Skip to content

Commit

Permalink
Bug 1268143 - pk12util can't import PKCS#12 files with SHA-256 MAC, r…
Browse files Browse the repository at this point in the history 
…=rrelyea
  • Loading branch information
@ueno
ueno committed Dec 15, 2016
1 parent 97a58c0 commit b1d3ac1
Show file tree
Hide file tree
Showing 6 changed files with 54 additions and 5 deletions.
4 changes: 4 additions & 0 deletions lib/pk11wrap/pk11mech.c
View file
Expand Up @@ -612,6 +612,10 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
Expand Down
14 changes: 13 additions & 1 deletion lib/pkcs12/p12d.c
View file
Expand Up @@ -1335,11 +1335,23 @@ sec_pkcs12_decoder_verify_mac(SEC_PKCS12DecoderContext *p12dcx)
case SEC_OID_MD2:
integrityMech = CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN;
break;
case SEC_OID_SHA224:
integrityMech = CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN;
break;
case SEC_OID_SHA256:
integrityMech = CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN;
break;
case SEC_OID_SHA384:
integrityMech = CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN;
break;
case SEC_OID_SHA512:
integrityMech = CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN;
break;
default:
goto loser;
}

symKey = PK11_KeyGen(NULL, integrityMech, params, 20, NULL);
symKey = PK11_KeyGen(NULL, integrityMech, params, 0, NULL);
PK11_DestroyPBEParams(params);
params = NULL;
if (!symKey)
Expand Down
11 changes: 7 additions & 4 deletions lib/softoken/lowpbe.c
View file
Expand Up @@ -408,7 +408,6 @@ nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param,
return result;
}

#define HMAC_BUFFER 64
#define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y))
#define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y))
/*
Expand All @@ -430,6 +429,7 @@ nsspkcs5_PKCS12PBE(const SECHashObject *hashObject,
int iter;
unsigned char *iterBuf;
void *hash = NULL;
unsigned int bufferLength;

arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
Expand All @@ -439,8 +439,11 @@ nsspkcs5_PKCS12PBE(const SECHashObject *hashObject,
/* how many hash object lengths are needed */
c = (bytesNeeded + (hashLength - 1)) / hashLength;

/* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */
bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64);

/* initialize our buffers */
D.len = HMAC_BUFFER;
D.len = bufferLength;
/* B and D are the same length, use one alloc go get both */
D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2);
B.len = D.len;
Expand All @@ -452,8 +455,8 @@ nsspkcs5_PKCS12PBE(const SECHashObject *hashObject,
goto loser;
}

SLen = NSSPBE_ROUNDUP(salt->len, HMAC_BUFFER);
PLen = NSSPBE_ROUNDUP(pwitem->len, HMAC_BUFFER);
SLen = NSSPBE_ROUNDUP(salt->len, bufferLength);
PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength);
I.len = SLen + PLen;
I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len);
if (I.data == NULL) {
Expand Down
4 changes: 4 additions & 0 deletions lib/softoken/pkcs11.c
View file
Expand Up @@ -480,6 +480,10 @@ static const struct mechanismList mechanisms[] = {
{ CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN, { 20, 20, CKF_GENERATE }, PR_TRUE },
{ CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
{ CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
{ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 28, 28, CKF_GENERATE }, PR_TRUE },
{ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE },
{ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_TRUE },
{ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 64, 64, CKF_GENERATE }, PR_TRUE },
/* ------------------ AES Key Wrap (also encrypt) ------------------- */
{ CKM_NETSCAPE_AES_KEY_WRAP, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
{ CKM_NETSCAPE_AES_KEY_WRAP_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
Expand Down
20 changes: 20 additions & 0 deletions lib/softoken/pkcs11c.c
View file
Expand Up @@ -3971,6 +3971,22 @@ nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe)
params->hashType = HASH_AlgMD2;
params->keyLen = 16;
break;
case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
params->hashType = HASH_AlgSHA224;
params->keyLen = 28;
break;
case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
params->hashType = HASH_AlgSHA256;
params->keyLen = 32;
break;
case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
params->hashType = HASH_AlgSHA384;
params->keyLen = 48;
break;
case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
params->hashType = HASH_AlgSHA512;
params->keyLen = 64;
break;
default:
PORT_FreeArena(arena, PR_TRUE);
return CKR_MECHANISM_INVALID;
Expand Down Expand Up @@ -4189,6 +4205,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSession,
case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
key_gen_type = nsc_pbe;
key_type = CKK_GENERIC_SECRET;
crv = nsc_SetupHMACKeyGen(pMechanism, &pbe_param);
Expand Down
6 changes: 6 additions & 0 deletions lib/util/pkcs11n.h
View file
Expand Up @@ -222,6 +222,12 @@
#define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 27)
#define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28)

/* Additional PKCS #12 PBE algorithms defined in v1.1 */
#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKM_NSS + 29)
#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKM_NSS + 30)
#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKM_NSS + 31)
#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKM_NSS + 32)

/*
* HISTORICAL:
* Do not attempt to use these. They are only used by NETSCAPE's internal
Expand Down

0 comments on commit b1d3ac1

Please sign in to comment.