + return( keySlot ) ; +} + +int +xmlSecNssKeySlotCopy( + xmlSecNssKeySlotPtr newKeySlot , + xmlSecNssKeySlotPtr keySlot +) { + CK_MECHANISM_TYPE_PTR mech ; + int counter ; + + xmlSecAssert2( newKeySlot != NULL , -1 ) ; + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( keySlot->slot != NULL && newKeySlot->slot != keySlot->slot ) { + if( newKeySlot->slot != NULL ) + PK11_FreeSlot( newKeySlot->slot ) ; + + newKeySlot->slot = PK11_ReferenceSlot( keySlot->slot ) ; + } + + if( keySlot->mechanismList != CK_NULL_PTR ) { + xmlFree( newKeySlot->mechanismList ) ; + + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; + newKeySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; + if( newKeySlot->mechanismList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + for( ; counter >= 0 ; counter -- ) + *( newKeySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter ) ; + } + + return( 0 ); +} + +xmlSecNssKeySlotPtr +xmlSecNssKeySlotDuplicate( + xmlSecNssKeySlotPtr keySlot +) { + xmlSecNssKeySlotPtr newKeySlot ; + int ret ; + + xmlSecAssert2( keySlot != NULL , NULL ) ; + + newKeySlot = xmlSecNssKeySlotCreate() ; + if( newKeySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( NULL ); + } + + if( xmlSecNssKeySlotCopy( newKeySlot, keySlot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( NULL ); + } + + return( newKeySlot ); +} + +void +xmlSecNssKeySlotDestroy( + xmlSecNssKeySlotPtr keySlot +) { + xmlSecAssert( keySlot != NULL ) ; + + if( keySlot->mechanismList != NULL ) + xmlFree( keySlot->mechanismList ) ; + + if( keySlot->slot != NULL ) + PK11_FreeSlot( keySlot->slot ) ; + + xmlFree( keySlot ) ; +} + +int +xmlSecNssKeySlotBindMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE type +) { + int counter ; + + xmlSecAssert2( keySlot != NULL , 0 ) ; + xmlSecAssert2( keySlot->slot != NULL , 0 ) ; + xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ; + + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { + if( *( keySlot->mechanismList + counter ) == type ) + return(1) ; + } + + return( 0 ) ; +} + +int +xmlSecNssKeySlotSupportMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE type +) { + xmlSecAssert2( keySlot != NULL , 0 ) ; + xmlSecAssert2( keySlot->slot != NULL , 0 ) ; + xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ; + + if( PK11_DoesMechanism( keySlot->slot , type ) == PR_TRUE ) { + return(1); + } else + return(0); +} + +void +xmlSecNssKeySlotDebugDump( + xmlSecNssKeySlotPtr keySlot , + FILE* output +) { + xmlSecAssert( keySlot != NULL ) ; + xmlSecAssert( output != NULL ) ; + + fprintf( output, "== KEY SLOT\n" ); +} + +void +xmlSecNssKeySlotDebugXmlDump( + xmlSecNssKeySlotPtr keySlot , + FILE* output +) { +} + +/** + * Key Slot List + */ +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = { +#else +static xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = { +#endif + BAD_CAST "mechanism-list", + (xmlSecPtrDuplicateItemMethod)xmlSecNssKeySlotDuplicate, + (xmlSecPtrDestroyItemMethod)xmlSecNssKeySlotDestroy, + (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugDump, + (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugXmlDump, +}; + +xmlSecPtrListId +xmlSecNssKeySlotListGetKlass(void) { + return(&xmlSecNssKeySlotPtrListKlass); +} + + +/*- + * Global PKCS#11 crypto token repository -- Key slot list + */ +static xmlSecPtrListPtr _xmlSecNssKeySlotList = NULL ; + +PK11SlotInfo* +xmlSecNssSlotGet( + CK_MECHANISM_TYPE type +) { + PK11SlotInfo* slot = NULL ; + xmlSecNssKeySlotPtr keySlot ; + xmlSecSize ksSize ; + xmlSecSize ksPos ; + char flag ; + + if( _xmlSecNssKeySlotList == NULL ) { + slot = PK11_GetBestSlot( type , NULL ) ; + } else { + ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ; + + /*- + * Firstly, checking whether the mechanism is bound with a special slot. + * If no bound slot, we try to find the first eligible slot in the list. + */ + for( flag = 0, ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) { + keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ; + if( keySlot != NULL && xmlSecNssKeySlotBindMech( keySlot, type ) ) { + slot = xmlSecNssKeySlotGetSlot( keySlot ) ; + flag = 2 ; + } else if( flag == 0 && xmlSecNssKeySlotSupportMech( keySlot, type ) ) { + slot = xmlSecNssKeySlotGetSlot( keySlot ) ; + flag = 1 ; + } + + if( flag == 2 ) + break ; + } + if( slot != NULL ) + slot = PK11_ReferenceSlot( slot ) ; + } + + if( slot != NULL && PK11_NeedLogin( slot ) ) { + if( PK11_Authenticate( slot , PR_TRUE , NULL ) != SECSuccess ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + PK11_FreeSlot( slot ) ; + return( NULL ); + } + } + + return slot ; +} + +int +xmlSecNssSlotInitialize( + void +) { + if( _xmlSecNssKeySlotList != NULL ) { + xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ; + _xmlSecNssKeySlotList = NULL ; + } + + _xmlSecNssKeySlotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ; + if( _xmlSecNssKeySlotList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + + return(0); +} + +void +xmlSecNssSlotShutdown( + void +) { + if( _xmlSecNssKeySlotList != NULL ) { + xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ; + _xmlSecNssKeySlotList = NULL ; + } +} + +int +xmlSecNssSlotAdopt( + PK11SlotInfo* slot, + CK_MECHANISM_TYPE type +) { + xmlSecNssKeySlotPtr keySlot ; + xmlSecSize ksSize ; + xmlSecSize ksPos ; + char flag ; + + xmlSecAssert2( _xmlSecNssKeySlotList != NULL, -1 ) ; + xmlSecAssert2( slot != NULL, -1 ) ; + + ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ; + + /*- + * Firstly, checking whether the slot is in the repository already. + */ + flag = 0 ; + for( ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) { + keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ; + /* If find the slot in the list */ + if( keySlot != NULL && xmlSecNssKeySlotGetSlot( keySlot ) == slot ) { + /* If mechnism type is valid, bind the slot with the mechanism */ + if( type != CKM_INVALID_MECHANISM ) { + if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + } + + flag = 1 ; + } + } + + /* If the slot do not in the list, add a new item to the list */ + if( flag == 0 ) { + /* Create a new KeySlot */ + keySlot = xmlSecNssKeySlotCreate() ; + if( keySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* Initialize the keySlot with a slot */ + if( xmlSecNssKeySlotInitialize( keySlot, slot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return(-1); + } + + /* If mechnism type is valid, bind the slot with the mechanism */ + if( type != CKM_INVALID_MECHANISM ) { + if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return(-1); + } + } + + /* Add keySlot into the list */ + if( xmlSecPtrListAdd( _xmlSecNssKeySlotList, keySlot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return(-1); + } + } + + return(0); +} + |