pkcs11.c

来自「支持SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS」· C语言 代码 · 共 1,963 行 · 第 1/5 页

				(pk11_isTrue(object,CKA_TOKEN))) {
	return CKR_SESSION_READ_ONLY;
    }

    if (pk11_isTrue(object, CKA_TOKEN)) {
	if (slot->DB_loaded == PR_FALSE) {
	    /* we are creating a token object, make sure we load the database
	     * first so we don't get duplicates....
	     * ... NOTE: This assumes we are logged in as well!
	     */
	    pk11_importKeyDB(slot);
	    slot->DB_loaded = PR_TRUE;
	}
    }
	
    /* PKCS #11 object ID's are unique for all objects on a
     * token */
    PK11_USE_THREADS(PR_Lock(slot->objectLock);)
    object->handle = slot->tokenIDCount++;
    PK11_USE_THREADS(PR_Unlock(slot->objectLock);)

    /* get the object class */
    attribute = pk11_FindAttribute(object,CKA_CLASS);
    if (attribute == NULL) {
	return CKR_TEMPLATE_INCOMPLETE;
    }
    object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue;
    pk11_FreeAttribute(attribute);

    /* now handle the specific. Get a session handle for these functions
     * to use */
    switch (object->objclass) {
    case CKO_DATA:
	crv = pk11_handleDataObject(session,object);
    case CKO_CERTIFICATE:
	crv = pk11_handleCertObject(session,object);
	break;
    case CKO_PRIVATE_KEY:
    case CKO_PUBLIC_KEY:
    case CKO_SECRET_KEY:
	crv = pk11_handleKeyObject(session,object);
	break;
    default:
	crv = CKR_ATTRIBUTE_VALUE_INVALID;
	break;
    }

    /* can't fail from here on out unless the pk_handlXXX functions have
     * failed the request */
    if (crv != CKR_OK) {
	return crv;
    }

    /* now link the object into the slot and session structures */
    object->slot = slot;
    pk11_AddObject(session,object);

    return CKR_OK;
}

/* import a private key as an object. We don't call handle object.
 * because we the private key came from the key DB and we don't want to
 * write back out again */
static PK11Object *
pk11_importPrivateKey(PK11Slot *slot,SECKEYLowPrivateKey *lowPriv,
							SECItem *dbKey)
{
    PK11Object *privateKey;
    CK_KEY_TYPE key_type;
    CK_BBOOL cktrue = CK_TRUE;
    CK_BBOOL ckfalse = CK_FALSE;
    CK_BBOOL sign = CK_TRUE;
    CK_BBOOL recover = CK_TRUE;
    CK_BBOOL decrypt = CK_TRUE;
    CK_BBOOL derive = CK_FALSE;
    CK_RV crv = CKR_OK;
    CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
    unsigned char cka_id[SHA1_LENGTH];

    /*
     * now lets create an object to hang the attributes off of
     */
    privateKey = pk11_NewObject(slot); /* fill in the handle later */
    if (privateKey == NULL) {
	pk11_FreeObject(privateKey);
	return NULL;
    }

    /* Netscape Private Attribute for dealing with database storeage */	
    if (pk11_AddAttributeType(privateKey, CKA_NETSCAPE_DB,
					pk11_item_expand(dbKey)) ) {
	 pk11_FreeObject(privateKey);
	 return NULL;
    }

    /* now force the CKA_ID */
    SHA1_HashBuf(cka_id, (unsigned char *)dbKey->data, (uint32)dbKey->len);
    if (pk11_AddAttributeType(privateKey, CKA_ID, cka_id, sizeof(cka_id))) {
	 pk11_FreeObject(privateKey);
	 return NULL;
    }


    /* Fill in the common Default values */
    if (pk11_AddAttributeType(privateKey,CKA_CLASS, &privClass,
					sizeof(CK_OBJECT_CLASS)) != CKR_OK) {
	 pk11_FreeObject(privateKey);
	 return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_TOKEN, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_PRIVATE, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_MODIFIABLE, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_LABEL, NULL, 0) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_START_DATE, NULL, 0) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_END_DATE, NULL, 0) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_DERIVE, &ckfalse,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    /* local: well we really don't know for sure... it could have been an 
     * imported key, but it's not a useful attribute anyway. */
    if (pk11_AddAttributeType(privateKey,CKA_LOCAL, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_SUBJECT, NULL, 0) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_SENSITIVE, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_EXTRACTABLE, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    /* is this really true? Maybe we should just say false here? */
    if (pk11_AddAttributeType(privateKey,CKA_ALWAYS_SENSITIVE, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_NEVER_EXTRACTABLE, &ckfalse,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }

    /* Now Set up the parameters to generate the key (based on mechanism) */
    /* NOTE: for safety sake we *DO NOT* remember critical attributes. PKCS #11
     * will look them up again from the database when it needs them.
     */
    switch (lowPriv->keyType) {
    case rsaKey:
	/* format the keys */
	key_type = CKK_RSA;
	sign = CK_TRUE;
	recover = CK_TRUE;
	decrypt = CK_TRUE;
	derive = CK_FALSE;
        /* now fill in the RSA dependent parameters in the public key */
        crv = pk11_AddAttributeType(privateKey,CKA_MODULUS,
			   pk11_item_expand(&lowPriv->u.rsa.modulus));
	if (crv != CKR_OK) break;
        crv = pk11_AddAttributeType(privateKey,CKA_PRIVATE_EXPONENT,NULL,0);
	if (crv != CKR_OK) break;
        crv = pk11_AddAttributeType(privateKey,CKA_PUBLIC_EXPONENT,
			   pk11_item_expand(&lowPriv->u.rsa.publicExponent));
	if (crv != CKR_OK) break;
        crv = pk11_AddAttributeType(privateKey,CKA_PRIME_1,NULL,0);
	if (crv != CKR_OK) break;
        crv = pk11_AddAttributeType(privateKey,CKA_PRIME_2,NULL,0);
	if (crv != CKR_OK) break;
        crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_1,NULL,0);
	if (crv != CKR_OK) break;
        crv = pk11_AddAttributeType(privateKey,CKA_EXPONENT_2,NULL,0);
	if (crv != CKR_OK)  break;
        crv = pk11_AddAttributeType(privateKey,CKA_COEFFICIENT,NULL,0);
	break;
    case dsaKey:
	key_type = CKK_DSA;
	sign = CK_TRUE;
	recover = CK_FALSE;
	decrypt = CK_FALSE;
	derive = CK_FALSE;
	crv = pk11_AddAttributeType(privateKey,CKA_PRIME,
			   pk11_item_expand(&lowPriv->u.dsa.params.prime));
	if (crv != CKR_OK) break;
	crv = pk11_AddAttributeType(privateKey,CKA_SUBPRIME,
			   pk11_item_expand(&lowPriv->u.dsa.params.subPrime));
	if (crv != CKR_OK) break;
	crv = pk11_AddAttributeType(privateKey,CKA_BASE,
			   pk11_item_expand(&lowPriv->u.dsa.params.base));
	if (crv != CKR_OK) break;
	crv = pk11_AddAttributeType(privateKey,CKA_VALUE,NULL,0);
	if (crv != CKR_OK) break;
	break;
    case dhKey:
	key_type = CKK_DH;
	sign = CK_FALSE;
	decrypt = CK_FALSE;
	recover = CK_FALSE;
	derive = CK_TRUE;
	crv = CKR_MECHANISM_INVALID;
	break;
    default:
	crv = CKR_MECHANISM_INVALID;
    }

    if (crv != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }


    if (pk11_AddAttributeType(privateKey,CKA_SIGN, &sign,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_SIGN_RECOVER, &recover,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_DECRYPT, &decrypt,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_UNWRAP, &decrypt,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_DERIVE, &derive,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	pk11_FreeObject(privateKey);
	return NULL;
    }
    if (pk11_AddAttributeType(privateKey,CKA_KEY_TYPE,&key_type,
					     sizeof(CK_KEY_TYPE)) != CKR_OK) {
	 pk11_FreeObject(privateKey);
	 return NULL;
    }
    PK11_USE_THREADS(PR_Lock(slot->objectLock);)
    privateKey->handle = slot->tokenIDCount++;
    privateKey->handle |= (PK11_TOKEN_MAGIC | PK11_TOKEN_TYPE_PRIV);
    PK11_USE_THREADS(PR_Unlock(slot->objectLock);)
    privateKey->objclass = privClass;
    privateKey->slot = slot;
    privateKey->inDB = PR_TRUE;

    return privateKey;
}

/* import a private key or cert as a public key object.*/
static PK11Object *
pk11_importPublicKey(PK11Slot *slot,
	SECKEYLowPrivateKey *lowPriv, CERTCertificate *cert, SECItem *dbKey)
{
    PK11Object *publicKey = NULL;
    CK_KEY_TYPE key_type;
    CK_BBOOL cktrue = CK_TRUE;
    CK_BBOOL ckfalse = CK_FALSE;
    CK_BBOOL verify = CK_TRUE;
    CK_BBOOL recover = CK_TRUE;
    CK_BBOOL encrypt = CK_TRUE;
    CK_BBOOL derive = CK_FALSE;
    CK_RV crv = CKR_OK;
    CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
    unsigned char cka_id[SHA1_LENGTH];
    KeyType keyType = nullKey;
    SECKEYPublicKey *pubKey = NULL;
    CK_ATTRIBUTE theTemplate[2];
    PK11ObjectListElement *objectList = NULL;

    if (lowPriv == NULL) {
	pubKey = CERT_ExtractPublicKey(cert);
	if (pubKey == NULL) {
	    goto failed;
	}
	/* pk11_GetPubItem returns data associated with the public key.
	 * one only needs to free the public key. This comment is here
	 * because this sematic would be non-obvious otherwise. All callers
	 * should include this comment.
	 */
	dbKey = pk11_GetPubItem(pubKey);
	if (dbKey == NULL) {
	    goto failed;
	}
    }
    SHA1_HashBuf(cka_id, (unsigned char *)dbKey->data, (uint32)dbKey->len);
    theTemplate[0].type = CKA_ID;
    theTemplate[0].pValue = cka_id;
    theTemplate[0].ulValueLen = sizeof(cka_id);
    theTemplate[1].type = CKA_CLASS;
    theTemplate[1].pValue = &pubClass;
    theTemplate[1].ulValueLen = sizeof(CK_OBJECT_CLASS);
    crv = pk11_searchObjectList(&objectList,slot->tokObjects,
		slot->objectLock, theTemplate, 2, slot->isLoggedIn);
    if ((crv == CKR_OK) && (objectList != NULL)) {
	goto failed;
    }
    /*
     * now lets create an object to hang the attributes off of
     */
    publicKey = pk11_NewObject(slot); /* fill in the handle later */
    if (publicKey == NULL) {
	goto failed;
    }

    /* now force the CKA_ID */
    if (pk11_AddAttributeType(publicKey, CKA_ID, cka_id, sizeof(cka_id))) {
	goto failed;
    }

    /* Fill in the common Default values */
    if (pk11_AddAttributeType(publicKey,CKA_CLASS,&pubClass,
					sizeof(CK_OBJECT_CLASS)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_TOKEN, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_PRIVATE, &ckfalse,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_MODIFIABLE, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_LABEL, NULL, 0) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_START_DATE, NULL, 0) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_END_DATE, NULL, 0) != CKR_OK) {
	goto failed;
    }
    /* local: well we really don't know for sure... it could have been an 
     * imported key, but it's not a useful attribute anyway. */
    if (pk11_AddAttributeType(publicKey,CKA_LOCAL, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_SUBJECT, NULL, 0) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_SENSITIVE, &ckfalse,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_EXTRACTABLE, &cktrue,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_ALWAYS_SENSITIVE, &ckfalse,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;
    }
    if (pk11_AddAttributeType(publicKey,CKA_NEVER_EXTRACTABLE, &ckfalse,
					      sizeof(CK_BBOOL)) != CKR_OK) {
	goto failed;