mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-10 01:40:17 +01:00
351 lines
11 KiB
C
351 lines
11 KiB
C
|
/* -*- Mode: C; tab-width: 8 -*-*/
|
||
|
/* ***** BEGIN LICENSE BLOCK *****
|
||
|
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
|
||
|
*
|
||
|
* The contents of this file are subject to the Mozilla Public License Version
|
||
|
* 1.1 (the "License"); you may not use this file except in compliance with
|
||
|
* the License. You may obtain a copy of the License at
|
||
|
* http://www.mozilla.org/MPL/
|
||
|
*
|
||
|
* Software distributed under the License is distributed on an "AS IS" basis,
|
||
|
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
|
||
|
* for the specific language governing rights and limitations under the
|
||
|
* License.
|
||
|
*
|
||
|
* The Original Code is the Netscape security libraries.
|
||
|
*
|
||
|
* The Initial Developer of the Original Code is
|
||
|
* Netscape Communications Corporation.
|
||
|
* Portions created by the Initial Developer are Copyright (C) 1994-2000
|
||
|
* the Initial Developer. All Rights Reserved.
|
||
|
*
|
||
|
* Contributor(s):
|
||
|
*
|
||
|
* Alternatively, the contents of this file may be used under the terms of
|
||
|
* either the GNU General Public License Version 2 or later (the "GPL"), or
|
||
|
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
|
||
|
* in which case the provisions of the GPL or the LGPL are applicable instead
|
||
|
* of those above. If you wish to allow use of your version of this file only
|
||
|
* under the terms of either the GPL or the LGPL, and not to allow others to
|
||
|
* use your version of this file under the terms of the MPL, indicate your
|
||
|
* decision by deleting the provisions above and replace them with the notice
|
||
|
* and other provisions required by the GPL or the LGPL. If you do not delete
|
||
|
* the provisions above, a recipient may use your version of this file under
|
||
|
* the terms of any one of the MPL, the GPL or the LGPL.
|
||
|
*
|
||
|
* ***** END LICENSE BLOCK ***** */
|
||
|
|
||
|
/*
|
||
|
* This file will implement the functions related to key recovery in
|
||
|
* CMMF
|
||
|
*/
|
||
|
|
||
|
#include "cmmf.h"
|
||
|
#include "cmmfi.h"
|
||
|
#include "secitem.h"
|
||
|
#include "keyhi.h"
|
||
|
|
||
|
CMMFKeyRecRepContent*
|
||
|
CMMF_CreateKeyRecRepContent(void)
|
||
|
{
|
||
|
PRArenaPool *poolp;
|
||
|
CMMFKeyRecRepContent *keyRecContent;
|
||
|
|
||
|
poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
|
||
|
if (poolp == NULL) {
|
||
|
return NULL;
|
||
|
}
|
||
|
keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
|
||
|
if (keyRecContent == NULL) {
|
||
|
PORT_FreeArena(poolp, PR_FALSE);
|
||
|
return NULL;
|
||
|
}
|
||
|
keyRecContent->poolp = poolp;
|
||
|
return keyRecContent;
|
||
|
}
|
||
|
|
||
|
SECStatus
|
||
|
CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep)
|
||
|
{
|
||
|
PORT_Assert(inKeyRecRep != NULL);
|
||
|
if (inKeyRecRep != NULL && inKeyRecRep->poolp != NULL) {
|
||
|
int i;
|
||
|
|
||
|
if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert != NULL) {
|
||
|
CERT_DestroyCertificate(inKeyRecRep->newSigCert);
|
||
|
}
|
||
|
if (inKeyRecRep->caCerts != NULL) {
|
||
|
for (i=0; inKeyRecRep->caCerts[i] != NULL; i++) {
|
||
|
CERT_DestroyCertificate(inKeyRecRep->caCerts[i]);
|
||
|
}
|
||
|
}
|
||
|
if (inKeyRecRep->keyPairHist != NULL) {
|
||
|
for (i=0; inKeyRecRep->keyPairHist[i] != NULL; i++) {
|
||
|
if (inKeyRecRep->keyPairHist[i]->certOrEncCert.choice ==
|
||
|
cmmfCertificate) {
|
||
|
CERT_DestroyCertificate(inKeyRecRep->keyPairHist[i]->
|
||
|
certOrEncCert.cert.certificate);
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
PORT_FreeArena(inKeyRecRep->poolp, PR_TRUE);
|
||
|
}
|
||
|
return SECSuccess;
|
||
|
}
|
||
|
|
||
|
SECStatus
|
||
|
CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
|
||
|
CMMFPKIStatus inPKIStatus)
|
||
|
{
|
||
|
PORT_Assert(inKeyRecRep != NULL && inPKIStatus >= cmmfGranted &&
|
||
|
inPKIStatus < cmmfNumPKIStatus);
|
||
|
if (inKeyRecRep == NULL) {
|
||
|
return SECFailure;
|
||
|
}
|
||
|
|
||
|
return cmmf_PKIStatusInfoSetStatus(&inKeyRecRep->status,
|
||
|
inKeyRecRep->poolp,
|
||
|
inPKIStatus);
|
||
|
}
|
||
|
|
||
|
SECStatus
|
||
|
CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
|
||
|
CERTCertificate *inNewSignCert)
|
||
|
{
|
||
|
PORT_Assert (inKeyRecRep != NULL && inNewSignCert != NULL);
|
||
|
if (inKeyRecRep == NULL || inNewSignCert == NULL) {
|
||
|
return SECFailure;
|
||
|
}
|
||
|
if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert) {
|
||
|
CERT_DestroyCertificate(inKeyRecRep->newSigCert);
|
||
|
}
|
||
|
inKeyRecRep->isDecoded = PR_FALSE;
|
||
|
inKeyRecRep->newSigCert = CERT_DupCertificate(inNewSignCert);
|
||
|
return (inKeyRecRep->newSigCert == NULL) ? SECFailure : SECSuccess;
|
||
|
}
|
||
|
|
||
|
SECStatus
|
||
|
CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
|
||
|
CERTCertList *inCACerts)
|
||
|
{
|
||
|
SECStatus rv;
|
||
|
void *mark;
|
||
|
|
||
|
PORT_Assert (inKeyRecRep != NULL && inCACerts != NULL);
|
||
|
if (inKeyRecRep == NULL || inCACerts == NULL) {
|
||
|
return SECFailure;
|
||
|
}
|
||
|
mark = PORT_ArenaMark(inKeyRecRep->poolp);
|
||
|
rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
|
||
|
&inKeyRecRep->caCerts);
|
||
|
if (rv != SECSuccess) {
|
||
|
PORT_ArenaRelease(inKeyRecRep->poolp, mark);
|
||
|
} else {
|
||
|
PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
|
||
|
}
|
||
|
return rv;
|
||
|
}
|
||
|
|
||
|
SECStatus
|
||
|
CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
|
||
|
CERTCertificate *inCert,
|
||
|
SECKEYPrivateKey *inPrivKey,
|
||
|
SECKEYPublicKey *inPubKey)
|
||
|
{
|
||
|
CMMFCertifiedKeyPair *keyPair;
|
||
|
CRMFEncryptedValue *dummy;
|
||
|
PRArenaPool *poolp;
|
||
|
void *mark;
|
||
|
SECStatus rv;
|
||
|
|
||
|
PORT_Assert (inKeyRecRep != NULL &&
|
||
|
inCert != NULL &&
|
||
|
inPrivKey != NULL &&
|
||
|
inPubKey != NULL);
|
||
|
if (inKeyRecRep == NULL ||
|
||
|
inCert == NULL ||
|
||
|
inPrivKey == NULL ||
|
||
|
inPubKey == NULL) {
|
||
|
return SECFailure;
|
||
|
}
|
||
|
poolp = inKeyRecRep->poolp;
|
||
|
mark = PORT_ArenaMark(poolp);
|
||
|
if (inKeyRecRep->keyPairHist == NULL) {
|
||
|
inKeyRecRep->keyPairHist = PORT_ArenaNewArray(poolp,
|
||
|
CMMFCertifiedKeyPair*,
|
||
|
(CMMF_MAX_KEY_PAIRS+1));
|
||
|
if (inKeyRecRep->keyPairHist == NULL) {
|
||
|
goto loser;
|
||
|
}
|
||
|
inKeyRecRep->allocKeyPairs = CMMF_MAX_KEY_PAIRS;
|
||
|
inKeyRecRep->numKeyPairs = 0;
|
||
|
}
|
||
|
|
||
|
if (inKeyRecRep->allocKeyPairs == inKeyRecRep->numKeyPairs) {
|
||
|
goto loser;
|
||
|
}
|
||
|
|
||
|
keyPair = PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
|
||
|
if (keyPair == NULL) {
|
||
|
goto loser;
|
||
|
}
|
||
|
rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert,
|
||
|
poolp, inCert);
|
||
|
if (rv != SECSuccess) {
|
||
|
goto loser;
|
||
|
}
|
||
|
keyPair->privateKey = PORT_ArenaZNew(poolp, CRMFEncryptedValue);
|
||
|
if (keyPair->privateKey == NULL) {
|
||
|
goto loser;
|
||
|
}
|
||
|
dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey, inPubKey,
|
||
|
keyPair->privateKey);
|
||
|
PORT_Assert(dummy == keyPair->privateKey);
|
||
|
if (dummy != keyPair->privateKey) {
|
||
|
crmf_destroy_encrypted_value(dummy, PR_TRUE);
|
||
|
goto loser;
|
||
|
}
|
||
|
inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = keyPair;
|
||
|
inKeyRecRep->numKeyPairs++;
|
||
|
inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = NULL;
|
||
|
PORT_ArenaUnmark(poolp, mark);
|
||
|
return SECSuccess;
|
||
|
|
||
|
loser:
|
||
|
PORT_ArenaRelease(poolp, mark);
|
||
|
return SECFailure;
|
||
|
}
|
||
|
|
||
|
CMMFPKIStatus
|
||
|
CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep)
|
||
|
{
|
||
|
PORT_Assert(inKeyRecRep != NULL);
|
||
|
if (inKeyRecRep == NULL) {
|
||
|
return cmmfNoPKIStatus;
|
||
|
}
|
||
|
return cmmf_PKIStatusInfoGetStatus(&inKeyRecRep->status);
|
||
|
}
|
||
|
|
||
|
CERTCertificate*
|
||
|
CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep)
|
||
|
{
|
||
|
PORT_Assert(inKeyRecRep != NULL);
|
||
|
if (inKeyRecRep == NULL ||
|
||
|
inKeyRecRep->newSigCert == NULL) {
|
||
|
return NULL;
|
||
|
}
|
||
|
/* newSigCert may not be a real certificate, it may be a hand decoded
|
||
|
* cert structure. This code makes sure we hand off a real, fully formed
|
||
|
* CERTCertificate to the caller. TODO: This should move into the decode
|
||
|
* portion so that we never wind up with a half formed CERTCertificate
|
||
|
* here. In this case the call would be to CERT_DupCertificate.
|
||
|
*/
|
||
|
return CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
|
||
|
&inKeyRecRep->newSigCert->signatureWrap.data,
|
||
|
NULL, PR_FALSE, PR_TRUE);
|
||
|
}
|
||
|
|
||
|
CERTCertList*
|
||
|
CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep)
|
||
|
{
|
||
|
PORT_Assert(inKeyRecRep != NULL);
|
||
|
if (inKeyRecRep == NULL || inKeyRecRep->caCerts == NULL) {
|
||
|
return NULL;
|
||
|
}
|
||
|
return cmmf_MakeCertList(inKeyRecRep->caCerts);
|
||
|
}
|
||
|
|
||
|
int
|
||
|
CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep)
|
||
|
{
|
||
|
PORT_Assert(inKeyRecRep != NULL);
|
||
|
return (inKeyRecRep == NULL) ? 0 : inKeyRecRep->numKeyPairs;
|
||
|
}
|
||
|
|
||
|
PRBool
|
||
|
cmmf_KeyRecRepContentIsValidIndex(CMMFKeyRecRepContent *inKeyRecRep,
|
||
|
int inIndex)
|
||
|
{
|
||
|
int numKeyPairs = CMMF_KeyRecRepContentGetNumKeyPairs(inKeyRecRep);
|
||
|
|
||
|
return (PRBool)(inIndex >= 0 && inIndex < numKeyPairs);
|
||
|
}
|
||
|
|
||
|
CMMFCertifiedKeyPair*
|
||
|
CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
|
||
|
int inIndex)
|
||
|
{
|
||
|
CMMFCertifiedKeyPair *newKeyPair;
|
||
|
SECStatus rv;
|
||
|
|
||
|
PORT_Assert(inKeyRecRep != NULL &&
|
||
|
cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex));
|
||
|
if (inKeyRecRep == NULL ||
|
||
|
!cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex)) {
|
||
|
return NULL;
|
||
|
}
|
||
|
newKeyPair = PORT_ZNew(CMMFCertifiedKeyPair);
|
||
|
if (newKeyPair == NULL) {
|
||
|
return NULL;
|
||
|
}
|
||
|
rv = cmmf_CopyCertifiedKeyPair(NULL, newKeyPair,
|
||
|
inKeyRecRep->keyPairHist[inIndex]);
|
||
|
if (rv != SECSuccess) {
|
||
|
CMMF_DestroyCertifiedKeyPair(newKeyPair);
|
||
|
newKeyPair = NULL;
|
||
|
}
|
||
|
return newKeyPair;
|
||
|
}
|
||
|
|
||
|
SECStatus
|
||
|
CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
|
||
|
SECKEYPrivateKey *inPrivKey,
|
||
|
SECItem *inNickName,
|
||
|
PK11SlotInfo *inSlot,
|
||
|
CERTCertDBHandle *inCertdb,
|
||
|
SECKEYPrivateKey **destPrivKey,
|
||
|
void *wincx)
|
||
|
{
|
||
|
CERTCertificate *cert;
|
||
|
SECItem keyUsageValue = {siBuffer, NULL, 0};
|
||
|
unsigned char keyUsage = 0x0;
|
||
|
SECKEYPublicKey *pubKey;
|
||
|
SECStatus rv;
|
||
|
|
||
|
PORT_Assert(inKeyPair != NULL &&
|
||
|
inPrivKey != NULL && inCertdb != NULL);
|
||
|
if (inKeyPair == NULL ||
|
||
|
inPrivKey == NULL ||
|
||
|
inKeyPair->privateKey == NULL ||
|
||
|
inCertdb == NULL) {
|
||
|
return SECFailure;
|
||
|
}
|
||
|
|
||
|
cert = CMMF_CertifiedKeyPairGetCertificate(inKeyPair, inCertdb);
|
||
|
CERT_FindKeyUsageExtension(cert, &keyUsageValue);
|
||
|
if (keyUsageValue.data != NULL) {
|
||
|
keyUsage = keyUsageValue.data[3];
|
||
|
PORT_Free(keyUsageValue.data);
|
||
|
}
|
||
|
pubKey = CERT_ExtractPublicKey(cert);
|
||
|
rv = crmf_encrypted_value_unwrap_priv_key(NULL, inKeyPair->privateKey,
|
||
|
inPrivKey, pubKey,
|
||
|
inNickName, inSlot, keyUsage,
|
||
|
destPrivKey, wincx);
|
||
|
SECKEY_DestroyPublicKey(pubKey);
|
||
|
CERT_DestroyCertificate(cert);
|
||
|
return rv;
|
||
|
}
|
||
|
|
||
|
|
||
|
PRBool
|
||
|
CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep)
|
||
|
{
|
||
|
PORT_Assert(inKeyRecRep != NULL);
|
||
|
if (inKeyRecRep == NULL) {
|
||
|
return PR_FALSE;
|
||
|
}
|
||
|
return (PRBool)(inKeyRecRep->caCerts != NULL &&
|
||
|
inKeyRecRep->caCerts[0] != NULL);
|
||
|
}
|