175
176
#define CAMELLIA_ENCRYPT_OID MITSUBISHI_ALG,1
176
177
#define CAMELLIA_WRAP_OID MITSUBISHI_ALG,3
179
/* for SEED : iso(1) member-body(2) korea(410)
180
* kisa(200004) algorithm(1)
182
#define SEED_OID 0x2a,0x83,0x1a,0x8c,0x9a,0x44,0x01
178
184
#define CONST_OID static const unsigned char
180
186
CONST_OID md2[] = { DIGEST, 0x02 };
567
573
CONST_OID secgECsect571k1[] = {SECG_OID, 0x26 };
568
574
CONST_OID secgECsect571r1[] = {SECG_OID, 0x27 };
576
CONST_OID seed_CBC[] = { SEED_OID, 4 };
570
578
#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
571
579
#ifndef SECOID_NO_STRINGS
572
580
#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
584
592
* NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h!
586
const static SECOidData oids[] = {
594
const static SECOidData oids[SEC_OID_TOTAL] = {
587
595
{ { siDEROID, NULL, 0 }, SEC_OID_UNKNOWN,
588
596
"Unknown OID", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION },
589
597
OD( md2, SEC_OID_MD2, "MD2", CKM_MD2, INVALID_CERT_EXTENSION ),
634
642
INVALID_CERT_EXTENSION ),
636
644
OD( pkcs5PbeWithMD2AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC,
637
"PKCS #5 Password Based Encryption with MD2 and DES CBC",
645
"PKCS #5 Password Based Encryption with MD2 and DES-CBC",
638
646
CKM_PBE_MD2_DES_CBC, INVALID_CERT_EXTENSION ),
639
647
OD( pkcs5PbeWithMD5AndDEScbc, SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC,
640
"PKCS #5 Password Based Encryption with MD5 and DES CBC",
648
"PKCS #5 Password Based Encryption with MD5 and DES-CBC",
641
649
CKM_PBE_MD5_DES_CBC, INVALID_CERT_EXTENSION ),
642
650
OD( pkcs5PbeWithSha1AndDEScbc, SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC,
643
"PKCS #5 Password Based Encryption with SHA1 and DES CBC",
651
"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC",
644
652
CKM_NETSCAPE_PBE_SHA1_DES_CBC, INVALID_CERT_EXTENSION ),
645
653
OD( pkcs7, SEC_OID_PKCS7,
646
654
"PKCS #7", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
909
917
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
910
918
OD( pkcs12PBEWithSha1And128BitRC4,
911
919
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4,
912
"PKCS #12 PBE With Sha1 and 128 Bit RC4",
920
"PKCS #12 PBE With SHA-1 and 128 Bit RC4",
913
921
CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4, INVALID_CERT_EXTENSION ),
914
922
OD( pkcs12PBEWithSha1And40BitRC4,
915
923
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4,
916
"PKCS #12 PBE With Sha1 and 40 Bit RC4",
924
"PKCS #12 PBE With SHA-1 and 40 Bit RC4",
917
925
CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4, INVALID_CERT_EXTENSION ),
918
926
OD( pkcs12PBEWithSha1AndTripleDESCBC,
919
927
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC,
920
"PKCS #12 PBE With Sha1 and Triple DES CBC",
928
"PKCS #12 PBE With SHA-1 and Triple DES-CBC",
921
929
CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, INVALID_CERT_EXTENSION ),
922
930
OD( pkcs12PBEWithSha1And128BitRC2CBC,
923
931
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
924
"PKCS #12 PBE With Sha1 and 128 Bit RC2 CBC",
932
"PKCS #12 PBE With SHA-1 and 128 Bit RC2 CBC",
925
933
CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
926
934
OD( pkcs12PBEWithSha1And40BitRC2CBC,
927
935
SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
928
"PKCS #12 PBE With Sha1 and 40 Bit RC2 CBC",
936
"PKCS #12 PBE With SHA-1 and 40 Bit RC2 CBC",
929
937
CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC, INVALID_CERT_EXTENSION ),
930
938
OD( pkcs12RSAEncryptionWith128BitRC4,
931
939
SEC_OID_PKCS12_RSA_ENCRYPTION_WITH_128_BIT_RC4,
949
957
"ANSI X9.57 DSA Signature", CKM_DSA, INVALID_CERT_EXTENSION ),
950
958
OD( ansix9DSASignaturewithSHA1Digest,
951
959
SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST,
952
"ANSI X9.57 DSA Signature with SHA1 Digest",
960
"ANSI X9.57 DSA Signature with SHA-1 Digest",
953
961
CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
954
962
OD( bogusDSASignaturewithSHA1Digest,
955
963
SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST,
956
"FORTEZZA DSA Signature with SHA1 Digest",
964
"FORTEZZA DSA Signature with SHA-1 Digest",
957
965
CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
959
967
/* verisign oids */
1052
1060
/* pkcs12 v2 oids */
1053
1061
OD( pkcs12V2PBEWithSha1And128BitRC4,
1054
1062
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4,
1055
"PKCS12 V2 PBE With SHA1 And 128 Bit RC4",
1063
"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4",
1056
1064
CKM_PBE_SHA1_RC4_128, INVALID_CERT_EXTENSION ),
1057
1065
OD( pkcs12V2PBEWithSha1And40BitRC4,
1058
1066
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4,
1059
"PKCS12 V2 PBE With SHA1 And 40 Bit RC4",
1067
"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4",
1060
1068
CKM_PBE_SHA1_RC4_40, INVALID_CERT_EXTENSION ),
1061
1069
OD( pkcs12V2PBEWithSha1And3KeyTripleDEScbc,
1062
1070
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC,
1063
"PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc",
1071
"PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC",
1064
1072
CKM_PBE_SHA1_DES3_EDE_CBC, INVALID_CERT_EXTENSION ),
1065
1073
OD( pkcs12V2PBEWithSha1And2KeyTripleDEScbc,
1066
1074
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC,
1067
"PKCS12 V2 PBE With SHA1 And 2KEY Triple DES-cbc",
1075
"PKCS #12 V2 PBE With SHA-1 And 2KEY Triple DES-CBC",
1068
1076
CKM_PBE_SHA1_DES2_EDE_CBC, INVALID_CERT_EXTENSION ),
1069
1077
OD( pkcs12V2PBEWithSha1And128BitRC2cbc,
1070
1078
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC,
1071
"PKCS12 V2 PBE With SHA1 And 128 Bit RC2 CBC",
1079
"PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC",
1072
1080
CKM_PBE_SHA1_RC2_128_CBC, INVALID_CERT_EXTENSION ),
1073
1081
OD( pkcs12V2PBEWithSha1And40BitRC2cbc,
1074
1082
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC,
1075
"PKCS12 V2 PBE With SHA1 And 40 Bit RC2 CBC",
1083
"PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC",
1076
1084
CKM_PBE_SHA1_RC2_40_CBC, INVALID_CERT_EXTENSION ),
1077
1085
OD( pkcs12SafeContentsID, SEC_OID_PKCS12_SAFE_CONTENTS_ID,
1078
1086
"PKCS #12 Safe Contents ID",
1141
1149
"Ephemeral-Static Diffie-Hellman", CKM_INVALID_MECHANISM /* XXX */,
1142
1150
INVALID_CERT_EXTENSION ),
1143
1151
OD( cms3DESwrap, SEC_OID_CMS_3DES_KEY_WRAP,
1144
"CMS 3DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
1152
"CMS Triple DES Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
1145
1153
INVALID_CERT_EXTENSION ),
1146
1154
OD( cmsRC2wrap, SEC_OID_CMS_RC2_KEY_WRAP,
1147
1155
"CMS RC2 Key Wrap", CKM_INVALID_MECHANISM /* XXX */,
1188
1196
INVALID_CERT_EXTENSION ),
1190
1198
OD( aes128_KEY_WRAP, SEC_OID_AES_128_KEY_WRAP,
1191
"AES-128 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1199
"AES-128 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1192
1200
OD( aes192_KEY_WRAP, SEC_OID_AES_192_KEY_WRAP,
1193
"AES-192 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1201
"AES-192 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1194
1202
OD( aes256_KEY_WRAP, SEC_OID_AES_256_KEY_WRAP,
1195
"AES-256 Key Wrap", CKM_NETSCAPE_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1203
"AES-256 Key Wrap", CKM_NSS_AES_KEY_WRAP, INVALID_CERT_EXTENSION),
1197
1205
/* Elliptic Curve Cryptography (ECC) OIDs */
1198
1206
OD( ansix962ECPublicKey, SEC_OID_ANSIX962_EC_PUBLIC_KEY,
1200
1208
INVALID_CERT_EXTENSION ),
1201
1209
OD( ansix962SignaturewithSHA1Digest,
1202
1210
SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE,
1203
"X9.62 ECDSA signature with SHA1", CKM_ECDSA_SHA1,
1211
"X9.62 ECDSA signature with SHA-1", CKM_ECDSA_SHA1,
1204
1212
INVALID_CERT_EXTENSION ),
1206
1214
/* Named curves */
1571
1579
INVALID_CERT_EXTENSION ),
1573
1581
OD( isoSHA1WithRSASignature, SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE,
1574
"ISO SHA1 with RSA Signature",
1582
"ISO SHA-1 with RSA Signature",
1575
1583
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
1585
/* SEED algorithm OIDs */
1586
OD( seed_CBC, SEC_OID_SEED_CBC,
1587
"SEED-CBC", CKM_SEED_CBC, INVALID_CERT_EXTENSION),
1591
/* PRIVATE EXTENDED SECOID Table
1592
* This table is private. Its structure is opaque to the outside.
1593
* It is indexed by the same SECOidTag as the oids table above.
1594
* Every member of this struct must have accessor functions (set, get)
1595
* and those functions must operate by value, not by reference.
1596
* The addresses of the contents of this table must not be exposed
1597
* by the accessor functions.
1599
typedef struct privXOidStr {
1600
PRUint32 notPolicyFlags; /* ones complement of policy flags */
1603
static privXOid xOids[SEC_OID_TOTAL];
1580
1606
* now the dynamic table. The dynamic table gets build at init time.
1581
1607
* and conceivably gets modified if the user loads new crypto modules.
1588
1614
* uninitialized, it is allocated in BSS, and does NOT increase the
1589
1615
* library size.
1618
typedef struct dynXOidStr {
1591
1623
static NSSRWLock * dynOidLock;
1592
1624
static PLArenaPool * dynOidPool;
1593
1625
static PLHashTable * dynOidHash;
1594
static SECOidData ** dynOidTable; /* not in the pool */
1626
static dynXOid ** dynOidTable; /* not in the pool */
1595
1627
static int dynOidEntriesAllocated;
1596
1628
static int dynOidEntriesUsed;
1671
1703
NSSRWLock_LockRead(dynOidLock);
1672
1704
if (dynOidTable != NULL && /* must check it again with lock held. */
1673
1705
tagNumDiff < dynOidEntriesUsed) {
1674
data = dynOidTable[tagNumDiff];
1706
dxo = dynOidTable[tagNumDiff];
1676
1708
NSSRWLock_UnlockRead(dynOidLock);
1679
1711
PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
1735
1767
used = dynOidEntriesUsed;
1737
1769
if (used + 1 > tableEntries) {
1738
SECOidData **newTable;
1770
dynXOid ** newTable;
1739
1771
int newTableEntries = tableEntries + 16;
1741
newTable = (SECOidData **)PORT_Realloc(table,
1742
newTableEntries * sizeof(SECOidData *));
1773
newTable = (dynXOid **)PORT_Realloc(table,
1774
newTableEntries * sizeof(dynXOid *));
1743
1775
if (newTable == NULL) {
1786
1818
return (PLHashNumber) key;
1822
handleHashAlgSupport(char * envVal)
1824
char * myVal = PORT_Strdup(envVal); /* Get a copy we can alter */
1827
while (arg && *arg) {
1828
char * nextArg = PL_strpbrk(arg, ";");
1832
while (*nextArg == ';') {
1836
notEnable = (*arg == '-') ? NSS_USE_ALG_IN_CERT_SIGNATURE : 0;
1837
if ((*arg == '+' || *arg == '-') && *++arg) {
1840
for (i = 1; i < SEC_OID_TOTAL; i++) {
1841
if (oids[i].desc && strstr(arg, oids[i].desc)) {
1842
xOids[i].notPolicyFlags = notEnable |
1843
(xOids[i].notPolicyFlags & ~NSS_USE_ALG_IN_CERT_SIGNATURE);
1849
PORT_Free(myVal); /* can handle NULL argument OK */
1791
1853
SECOID_Init(void)
1793
1855
PLHashEntry *entry;
1794
1856
const SECOidData *oid;
1798
1861
return SECSuccess; /* already initialized */
1864
if (!PR_GetEnv("NSS_ALLOW_WEAK_SIGNATURE_ALG")) {
1865
/* initialize any policy flags that are disabled by default */
1866
xOids[SEC_OID_MD2 ].notPolicyFlags = ~0;
1867
xOids[SEC_OID_MD4 ].notPolicyFlags = ~0;
1868
xOids[SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
1869
xOids[SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION ].notPolicyFlags = ~0;
1870
xOids[SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC].notPolicyFlags = ~0;
1873
envVal = PR_GetEnv("NSS_HASH_ALG_SUPPORT");
1875
handleHashAlgSupport(envVal);
1801
1877
if (secoid_InitDynOidData() != SECSuccess) {
1802
1878
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1803
1879
PORT_Assert(0); /* this function should never fail */
1893
1969
SECOID_FindOIDByTag(SECOidTag tagnum)
1896
1971
if (tagnum >= SEC_OID_TOTAL) {
1897
return secoid_FindDynamicByTag(tagnum);
1972
return (SECOidData *)secoid_FindDynamicByTag(tagnum);
1900
PORT_Assert((unsigned int)tagnum < (sizeof(oids) / sizeof(SECOidData)));
1975
PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
1901
1976
return (SECOidData *)(&oids[tagnum]);
1920
1995
return oidData ? oidData->desc : 0;
1998
/* --------- opaque extended OID table accessor functions ---------------*/
2000
* Any of these functions may return SECSuccess or SECFailure with the error
2001
* code set to SEC_ERROR_UNKNOWN_OBJECT_TYPE if the SECOidTag is out of range.
2005
secoid_FindXOidByTag(SECOidTag tagnum)
2007
if (tagnum >= SEC_OID_TOTAL) {
2008
dynXOid *dxo = secoid_FindDynamicByTag(tagnum);
2009
return (dxo ? &dxo->priv : NULL);
2012
PORT_Assert((unsigned int)tagnum < SEC_OID_TOTAL);
2013
return &xOids[tagnum];
2016
/* The Get function outputs the 32-bit value associated with the SECOidTag.
2017
* Flags bits are the NSS_USE_ALG_ #defines in "secoidt.h".
2018
* Default value for any algorithm is 0xffffffff (enabled for all purposes).
2019
* No value is output if function returns SECFailure.
2022
NSS_GetAlgorithmPolicy(SECOidTag tag, PRUint32 *pValue)
2024
privXOid * pxo = secoid_FindXOidByTag(tag);
2028
PORT_SetError(SEC_ERROR_INVALID_ARGS);
2031
*pValue = ~(pxo->notPolicyFlags);
2035
/* The Set function modifies the stored value according to the following
2037
* policy[tag] = (policy[tag] & ~clearBits) | setBits;
2040
NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits)
2042
privXOid * pxo = secoid_FindXOidByTag(tag);
2043
PRUint32 policyFlags;
2046
/* The stored policy flags are the ones complement of the flags as
2047
* seen by the user. This is not atomic, but these changes should
2048
* be done rarely, e.g. at initialization time.
2050
policyFlags = ~(pxo->notPolicyFlags);
2051
policyFlags = (policyFlags & ~clearBits) | setBits;
2052
pxo->notPolicyFlags = ~policyFlags;
2056
/* --------- END OF opaque extended OID table accessor functions ---------*/
2058
/* for now, this is only used in a single place, so it can remain static */
2059
static PRBool parentForkedAfterC_Initialize;
2061
#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
1924
2064
* free up the oid tables.