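--- a/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+++ b/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
@@ -283,8 +283,9 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
 status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param,
 &wrapped, NULL /* wincx */ );
 if(status != SECSuccess) {
- JSS_throwMsg(env, TOKEN_EXCEPTION,
- "Wrapping operation failed on token");
+ char err[256] = {0};
+ PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError());
+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
 goto finish;
 }
 PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL);
@@ -328,11 +329,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
 int numAttribs = 0;
 CK_TOKEN_INFO tokenInfo;
 
+ /* ideal defaults */
 PRBool isSensitive = PR_TRUE;
 PRBool isExtractable = PR_FALSE;
- /* special case nethsm*/
+
+ /* special case nethsm and lunasa*/
 CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
+ CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
 PRBool isNethsm = PR_TRUE;
+ PRBool isLunasa = PR_TRUE;
 
 if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
 /* exception was thrown */
@@ -347,9 +352,17 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
 break;
 }
 }
+ ix = 0;
+ for(ix=0; ix < 4; ix++) {
+ if (tokenInfo.label[ix] != lunasaLabel[ix]) {
+ isLunasa = PR_FALSE;
+ break;
+ }
+ }
 
 } else {
 isNethsm = PR_FALSE;
+ isLunasa = PR_FALSE;
 }
 
 /* get unwrapping key */
@@ -412,23 +425,25 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
 }
 keyType = PK11_GetKeyType(keyTypeMech, 0);
 
+ /* special case nethsm and lunasa*/
 if( isNethsm ) {
 isSensitive = PR_FALSE;
 isExtractable = PR_FALSE;
+ } else if ( isLunasa) {
+ isSensitive = PR_FALSE;
+ isExtractable = PR_TRUE;
 }
 
-setAttrs:
 /* figure out which operations to enable for this key */
 switch (keyType) {
 case CKK_RSA:
+ numAttribs = 3;
 attribs[0] = CKA_SIGN;
 attribs[1] = CKA_SIGN_RECOVER;
 attribs[2] = CKA_UNWRAP;
 if (isExtractable) {
 attribs[3] = CKA_EXTRACTABLE;
 numAttribs = 4;
- } else {
- numAttribs = 3;
 }
 break;
 case CKK_DSA:
@@ -459,7 +474,9 @@ setAttrs:
 &label, pubValue, token, isSensitive /*sensitive*/, keyType,
 attribs, numAttribs, NULL /*wincx*/);
 if( privk == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
+ char err[256] = {0};
+ PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
 goto finish;
 }
 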
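Review bot: The `else if ( isLunasa)` branch in the `@@ -412,23 +425,25 @@` hunk unwraps private keys with `isSensitive = PR_FALSE` and `isExtractable = PR_TRUE`, so on a matching token the key is created non-sensitive and, at least in the visible `CKK_RSA` case, with `CKA_EXTRACTABLE`, giving up the protection the "ideal defaults" above it describe. The match compares only the first four bytes of `tokenInfo.label` with `'l','u','n','a'`, and a token label is normally chosen by whoever initialises the token, so any token whose label happens to start with those bytes takes this path. I would tie the special case to a less ambiguous identifier (for example also checking `tokenInfo.manufacturerID`) and record the consequence next to the branch, e.g. `/* Luna SA only: key is created non-sensitive and extractable, i.e. it can later be wrapped off the token */`. The enclosing function starts and ends outside the hunks shown.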
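--- a/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+++ b/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
@@ -322,10 +322,13 @@ final class PK11KeyWrapper implements Ke
 throw new InvalidKeyException("key to be wrapped is not a "+
 "PKCS #11 key");
 }
+/* NSS is capable of moving keys appropriately,
+ so this call is prematurely bailing
 if( ! symKey.getOwningToken().equals(token) ) {
 throw new InvalidKeyException("key to be wrapped does not live"+
 " on the same token as the wrapping key");
 }
+*/
 }
 
 /**
@@ -340,10 +343,13 @@ final class PK11KeyWrapper implements Ke
 throw new InvalidKeyException("key to be wrapped is not a "+
 "PKCS #11 key");
 }
+/* NSS is capable of moving keys appropriately,
+ so this call is prematurely bailing
 if( ! privKey.getOwningToken().equals(token) ) {
 throw new InvalidKeyException("key to be wrapped does not live"+
 " on the same token as the wrapping key");
 }
+*/
 }
 
 /**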
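Review bot: With the `getOwningToken().equals(token)` guard commented out in both hunks, a key that lives on a different token is no longer rejected with `InvalidKeyException` before the native call, and nothing documents what happens instead. If NSS moves a key between tokens to complete the wrap, as the new comment says, the method Javadoc should say so, because key material may then be handled by a token other than the one that owns it; a non-extractable key would presumably fail later with a `TokenException`. I would delete the dead block rather than keep it inside `/* … */` and leave a single line such as `// No same-token check: NSS moves the key to the wrapping token when needed`. The same commented-out pattern appears in `PK11Token.getKeyWrapper`. Both enclosing methods start outside the hunks.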
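--- a/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
+++ b/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
@@ -135,10 +135,13 @@ public final class PK11Token implements
 getKeyWrapper(KeyWrapAlgorithm algorithm)
 throws NoSuchAlgorithmException, TokenException
 {
+/* NSS is capable of finding the right token to do algorithm,
+ so this call is prematurely bailing
 if( ! doesAlgorithm(algorithm) ) {
 throw new NoSuchAlgorithmException(
 algorithm+" is not supported by this token");
 }
+*/
 return new PK11KeyWrapper(this, algorithm);
 }
 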
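Review bot: `getKeyWrapper` still declares `throws NoSuchAlgorithmException`, but with the `doesAlgorithm(algorithm)` check disabled the visible body no longer throws it, so an unsupported algorithm now surfaces only when the wrapper is used. Going by the new comment, the operation may also end up on a token other than the one the caller asked, which matters to callers that picked a specific token for policy reasons; that is inferred from the comment, not from code shown here. The method documentation should state both, for instance `Does not check doesAlgorithm(); NSS may perform the operation on another token that supports the algorithm.`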
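--- a/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -243,7 +243,7 @@ public class EncryptedPrivateKeyInfo imp
 }
 
 KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC);
+ KeyWrapAlgorithm.DES3_CBC_PAD);
 wrapper.initWrap(key, params);
 byte encrypted[] = wrapper.wrap(pri);
 
@@ -260,6 +260,7 @@ public class EncryptedPrivateKeyInfo imp
 return epki;
 
 } catch (Exception e) {
+ System.out.println("createPBE: exception:"+e.toString());
 Assert.notReached("EncryptedPrivateKeyInfo exception:"
 +".createPBE");
 }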
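Review bot: The added `System.out.println(...)` in the `catch (Exception e)` block of the second hunk writes the failure to the standard output of whatever process embeds the library, and the exception itself is still dropped, so its cause and stack trace are lost. I would fold the detail into the existing assertion message instead, e.g. `Assert.notReached("EncryptedPrivateKeyInfo.createPBE exception: " + e);`, or rethrow if the method signature allows it. What the method returns after the assertion is outside the hunk.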