|
 |
6fc53e |
From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
|
|
|
6fc53e |
From: Alexander Scheel <ascheel@redhat.com>
|
|
|
6fc53e |
Date: Tue, 17 Mar 2020 12:54:49 -0400
|
|
|
6fc53e |
Subject: [PATCH 1/2] Remove token key checks
|
|
|
6fc53e |
|
|
|
6fc53e |
Previously we enforced strict token key matching: the primary key used
|
|
|
6fc53e |
for the operation must strictly reside on the current PKCS#11 token,
|
|
|
6fc53e |
otherwise JSS would bail. However, NSS has the ability to move the key
|
|
|
6fc53e |
to whichever token best supports the given operation. This means that
|
|
|
6fc53e |
we'd prematurely bail when the operation would succeed if it were
|
|
|
6fc53e |
actually executed. By removing these checks, we still leave the ability
|
|
|
6fc53e |
to generate keys on a specific token, we just allow them to be used on
|
|
|
6fc53e |
whatever token supports the given operation (and the key is allowed to
|
|
|
6fc53e |
be moved to).
|
|
|
6fc53e |
|
|
|
6fc53e |
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
|
6fc53e |
---
|
|
|
6fc53e |
org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ----
|
|
|
6fc53e |
org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 -------------------
|
|
|
6fc53e |
org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------
|
|
|
6fc53e |
3 files changed, 33 deletions(-)
|
|
|
6fc53e |
|
|
|
6fc53e |
diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
|
|
|
6fc53e |
index 81b600a4..aac411a4 100644
|
|
|
6fc53e |
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java
|
|
|
6fc53e |
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
|
|
|
6fc53e |
@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
|
|
|
6fc53e |
if( key==null ) {
|
|
|
6fc53e |
throw new InvalidKeyException("Key is null");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
- if( ! key.getOwningToken().equals(token) ) {
|
|
|
6fc53e |
- throw new InvalidKeyException("Key does not reside on the "+
|
|
|
6fc53e |
- "current token");
|
|
|
6fc53e |
- }
|
|
|
6fc53e |
if( ! (key instanceof PK11SymKey) ) {
|
|
|
6fc53e |
throw new InvalidKeyException("Key is not a PKCS #11 key");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
|
|
|
6fc53e |
index 28840a87..eee2984d 100644
|
|
|
6fc53e |
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
|
|
|
6fc53e |
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
|
|
|
6fc53e |
@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
|
|
6fc53e |
throw new InvalidKeyException("Key is null");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
try {
|
|
|
6fc53e |
- if( ! key.getOwningToken().equals(token) ) {
|
|
|
6fc53e |
- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
|
|
|
6fc53e |
- key.getOwningToken().getName());
|
|
|
6fc53e |
- }
|
|
|
6fc53e |
if( ! (key instanceof PK11SymKey) ) {
|
|
|
6fc53e |
throw new InvalidKeyException("Key is not a PKCS #11 key");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
|
|
6fc53e |
if( key==null ) {
|
|
|
6fc53e |
throw new InvalidKeyException("Key is null");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
- if( ! key.getOwningToken().equals(token) ) {
|
|
|
6fc53e |
- throw new InvalidKeyException("Key does not reside on the "+
|
|
|
6fc53e |
- "current token");
|
|
|
6fc53e |
- }
|
|
|
6fc53e |
if( ! (key instanceof PK11PrivKey) ) {
|
|
|
6fc53e |
throw new InvalidKeyException("Key is not a PKCS #11 key");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
|
|
6fc53e |
throw new InvalidKeyException("key to be wrapped is not a "+
|
|
|
6fc53e |
"PKCS #11 key");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
-/* NSS is capable of moving keys appropriately,
|
|
|
6fc53e |
- so this call is prematurely bailing
|
|
|
6fc53e |
- if( ! symKey.getOwningToken().equals(token) ) {
|
|
|
6fc53e |
- throw new InvalidKeyException("key to be wrapped does not live"+
|
|
|
6fc53e |
- " on the same token as the wrapping key");
|
|
|
6fc53e |
- }
|
|
|
6fc53e |
-*/
|
|
|
6fc53e |
}
|
|
|
6fc53e |
|
|
|
6fc53e |
/**
|
|
|
6fc53e |
@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
|
|
6fc53e |
throw new InvalidKeyException("key to be wrapped is not a "+
|
|
|
6fc53e |
"PKCS #11 key");
|
|
|
6fc53e |
}
|
|
|
6fc53e |
-/* NSS is capable of moving keys appropriately,
|
|
|
6fc53e |
- so this call is prematurely bailing
|
|
|
6fc53e |
- if( ! privKey.getOwningToken().equals(token) ) {
|
|
|
6fc53e |
- throw new InvalidKeyException("key to be wrapped does not live"+
|
|
|
6fc53e |
- " on the same token as the wrapping key");
|
|
|
6fc53e |
- }
|
|
|
6fc53e |
-*/
|
|
|
6fc53e |
}
|
|
|
6fc53e |
|
|
|
6fc53e |
/**
|
|
|
6fc53e |
diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
|
|
|
6fc53e |
index cd732788..7a1a6dad 100644
|
|
|
6fc53e |
--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
|
|
|
6fc53e |
+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
|
|
|
6fc53e |
@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
|
|
|
6fc53e |
}
|
|
|
6fc53e |
|
|
|
6fc53e |
hmacKey = (PK11SymKey) key;
|
|
|
6fc53e |
-
|
|
|
6fc53e |
- if( ! key.getOwningToken().equals(token) ) {
|
|
|
6fc53e |
- hmacKey = null;
|
|
|
6fc53e |
- throw new InvalidKeyException(
|
|
|
6fc53e |
- "HMAC key does not live on the same token as this digest");
|
|
|
6fc53e |
- }
|
|
|
6fc53e |
-
|
|
|
6fc53e |
this.digestProxy = initHMAC(token, alg, hmacKey);
|
|
|
6fc53e |
}
|
|
|
6fc53e |
|
|
|
6fc53e |
--
|
|
|
6fc53e |
2.25.1
|
|
|
6fc53e |
|