1
/* ***** BEGIN LICENSE BLOCK *****
2
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
4
* The contents of this file are subject to the Mozilla Public License Version
5
* 1.1 (the "License"); you may not use this file except in compliance with
6
* the License. You may obtain a copy of the License at
7
* http://www.mozilla.org/MPL/
9
* Software distributed under the License is distributed on an "AS IS" basis,
10
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11
* for the specific language governing rights and limitations under the
14
* The Original Code is the Netscape security libraries.
16
* The Initial Developer of the Original Code is
17
* Netscape Communications Corporation.
18
* Portions created by the Initial Developer are Copyright (C) 1994-2000
19
* the Initial Developer. All Rights Reserved.
22
* Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
24
* Alternatively, the contents of this file may be used under the terms of
25
* either the GNU General Public License Version 2 or later (the "GPL"), or
26
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27
* in which case the provisions of the GPL or the LGPL are applicable instead
28
* of those above. If you wish to allow use of your version of this file only
29
* under the terms of either the GPL or the LGPL, and not to allow others to
30
* use your version of this file under the terms of the MPL, indicate your
31
* decision by deleting the provisions above and replace them with the notice
32
* and other provisions required by the GPL or the LGPL. If you do not delete
33
* the provisions above, a recipient may use your version of this file under
34
* the terms of any one of the MPL, the GPL or the LGPL.
36
* ***** END LICENSE BLOCK ***** */
38
* Internal PKCS #11 functions. Should only be called by pkcs11.c
50
* Cache the object we are working on during Set's and Get's
52
typedef struct LGObjectCacheStr {
53
CK_OBJECT_CLASS objclass;
54
CK_OBJECT_HANDLE handle;
61
static const CK_OBJECT_HANDLE lg_classArray[] = {
62
0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY,
63
CKO_NETSCAPE_TRUST, CKO_NETSCAPE_CRL, CKO_NETSCAPE_SMIME,
66
#define handleToClass(handle) \
67
lg_classArray[((handle & LG_TOKEN_TYPE_MASK))>>LG_TOKEN_TYPE_SHIFT]
70
static void lg_DestroyObjectCache(LGObjectCache *obj);
72
static LGObjectCache *
73
lg_NewObjectCache(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE handle)
75
LGObjectCache *obj = NULL;
78
obj = PORT_New(LGObjectCache);
83
obj->objclass = handleToClass(handle);
86
obj->objectInfo = NULL;
88
obj->dbKey.data = NULL;
92
dbKey = lg_lookupTokenKeyByHandle(sdb,handle);
98
rv = SECITEM_CopyItem(NULL,&obj->dbKey,dbKey);
100
if (rv != SECSuccess) {
107
(void) lg_DestroyObjectCache(obj);
114
* free all the data associated with an object. Object reference count must
118
lg_DestroyObjectCache(LGObjectCache *obj)
120
if (obj->dbKey.data) {
121
PORT_Free(obj->dbKey.data);
122
obj->dbKey.data = NULL;
124
if (obj->objectInfo) {
125
(*obj->infoFree)(obj->objectInfo);
126
obj->objectInfo = NULL;
127
obj->infoFree = NULL;
132
* ******************** Attribute Utilities *******************************
136
lg_ULongAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type, CK_ULONG value)
141
if (attr->pValue == NULL) {
142
attr->ulValueLen = 4;
145
if (attr->ulValueLen < 4) {
146
attr->ulValueLen = (CK_ULONG) -1;
147
return CKR_BUFFER_TOO_SMALL;
150
data = (unsigned char *)attr->pValue;
151
for (i=0; i < 4; i++) {
152
data[i] = (value >> ((3-i)*8)) & 0xff;
154
attr->ulValueLen = 4;
159
lg_CopyAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type,
160
CK_VOID_PTR value, CK_ULONG len)
163
if (attr->pValue == NULL) {
164
attr->ulValueLen = len;
167
if (attr->ulValueLen < len) {
168
attr->ulValueLen = (CK_ULONG) -1;
169
return CKR_BUFFER_TOO_SMALL;
171
PORT_Memcpy(attr->pValue,value,len);
172
attr->ulValueLen = len;
177
lg_CopyAttributeSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type,
178
void *value, CK_ULONG len)
180
unsigned char * dval = (unsigned char *)value;
185
return lg_CopyAttribute(attribute,type,dval,len);
189
lg_CopyPrivAttribute(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type,
190
void *value, CK_ULONG len, SDB *sdbpw)
192
SECItem plainText, *cipherText = NULL;
193
CK_RV crv = CKR_USER_NOT_LOGGED_IN;
196
plainText.data = value;
198
rv = lg_util_encrypt(NULL, sdbpw, &plainText, &cipherText);
199
if (rv != SECSuccess) {
202
crv = lg_CopyAttribute(attribute,type,cipherText->data,cipherText->len);
205
SECITEM_FreeItem(cipherText,PR_TRUE);
211
lg_CopyPrivAttrSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type,
212
void *value, CK_ULONG len, SDB *sdbpw)
214
unsigned char * dval = (unsigned char *)value;
220
return lg_CopyPrivAttribute(attribute,type,dval,len,sdbpw);
224
lg_invalidAttribute(CK_ATTRIBUTE *attr)
226
attr->ulValueLen = (CK_ULONG) -1;
227
return CKR_ATTRIBUTE_TYPE_INVALID;
231
#define LG_DEF_ATTRIBUTE(value,len) \
234
#define LG_CLONE_ATTR(attribute, type, staticAttr) \
235
lg_CopyAttribute(attribute, type, staticAttr.pValue, staticAttr.ulValueLen)
237
CK_BBOOL lg_staticTrueValue = CK_TRUE;
238
CK_BBOOL lg_staticFalseValue = CK_FALSE;
239
static const CK_ATTRIBUTE lg_StaticTrueAttr =
240
LG_DEF_ATTRIBUTE(&lg_staticTrueValue,sizeof(lg_staticTrueValue));
241
static const CK_ATTRIBUTE lg_StaticFalseAttr =
242
LG_DEF_ATTRIBUTE(&lg_staticFalseValue,sizeof(lg_staticFalseValue));
243
static const CK_ATTRIBUTE lg_StaticNullAttr = LG_DEF_ATTRIBUTE(NULL,0);
244
char lg_StaticOneValue = 1;
245
static const CK_ATTRIBUTE lg_StaticOneAttr =
246
LG_DEF_ATTRIBUTE(&lg_StaticOneValue,sizeof(lg_StaticOneValue));
249
* helper functions which get the database and call the underlying
250
* low level database function.
253
lg_FindKeyNicknameByPublicKey(SDB *sdb, SECItem *dbKey)
255
NSSLOWKEYDBHandle *keyHandle;
258
keyHandle = lg_getKeyDB(sdb);
263
label = nsslowkey_FindKeyNicknameByPublicKey(keyHandle, dbKey,
269
NSSLOWKEYPrivateKey *
270
lg_FindKeyByPublicKey(SDB *sdb, SECItem *dbKey)
272
NSSLOWKEYPrivateKey *privKey;
273
NSSLOWKEYDBHandle *keyHandle;
275
keyHandle = lg_getKeyDB(sdb);
276
if (keyHandle == NULL) {
279
privKey = nsslowkey_FindKeyByPublicKey(keyHandle, dbKey, sdb);
280
if (privKey == NULL) {
286
static certDBEntrySMime *
287
lg_getSMime(LGObjectCache *obj)
289
certDBEntrySMime *entry;
290
NSSLOWCERTCertDBHandle *certHandle;
292
if (obj->objclass != CKO_NETSCAPE_SMIME) {
295
if (obj->objectInfo) {
296
return (certDBEntrySMime *)obj->objectInfo;
299
certHandle = lg_getCertDB(obj->sdb);
303
entry = nsslowcert_ReadDBSMimeEntry(certHandle, (char *)obj->dbKey.data);
304
obj->objectInfo = (void *)entry;
305
obj->infoFree = (LGFreeFunc) nsslowcert_DestroyDBEntry;
309
static certDBEntryRevocation *
310
lg_getCrl(LGObjectCache *obj)
312
certDBEntryRevocation *crl;
314
NSSLOWCERTCertDBHandle *certHandle;
316
if (obj->objclass != CKO_NETSCAPE_CRL) {
319
if (obj->objectInfo) {
320
return (certDBEntryRevocation *)obj->objectInfo;
323
isKrl = (PRBool) (obj->handle == LG_TOKEN_KRL_HANDLE);
324
certHandle = lg_getCertDB(obj->sdb);
329
crl = nsslowcert_FindCrlByKey(certHandle, &obj->dbKey, isKrl);
330
obj->objectInfo = (void *)crl;
331
obj->infoFree = (LGFreeFunc) nsslowcert_DestroyDBEntry;
335
static NSSLOWCERTCertificate *
336
lg_getCert(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
338
NSSLOWCERTCertificate *cert;
339
CK_OBJECT_CLASS objClass = obj->objclass;
341
if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NETSCAPE_TRUST)) {
344
if (objClass == CKO_CERTIFICATE && obj->objectInfo) {
345
return (NSSLOWCERTCertificate *)obj->objectInfo;
347
cert = nsslowcert_FindCertByKey(certHandle, &obj->dbKey);
348
if (objClass == CKO_CERTIFICATE) {
349
obj->objectInfo = (void *)cert;
350
obj->infoFree = (LGFreeFunc) nsslowcert_DestroyCertificate ;
355
static NSSLOWCERTTrust *
356
lg_getTrust(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
358
NSSLOWCERTTrust *trust;
360
if (obj->objclass != CKO_NETSCAPE_TRUST) {
363
if (obj->objectInfo) {
364
return (NSSLOWCERTTrust *)obj->objectInfo;
366
trust = nsslowcert_FindTrustByKey(certHandle, &obj->dbKey);
367
obj->objectInfo = (void *)trust;
368
obj->infoFree = (LGFreeFunc) nsslowcert_DestroyTrust ;
372
static NSSLOWKEYPublicKey *
373
lg_GetPublicKey(LGObjectCache *obj)
375
NSSLOWKEYPublicKey *pubKey;
376
NSSLOWKEYPrivateKey *privKey;
378
if (obj->objclass != CKO_PUBLIC_KEY) {
381
if (obj->objectInfo) {
382
return (NSSLOWKEYPublicKey *)obj->objectInfo;
384
privKey = lg_FindKeyByPublicKey(obj->sdb, &obj->dbKey);
385
if (privKey == NULL) {
388
pubKey = nsslowkey_ConvertToPublicKey(privKey);
389
nsslowkey_DestroyPrivateKey(privKey);
390
obj->objectInfo = (void *) pubKey;
391
obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPublicKey ;
396
* we need two versions of lg_GetPrivateKey. One version that takes the
397
* DB handle so we can pass the handle we have already acquired in,
398
* rather than going through the 'getKeyDB' code again,
399
* which may fail the second time and another which just aquires
400
* the key handle from the sdb (where we don't already have a key handle.
401
* This version does the former.
403
static NSSLOWKEYPrivateKey *
404
lg_GetPrivateKeyWithDB(LGObjectCache *obj, NSSLOWKEYDBHandle *keyHandle)
406
NSSLOWKEYPrivateKey *privKey;
408
if ((obj->objclass != CKO_PRIVATE_KEY) &&
409
(obj->objclass != CKO_SECRET_KEY)) {
412
if (obj->objectInfo) {
413
return (NSSLOWKEYPrivateKey *)obj->objectInfo;
415
privKey = nsslowkey_FindKeyByPublicKey(keyHandle, &obj->dbKey, obj->sdb);
416
if (privKey == NULL) {
419
obj->objectInfo = (void *) privKey;
420
obj->infoFree = (LGFreeFunc) nsslowkey_DestroyPrivateKey ;
424
/* this version does the latter */
425
static NSSLOWKEYPrivateKey *
426
lg_GetPrivateKey(LGObjectCache *obj)
428
NSSLOWKEYDBHandle *keyHandle;
429
NSSLOWKEYPrivateKey *privKey;
431
keyHandle = lg_getKeyDB(obj->sdb);
435
privKey = lg_GetPrivateKeyWithDB(obj, keyHandle);
439
/* lg_GetPubItem returns data associated with the public key.
440
* one only needs to free the public key. This comment is here
441
* because this sematic would be non-obvious otherwise. All callers
442
* should include this comment.
445
lg_GetPubItem(NSSLOWKEYPublicKey *pubKey) {
446
SECItem *pubItem = NULL;
447
/* get value to compare from the cert's public key */
448
switch ( pubKey->keyType ) {
449
case NSSLOWKEYRSAKey:
450
pubItem = &pubKey->u.rsa.modulus;
452
case NSSLOWKEYDSAKey:
453
pubItem = &pubKey->u.dsa.publicValue;
456
pubItem = &pubKey->u.dh.publicValue;
458
#ifdef NSS_ENABLE_ECC
460
pubItem = &pubKey->u.ec.publicValue;
462
#endif /* NSS_ENABLE_ECC */
469
static const SEC_ASN1Template lg_SerialTemplate[] = {
470
{ SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertificate,serialNumber) },
475
lg_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
476
CK_ATTRIBUTE *attribute)
478
unsigned char hash[SHA1_LENGTH];
479
CK_KEY_TYPE keyType = CKK_RSA;
483
return lg_ULongAttribute(attribute, type, keyType);
485
SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
486
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
488
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
491
case CKA_VERIFY_RECOVER:
493
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
495
return lg_CopyAttributeSigned(attribute,type,key->u.rsa.modulus.data,
496
key->u.rsa.modulus.len);
497
case CKA_PUBLIC_EXPONENT:
498
return lg_CopyAttributeSigned(attribute, type,
499
key->u.rsa.publicExponent.data,
500
key->u.rsa.publicExponent.len);
504
return lg_invalidAttribute(attribute);
508
lg_FindDSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
509
CK_ATTRIBUTE *attribute)
511
unsigned char hash[SHA1_LENGTH];
512
CK_KEY_TYPE keyType = CKK_DSA;
516
return lg_ULongAttribute(attribute, type, keyType);
518
SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
519
key->u.dsa.publicValue.len);
520
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
523
case CKA_VERIFY_RECOVER:
525
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
527
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
529
return lg_CopyAttributeSigned(attribute,type,
530
key->u.dsa.publicValue.data,
531
key->u.dsa.publicValue.len);
533
return lg_CopyAttributeSigned(attribute,type,
534
key->u.dsa.params.prime.data,
535
key->u.dsa.params.prime.len);
537
return lg_CopyAttributeSigned(attribute,type,
538
key->u.dsa.params.subPrime.data,
539
key->u.dsa.params.subPrime.len);
541
return lg_CopyAttributeSigned(attribute,type,
542
key->u.dsa.params.base.data,
543
key->u.dsa.params.base.len);
547
return lg_invalidAttribute(attribute);
551
lg_FindDHPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
552
CK_ATTRIBUTE *attribute)
554
unsigned char hash[SHA1_LENGTH];
555
CK_KEY_TYPE keyType = CKK_DH;
559
return lg_ULongAttribute(attribute, type, keyType);
561
SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
562
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
564
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
567
case CKA_VERIFY_RECOVER:
569
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
571
return lg_CopyAttributeSigned(attribute,type,
572
key->u.dh.publicValue.data,
573
key->u.dh.publicValue.len);
575
return lg_CopyAttributeSigned(attribute,type,key->u.dh.prime.data,
576
key->u.dh.prime.len);
578
return lg_CopyAttributeSigned(attribute,type,key->u.dh.base.data,
583
return lg_invalidAttribute(attribute);
586
#ifdef NSS_ENABLE_ECC
588
lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
589
CK_ATTRIBUTE *attribute)
591
unsigned char hash[SHA1_LENGTH];
592
CK_KEY_TYPE keyType = CKK_EC;
596
return lg_ULongAttribute(attribute, type, keyType);
598
SHA1_HashBuf(hash, key->u.ec.publicValue.data,
599
key->u.ec.publicValue.len);
600
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
603
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
605
case CKA_VERIFY_RECOVER:
607
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
609
return lg_CopyAttributeSigned(attribute,type,
610
key->u.ec.ecParams.DEREncoding.data,
611
key->u.ec.ecParams.DEREncoding.len);
613
return lg_CopyAttributeSigned(attribute, type,
614
key->u.ec.publicValue.data,
615
key->u.ec.publicValue.len);
619
return lg_invalidAttribute(attribute);
621
#endif /* NSS_ENABLE_ECC */
625
lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
626
CK_ATTRIBUTE *attribute)
628
NSSLOWKEYPublicKey *key;
635
case CKA_ALWAYS_SENSITIVE:
636
case CKA_NEVER_EXTRACTABLE:
637
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
639
case CKA_EXTRACTABLE:
640
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
642
label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
644
return LG_CLONE_ATTR(attribute,type,lg_StaticOneAttr);
646
crv = lg_CopyAttribute(attribute,type,label,PORT_Strlen(label));
653
key = lg_GetPublicKey(obj);
655
return CKR_OBJECT_HANDLE_INVALID;
658
switch (key->keyType) {
659
case NSSLOWKEYRSAKey:
660
return lg_FindRSAPublicKeyAttribute(key,type,attribute);
661
case NSSLOWKEYDSAKey:
662
return lg_FindDSAPublicKeyAttribute(key,type,attribute);
664
return lg_FindDHPublicKeyAttribute(key,type,attribute);
665
#ifdef NSS_ENABLE_ECC
667
return lg_FindECPublicKeyAttribute(key,type,attribute);
668
#endif /* NSS_ENABLE_ECC */
673
return lg_invalidAttribute(attribute);
677
lg_FindSecretKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
678
CK_ATTRIBUTE *attribute)
680
NSSLOWKEYPrivateKey *key;
682
unsigned char *keyString;
687
PRUint32 keyTypeStorage;
692
case CKA_ALWAYS_SENSITIVE:
693
case CKA_EXTRACTABLE:
702
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
703
case CKA_NEVER_EXTRACTABLE:
704
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
706
label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
708
return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
710
crv = lg_CopyAttribute(attribute,type,label,PORT_Strlen(label));
714
return lg_CopyAttribute(attribute,type,obj->dbKey.data,
721
return lg_invalidAttribute(attribute);
724
key = lg_GetPrivateKey(obj);
726
return CKR_OBJECT_HANDLE_INVALID;
730
/* handle legacy databases. In legacy databases key_type was stored
731
* in host order, with any leading zeros stripped off. Only key types
732
* under 0x1f (AES) were stored. We assume that any values which are
733
* either 1 byte long (big endian), or have byte[0] between 0 and
734
* 0x7f and bytes[1]-bytes[3] equal to '0' (little endian). All other
735
* values are assumed to be from the new database, which is always 4
736
* bytes in network order */
738
keyString = key->u.rsa.coefficient.data;
739
keyTypeLen = key->u.rsa.coefficient.len;
743
* Because of various endian and word lengths The database may have
744
* stored the keyType value in one of the following formats:
747
* Big Endian, pre-3.9, all lengths: 1 (kt)
748
* Little Endian, pre-3.9, 32 bits: 4 (kt) 0 0 0
749
* Little Endian, pre-3.9, 64 bits: 8 (kt) 0 0 0 0 0 0 0
750
* All platforms, 3.9, 32 bits: 4 0 0 0 (kt)
751
* Big Endian, 3.9, 64 bits: 8 0 0 0 (kt) 0 0 0 0
752
* Little Endian, 3.9, 64 bits: 8 0 0 0 0 0 0 0 (kt)
753
* All platforms, >= 3.9.1, all lengths: 4 (a) k1 k2 k3
754
* where (a) is 0 or >= 0x80. currently (a) can only be 0.
757
* this key was written on a 64 bit platform with a using NSS 3.9
758
* or earlier. Reduce the 64 bit possibilities above. When we are
759
* through, we will only have:
761
* Big Endian, pre-3.9, all lengths: 1 (kt)
762
* Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0
763
* All platforms, 3.9, all lengths: 4 0 0 0 (kt)
764
* All platforms, => 3.9.1, all lengths: 4 (a) k1 k2 k3
766
if (keyTypeLen == 8) {
767
keyTypeStorage = *(PRUint32 *) keyString;
768
if (keyTypeStorage == 0) {
769
keyString += sizeof(PRUint32);
776
* All platforms, 3.9, all lengths: 4 0 0 0 (kt)
777
* All platforms, => 3.9.1, all lengths: 4 (a) k1 k2 k3
779
* NOTE: if kt == 0 or ak1k2k3 == 0, the test fails and
782
* Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0
784
if (keyTypeLen == sizeof(keyTypeStorage) &&
785
(((keyString[0] & 0x80) == 0x80) ||
786
!((keyString[1] == 0) && (keyString[2] == 0)
787
&& (keyString[3] == 0))) ) {
788
PORT_Memcpy(&keyTypeStorage, keyString, sizeof(keyTypeStorage));
789
keyType = (CK_KEY_TYPE) PR_ntohl(keyTypeStorage);
794
* Big Endian, pre-3.9, all lengths: 1 (kt)
795
* Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0
796
* -- KeyType == 0 all other cases ---: 4 0 0 0 0
798
keyType = (CK_KEY_TYPE) keyString[0] ;
800
return lg_ULongAttribute(attribute, type, keyType);
802
return lg_CopyPrivAttribute(attribute,type,key->u.rsa.privateExponent.data,
803
key->u.rsa.privateExponent.len, obj->sdb);
805
keyLen=key->u.rsa.privateExponent.len;
806
return lg_ULongAttribute(attribute,type, keyLen);
808
return lg_invalidAttribute(attribute);
812
lg_FindRSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
813
CK_ATTRIBUTE *attribute, SDB *sdbpw)
815
unsigned char hash[SHA1_LENGTH];
816
CK_KEY_TYPE keyType = CKK_RSA;
820
return lg_ULongAttribute(attribute, type, keyType);
822
SHA1_HashBuf(hash,key->u.rsa.modulus.data,key->u.rsa.modulus.len);
823
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
825
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
828
case CKA_SIGN_RECOVER:
830
return LG_CLONE_ATTR(attribute, type,lg_StaticTrueAttr);
832
return lg_CopyAttributeSigned(attribute,type,key->u.rsa.modulus.data,
833
key->u.rsa.modulus.len);
834
case CKA_PUBLIC_EXPONENT:
835
return lg_CopyAttributeSigned(attribute, type,
836
key->u.rsa.publicExponent.data,
837
key->u.rsa.publicExponent.len);
838
case CKA_PRIVATE_EXPONENT:
839
return lg_CopyPrivAttrSigned(attribute,type,
840
key->u.rsa.privateExponent.data,
841
key->u.rsa.privateExponent.len, sdbpw);
843
return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime1.data,
844
key->u.rsa.prime1.len, sdbpw);
846
return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime2.data,
847
key->u.rsa.prime2.len, sdbpw);
849
return lg_CopyPrivAttrSigned(attribute, type,
850
key->u.rsa.exponent1.data,
851
key->u.rsa.exponent1.len, sdbpw);
853
return lg_CopyPrivAttrSigned(attribute, type,
854
key->u.rsa.exponent2.data,
855
key->u.rsa.exponent2.len, sdbpw);
856
case CKA_COEFFICIENT:
857
return lg_CopyPrivAttrSigned(attribute, type,
858
key->u.rsa.coefficient.data,
859
key->u.rsa.coefficient.len, sdbpw);
863
return lg_invalidAttribute(attribute);
867
lg_FindDSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
868
CK_ATTRIBUTE *attribute, SDB *sdbpw)
870
unsigned char hash[SHA1_LENGTH];
871
CK_KEY_TYPE keyType = CKK_DSA;
875
return lg_ULongAttribute(attribute, type, keyType);
877
SHA1_HashBuf(hash,key->u.dsa.publicValue.data,
878
key->u.dsa.publicValue.len);
879
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
882
case CKA_SIGN_RECOVER:
884
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
886
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
888
return lg_CopyPrivAttrSigned(attribute, type,
889
key->u.dsa.privateValue.data,
890
key->u.dsa.privateValue.len, sdbpw);
892
return lg_CopyAttributeSigned(attribute, type,
893
key->u.dsa.params.prime.data,
894
key->u.dsa.params.prime.len);
896
return lg_CopyAttributeSigned(attribute, type,
897
key->u.dsa.params.subPrime.data,
898
key->u.dsa.params.subPrime.len);
900
return lg_CopyAttributeSigned(attribute, type,
901
key->u.dsa.params.base.data,
902
key->u.dsa.params.base.len);
903
case CKA_NETSCAPE_DB:
904
return lg_CopyAttributeSigned(attribute, type,
905
key->u.dsa.publicValue.data,
906
key->u.dsa.publicValue.len);
910
return lg_invalidAttribute(attribute);
914
lg_FindDHPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
915
CK_ATTRIBUTE *attribute, SDB *sdbpw)
917
unsigned char hash[SHA1_LENGTH];
918
CK_KEY_TYPE keyType = CKK_DH;
922
return lg_ULongAttribute(attribute, type, keyType);
924
SHA1_HashBuf(hash,key->u.dh.publicValue.data,key->u.dh.publicValue.len);
925
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
927
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
930
case CKA_SIGN_RECOVER:
932
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
934
return lg_CopyPrivAttrSigned(attribute, type,
935
key->u.dh.privateValue.data,
936
key->u.dh.privateValue.len, sdbpw);
938
return lg_CopyAttributeSigned(attribute, type, key->u.dh.prime.data,
939
key->u.dh.prime.len);
941
return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data,
943
case CKA_NETSCAPE_DB:
944
return lg_CopyAttributeSigned(attribute, type,
945
key->u.dh.publicValue.data,
946
key->u.dh.publicValue.len);
950
return lg_invalidAttribute(attribute);
953
#ifdef NSS_ENABLE_ECC
955
lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
956
CK_ATTRIBUTE *attribute, SDB *sdbpw)
958
unsigned char hash[SHA1_LENGTH];
959
CK_KEY_TYPE keyType = CKK_EC;
963
return lg_ULongAttribute(attribute, type, keyType);
965
SHA1_HashBuf(hash,key->u.ec.publicValue.data,key->u.ec.publicValue.len);
966
return lg_CopyAttribute(attribute,type,hash,SHA1_LENGTH);
969
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
971
case CKA_SIGN_RECOVER:
973
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
975
return lg_CopyPrivAttrSigned(attribute, type,
976
key->u.ec.privateValue.data,
977
key->u.ec.privateValue.len, sdbpw);
979
return lg_CopyAttributeSigned(attribute, type,
980
key->u.ec.ecParams.DEREncoding.data,
981
key->u.ec.ecParams.DEREncoding.len);
982
case CKA_NETSCAPE_DB:
983
return lg_CopyAttributeSigned(attribute, type,
984
key->u.ec.publicValue.data,
985
key->u.ec.publicValue.len);
989
return lg_invalidAttribute(attribute);
991
#endif /* NSS_ENABLE_ECC */
994
lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
995
CK_ATTRIBUTE *attribute)
997
NSSLOWKEYPrivateKey *key;
1004
case CKA_ALWAYS_SENSITIVE:
1005
case CKA_EXTRACTABLE:
1006
case CKA_MODIFIABLE:
1007
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
1008
case CKA_NEVER_EXTRACTABLE:
1009
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
1011
return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
1013
label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
1014
if (label == NULL) {
1015
return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
1017
crv = lg_CopyAttribute(attribute,type,label,PORT_Strlen(label));
1023
key = lg_GetPrivateKey(obj);
1025
return CKR_OBJECT_HANDLE_INVALID;
1027
switch (key->keyType) {
1028
case NSSLOWKEYRSAKey:
1029
return lg_FindRSAPrivateKeyAttribute(key,type,attribute,obj->sdb);
1030
case NSSLOWKEYDSAKey:
1031
return lg_FindDSAPrivateKeyAttribute(key,type,attribute,obj->sdb);
1032
case NSSLOWKEYDHKey:
1033
return lg_FindDHPrivateKeyAttribute(key,type,attribute,obj->sdb);
1034
#ifdef NSS_ENABLE_ECC
1035
case NSSLOWKEYECKey:
1036
return lg_FindECPrivateKeyAttribute(key,type,attribute,obj->sdb);
1037
#endif /* NSS_ENABLE_ECC */
1042
return lg_invalidAttribute(attribute);
1046
lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
1047
CK_ATTRIBUTE *attribute)
1049
certDBEntrySMime *entry;
1052
case CKA_MODIFIABLE:
1053
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
1054
case CKA_NETSCAPE_EMAIL:
1055
return lg_CopyAttribute(attribute,type,obj->dbKey.data,
1057
case CKA_NETSCAPE_SMIME_TIMESTAMP:
1062
return lg_invalidAttribute(attribute);
1064
entry = lg_getSMime(obj);
1065
if (entry == NULL) {
1066
return CKR_OBJECT_HANDLE_INVALID;
1069
case CKA_NETSCAPE_SMIME_TIMESTAMP:
1070
return lg_CopyAttribute(attribute,type,entry->optionsDate.data,
1071
entry->optionsDate.len);
1073
return lg_CopyAttribute(attribute,type,entry->subjectName.data,
1074
entry->subjectName.len);
1076
return lg_CopyAttribute(attribute,type,entry->smimeOptions.data,
1077
entry->smimeOptions.len);
1081
return lg_invalidAttribute(attribute);
1085
lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
1086
CK_ATTRIBUTE *attribute)
1088
NSSLOWCERTTrust *trust;
1089
NSSLOWCERTCertDBHandle *certHandle;
1090
NSSLOWCERTCertificate *cert;
1091
unsigned char hash[SHA1_LENGTH];
1092
unsigned int trustFlags;
1097
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
1098
case CKA_MODIFIABLE:
1099
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
1100
case CKA_CERT_SHA1_HASH:
1101
case CKA_CERT_MD5_HASH:
1102
case CKA_TRUST_CLIENT_AUTH:
1103
case CKA_TRUST_SERVER_AUTH:
1104
case CKA_TRUST_EMAIL_PROTECTION:
1105
case CKA_TRUST_CODE_SIGNING:
1106
case CKA_TRUST_STEP_UP_APPROVED:
1108
case CKA_SERIAL_NUMBER:
1111
return lg_invalidAttribute(attribute);
1113
certHandle = lg_getCertDB(obj->sdb);
1115
return CKR_OBJECT_HANDLE_INVALID;
1117
trust = lg_getTrust(obj, certHandle);
1118
if (trust == NULL) {
1119
return CKR_OBJECT_HANDLE_INVALID;
1122
case CKA_CERT_SHA1_HASH:
1123
SHA1_HashBuf(hash,trust->derCert->data,trust->derCert->len);
1124
return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
1125
case CKA_CERT_MD5_HASH:
1126
MD5_HashBuf(hash,trust->derCert->data,trust->derCert->len);
1127
return lg_CopyAttribute(attribute, type, hash, MD5_LENGTH);
1128
case CKA_TRUST_CLIENT_AUTH:
1129
trustFlags = trust->trust->sslFlags & CERTDB_TRUSTED_CLIENT_CA ?
1130
trust->trust->sslFlags | CERTDB_TRUSTED_CA : 0 ;
1132
case CKA_TRUST_SERVER_AUTH:
1133
trustFlags = trust->trust->sslFlags;
1135
case CKA_TRUST_EMAIL_PROTECTION:
1136
trustFlags = trust->trust->emailFlags;
1138
case CKA_TRUST_CODE_SIGNING:
1139
trustFlags = trust->trust->objectSigningFlags;
1141
if (trustFlags & CERTDB_TRUSTED_CA ) {
1142
return lg_ULongAttribute(attribute, type,
1143
CKT_NETSCAPE_TRUSTED_DELEGATOR);
1145
if (trustFlags & CERTDB_TRUSTED) {
1146
return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_TRUSTED);
1148
if (trustFlags & CERTDB_NOT_TRUSTED) {
1149
return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_UNTRUSTED);
1151
if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
1152
return lg_ULongAttribute(attribute, type,
1153
CKT_NETSCAPE_TRUST_UNKNOWN);
1155
if (trustFlags & CERTDB_VALID_CA) {
1156
return lg_ULongAttribute(attribute, type,
1157
CKT_NETSCAPE_VALID_DELEGATOR);
1159
if (trustFlags & CERTDB_VALID_PEER) {
1160
return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_VALID);
1162
return lg_ULongAttribute(attribute, type, CKT_NETSCAPE_MUST_VERIFY);
1163
case CKA_TRUST_STEP_UP_APPROVED:
1164
if (trust->trust->sslFlags & CERTDB_GOVT_APPROVED_CA) {
1165
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
1167
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
1176
cert = lg_getCert(obj, certHandle);
1177
if (cert == NULL) break;
1178
crv = lg_CopyAttribute(attribute,type,cert->derIssuer.data,
1179
cert->derIssuer.len);
1181
case CKA_SERIAL_NUMBER:
1182
cert = lg_getCert(obj, certHandle);
1183
if (cert == NULL) break;
1184
crv = lg_CopyAttribute(attribute,type,cert->derSN.data,
1192
nsslowcert_DestroyCertificate(cert);
1195
return lg_invalidAttribute(attribute);
1199
lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
1200
CK_ATTRIBUTE *attribute)
1202
certDBEntryRevocation *crl;
1206
case CKA_MODIFIABLE:
1207
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
1208
case CKA_NETSCAPE_KRL:
1209
return ((obj->handle == LG_TOKEN_KRL_HANDLE)
1210
? LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr)
1211
: LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr));
1213
return lg_CopyAttribute(attribute,type,obj->dbKey.data,
1215
case CKA_NETSCAPE_URL:
1219
return lg_invalidAttribute(attribute);
1221
crl = lg_getCrl(obj);
1223
return CKR_OBJECT_HANDLE_INVALID;
1226
case CKA_NETSCAPE_URL:
1227
if (crl->url == NULL) {
1228
return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
1230
return lg_CopyAttribute(attribute, type, crl->url,
1231
PORT_Strlen(crl->url)+1);
1233
return lg_CopyAttribute(attribute, type, crl->derCrl.data,
1238
return lg_invalidAttribute(attribute);
1242
lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
1243
CK_ATTRIBUTE *attribute)
1245
NSSLOWCERTCertificate *cert;
1246
NSSLOWCERTCertDBHandle *certHandle;
1247
NSSLOWKEYPublicKey *pubKey;
1248
unsigned char hash[SHA1_LENGTH];
1253
return LG_CLONE_ATTR(attribute,type,lg_StaticFalseAttr);
1254
case CKA_MODIFIABLE:
1255
return LG_CLONE_ATTR(attribute,type,lg_StaticTrueAttr);
1256
case CKA_CERTIFICATE_TYPE:
1257
/* hardcoding X.509 into here */
1258
return lg_ULongAttribute(attribute, type, CKC_X_509);
1264
case CKA_SERIAL_NUMBER:
1265
case CKA_NETSCAPE_EMAIL:
1268
return lg_invalidAttribute(attribute);
1271
certHandle = lg_getCertDB(obj->sdb);
1272
if (certHandle == NULL) {
1273
return CKR_OBJECT_HANDLE_INVALID;
1276
cert = lg_getCert(obj, certHandle);
1278
return CKR_OBJECT_HANDLE_INVALID;
1282
return lg_CopyAttribute(attribute,type,cert->derCert.data,
1285
if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
1286
((cert->trust->emailFlags & CERTDB_USER) == 0) &&
1287
((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
1288
return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
1290
pubKey = nsslowcert_ExtractPublicKey(cert);
1291
if (pubKey == NULL) break;
1292
item = lg_GetPubItem(pubKey);
1294
nsslowkey_DestroyPublicKey(pubKey);
1297
SHA1_HashBuf(hash,item->data,item->len);
1298
/* item is imbedded in pubKey, just free the key */
1299
nsslowkey_DestroyPublicKey(pubKey);
1300
return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
1302
return cert->nickname
1303
? lg_CopyAttribute(attribute, type, cert->nickname,
1304
PORT_Strlen(cert->nickname))
1305
: LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
1307
return lg_CopyAttribute(attribute,type,cert->derSubject.data,
1308
cert->derSubject.len);
1310
return lg_CopyAttribute(attribute,type,cert->derIssuer.data,
1311
cert->derIssuer.len);
1312
case CKA_SERIAL_NUMBER:
1313
return lg_CopyAttribute(attribute,type,cert->derSN.data,
1315
case CKA_NETSCAPE_EMAIL:
1316
return (cert->emailAddr && cert->emailAddr[0])
1317
? lg_CopyAttribute(attribute, type, cert->emailAddr,
1318
PORT_Strlen(cert->emailAddr))
1319
: LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
1323
return lg_invalidAttribute(attribute);
1327
lg_GetSingleAttribute(LGObjectCache *obj, CK_ATTRIBUTE *attribute)
1329
/* handle the common ones */
1330
CK_ATTRIBUTE_TYPE type = attribute->type;
1333
return lg_ULongAttribute(attribute,type,obj->objclass);
1335
return LG_CLONE_ATTR(attribute, type,lg_StaticTrueAttr);
1337
if ( (obj->objclass == CKO_CERTIFICATE)
1338
|| (obj->objclass == CKO_PRIVATE_KEY)
1339
|| (obj->objclass == CKO_PUBLIC_KEY)
1340
|| (obj->objclass == CKO_SECRET_KEY)) {
1343
return LG_CLONE_ATTR(attribute,type,lg_StaticNullAttr);
1347
switch (obj->objclass) {
1348
case CKO_CERTIFICATE:
1349
return lg_FindCertAttribute(obj,type,attribute);
1350
case CKO_NETSCAPE_CRL:
1351
return lg_FindCrlAttribute(obj,type,attribute);
1352
case CKO_NETSCAPE_TRUST:
1353
return lg_FindTrustAttribute(obj,type,attribute);
1354
case CKO_NETSCAPE_SMIME:
1355
return lg_FindSMIMEAttribute(obj,type,attribute);
1356
case CKO_PUBLIC_KEY:
1357
return lg_FindPublicKeyAttribute(obj,type,attribute);
1358
case CKO_PRIVATE_KEY:
1359
return lg_FindPrivateKeyAttribute(obj,type,attribute);
1360
case CKO_SECRET_KEY:
1361
return lg_FindSecretKeyAttribute(obj,type,attribute);
1365
return lg_invalidAttribute(attribute);
1369
* Fill in the attribute template based on the data in the database.
1372
lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *templ,
1375
LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
1376
CK_RV crv, crvCollect = CKR_OK;
1380
return CKR_OBJECT_HANDLE_INVALID;
1383
for (i=0; i < count; i++) {
1384
crv = lg_GetSingleAttribute(obj, &templ[i]);
1385
if (crvCollect == CKR_OK) crvCollect = crv;
1388
lg_DestroyObjectCache(obj);
1393
lg_cmpAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attribute)
1395
unsigned char buf[LG_BUF_SPACE];
1396
CK_ATTRIBUTE testAttr;
1397
unsigned char *tempBuf = NULL;
1398
PRBool match = PR_TRUE;
1401
/* we're going to compare 'attribute' with the actual attribute from
1402
* the object. We'll use the length of 'attribute' to decide how much
1403
* space we need to read the test attribute. If 'attribute' doesn't give
1404
* enough space, then we know the values don't match and that will
1405
* show up as ckr != CKR_OK */
1406
testAttr = *attribute;
1407
testAttr.pValue = buf;
1409
/* if we don't have enough space, malloc it */
1410
if (attribute->ulValueLen > LG_BUF_SPACE) {
1411
tempBuf = PORT_Alloc(attribute->ulValueLen);
1415
testAttr.pValue = tempBuf;
1418
/* get the attribute */
1419
crv = lg_GetSingleAttribute(obj, &testAttr);
1420
/* if the attribute was read OK, compare it */
1421
if ((crv != CKR_OK) || (attribute->ulValueLen != testAttr.ulValueLen) ||
1422
(PORT_Memcmp(attribute->pValue,testAttr.pValue,testAttr.ulValueLen)!= 0)){
1423
/* something didn't match, this isn't the object we are looking for */
1426
/* free the buffer we may have allocated */
1434
lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
1435
const CK_ATTRIBUTE *templ, CK_ULONG count)
1437
PRBool match = PR_TRUE;
1438
LGObjectCache *obj = lg_NewObjectCache(sdb, dbKey, class);
1445
for (i=0; i < count; i++) {
1446
match = lg_cmpAttribute(obj, &templ[i]);
1452
/* done looking, free up our cache */
1453
lg_DestroyObjectCache(obj);
1455
/* if we get through the whole list without finding a mismatched attribute,
1456
* then this object fits the criteria we are matching */
1461
lg_SetCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
1462
const void *value, unsigned int len)
1464
NSSLOWCERTCertificate *cert;
1465
NSSLOWCERTCertDBHandle *certHandle;
1466
char *nickname = NULL;
1470
/* we can't change the EMAIL values, but let the
1471
* upper layers feel better about the fact we tried to set these */
1472
if (type == CKA_NETSCAPE_EMAIL) {
1476
certHandle = lg_getCertDB(obj->sdb);
1477
if (certHandle == NULL) {
1478
crv = CKR_TOKEN_WRITE_PROTECTED;
1482
if ((type != CKA_LABEL) && (type != CKA_ID)) {
1483
crv = CKR_ATTRIBUTE_READ_ONLY;
1487
cert = lg_getCert(obj, certHandle);
1489
crv = CKR_OBJECT_HANDLE_INVALID;
1493
/* if the app is trying to set CKA_ID, it's probably because it just
1494
* imported the key. Look to see if we need to set the CERTDB_USER bits.
1496
if (type == CKA_ID) {
1497
if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
1498
((cert->trust->emailFlags & CERTDB_USER) == 0) &&
1499
((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
1500
NSSLOWKEYDBHandle *keyHandle;
1502
keyHandle = lg_getKeyDB(obj->sdb);
1504
if (nsslowkey_KeyForCertExists(keyHandle, cert)) {
1505
NSSLOWCERTCertTrust trust = *cert->trust;
1506
trust.sslFlags |= CERTDB_USER;
1507
trust.emailFlags |= CERTDB_USER;
1508
trust.objectSigningFlags |= CERTDB_USER;
1509
nsslowcert_ChangeCertTrust(certHandle,cert,&trust);
1517
/* must be CKA_LABEL */
1518
if (value != NULL) {
1519
nickname = PORT_ZAlloc(len+1);
1520
if (nickname == NULL) {
1521
crv = CKR_HOST_MEMORY;
1524
PORT_Memcpy(nickname,value,len);
1527
rv = nsslowcert_AddPermNickname(certHandle, cert, nickname);
1528
crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
1532
PORT_Free(nickname);
1538
lg_SetPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
1539
const void *value, unsigned int len,
1540
PRBool *writePrivate)
1542
NSSLOWKEYPrivateKey *privKey;
1543
NSSLOWKEYDBHandle *keyHandle;
1544
char *nickname = NULL;
1548
/* we can't change the ID and we don't store the subject, but let the
1549
* upper layers feel better about the fact we tried to set these */
1550
if ((type == CKA_ID) || (type == CKA_SUBJECT)) {
1554
keyHandle = lg_getKeyDB(obj->sdb);
1555
if (keyHandle == NULL) {
1556
crv = CKR_TOKEN_WRITE_PROTECTED;
1560
privKey = lg_GetPrivateKeyWithDB(obj, keyHandle);
1561
if (privKey == NULL) {
1562
crv = CKR_OBJECT_HANDLE_INVALID;
1566
crv = CKR_ATTRIBUTE_READ_ONLY;
1569
if (value != NULL) {
1570
nickname = PORT_ZAlloc(len+1);
1571
if (nickname == NULL) {
1572
crv = CKR_HOST_MEMORY;
1575
PORT_Memcpy(nickname,value,len);
1578
rv = nsslowkey_UpdateNickname(keyHandle, privKey, &obj->dbKey,
1579
nickname, obj->sdb);
1580
crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
1583
case CKA_PRIVATE_EXPONENT:
1586
case CKA_EXPONENT_1:
1587
case CKA_EXPONENT_2:
1588
case CKA_COEFFICIENT:
1589
/* We aren't really changing these values, we are just triggering
1590
* the database to update it's entry */
1595
crv = CKR_ATTRIBUTE_READ_ONLY;
1600
PORT_Free(nickname);
1606
lg_SetTrustAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr)
1610
NSSLOWCERTCertificate *cert;
1611
NSSLOWCERTCertDBHandle *certHandle;
1612
NSSLOWCERTCertTrust dbTrust;
1616
crv = lg_GetULongAttribute(attr->type, attr, 1, &trust);
1617
if (crv != CKR_OK) {
1620
flags = lg_MapTrust(trust, (PRBool) (attr->type == CKA_TRUST_SERVER_AUTH));
1622
certHandle = lg_getCertDB(obj->sdb);
1624
if (certHandle == NULL) {
1625
crv = CKR_TOKEN_WRITE_PROTECTED;
1629
cert = lg_getCert(obj, certHandle);
1631
crv = CKR_OBJECT_HANDLE_INVALID;
1634
dbTrust = *cert->trust;
1636
switch (attr->type) {
1637
case CKA_TRUST_EMAIL_PROTECTION:
1638
dbTrust.emailFlags = flags |
1639
(cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS);
1641
case CKA_TRUST_CODE_SIGNING:
1642
dbTrust.objectSigningFlags = flags |
1643
(cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS);
1645
case CKA_TRUST_CLIENT_AUTH:
1646
dbTrust.sslFlags = flags | (cert->trust->sslFlags &
1647
(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CA));
1649
case CKA_TRUST_SERVER_AUTH:
1650
dbTrust.sslFlags = flags | (cert->trust->sslFlags &
1651
(CERTDB_PRESERVE_TRUST_BITS|CERTDB_TRUSTED_CLIENT_CA));
1654
crv = CKR_ATTRIBUTE_READ_ONLY;
1658
rv = nsslowcert_ChangeCertTrust(certHandle, cert, &dbTrust);
1659
crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
1665
lg_SetSingleAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr,
1666
PRBool *writePrivate)
1668
CK_ATTRIBUTE attribLocal;
1671
/* Make sure the attribute exists first */
1672
attribLocal.type = attr->type;
1673
attribLocal.pValue = NULL;
1674
attribLocal.ulValueLen = 0;
1675
crv = lg_GetSingleAttribute(obj, &attribLocal);
1676
if (crv != CKR_OK) {
1680
/* if we are just setting it to the value we already have,
1681
* allow it to happen. Let label setting go through so
1682
* we have the opportunity to repair any database corruption. */
1683
if (attr->type != CKA_LABEL) {
1684
if (lg_cmpAttribute(obj,attr)) {
1689
crv = CKR_ATTRIBUTE_READ_ONLY;
1690
switch (obj->objclass) {
1691
case CKO_CERTIFICATE:
1692
/* change NICKNAME, EMAIL, */
1693
crv = lg_SetCertAttribute(obj,attr->type,
1694
attr->pValue,attr->ulValueLen);
1696
case CKO_NETSCAPE_CRL:
1699
case CKO_NETSCAPE_TRUST:
1700
crv = lg_SetTrustAttribute(obj,attr);
1702
case CKO_PRIVATE_KEY:
1703
case CKO_SECRET_KEY:
1704
crv = lg_SetPrivateKeyAttribute(obj,attr->type,
1705
attr->pValue,attr->ulValueLen, writePrivate);
1712
* Fill in the attribute template based on the data in the database.
1715
lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle,
1716
const CK_ATTRIBUTE *templ, CK_ULONG count)
1718
LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
1719
CK_RV crv, crvCollect = CKR_OK;
1720
PRBool writePrivate = PR_FALSE;
1724
return CKR_OBJECT_HANDLE_INVALID;
1727
for (i=0; i < count; i++) {
1728
crv = lg_SetSingleAttribute(obj, &templ[i], &writePrivate);
1729
if (crvCollect == CKR_OK) crvCollect = crv;
1732
/* Write any collected changes out for private and secret keys.
1733
* don't do the write for just the label */
1735
NSSLOWKEYPrivateKey *privKey = lg_GetPrivateKey(obj);
1736
SECStatus rv = SECFailure;
1737
char * label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
1740
rv = nsslowkey_StoreKeyByPublicKeyAlg(lg_getKeyDB(sdb), privKey,
1741
&obj->dbKey, label, sdb, PR_TRUE );
1743
if (rv != SECSuccess) {
1744
crv = CKR_DEVICE_ERROR;
1748
lg_DestroyObjectCache(obj);