mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
319 lines
9.2 KiB
C
319 lines
9.2 KiB
C
/* -*- Mode: C; tab-width: 8 -*-*/
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
/*
|
|
* This file will implement the functions related to key recovery in
|
|
* CMMF
|
|
*/
|
|
|
|
#include "cmmf.h"
|
|
#include "cmmfi.h"
|
|
#include "secitem.h"
|
|
#include "keyhi.h"
|
|
|
|
CMMFKeyRecRepContent*
|
|
CMMF_CreateKeyRecRepContent(void)
|
|
{
|
|
PLArenaPool *poolp;
|
|
CMMFKeyRecRepContent *keyRecContent;
|
|
|
|
poolp = PORT_NewArena(CRMF_DEFAULT_ARENA_SIZE);
|
|
if (poolp == NULL) {
|
|
return NULL;
|
|
}
|
|
keyRecContent = PORT_ArenaZNew(poolp, CMMFKeyRecRepContent);
|
|
if (keyRecContent == NULL) {
|
|
PORT_FreeArena(poolp, PR_FALSE);
|
|
return NULL;
|
|
}
|
|
keyRecContent->poolp = poolp;
|
|
return keyRecContent;
|
|
}
|
|
|
|
SECStatus
|
|
CMMF_DestroyKeyRecRepContent(CMMFKeyRecRepContent *inKeyRecRep)
|
|
{
|
|
PORT_Assert(inKeyRecRep != NULL);
|
|
if (inKeyRecRep != NULL && inKeyRecRep->poolp != NULL) {
|
|
int i;
|
|
|
|
if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert != NULL) {
|
|
CERT_DestroyCertificate(inKeyRecRep->newSigCert);
|
|
}
|
|
if (inKeyRecRep->caCerts != NULL) {
|
|
for (i=0; inKeyRecRep->caCerts[i] != NULL; i++) {
|
|
CERT_DestroyCertificate(inKeyRecRep->caCerts[i]);
|
|
}
|
|
}
|
|
if (inKeyRecRep->keyPairHist != NULL) {
|
|
for (i=0; inKeyRecRep->keyPairHist[i] != NULL; i++) {
|
|
if (inKeyRecRep->keyPairHist[i]->certOrEncCert.choice ==
|
|
cmmfCertificate) {
|
|
CERT_DestroyCertificate(inKeyRecRep->keyPairHist[i]->
|
|
certOrEncCert.cert.certificate);
|
|
}
|
|
}
|
|
}
|
|
PORT_FreeArena(inKeyRecRep->poolp, PR_TRUE);
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
SECStatus
|
|
CMMF_KeyRecRepContentSetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep,
|
|
CMMFPKIStatus inPKIStatus)
|
|
{
|
|
PORT_Assert(inKeyRecRep != NULL && inPKIStatus >= cmmfGranted &&
|
|
inPKIStatus < cmmfNumPKIStatus);
|
|
if (inKeyRecRep == NULL) {
|
|
return SECFailure;
|
|
}
|
|
|
|
return cmmf_PKIStatusInfoSetStatus(&inKeyRecRep->status,
|
|
inKeyRecRep->poolp,
|
|
inPKIStatus);
|
|
}
|
|
|
|
SECStatus
|
|
CMMF_KeyRecRepContentSetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep,
|
|
CERTCertificate *inNewSignCert)
|
|
{
|
|
PORT_Assert (inKeyRecRep != NULL && inNewSignCert != NULL);
|
|
if (inKeyRecRep == NULL || inNewSignCert == NULL) {
|
|
return SECFailure;
|
|
}
|
|
if (!inKeyRecRep->isDecoded && inKeyRecRep->newSigCert) {
|
|
CERT_DestroyCertificate(inKeyRecRep->newSigCert);
|
|
}
|
|
inKeyRecRep->isDecoded = PR_FALSE;
|
|
inKeyRecRep->newSigCert = CERT_DupCertificate(inNewSignCert);
|
|
return (inKeyRecRep->newSigCert == NULL) ? SECFailure : SECSuccess;
|
|
}
|
|
|
|
SECStatus
|
|
CMMF_KeyRecRepContentSetCACerts(CMMFKeyRecRepContent *inKeyRecRep,
|
|
CERTCertList *inCACerts)
|
|
{
|
|
SECStatus rv;
|
|
void *mark;
|
|
|
|
PORT_Assert (inKeyRecRep != NULL && inCACerts != NULL);
|
|
if (inKeyRecRep == NULL || inCACerts == NULL) {
|
|
return SECFailure;
|
|
}
|
|
mark = PORT_ArenaMark(inKeyRecRep->poolp);
|
|
rv = cmmf_ExtractCertsFromList(inCACerts, inKeyRecRep->poolp,
|
|
&inKeyRecRep->caCerts);
|
|
if (rv != SECSuccess) {
|
|
PORT_ArenaRelease(inKeyRecRep->poolp, mark);
|
|
} else {
|
|
PORT_ArenaUnmark(inKeyRecRep->poolp, mark);
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
SECStatus
|
|
CMMF_KeyRecRepContentSetCertifiedKeyPair(CMMFKeyRecRepContent *inKeyRecRep,
|
|
CERTCertificate *inCert,
|
|
SECKEYPrivateKey *inPrivKey,
|
|
SECKEYPublicKey *inPubKey)
|
|
{
|
|
CMMFCertifiedKeyPair *keyPair;
|
|
CRMFEncryptedValue *dummy;
|
|
PLArenaPool *poolp;
|
|
void *mark;
|
|
SECStatus rv;
|
|
|
|
PORT_Assert (inKeyRecRep != NULL &&
|
|
inCert != NULL &&
|
|
inPrivKey != NULL &&
|
|
inPubKey != NULL);
|
|
if (inKeyRecRep == NULL ||
|
|
inCert == NULL ||
|
|
inPrivKey == NULL ||
|
|
inPubKey == NULL) {
|
|
return SECFailure;
|
|
}
|
|
poolp = inKeyRecRep->poolp;
|
|
mark = PORT_ArenaMark(poolp);
|
|
if (inKeyRecRep->keyPairHist == NULL) {
|
|
inKeyRecRep->keyPairHist = PORT_ArenaNewArray(poolp,
|
|
CMMFCertifiedKeyPair*,
|
|
(CMMF_MAX_KEY_PAIRS+1));
|
|
if (inKeyRecRep->keyPairHist == NULL) {
|
|
goto loser;
|
|
}
|
|
inKeyRecRep->allocKeyPairs = CMMF_MAX_KEY_PAIRS;
|
|
inKeyRecRep->numKeyPairs = 0;
|
|
}
|
|
|
|
if (inKeyRecRep->allocKeyPairs == inKeyRecRep->numKeyPairs) {
|
|
goto loser;
|
|
}
|
|
|
|
keyPair = PORT_ArenaZNew(poolp, CMMFCertifiedKeyPair);
|
|
if (keyPair == NULL) {
|
|
goto loser;
|
|
}
|
|
rv = cmmf_CertOrEncCertSetCertificate(&keyPair->certOrEncCert,
|
|
poolp, inCert);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
keyPair->privateKey = PORT_ArenaZNew(poolp, CRMFEncryptedValue);
|
|
if (keyPair->privateKey == NULL) {
|
|
goto loser;
|
|
}
|
|
dummy = crmf_create_encrypted_value_wrapped_privkey(inPrivKey, inPubKey,
|
|
keyPair->privateKey);
|
|
PORT_Assert(dummy == keyPair->privateKey);
|
|
if (dummy != keyPair->privateKey) {
|
|
crmf_destroy_encrypted_value(dummy, PR_TRUE);
|
|
goto loser;
|
|
}
|
|
inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = keyPair;
|
|
inKeyRecRep->numKeyPairs++;
|
|
inKeyRecRep->keyPairHist[inKeyRecRep->numKeyPairs] = NULL;
|
|
PORT_ArenaUnmark(poolp, mark);
|
|
return SECSuccess;
|
|
|
|
loser:
|
|
PORT_ArenaRelease(poolp, mark);
|
|
return SECFailure;
|
|
}
|
|
|
|
CMMFPKIStatus
|
|
CMMF_KeyRecRepContentGetPKIStatusInfoStatus(CMMFKeyRecRepContent *inKeyRecRep)
|
|
{
|
|
PORT_Assert(inKeyRecRep != NULL);
|
|
if (inKeyRecRep == NULL) {
|
|
return cmmfNoPKIStatus;
|
|
}
|
|
return cmmf_PKIStatusInfoGetStatus(&inKeyRecRep->status);
|
|
}
|
|
|
|
CERTCertificate*
|
|
CMMF_KeyRecRepContentGetNewSignCert(CMMFKeyRecRepContent *inKeyRecRep)
|
|
{
|
|
PORT_Assert(inKeyRecRep != NULL);
|
|
if (inKeyRecRep == NULL ||
|
|
inKeyRecRep->newSigCert == NULL) {
|
|
return NULL;
|
|
}
|
|
/* newSigCert may not be a real certificate, it may be a hand decoded
|
|
* cert structure. This code makes sure we hand off a real, fully formed
|
|
* CERTCertificate to the caller. TODO: This should move into the decode
|
|
* portion so that we never wind up with a half formed CERTCertificate
|
|
* here. In this case the call would be to CERT_DupCertificate.
|
|
*/
|
|
return CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
|
|
&inKeyRecRep->newSigCert->signatureWrap.data,
|
|
NULL, PR_FALSE, PR_TRUE);
|
|
}
|
|
|
|
CERTCertList*
|
|
CMMF_KeyRecRepContentGetCACerts(CMMFKeyRecRepContent *inKeyRecRep)
|
|
{
|
|
PORT_Assert(inKeyRecRep != NULL);
|
|
if (inKeyRecRep == NULL || inKeyRecRep->caCerts == NULL) {
|
|
return NULL;
|
|
}
|
|
return cmmf_MakeCertList(inKeyRecRep->caCerts);
|
|
}
|
|
|
|
int
|
|
CMMF_KeyRecRepContentGetNumKeyPairs(CMMFKeyRecRepContent *inKeyRecRep)
|
|
{
|
|
PORT_Assert(inKeyRecRep != NULL);
|
|
return (inKeyRecRep == NULL) ? 0 : inKeyRecRep->numKeyPairs;
|
|
}
|
|
|
|
PRBool
|
|
cmmf_KeyRecRepContentIsValidIndex(CMMFKeyRecRepContent *inKeyRecRep,
|
|
int inIndex)
|
|
{
|
|
int numKeyPairs = CMMF_KeyRecRepContentGetNumKeyPairs(inKeyRecRep);
|
|
|
|
return (PRBool)(inIndex >= 0 && inIndex < numKeyPairs);
|
|
}
|
|
|
|
CMMFCertifiedKeyPair*
|
|
CMMF_KeyRecRepContentGetCertKeyAtIndex(CMMFKeyRecRepContent *inKeyRecRep,
|
|
int inIndex)
|
|
{
|
|
CMMFCertifiedKeyPair *newKeyPair;
|
|
SECStatus rv;
|
|
|
|
PORT_Assert(inKeyRecRep != NULL &&
|
|
cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex));
|
|
if (inKeyRecRep == NULL ||
|
|
!cmmf_KeyRecRepContentIsValidIndex(inKeyRecRep, inIndex)) {
|
|
return NULL;
|
|
}
|
|
newKeyPair = PORT_ZNew(CMMFCertifiedKeyPair);
|
|
if (newKeyPair == NULL) {
|
|
return NULL;
|
|
}
|
|
rv = cmmf_CopyCertifiedKeyPair(NULL, newKeyPair,
|
|
inKeyRecRep->keyPairHist[inIndex]);
|
|
if (rv != SECSuccess) {
|
|
CMMF_DestroyCertifiedKeyPair(newKeyPair);
|
|
newKeyPair = NULL;
|
|
}
|
|
return newKeyPair;
|
|
}
|
|
|
|
SECStatus
|
|
CMMF_CertifiedKeyPairUnwrapPrivKey(CMMFCertifiedKeyPair *inKeyPair,
|
|
SECKEYPrivateKey *inPrivKey,
|
|
SECItem *inNickName,
|
|
PK11SlotInfo *inSlot,
|
|
CERTCertDBHandle *inCertdb,
|
|
SECKEYPrivateKey **destPrivKey,
|
|
void *wincx)
|
|
{
|
|
CERTCertificate *cert;
|
|
SECItem keyUsageValue = {siBuffer, NULL, 0};
|
|
unsigned char keyUsage = 0x0;
|
|
SECKEYPublicKey *pubKey;
|
|
SECStatus rv;
|
|
|
|
PORT_Assert(inKeyPair != NULL &&
|
|
inPrivKey != NULL && inCertdb != NULL);
|
|
if (inKeyPair == NULL ||
|
|
inPrivKey == NULL ||
|
|
inKeyPair->privateKey == NULL ||
|
|
inCertdb == NULL) {
|
|
return SECFailure;
|
|
}
|
|
|
|
cert = CMMF_CertifiedKeyPairGetCertificate(inKeyPair, inCertdb);
|
|
CERT_FindKeyUsageExtension(cert, &keyUsageValue);
|
|
if (keyUsageValue.data != NULL) {
|
|
keyUsage = keyUsageValue.data[3];
|
|
PORT_Free(keyUsageValue.data);
|
|
}
|
|
pubKey = CERT_ExtractPublicKey(cert);
|
|
rv = crmf_encrypted_value_unwrap_priv_key(NULL, inKeyPair->privateKey,
|
|
inPrivKey, pubKey,
|
|
inNickName, inSlot, keyUsage,
|
|
destPrivKey, wincx);
|
|
SECKEY_DestroyPublicKey(pubKey);
|
|
CERT_DestroyCertificate(cert);
|
|
return rv;
|
|
}
|
|
|
|
|
|
PRBool
|
|
CMMF_KeyRecRepContentHasCACerts(CMMFKeyRecRepContent *inKeyRecRep)
|
|
{
|
|
PORT_Assert(inKeyRecRep != NULL);
|
|
if (inKeyRecRep == NULL) {
|
|
return PR_FALSE;
|
|
}
|
|
return (PRBool)(inKeyRecRep->caCerts != NULL &&
|
|
inKeyRecRep->caCerts[0] != NULL);
|
|
}
|