Merge branch 'f14' into f13

This commit is contained in:
Elio Maldonado 2011-02-25 09:30:30 -08:00
commit 85c352f22b
9 changed files with 349 additions and 468 deletions

4
.gitignore vendored
View File

@ -1,5 +1,5 @@
nss-3.12.8-stripped.tar.bz2
nss-pem-20100809.tar.bz2
nss-3.12.9-stripped.tar.bz2
nss-pem-20101125.tar.bz2
blank-cert8.db
blank-key3.db
blank-secmod.db

View File

@ -1,237 +0,0 @@
From 8bd0a0427e034262ff982fed98ca5e8c623165db Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Mon, 12 Jul 2010 16:31:01 -0600
Subject: [PATCH] Add support for PKCS#8 encoded private keys
The code supports PKCS#1 encoded RSA private keys that begin with the
BEGIN RSA PRIVATE KEY header in PEM files. This patch adds support for
RSA private keys encoded in PEM files that begin with the header
BEGIN PRIVATE KEY which are in PKCS#8 format.
---
prsa.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++------------------
util.c | 3 +-
2 files changed, 110 insertions(+), 43 deletions(-)
diff --git a/prsa.c b/prsa.c
index 5b2f379..8d4fb92 100644
--- a/mozilla/security/nss/lib/ckfw/pem/prsa.c
+++ b/mozilla/security/nss/lib/ckfw/pem/prsa.c
@@ -63,6 +63,35 @@ const SEC_ASN1Template pem_RSAPrivateKeyTemplate[] = {
{0}
};
+static const SEC_ASN1Template pem_AttributeTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYAttribute) },
+ { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+ { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(NSSLOWKEYAttribute, attrValue),
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
+ { 0 }
+};
+
+static const SEC_ASN1Template pem_SetOfAttributeTemplate[] = {
+ { SEC_ASN1_SET_OF, 0, pem_AttributeTemplate },
+};
+
+const SEC_ASN1Template pem_PrivateKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+ { SEC_ASN1_INTEGER,
+ offsetof(NSSLOWKEYPrivateKeyInfo,version) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYPrivateKeyInfo,algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKeyInfo,privateKey) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+ pem_SetOfAttributeTemplate },
+ { 0 }
+};
+
/* Declarations */
SECStatus pem_RSA_Sign(pemLOWKEYPrivateKey * key, unsigned char *output,
unsigned int *outputLen, unsigned int maxOutputLen,
@@ -116,6 +145,79 @@ pem_DestroyPrivateKey(pemLOWKEYPrivateKey * privk)
nss_ZFreeIf(privk);
}
+/* decode and parse the rawkey into the lpk structure */
+static pemLOWKEYPrivateKey *
+pem_getPrivateKey(PLArenaPool *arena, SECItem *rawkey, CK_RV * pError, NSSItem *modulus)
+{
+ pemLOWKEYPrivateKey *lpk = NULL;
+ SECStatus rv = SECFailure;
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
+ SECItem *keysrc = NULL;
+
+ /* make sure SECOID is initialized - not sure why we have to do this outside of nss_Init */
+ if (SECSuccess != (rv = SECOID_Init())) {
+ *pError = CKR_GENERAL_ERROR;
+ return NULL; /* wha???? */
+ }
+
+ pki = (NSSLOWKEYPrivateKeyInfo*)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPrivateKeyInfo));
+ if(!pki) {
+ *pError = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ /* let's first see if this is a "raw" RSA private key or an RSA private key in PKCS#8 format */
+ rv = SEC_ASN1DecodeItem(arena, pki, pem_PrivateKeyInfoTemplate, rawkey);
+ if (rv != SECSuccess) {
+ /* not PKCS#8 - assume it's a "raw" RSA private key */
+ keysrc = rawkey;
+ } else if (SECOID_GetAlgorithmTag(&pki->algorithm) == SEC_OID_PKCS1_RSA_ENCRYPTION) {
+ keysrc = &pki->privateKey;
+ } else { /* unsupported */
+ *pError = CKR_FUNCTION_NOT_SUPPORTED;
+ goto done;
+ }
+
+ lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
+ sizeof(pemLOWKEYPrivateKey));
+ if (lpk == NULL) {
+ *pError = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ lpk->arena = arena;
+ lpk->keyType = pemLOWKEYRSAKey;
+ prepare_low_rsa_priv_key_for_asn1(lpk);
+
+ /* I don't know what this is supposed to accomplish. We free the old
+ modulus data and set it again, making a copy of the new data.
+ But we just allocated a new empty key structure above with
+ nss_ZAlloc. So lpk->u.rsa.modulus.data is NULL and
+ lpk->u.rsa.modulus.len. If the intention is to free the old
+ modulus data, why not just set it to NULL after freeing? Why
+ go through this unnecessary and confusing copying code?
+ */
+ if (modulus) {
+ nss_ZFreeIf(modulus->data);
+ modulus->data = (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
+ modulus->size = lpk->u.rsa.modulus.len;
+ nsslibc_memcpy(modulus->data, lpk->u.rsa.modulus.data,
+ lpk->u.rsa.modulus.len);
+ }
+
+ /* decode the private key and any algorithm parameters */
+ rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
+ keysrc);
+
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+done:
+ return lpk;
+}
+
void
pem_PopulateModulusExponent(pemInternalObject * io)
{
@@ -123,7 +225,7 @@ pem_PopulateModulusExponent(pemInternalObject * io)
const NSSItem *keyType = pem_FetchAttribute(io, CKA_KEY_TYPE);
pemLOWKEYPrivateKey *lpk = NULL;
PLArenaPool *arena;
- SECStatus rv;
+ CK_RV pError = 0;
/* make sure we have the right objects */
if (((const NSSItem *) NULL == classItem) ||
@@ -140,26 +242,12 @@ pem_PopulateModulusExponent(pemInternalObject * io)
return;
}
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
- sizeof(pemLOWKEYPrivateKey));
+ lpk = pem_getPrivateKey(arena, io->u.key.key.privateKey, &pError, NULL);
if (lpk == NULL) {
PORT_FreeArena(arena, PR_FALSE);
return;
}
- lpk->arena = arena;
- lpk->keyType = pemLOWKEYRSAKey;
- prepare_low_rsa_priv_key_for_asn1(lpk);
-
- /* decode the private key and any algorithm parameters */
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
- io->u.key.key.privateKey);
-
- if (rv != SECSuccess) {
- PORT_FreeArena(arena, PR_FALSE);
- return;
- }
-
nss_ZFreeIf(io->u.key.key.modulus.data);
io->u.key.key.modulus.data =
(void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
@@ -252,13 +340,6 @@ pem_mdCryptoOperationRSAPriv_Create
pemInternalCryptoOperationRSAPriv *iOperation;
pemLOWKEYPrivateKey *lpk = NULL;
PLArenaPool *arena;
- SECStatus rv;
-
- arena = PORT_NewArena(2048);
- if (!arena) {
- *pError = CKR_HOST_MEMORY;
- return (NSSCKMDCryptoOperation *) NULL;
- }
/* make sure we have the right objects */
if (((const NSSItem *) NULL == classItem) ||
@@ -271,30 +352,15 @@ pem_mdCryptoOperationRSAPriv_Create
return (NSSCKMDCryptoOperation *) NULL;
}
- lpk = (pemLOWKEYPrivateKey *) nss_ZAlloc(NULL,
- sizeof (pemLOWKEYPrivateKey));
- if (lpk == NULL) {
+ arena = PORT_NewArena(2048);
+ if (!arena) {
*pError = CKR_HOST_MEMORY;
return (NSSCKMDCryptoOperation *) NULL;
}
- lpk->arena = arena;
- lpk->keyType = pemLOWKEYRSAKey;
- prepare_low_rsa_priv_key_for_asn1(lpk);
- nss_ZFreeIf(iKey->u.key.key.modulus.data);
- iKey->u.key.key.modulus.data =
- (void *) nss_ZAlloc(NULL, lpk->u.rsa.modulus.len);
- iKey->u.key.key.modulus.size = lpk->u.rsa.modulus.len;
- nsslibc_memcpy(iKey->u.key.key.modulus.data, lpk->u.rsa.modulus.data,
- lpk->u.rsa.modulus.len);
-
- /* decode the private key and any algorithm parameters */
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
- iKey->u.key.key.privateKey);
-
- if (rv != SECSuccess) {
+ lpk = pem_getPrivateKey(arena, iKey->u.key.key.privateKey, pError, &iKey->u.key.key.modulus);
+ if (lpk == NULL) {
PORT_FreeArena(arena, PR_FALSE);
- *pError = CKR_HOST_MEMORY;
return (NSSCKMDCryptoOperation *) NULL;
}
diff --git a/util.c b/util.c
index a6ca094..d02ee87 100644
--- a/mozilla/security/nss/lib/ckfw/pem/util.c
+++ b/mozilla/security/nss/lib/ckfw/pem/util.c
@@ -164,7 +164,8 @@ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
int key = 0;
while ((asc) && ((body = strstr(asc, "-----BEGIN")) != NULL)) {
key = 0;
- if (strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) {
+ if ((strncmp(body, "-----BEGIN RSA PRIVATE KEY", 25) == 0) ||
+ (strncmp(body, "-----BEGIN PRIVATE KEY", 21) == 0)) {
key = 1;
c = body;
body = strchr(body, '\n');
--
1.5.5.6

View File

@ -1,35 +0,0 @@
From 9b7334b61cf3277e5eb48b716f6719b4636e2572 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Mon, 12 Jul 2010 17:21:01 -0600
Subject: [PATCH] Do not define SEC_SkipTemplate
Building NSS with PEM support gives an error in pbobject due to multiple
definitions of SEC_SkipTemplate. This is already defined in libnssutil
---
pobject.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/pobject.c b/pobject.c
index 81b9028..48f5e78 100644
--- a/mozilla/security/nss/lib/ckfw/pem/pobject.c
+++ b/mozilla/security/nss/lib/ckfw/pem/pobject.c
@@ -172,6 +172,8 @@ static const NSSItem pem_trusted = {
(void *) &ckt_netscape_trusted, (PRUint32) sizeof(CK_TRUST)
};
+/* SEC_SkipTemplate is already defined and exported by libnssutil */
+#ifdef SEC_SKIP_TEMPLATE
/*
* Template for skipping a subitem.
*
@@ -182,6 +184,7 @@ static const NSSItem pem_trusted = {
const SEC_ASN1Template SEC_SkipTemplate[] = {
{SEC_ASN1_SKIP}
};
+#endif
/*
* Find the subjectName in a DER encoded certificate
--
1.5.5.6

View File

@ -0,0 +1,196 @@
Index: ./mozilla/security/nss/lib/pk11wrap/pk11load.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v
retrieving revision 1.30
retrieving revision 1.30.2.2
diff -u -p -r1.30 -r1.30.2.2
--- ./mozilla/security/nss/lib/pk11wrap/pk11load.c 30 Apr 2010 07:22:54 -0000 1.30
+++ ./mozilla/security/nss/lib/pk11wrap/pk11load.c 27 Jan 2011 01:35:46 -0000 1.30.2.2
@@ -178,8 +178,8 @@ secmod_handleReload(SECMODModule *oldMod
char *oldModuleSpec;
if (secmod_IsInternalKeySlot(newModule)) {
- pk11_SetInternalKeySlot(slot);
- }
+ pk11_SetInternalKeySlotIfFirst(slot);
+ }
newID = slot->slotID;
PK11_FreeSlot(slot);
for (thisChild=children, thisID=ids; thisChild && *thisChild;
@@ -550,6 +550,11 @@ secmod_LoadPKCS11Module(SECMODModule *mo
/* look down the slot info table */
PK11_LoadSlotList(mod->slots[i],mod->slotInfo,mod->slotInfoCount);
SECMOD_SetRootCerts(mod->slots[i],mod);
+ /* explicitly mark the internal slot as such if IsInternalKeySlot()
+ * is set */
+ if (secmod_IsInternalKeySlot(mod) && (i == (mod->isFIPS ? 0 : 1))) {
+ pk11_SetInternalKeySlotIfFirst(mod->slots[i]);
+ }
}
mod->slotCount = slotCount;
mod->slotInfoCount = 0;
Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v
retrieving revision 1.13
retrieving revision 1.13.2.2
diff -u -p -r1.13 -r1.13.2.2
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Oct 2009 23:04:46 -0000 1.13
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 27 Jan 2011 01:35:46 -0000 1.13.2.2
@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
+void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
/*********************************************************************
* Mechanism Mapping functions
Index: ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11slot.c,v
retrieving revision 1.101
retrieving revision 1.101.2.3
diff -u -p -r1.101 -r1.101.2.3
--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 3 Apr 2010 18:27:31 -0000 1.101
+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 27 Jan 2011 01:35:46 -0000 1.101.2.3
@@ -1349,7 +1349,7 @@ pk11_isRootSlot(PK11SlotInfo *slot)
* times as tokens are removed and re-inserted.
*/
void
-PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
+PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
{
SECStatus rv;
char *tmp;
@@ -1726,6 +1726,12 @@ PK11_NeedUserInit(PK11SlotInfo *slot)
}
static PK11SlotInfo *pk11InternalKeySlot = NULL;
+
+/*
+ * Set a new default internal keyslot. If one has already been set, clear it.
+ * Passing NULL falls back to the NSS normally selected default internal key
+ * slot.
+ */
void
pk11_SetInternalKeySlot(PK11SlotInfo *slot)
{
@@ -1735,6 +1741,20 @@ pk11_SetInternalKeySlot(PK11SlotInfo *sl
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
}
+/*
+ * Set a new default internal keyslot if the normal key slot has not already
+ * been overridden. Subsequent calls to this function will be ignored unless
+ * pk11_SetInternalKeySlot is used to clear the current default.
+ */
+void
+pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot)
+{
+ if (pk11InternalKeySlot) {
+ return;
+ }
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
+}
+
/* get the internal key slot. FIPS has only one slot for both key slots and
* default slots */
Index: ./mozilla/security/nss/lib/sysinit/nsssysinit.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v
retrieving revision 1.2
retrieving revision 1.2.2.2
diff -u -p -r1.2 -r1.2.2.2
--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c 6 Feb 2010 04:56:37 -0000 1.2
+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 26 Jan 2011 00:52:31 -0000 1.2.2.2
@@ -221,16 +221,16 @@ getFIPSMode(void)
* 2 for the key slot, and
* 3 for the crypto operations slot fips
*/
-#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
+#define CIPHER_ORDER_FLAGS "cipherOrder=100"
#define SLOT_FLAGS \
"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
" askpw=any timeout=30 ]"
static const char *nssDefaultFlags =
- ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
+ CIPHER_ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " } ";
static const char *nssDefaultFIPSFlags =
- ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
+ CIPHER_ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " } ";
/*
* This function builds the list of databases and modules to load, and sets
@@ -270,7 +270,7 @@ get_list(char *filename, char *stripped_
"library= "
"module=\"NSS User database\" "
"parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
- "NSS=\"%sflags=internal%s\"",
+ "NSS=\"trustOrder=75 %sflags=internal%s\"",
userdb, stripped_parameters, nssflags,
isFIPS ? ",FIPS" : "");
@@ -284,30 +284,6 @@ get_list(char *filename, char *stripped_
userdb, stripped_parameters);
}
-#if 0
- /* This doesn't actually work. If we register
- both this and the sysdb (in either order)
- then only one of them actually shows up */
-
- /* Using a NULL filename as a Boolean flag to
- * prevent registering both an application-defined
- * db and the system db. rhbz #546211.
- */
- PORT_Assert(filename);
- if (sysdb && PL_CompareStrings(filename, sysdb))
- filename = NULL;
- else if (userdb && PL_CompareStrings(filename, userdb))
- filename = NULL;
-
- if (filename && !userIsRoot()) {
- module_list[next++] = PR_smprintf(
- "library= "
- "module=\"NSS database\" "
- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
- "NSS=\"%sflags=internal\"",filename, filename, nssflags);
- }
-#endif
-
/* now the system database (always read only unless it's root) */
if (sysdb) {
const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
@@ -315,7 +291,7 @@ get_list(char *filename, char *stripped_
"library= "
"module=\"NSS system database\" "
"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
+ "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
}
/* that was the last module */
@@ -372,9 +348,9 @@ overlapstrcpy(char *target, char *src)
/* determine what options the user was trying to open this database with */
/* filename is the directory pointed to by configdir= */
-/* stripped is the rest of the paramters with configdir= stripped out */
+/* stripped is the rest of the parameters with configdir= stripped out */
static SECStatus
-parse_paramters(char *parameters, char **filename, char **stripped)
+parse_parameters(char *parameters, char **filename, char **stripped)
{
char *sourcePrev;
char *sourceCurr;
@@ -423,7 +399,7 @@ NSS_ReturnModuleSpecData(unsigned long f
char **retString = NULL;
SECStatus rv;
- rv = parse_paramters(parameters, &filename, &stripped);
+ rv = parse_parameters(parameters, &filename, &stripped);
if (rv != SECSuccess) {
/* use defaults */
filename = getSystemDB();

View File

@ -1,65 +0,0 @@
diff -up ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig ./mozilla/security/nss/lib/sysinit/nsssysinit.c
--- ./mozilla/security/nss/lib/sysinit/nsssysinit.c.orig 2010-06-17 09:17:30.732643399 -0700
+++ ./mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-06-17 09:20:22.691642397 -0700
@@ -263,9 +263,18 @@ get_list(char *filename, char *stripped_
sysdb = getSystemDB();
userdb = getUserDB();
- /* Don't open root's user DB */
+ /* return a list of databases to open. First the system database. */
+ if (sysdb) {
+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+ module_list[next++] = PR_smprintf(
+ "library= "
+ "module=\"NSS system database\" "
+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+ "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
+ }
+
+ /* Next the user database, but not for root. */
if (userdb != NULL && !userIsRoot()) {
- /* return a list of databases to open. First the user Database */
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS User database\" "
@@ -284,40 +293,6 @@ get_list(char *filename, char *stripped_
userdb, stripped_parameters);
}
-#if 0
- /* This doesn't actually work. If we register
- both this and the sysdb (in either order)
- then only one of them actually shows up */
-
- /* Using a NULL filename as a Boolean flag to
- * prevent registering both an application-defined
- * db and the system db. rhbz #546211.
- */
- PORT_Assert(filename);
- if (sysdb && PL_CompareStrings(filename, sysdb))
- filename = NULL;
- else if (userdb && PL_CompareStrings(filename, userdb))
- filename = NULL;
-
- if (filename && !userIsRoot()) {
- module_list[next++] = PR_smprintf(
- "library= "
- "module=\"NSS database\" "
- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
- "NSS=\"%sflags=internal\"",filename, filename, nssflags);
- }
-#endif
-
- /* now the system database (always read only unless it's root) */
- if (sysdb) {
- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
- module_list[next++] = PR_smprintf(
- "library= "
- "module=\"NSS system database\" "
- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
- "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
- }
-
/* that was the last module */
module_list[next] = 0;

View File

@ -1,127 +0,0 @@
diff -up ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 ./mozilla/security/nss/lib/ckfw/pem/pinst.c
--- ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 2010-06-06 18:27:27.256318318 -0700
+++ ./mozilla/security/nss/lib/ckfw/pem/pinst.c 2010-06-06 20:45:28.158442982 -0700
@@ -151,7 +151,7 @@ GetCertFields(unsigned char *cert, int c
buf = issuer->data + issuer->len;
/* only wanted issuer/SN */
- if (valid == NULL) {
+ if (subject == NULL || valid == NULL || subjkey == NULL) {
return SECSuccess;
}
/* validity */
@@ -219,53 +219,93 @@ CreateObject(CK_OBJECT_CLASS objClass,
memset(&o->u.trust, 0, sizeof(o->u.trust));
break;
}
+
+ o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
+ if (o->nickname == NULL)
+ goto fail;
+ strcpy(o->nickname, nickname);
+
+ sprintf(id, "%d", objid);
+ len = strlen(id) + 1; /* zero terminate */
+ o->id.data = (void *) nss_ZAlloc(NULL, len);
+ if (o->id.data == NULL)
+ goto fail;
+ (void) nsslibc_memcpy(o->id.data, id, len);
+ o->id.size = len;
+
o->objClass = objClass;
o->type = type;
o->slotID = slotID;
+
o->derCert = nss_ZNEW(NULL, SECItem);
+ if (o->derCert == NULL)
+ goto fail;
o->derCert->data = (void *) nss_ZAlloc(NULL, certDER->len);
+ if (o->derCert->data == NULL)
+ goto fail;
o->derCert->len = certDER->len;
nsslibc_memcpy(o->derCert->data, certDER->data, certDER->len);
switch (objClass) {
case CKO_CERTIFICATE:
case CKO_NETSCAPE_TRUST:
- GetCertFields(o->derCert->data,
- o->derCert->len, &issuer, &serial,
- &derSN, &subject, &valid, &subjkey);
+ if (SECSuccess != GetCertFields(o->derCert->data, o->derCert->len,
+ &issuer, &serial, &derSN, &subject,
+ &valid, &subjkey))
+ goto fail;
o->u.cert.subject.data = (void *) nss_ZAlloc(NULL, subject.len);
+ if (o->u.cert.subject.data == NULL)
+ goto fail;
o->u.cert.subject.size = subject.len;
nsslibc_memcpy(o->u.cert.subject.data, subject.data, subject.len);
o->u.cert.issuer.data = (void *) nss_ZAlloc(NULL, issuer.len);
+ if (o->u.cert.issuer.data == NULL) {
+ nss_ZFreeIf(o->u.cert.subject.data);
+ goto fail;
+ }
o->u.cert.issuer.size = issuer.len;
nsslibc_memcpy(o->u.cert.issuer.data, issuer.data, issuer.len);
o->u.cert.serial.data = (void *) nss_ZAlloc(NULL, serial.len);
+ if (o->u.cert.serial.data == NULL) {
+ nss_ZFreeIf(o->u.cert.issuer.data);
+ nss_ZFreeIf(o->u.cert.subject.data);
+ goto fail;
+ }
o->u.cert.serial.size = serial.len;
nsslibc_memcpy(o->u.cert.serial.data, serial.data, serial.len);
break;
case CKO_PRIVATE_KEY:
o->u.key.key.privateKey = nss_ZNEW(NULL, SECItem);
+ if (o->u.key.key.privateKey == NULL)
+ goto fail;
o->u.key.key.privateKey->data =
(void *) nss_ZAlloc(NULL, keyDER->len);
+ if (o->u.key.key.privateKey->data == NULL) {
+ nss_ZFreeIf(o->u.key.key.privateKey);
+ goto fail;
+ }
o->u.key.key.privateKey->len = keyDER->len;
nsslibc_memcpy(o->u.key.key.privateKey->data, keyDER->data,
keyDER->len);
}
- o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
- strcpy(o->nickname, nickname);
-
- sprintf(id, "%d", objid);
-
- len = strlen(id) + 1; /* zero terminate */
- o->id.data = (void *) nss_ZAlloc(NULL, len);
- (void) nsslibc_memcpy(o->id.data, id, len);
- o->id.size = len;
return o;
+
+fail:
+ if (o) {
+ if (o->derCert) {
+ nss_ZFreeIf(o->derCert->data);
+ nss_ZFreeIf(o->derCert);
+ }
+ nss_ZFreeIf(o->id.data);
+ nss_ZFreeIf(o->nickname);
+ nss_ZFreeIf(o);
+ }
+ return NULL;
}
pemInternalObject *
@@ -306,6 +346,8 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
/* object not found, we need to create it */
pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
filename, objid, slotID);
+ if (io == NULL)
+ return NULL;
io->gobjIndex = count;

52
nsspem-642433.patch Normal file
View File

@ -0,0 +1,52 @@
diff -up ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 ./mozilla/security/nss/lib/ckfw/pem/util.c
--- ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 2010-11-25 10:49:27.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/util.c 2010-12-08 08:02:02.618304926 -0800
@@ -96,9 +96,6 @@ static SECItem *AllocItem(SECItem * item
return (result);
loser:
- if (result != NULL) {
- SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE);
- }
return (NULL);
}
@@ -110,7 +107,7 @@ static SECStatus FileToItem(SECItem * ds
prStatus = PR_GetOpenFileInfo(src, &info);
- if (prStatus != PR_SUCCESS) {
+ if (prStatus != PR_SUCCESS || info.type == PR_FILE_DIRECTORY) {
return SECFailure;
}
@@ -126,8 +123,7 @@ static SECStatus FileToItem(SECItem * ds
return SECSuccess;
loser:
- SECITEM_FreeItem(dst, PR_FALSE);
- nss_ZFreeIf(dst);
+ nss_ZFreeIf(dst->data);
return SECFailure;
}
@@ -153,6 +149,10 @@ ReadDERFromFile(SECItem *** derlist, cha
/* Read in ascii data */
rv = FileToItem(&filedata, inFile);
+ if (rv != SECSuccess) {
+ PR_Close(inFile);
+ return -1;
+ }
asc = (char *) filedata.data;
if (!asc) {
PR_Close(inFile);
@@ -252,7 +252,7 @@ ReadDERFromFile(SECItem *** derlist, cha
} else {
/* Read in binary der */
rv = FileToItem(der, inFile);
- if (rv) {
+ if (rv != SECSuccess) {
PR_Close(inFile);
return -1;
}

View File

@ -1,5 +1,5 @@
248bc97cb3fd613b23d66fd1d9d8d60a nss-3.12.8-stripped.tar.bz2
765fa031d5affa91ab824dd981777ddf nss-pem-20100809.tar.bz2
b3dda60fc3d22d1b02b2330428a2b759 nss-3.12.9-stripped.tar.bz2
e63cddf74c07f0d818d1052ecc6fbb1f nss-pem-20101125.tar.bz2
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db

View File

@ -0,0 +1,97 @@
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11pars.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c.jss 2011-02-11 07:45:38.324083242 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 2011-02-11 07:48:14.514166538 -0800
@@ -258,6 +258,19 @@ secmod_IsInternalKeySlot(SECMODModule *m
return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
}
+void
+secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val)
+{
+ char flags = (char) mod->internal;
+
+ if (val) {
+ flags |= SECMOD_FLAG_INTERNAL_KEY_SLOT;
+ } else {
+ flags &= ~SECMOD_FLAG_INTERNAL_KEY_SLOT;
+ }
+ mod->internal = flags;
+}
+
/* forward declarations */
static int secmod_escapeSize(const char *string, char quote);
static char *secmod_addEscape(const char *string, char quote);
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h.jss 2011-02-11 07:47:45.037226877 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2011-02-11 07:48:28.854164207 -0800
@@ -115,6 +115,7 @@ void PK11_InitSlot(SECMODModule *mod,CK_
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
void pk11_SetInternalKeySlot(PK11SlotInfo *slot);
+PK11SlotInfo *pk11_SwapInternalKeySlot(PK11SlotInfo *slot);
void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot);
/*********************************************************************
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11slot.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11slot.c.jss 2011-02-11 07:41:11.258746774 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11slot.c 2011-02-11 07:48:51.291595867 -0800
@@ -1755,6 +1755,18 @@ pk11_SetInternalKeySlotIfFirst(PK11SlotI
pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
}
+/*
+ * Swap out a default internal keyslot. Caller owns the Slot Reference
+ */
+PK11SlotInfo *
+pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
+{
+ PK11SlotInfo *swap = pk11InternalKeySlot;
+
+ pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
+ return swap;
+}
+
/* get the internal key slot. FIPS has only one slot for both key slots and
* default slots */
diff -up ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss ./mozilla/security/nss/lib/pk11wrap/pk11util.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c.jss 2011-02-11 07:40:23.748066635 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 2011-02-11 07:49:19.674611909 -0800
@@ -483,13 +483,25 @@ SECMOD_DeleteInternalModule(const char *
NULL, SECMOD_FIPS_FLAGS);
}
if (newModule) {
+ PK11SlotInfo *slot;
newModule->libraryParams =
PORT_ArenaStrdup(newModule->arena,mlp->module->libraryParams);
+ /* if an explicit internal key slot has been set, reset it */
+ slot = pk11_SwapInternalKeySlot(NULL);
+ if (slot) {
+ secmod_SetInternalKeySlotFlag(newModule, PR_TRUE);
+ }
rv = SECMOD_AddModule(newModule);
if (rv != SECSuccess) {
+ /* load failed, restore the internal key slot */
+ pk11_SetInternalKeySlot(slot);
SECMOD_DestroyModule(newModule);
newModule = NULL;
}
+ /* free the old explicit internal key slot, we now have a new one */
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
}
if (newModule == NULL) {
SECMODModuleList *last = NULL,*mlp2;
diff -up ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss ./mozilla/security/nss/lib/pk11wrap/secmodi.h
--- ./mozilla/security/nss/lib/pk11wrap/secmodi.h.jss 2011-02-11 07:39:04.685590962 -0800
+++ ./mozilla/security/nss/lib/pk11wrap/secmodi.h 2011-02-11 07:49:28.120021571 -0800
@@ -90,6 +90,8 @@ SECStatus secmod_LoadPKCS11Module(SECMOD
SECStatus SECMOD_UnloadModule(SECMODModule *);
void SECMOD_SetInternalModule(SECMODModule *);
PRBool secmod_IsInternalKeySlot(SECMODModule *);
+void secmod_SetInternalKeySlotFlag(SECMODModule *mod, PRBool val);
+
/* tools for checking if we are loading the same database twice */
typedef struct SECMODConfigListStr SECMODConfigList;