Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH
--HG--
branch : NSS_TLS13_DRAFT19_BRANCH
  • Loading branch information
martinthomson committed Nov 6, 2017
2 parents 0f52cc4 + c4b7245 commit 0534b47
Show file tree
Hide file tree
Showing 72 changed files with 4,427 additions and 3,079 deletions.
1 change: 1 addition & 0 deletions .hgtags
Expand Up @@ -1590,3 +1590,4 @@ bdf702cc0f766757d8221b1bb9a8a5a12f0183da NSS_3_25_BETA1
cc982d5a9904b9ec478eced92a3eea8ee0ee313a NSS_3_27_BETA1
d36a5c8225914f92c12f8e182d83f5b4727d327b NSS_3_27_BETA2
06ed5314230a8abc5436bdca2cc79e7de7f2828f NSS_3_27_BETA3
32c9bbad265504522441f601333f0b89861a15d1 NSS_3_34_BETA1
2 changes: 1 addition & 1 deletion automation/abi-check/previous-nss-release
@@ -1 +1 @@
NSS_3_33_BRANCH
NSS_3_34_BRANCH
25 changes: 20 additions & 5 deletions automation/buildbot-slave/build.sh
Expand Up @@ -256,26 +256,41 @@ check_abi()
fi
popd

ABI_PROBLEM_FOUND=0
ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
rm -f ${ABI_REPORT}
PREVDIST=${HGDIR}/baseline/dist
NEWDIST=${HGDIR}/dist
ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
for SO in ${ALL_SOs}; do
if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
touch nss/automation/abi-check/expected-report-$SO.txt
if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt
fi
abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
$PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
> nss/automation/abi-check/new-report-$SO.txt
diff -u nss/automation/abi-check/expected-report-$SO.txt \
nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
> ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt
if [ $? -ne 0 ]; then
ABI_PROBLEM_FOUND=1
fi
if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
ABI_PROBLEM_FOUND=1
fi

diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \
${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
if [ ! -f ${ABI_REPORT} ]; then
ABI_PROBLEM_FOUND=1
fi
done

if [ -s ${ABI_REPORT} ]; then
print_log "FAILED: there are new unexpected ABI changes"
cat ${ABI_REPORT}
return 1
elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then
print_log "FAILED: failure executing the ABI checks"
cat ${ABI_REPORT}
return 1
fi

return 0
Expand Down
195 changes: 168 additions & 27 deletions cmd/certutil/certutil.c
Expand Up @@ -194,6 +194,8 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
PLArenaPool *arena;
void *extHandle;
SECItem signedReq = { siBuffer, NULL, 0 };
SECAlgorithmID signAlg;
SECItem *params = NULL;

arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
Expand All @@ -211,11 +213,25 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,

/* Change cert type to RSA-PSS, if desired. */
if (pssCertificate) {
params = SEC_CreateSignatureAlgorithmParameters(arena,
NULL,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
hashAlgTag,
NULL,
privk);
if (!params) {
PORT_FreeArena(arena, PR_FALSE);
SECKEY_DestroySubjectPublicKeyInfo(spki);
SECU_PrintError(progName, "unable to create RSA-PSS parameters");
return SECFailure;
}

spki->algorithm.parameters.data = NULL;
rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0);
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
SECKEY_DestroySubjectPublicKeyInfo(spki);
SECU_PrintError(progName, "unable to set algorithm ID");
return SECFailure;
}
Expand Down Expand Up @@ -256,16 +272,34 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
return SECFailure;
}

/* Sign the request */
signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
if (signAlgTag == SEC_OID_UNKNOWN) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unknown Key or Hash type");
return SECFailure;
PORT_Memset(&signAlg, 0, sizeof(signAlg));
if (pssCertificate) {
rv = SECOID_SetAlgorithmID(arena, &signAlg,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unable to set algorithm ID");
return SECFailure;
}
} else {
signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
if (signAlgTag == SEC_OID_UNKNOWN) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unknown Key or Hash type");
return SECFailure;
}
rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, 0);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "unable to set algorithm ID");
return SECFailure;
}
}

rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len,
privk, signAlgTag);
/* Sign the request */
rv = SEC_DerSignDataWithAlgorithmID(arena, &signedReq,
encoding->data, encoding->len,
privk, &signAlg);
if (rv) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "signing of data failed");
Expand Down Expand Up @@ -1183,6 +1217,8 @@ luC(enum usage_level ul, const char *command)
" -o output-cert");
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
" --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
Expand Down Expand Up @@ -1516,6 +1552,8 @@ luR(enum usage_level ul, const char *command)
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
Expand Down Expand Up @@ -1693,6 +1731,8 @@ luS(enum usage_level ul, const char *command)
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
Expand All @@ -1701,6 +1741,8 @@ luS(enum usage_level ul, const char *command)
"");
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
" --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
Expand Down Expand Up @@ -1864,47 +1906,120 @@ MakeV1Cert(CERTCertDBHandle *handle,
return (cert);
}

static SECStatus
SetSignatureAlgorithm(PLArenaPool *arena,
SECAlgorithmID *signAlg,
SECAlgorithmID *spkiAlg,
SECOidTag hashAlgTag,
SECKEYPrivateKey *privKey,
PRBool pssSign)
{
SECStatus rv;

if (pssSign ||
SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
SECItem *srcParams;
SECItem *params;

if (SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
srcParams = &spkiAlg->parameters;
} else {
/* If the issuer's public key is RSA, the parameter field
* of the SPKI should be NULL, which can't be used as a
* basis of RSA-PSS parameters. */
srcParams = NULL;
}
params = SEC_CreateSignatureAlgorithmParameters(arena,
NULL,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
hashAlgTag,
srcParams,
privKey);
if (!params) {
SECU_PrintError(progName, "Could not create RSA-PSS parameters");
return SECFailure;
}
rv = SECOID_SetAlgorithmID(arena, signAlg,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
params);
if (rv != SECSuccess) {
SECU_PrintError(progName, "Could not set signature algorithm id.");
return rv;
}
} else {
KeyType keyType = SECKEY_GetPrivateKeyType(privKey);
SECOidTag algID;

algID = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
if (algID == SEC_OID_UNKNOWN) {
SECU_PrintError(progName, "Unknown key or hash type for issuer.");
return SECFailure;
}
rv = SECOID_SetAlgorithmID(arena, signAlg, algID, 0);
if (rv != SECSuccess) {
SECU_PrintError(progName, "Could not set signature algorithm id.");
return rv;
}
}
return SECSuccess;
}

static SECStatus
SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
SECOidTag hashAlgTag,
SECKEYPrivateKey *privKey, char *issuerNickName,
int certVersion, void *pwarg)
int certVersion, PRBool pssSign, void *pwarg)
{
SECItem der;
SECKEYPrivateKey *caPrivateKey = NULL;
SECStatus rv;
PLArenaPool *arena;
SECOidTag algID;
CERTCertificate *issuer;
void *dummy;

if (!selfsign) {
CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
arena = cert->arena;

if (selfsign) {
issuer = cert;
} else {
issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
if ((CERTCertificate *)NULL == issuer) {
SECU_PrintError(progName, "unable to find issuer with nickname %s",
issuerNickName);
return SECFailure;
rv = SECFailure;
goto done;
}

privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
CERT_DestroyCertificate(issuer);
if (caPrivateKey == NULL) {
SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
return SECFailure;
rv = SECFailure;
CERT_DestroyCertificate(issuer);
goto done;
}
}

arena = cert->arena;

algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag);
if (algID == SEC_OID_UNKNOWN) {
fprintf(stderr, "Unknown key or hash type for issuer.");
if (pssSign &&
(SECKEY_GetPrivateKeyType(privKey) != rsaKey &&
SECKEY_GetPrivateKeyType(privKey) != rsaPssKey)) {
SECU_PrintError(progName, "unable to create RSA-PSS signature with key %s",
issuerNickName);
rv = SECFailure;
if (!selfsign) {
CERT_DestroyCertificate(issuer);
}
goto done;
}

rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
rv = SetSignatureAlgorithm(arena,
&cert->signature,
&issuer->subjectPublicKeyInfo.algorithm,
hashAlgTag,
privKey,
pssSign);
if (!selfsign) {
CERT_DestroyCertificate(issuer);
}
if (rv != SECSuccess) {
fprintf(stderr, "Could not set signature algorithm id.");
goto done;
}

Expand All @@ -1923,7 +2038,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
rv = SECFailure;
goto done;
}

der.len = 0;
Expand All @@ -1936,7 +2052,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
goto done;
}

rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID);
rv = SEC_DerSignDataWithAlgorithmID(arena, &cert->derCert, der.data, der.len,
privKey, &cert->signature);
if (rv != SECSuccess) {
fprintf(stderr, "Could not sign encoded certificate data.\n");
/* result allocated out of the arena, it will be freed
Expand Down Expand Up @@ -1969,6 +2086,7 @@ CreateCert(
certutilExtnList extnList,
const char *extGeneric,
int certVersion,
PRBool pssSign,
SECItem *certDER)
{
void *extHandle = NULL;
Expand Down Expand Up @@ -2029,7 +2147,7 @@ CreateCert(

rv = SignCert(handle, subjectCert, selfsign, hashAlgTag,
*selfsignprivkey, issuerNickName,
certVersion, pwarg);
certVersion, pssSign, pwarg);
if (rv != SECSuccess)
break;

Expand Down Expand Up @@ -2352,6 +2470,7 @@ enum certutilOpts {
opt_GenericExtensions,
opt_NewNickname,
opt_Pss,
opt_PssSign,
opt_Help
};

Expand Down Expand Up @@ -2472,6 +2591,8 @@ static const secuCommandFlag options_init[] =
"new-n" },
{ /* opt_Pss */ 0, PR_FALSE, 0, PR_FALSE,
"pss" },
{ /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE,
"pss-sign" },
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))

Expand Down Expand Up @@ -3363,6 +3484,25 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
}

/* --pss-sign is to sign a certificate with RSA-PSS, even if the
* issuer's key is an RSA key. If the key is an RSA-PSS key, the
* generated signature is always RSA-PSS. */
if (certutil.options[opt_PssSign].activated) {
if (!certutil.commands[cmd_CreateNewCert].activated &&
!certutil.commands[cmd_CreateAndAddCert].activated) {
PR_fprintf(PR_STDERR,
"%s -%c: --pss-sign only works with -C or -S.\n",
progName, commandToRun);
return 255;
}
if (keytype != rsaKey) {
PR_fprintf(PR_STDERR,
"%s -%c: --pss-sign only works with RSA keys.\n",
progName, commandToRun);
return 255;
}
}

/* If we need a list of extensions convert the flags into list format */
if (certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
Expand Down Expand Up @@ -3500,6 +3640,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
(certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg
: NULL),
certVersion,
certutil.options[opt_PssSign].activated,
&certDER);
if (rv)
goto shutdown;
Expand Down

0 comments on commit 0534b47

Please sign in to comment.