1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/softoken/jpakesftk.c Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,350 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#include "seccomon.h"
1.9 +#include "secerr.h"
1.10 +#include "blapi.h"
1.11 +#include "pkcs11i.h"
1.12 +#include "softoken.h"
1.13 +
1.14 +static CK_RV
1.15 +jpake_mapStatus(SECStatus rv, CK_RV invalidArgsMapping) {
1.16 + int err;
1.17 + if (rv == SECSuccess)
1.18 + return CKR_OK;
1.19 + err = PORT_GetError();
1.20 + switch (err) {
1.21 + /* XXX: SEC_ERROR_INVALID_ARGS might be caused by invalid template
1.22 + parameters. */
1.23 + case SEC_ERROR_INVALID_ARGS: return invalidArgsMapping;
1.24 + case SEC_ERROR_BAD_SIGNATURE: return CKR_SIGNATURE_INVALID;
1.25 + case SEC_ERROR_NO_MEMORY: return CKR_HOST_MEMORY;
1.26 + }
1.27 + return CKR_FUNCTION_FAILED;
1.28 +}
1.29 +
1.30 +/* If key is not NULL then the gx value will be stored as an attribute with
1.31 + the type given by the gxAttrType parameter. */
1.32 +static CK_RV
1.33 +jpake_Sign(PLArenaPool * arena, const PQGParams * pqg, HASH_HashType hashType,
1.34 + const SECItem * signerID, const SECItem * x,
1.35 + CK_NSS_JPAKEPublicValue * out)
1.36 +{
1.37 + SECItem gx, gv, r;
1.38 + CK_RV crv;
1.39 +
1.40 + PORT_Assert(arena != NULL);
1.41 +
1.42 + gx.data = NULL;
1.43 + gv.data = NULL;
1.44 + r.data = NULL;
1.45 + crv = jpake_mapStatus(JPAKE_Sign(arena, pqg, hashType, signerID, x, NULL,
1.46 + NULL, &gx, &gv, &r),
1.47 + CKR_MECHANISM_PARAM_INVALID);
1.48 + if (crv == CKR_OK) {
1.49 + if ((out->pGX != NULL && out->ulGXLen >= gx.len) ||
1.50 + (out->pGV != NULL && out->ulGVLen >= gv.len) ||
1.51 + (out->pR != NULL && out->ulRLen >= r.len)) {
1.52 + PORT_Memcpy(out->pGX, gx.data, gx.len);
1.53 + PORT_Memcpy(out->pGV, gv.data, gv.len);
1.54 + PORT_Memcpy(out->pR, r.data, r.len);
1.55 + out->ulGXLen = gx.len;
1.56 + out->ulGVLen = gv.len;
1.57 + out->ulRLen = r.len;
1.58 + } else {
1.59 + crv = CKR_MECHANISM_PARAM_INVALID;
1.60 + }
1.61 + }
1.62 + return crv;
1.63 +}
1.64 +
1.65 +static CK_RV
1.66 +jpake_Verify(PLArenaPool * arena, const PQGParams * pqg,
1.67 + HASH_HashType hashType, const SECItem * signerID,
1.68 + const CK_BYTE * peerIDData, CK_ULONG peerIDLen,
1.69 + const CK_NSS_JPAKEPublicValue * publicValueIn)
1.70 +{
1.71 + SECItem peerID, gx, gv, r;
1.72 + peerID.data = (unsigned char *) peerIDData; peerID.len = peerIDLen;
1.73 + gx.data = publicValueIn->pGX; gx.len = publicValueIn->ulGXLen;
1.74 + gv.data = publicValueIn->pGV; gv.len = publicValueIn->ulGVLen;
1.75 + r.data = publicValueIn->pR; r.len = publicValueIn->ulRLen;
1.76 + return jpake_mapStatus(JPAKE_Verify(arena, pqg, hashType, signerID, &peerID,
1.77 + &gx, &gv, &r),
1.78 + CKR_MECHANISM_PARAM_INVALID);
1.79 +}
1.80 +
1.81 +#define NUM_ELEM(x) (sizeof (x) / sizeof (x)[0])
1.82 +
1.83 +/* If the template has the key type set, ensure that it was set to the correct
1.84 + * value. If the template did not have the key type set, set it to the
1.85 + * correct value.
1.86 + */
1.87 +static CK_RV
1.88 +jpake_enforceKeyType(SFTKObject * key, CK_KEY_TYPE keyType) {
1.89 + CK_RV crv;
1.90 + SFTKAttribute * keyTypeAttr = sftk_FindAttribute(key, CKA_KEY_TYPE);
1.91 + if (keyTypeAttr != NULL) {
1.92 + crv = *(CK_KEY_TYPE *)keyTypeAttr->attrib.pValue == keyType
1.93 + ? CKR_OK
1.94 + : CKR_TEMPLATE_INCONSISTENT;
1.95 + sftk_FreeAttribute(keyTypeAttr);
1.96 + } else {
1.97 + crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof keyType);
1.98 + }
1.99 + return crv;
1.100 +}
1.101 +
1.102 +static CK_RV
1.103 +jpake_MultipleSecItem2Attribute(SFTKObject * key, const SFTKItemTemplate * attrs,
1.104 + size_t attrsCount)
1.105 +{
1.106 + size_t i;
1.107 +
1.108 + for (i = 0; i < attrsCount; ++i) {
1.109 + CK_RV crv = sftk_forceAttribute(key, attrs[i].type, attrs[i].item->data,
1.110 + attrs[i].item->len);
1.111 + if (crv != CKR_OK)
1.112 + return crv;
1.113 + }
1.114 + return CKR_OK;
1.115 +}
1.116 +
1.117 +CK_RV
1.118 +jpake_Round1(HASH_HashType hashType, CK_NSS_JPAKERound1Params * params,
1.119 + SFTKObject * key)
1.120 +{
1.121 + CK_RV crv;
1.122 + PQGParams pqg;
1.123 + PLArenaPool * arena;
1.124 + SECItem signerID;
1.125 + SFTKItemTemplate templateAttrs[] = {
1.126 + { CKA_PRIME, &pqg.prime },
1.127 + { CKA_SUBPRIME, &pqg.subPrime },
1.128 + { CKA_BASE, &pqg.base },
1.129 + { CKA_NSS_JPAKE_SIGNERID, &signerID }
1.130 + };
1.131 + SECItem x2, gx1, gx2;
1.132 + const SFTKItemTemplate generatedAttrs[] = {
1.133 + { CKA_NSS_JPAKE_X2, &x2 },
1.134 + { CKA_NSS_JPAKE_GX1, &gx1 },
1.135 + { CKA_NSS_JPAKE_GX2, &gx2 },
1.136 + };
1.137 + SECItem x1;
1.138 +
1.139 + PORT_Assert(params != NULL);
1.140 + PORT_Assert(key != NULL);
1.141 +
1.142 + arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
1.143 + if (arena == NULL)
1.144 + crv = CKR_HOST_MEMORY;
1.145 +
1.146 + crv = sftk_MultipleAttribute2SecItem(arena, key, templateAttrs,
1.147 + NUM_ELEM(templateAttrs));
1.148 +
1.149 + if (crv == CKR_OK && (signerID.data == NULL || signerID.len == 0))
1.150 + crv = CKR_TEMPLATE_INCOMPLETE;
1.151 +
1.152 + /* generate x1, g^x1 and the proof of knowledge of x1 */
1.153 + if (crv == CKR_OK) {
1.154 + x1.data = NULL;
1.155 + crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x1),
1.156 + CKR_TEMPLATE_INCONSISTENT);
1.157 + }
1.158 + if (crv == CKR_OK)
1.159 + crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x1, ¶ms->gx1);
1.160 +
1.161 + /* generate x2, g^x2 and the proof of knowledge of x2 */
1.162 + if (crv == CKR_OK) {
1.163 + x2.data = NULL;
1.164 + crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x2),
1.165 + CKR_TEMPLATE_INCONSISTENT);
1.166 + }
1.167 + if (crv == CKR_OK)
1.168 + crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2, ¶ms->gx2);
1.169 +
1.170 + /* Save the values needed for round 2 into CKA_VALUE */
1.171 + if (crv == CKR_OK) {
1.172 + gx1.data = params->gx1.pGX;
1.173 + gx1.len = params->gx1.ulGXLen;
1.174 + gx2.data = params->gx2.pGX;
1.175 + gx2.len = params->gx2.ulGXLen;
1.176 + crv = jpake_MultipleSecItem2Attribute(key, generatedAttrs,
1.177 + NUM_ELEM(generatedAttrs));
1.178 + }
1.179 +
1.180 + PORT_FreeArena(arena, PR_TRUE);
1.181 + return crv;
1.182 +}
1.183 +
1.184 +CK_RV
1.185 +jpake_Round2(HASH_HashType hashType, CK_NSS_JPAKERound2Params * params,
1.186 + SFTKObject * sourceKey, SFTKObject * key)
1.187 +{
1.188 + CK_RV crv;
1.189 + PLArenaPool * arena;
1.190 + PQGParams pqg;
1.191 + SECItem signerID, x2, gx1, gx2;
1.192 + SFTKItemTemplate sourceAttrs[] = {
1.193 + { CKA_PRIME, &pqg.prime },
1.194 + { CKA_SUBPRIME, &pqg.subPrime },
1.195 + { CKA_BASE, &pqg.base },
1.196 + { CKA_NSS_JPAKE_SIGNERID, &signerID },
1.197 + { CKA_NSS_JPAKE_X2, &x2 },
1.198 + { CKA_NSS_JPAKE_GX1, &gx1 },
1.199 + { CKA_NSS_JPAKE_GX2, &gx2 },
1.200 + };
1.201 + SECItem x2s, gx3, gx4;
1.202 + const SFTKItemTemplate copiedAndGeneratedAttrs[] = {
1.203 + { CKA_NSS_JPAKE_SIGNERID, &signerID },
1.204 + { CKA_PRIME, &pqg.prime },
1.205 + { CKA_SUBPRIME, &pqg.subPrime },
1.206 + { CKA_NSS_JPAKE_X2, &x2 },
1.207 + { CKA_NSS_JPAKE_X2S, &x2s },
1.208 + { CKA_NSS_JPAKE_GX1, &gx1 },
1.209 + { CKA_NSS_JPAKE_GX2, &gx2 },
1.210 + { CKA_NSS_JPAKE_GX3, &gx3 },
1.211 + { CKA_NSS_JPAKE_GX4, &gx4 }
1.212 + };
1.213 + SECItem peerID;
1.214 +
1.215 + PORT_Assert(params != NULL);
1.216 + PORT_Assert(sourceKey != NULL);
1.217 + PORT_Assert(key != NULL);
1.218 +
1.219 + arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
1.220 + if (arena == NULL)
1.221 + crv = CKR_HOST_MEMORY;
1.222 +
1.223 + /* TODO: check CKK_NSS_JPAKE_ROUND1 */
1.224 +
1.225 + crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs,
1.226 + NUM_ELEM(sourceAttrs));
1.227 +
1.228 + /* Get the peer's ID out of the template and sanity-check it. */
1.229 + if (crv == CKR_OK)
1.230 + crv = sftk_Attribute2SecItem(arena, &peerID, key,
1.231 + CKA_NSS_JPAKE_PEERID);
1.232 + if (crv == CKR_OK && (peerID.data == NULL || peerID.len == 0))
1.233 + crv = CKR_TEMPLATE_INCOMPLETE;
1.234 + if (crv == CKR_OK && SECITEM_CompareItem(&signerID, &peerID) == SECEqual)
1.235 + crv = CKR_TEMPLATE_INCONSISTENT;
1.236 +
1.237 + /* Verify zero-knowledge proofs for g^x3 and g^x4 */
1.238 + if (crv == CKR_OK)
1.239 + crv = jpake_Verify(arena, &pqg, hashType, &signerID,
1.240 + peerID.data, peerID.len, ¶ms->gx3);
1.241 + if (crv == CKR_OK)
1.242 + crv = jpake_Verify(arena, &pqg, hashType, &signerID,
1.243 + peerID.data, peerID.len, ¶ms->gx4);
1.244 +
1.245 + /* Calculate the base and x2s for A=base^x2s */
1.246 + if (crv == CKR_OK) {
1.247 + SECItem s;
1.248 + s.data = params->pSharedKey;
1.249 + s.len = params->ulSharedKeyLen;
1.250 + gx3.data = params->gx3.pGX;
1.251 + gx3.len = params->gx3.ulGXLen;
1.252 + gx4.data = params->gx4.pGX;
1.253 + gx4.len = params->gx4.ulGXLen;
1.254 + pqg.base.data = NULL;
1.255 + x2s.data = NULL;
1.256 + crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime,
1.257 + &gx1, &gx3, &gx4, &pqg.base,
1.258 + &x2, &s, &x2s),
1.259 + CKR_MECHANISM_PARAM_INVALID);
1.260 + }
1.261 +
1.262 + /* Generate A=base^x2s and its zero-knowledge proof. */
1.263 + if (crv == CKR_OK)
1.264 + crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2s, ¶ms->A);
1.265 +
1.266 + /* Copy P and Q from the ROUND1 key to the ROUND2 key and save the values
1.267 + needed for the final key material derivation into CKA_VALUE. */
1.268 + if (crv == CKR_OK)
1.269 + crv = sftk_forceAttribute(key, CKA_PRIME, pqg.prime.data,
1.270 + pqg.prime.len);
1.271 + if (crv == CKR_OK)
1.272 + crv = sftk_forceAttribute(key, CKA_SUBPRIME, pqg.subPrime.data,
1.273 + pqg.subPrime.len);
1.274 + if (crv == CKR_OK) {
1.275 + crv = jpake_MultipleSecItem2Attribute(key, copiedAndGeneratedAttrs,
1.276 + NUM_ELEM(copiedAndGeneratedAttrs));
1.277 + }
1.278 +
1.279 + if (crv == CKR_OK)
1.280 + crv = jpake_enforceKeyType(key, CKK_NSS_JPAKE_ROUND2);
1.281 +
1.282 + PORT_FreeArena(arena, PR_TRUE);
1.283 + return crv;
1.284 +}
1.285 +
1.286 +CK_RV
1.287 +jpake_Final(HASH_HashType hashType, const CK_NSS_JPAKEFinalParams * param,
1.288 + SFTKObject * sourceKey, SFTKObject * key)
1.289 +{
1.290 + PLArenaPool * arena;
1.291 + SECItem K;
1.292 + PQGParams pqg;
1.293 + CK_RV crv;
1.294 + SECItem peerID, signerID, x2s, x2, gx1, gx2, gx3, gx4;
1.295 + SFTKItemTemplate sourceAttrs[] = {
1.296 + { CKA_NSS_JPAKE_PEERID, &peerID },
1.297 + { CKA_NSS_JPAKE_SIGNERID, &signerID },
1.298 + { CKA_PRIME, &pqg.prime },
1.299 + { CKA_SUBPRIME, &pqg.subPrime },
1.300 + { CKA_NSS_JPAKE_X2, &x2 },
1.301 + { CKA_NSS_JPAKE_X2S, &x2s },
1.302 + { CKA_NSS_JPAKE_GX1, &gx1 },
1.303 + { CKA_NSS_JPAKE_GX2, &gx2 },
1.304 + { CKA_NSS_JPAKE_GX3, &gx3 },
1.305 + { CKA_NSS_JPAKE_GX4, &gx4 }
1.306 + };
1.307 +
1.308 + PORT_Assert(param != NULL);
1.309 + PORT_Assert(sourceKey != NULL);
1.310 + PORT_Assert(key != NULL);
1.311 +
1.312 + arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
1.313 + if (arena == NULL)
1.314 + crv = CKR_HOST_MEMORY;
1.315 +
1.316 + /* TODO: verify key type CKK_NSS_JPAKE_ROUND2 */
1.317 +
1.318 + crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs,
1.319 + NUM_ELEM(sourceAttrs));
1.320 +
1.321 + /* Calculate base for B=base^x4s */
1.322 + if (crv == CKR_OK) {
1.323 + pqg.base.data = NULL;
1.324 + crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime,
1.325 + &gx1, &gx2, &gx3, &pqg.base,
1.326 + NULL, NULL, NULL),
1.327 + CKR_MECHANISM_PARAM_INVALID);
1.328 + }
1.329 +
1.330 + /* Verify zero-knowledge proof for B */
1.331 + if (crv == CKR_OK)
1.332 + crv = jpake_Verify(arena, &pqg, hashType, &signerID,
1.333 + peerID.data, peerID.len, ¶m->B);
1.334 + if (crv == CKR_OK) {
1.335 + SECItem B;
1.336 + B.data = param->B.pGX;
1.337 + B.len = param->B.ulGXLen;
1.338 + K.data = NULL;
1.339 + crv = jpake_mapStatus(JPAKE_Final(arena, &pqg.prime, &pqg.subPrime,
1.340 + &x2, &gx4, &x2s, &B, &K),
1.341 + CKR_MECHANISM_PARAM_INVALID);
1.342 + }
1.343 +
1.344 + /* Save key material into CKA_VALUE. */
1.345 + if (crv == CKR_OK)
1.346 + crv = sftk_forceAttribute(key, CKA_VALUE, K.data, K.len);
1.347 +
1.348 + if (crv == CKR_OK)
1.349 + crv = jpake_enforceKeyType(key, CKK_GENERIC_SECRET);
1.350 +
1.351 + PORT_FreeArena(arena, PR_TRUE);
1.352 + return crv;
1.353 +}
