--- misc/xmlsec1-1.2.12/include/xmlsec/mscrypto/Makefile.am 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/mscrypto/Makefile.am 2009-09-21 14:02:48.563253008 +0200 @@ -3,6 +3,7 @@ xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto xmlsecmscryptoinc_HEADERS = \ +akmngr.h \ app.h \ certkeys.h \ crypto.h \ --- misc/xmlsec1-1.2.12/include/xmlsec/mscrypto/Makefile.in 2009-06-25 22:53:30.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/mscrypto/Makefile.in 2009-09-21 14:02:48.571021349 +0200 @@ -308,6 +308,7 @@ NULL = xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto xmlsecmscryptoinc_HEADERS = \ +akmngr.h \ app.h \ certkeys.h \ crypto.h \ --- misc/xmlsec1-1.2.12/include/xmlsec/mscrypto/akmngr.h 2009-09-21 14:07:19.052318336 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/mscrypto/akmngr.h 2009-09-21 14:02:48.504966762 +0200 @@ -1 +1,71 @@ -dummy +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright .......................... + */ +#ifndef __XMLSEC_MSCRYPTO_AKMNGR_H__ +#define __XMLSEC_MSCRYPTO_AKMNGR_H__ + +#include +#include + +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr +xmlSecMSCryptoAppliedKeysMngrCreate( + HCERTSTORE keyStore , + HCERTSTORE certStore +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecMSCryptoAppliedKeysMngrSymKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY symKey +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecMSCryptoAppliedKeysMngrPubKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY pubKey +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecMSCryptoAppliedKeysMngrPriKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY priKey +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE keyStore +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE trustedStore +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE untrustedStore +) ; + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* __XMLSEC_MSCRYPTO_AKMNGR_H__ */ + + --- misc/xmlsec1-1.2.12/include/xmlsec/nss/Makefile.am 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/nss/Makefile.am 2009-09-21 14:02:48.577933031 +0200 @@ -10,6 +10,9 @@ keysstore.h \ pkikeys.h \ x509.h \ +akmngr.h \ +tokens.h \ +ciphers.h \ $(NULL) install-exec-hook: --- misc/xmlsec1-1.2.12/include/xmlsec/nss/Makefile.in 2009-06-25 22:53:31.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/nss/Makefile.in 2009-09-21 14:02:48.585376325 +0200 @@ -315,6 +315,9 @@ keysstore.h \ pkikeys.h \ x509.h \ +akmngr.h \ +tokens.h \ +ciphers.h \ $(NULL) all: all-am --- misc/xmlsec1-1.2.12/include/xmlsec/nss/akmngr.h 2009-09-21 14:07:19.105517659 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/nss/akmngr.h 2009-09-21 14:02:48.510978278 +0200 @@ -1 +1,56 @@ -dummy +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright .......................... + */ +#ifndef __XMLSEC_NSS_AKMNGR_H__ +#define __XMLSEC_NSS_AKMNGR_H__ + +#include +#include +#include +#include + +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr +xmlSecNssAppliedKeysMngrCreate( + PK11SlotInfo** slots, + int cSlots, + CERTCertDBHandle* handler +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssAppliedKeysMngrSymKeyLoad( + xmlSecKeysMngrPtr mngr , + PK11SymKey* symKey +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssAppliedKeysMngrPubKeyLoad( + xmlSecKeysMngrPtr mngr , + SECKEYPublicKey* pubKey +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssAppliedKeysMngrPriKeyLoad( + xmlSecKeysMngrPtr mngr , + SECKEYPrivateKey* priKey +) ; + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* __XMLSEC_NSS_AKMNGR_H__ */ + + --- misc/xmlsec1-1.2.12/include/xmlsec/nss/app.h 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/nss/app.h 2009-09-21 14:02:48.612847068 +0200 @@ -22,6 +22,9 @@ #include #include +#include +#include + /** * Init/shutdown */ @@ -36,6 +39,8 @@ xmlSecKeyPtr key); XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrLoad (xmlSecKeysMngrPtr mngr, const char* uri); +XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrAdoptKeySlot(xmlSecKeysMngrPtr mngr, + xmlSecNssKeySlotPtr keySlot); XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrSave (xmlSecKeysMngrPtr mngr, const char* filename, xmlSecKeyDataType type); --- misc/xmlsec1-1.2.12/include/xmlsec/nss/ciphers.h 2009-09-21 14:07:19.146496548 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/nss/ciphers.h 2009-09-21 14:02:48.516689712 +0200 @@ -1 +1,35 @@ -dummy +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright .......................... + */ +#ifndef __XMLSEC_NSS_CIPHERS_H__ +#define __XMLSEC_NSS_CIPHERS_H__ + +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +#include +#include +#include + + +XMLSEC_CRYPTO_EXPORT int xmlSecNssSymKeyDataAdoptKey( xmlSecKeyDataPtr data, + PK11SymKey* symkey ) ; + +XMLSEC_CRYPTO_EXPORT xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( PK11SymKey* symKey ) ; + +XMLSEC_CRYPTO_EXPORT PK11SymKey* xmlSecNssSymKeyDataGetKey(xmlSecKeyDataPtr data); + + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* __XMLSEC_NSS_CIPHERS_H__ */ + + --- misc/xmlsec1-1.2.12/include/xmlsec/nss/keysstore.h 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/nss/keysstore.h 2009-09-21 14:02:48.626261748 +0200 @@ -16,6 +16,8 @@ #endif /* __cplusplus */ #include +#include +#include /**************************************************************************** * @@ -31,6 +33,8 @@ XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId xmlSecNssKeysStoreGetKlass (void); XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreAdoptKey (xmlSecKeyStorePtr store, xmlSecKeyPtr key); +XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreAdoptKeySlot(xmlSecKeyStorePtr store, + xmlSecNssKeySlotPtr keySlot); XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreLoad (xmlSecKeyStorePtr store, const char *uri, xmlSecKeysMngrPtr keysMngr); --- misc/xmlsec1-1.2.12/include/xmlsec/nss/tokens.h 2009-09-21 14:07:19.172421448 +0200 +++ misc/build/xmlsec1-1.2.12/include/xmlsec/nss/tokens.h 2009-09-21 14:02:48.522913605 +0200 @@ -1 +1,182 @@ -dummy +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved. + * + * Contributor(s): _____________________________ + * + */ +#ifndef __XMLSEC_NSS_TOKENS_H__ +#define __XMLSEC_NSS_TOKENS_H__ + +#include + +#include +#include + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +/** + * xmlSecNssKeySlotListId + * + * The crypto mechanism list klass + */ +#define xmlSecNssKeySlotListId xmlSecNssKeySlotListGetKlass() +XMLSEC_CRYPTO_EXPORT xmlSecPtrListId xmlSecNssKeySlotListGetKlass( void ) ; + +/******************************************* + * KeySlot interfaces + *******************************************/ +/** + * Internal NSS key slot data + * @mechanismList: the mechanisms that the slot bound with. + * @slot: the pkcs slot + * + * This context is located after xmlSecPtrList + */ +typedef struct _xmlSecNssKeySlot xmlSecNssKeySlot ; +typedef struct _xmlSecNssKeySlot* xmlSecNssKeySlotPtr ; + +struct _xmlSecNssKeySlot { + CK_MECHANISM_TYPE_PTR mechanismList ; /* mech. array, NULL ternimated */ + PK11SlotInfo* slot ; +} ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotSetMechList( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE_PTR mechanismList +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotEnableMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE mechanism +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotDisableMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE mechanism +) ; + +XMLSEC_CRYPTO_EXPORT CK_MECHANISM_TYPE_PTR +xmlSecNssKeySlotGetMechList( + xmlSecNssKeySlotPtr keySlot +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotSetSlot( + xmlSecNssKeySlotPtr keySlot , + PK11SlotInfo* slot +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotInitialize( + xmlSecNssKeySlotPtr keySlot , + PK11SlotInfo* slot +) ; + +XMLSEC_CRYPTO_EXPORT void +xmlSecNssKeySlotFinalize( + xmlSecNssKeySlotPtr keySlot +) ; + +XMLSEC_CRYPTO_EXPORT PK11SlotInfo* +xmlSecNssKeySlotGetSlot( + xmlSecNssKeySlotPtr keySlot +) ; + +XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr +xmlSecNssKeySlotCreate() ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotCopy( + xmlSecNssKeySlotPtr newKeySlot , + xmlSecNssKeySlotPtr keySlot +) ; + +XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr +xmlSecNssKeySlotDuplicate( + xmlSecNssKeySlotPtr keySlot +) ; + +XMLSEC_CRYPTO_EXPORT void +xmlSecNssKeySlotDestroy( + xmlSecNssKeySlotPtr keySlot +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotBindMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE type +) ; + +XMLSEC_CRYPTO_EXPORT int +xmlSecNssKeySlotSupportMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE type +) ; + + +/************************************************************************ + * PKCS#11 crypto token interfaces + * + * A PKCS#11 slot repository will be defined internally. From the + * repository, a user can specify a particular slot for a certain crypto + * mechanism. + * + * In some situation, some cryptographic operation should act in a user + * designated devices. The interfaces defined here provide the way. If + * the user do not initialize the repository distinctly, the interfaces + * use the default functions provided by NSS itself. + * + ************************************************************************/ +/** + * Initialize NSS pkcs#11 slot repository + * + * Returns 0 if success or -1 if an error occurs. + */ +XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotInitialize( void ) ; + +/** + * Shutdown and destroy NSS pkcs#11 slot repository + */ +XMLSEC_CRYPTO_EXPORT void xmlSecNssSlotShutdown() ; + +/** + * Get PKCS#11 slot handler + * @type the mechanism that the slot must support. + * + * Returns a pointer to PKCS#11 slot or NULL if an error occurs. + * + * Notes: The returned handler must be destroied distinctly. + */ +XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecNssSlotGet( CK_MECHANISM_TYPE type ) ; + +/** + * Adopt a pkcs#11 slot with a mechanism into the repository + * @slot: the pkcs#11 slot. + * @mech: the mechanism. + * + * If @mech is available( @mech != CKM_INVALID_MECHANISM ), every operation with + * this mechanism only can perform on the @slot. + * + * Returns 0 if success or -1 if an error occurs. + */ +XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotAdopt( PK11SlotInfo* slot, CK_MECHANISM_TYPE mech ) ; + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* __XMLSEC_NSS_TOKENS_H__ */ + --- misc/xmlsec1-1.2.12/src/mscrypto/akmngr.c 2009-09-21 14:07:19.078910929 +0200 +++ misc/build/xmlsec1-1.2.12/src/mscrypto/akmngr.c 2009-09-21 14:02:48.531281225 +0200 @@ -1 +1,235 @@ -dummy +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright......................... + */ +#include "globals.h" + +#include +#include +#include +#include + +#include +#include +#include +#include + +/** + * xmlSecMSCryptoAppliedKeysMngrCreate: + * @hKeyStore: the pointer to key store. + * @hCertStore: the pointer to certificate database. + * + * Create and load key store and certificate database into keys manager + * + * Returns keys manager pointer on success or NULL otherwise. + */ +xmlSecKeysMngrPtr +xmlSecMSCryptoAppliedKeysMngrCreate( + HCERTSTORE hKeyStore , + HCERTSTORE hCertStore +) { + xmlSecKeyDataStorePtr certStore = NULL ; + xmlSecKeysMngrPtr keyMngr = NULL ; + xmlSecKeyStorePtr keyStore = NULL ; + + keyStore = xmlSecKeyStoreCreate( xmlSecMSCryptoKeysStoreId ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeyStoreCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return NULL ; + } + + /*- + * At present, MS Crypto engine do not provide a way to setup a key store. + */ + if( keyStore != NULL ) { + /*TODO: binding key store.*/ + } + + keyMngr = xmlSecKeysMngrCreate() ; + if( keyMngr == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + return NULL ; + } + + /*- + * Add key store to manager, from now on keys manager destroys the store if + * needed + */ + if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecKeysMngrAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Initialize crypto library specific data in keys manager + */ + if( xmlSecMSCryptoKeysMngrInit( keyMngr ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecMSCryptoKeysMngrInit" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Set certificate databse to X509 key data store + */ + /*- + * At present, MS Crypto engine do not provide a way to setup a cert store. + */ + + /*- + * Set the getKey callback + */ + keyMngr->getKey = xmlSecKeysMngrGetKey ; + + return keyMngr ; +} + +int +xmlSecMSCryptoAppliedKeysMngrSymKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY symKey +) { + /*TODO: import the key into keys manager.*/ + return(0) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrPubKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY pubKey +) { + /*TODO: import the key into keys manager.*/ + return(0) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrPriKeyLoad( + xmlSecKeysMngrPtr mngr , + HCRYPTKEY priKey +) { + /*TODO: import the key into keys manager.*/ + return(0) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE keyStore +) { + xmlSecKeyDataStorePtr x509Store ; + + xmlSecAssert2( mngr != NULL, -1 ) ; + xmlSecAssert2( keyStore != NULL, -1 ) ; + + x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; + if( x509Store == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + if( xmlSecMSCryptoX509StoreAdoptKeyStore( x509Store, keyStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , + "xmlSecMSCryptoX509StoreAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + return( 0 ) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE trustedStore +) { + xmlSecKeyDataStorePtr x509Store ; + + xmlSecAssert2( mngr != NULL, -1 ) ; + xmlSecAssert2( trustedStore != NULL, -1 ) ; + + x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; + if( x509Store == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + if( xmlSecMSCryptoX509StoreAdoptTrustedStore( x509Store, trustedStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , + "xmlSecMSCryptoX509StoreAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + return( 0 ) ; +} + +int +xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore ( + xmlSecKeysMngrPtr mngr , + HCERTSTORE untrustedStore +) { + xmlSecKeyDataStorePtr x509Store ; + + xmlSecAssert2( mngr != NULL, -1 ) ; + xmlSecAssert2( untrustedStore != NULL, -1 ) ; + + x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; + if( x509Store == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + if( xmlSecMSCryptoX509StoreAdoptUntrustedStore( x509Store, untrustedStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , + "xmlSecMSCryptoX509StoreAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ) ; + } + + return( 0 ) ; +} + --- misc/xmlsec1-1.2.12/src/nss/Makefile.am 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/Makefile.am 2009-09-21 14:02:48.591560472 +0200 @@ -35,6 +35,9 @@ kw_des.c \ kw_aes.c \ globals.h \ + akmngr.c \ + keywrapers.c \ + tokens.c \ $(NULL) if SHAREDLIB_HACK --- misc/xmlsec1-1.2.12/src/nss/Makefile.in 2009-06-25 22:53:33.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/Makefile.in 2009-09-21 14:02:48.599339718 +0200 @@ -61,7 +61,8 @@ am__libxmlsec1_nss_la_SOURCES_DIST = app.c bignum.c ciphers.c crypto.c \ digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \ x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \ - ../strings.c + ../strings.c \ + akmngr.c keywrapers.c tokens.c am__objects_1 = @SHAREDLIB_HACK_TRUE@am__objects_2 = libxmlsec1_nss_la-strings.lo am_libxmlsec1_nss_la_OBJECTS = libxmlsec1_nss_la-app.lo \ @@ -72,6 +73,8 @@ libxmlsec1_nss_la-x509.lo libxmlsec1_nss_la-x509vfy.lo \ libxmlsec1_nss_la-keysstore.lo libxmlsec1_nss_la-keytrans.lo \ libxmlsec1_nss_la-kw_des.lo libxmlsec1_nss_la-kw_aes.lo \ + libxmlsec1_nss_la-akmngr.lo libxmlsec1_nss_la-keywrapers.lo \ + libxmlsec1_nss_la-tokens.lo \ $(am__objects_1) $(am__objects_2) libxmlsec1_nss_la_OBJECTS = $(am_libxmlsec1_nss_la_OBJECTS) DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir) @@ -357,6 +360,7 @@ libxmlsec1_nss_la_SOURCES = app.c bignum.c ciphers.c crypto.c \ digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \ x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \ + akmngr.c keywrapers.c tokens.c \ $(NULL) $(am__append_1) libxmlsec1_nss_la_LIBADD = \ ../libxmlsec1.la \ @@ -458,6 +462,9 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-symkeys.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509vfy.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ @@ -487,6 +494,27 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-app.lo `test -f 'app.c' || echo '$(srcdir)/'`app.c +libxmlsec1_nss_la-akmngr.lo: akmngr.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-akmngr.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='akmngr.c' object='libxmlsec1_nss_la-akmngr.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c + +libxmlsec1_nss_la-keywrapers.lo: keywrapers.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-keywrapers.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keywrapers.c' object='libxmlsec1_nss_la-keywrapers.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c + +libxmlsec1_nss_la-tokens.lo: tokens.c +@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-tokens.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tokens.c' object='libxmlsec1_nss_la-tokens.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c + libxmlsec1_nss_la-bignum.lo: bignum.c @am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-bignum.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo" -c -o libxmlsec1_nss_la-bignum.lo `test -f 'bignum.c' || echo '$(srcdir)/'`bignum.c; \ @am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-bignum.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo"; exit 1; fi --- misc/xmlsec1-1.2.12/src/nss/akmngr.c 2009-09-21 14:07:19.197249962 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/akmngr.c 2009-09-21 14:02:48.539616129 +0200 @@ -1 +1,384 @@ -dummy +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright......................... + */ +#include "globals.h" + +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +/** + * xmlSecNssAppliedKeysMngrCreate: + * @slot: array of pointers to NSS PKCS#11 slot infomation. + * @cSlots: number of slots in the array + * @handler: the pointer to NSS certificate database. + * + * Create and load NSS crypto slot and certificate database into keys manager + * + * Returns keys manager pointer on success or NULL otherwise. + */ +xmlSecKeysMngrPtr +xmlSecNssAppliedKeysMngrCreate( + PK11SlotInfo** slots, + int cSlots, + CERTCertDBHandle* handler +) { + xmlSecKeyDataStorePtr certStore = NULL ; + xmlSecKeysMngrPtr keyMngr = NULL ; + xmlSecKeyStorePtr keyStore = NULL ; + int islot = 0; + keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeyStoreCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return NULL ; + } + + for (islot = 0; islot < cSlots; islot++) + { + xmlSecNssKeySlotPtr keySlot ; + + /* Create a key slot */ + keySlot = xmlSecNssKeySlotCreate() ; + if( keySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeySlotCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + return NULL ; + } + + /* Set slot */ + if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeySlotSetSlot" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return NULL ; + } + + /* Adopt keySlot */ + if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeysStoreAdoptKeySlot" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return NULL ; + } + } + + keyMngr = xmlSecKeysMngrCreate() ; + if( keyMngr == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + return NULL ; + } + + /*- + * Add key store to manager, from now on keys manager destroys the store if + * needed + */ + if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecKeysMngrAdoptKeyStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyStoreDestroy( keyStore ) ; + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Initialize crypto library specific data in keys manager + */ + if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + /*- + * Set certificate databse to X509 key data store + */ + /** + * Because Tej's implementation of certDB use the default DB, so I ignore + * the certDB handler at present. I'll modify the cert store sources to + * accept particular certDB instead of default ones. + certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ; + if( certStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecKeysMngrGetDataStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + + if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , + "xmlSecNssKeyDataStoreX509SetCertDb" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeysMngrDestroy( keyMngr ) ; + return NULL ; + } + */ + + /*- + * Set the getKey callback + */ + keyMngr->getKey = xmlSecKeysMngrGetKey ; + + return keyMngr ; +} + +int +xmlSecNssAppliedKeysMngrSymKeyLoad( + xmlSecKeysMngrPtr mngr , + PK11SymKey* symKey +) { + xmlSecKeyPtr key ; + xmlSecKeyDataPtr data ; + xmlSecKeyStorePtr keyStore ; + + xmlSecAssert2( mngr != NULL , -1 ) ; + xmlSecAssert2( symKey != NULL , -1 ) ; + + keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetKeysStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; + + data = xmlSecNssSymKeyDataKeyAdopt( symKey ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + + key = xmlSecKeyCreate() ; + if( key == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecKeySetValue( key , data ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDestroy( key ) ; + return(-1) ; + } + + return(0) ; +} + +int +xmlSecNssAppliedKeysMngrPubKeyLoad( + xmlSecKeysMngrPtr mngr , + SECKEYPublicKey* pubKey +) { + xmlSecKeyPtr key ; + xmlSecKeyDataPtr data ; + xmlSecKeyStorePtr keyStore ; + + xmlSecAssert2( mngr != NULL , -1 ) ; + xmlSecAssert2( pubKey != NULL , -1 ) ; + + keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetKeysStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; + + data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssPKIAdoptKey" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + + key = xmlSecKeyCreate() ; + if( key == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecKeySetValue( key , data ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDestroy( key ) ; + return(-1) ; + } + + return(0) ; +} + +int +xmlSecNssAppliedKeysMngrPriKeyLoad( + xmlSecKeysMngrPtr mngr , + SECKEYPrivateKey* priKey +) { + xmlSecKeyPtr key ; + xmlSecKeyDataPtr data ; + xmlSecKeyStorePtr keyStore ; + + xmlSecAssert2( mngr != NULL , -1 ) ; + xmlSecAssert2( priKey != NULL , -1 ) ; + + keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; + if( keyStore == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeysMngrGetKeysStore" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; + + data = xmlSecNssPKIAdoptKey( priKey, NULL ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssPKIAdoptKey" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + + key = xmlSecKeyCreate() ; + if( key == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecKeySetValue( key , data ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataKeyAdopt" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDestroy( key ) ; + return(-1) ; + } + + return(0) ; +} + --- misc/xmlsec1-1.2.12/src/nss/hmac.c 2009-06-26 06:18:13.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/hmac.c 2009-09-21 14:02:48.649065288 +0200 @@ -23,8 +23,8 @@ #include #include -#include #include +#include #define XMLSEC_NSS_MIN_HMAC_SIZE 40 #define XMLSEC_NSS_MAX_HMAC_SIZE 128 @@ -284,13 +284,13 @@ keyItem.data = xmlSecBufferGetData(buffer); keyItem.len = xmlSecBufferGetSize(buffer); - slot = PK11_GetBestSlot(ctx->digestType, NULL); + slot = xmlSecNssSlotGet(ctx->digestType); if(slot == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "PK11_GetBestSlot", + "xmlSecNssSlotGet", XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); return(-1); } --- misc/xmlsec1-1.2.12/src/nss/keysstore.c 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/keysstore.c 2009-09-21 14:02:48.633533885 +0200 @@ -1,36 +1,56 @@ /** * XMLSec library * - * Nss keys store that uses Simple Keys Store under the hood. Uses the - * Nss DB as a backing store for the finding keys, but the NSS DB is - * not written to by the keys store. - * So, if store->findkey is done and the key is not found in the simple - * keys store, the NSS DB is looked up. - * If store is called to adopt a key, that key is not written to the NSS - * DB. - * Thus, the NSS DB can be used to pre-load keys and becomes an alternate - * source of keys for xmlsec - * * This is free software; see Copyright file in the source * distribution for precise wording. * * Copyright (c) 2003 America Online, Inc. All rights reserved. */ + +/** + * NSS key store uses a key list and a slot list as the key repository. NSS slot + * list is a backup repository for the finding keys. If a key is not found from + * the key list, the NSS slot list is looked up. + * + * Any key in the key list will not save to pkcs11 slot. When a store to called + * to adopt a key, the key is resident in the key list; While a store to called + * to set a is resident in the key list; While a store to called to set a slot + * list, which means that the keys in the listed slot can be used for xml sign- + * nature or encryption. + * + * Then, a user can adjust slot list to effect the crypto behaviors of xmlSec. + * + * The framework will decrease the user interfaces to administrate xmlSec crypto + * engine. He can only focus on NSS layer functions. For examples, after the + * user set up a slot list handler to the keys store, he do not need to do any + * other work atop xmlSec interfaces, his action on the slot list handler, such + * as add a token to, delete a token from the list, will directly effect the key + * store behaviors. + * + * For example, a scenariio: + * 0. Create a slot list;( NSS interfaces ) + * 1. Create a keys store;( xmlSec interfaces ) + * 2. Set slot list with the keys store;( xmlSec Interfaces ) + * 3. Add a slot to the slot list;( NSS interfaces ) + * 4. Perform xml signature; ( xmlSec Interfaces ) + * 5. Deleter a slot from the slot list;( NSS interfaces ) + * 6. Perform xml encryption; ( xmlSec Interfaces ) + * 7. Perform xml signature;( xmlSec Interfaces ) + * 8. Destroy the keys store;( xmlSec Interfaces ) + * 8. Destroy the slot list.( NSS Interfaces ) + */ #include "globals.h" #include #include #include -#include #include +#include #include -#include - #include -#include -#include +#include #include #include @@ -38,82 +58,464 @@ #include #include -#include +#include +#include #include /**************************************************************************** * - * Nss Keys Store. Uses Simple Keys Store under the hood + * Internal NSS key store context * - * Simple Keys Store ptr is located after xmlSecKeyStore + * This context is located after xmlSecKeyStore * ***************************************************************************/ +typedef struct _xmlSecNssKeysStoreCtx xmlSecNssKeysStoreCtx ; +typedef struct _xmlSecNssKeysStoreCtx* xmlSecNssKeysStoreCtxPtr ; + +struct _xmlSecNssKeysStoreCtx { + xmlSecPtrListPtr keyList ; + xmlSecPtrListPtr slotList ; +} ; + #define xmlSecNssKeysStoreSize \ - (sizeof(xmlSecKeyStore) + sizeof(xmlSecKeyStorePtr)) + ( sizeof( xmlSecKeyStore ) + sizeof( xmlSecNssKeysStoreCtx ) ) -#define xmlSecNssKeysStoreGetSS(store) \ - ((xmlSecKeyStoreCheckSize((store), xmlSecNssKeysStoreSize)) ? \ - (xmlSecKeyStorePtr*)(((xmlSecByte*)(store)) + sizeof(xmlSecKeyStore)) : \ - (xmlSecKeyStorePtr*)NULL) - -static int xmlSecNssKeysStoreInitialize (xmlSecKeyStorePtr store); -static void xmlSecNssKeysStoreFinalize (xmlSecKeyStorePtr store); -static xmlSecKeyPtr xmlSecNssKeysStoreFindKey (xmlSecKeyStorePtr store, - const xmlChar* name, - xmlSecKeyInfoCtxPtr keyInfoCtx); +#define xmlSecNssKeysStoreGetCtx( data ) \ + ( ( xmlSecNssKeysStoreCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyStore ) ) ) -static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = { - sizeof(xmlSecKeyStoreKlass), - xmlSecNssKeysStoreSize, +int xmlSecNssKeysStoreAdoptKeySlot( + xmlSecKeyStorePtr store , + xmlSecNssKeySlotPtr keySlot +) { + xmlSecNssKeysStoreCtxPtr context = NULL ; + + xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ; + xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ; + context = xmlSecNssKeysStoreGetCtx( store ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecNssKeysStoreGetCtx" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + + if( context->slotList == NULL ) { + if( ( context->slotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecPtrListCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + } + + if( !xmlSecPtrListCheckId( context->slotList , xmlSecNssKeySlotListId ) ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecPtrListCheckId" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + + if( xmlSecPtrListAdd( context->slotList , keySlot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecPtrListAdd" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } - /* data */ - BAD_CAST "NSS-keys-store", /* const xmlChar* name; */ - - /* constructors/destructor */ - xmlSecNssKeysStoreInitialize, /* xmlSecKeyStoreInitializeMethod initialize; */ - xmlSecNssKeysStoreFinalize, /* xmlSecKeyStoreFinalizeMethod finalize; */ - xmlSecNssKeysStoreFindKey, /* xmlSecKeyStoreFindKeyMethod findKey; */ - - /* reserved for the future */ - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; + return 0 ; +} -/** - * xmlSecNssKeysStoreGetKlass: - * - * The Nss list based keys store klass. +int xmlSecNssKeysStoreAdoptKey( + xmlSecKeyStorePtr store , + xmlSecKeyPtr key +) { + xmlSecNssKeysStoreCtxPtr context = NULL ; + + xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ; + xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ; + + context = xmlSecNssKeysStoreGetCtx( store ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecNssKeysStoreGetCtx" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + + if( context->keyList == NULL ) { + if( ( context->keyList = xmlSecPtrListCreate( xmlSecKeyPtrListId ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecPtrListCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + } + + if( !xmlSecPtrListCheckId( context->keyList , xmlSecKeyPtrListId ) ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecPtrListCheckId" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + + if( xmlSecPtrListAdd( context->keyList , key ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecPtrListAdd" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + + return 0 ; +} + +/* + * xmlSecKeyStoreInitializeMethod: + * @store: the store. + * + * Keys store specific initialization method. * - * Returns Nss list based keys store klass. + * Returns 0 on success or a negative value if an error occurs. */ -xmlSecKeyStoreId -xmlSecNssKeysStoreGetKlass(void) { - return(&xmlSecNssKeysStoreKlass); +static int +xmlSecNssKeysStoreInitialize( + xmlSecKeyStorePtr store +) { + xmlSecNssKeysStoreCtxPtr context = NULL ; + + xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ; + xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ; + + context = xmlSecNssKeysStoreGetCtx( store ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecNssKeysStoreGetCtx" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + + context->keyList = NULL ; + context->slotList = NULL ; + + return 0 ; } /** - * xmlSecNssKeysStoreAdoptKey: - * @store: the pointer to Nss keys store. - * @key: the pointer to key. - * - * Adds @key to the @store. * - * Returns 0 on success or a negative value if an error occurs. + * xmlSecKeyStoreFinalizeMethod: + * @store: the store. + * + * Keys store specific finalization (destroy) method. */ -int -xmlSecNssKeysStoreAdoptKey(xmlSecKeyStorePtr store, xmlSecKeyPtr key) { - xmlSecKeyStorePtr *ss; - - xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1); - xmlSecAssert2((key != NULL), -1); +void +xmlSecNssKeysStoreFinalize( + xmlSecKeyStorePtr store +) { + xmlSecNssKeysStoreCtxPtr context = NULL ; + + xmlSecAssert( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) ) ; + xmlSecAssert( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) ) ; + + context = xmlSecNssKeysStoreGetCtx( store ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecNssKeysStoreGetCtx" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return ; + } + + if( context->keyList != NULL ) { + xmlSecPtrListDestroy( context->keyList ) ; + context->keyList = NULL ; + } + + if( context->slotList != NULL ) { + xmlSecPtrListDestroy( context->slotList ) ; + context->slotList = NULL ; + } +} - ss = xmlSecNssKeysStoreGetSS(store); - xmlSecAssert2(((ss != NULL) && (*ss != NULL) && - (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1); +xmlSecKeyPtr +xmlSecNssKeysStoreFindKeyFromSlot( + PK11SlotInfo* slot, + const xmlChar* name, + xmlSecKeyInfoCtxPtr keyInfoCtx +) { + xmlSecKeyPtr key = NULL ; + xmlSecKeyDataPtr data = NULL ; + int length ; + + xmlSecAssert2( slot != NULL , NULL ) ; + xmlSecAssert2( name != NULL , NULL ) ; + xmlSecAssert2( keyInfoCtx != NULL , NULL ) ; + + if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSymmetric ) == xmlSecKeyDataTypeSymmetric ) { + PK11SymKey* symKey ; + PK11SymKey* curKey ; + + /* Find symmetric key from the slot by name */ + symKey = PK11_ListFixedKeysInSlot( slot , ( char* )name , NULL ) ; + for( curKey = symKey ; curKey != NULL ; curKey = PK11_GetNextSymKey( curKey ) ) { + /* Check the key request */ + length = PK11_GetKeyLength( curKey ) ; + length *= 8 ; + if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) && + ( length > 0 ) && + ( length < keyInfoCtx->keyReq.keyBitsSize ) ) + continue ; + + /* We find a eligible key */ + data = xmlSecNssSymKeyDataKeyAdopt( curKey ) ; + if( data == NULL ) { + /* Do nothing */ + } + break ; + } + + /* Destroy the sym key list */ + for( curKey = symKey ; curKey != NULL ; ) { + symKey = curKey ; + curKey = PK11_GetNextSymKey( symKey ) ; + PK11_FreeSymKey( symKey ) ; + } + } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) { + SECKEYPublicKeyList* pubKeyList ; + SECKEYPublicKey* pubKey ; + SECKEYPublicKeyListNode* curPub ; + + /* Find asymmetric key from the slot by name */ + pubKeyList = PK11_ListPublicKeysInSlot( slot , ( char* )name ) ; + pubKey = NULL ; + curPub = PUBKEY_LIST_HEAD(pubKeyList); + for( ; !PUBKEY_LIST_END(curPub, pubKeyList) ; curPub = PUBKEY_LIST_NEXT( curPub ) ) { + /* Check the key request */ + length = SECKEY_PublicKeyStrength( curPub->key ) ; + length *= 8 ; + if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) && + ( length > 0 ) && + ( length < keyInfoCtx->keyReq.keyBitsSize ) ) + continue ; + + /* We find a eligible key */ + pubKey = curPub->key ; + break ; + } + + if( pubKey != NULL ) { + data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ; + if( data == NULL ) { + /* Do nothing */ + } + } + + /* Destroy the public key list */ + SECKEY_DestroyPublicKeyList( pubKeyList ) ; + } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) { + SECKEYPrivateKeyList* priKeyList = NULL ; + SECKEYPrivateKey* priKey = NULL ; + SECKEYPrivateKeyListNode* curPri ; + + /* Find asymmetric key from the slot by name */ + priKeyList = PK11_ListPrivKeysInSlot( slot , ( char* )name , NULL ) ; + priKey = NULL ; + curPri = PRIVKEY_LIST_HEAD(priKeyList); + for( ; !PRIVKEY_LIST_END(curPri, priKeyList) ; curPri = PRIVKEY_LIST_NEXT( curPri ) ) { + /* Check the key request */ + length = PK11_SignatureLen( curPri->key ) ; + length *= 8 ; + if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) && + ( length > 0 ) && + ( length < keyInfoCtx->keyReq.keyBitsSize ) ) + continue ; + + /* We find a eligible key */ + priKey = curPri->key ; + break ; + } + + if( priKey != NULL ) { + data = xmlSecNssPKIAdoptKey( priKey, NULL ) ; + if( data == NULL ) { + /* Do nothing */ + } + } + + /* Destroy the private key list */ + SECKEY_DestroyPrivateKeyList( priKeyList ) ; + } + + /* If we have gotten the key value */ + if( data != NULL ) { + if( ( key = xmlSecKeyCreate() ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeyCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyDataDestroy( data ) ; + return NULL ; + } + + if( xmlSecKeySetValue( key , data ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeySetValue" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyDestroy( key ) ; + xmlSecKeyDataDestroy( data ) ; + return NULL ; + } + } - return (xmlSecSimpleKeysStoreAdoptKey(*ss, key)); + return(key); } + +/** + * xmlSecKeyStoreFindKeyMethod: + * @store: the store. + * @name: the desired key name. + * @keyInfoCtx: the pointer to key info context. + * + * Keys store specific find method. The caller is responsible for destroying + * the returned key using #xmlSecKeyDestroy method. + * + * Returns the pointer to a key or NULL if key is not found or an error occurs. + */ +static xmlSecKeyPtr +xmlSecNssKeysStoreFindKey( + xmlSecKeyStorePtr store , + const xmlChar* name , + xmlSecKeyInfoCtxPtr keyInfoCtx +) { + xmlSecNssKeysStoreCtxPtr context = NULL ; + xmlSecKeyPtr key = NULL ; + xmlSecNssKeySlotPtr keySlot = NULL ; + xmlSecSize pos ; + xmlSecSize size ; + + xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , NULL ) ; + xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , NULL ) ; + xmlSecAssert2( keyInfoCtx != NULL , NULL ) ; + + context = xmlSecNssKeysStoreGetCtx( store ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecNssKeysStoreGetCtx" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return NULL ; + } + + /*- + * Look for key at keyList at first. + */ + if( context->keyList != NULL ) { + size = xmlSecPtrListGetSize( context->keyList ) ; + for( pos = 0 ; pos < size ; pos ++ ) { + key = ( xmlSecKeyPtr )xmlSecPtrListGetItem( context->keyList , pos ) ; + if( key != NULL && xmlSecKeyMatch( key , name , &( keyInfoCtx->keyReq ) ) ) { + return xmlSecKeyDuplicate( key ) ; + } + } + } + + /*- + * Find the key from slotList + */ + if( context->slotList != NULL ) { + PK11SlotInfo* slot = NULL ; + + size = xmlSecPtrListGetSize( context->slotList ) ; + for( pos = 0 ; pos < size ; pos ++ ) { + keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( context->slotList , pos ) ; + slot = xmlSecNssKeySlotGetSlot( keySlot ) ; + if( slot == NULL ) { + continue ; + } else { + key = xmlSecNssKeysStoreFindKeyFromSlot( slot, name, keyInfoCtx ) ; + if( key == NULL ) { + continue ; + } else { + return( key ) ; + } + } + } + } + + /*- + * Create a session key if we can not find the key from keyList and slotList + */ + if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSession ) == xmlSecKeyDataTypeSession ) { + key = xmlSecKeyGenerate( keyInfoCtx->keyReq.keyId , keyInfoCtx->keyReq.keyBitsSize , xmlSecKeyDataTypeSession ) ; + if( key == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , + "xmlSecKeySetValue" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return NULL ; + } + + return key ; + } + + /** + * We have no way to find the key any more. + */ + return NULL ; +} + +static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = { + sizeof( xmlSecKeyStoreKlass ) , + xmlSecNssKeysStoreSize , + BAD_CAST "implicit_nss_keys_store" , + xmlSecNssKeysStoreInitialize , + xmlSecNssKeysStoreFinalize , + xmlSecNssKeysStoreFindKey , + NULL , + NULL +} ; + +/** + * xmlSecNssKeysStoreGetKlass: + * + * The simple list based keys store klass. + * + * Returns simple list based keys store klass. + */ +xmlSecKeyStoreId +xmlSecNssKeysStoreGetKlass( void ) { + return &xmlSecNssKeysStoreKlass ; +} + +/************************** + * Application routines + */ + /** * xmlSecNssKeysStoreLoad: * @store: the pointer to Nss keys store. @@ -252,234 +654,147 @@ */ int xmlSecNssKeysStoreSave(xmlSecKeyStorePtr store, const char *filename, xmlSecKeyDataType type) { - xmlSecKeyStorePtr *ss; + xmlSecKeyInfoCtx keyInfoCtx; + xmlSecNssKeysStoreCtxPtr context ; + xmlSecPtrListPtr list; + xmlSecKeyPtr key; + xmlSecSize i, keysSize; + xmlDocPtr doc; + xmlNodePtr cur; + xmlSecKeyDataPtr data; + xmlSecPtrListPtr idsList; + xmlSecKeyDataId dataId; + xmlSecSize idsSize, j; + int ret; xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1); - xmlSecAssert2((filename != NULL), -1); - - ss = xmlSecNssKeysStoreGetSS(store); - xmlSecAssert2(((ss != NULL) && (*ss != NULL) && - (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1); + xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ), -1 ) ; + xmlSecAssert2(filename != NULL, -1); - return (xmlSecSimpleKeysStoreSave(*ss, filename, type)); -} + context = xmlSecNssKeysStoreGetCtx( store ) ; + xmlSecAssert2( context != NULL, -1 ); -static int -xmlSecNssKeysStoreInitialize(xmlSecKeyStorePtr store) { - xmlSecKeyStorePtr *ss; + list = context->keyList ; + xmlSecAssert2( list != NULL, -1 ); + xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecKeyPtrListId), -1); - xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1); - - ss = xmlSecNssKeysStoreGetSS(store); - xmlSecAssert2((*ss == NULL), -1); - - *ss = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId); - if(*ss == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, + /* create doc */ + doc = xmlSecCreateTree(BAD_CAST "Keys", xmlSecNs); + if(doc == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), - "xmlSecKeyStoreCreate", + "xmlSecCreateTree", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "xmlSecSimpleKeysStoreId"); + XMLSEC_ERRORS_NO_MESSAGE); return(-1); } - return(0); -} + idsList = xmlSecKeyDataIdsGet(); + xmlSecAssert2(idsList != NULL, -1); -static void -xmlSecNssKeysStoreFinalize(xmlSecKeyStorePtr store) { - xmlSecKeyStorePtr *ss; - - xmlSecAssert(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId)); - - ss = xmlSecNssKeysStoreGetSS(store); - xmlSecAssert((ss != NULL) && (*ss != NULL)); - - xmlSecKeyStoreDestroy(*ss); -} + keysSize = xmlSecPtrListGetSize(list); + idsSize = xmlSecPtrListGetSize(idsList); + for(i = 0; i < keysSize; ++i) { + key = (xmlSecKeyPtr)xmlSecPtrListGetItem(list, i); + xmlSecAssert2(key != NULL, -1); -static xmlSecKeyPtr -xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name, - xmlSecKeyInfoCtxPtr keyInfoCtx) { - xmlSecKeyStorePtr* ss; - xmlSecKeyPtr key = NULL; - xmlSecKeyPtr retval = NULL; - xmlSecKeyReqPtr keyReq = NULL; - CERTCertificate *cert = NULL; - SECKEYPublicKey *pubkey = NULL; - SECKEYPrivateKey *privkey = NULL; - xmlSecKeyDataPtr data = NULL; - xmlSecKeyDataPtr x509Data = NULL; - int ret; - - xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), NULL); - xmlSecAssert2(keyInfoCtx != NULL, NULL); - - ss = xmlSecNssKeysStoreGetSS(store); - xmlSecAssert2(((ss != NULL) && (*ss != NULL)), NULL); - - key = xmlSecKeyStoreFindKey(*ss, name, keyInfoCtx); - if (key != NULL) { - return (key); - } - - /* Try to find the key in the NSS DB, and construct an xmlSecKey. - * we must have a name to lookup keys in NSS DB. - */ - if (name == NULL) { - goto done; - } - - /* what type of key are we looking for? - * TBD: For now, we'll look only for public/private keys using the - * name as a cert nickname. Later on, we can attempt to find - * symmetric keys using PK11_FindFixedKey - */ - keyReq = &(keyInfoCtx->keyReq); - if (keyReq->keyType & - (xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate)) { - cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB(), (char *)name); - if (cert == NULL) { - goto done; - } - - if (keyReq->keyType & xmlSecKeyDataTypePublic) { - pubkey = CERT_ExtractPublicKey(cert); - if (pubkey == NULL) { + cur = xmlSecAddChild(xmlDocGetRootElement(doc), xmlSecNodeKeyInfo, xmlSecDSigNs); + if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "CERT_ExtractPublicKey", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } + xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), + "xmlSecAddChild", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "node=%s", + xmlSecErrorsSafeString(xmlSecNodeKeyInfo)); + xmlFreeDoc(doc); + return(-1); } - if (keyReq->keyType & xmlSecKeyDataTypePrivate) { - privkey = PK11_FindKeyByAnyCert(cert, NULL); - if (privkey == NULL) { + /* special data key name */ + if(xmlSecKeyGetName(key) != NULL) { + if(xmlSecAddChild(cur, xmlSecNodeKeyName, xmlSecDSigNs) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "PK11_FindKeyByAnyCert", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; + xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), + "xmlSecAddChild", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "node=%s", + xmlSecErrorsSafeString(xmlSecNodeKeyName)); + xmlFreeDoc(doc); + return(-1); } } - data = xmlSecNssPKIAdoptKey(privkey, pubkey); - if(data == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssPKIAdoptKey", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - privkey = NULL; - pubkey = NULL; - - key = xmlSecKeyCreate(); - if (key == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecKeyCreate", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return (NULL); - } - - x509Data = xmlSecKeyDataCreate(xmlSecNssKeyDataX509Id); - if(x509Data == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecKeyDataCreate", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "transform=%s", - xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecNssKeyDataX509Id))); - goto done; - } + /* create nodes for other keys data */ + for(j = 0; j < idsSize; ++j) { + dataId = (xmlSecKeyDataId)xmlSecPtrListGetItem(idsList, j); + xmlSecAssert2(dataId != xmlSecKeyDataIdUnknown, -1); + + if(dataId->dataNodeName == NULL) { + continue; + } + + data = xmlSecKeyGetData(key, dataId); + if(data == NULL) { + continue; + } - ret = xmlSecNssKeyDataX509AdoptKeyCert(x509Data, cert); - if (ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssKeyDataX509AdoptKeyCert", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "data=%s", - xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); - goto done; - } - cert = CERT_DupCertificate(cert); - if (cert == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "CERT_DupCertificate", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - "data=%s", - xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); - goto done; + if(xmlSecAddChild(cur, dataId->dataNodeName, dataId->dataNodeNs) == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), + "xmlSecAddChild", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "node=%s", + xmlSecErrorsSafeString(dataId->dataNodeName)); + xmlFreeDoc(doc); + return(-1); + } } - ret = xmlSecNssKeyDataX509AdoptCert(x509Data, cert); + ret = xmlSecKeyInfoCtxInitialize(&keyInfoCtx, NULL); if (ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssKeyDataX509AdoptCert", + xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), + "xmlSecKeyInfoCtxInitialize", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "data=%s", - xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); - goto done; + XMLSEC_ERRORS_NO_MESSAGE); + xmlFreeDoc(doc); + return(-1); } - cert = NULL; - ret = xmlSecKeySetValue(key, data); - if (ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecKeySetValue", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "data=%s", - xmlSecErrorsSafeString(xmlSecKeyDataGetName(data))); - goto done; - } - data = NULL; + keyInfoCtx.mode = xmlSecKeyInfoModeWrite; + keyInfoCtx.keyReq.keyId = xmlSecKeyDataIdUnknown; + keyInfoCtx.keyReq.keyType = type; + keyInfoCtx.keyReq.keyUsage = xmlSecKeyDataUsageAny; - ret = xmlSecKeyAdoptData(key, x509Data); + /* finally write key in the node */ + ret = xmlSecKeyInfoNodeWrite(cur, key, &keyInfoCtx); if (ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecKeyAdoptData", + xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), + "xmlSecKeyInfoNodeWrite", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "data=%s", - xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); - goto done; - } - x509Data = NULL; + XMLSEC_ERRORS_NO_MESSAGE); + xmlSecKeyInfoCtxFinalize(&keyInfoCtx); + xmlFreeDoc(doc); + return(-1); + } - retval = key; - key = NULL; + xmlSecKeyInfoCtxFinalize(&keyInfoCtx); } -done: - if (cert != NULL) { - CERT_DestroyCertificate(cert); - } - if (pubkey != NULL) { - SECKEY_DestroyPublicKey(pubkey); - } - if (privkey != NULL) { - SECKEY_DestroyPrivateKey(privkey); - } - if (data != NULL) { - xmlSecKeyDataDestroy(data); - } - if (x509Data != NULL) { - xmlSecKeyDataDestroy(x509Data); - } - if (key != NULL) { - xmlSecKeyDestroy(key); + /* now write result */ + ret = xmlSaveFormatFile(filename, doc, 1); + if (ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), + "xmlSaveFormatFile", + XMLSEC_ERRORS_R_XML_FAILED, + "filename=%s", + xmlSecErrorsSafeString(filename)); + xmlFreeDoc(doc); + return(-1); } - return (retval); + xmlFreeDoc(doc); + return(0); } --- misc/xmlsec1-1.2.12/src/nss/keywrapers.c 2009-09-21 14:07:19.223802688 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/keywrapers.c 2009-09-21 14:02:48.548869372 +0200 @@ -1 +1,1213 @@ -dummy +/** + * + * XMLSec library + * + * AES Algorithm support + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright ................................. + */ +#include "globals.h" + +#include +#include +#include + +#include +#include +#include + +#include +#include +#include +#include +#include + +#include +#include + +#define XMLSEC_NSS_AES128_KEY_SIZE 16 +#define XMLSEC_NSS_AES192_KEY_SIZE 24 +#define XMLSEC_NSS_AES256_KEY_SIZE 32 +#define XMLSEC_NSS_DES3_KEY_SIZE 24 +#define XMLSEC_NSS_DES3_KEY_LENGTH 24 +#define XMLSEC_NSS_DES3_IV_LENGTH 8 +#define XMLSEC_NSS_DES3_BLOCK_LENGTH 8 + +static xmlSecByte xmlSecNssKWDes3Iv[XMLSEC_NSS_DES3_IV_LENGTH] = { + 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 +}; + +/********************************************************************* + * + * key wrap transforms + * + ********************************************************************/ +typedef struct _xmlSecNssKeyWrapCtx xmlSecNssKeyWrapCtx ; +typedef struct _xmlSecNssKeyWrapCtx* xmlSecNssKeyWrapCtxPtr ; + +#define xmlSecNssKeyWrapSize \ + ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyWrapCtx ) ) + +#define xmlSecNssKeyWrapGetCtx( transform ) \ + ( ( xmlSecNssKeyWrapCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) ) + +struct _xmlSecNssKeyWrapCtx { + CK_MECHANISM_TYPE cipher ; + PK11SymKey* symkey ; + xmlSecKeyDataId keyId ; + xmlSecBufferPtr material ; /* to be encrypted/decrypted key material */ +} ; + +static int xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform); +static void xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform); +static int xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, + xmlSecKeyReqPtr keyReq); +static int xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, + xmlSecKeyPtr key); +static int xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, + int last, + xmlSecTransformCtxPtr transformCtx); +static xmlSecSize xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform); + +static int +xmlSecNssKeyWrapCheckId( + xmlSecTransformPtr transform +) { + #ifndef XMLSEC_NO_DES + if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) { + return(1); + } + #endif /* XMLSEC_NO_DES */ + + #ifndef XMLSEC_NO_AES + if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes128Id ) || + xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes192Id ) || + xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes256Id ) ) { + + return(1); + } + #endif /* XMLSEC_NO_AES */ + + return(0); +} + +static xmlSecSize +xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform) { +#ifndef XMLSEC_NO_DES + if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) { + return(XMLSEC_NSS_DES3_KEY_SIZE); + } else +#endif /* XMLSEC_NO_DES */ + +#ifndef XMLSEC_NO_AES + if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes128Id)) { + return(XMLSEC_NSS_AES128_KEY_SIZE); + } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes192Id)) { + return(XMLSEC_NSS_AES192_KEY_SIZE); + } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) { + return(XMLSEC_NSS_AES256_KEY_SIZE); + } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) { + return(XMLSEC_NSS_AES256_KEY_SIZE); + } else +#endif /* XMLSEC_NO_AES */ + + if(1) + return(0); +} + + +static int +xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform) { + xmlSecNssKeyWrapCtxPtr context ; + int ret; + + xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + xmlSecAssert2( context != NULL , -1 ) ; + + #ifndef XMLSEC_NO_DES + if( transform->id == xmlSecNssTransformKWDes3Id ) { + context->cipher = CKM_DES3_CBC ; + context->keyId = xmlSecNssKeyDataDesId ; + } else + #endif /* XMLSEC_NO_DES */ + + #ifndef XMLSEC_NO_AES + if( transform->id == xmlSecNssTransformKWAes128Id ) { + /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ + context->cipher = CKM_AES_CBC ; + context->keyId = xmlSecNssKeyDataAesId ; + } else + if( transform->id == xmlSecNssTransformKWAes192Id ) { + /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ + context->cipher = CKM_AES_CBC ; + context->keyId = xmlSecNssKeyDataAesId ; + } else + if( transform->id == xmlSecNssTransformKWAes256Id ) { + /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ + context->cipher = CKM_AES_CBC ; + context->keyId = xmlSecNssKeyDataAesId ; + } else + #endif /* XMLSEC_NO_AES */ + + + if( 1 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + context->symkey = NULL ; + context->material = NULL ; + + return(0); +} + +static void +xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform) { + xmlSecNssKeyWrapCtxPtr context ; + + xmlSecAssert(xmlSecNssKeyWrapCheckId(transform)); + xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize)); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + xmlSecAssert( context != NULL ) ; + + if( context->symkey != NULL ) { + PK11_FreeSymKey( context->symkey ) ; + context->symkey = NULL ; + } + + if( context->material != NULL ) { + xmlSecBufferDestroy(context->material); + context->material = NULL ; + } +} + +static int +xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) { + xmlSecNssKeyWrapCtxPtr context ; + xmlSecSize cipherSize = 0 ; + + + xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); + xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); + xmlSecAssert2(keyReq != NULL, -1); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + xmlSecAssert2( context != NULL , -1 ) ; + + keyReq->keyId = context->keyId; + keyReq->keyType = xmlSecKeyDataTypeSymmetric; + if(transform->operation == xmlSecTransformOperationEncrypt) { + keyReq->keyUsage = xmlSecKeyUsageEncrypt; + } else { + keyReq->keyUsage = xmlSecKeyUsageDecrypt; + } + + keyReq->keyBitsSize = xmlSecNssKeyWrapGetKeySize( transform ) ; + + return(0); +} + +static int +xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { + xmlSecNssKeyWrapCtxPtr context = NULL ; + xmlSecKeyDataPtr keyData = NULL ; + PK11SymKey* symkey = NULL ; + + xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); + xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); + xmlSecAssert2(key != NULL, -1); + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + if( context == NULL || context->keyId == NULL || context->symkey != NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapGetCtx" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ; + + keyData = xmlSecKeyGetValue( key ) ; + if( keyData == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) , + "xmlSecKeyGetValue" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) , + "xmlSecNssSymKeyDataGetKey" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + context->symkey = symkey ; + + return(0) ; +} + +/** + * key wrap transform + */ +static int +xmlSecNssKeyWrapCtxInit( + xmlSecNssKeyWrapCtxPtr ctx , + xmlSecBufferPtr in , + xmlSecBufferPtr out , + int encrypt , + xmlSecTransformCtxPtr transformCtx +) { + xmlSecSize blockSize ; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( in != NULL , -1 ) ; + xmlSecAssert2( out != NULL , -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + if( ctx->material != NULL ) { + xmlSecBufferDestroy( ctx->material ) ; + ctx->material = NULL ; + } + + if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_GetBlockSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + ctx->material = xmlSecBufferCreate( blockSize ) ; + if( ctx->material == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferCreate" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* read raw key material into context */ + if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferSetData" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferRemoveHead" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + return(0); +} + +/** + * key wrap transform update + */ +static int +xmlSecNssKeyWrapCtxUpdate( + xmlSecNssKeyWrapCtxPtr ctx , + xmlSecBufferPtr in , + xmlSecBufferPtr out , + int encrypt , + xmlSecTransformCtxPtr transformCtx +) { + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( in != NULL , -1 ) ; + xmlSecAssert2( out != NULL , -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + /* read raw key material and append into context */ + if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferAppend" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferRemoveHead" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + return(0); +} + +static int +xmlSecNssKWDes3BufferReverse(xmlSecByte *buf, xmlSecSize size) { + xmlSecSize s; + xmlSecSize i; + xmlSecByte c; + + xmlSecAssert2(buf != NULL, -1); + + s = size / 2; + --size; + for(i = 0; i < s; ++i) { + c = buf[i]; + buf[i] = buf[size - i]; + buf[size - i] = c; + } + return(0); +} + +static xmlSecByte * +xmlSecNssComputeSHA1(const xmlSecByte *in, xmlSecSize inSize, + xmlSecByte *out, xmlSecSize outSize) +{ + PK11Context *context = NULL; + SECStatus s; + xmlSecByte *digest = NULL; + unsigned int len; + + xmlSecAssert2(in != NULL, NULL); + xmlSecAssert2(out != NULL, NULL); + xmlSecAssert2(outSize >= SHA1_LENGTH, NULL); + + /* Create a context for hashing (digesting) */ + context = PK11_CreateDigestContext(SEC_OID_SHA1); + if (context == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_CreateDigestContext", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + + s = PK11_DigestBegin(context); + if (s != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestBegin", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + + s = PK11_DigestOp(context, in, inSize); + if (s != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestOp", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + + s = PK11_DigestFinal(context, out, &len, outSize); + if (s != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + goto done; + } + xmlSecAssert2(len == SHA1_LENGTH, NULL); + + digest = out; + +done: + if (context != NULL) { + PK11_DestroyContext(context, PR_TRUE); + } + return (digest); +} + +static int +xmlSecNssKWDes3Encrypt( + PK11SymKey* symKey , + CK_MECHANISM_TYPE cipherMech , + const xmlSecByte* iv , + xmlSecSize ivSize , + const xmlSecByte* in , + xmlSecSize inSize , + xmlSecByte* out , + xmlSecSize outSize , + int enc +) { + PK11Context* EncContext = NULL; + SECItem ivItem ; + SECItem* secParam = NULL ; + int tmp1_outlen; + unsigned int tmp2_outlen; + int result_len = -1; + SECStatus rv; + + xmlSecAssert2( cipherMech != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( symKey != NULL , -1 ) ; + xmlSecAssert2(iv != NULL, -1); + xmlSecAssert2(ivSize == XMLSEC_NSS_DES3_IV_LENGTH, -1); + xmlSecAssert2(in != NULL, -1); + xmlSecAssert2(inSize > 0, -1); + xmlSecAssert2(out != NULL, -1); + xmlSecAssert2(outSize >= inSize, -1); + + /* Prepare IV */ + ivItem.data = ( unsigned char* )iv ; + ivItem.len = ivSize ; + + secParam = PK11_ParamFromIV(cipherMech, &ivItem); + if (secParam == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_ParamFromIV", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + EncContext = PK11_CreateContextBySymKey(cipherMech, + enc ? CKA_ENCRYPT : CKA_DECRYPT, + symKey, secParam); + if (EncContext == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_CreateContextBySymKey", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + tmp1_outlen = tmp2_outlen = 0; + rv = PK11_CipherOp(EncContext, out, &tmp1_outlen, outSize, + (unsigned char *)in, inSize); + if (rv != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_CipherOp", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + rv = PK11_DigestFinal(EncContext, out+tmp1_outlen, + &tmp2_outlen, outSize-tmp1_outlen); + if (rv != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_DigestFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "Error code = %d", PORT_GetError()); + goto done; + } + + result_len = tmp1_outlen + tmp2_outlen; + +done: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + if (EncContext) { + PK11_DestroyContext(EncContext, PR_TRUE); + } + + return(result_len); +} + +static int +xmlSecNssKeyWrapDesOp( + xmlSecNssKeyWrapCtxPtr ctx , + int encrypt , + xmlSecBufferPtr result +) { + xmlSecByte sha1[SHA1_LENGTH]; + xmlSecByte iv[XMLSEC_NSS_DES3_IV_LENGTH]; + xmlSecByte* in; + xmlSecSize inSize; + xmlSecByte* out; + xmlSecSize outSize; + xmlSecSize s; + int ret; + SECStatus status; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( result != NULL , -1 ) ; + + in = xmlSecBufferGetData(ctx->material); + inSize = xmlSecBufferGetSize(ctx->material) ; + out = xmlSecBufferGetData(result); + outSize = xmlSecBufferGetMaxSize(result) ; + if( encrypt ) { + /* step 2: calculate sha1 and CMS */ + if(xmlSecNssComputeSHA1(in, inSize, sha1, SHA1_LENGTH) == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssComputeSHA1", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* step 3: construct WKCKS */ + memcpy(out, in, inSize); + memcpy(out + inSize, sha1, XMLSEC_NSS_DES3_BLOCK_LENGTH); + + /* step 4: generate random iv */ + status = PK11_GenerateRandom(iv, XMLSEC_NSS_DES3_IV_LENGTH); + if(status != SECSuccess) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PK11_GenerateRandom", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "error code = %d", PORT_GetError()); + return(-1); + } + + /* step 5: first encryption, result is TEMP1 */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + iv, XMLSEC_NSS_DES3_IV_LENGTH, + out, inSize + XMLSEC_NSS_DES3_IV_LENGTH, + out, outSize, 1); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* step 6: construct TEMP2=IV || TEMP1 */ + memmove(out + XMLSEC_NSS_DES3_IV_LENGTH, out, + inSize + XMLSEC_NSS_DES3_IV_LENGTH); + memcpy(out, iv, XMLSEC_NSS_DES3_IV_LENGTH); + s = ret + XMLSEC_NSS_DES3_IV_LENGTH; + + /* step 7: reverse octets order, result is TEMP3 */ + ret = xmlSecNssKWDes3BufferReverse(out, s); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3BufferReverse", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* step 8: second encryption with static IV */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, + out, s, + out, outSize, 1); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + s = ret; + + if( xmlSecBufferSetSize( result , s ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecBufferSetSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else { + /* step 2: first decryption with static IV, result is TEMP3 */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, + in, inSize, + out, outSize, 0); + if((ret < 0) || (ret < XMLSEC_NSS_DES3_IV_LENGTH)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + s = ret; + + /* step 3: reverse octets order in TEMP3, result is TEMP2 */ + ret = xmlSecNssKWDes3BufferReverse(out, s); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3BufferReverse", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* steps 4 and 5: get IV and decrypt second time, result is WKCKS */ + ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, + out, XMLSEC_NSS_DES3_IV_LENGTH, + out+XMLSEC_NSS_DES3_IV_LENGTH, s-XMLSEC_NSS_DES3_IV_LENGTH, + out, outSize, 0); + if((ret < 0) || (ret < XMLSEC_NSS_DES3_BLOCK_LENGTH)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssKWDes3Encrypt", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + s = ret - XMLSEC_NSS_DES3_IV_LENGTH; + + /* steps 6 and 7: calculate SHA1 and validate it */ + if(xmlSecNssComputeSHA1(out, s, sha1, SHA1_LENGTH) == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssComputeSHA1", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + if(memcmp(sha1, out + s, XMLSEC_NSS_DES3_BLOCK_LENGTH) != 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "SHA1 does not match"); + return(-1); + } + + if( xmlSecBufferSetSize( result , s ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecBufferSetSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } + + return(0); +} + +static int +xmlSecNssKeyWrapAesOp( + xmlSecNssKeyWrapCtxPtr ctx , + int encrypt , + xmlSecBufferPtr result +) { + PK11Context* cipherCtx = NULL; + SECItem ivItem ; + SECItem* secParam = NULL ; + xmlSecSize inSize ; + xmlSecSize inBlocks ; + int blockSize ; + int midSize ; + int finSize ; + xmlSecByte* out ; + xmlSecSize outSize; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( result != NULL , -1 ) ; + + /* Do not set any IV */ + memset(&ivItem, 0, sizeof(ivItem)); + + /* Get block size */ + if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_GetBlockSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + inSize = xmlSecBufferGetSize( ctx->material ) ; + if( xmlSecBufferSetMaxSize( result , inSize + blockSize ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferSetMaxSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* Get Param for context initialization */ + if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_ParamFromIV" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ; + if( cipherCtx == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_CreateContextBySymKey" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + SECITEM_FreeItem( secParam , PR_TRUE ) ; + return(-1); + } + + out = xmlSecBufferGetData(result) ; + outSize = xmlSecBufferGetMaxSize(result) ; + if( PK11_CipherOp( cipherCtx , out, &midSize , outSize , xmlSecBufferGetData( ctx->material ) , inSize ) != SECSuccess ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_CipherOp" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( PK11_DigestFinal( cipherCtx , out + midSize , &finSize , outSize - midSize ) != SECSuccess ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_DigestFinal" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferSetSize( result , midSize + finSize ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferSetSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + return 0 ; +} + +/** + * Block cipher transform final + */ +static int +xmlSecNssKeyWrapCtxFinal( + xmlSecNssKeyWrapCtxPtr ctx , + xmlSecBufferPtr in , + xmlSecBufferPtr out , + int encrypt , + xmlSecTransformCtxPtr transformCtx +) { + PK11SymKey* targetKey ; + xmlSecSize blockSize ; + xmlSecBufferPtr result ; + + xmlSecAssert2( ctx != NULL , -1 ) ; + xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; + xmlSecAssert2( ctx->symkey != NULL , -1 ) ; + xmlSecAssert2( ctx->keyId != NULL , -1 ) ; + xmlSecAssert2( ctx->material != NULL , -1 ) ; + xmlSecAssert2( in != NULL , -1 ) ; + xmlSecAssert2( out != NULL , -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + /* read raw key material and append into context */ + if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferAppend" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferRemoveHead" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* Now we get all of the key materail */ + /* from now on we will wrap or unwrap the key */ + if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "PK11_GetBlockSize" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + result = xmlSecBufferCreate( blockSize ) ; + if( result == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferCreate" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + switch( ctx->cipher ) { + case CKM_DES3_CBC : + if( xmlSecNssKeyWrapDesOp(ctx, encrypt, result) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssKeyWrapDesOp" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBufferDestroy(result); + return(-1); + } + break ; + /* case CKM_NETSCAPE_AES_KEY_WRAP :*/ + case CKM_AES_CBC : + if( xmlSecNssKeyWrapAesOp(ctx, encrypt, result) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssKeyWrapAesOp" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBufferDestroy(result); + return(-1); + } + break ; + } + + /* Write output */ + if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecBufferAppend" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBufferDestroy(result); + return(-1); + } + xmlSecBufferDestroy(result); + + return(0); +} + +static int +xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) { + xmlSecNssKeyWrapCtxPtr context = NULL ; + xmlSecBufferPtr inBuf, outBuf ; + int operation ; + int rtv ; + + xmlSecAssert2( xmlSecNssKeyWrapCheckId( transform ), -1 ) ; + xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyWrapSize ), -1 ) ; + xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ; + xmlSecAssert2( transformCtx != NULL , -1 ) ; + + context = xmlSecNssKeyWrapGetCtx( transform ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapGetCtx" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + inBuf = &( transform->inBuf ) ; + outBuf = &( transform->outBuf ) ; + + if( transform->status == xmlSecTransformStatusNone ) { + transform->status = xmlSecTransformStatusWorking ; + } + + operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ; + if( transform->status == xmlSecTransformStatusWorking ) { + if( context->material == NULL ) { + rtv = xmlSecNssKeyWrapCtxInit( context, inBuf , outBuf , operation , transformCtx ) ; + if( rtv < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapCtxInit" , + XMLSEC_ERRORS_R_INVALID_STATUS , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + } + + if( context->material == NULL && last != 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + NULL , + XMLSEC_ERRORS_R_INVALID_STATUS , + "No enough data to intialize transform" ) ; + return(-1); + } + + if( context->material != NULL ) { + rtv = xmlSecNssKeyWrapCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ; + if( rtv < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapCtxUpdate" , + XMLSEC_ERRORS_R_INVALID_STATUS , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + } + + if( last ) { + rtv = xmlSecNssKeyWrapCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ; + if( rtv < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + "xmlSecNssKeyWrapCtxFinal" , + XMLSEC_ERRORS_R_INVALID_STATUS , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + transform->status = xmlSecTransformStatusFinished ; + } + } else if( transform->status == xmlSecTransformStatusFinished ) { + if( xmlSecBufferGetSize( inBuf ) != 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + NULL , + XMLSEC_ERRORS_R_INVALID_STATUS , + "status=%d", transform->status ) ; + return(-1); + } + } else { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , + NULL , + XMLSEC_ERRORS_R_INVALID_STATUS , + "status=%d", transform->status ) ; + return(-1); + } + + return(0); +} + +#ifndef XMLSEC_NO_AES + + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWAes128Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWAes128Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWAes128, /* const xmlChar* name; */ + xmlSecHrefKWAes128, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWAes192Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWAes192Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWAes192, /* const xmlChar* name; */ + xmlSecHrefKWAes192, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWAes256Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWAes256Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWAes256, /* const xmlChar* name; */ + xmlSecHrefKWAes256, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecNssTransformKWAes128GetKlass: + * + * The AES-128 key wrapper transform klass. + * + * Returns AES-128 key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWAes128GetKlass(void) { + return(&xmlSecNssKWAes128Klass); +} + +/** + * xmlSecNssTransformKWAes192GetKlass: + * + * The AES-192 key wrapper transform klass. + * + * Returns AES-192 key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWAes192GetKlass(void) { + return(&xmlSecNssKWAes192Klass); +} + +/** + * + * The AES-256 key wrapper transform klass. + * + * Returns AES-256 key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWAes256GetKlass(void) { + return(&xmlSecNssKWAes256Klass); +} + +#endif /* XMLSEC_NO_AES */ + + +#ifndef XMLSEC_NO_DES + +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecTransformKlass xmlSecNssKWDes3Klass = { +#else +static xmlSecTransformKlass xmlSecNssKWDes3Klass = { +#endif + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ + + xmlSecNameKWDes3, /* const xmlChar* name; */ + xmlSecHrefKWDes3, /* const xmlChar* href; */ + xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ + + xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ + xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + NULL, /* xmlSecTransformValidateMethod validate; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecNssTransformKWDes3GetKlass: + * + * The Triple DES key wrapper transform klass. + * + * Returns Triple DES key wrapper transform klass. + */ +xmlSecTransformId +xmlSecNssTransformKWDes3GetKlass(void) { + return(&xmlSecNssKWDes3Klass); +} + +#endif /* XMLSEC_NO_DES */ + --- misc/xmlsec1-1.2.12/src/nss/pkikeys.c 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/pkikeys.c 2009-09-21 14:02:48.657352624 +0200 @@ -24,6 +24,7 @@ #include #include #include +#include /************************************************************************** * @@ -115,6 +116,8 @@ xmlSecNssPKIKeyDataCtxPtr ctxSrc) { xmlSecNSSPKIKeyDataCtxFree(ctxDst); + ctxDst->privkey = NULL ; + ctxDst->pubkey = NULL ; if (ctxSrc->privkey != NULL) { ctxDst->privkey = SECKEY_CopyPrivateKey(ctxSrc->privkey); if(ctxDst->privkey == NULL) { @@ -588,13 +591,13 @@ goto done; } - slot = PK11_GetBestSlot(CKM_DSA, NULL); + slot = xmlSecNssSlotGet(CKM_DSA); if(slot == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "PK11_GetBestSlot", + "xmlSecNssSlotGet", XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); ret = -1; goto done; } @@ -792,14 +795,14 @@ if (slot != NULL) { PK11_FreeSlot(slot); } - if (ret != 0) { + if (pubkey != NULL) { SECKEY_DestroyPublicKey(pubkey); } if (data != NULL) { xmlSecKeyDataDestroy(data); } - } + return(ret); } @@ -818,7 +821,7 @@ ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key)); xmlSecAssert2(ctx != NULL, -1); - xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1); +/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/ if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) { /* we can have only private key or public key */ @@ -940,7 +943,8 @@ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), "PK11_PQG_ParamGen", XMLSEC_ERRORS_R_CRYPTO_FAILED, - "size=%d", sizeBits); + "size=%d, error code=%d", sizeBits, PORT_GetError()); + ret = -1; goto done; } @@ -950,11 +954,12 @@ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), "PK11_PQG_VerifyParams", XMLSEC_ERRORS_R_CRYPTO_FAILED, - "size=%d", sizeBits); + "size=%d, error code=%d", sizeBits, PORT_GetError()); + ret = -1; goto done; } - slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL); + slot = xmlSecNssSlotGet(CKM_DSA_KEY_PAIR_GEN); PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */); privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams, &pubkey, PR_FALSE, PR_TRUE, NULL); @@ -964,8 +969,9 @@ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), "PK11_GenerateKeyPair", XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); + ret = -1; goto done; } @@ -979,6 +985,8 @@ goto done; } + privkey = NULL ; + pubkey = NULL ; ret = 0; done: @@ -991,16 +999,13 @@ if (pqgVerify != NULL) { PK11_PQG_DestroyVerify(pqgVerify); } - if (ret == 0) { - return (0); - } if (pubkey != NULL) { SECKEY_DestroyPublicKey(pubkey); } if (privkey != NULL) { SECKEY_DestroyPrivateKey(privkey); } - return(-1); + return(ret); } static xmlSecKeyDataType @@ -1010,10 +1015,10 @@ xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), xmlSecKeyDataTypeUnknown); ctx = xmlSecNssPKIKeyDataGetCtx(data); xmlSecAssert2(ctx != NULL, -1); - xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1); +/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/ if (ctx->privkey != NULL) { return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic); - } else { + } else if( ctx->pubkey != NULL ) { return(xmlSecKeyDataTypePublic); } @@ -1027,7 +1032,7 @@ xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), 0); ctx = xmlSecNssPKIKeyDataGetCtx(data); xmlSecAssert2(ctx != NULL, -1); - xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1); +/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/ return(8 * SECKEY_PublicKeyStrength(ctx->pubkey)); } @@ -1216,13 +1221,13 @@ goto done; } - slot = PK11_GetBestSlot(CKM_RSA_PKCS, NULL); + slot = xmlSecNssSlotGet(CKM_RSA_PKCS); if(slot == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "PK11_GetBestSlot", + "xmlSecNssSlotGet", XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); ret = -1; goto done; } @@ -1384,7 +1389,7 @@ ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key)); xmlSecAssert2(ctx != NULL, -1); - xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1); +/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/ if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) { @@ -1455,7 +1460,7 @@ params.keySizeInBits = sizeBits; params.pe = 65537; - slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, NULL); + slot = xmlSecNssSlotGet(CKM_RSA_PKCS_KEY_PAIR_GEN); PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */); privkey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, ¶ms, &pubkey, PR_FALSE, PR_TRUE, NULL); @@ -1525,7 +1530,7 @@ ctx = xmlSecNssPKIKeyDataGetCtx(data); xmlSecAssert2(ctx != NULL, -1); - xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1); +/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/ return(8 * SECKEY_PublicKeyStrength(ctx->pubkey)); } --- misc/xmlsec1-1.2.12/src/nss/symkeys.c 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/symkeys.c 2009-09-21 14:02:48.620574832 +0200 @@ -15,20 +15,41 @@ #include #include +#include +#include + #include #include +#include #include #include #include #include #include +#include +#include /***************************************************************************** * - * Symmetic (binary) keys - just a wrapper for xmlSecKeyDataBinary + * Symmetic (binary) keys - a wrapper over slot information and PK11SymKey * ****************************************************************************/ +typedef struct _xmlSecNssSymKeyDataCtx xmlSecNssSymKeyDataCtx ; +typedef struct _xmlSecNssSymKeyDataCtx* xmlSecNssSymKeyDataCtxPtr ; + +struct _xmlSecNssSymKeyDataCtx { + CK_MECHANISM_TYPE cipher ; /* the symmetic key mechanism */ + PK11SlotInfo* slot ; /* the key resident slot */ + PK11SymKey* symkey ; /* the symmetic key */ +} ; + +#define xmlSecNssSymKeyDataSize \ + ( sizeof( xmlSecKeyData ) + sizeof( xmlSecNssSymKeyDataCtx ) ) + +#define xmlSecNssSymKeyDataGetCtx( data ) \ + ( ( xmlSecNssSymKeyDataCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyData ) ) ) + static int xmlSecNssSymKeyDataInitialize (xmlSecKeyDataPtr data); static int xmlSecNssSymKeyDataDuplicate (xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src); @@ -67,107 +88,743 @@ (xmlSecKeyDataIsValid((data)) && \ xmlSecNssSymKeyDataKlassCheck((data)->id)) +/** + * xmlSecNssSymKeyDataAdoptKey: + * @data: the pointer to symmetric key data. + * @symkey: the symmetric key + * + * Set the value of symmetric key data. + * + * Returns 0 on success or a negative value if an error occurs. + */ +int +xmlSecNssSymKeyDataAdoptKey( + xmlSecKeyDataPtr data , + PK11SymKey* symkey +) { + xmlSecNssSymKeyDataCtxPtr context = NULL ; + + xmlSecAssert2( xmlSecNssSymKeyDataCheckId( data ), -1 ) ; + xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), -1 ) ; + xmlSecAssert2( symkey != NULL, -1 ) ; + + context = xmlSecNssSymKeyDataGetCtx( data ) ; + xmlSecAssert2(context != NULL, -1); + + context->cipher = PK11_GetMechanism( symkey ) ; + + if( context->slot != NULL ) { + PK11_FreeSlot( context->slot ) ; + context->slot = NULL ; + } + context->slot = PK11_GetSlotFromKey( symkey ) ; + + if( context->symkey != NULL ) { + PK11_FreeSymKey( context->symkey ) ; + context->symkey = NULL ; + } + context->symkey = PK11_ReferenceSymKey( symkey ) ; + + return 0 ; +} + +xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( + PK11SymKey* symKey +) { + xmlSecKeyDataPtr data = NULL ; + CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM ; + + xmlSecAssert2( symKey != NULL , NULL ) ; + + mechanism = PK11_GetMechanism( symKey ) ; + switch( mechanism ) { + case CKM_DES3_KEY_GEN : + case CKM_DES3_CBC : + case CKM_DES3_MAC : + data = xmlSecKeyDataCreate( xmlSecNssKeyDataDesId ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeyDataCreate" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + "xmlSecNssKeyDataDesId" ) ; + return NULL ; + } + break ; + case CKM_AES_KEY_GEN : + case CKM_AES_CBC : + case CKM_AES_MAC : + data = xmlSecKeyDataCreate( xmlSecNssKeyDataAesId ) ; + if( data == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecKeyDataCreate" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + "xmlSecNssKeyDataDesId" ) ; + return NULL ; + } + break ; + default : + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + "Unsupported mechanism" ) ; + return NULL ; + } + + if( xmlSecNssSymKeyDataAdoptKey( data , symKey ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + "xmlSecNssSymKeyDataAdoptKey" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecKeyDataDestroy( data ) ; + return NULL ; + } + + return data ; +} + + +PK11SymKey* +xmlSecNssSymKeyDataGetKey( + xmlSecKeyDataPtr data +) { + xmlSecNssSymKeyDataCtxPtr ctx; + PK11SymKey* symkey ; + + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), NULL); + xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), NULL); + + ctx = xmlSecNssSymKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, NULL); + + if( ctx->symkey != NULL ) { + symkey = PK11_ReferenceSymKey( ctx->symkey ) ; + } else { + symkey = NULL ; + } + + return(symkey); +} + static int xmlSecNssSymKeyDataInitialize(xmlSecKeyDataPtr data) { + xmlSecNssSymKeyDataCtxPtr ctx; + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1); - - return(xmlSecKeyDataBinaryValueInitialize(data)); + xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), -1); + + ctx = xmlSecNssSymKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, -1); + + memset( ctx, 0, sizeof(xmlSecNssSymKeyDataCtx)); + + /* Set the block cipher mechanism */ +#ifndef XMLSEC_NO_DES + if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) { + ctx->cipher = CKM_DES3_KEY_GEN; + } else +#endif /* XMLSEC_NO_DES */ + +#ifndef XMLSEC_NO_AES + if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) { + ctx->cipher = CKM_AES_KEY_GEN; + } else +#endif /* XMLSEC_NO_AES */ + + if(1) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + "Unsupported block cipher" ) ; + return(-1) ; + } + + return(0); } static int xmlSecNssSymKeyDataDuplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) { + xmlSecNssSymKeyDataCtxPtr ctxDst; + xmlSecNssSymKeyDataCtxPtr ctxSrc; + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(dst), -1); + xmlSecAssert2(xmlSecKeyDataCheckSize(dst, xmlSecNssSymKeyDataSize), -1); xmlSecAssert2(xmlSecNssSymKeyDataCheckId(src), -1); + xmlSecAssert2(xmlSecKeyDataCheckSize(src, xmlSecNssSymKeyDataSize), -1); xmlSecAssert2(dst->id == src->id, -1); - - return(xmlSecKeyDataBinaryValueDuplicate(dst, src)); + + ctxDst = xmlSecNssSymKeyDataGetCtx(dst); + xmlSecAssert2(ctxDst != NULL, -1); + + ctxSrc = xmlSecNssSymKeyDataGetCtx(src); + xmlSecAssert2(ctxSrc != NULL, -1); + + ctxDst->cipher = ctxSrc->cipher ; + + if( ctxSrc->slot != NULL ) { + if( ctxDst->slot != NULL && ctxDst->slot != ctxSrc->slot ) { + PK11_FreeSlot( ctxDst->slot ) ; + ctxDst->slot = NULL ; + } + + if( ctxDst->slot == NULL && ctxSrc->slot != NULL ) + ctxDst->slot = PK11_ReferenceSlot( ctxSrc->slot ) ; + } else { + if( ctxDst->slot != NULL ) { + PK11_FreeSlot( ctxDst->slot ) ; + ctxDst->slot = NULL ; + } + } + + if( ctxSrc->symkey != NULL ) { + if( ctxDst->symkey != NULL && ctxDst->symkey != ctxSrc->symkey ) { + PK11_FreeSymKey( ctxDst->symkey ) ; + ctxDst->symkey = NULL ; + } + + if( ctxDst->symkey == NULL && ctxSrc->symkey != NULL ) + ctxDst->symkey = PK11_ReferenceSymKey( ctxSrc->symkey ) ; + } else { + if( ctxDst->symkey != NULL ) { + PK11_FreeSymKey( ctxDst->symkey ) ; + ctxDst->symkey = NULL ; + } + } + + return(0); } static void xmlSecNssSymKeyDataFinalize(xmlSecKeyDataPtr data) { + xmlSecNssSymKeyDataCtxPtr ctx; + xmlSecAssert(xmlSecNssSymKeyDataCheckId(data)); - - xmlSecKeyDataBinaryValueFinalize(data); + xmlSecAssert(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize)); + + ctx = xmlSecNssSymKeyDataGetCtx(data); + xmlSecAssert(ctx != NULL); + + if( ctx->slot != NULL ) { + PK11_FreeSlot( ctx->slot ) ; + ctx->slot = NULL ; + } + + if( ctx->symkey != NULL ) { + PK11_FreeSymKey( ctx->symkey ) ; + ctx->symkey = NULL ; + } + + ctx->cipher = CKM_INVALID_MECHANISM ; } static int xmlSecNssSymKeyDataXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { - xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); + PK11SymKey* symKey ; + PK11SlotInfo* slot ; + xmlSecBufferPtr keyBuf; + xmlSecSize len; + xmlSecKeyDataPtr data; + xmlSecNssSymKeyDataCtxPtr ctx; + SECItem keyItem ; + int ret; + + xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1); + xmlSecAssert2(key != NULL, -1); + xmlSecAssert2(node != NULL, -1); + xmlSecAssert2(keyInfoCtx != NULL, -1); + + /* Create a new KeyData from a id */ + data = xmlSecKeyDataCreate(id); + if(data == NULL ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeyDataCreate", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + ctx = xmlSecNssSymKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, -1); + + /* Create a buffer for raw symmetric key value */ + if( ( keyBuf = xmlSecBufferCreate( 128 ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecBufferCreate" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + /* Read the raw key value */ + if( xmlSecBufferBase64NodeContentRead( keyBuf , node ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + xmlSecErrorsSafeString(xmlSecNodeGetName(node)), + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecBufferDestroy( keyBuf ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + /* Get slot */ + slot = xmlSecNssSlotGet(ctx->cipher); + if( slot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecNssSlotGet" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + xmlSecBufferDestroy( keyBuf ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + /* Wrap the raw key value SECItem */ + keyItem.type = siBuffer ; + keyItem.data = xmlSecBufferGetData( keyBuf ) ; + keyItem.len = xmlSecBufferGetSize( keyBuf ) ; + + /* Import the raw key into slot temporalily and get the key handler*/ + symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ; + if( symKey == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "PK11_ImportSymKey" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + PK11_FreeSlot( slot ) ; + xmlSecBufferDestroy( keyBuf ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + PK11_FreeSlot( slot ) ; + + /* raw key material has been copied into symKey, it isn't used any more */ + xmlSecBufferDestroy( keyBuf ) ; + + /* Adopt the symmetric key into key data */ + ret = xmlSecNssSymKeyDataAdoptKey(data, symKey); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeyDataBinaryValueSetBuffer", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + PK11_FreeSymKey( symKey ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1); + } + /* symKey has been duplicated into data, it isn't used any more */ + PK11_FreeSymKey( symKey ) ; + + /* Check value */ + if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeyReqMatchKeyValue", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + xmlSecKeyDataDestroy( data ) ; + return(0); + } - return(xmlSecKeyDataBinaryValueXmlRead(id, key, node, keyInfoCtx)); + ret = xmlSecKeySetValue(key, data); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeySetValue", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + xmlSecKeyDataDestroy( data ) ; + return(-1); + } + + return(0); } static int xmlSecNssSymKeyDataXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { + PK11SymKey* symKey ; + xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); - - return(xmlSecKeyDataBinaryValueXmlWrite(id, key, node, keyInfoCtx)); + xmlSecAssert2(key != NULL, -1); + xmlSecAssert2(node != NULL, -1); + xmlSecAssert2(keyInfoCtx != NULL, -1); + + /* Get symmetric key from "key" */ + symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); + if( symKey != NULL ) { + SECItem* keyItem ; + xmlSecBufferPtr keyBuf ; + + /* Extract raw key data from symmetric key */ + if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "PK11_ExtractKeyValue", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + PK11_FreeSymKey( symKey ) ; + return(-1); + } + + /* Get raw key data from "symKey" */ + keyItem = PK11_GetKeyData( symKey ) ; + if(keyItem == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "PK11_GetKeyData", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + PK11_FreeSymKey( symKey ) ; + return(-1); + } + + /* Create key data buffer with raw kwy material */ + keyBuf = xmlSecBufferCreate(keyItem->len) ; + if(keyBuf == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecBufferCreate", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + PK11_FreeSymKey( symKey ) ; + return(-1); + } + + xmlSecBufferSetData( keyBuf , keyItem->data , keyItem->len ) ; + + /* Write raw key material into current xml node */ + if( xmlSecBufferBase64NodeContentWrite( keyBuf, node, XMLSEC_BASE64_LINESIZE ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecBufferBase64NodeContentWrite", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + xmlSecBufferDestroy(keyBuf); + PK11_FreeSymKey( symKey ) ; + return(-1); + } + xmlSecBufferDestroy(keyBuf); + PK11_FreeSymKey( symKey ) ; + } + + return 0 ; } static int xmlSecNssSymKeyDataBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key, const xmlSecByte* buf, xmlSecSize bufSize, xmlSecKeyInfoCtxPtr keyInfoCtx) { - xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); + PK11SymKey* symKey ; + PK11SlotInfo* slot ; + xmlSecKeyDataPtr data; + xmlSecNssSymKeyDataCtxPtr ctx; + SECItem keyItem ; + int ret; + + xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1); + xmlSecAssert2(key != NULL, -1); + xmlSecAssert2(buf != NULL, -1); + xmlSecAssert2(bufSize != 0, -1); + xmlSecAssert2(keyInfoCtx != NULL, -1); + + /* Create a new KeyData from a id */ + data = xmlSecKeyDataCreate(id); + if(data == NULL ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeyDataCreate", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + ctx = xmlSecNssSymKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, -1); + + /* Get slot */ + slot = xmlSecNssSlotGet(ctx->cipher); + if( slot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecNssSlotGet" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + /* Wrap the raw key value SECItem */ + keyItem.type = siBuffer ; + keyItem.data = buf ; + keyItem.len = bufSize ; + + /* Import the raw key into slot temporalily and get the key handler*/ + symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ; + if( symKey == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "PK11_ImportSymKey" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + PK11_FreeSlot( slot ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1) ; + } + + /* Adopt the symmetric key into key data */ + ret = xmlSecNssSymKeyDataAdoptKey(data, symKey); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeyDataBinaryValueSetBuffer", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE ) ; + PK11_FreeSymKey( symKey ) ; + PK11_FreeSlot( slot ) ; + xmlSecKeyDataDestroy( data ) ; + return(-1); + } + /* symKey has been duplicated into data, it isn't used any more */ + PK11_FreeSymKey( symKey ) ; + PK11_FreeSlot( slot ) ; + + /* Check value */ + if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeyReqMatchKeyValue", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + xmlSecKeyDataDestroy( data ) ; + return(0); + } - return(xmlSecKeyDataBinaryValueBinRead(id, key, buf, bufSize, keyInfoCtx)); + ret = xmlSecKeySetValue(key, data); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecKeySetValue", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + xmlSecKeyDataDestroy( data ) ; + return(-1); + } + + return(0); } static int xmlSecNssSymKeyDataBinWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecByte** buf, xmlSecSize* bufSize, xmlSecKeyInfoCtxPtr keyInfoCtx) { + PK11SymKey* symKey ; + xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); + xmlSecAssert2(key != NULL, -1); + xmlSecAssert2(buf != NULL, -1); + xmlSecAssert2(bufSize != 0, -1); + xmlSecAssert2(keyInfoCtx != NULL, -1); + + /* Get symmetric key from "key" */ + symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); + if( symKey != NULL ) { + SECItem* keyItem ; + + /* Extract raw key data from symmetric key */ + if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "PK11_ExtractKeyValue", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + PK11_FreeSymKey( symKey ) ; + return(-1); + } + + /* Get raw key data from "symKey" */ + keyItem = PK11_GetKeyData( symKey ) ; + if(keyItem == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "PK11_GetKeyData", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + PK11_FreeSymKey( symKey ) ; + return(-1); + } + + *bufSize = keyItem->len; + *buf = ( xmlSecByte* )xmlMalloc( *bufSize ); + if( *buf == NULL ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + NULL, + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + PK11_FreeSymKey( symKey ) ; + return(-1); + } + + memcpy((*buf), keyItem->data, (*bufSize)); + PK11_FreeSymKey( symKey ) ; + } - return(xmlSecKeyDataBinaryValueBinWrite(id, key, buf, bufSize, keyInfoCtx)); + return 0 ; } static int xmlSecNssSymKeyDataGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlSecKeyDataType type ATTRIBUTE_UNUSED) { - xmlSecBufferPtr buffer; + PK11SymKey* symkey ; + PK11SlotInfo* slot ; + xmlSecNssSymKeyDataCtxPtr ctx; + int ret; xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1); xmlSecAssert2(sizeBits > 0, -1); - buffer = xmlSecKeyDataBinaryValueGetBuffer(data); - xmlSecAssert2(buffer != NULL, -1); - - return(xmlSecNssGenerateRandom(buffer, (sizeBits + 7) / 8)); + ctx = xmlSecNssSymKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, -1); + + if( sizeBits % 8 != 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + NULL, + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "Symmetric key size must be octuple"); + return(-1); + } + + /* Get slot */ + slot = xmlSecNssSlotGet(ctx->cipher); + if( slot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "xmlSecNssSlotGet" , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1) ; + } + + if( PK11_Authenticate( slot, PR_FALSE , NULL ) != SECSuccess ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , + "PK11_Authenticate" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + PK11_FreeSlot( slot ) ; + return -1 ; + } + + symkey = PK11_KeyGen( slot , ctx->cipher , NULL , sizeBits/8 , NULL ) ; + if( symkey == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , + "PK11_KeyGen" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + PK11_FreeSlot( slot ) ; + return -1 ; + } + + if( ctx->slot != NULL ) { + PK11_FreeSlot( ctx->slot ) ; + ctx->slot = NULL ; + } + ctx->slot = slot ; + + if( ctx->symkey != NULL ) { + PK11_FreeSymKey( ctx->symkey ) ; + ctx->symkey = NULL ; + } + ctx->symkey = symkey ; + + return 0; } static xmlSecKeyDataType xmlSecNssSymKeyDataGetType(xmlSecKeyDataPtr data) { - xmlSecBufferPtr buffer; + xmlSecNssSymKeyDataCtxPtr context = NULL ; + xmlSecKeyDataType type = xmlSecKeyDataTypeUnknown ; xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), xmlSecKeyDataTypeUnknown); + xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), xmlSecKeyDataTypeUnknown ) ; - buffer = xmlSecKeyDataBinaryValueGetBuffer(data); - xmlSecAssert2(buffer != NULL, xmlSecKeyDataTypeUnknown); + context = xmlSecNssSymKeyDataGetCtx( data ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , + "xmlSecNssSymKeyDataGetCtx" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return xmlSecKeyDataTypeUnknown ; + } - return((xmlSecBufferGetSize(buffer) > 0) ? xmlSecKeyDataTypeSymmetric : xmlSecKeyDataTypeUnknown); + if( context->symkey != NULL ) { + type |= xmlSecKeyDataTypeSymmetric ; + } else { + type |= xmlSecKeyDataTypeUnknown ; + } + + return type ; } static xmlSecSize xmlSecNssSymKeyDataGetSize(xmlSecKeyDataPtr data) { + xmlSecNssSymKeyDataCtxPtr context ; + unsigned int length = 0 ; + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), 0); + xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), 0 ) ; + context = xmlSecNssSymKeyDataGetCtx( data ) ; + if( context == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , + "xmlSecNssSymKeyDataGetCtx" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return 0 ; + } + + if( context->symkey != NULL ) { + length = PK11_GetKeyLength( context->symkey ) ; + length *= 8 ; + } - return(xmlSecKeyDataBinaryValueGetSize(data)); + return length ; } static void xmlSecNssSymKeyDataDebugDump(xmlSecKeyDataPtr data, FILE* output) { xmlSecAssert(xmlSecNssSymKeyDataCheckId(data)); - xmlSecKeyDataBinaryValueDebugDump(data, output); + /* print only size, everything else is sensitive */ + fprintf( output , "=== %s: size=%d\n" , data->id->dataNodeName , + xmlSecKeyDataGetSize(data)) ; } static void xmlSecNssSymKeyDataDebugXmlDump(xmlSecKeyDataPtr data, FILE* output) { xmlSecAssert(xmlSecNssSymKeyDataCheckId(data)); - - xmlSecKeyDataBinaryValueDebugXmlDump(data, output); + + /* print only size, everything else is sensitive */ + fprintf( output , "<%s size=\"%d\" />\n" , data->id->dataNodeName , + xmlSecKeyDataGetSize(data)) ; } static int @@ -201,7 +858,7 @@ *************************************************************************/ static xmlSecKeyDataKlass xmlSecNssKeyDataAesKlass = { sizeof(xmlSecKeyDataKlass), - xmlSecKeyDataBinarySize, + xmlSecNssSymKeyDataSize, /* data */ xmlSecNameAESKeyValue, @@ -282,7 +939,7 @@ *************************************************************************/ static xmlSecKeyDataKlass xmlSecNssKeyDataDesKlass = { sizeof(xmlSecKeyDataKlass), - xmlSecKeyDataBinarySize, + xmlSecNssSymKeyDataSize, /* data */ xmlSecNameDESKeyValue, @@ -364,7 +1021,7 @@ *************************************************************************/ static xmlSecKeyDataKlass xmlSecNssKeyDataHmacKlass = { sizeof(xmlSecKeyDataKlass), - xmlSecKeyDataBinarySize, + xmlSecNssSymKeyDataSize, /* data */ xmlSecNameHMACKeyValue, --- misc/xmlsec1-1.2.12/src/nss/tokens.c 2009-09-21 14:07:19.249145861 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/tokens.c 2009-09-21 14:02:48.556772442 +0200 @@ -1 +1,548 @@ -dummy +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright.................................. + * + * Contributor(s): _____________________________ + * + */ + +/** + * In order to ensure that particular crypto operation is performed on + * particular crypto device, a subclass of xmlSecList is used to store slot and + * mechanism information. + * + * In the list, a slot is bound with a mechanism. If the mechanism is available, + * this mechanism only can perform on the slot; otherwise, it can perform on + * every eligibl slot in the list. + * + * When try to find a slot for a particular mechanism, the slot bound with + * avaliable mechanism will be looked up firstly. + */ +#include "globals.h" +#include + +#include +#include +#include + +#include + +int +xmlSecNssKeySlotSetMechList( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE_PTR mechanismList +) { + int counter ; + + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( keySlot->mechanismList != CK_NULL_PTR ) { + xmlFree( keySlot->mechanismList ) ; + + for( counter = 0 ; *( mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; + keySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; + if( keySlot->mechanismList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + for( ; counter >= 0 ; counter -- ) + *( keySlot->mechanismList + counter ) = *( mechanismList + counter ) ; + } + + return( 0 ); +} + +int +xmlSecNssKeySlotEnableMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE mechanism +) { + int counter ; + CK_MECHANISM_TYPE_PTR newList ; + + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( mechanism != CKM_INVALID_MECHANISM ) { + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; + newList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; + if( newList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + *( newList + counter + 1 ) = CKM_INVALID_MECHANISM ; + *( newList + counter ) = mechanism ; + for( counter -= 1 ; counter >= 0 ; counter -- ) + *( newList + counter ) = *( keySlot->mechanismList + counter ) ; + + xmlFree( keySlot->mechanismList ) ; + keySlot->mechanismList = newList ; + } + + return(0); +} + +int +xmlSecNssKeySlotDisableMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE mechanism +) { + int counter ; + + xmlSecAssert2( keySlot != NULL , -1 ) ; + + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { + if( *( keySlot->mechanismList + counter ) == mechanism ) { + for( ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { + *( keySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter + 1 ) ; + } + + break ; + } + } + + return(0); +} + +CK_MECHANISM_TYPE_PTR +xmlSecNssKeySlotGetMechList( + xmlSecNssKeySlotPtr keySlot +) { + if( keySlot != NULL ) + return keySlot->mechanismList ; + else + return NULL ; +} + +int +xmlSecNssKeySlotSetSlot( + xmlSecNssKeySlotPtr keySlot , + PK11SlotInfo* slot +) { + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( slot != NULL && keySlot->slot != slot ) { + if( keySlot->slot != NULL ) + PK11_FreeSlot( keySlot->slot ) ; + + if( keySlot->mechanismList != NULL ) { + xmlFree( keySlot->mechanismList ) ; + keySlot->mechanismList = NULL ; + } + + keySlot->slot = PK11_ReferenceSlot( slot ) ; + } + + return(0); +} + +int +xmlSecNssKeySlotInitialize( + xmlSecNssKeySlotPtr keySlot , + PK11SlotInfo* slot +) { + xmlSecAssert2( keySlot != NULL , -1 ) ; + xmlSecAssert2( keySlot->slot == NULL , -1 ) ; + xmlSecAssert2( keySlot->mechanismList == NULL , -1 ) ; + + if( slot != NULL ) { + keySlot->slot = PK11_ReferenceSlot( slot ) ; + } + + return(0); +} + +void +xmlSecNssKeySlotFinalize( + xmlSecNssKeySlotPtr keySlot +) { + xmlSecAssert( keySlot != NULL ) ; + + if( keySlot->mechanismList != NULL ) { + xmlFree( keySlot->mechanismList ) ; + keySlot->mechanismList = NULL ; + } + + if( keySlot->slot != NULL ) { + PK11_FreeSlot( keySlot->slot ) ; + keySlot->slot = NULL ; + } + +} + +PK11SlotInfo* +xmlSecNssKeySlotGetSlot( + xmlSecNssKeySlotPtr keySlot +) { + if( keySlot != NULL ) + return keySlot->slot ; + else + return NULL ; +} + +xmlSecNssKeySlotPtr +xmlSecNssKeySlotCreate() { + xmlSecNssKeySlotPtr keySlot ; + + /* Allocates a new xmlSecNssKeySlot and fill the fields */ + keySlot = ( xmlSecNssKeySlotPtr )xmlMalloc( sizeof( xmlSecNssKeySlot ) ) ; + if( keySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( NULL ); + } + memset( keySlot, 0, sizeof( xmlSecNssKeySlot ) ) ; + + return( keySlot ) ; +} + +int +xmlSecNssKeySlotCopy( + xmlSecNssKeySlotPtr newKeySlot , + xmlSecNssKeySlotPtr keySlot +) { + CK_MECHANISM_TYPE_PTR mech ; + int counter ; + + xmlSecAssert2( newKeySlot != NULL , -1 ) ; + xmlSecAssert2( keySlot != NULL , -1 ) ; + + if( keySlot->slot != NULL && newKeySlot->slot != keySlot->slot ) { + if( newKeySlot->slot != NULL ) + PK11_FreeSlot( newKeySlot->slot ) ; + + newKeySlot->slot = PK11_ReferenceSlot( keySlot->slot ) ; + } + + if( keySlot->mechanismList != CK_NULL_PTR ) { + xmlFree( newKeySlot->mechanismList ) ; + + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; + newKeySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; + if( newKeySlot->mechanismList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + for( ; counter >= 0 ; counter -- ) + *( newKeySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter ) ; + } + + return( 0 ); +} + +xmlSecNssKeySlotPtr +xmlSecNssKeySlotDuplicate( + xmlSecNssKeySlotPtr keySlot +) { + xmlSecNssKeySlotPtr newKeySlot ; + int ret ; + + xmlSecAssert2( keySlot != NULL , NULL ) ; + + newKeySlot = xmlSecNssKeySlotCreate() ; + if( newKeySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( NULL ); + } + + if( xmlSecNssKeySlotCopy( newKeySlot, keySlot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( NULL ); + } + + return( newKeySlot ); +} + +void +xmlSecNssKeySlotDestroy( + xmlSecNssKeySlotPtr keySlot +) { + xmlSecAssert( keySlot != NULL ) ; + + if( keySlot->mechanismList != NULL ) + xmlFree( keySlot->mechanismList ) ; + + if( keySlot->slot != NULL ) + PK11_FreeSlot( keySlot->slot ) ; + + xmlFree( keySlot ) ; +} + +int +xmlSecNssKeySlotBindMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE type +) { + int counter ; + + xmlSecAssert2( keySlot != NULL , 0 ) ; + xmlSecAssert2( keySlot->slot != NULL , 0 ) ; + xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ; + + for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { + if( *( keySlot->mechanismList + counter ) == type ) + return(1) ; + } + + return( 0 ) ; +} + +int +xmlSecNssKeySlotSupportMech( + xmlSecNssKeySlotPtr keySlot , + CK_MECHANISM_TYPE type +) { + xmlSecAssert2( keySlot != NULL , 0 ) ; + xmlSecAssert2( keySlot->slot != NULL , 0 ) ; + xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ; + + if( PK11_DoesMechanism( keySlot->slot , type ) == PR_TRUE ) { + return(1); + } else + return(0); +} + +void +xmlSecNssKeySlotDebugDump( + xmlSecNssKeySlotPtr keySlot , + FILE* output +) { + xmlSecAssert( keySlot != NULL ) ; + xmlSecAssert( output != NULL ) ; + + fprintf( output, "== KEY SLOT\n" ); +} + +void +xmlSecNssKeySlotDebugXmlDump( + xmlSecNssKeySlotPtr keySlot , + FILE* output +) { +} + +/** + * Key Slot List + */ +#ifdef __MINGW32__ // for runtime-pseudo-reloc +static struct _xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = { +#else +static xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = { +#endif + BAD_CAST "mechanism-list", + (xmlSecPtrDuplicateItemMethod)xmlSecNssKeySlotDuplicate, + (xmlSecPtrDestroyItemMethod)xmlSecNssKeySlotDestroy, + (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugDump, + (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugXmlDump, +}; + +xmlSecPtrListId +xmlSecNssKeySlotListGetKlass(void) { + return(&xmlSecNssKeySlotPtrListKlass); +} + + +/*- + * Global PKCS#11 crypto token repository -- Key slot list + */ +static xmlSecPtrListPtr _xmlSecNssKeySlotList = NULL ; + +PK11SlotInfo* +xmlSecNssSlotGet( + CK_MECHANISM_TYPE type +) { + PK11SlotInfo* slot = NULL ; + xmlSecNssKeySlotPtr keySlot ; + xmlSecSize ksSize ; + xmlSecSize ksPos ; + char flag ; + + if( _xmlSecNssKeySlotList == NULL ) { + slot = PK11_GetBestSlot( type , NULL ) ; + } else { + ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ; + + /*- + * Firstly, checking whether the mechanism is bound with a special slot. + * If no bound slot, we try to find the first eligible slot in the list. + */ + for( flag = 0, ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) { + keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ; + if( keySlot != NULL && xmlSecNssKeySlotBindMech( keySlot, type ) ) { + slot = xmlSecNssKeySlotGetSlot( keySlot ) ; + flag = 2 ; + } else if( flag == 0 && xmlSecNssKeySlotSupportMech( keySlot, type ) ) { + slot = xmlSecNssKeySlotGetSlot( keySlot ) ; + flag = 1 ; + } + + if( flag == 2 ) + break ; + } + if( slot != NULL ) + slot = PK11_ReferenceSlot( slot ) ; + } + + if( slot != NULL && PK11_NeedLogin( slot ) ) { + if( PK11_Authenticate( slot , PR_TRUE , NULL ) != SECSuccess ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + PK11_FreeSlot( slot ) ; + return( NULL ); + } + } + + return slot ; +} + +int +xmlSecNssSlotInitialize( + void +) { + if( _xmlSecNssKeySlotList != NULL ) { + xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ; + _xmlSecNssKeySlotList = NULL ; + } + + _xmlSecNssKeySlotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ; + if( _xmlSecNssKeySlotList == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return( -1 ); + } + + return(0); +} + +void +xmlSecNssSlotShutdown( + void +) { + if( _xmlSecNssKeySlotList != NULL ) { + xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ; + _xmlSecNssKeySlotList = NULL ; + } +} + +int +xmlSecNssSlotAdopt( + PK11SlotInfo* slot, + CK_MECHANISM_TYPE type +) { + xmlSecNssKeySlotPtr keySlot ; + xmlSecSize ksSize ; + xmlSecSize ksPos ; + char flag ; + + xmlSecAssert2( _xmlSecNssKeySlotList != NULL, -1 ) ; + xmlSecAssert2( slot != NULL, -1 ) ; + + ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ; + + /*- + * Firstly, checking whether the slot is in the repository already. + */ + flag = 0 ; + for( ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) { + keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ; + /* If find the slot in the list */ + if( keySlot != NULL && xmlSecNssKeySlotGetSlot( keySlot ) == slot ) { + /* If mechnism type is valid, bind the slot with the mechanism */ + if( type != CKM_INVALID_MECHANISM ) { + if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + } + + flag = 1 ; + } + } + + /* If the slot do not in the list, add a new item to the list */ + if( flag == 0 ) { + /* Create a new KeySlot */ + keySlot = xmlSecNssKeySlotCreate() ; + if( keySlot == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return(-1); + } + + /* Initialize the keySlot with a slot */ + if( xmlSecNssKeySlotInitialize( keySlot, slot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return(-1); + } + + /* If mechnism type is valid, bind the slot with the mechanism */ + if( type != CKM_INVALID_MECHANISM ) { + if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return(-1); + } + } + + /* Add keySlot into the list */ + if( xmlSecPtrListAdd( _xmlSecNssKeySlotList, keySlot ) < 0 ) { + xmlSecError( XMLSEC_ERRORS_HERE , + NULL , + NULL , + XMLSEC_ERRORS_R_XMLSEC_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecNssKeySlotDestroy( keySlot ) ; + return(-1); + } + } + + return(0); +} + --- misc/xmlsec1-1.2.12/src/nss/x509.c 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/x509.c 2009-09-21 14:02:48.642312431 +0200 @@ -34,7 +34,6 @@ #include #include #include -#include #include #include @@ -61,33 +60,18 @@ static int xmlSecNssX509CertificateNodeRead (xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx); -static int xmlSecNssX509CertificateNodeWrite (CERTCertificate* cert, - xmlNodePtr node, - xmlSecKeyInfoCtxPtr keyInfoCtx); static int xmlSecNssX509SubjectNameNodeRead (xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx); -static int xmlSecNssX509SubjectNameNodeWrite (CERTCertificate* cert, - xmlNodePtr node, - xmlSecKeyInfoCtxPtr keyInfoCtx); static int xmlSecNssX509IssuerSerialNodeRead (xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx); -static int xmlSecNssX509IssuerSerialNodeWrite (CERTCertificate* cert, - xmlNodePtr node, - xmlSecKeyInfoCtxPtr keyInfoCtx); static int xmlSecNssX509SKINodeRead (xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx); -static int xmlSecNssX509SKINodeWrite (CERTCertificate* cert, - xmlNodePtr node, - xmlSecKeyInfoCtxPtr keyInfoCtx); static int xmlSecNssX509CRLNodeRead (xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx); -static int xmlSecNssX509CRLNodeWrite (CERTSignedCrl* crl, - xmlNodePtr node, - xmlSecKeyInfoCtxPtr keyInfoCtx); static int xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key, xmlSecKeyInfoCtxPtr keyInfoCtx); @@ -104,9 +88,6 @@ xmlSecKeyInfoCtxPtr keyInfoCtx); static xmlChar* xmlSecNssX509CrlBase64DerWrite (CERTSignedCrl* crl, int base64LineWrap); -static xmlChar* xmlSecNssX509NameWrite (CERTName* nm); -static xmlChar* xmlSecNssASN1IntegerWrite (SECItem *num); -static xmlChar* xmlSecNssX509SKIWrite (CERTCertificate* cert); static void xmlSecNssX509CertDebugDump (CERTCertificate* cert, FILE* output); static void xmlSecNssX509CertDebugXmlDump (CERTCertificate* cert, @@ -752,31 +733,22 @@ xmlSecNssKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { xmlSecKeyDataPtr data; + xmlNodePtr cur; + xmlChar* buf; CERTCertificate* cert; CERTSignedCrl* crl; xmlSecSize size, pos; - int content = 0; - int ret; xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1); xmlSecAssert2(key != NULL, -1); xmlSecAssert2(node != NULL, -1); xmlSecAssert2(keyInfoCtx != NULL, -1); - content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx); - if (content < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "xmlSecX509DataGetNodeContent", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "content=%d", content); - return(-1); - } else if(content == 0) { - /* by default we are writing certificates and crls */ - content = XMLSEC_X509DATA_DEFAULT; + /* todo: flag in ctx remove all existing content */ + if(0) { + xmlNodeSetContent(node, NULL); } - /* get x509 data */ data = xmlSecKeyGetData(key, id); if(data == NULL) { /* no x509 data in the key */ @@ -796,79 +768,74 @@ return(-1); } - if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) { - ret = xmlSecNssX509CertificateNodeWrite(cert, node, keyInfoCtx); - if(ret < 0) { + /* set base64 lines size from context */ + buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); + if(buf == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "xmlSecNssX509CertificateNodeWrite", + "xmlSecNssX509CertBase64DerWrite", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%d", pos); + XMLSEC_ERRORS_NO_MESSAGE); return(-1); - } } - if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) { - ret = xmlSecNssX509SubjectNameNodeWrite(cert, node, keyInfoCtx); - if(ret < 0) { + cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs); + if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "xmlSecNssX509SubjectNameNodeWrite", + "xmlSecAddChild", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%d", pos); + "node=%s", + xmlSecErrorsSafeString(xmlSecNodeX509Certificate)); + xmlFree(buf); return(-1); - } } + /* todo: add \n around base64 data - from context */ + /* todo: add errors check */ + xmlNodeSetContent(cur, xmlSecStringCR); + xmlNodeSetContent(cur, buf); + xmlFree(buf); + } - if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) { - ret = xmlSecNssX509IssuerSerialNodeWrite(cert, node, keyInfoCtx); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "xmlSecNssX509IssuerSerialNodeWrite", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%d", pos); - return(-1); - } + /* write crls */ + size = xmlSecNssKeyDataX509GetCrlsSize(data); + for(pos = 0; pos < size; ++pos) { + crl = xmlSecNssKeyDataX509GetCrl(data, pos); + if(crl == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecNssKeyDataX509GetCrl", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "pos=%d", pos); + return(-1); } - if((content & XMLSEC_X509DATA_SKI_NODE) != 0) { - ret = xmlSecNssX509SKINodeWrite(cert, node, keyInfoCtx); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "xmlSecNssX509SKINodeWrite", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%d", pos); - return(-1); - } + /* set base64 lines size from context */ + buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize); + if(buf == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecNssX509CrlBase64DerWrite", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); } - } - /* write crls if needed */ - if((content & XMLSEC_X509DATA_CRL_NODE) != 0) { - size = xmlSecNssKeyDataX509GetCrlsSize(data); - for(pos = 0; pos < size; ++pos) { - crl = xmlSecNssKeyDataX509GetCrl(data, pos); - if(crl == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "xmlSecNssKeyDataX509GetCrl", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%d", pos); - return(-1); - } - - ret = xmlSecNssX509CRLNodeWrite(crl, node, keyInfoCtx); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), - "xmlSecNssX509CRLNodeWrite", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "pos=%d", pos); - return(-1); - } - } + cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs); + if(cur == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), + "xmlSecAddChild", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "new_node=%s", + xmlSecErrorsSafeString(xmlSecNodeX509CRL)); + xmlFree(buf); + return(-1); + } + /* todo: add \n around base64 data - from context */ + /* todo: add errors check */ + xmlNodeSetContent(cur, xmlSecStringCR); + xmlNodeSetContent(cur, buf); } return(0); @@ -1057,46 +1024,6 @@ return(0); } -static int -xmlSecNssX509CertificateNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { - xmlChar* buf; - xmlNodePtr cur; - - xmlSecAssert2(cert != NULL, -1); - xmlSecAssert2(node != NULL, -1); - xmlSecAssert2(keyInfoCtx != NULL, -1); - - /* set base64 lines size from context */ - buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); - if(buf == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509CertBase64DerWrite", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - - cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs); - if(cur == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecAddChild", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "node=%s", - xmlSecErrorsSafeString(xmlSecNodeX509Certificate)); - xmlFree(buf); - return(-1); - } - - /* todo: add \n around base64 data - from context */ - /* todo: add errors check */ - xmlNodeSetContent(cur, xmlSecStringCR); - xmlNodeSetContent(cur, buf); - xmlFree(buf); - return(0); -} - static int xmlSecNssX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { xmlSecKeyDataStorePtr x509Store; @@ -1120,19 +1047,13 @@ } subject = xmlNodeGetContent(node); - if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) { - if(subject != NULL) { - xmlFree(subject); - } - if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { + if(subject == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), xmlSecErrorsSafeString(xmlSecNodeGetName(node)), XMLSEC_ERRORS_R_INVALID_NODE_CONTENT, XMLSEC_ERRORS_NO_MESSAGE); return(-1); - } - return(0); } cert = xmlSecNssX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx); @@ -1169,40 +1090,6 @@ return(0); } -static int -xmlSecNssX509SubjectNameNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) { - xmlChar* buf = NULL; - xmlNodePtr cur = NULL; - - xmlSecAssert2(cert != NULL, -1); - xmlSecAssert2(node != NULL, -1); - - buf = xmlSecNssX509NameWrite(&(cert->subject)); - if(buf == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509NameWrite(&(cert->subject))", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - - cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs); - if(cur == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecAddChild", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "node=%s", - xmlSecErrorsSafeString(xmlSecNodeX509SubjectName)); - xmlFree(buf); - return(-1); - } - xmlSecNodeEncodeAndSetContent(cur, buf); - xmlFree(buf); - return(0); -} - static int xmlSecNssX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { xmlSecKeyDataStorePtr x509Store; @@ -1228,21 +1115,9 @@ } cur = xmlSecGetNextElementNode(node->children); - if(cur == NULL) { - if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), - xmlSecErrorsSafeString(xmlSecNodeX509IssuerName), - XMLSEC_ERRORS_R_NODE_NOT_FOUND, - "node=%s", - xmlSecErrorsSafeString(xmlSecNodeGetName(cur))); - return(-1); - } - return(0); - } /* the first is required node X509IssuerName */ - if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) { + if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), xmlSecErrorsSafeString(xmlSecNodeX509IssuerName), @@ -1336,78 +1211,6 @@ return(0); } -static int -xmlSecNssX509IssuerSerialNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) { - xmlNodePtr cur; - xmlNodePtr issuerNameNode; - xmlNodePtr issuerNumberNode; - xmlChar* buf; - - xmlSecAssert2(cert != NULL, -1); - xmlSecAssert2(node != NULL, -1); - - /* create xml nodes */ - cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs); - if(cur == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecAddChild", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "node=%s", - xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial)); - return(-1); - } - - issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs); - if(issuerNameNode == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecAddChild", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "node=%s", - xmlSecErrorsSafeString(xmlSecNodeX509IssuerName)); - return(-1); - } - - issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs); - if(issuerNumberNode == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecAddChild", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "node=%s", - xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber)); - return(-1); - } - - /* write data */ - buf = xmlSecNssX509NameWrite(&(cert->issuer)); - if(buf == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509NameWrite(&(cert->issuer))", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - xmlSecNodeEncodeAndSetContent(issuerNameNode, buf); - xmlFree(buf); - - buf = xmlSecNssASN1IntegerWrite(&(cert->serialNumber)); - if(buf == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssASN1IntegerWrite(&(cert->serialNumber))", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - xmlNodeSetContent(issuerNumberNode, buf); - xmlFree(buf); - - return(0); -} - static int xmlSecNssX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { xmlSecKeyDataStorePtr x509Store; @@ -1431,11 +1234,7 @@ } ski = xmlNodeGetContent(node); - if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) { - if(ski != NULL) { - xmlFree(ski); - } - if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { + if(ski == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), xmlSecErrorsSafeString(xmlSecNodeGetName(node)), @@ -1443,8 +1242,6 @@ "node=%s", xmlSecErrorsSafeString(xmlSecNodeX509SKI)); return(-1); - } - return(0); } cert = xmlSecNssX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx); @@ -1479,41 +1276,6 @@ return(0); } -static int -xmlSecNssX509SKINodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) { - xmlChar *buf = NULL; - xmlNodePtr cur = NULL; - - xmlSecAssert2(cert != NULL, -1); - xmlSecAssert2(node != NULL, -1); - - buf = xmlSecNssX509SKIWrite(cert); - if(buf == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509SKIWrite", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - - cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs); - if(cur == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecAddChild", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "new_node=%s", - xmlSecErrorsSafeString(xmlSecNodeX509SKI)); - xmlFree(buf); - return(-1); - } - xmlSecNodeEncodeAndSetContent(cur, buf); - xmlFree(buf); - - return(0); -} - static int xmlSecNssX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { xmlChar *content; @@ -1524,19 +1286,13 @@ xmlSecAssert2(keyInfoCtx != NULL, -1); content = xmlNodeGetContent(node); - if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) { - if(content != NULL) { - xmlFree(content); - } - if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { + if(content == NULL){ xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), xmlSecErrorsSafeString(xmlSecNodeGetName(node)), XMLSEC_ERRORS_R_INVALID_NODE_CONTENT, XMLSEC_ERRORS_NO_MESSAGE); return(-1); - } - return(0); } crl = xmlSecNssX509CrlBase64DerRead(content, keyInfoCtx); @@ -1556,47 +1312,6 @@ } static int -xmlSecNssX509CRLNodeWrite(CERTSignedCrl* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { - xmlChar* buf = NULL; - xmlNodePtr cur = NULL; - - xmlSecAssert2(crl != NULL, -1); - xmlSecAssert2(node != NULL, -1); - xmlSecAssert2(keyInfoCtx != NULL, -1); - - /* set base64 lines size from context */ - buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize); - if(buf == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509CrlBase64DerWrite", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } - - cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs); - if(cur == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecAddChild", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "new_node=%s", - xmlSecErrorsSafeString(xmlSecNodeX509CRL)); - xmlFree(buf); - return(-1); - } - /* todo: add \n around base64 data - from context */ - /* todo: add errors check */ - xmlNodeSetContent(cur, xmlSecStringCR); - xmlNodeSetContent(cur, buf); - xmlFree(buf); - - return(0); -} - - -static int xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key, xmlSecKeyInfoCtxPtr keyInfoCtx) { xmlSecNssX509DataCtxPtr ctx; @@ -1604,6 +1319,10 @@ int ret; SECStatus status; PRTime notBefore, notAfter; + + PK11SlotInfo* slot ; + SECKEYPublicKey *pubKey = NULL; + SECKEYPrivateKey *priKey = NULL; xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1); xmlSecAssert2(key != NULL, -1); @@ -1636,10 +1355,14 @@ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), "CERT_DupCertificate", XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); return(-1); } - + + /*- + * Get Public key from cert, which does not always work for sign + * action. + * keyValue = xmlSecNssX509CertGetKey(ctx->keyCert); if(keyValue == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -1649,6 +1372,54 @@ XMLSEC_ERRORS_NO_MESSAGE); return(-1); } + */ + /*- + * I'll search key according to KeyReq. + */ + slot = cert->slot ; + if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) { + if( ( priKey = PK11_FindPrivateKeyFromCert( slot , cert , NULL ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , + "PK11_FindPrivateKeyFromCert" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + return -1 ; + } + } + + if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) { + if( ( pubKey = CERT_ExtractPublicKey( cert ) ) == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , + "CERT_ExtractPublicKey" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + + if( priKey != NULL ) + SECKEY_DestroyPrivateKey( priKey ) ; + return -1 ; + } + } + + keyValue = xmlSecNssPKIAdoptKey(priKey, pubKey); + if( keyValue == NULL ) { + xmlSecError( XMLSEC_ERRORS_HERE , + xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , + "xmlSecNssPKIAdoptKey" , + XMLSEC_ERRORS_R_CRYPTO_FAILED , + XMLSEC_ERRORS_NO_MESSAGE ) ; + + if( priKey != NULL ) + SECKEY_DestroyPrivateKey( priKey ) ; + + if( pubKey != NULL ) + SECKEY_DestroyPublicKey( pubKey ) ; + + return -1 ; + } + /* Modify keyValue get Done */ /* verify that the key matches our expectations */ if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) { @@ -1950,86 +1721,6 @@ return(res); } -static xmlChar* -xmlSecNssX509NameWrite(CERTName* nm) { - xmlChar *res = NULL; - char *str; - - xmlSecAssert2(nm != NULL, NULL); - - str = CERT_NameToAscii(nm); - if (str == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "CERT_NameToAscii", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(NULL); - } - - res = xmlStrdup(BAD_CAST str); - if(res == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlStrdup", - XMLSEC_ERRORS_R_MALLOC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - PORT_Free(str); - return(NULL); - } - PORT_Free(str); - return(res); -} - -static xmlChar* -xmlSecNssASN1IntegerWrite(SECItem *num) { - xmlChar *res = NULL; - - xmlSecAssert2(num != NULL, NULL); - - /* TODO : to be implemented after - * NSS bug http://bugzilla.mozilla.org/show_bug.cgi?id=212864 is fixed - */ - return(res); -} - -static xmlChar* -xmlSecNssX509SKIWrite(CERTCertificate* cert) { - xmlChar *res = NULL; - SECItem ski; - SECStatus rv; - - xmlSecAssert2(cert != NULL, NULL); - - memset(&ski, 0, sizeof(ski)); - - rv = CERT_FindSubjectKeyIDExtension(cert, &ski); - if (rv != SECSuccess) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "CERT_FindSubjectKeyIDExtension", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - SECITEM_FreeItem(&ski, PR_FALSE); - return(NULL); - } - - res = xmlSecBase64Encode(ski.data, ski.len, 0); - if(res == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecBase64Encode", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - SECITEM_FreeItem(&ski, PR_FALSE); - return(NULL); - } - SECITEM_FreeItem(&ski, PR_FALSE); - - return(res); -} - - static void xmlSecNssX509CertDebugDump(CERTCertificate* cert, FILE* output) { SECItem *sn; --- misc/xmlsec1-1.2.12/src/nss/x509vfy.c 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/src/nss/x509vfy.c 2009-09-21 14:02:48.669245207 +0200 @@ -30,6 +30,7 @@ #include #include #include +#include #include #include @@ -61,17 +62,7 @@ static int xmlSecNssX509StoreInitialize (xmlSecKeyDataStorePtr store); static void xmlSecNssX509StoreFinalize (xmlSecKeyDataStorePtr store); -static int xmlSecNssX509NameStringRead (xmlSecByte **str, - int *strLen, - xmlSecByte *res, - int resLen, - xmlSecByte delim, - int ingoreTrailingSpaces); -static xmlSecByte * xmlSecNssX509NameRead (xmlSecByte *str, - int len); - -static void xmlSecNssNumToItem(SECItem *it, unsigned long num); - +static int xmlSecNssIntegerToItem( const xmlChar* integer , SECItem *it ) ; static xmlSecKeyDataStoreKlass xmlSecNssX509StoreKlass = { sizeof(xmlSecKeyDataStoreKlass), @@ -343,40 +334,28 @@ xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName, xmlChar *issuerSerial, xmlChar *ski) { CERTCertificate *cert = NULL; - xmlChar *p = NULL; CERTName *name = NULL; SECItem *nameitem = NULL; PRArenaPool *arena = NULL; if (subjectName != NULL) { - p = xmlSecNssX509NameRead(subjectName, xmlStrlen(subjectName)); - if (p == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509NameRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "subject=%s", - xmlSecErrorsSafeString(subjectName)); - goto done; - } - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "PORT_NewArena", XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); goto done; } - name = CERT_AsciiToName((char*)p); + name = CERT_AsciiToName((char*)subjectName); if (name == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "CERT_AsciiToName", XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); goto done; } @@ -398,34 +377,23 @@ if((issuerName != NULL) && (issuerSerial != NULL)) { CERTIssuerAndSN issuerAndSN; - p = xmlSecNssX509NameRead(issuerName, xmlStrlen(issuerName)); - if (p == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509NameRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "issuer=%s", - xmlSecErrorsSafeString(issuerName)); - goto done; - } - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "PORT_NewArena", XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); goto done; } - name = CERT_AsciiToName((char*)p); + name = CERT_AsciiToName((char*)issuerName); if (name == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "CERT_AsciiToName", XMLSEC_ERRORS_R_XMLSEC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "error code=%d", PORT_GetError()); goto done; } @@ -445,8 +413,15 @@ issuerAndSN.derIssuer.data = nameitem->data; issuerAndSN.derIssuer.len = nameitem->len; - /* TBD: serial num can be arbitrarily long */ - xmlSecNssNumToItem(&issuerAndSN.serialNumber, PORT_Atoi((char *)issuerSerial)); + if( xmlSecNssIntegerToItem( issuerSerial, &issuerAndSN.serialNumber ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecNssIntegerToItem", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "serial number=%s", + xmlSecErrorsSafeString(issuerSerial)); + goto done; + } cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), &issuerAndSN); @@ -477,9 +452,6 @@ } done: - if (p != NULL) { - PORT_Free(p); - } if (arena != NULL) { PORT_FreeArena(arena, PR_FALSE); } @@ -490,226 +462,76 @@ return(cert); } -/** - * xmlSecNssX509NameRead: - */ -static xmlSecByte * -xmlSecNssX509NameRead(xmlSecByte *str, int len) { - xmlSecByte name[256]; - xmlSecByte value[256]; - xmlSecByte *retval = NULL; - xmlSecByte *p = NULL; - int nameLen, valueLen; +static int +xmlSecNssIntegerToItem( + const xmlChar* integer , + SECItem *item +) { + xmlSecBn bn ; + xmlSecSize i, length ; + const xmlSecByte* bnInteger ; - xmlSecAssert2(str != NULL, NULL); - - /* return string should be no longer than input string */ - retval = (xmlSecByte *)PORT_Alloc(len+1); - if(retval == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "PORT_Alloc", - XMLSEC_ERRORS_R_MALLOC_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(NULL); - } - p = retval; - - while(len > 0) { - /* skip spaces after comma or semicolon */ - while((len > 0) && isspace(*str)) { - ++str; --len; - } + xmlSecAssert2( integer != NULL, -1 ) ; + xmlSecAssert2( item != NULL, -1 ) ; - nameLen = xmlSecNssX509NameStringRead(&str, &len, name, sizeof(name), '=', 0); - if(nameLen < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, + if( xmlSecBnInitialize( &bn, 0 ) < 0 ) { + xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "xmlSecNssX509NameStringRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, + "xmlSecBnInitialize", + XMLSEC_ERRORS_R_INVALID_DATA, XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - memcpy(p, name, nameLen); - p+=nameLen; - *p++='='; - if(len > 0) { - ++str; --len; - if((*str) == '\"') { - valueLen = xmlSecNssX509NameStringRead(&str, &len, - value, sizeof(value), '"', 1); - if(valueLen < 0) { + return -1 ; + } + + if( xmlSecBnFromDecString( &bn, integer ) < 0 ) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "xmlSecNssX509NameStringRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, + "xmlSecBnFromDecString", + XMLSEC_ERRORS_R_INVALID_DATA, XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - /* skip spaces before comma or semicolon */ - while((len > 0) && isspace(*str)) { - ++str; --len; - } - if((len > 0) && ((*str) != ',')) { + xmlSecBnFinalize( &bn ) ; + return -1 ; + } + + length = xmlSecBnGetSize( &bn ) ; + if( length <= 0 ) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - NULL, + "xmlSecBnGetSize", XMLSEC_ERRORS_R_INVALID_DATA, - "comma is expected"); - goto done; - } - if(len > 0) { - ++str; --len; - } - *p++='\"'; - memcpy(p, value, valueLen); - p+=valueLen; - *p++='\"'; - } else if((*str) == '#') { - /* TODO: read octect values */ - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_DATA, - "reading octect values is not implemented yet"); - goto done; - } else { - valueLen = xmlSecNssX509NameStringRead(&str, &len, - value, sizeof(value), ',', 1); - if(valueLen < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "xmlSecNssX509NameStringRead", - XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - memcpy(p, value, valueLen); - p+=valueLen; - if (len > 0) - *p++=','; - } - } else { - valueLen = 0; - } - if(len > 0) { - ++str; --len; - } } - *p = 0; - return(retval); - -done: - PORT_Free(retval); - return (NULL); -} - - - -/** - * xmlSecNssX509NameStringRead: - */ -static int -xmlSecNssX509NameStringRead(xmlSecByte **str, int *strLen, - xmlSecByte *res, int resLen, - xmlSecByte delim, int ingoreTrailingSpaces) { - xmlSecByte *p, *q, *nonSpace; - - xmlSecAssert2(str != NULL, -1); - xmlSecAssert2(strLen != NULL, -1); - xmlSecAssert2(res != NULL, -1); - - p = (*str); - nonSpace = q = res; - while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) { - if((*p) != '\\') { - if(ingoreTrailingSpaces && !isspace(*p)) { - nonSpace = q; - } - *(q++) = *(p++); - } else { - ++p; - nonSpace = q; - if(xmlSecIsHex((*p))) { - if((p - (*str) + 1) >= (*strLen)) { + bnInteger = xmlSecBnGetData( &bn ) ; + if( bnInteger == NULL ) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - NULL, + "xmlSecBnGetData", XMLSEC_ERRORS_R_INVALID_DATA, - "two hex digits expected"); - return(-1); - } - *(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]); - p += 2; - } else { - if(((++p) - (*str)) >= (*strLen)) { + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBnFinalize( &bn ) ; + return -1 ; + } + + item->data = ( unsigned char * )PORT_Alloc( length ); + if( item->data == NULL ) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - NULL, + "PORT_Alloc", XMLSEC_ERRORS_R_INVALID_DATA, - "escaped symbol missed"); - return(-1); - } - *(q++) = *(p++); - } - } + XMLSEC_ERRORS_NO_MESSAGE ) ; + xmlSecBnFinalize( &bn ) ; + return -1 ; } - if(((p - (*str)) < (*strLen)) && ((*p) != delim)) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_SIZE, - "buffer is too small"); - return(-1); - } - (*strLen) -= (p - (*str)); - (*str) = p; - return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res); -} -/* code lifted from NSS */ -static void -xmlSecNssNumToItem(SECItem *it, unsigned long ui) -{ - unsigned char bb[5]; - int len; - - bb[0] = 0; - bb[1] = (unsigned char) (ui >> 24); - bb[2] = (unsigned char) (ui >> 16); - bb[3] = (unsigned char) (ui >> 8); - bb[4] = (unsigned char) (ui); - - /* - ** Small integers are encoded in a single byte. Larger integers - ** require progressively more space. - */ - if (ui > 0x7f) { - if (ui > 0x7fff) { - if (ui > 0x7fffffL) { - if (ui >= 0x80000000L) { - len = 5; - } else { - len = 4; - } - } else { - len = 3; - } - } else { - len = 2; - } - } else { - len = 1; - } + item->len = length; - it->data = (unsigned char *)PORT_Alloc(len); - if (it->data == NULL) { - return; - } + for( i = 0 ; i < length ; i ++ ) + item->data[i] = *( bnInteger + i ) ; + + xmlSecBnFinalize( &bn ) ; - it->len = len; - PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len); + return 0 ; } #endif /* XMLSEC_NO_X509 */ --- misc/xmlsec1-1.2.12/win32/Makefile.msvc 2009-06-25 22:53:18.000000000 +0200 +++ misc/build/xmlsec1-1.2.12/win32/Makefile.msvc 2009-09-21 14:02:48.607277908 +0200 @@ -223,6 +223,9 @@ $(XMLSEC_OPENSSL_INTDIR_A)\x509vfy.obj XMLSEC_NSS_OBJS = \ + $(XMLSEC_NSS_INTDIR)\akmngr.obj\ + $(XMLSEC_NSS_INTDIR)\keywrapers.obj\ + $(XMLSEC_NSS_INTDIR)\tokens.obj\ $(XMLSEC_NSS_INTDIR)\app.obj\ $(XMLSEC_NSS_INTDIR)\bignum.obj\ $(XMLSEC_NSS_INTDIR)\ciphers.obj \ @@ -258,6 +261,7 @@ $(XMLSEC_NSS_INTDIR_A)\strings.obj XMLSEC_MSCRYPTO_OBJS = \ + $(XMLSEC_MSCRYPTO_INTDIR)\akmngr.obj\ $(XMLSEC_MSCRYPTO_INTDIR)\app.obj\ $(XMLSEC_MSCRYPTO_INTDIR)\crypto.obj \ $(XMLSEC_MSCRYPTO_INTDIR)\ciphers.obj \