Commit 0534b472 authored by Martin Thomson's avatar Martin Thomson

Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH

--HG--
branch : NSS_TLS13_DRAFT19_BRANCH
parents 0f52cc48 c4b72458
......@@ -1590,3 +1590,4 @@ bdf702cc0f766757d8221b1bb9a8a5a12f0183da NSS_3_25_BETA1
cc982d5a9904b9ec478eced92a3eea8ee0ee313a NSS_3_27_BETA1
d36a5c8225914f92c12f8e182d83f5b4727d327b NSS_3_27_BETA2
06ed5314230a8abc5436bdca2cc79e7de7f2828f NSS_3_27_BETA3
32c9bbad265504522441f601333f0b89861a15d1 NSS_3_34_BETA1
......@@ -256,26 +256,41 @@ check_abi()
fi
popd
ABI_PROBLEM_FOUND=0
ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
rm -f ${ABI_REPORT}
PREVDIST=${HGDIR}/baseline/dist
NEWDIST=${HGDIR}/dist
ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
for SO in ${ALL_SOs}; do
if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
touch nss/automation/abi-check/expected-report-$SO.txt
if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt
fi
abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
$PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
> nss/automation/abi-check/new-report-$SO.txt
diff -u nss/automation/abi-check/expected-report-$SO.txt \
nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
> ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt
if [ $? -ne 0 ]; then
ABI_PROBLEM_FOUND=1
fi
if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
ABI_PROBLEM_FOUND=1
fi
diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \
${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
if [ ! -f ${ABI_REPORT} ]; then
ABI_PROBLEM_FOUND=1
fi
done
if [ -s ${ABI_REPORT} ]; then
print_log "FAILED: there are new unexpected ABI changes"
cat ${ABI_REPORT}
return 1
elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then
print_log "FAILED: failure executing the ABI checks"
cat ${ABI_REPORT}
return 1
fi
return 0
......
......@@ -194,6 +194,8 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
PLArenaPool *arena;
void *extHandle;
SECItem signedReq = { siBuffer, NULL, 0 };
SECAlgorithmID signAlg;
SECItem *params = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
......@@ -211,11 +213,25 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
/* Change cert type to RSA-PSS, if desired. */
if (pssCertificate) {
params = SEC_CreateSignatureAlgorithmParameters(arena,
NULL,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
hashAlgTag,
NULL,
privk);
if (!params) {
PORT_FreeArena(arena, PR_FALSE);
SECKEY_DestroySubjectPublicKeyInfo(spki);
SECU_PrintError(progName, "unable to create RSA-PSS parameters");
return SECFailure;
}
spki->algorithm.parameters.data = NULL;
rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0);
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
SECKEY_DestroySubjectPublicKeyInfo(spki);
SECU_PrintError(progName, "unable to set algorithm ID");
return SECFailure;
}
......@@ -256,16 +272,34 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
return SECFailure;
}
/* Sign the request */
signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
if (signAlgTag == SEC_OID_UNKNOWN) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unknown Key or Hash type");
return SECFailure;
PORT_Memset(&signAlg, 0, sizeof(signAlg));
if (pssCertificate) {
rv = SECOID_SetAlgorithmID(arena, &signAlg,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unable to set algorithm ID");
return SECFailure;
}
} else {
signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
if (signAlgTag == SEC_OID_UNKNOWN) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unknown Key or Hash type");
return SECFailure;
}
rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, 0);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unable to set algorithm ID");
return SECFailure;
}
}
rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len,
privk, signAlgTag);
/* Sign the request */
rv = SEC_DerSignDataWithAlgorithmID(arena, &signedReq,
encoding->data, encoding->len,
privk, &signAlg);
if (rv) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "signing of data failed");
......@@ -1183,6 +1217,8 @@ luC(enum usage_level ul, const char *command)
" -o output-cert");
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
" --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
......@@ -1516,6 +1552,8 @@ luR(enum usage_level ul, const char *command)
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
......@@ -1693,6 +1731,8 @@ luS(enum usage_level ul, const char *command)
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
......@@ -1701,6 +1741,8 @@ luS(enum usage_level ul, const char *command)
"");
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
" --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
......@@ -1864,47 +1906,120 @@ MakeV1Cert(CERTCertDBHandle *handle,
return (cert);
}
static SECStatus
SetSignatureAlgorithm(PLArenaPool *arena,
SECAlgorithmID *signAlg,
SECAlgorithmID *spkiAlg,
SECOidTag hashAlgTag,
SECKEYPrivateKey *privKey,
PRBool pssSign)
{
SECStatus rv;
if (pssSign ||
SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
SECItem *srcParams;
SECItem *params;
if (SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
srcParams = &spkiAlg->parameters;
} else {
/* If the issuer's public key is RSA, the parameter field
* of the SPKI should be NULL, which can't be used as a
* basis of RSA-PSS parameters. */
srcParams = NULL;
}
params = SEC_CreateSignatureAlgorithmParameters(arena,
NULL,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
hashAlgTag,
srcParams,
privKey);
if (!params) {
SECU_PrintError(progName, "Could not create RSA-PSS parameters");
return SECFailure;
}
rv = SECOID_SetAlgorithmID(arena, signAlg,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
params);
if (rv != SECSuccess) {
SECU_PrintError(progName, "Could not set signature algorithm id.");
return rv;
}
} else {
KeyType keyType = SECKEY_GetPrivateKeyType(privKey);
SECOidTag algID;
algID = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
if (algID == SEC_OID_UNKNOWN) {
SECU_PrintError(progName, "Unknown key or hash type for issuer.");
return SECFailure;
}
rv = SECOID_SetAlgorithmID(arena, signAlg, algID, 0);
if (rv != SECSuccess) {
SECU_PrintError(progName, "Could not set signature algorithm id.");
return rv;
}
}
return SECSuccess;
}
static SECStatus
SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
SECOidTag hashAlgTag,
SECKEYPrivateKey *privKey, char *issuerNickName,
int certVersion, void *pwarg)
int certVersion, PRBool pssSign, void *pwarg)
{
SECItem der;
SECKEYPrivateKey *caPrivateKey = NULL;
SECStatus rv;
PLArenaPool *arena;
SECOidTag algID;
CERTCertificate *issuer;
void *dummy;
if (!selfsign) {
CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
arena = cert->arena;
if (selfsign) {
issuer = cert;
} else {
issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
if ((CERTCertificate *)NULL == issuer) {
SECU_PrintError(progName, "unable to find issuer with nickname %s",
issuerNickName);
return SECFailure;
rv = SECFailure;
goto done;
}
privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
CERT_DestroyCertificate(issuer);
if (caPrivateKey == NULL) {
SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
return SECFailure;
rv = SECFailure;
CERT_DestroyCertificate(issuer);
goto done;
}
}
arena = cert->arena;
algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag);
if (algID == SEC_OID_UNKNOWN) {
fprintf(stderr, "Unknown key or hash type for issuer.");
if (pssSign &&
(SECKEY_GetPrivateKeyType(privKey) != rsaKey &&
SECKEY_GetPrivateKeyType(privKey) != rsaPssKey)) {
SECU_PrintError(progName, "unable to create RSA-PSS signature with key %s",
issuerNickName);
rv = SECFailure;
if (!selfsign) {
CERT_DestroyCertificate(issuer);
}
goto done;
}
rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
rv = SetSignatureAlgorithm(arena,
&cert->signature,
&issuer->subjectPublicKeyInfo.algorithm,
hashAlgTag,
privKey,
pssSign);
if (!selfsign) {
CERT_DestroyCertificate(issuer);
}
if (rv != SECSuccess) {
fprintf(stderr, "Could not set signature algorithm id.");
goto done;
}
......@@ -1923,7 +2038,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
rv = SECFailure;
goto done;
}
der.len = 0;
......@@ -1936,7 +2052,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
goto done;
}
rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID);
rv = SEC_DerSignDataWithAlgorithmID(arena, &cert->derCert, der.data, der.len,
privKey, &cert->signature);
if (rv != SECSuccess) {
fprintf(stderr, "Could not sign encoded certificate data.\n");
/* result allocated out of the arena, it will be freed
......@@ -1969,6 +2086,7 @@ CreateCert(
certutilExtnList extnList,
const char *extGeneric,
int certVersion,
PRBool pssSign,
SECItem *certDER)
{
void *extHandle = NULL;
......@@ -2029,7 +2147,7 @@ CreateCert(
rv = SignCert(handle, subjectCert, selfsign, hashAlgTag,
*selfsignprivkey, issuerNickName,
certVersion, pwarg);
certVersion, pssSign, pwarg);
if (rv != SECSuccess)
break;
......@@ -2352,6 +2470,7 @@ enum certutilOpts {
opt_GenericExtensions,
opt_NewNickname,
opt_Pss,
opt_PssSign,
opt_Help
};
......@@ -2472,6 +2591,8 @@ static const secuCommandFlag options_init[] =
"new-n" },
{ /* opt_Pss */ 0, PR_FALSE, 0, PR_FALSE,
"pss" },
{ /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE,
"pss-sign" },
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
......@@ -3363,6 +3484,25 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
}
/* --pss-sign is to sign a certificate with RSA-PSS, even if the
* issuer's key is an RSA key. If the key is an RSA-PSS key, the
* generated signature is always RSA-PSS. */
if (certutil.options[opt_PssSign].activated) {
if (!certutil.commands[cmd_CreateNewCert].activated &&
!certutil.commands[cmd_CreateAndAddCert].activated) {
PR_fprintf(PR_STDERR,
"%s -%c: --pss-sign only works with -C or -S.\n",
progName, commandToRun);
return 255;
}
if (keytype != rsaKey) {
PR_fprintf(PR_STDERR,
"%s -%c: --pss-sign only works with RSA keys.\n",
progName, commandToRun);
return 255;
}
}
/* If we need a list of extensions convert the flags into list format */
if (certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
......@@ -3500,6 +3640,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
(certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg
: NULL),
certVersion,
certutil.options[opt_PssSign].activated,
&certDER);
if (rv)
goto shutdown;
......
......@@ -1312,15 +1312,12 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
return;
}
if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
return;
}
if (a->parameters.len == 0 ||
(a->parameters.len == 2 &&
PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
/* No arguments or NULL argument */
} else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
} else {
/* Print args to algorithm */
SECU_PrintAsHex(out, &a->parameters, "Args", level + 1);
......
......@@ -10,7 +10,9 @@
#include <errno.h>
#include <stdio.h>
#include "nss.h"
#include "secport.h"
#include "secutil.h"
#include "ssl.h"
int
......@@ -19,6 +21,43 @@ main(int argc, char **argv)
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
int i;
int errCount = 0;
SECStatus rv;
PRErrorCode err;
char *certDir = NULL;
/* load policy from $SSL_DIR/pkcs11.txt, for testing */
certDir = SECU_DefaultSSLDir();
if (certDir) {
rv = NSS_Init(certDir);
} else {
rv = NSS_NoDB_Init(NULL);
}
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err));
goto out;
}
/* apply policy */
rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n",
PORT_ErrorToString(err));
goto out;
}
/* update the default cipher suites according to the policy */
rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "SSL_OptionSetDefault failed: %s\n",
PORT_ErrorToString(err));
goto out;
}
fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
......@@ -58,5 +97,14 @@ main(int argc, char **argv)
info.isFIPS ? "FIPS" : "",
info.nonStandard ? "nonStandard" : "");
}
out:
rv = NSS_Shutdown();
if (rv != SECSuccess) {
err = PR_GetError();
++errCount;
fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err));
}
return errCount;
}
......@@ -63,6 +63,7 @@ NSS_SRCDIRS = \
pp \
pwdecrypt \
rsaperf \
rsapoptst \
sdrtest \
selfserv \
signtool \
......
......@@ -23,7 +23,7 @@ static const struct test_args test_array[] = {
{ "d_n_q", 0x02, "private exponent, modulus, prime2" },
{ "d_p_q", 0x04, "private exponent, prime1, prime2" },
{ "e_d_q", 0x08, "public exponent, private exponent, prime2" },
{ "e_d_n", 0x10, "public exponent, private exponent, moduls" }
{ "e_d_n", 0x10, "public exponent, private exponent, modulus" }
};
static const int test_array_size =
(sizeof(test_array) / sizeof(struct test_args));
......@@ -58,6 +58,7 @@ const static CK_ATTRIBUTE rsaTemplate[] = {
{ CKA_TOKEN, NULL, 0 },
{ CKA_SENSITIVE, NULL, 0 },
{ CKA_PRIVATE, NULL, 0 },
{ CKA_ID, NULL, 0 },
{ CKA_MODULUS, NULL, 0 },
{ CKA_PUBLIC_EXPONENT, NULL, 0 },
{ CKA_PRIVATE_EXPONENT, NULL, 0 },
......@@ -123,46 +124,77 @@ fail:
#define ATTR_STRING(x) getNameFromAttribute(x)
static void
dumphex(FILE *file, const unsigned char *cpval, int start, int end)
{
int i;
for (i = start; i < end; i++) {
if ((i % 16) == 0)
fprintf(file, "\n ");
fprintf(file, " %02x", cpval[i]);
}
return;
}
void
dumpTemplate(CK_ATTRIBUTE *template, int start, int end)
dumpTemplate(FILE *file, const CK_ATTRIBUTE *template, int start, int end)
{
int i, j;
for (i = 0; i < end; i++) {
int i;
for (i = start; i < end; i++) {
unsigned char cval;
CK_ULONG ulval;
unsigned char *cpval;
const unsigned char *cpval;
fprintf(stderr, "%s:", ATTR_STRING(template[i].type));
fprintf(file, "%s:", ATTR_STRING(template[i].type));
switch (template[i].ulValueLen) {
case 1:
cval = *(unsigned char *)template[i].pValue;
switch (cval) {
case 0:
fprintf(stderr, " false");
fprintf(file, " false");
break;
case 1:
fprintf(stderr, " true");
fprintf(file, " true");
break;
default:
fprintf(stderr, " %d (=0x%02x,'%c')", cval, cval, cval);
fprintf(file, " %d (=0x%02x,'%c')", cval, cval, cval);
break;
}
break;
case sizeof(CK_ULONG):
ulval = *(CK_ULONG *)template[i].pValue;
fprintf(stderr, " %ld (=0x%04lx)", ulval, ulval);
fprintf(file, " %ld (=0x%04lx)", ulval, ulval);
break;
default:
cpval = (unsigned char *)template[i].pValue;
for (j = 0; j < template[i].ulValueLen; j++) {
if ((j % 16) == 0)
fprintf(stderr, "\n ");
fprintf(stderr, " %02x", cpval[j]);
}
cpval = (const unsigned char *)template[i].pValue;
dumphex(file, cpval, 0, template[i].ulValueLen);
break;
}
fprintf(stderr, "\n");
fprintf(file, "\n");
}
}
void
dumpItem(FILE *file, const SECItem *item)
{
const unsigned char *cpval;
if (item == NULL) {
fprintf(file, " pNULL ");
return;
}
if (item->data == NULL) {
fprintf(file, " NULL ");
return;
}
if (item->len == 0) {
fprintf(file, " Empty ");
return;
}
cpval = item->data;
dumphex(file, cpval, 0, item->len);
fprintf(file, " ");
return;
}
PRBool
......@@ -191,6 +223,9 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src,
}
for (i = 0; i < RSA_ATTRIBUTES; i++) {
if (srcTemplate[i].type == CKA_ID) {
continue; /* we purposefully make the CKA_ID different */
}
if (srcTemplate[i].ulValueLen != destTemplate[i].ulValueLen) {
printf("key->%s not equal src_len = %ld, dest_len=%ld\n",
ATTR_STRING(srcTemplate[i].type),
......@@ -204,18 +239,22 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src,
}
if (!areEqual) {
fprintf(stderr, "original key:\n");
dumpTemplate(srcTemplate, 0, RSA_ATTRIBUTES);
dumpTemplate(stderr, srcTemplate, 0, RSA_ATTRIBUTES);
fprintf(stderr, "created key:\n");
dumpTemplate(destTemplate, 0, RSA_ATTRIBUTES);
dumpTemplate(stderr, destTemplate, 0, RSA_ATTRIBUTES);
}
resetTemplate(srcTemplate, 0, RSA_ATTRIBUTES);
resetTemplate(destTemplate, 0, RSA_ATTRIBUTES);
return areEqual;
}
static int exp_exp_prime_fail_count = 0;
#define LEAK_ID 0xf
static int
doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
int mask, void *pwarg)
int mask, int round, void *pwarg)
{
SECKEYPrivateKey *rsaPrivKey;
SECKEYPublicKey *rsaPubKey;
......@@ -227,7 +266,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY;
CK_KEY_TYPE key_type = CKK_RSA;
CK_BBOOL ck_false = CK_FALSE;
CK_BYTE cka_id[2] = { 0, 0 };
int failed = 0;
int leak_found; /* did we find the expected leak */
int expect_leak = 0; /* are we expecting a leak? */
rsaParams.pe = exponent;
rsaParams.keySizeInBits = keySize;
......@@ -259,11 +301,15 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
tstTemplate[3].ulValueLen = sizeof(ck_false);
tstTemplate[4].pValue = &ck_false;
tstTemplate[4].ulValueLen = sizeof(ck_false);
tstHeaderCount = 5;
tstTemplate[5].pValue = &cka_id[0];
tstTemplate[5].ulValueLen = sizeof(cka_id);
tstHeaderCount = 6;
cka_id[0] = round;
if (mask & 1) {
printf("%s\n", test_array[1].description);
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
cka_id[1] = 0;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PUBLIC_EXPONENT);
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
......@@ -271,10 +317,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount + 2, CKA_PRIME_1);
tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
tstHeaderCount +
3,
PR_FALSE);
tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
tstHeaderCount +
3,
PR_FALSE);
if (tstPrivKey == NULL) {
fprintf(stderr, "RSA Populate failed: pubExp mod p\n");
failed = 1;
......@@ -290,6 +336,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
printf("%s\n", test_array[2].description);
/* test the basic2 case, public exponent, modulus, prime2 */
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
cka_id[1] = 1;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PUBLIC_EXPONENT);
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
......@@ -299,10 +346,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
/* test with q in the prime1 position */
tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1;
tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
tstHeaderCount +
3,
PR_FALSE);
tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
tstHeaderCount +
3,
PR_FALSE);
if (tstPrivKey == NULL) {
fprintf(stderr, "RSA Populate failed: pubExp mod q\n");
failed = 1;
......@@ -318,6 +365,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
printf("%s\n", test_array[3].description);
/* test the medium case, private exponent, prime1, prime2 */
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
cka_id[1] = 2;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PRIVATE_EXPONENT);
......@@ -329,10 +377,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1;
tstTemplate[tstHeaderCount + 1].type = CKA_PRIME_2;
tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,