michael@0: /* michael@0: * Signature stuff. michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #include michael@0: #include "cryptohi.h" michael@0: #include "sechash.h" michael@0: #include "secder.h" michael@0: #include "keyhi.h" michael@0: #include "secoid.h" michael@0: #include "secdig.h" michael@0: #include "pk11func.h" michael@0: #include "secerr.h" michael@0: #include "keyi.h" michael@0: michael@0: struct SGNContextStr { michael@0: SECOidTag signalg; michael@0: SECOidTag hashalg; michael@0: void *hashcx; michael@0: const SECHashObject *hashobj; michael@0: SECKEYPrivateKey *key; michael@0: }; michael@0: michael@0: SGNContext * michael@0: SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *key) michael@0: { michael@0: SGNContext *cx; michael@0: SECOidTag hashalg, signalg; michael@0: KeyType keyType; michael@0: SECStatus rv; michael@0: michael@0: /* OK, map a PKCS #7 hash and encrypt algorithm into michael@0: * a standard hashing algorithm. Why did we pass in the whole michael@0: * PKCS #7 algTag if we were just going to change here you might michael@0: * ask. Well the answer is for some cards we may have to do the michael@0: * hashing on card. It may not support CKM_RSA_PKCS sign algorithm, michael@0: * it may just support CKM_SHA1_RSA_PKCS and/or CKM_MD5_RSA_PKCS. michael@0: */ michael@0: /* we have a private key, not a public key, so don't pass it in */ michael@0: rv = sec_DecodeSigAlg(NULL, alg, NULL, &signalg, &hashalg); michael@0: if (rv != SECSuccess) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); michael@0: return 0; michael@0: } michael@0: keyType = seckey_GetKeyType(signalg); michael@0: michael@0: /* verify our key type */ michael@0: if (key->keyType != keyType && michael@0: !((key->keyType == dsaKey) && (keyType == fortezzaKey)) ) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); michael@0: return 0; michael@0: } michael@0: michael@0: cx = (SGNContext*) PORT_ZAlloc(sizeof(SGNContext)); michael@0: if (cx) { michael@0: cx->hashalg = hashalg; michael@0: cx->signalg = signalg; michael@0: cx->key = key; michael@0: } michael@0: return cx; michael@0: } michael@0: michael@0: void michael@0: SGN_DestroyContext(SGNContext *cx, PRBool freeit) michael@0: { michael@0: if (cx) { michael@0: if (cx->hashcx != NULL) { michael@0: (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); michael@0: cx->hashcx = NULL; michael@0: } michael@0: if (freeit) { michael@0: PORT_ZFree(cx, sizeof(SGNContext)); michael@0: } michael@0: } michael@0: } michael@0: michael@0: SECStatus michael@0: SGN_Begin(SGNContext *cx) michael@0: { michael@0: if (cx->hashcx != NULL) { michael@0: (*cx->hashobj->destroy)(cx->hashcx, PR_TRUE); michael@0: cx->hashcx = NULL; michael@0: } michael@0: michael@0: cx->hashobj = HASH_GetHashObjectByOidTag(cx->hashalg); michael@0: if (!cx->hashobj) michael@0: return SECFailure; /* error code is already set */ michael@0: michael@0: cx->hashcx = (*cx->hashobj->create)(); michael@0: if (cx->hashcx == NULL) michael@0: return SECFailure; michael@0: michael@0: (*cx->hashobj->begin)(cx->hashcx); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: SECStatus michael@0: SGN_Update(SGNContext *cx, const unsigned char *input, unsigned int inputLen) michael@0: { michael@0: if (cx->hashcx == NULL) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: (*cx->hashobj->update)(cx->hashcx, input, inputLen); michael@0: return SECSuccess; michael@0: } michael@0: michael@0: /* XXX Old template; want to expunge it eventually. */ michael@0: static DERTemplate SECAlgorithmIDTemplate[] = { michael@0: { DER_SEQUENCE, michael@0: 0, NULL, sizeof(SECAlgorithmID) }, michael@0: { DER_OBJECT_ID, michael@0: offsetof(SECAlgorithmID,algorithm), }, michael@0: { DER_OPTIONAL | DER_ANY, michael@0: offsetof(SECAlgorithmID,parameters), }, michael@0: { 0, } michael@0: }; michael@0: michael@0: /* michael@0: * XXX OLD Template. Once all uses have been switched over to new one, michael@0: * remove this. michael@0: */ michael@0: static DERTemplate SGNDigestInfoTemplate[] = { michael@0: { DER_SEQUENCE, michael@0: 0, NULL, sizeof(SGNDigestInfo) }, michael@0: { DER_INLINE, michael@0: offsetof(SGNDigestInfo,digestAlgorithm), michael@0: SECAlgorithmIDTemplate, }, michael@0: { DER_OCTET_STRING, michael@0: offsetof(SGNDigestInfo,digest), }, michael@0: { 0, } michael@0: }; michael@0: michael@0: SECStatus michael@0: SGN_End(SGNContext *cx, SECItem *result) michael@0: { michael@0: unsigned char digest[HASH_LENGTH_MAX]; michael@0: unsigned part1; michael@0: int signatureLen; michael@0: SECStatus rv; michael@0: SECItem digder, sigitem; michael@0: PLArenaPool *arena = 0; michael@0: SECKEYPrivateKey *privKey = cx->key; michael@0: SGNDigestInfo *di = 0; michael@0: michael@0: result->data = 0; michael@0: digder.data = 0; michael@0: michael@0: /* Finish up digest function */ michael@0: if (cx->hashcx == NULL) { michael@0: PORT_SetError(SEC_ERROR_INVALID_ARGS); michael@0: return SECFailure; michael@0: } michael@0: (*cx->hashobj->end)(cx->hashcx, digest, &part1, sizeof(digest)); michael@0: michael@0: michael@0: if (privKey->keyType == rsaKey) { michael@0: michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: if ( !arena ) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: /* Construct digest info */ michael@0: di = SGN_CreateDigestInfo(cx->hashalg, digest, part1); michael@0: if (!di) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: /* Der encode the digest as a DigestInfo */ michael@0: rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, michael@0: di); michael@0: if (rv != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: } else { michael@0: digder.data = digest; michael@0: digder.len = part1; michael@0: } michael@0: michael@0: /* michael@0: ** Encrypt signature after constructing appropriate PKCS#1 signature michael@0: ** block michael@0: */ michael@0: signatureLen = PK11_SignatureLen(privKey); michael@0: if (signatureLen <= 0) { michael@0: PORT_SetError(SEC_ERROR_INVALID_KEY); michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: sigitem.len = signatureLen; michael@0: sigitem.data = (unsigned char*) PORT_Alloc(signatureLen); michael@0: michael@0: if (sigitem.data == NULL) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: rv = PK11_Sign(privKey, &sigitem, &digder); michael@0: if (rv != SECSuccess) { michael@0: PORT_Free(sigitem.data); michael@0: sigitem.data = NULL; michael@0: goto loser; michael@0: } michael@0: michael@0: if ((cx->signalg == SEC_OID_ANSIX9_DSA_SIGNATURE) || michael@0: (cx->signalg == SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { michael@0: /* DSAU_EncodeDerSigWithLen works for DSA and ECDSA */ michael@0: rv = DSAU_EncodeDerSigWithLen(result, &sigitem, sigitem.len); michael@0: PORT_Free(sigitem.data); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: } else { michael@0: result->len = sigitem.len; michael@0: result->data = sigitem.data; michael@0: } michael@0: michael@0: loser: michael@0: SGN_DestroyDigestInfo(di); michael@0: if (arena != NULL) { michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: /************************************************************************/ michael@0: michael@0: /* michael@0: ** Sign a block of data returning in result a bunch of bytes that are the michael@0: ** signature. Returns zero on success, an error code on failure. michael@0: */ michael@0: SECStatus michael@0: SEC_SignData(SECItem *res, const unsigned char *buf, int len, michael@0: SECKEYPrivateKey *pk, SECOidTag algid) michael@0: { michael@0: SECStatus rv; michael@0: SGNContext *sgn; michael@0: michael@0: michael@0: sgn = SGN_NewContext(algid, pk); michael@0: michael@0: if (sgn == NULL) michael@0: return SECFailure; michael@0: michael@0: rv = SGN_Begin(sgn); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: michael@0: rv = SGN_Update(sgn, buf, len); michael@0: if (rv != SECSuccess) michael@0: goto loser; michael@0: michael@0: rv = SGN_End(sgn, res); michael@0: michael@0: loser: michael@0: SGN_DestroyContext(sgn, PR_TRUE); michael@0: return rv; michael@0: } michael@0: michael@0: /************************************************************************/ michael@0: michael@0: DERTemplate CERTSignedDataTemplate[] = michael@0: { michael@0: { DER_SEQUENCE, michael@0: 0, NULL, sizeof(CERTSignedData) }, michael@0: { DER_ANY, michael@0: offsetof(CERTSignedData,data), }, michael@0: { DER_INLINE, michael@0: offsetof(CERTSignedData,signatureAlgorithm), michael@0: SECAlgorithmIDTemplate, }, michael@0: { DER_BIT_STRING, michael@0: offsetof(CERTSignedData,signature), }, michael@0: { 0, } michael@0: }; michael@0: michael@0: SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) michael@0: michael@0: const SEC_ASN1Template CERT_SignedDataTemplate[] = michael@0: { michael@0: { SEC_ASN1_SEQUENCE, michael@0: 0, NULL, sizeof(CERTSignedData) }, michael@0: { SEC_ASN1_ANY, michael@0: offsetof(CERTSignedData,data), }, michael@0: { SEC_ASN1_INLINE | SEC_ASN1_XTRN, michael@0: offsetof(CERTSignedData,signatureAlgorithm), michael@0: SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate), }, michael@0: { SEC_ASN1_BIT_STRING, michael@0: offsetof(CERTSignedData,signature), }, michael@0: { 0, } michael@0: }; michael@0: michael@0: SEC_ASN1_CHOOSER_IMPLEMENT(CERT_SignedDataTemplate) michael@0: michael@0: michael@0: SECStatus michael@0: SEC_DerSignData(PLArenaPool *arena, SECItem *result, michael@0: const unsigned char *buf, int len, SECKEYPrivateKey *pk, michael@0: SECOidTag algID) michael@0: { michael@0: SECItem it; michael@0: CERTSignedData sd; michael@0: SECStatus rv; michael@0: michael@0: it.data = 0; michael@0: michael@0: /* XXX We should probably have some asserts here to make sure the key type michael@0: * and algID match michael@0: */ michael@0: michael@0: if (algID == SEC_OID_UNKNOWN) { michael@0: switch(pk->keyType) { michael@0: case rsaKey: michael@0: algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; michael@0: break; michael@0: case dsaKey: michael@0: /* get Signature length (= q_len*2) and work from there */ michael@0: switch (PK11_SignatureLen(pk)) { michael@0: case 448: michael@0: algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; michael@0: break; michael@0: case 512: michael@0: algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; michael@0: break; michael@0: default: michael@0: algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; michael@0: break; michael@0: } michael@0: break; michael@0: case ecKey: michael@0: algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST; michael@0: break; michael@0: default: michael@0: PORT_SetError(SEC_ERROR_INVALID_KEY); michael@0: return SECFailure; michael@0: } michael@0: } michael@0: michael@0: /* Sign input buffer */ michael@0: rv = SEC_SignData(&it, buf, len, pk, algID); michael@0: if (rv) goto loser; michael@0: michael@0: /* Fill out SignedData object */ michael@0: PORT_Memset(&sd, 0, sizeof(sd)); michael@0: sd.data.data = (unsigned char*) buf; michael@0: sd.data.len = len; michael@0: sd.signature.data = it.data; michael@0: sd.signature.len = it.len << 3; /* convert to bit string */ michael@0: rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algID, 0); michael@0: if (rv) goto loser; michael@0: michael@0: /* DER encode the signed data object */ michael@0: rv = DER_Encode(arena, result, CERTSignedDataTemplate, &sd); michael@0: /* FALL THROUGH */ michael@0: michael@0: loser: michael@0: PORT_Free(it.data); michael@0: return rv; michael@0: } michael@0: michael@0: SECStatus michael@0: SGN_Digest(SECKEYPrivateKey *privKey, michael@0: SECOidTag algtag, SECItem *result, SECItem *digest) michael@0: { michael@0: int modulusLen; michael@0: SECStatus rv; michael@0: SECItem digder; michael@0: PLArenaPool *arena = 0; michael@0: SGNDigestInfo *di = 0; michael@0: michael@0: michael@0: result->data = 0; michael@0: michael@0: if (privKey->keyType == rsaKey) { michael@0: michael@0: arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); michael@0: if ( !arena ) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: /* Construct digest info */ michael@0: di = SGN_CreateDigestInfo(algtag, digest->data, digest->len); michael@0: if (!di) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: /* Der encode the digest as a DigestInfo */ michael@0: rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, michael@0: di); michael@0: if (rv != SECSuccess) { michael@0: goto loser; michael@0: } michael@0: } else { michael@0: digder.data = digest->data; michael@0: digder.len = digest->len; michael@0: } michael@0: michael@0: /* michael@0: ** Encrypt signature after constructing appropriate PKCS#1 signature michael@0: ** block michael@0: */ michael@0: modulusLen = PK11_SignatureLen(privKey); michael@0: if (modulusLen <= 0) { michael@0: PORT_SetError(SEC_ERROR_INVALID_KEY); michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: result->len = modulusLen; michael@0: result->data = (unsigned char*) PORT_Alloc(modulusLen); michael@0: michael@0: if (result->data == NULL) { michael@0: rv = SECFailure; michael@0: goto loser; michael@0: } michael@0: michael@0: rv = PK11_Sign(privKey, result, &digder); michael@0: if (rv != SECSuccess) { michael@0: PORT_Free(result->data); michael@0: result->data = NULL; michael@0: } michael@0: michael@0: loser: michael@0: SGN_DestroyDigestInfo(di); michael@0: if (arena != NULL) { michael@0: PORT_FreeArena(arena, PR_FALSE); michael@0: } michael@0: return rv; michael@0: } michael@0: michael@0: SECOidTag michael@0: SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag) michael@0: { michael@0: SECOidTag sigTag = SEC_OID_UNKNOWN; michael@0: michael@0: switch (keyType) { michael@0: case rsaKey: michael@0: switch (hashAlgTag) { michael@0: case SEC_OID_MD2: michael@0: sigTag = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION; break; michael@0: case SEC_OID_MD5: michael@0: sigTag = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; break; michael@0: case SEC_OID_UNKNOWN: /* default for RSA if not specified */ michael@0: case SEC_OID_SHA1: michael@0: sigTag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; break; michael@0: case SEC_OID_SHA224: michael@0: sigTag = SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION; break; michael@0: case SEC_OID_SHA256: michael@0: sigTag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION; break; michael@0: case SEC_OID_SHA384: michael@0: sigTag = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION; break; michael@0: case SEC_OID_SHA512: michael@0: sigTag = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; break; michael@0: default: michael@0: break; michael@0: } michael@0: break; michael@0: case dsaKey: michael@0: switch (hashAlgTag) { michael@0: case SEC_OID_UNKNOWN: /* default for DSA if not specified */ michael@0: case SEC_OID_SHA1: michael@0: sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST; break; michael@0: case SEC_OID_SHA224: michael@0: sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST; break; michael@0: case SEC_OID_SHA256: michael@0: sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST; break; michael@0: default: michael@0: break; michael@0: } michael@0: break; michael@0: case ecKey: michael@0: switch (hashAlgTag) { michael@0: case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */ michael@0: case SEC_OID_SHA1: michael@0: sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE; break; michael@0: case SEC_OID_SHA224: michael@0: sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE; break; michael@0: case SEC_OID_SHA256: michael@0: sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE; break; michael@0: case SEC_OID_SHA384: michael@0: sigTag = SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE; break; michael@0: case SEC_OID_SHA512: michael@0: sigTag = SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE; break; michael@0: default: michael@0: break; michael@0: } michael@0: default: michael@0: break; michael@0: } michael@0: return sigTag; michael@0: }