[pkg-opensc-commit] [pkcs11-helper] 112/253: NSS crypto engine

Eric Dorland eric at moszumanska.debian.org
Fri Jan 6 23:39:10 UTC 2017 

This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository pkcs11-helper.

commit 8287b4d6965a697905b7259bb737f43b7f56b993
Author: Alon Bar-Lev <alon.barlev at gmail.com>
Date:   Fri Jun 15 12:42:32 2007 +0000

    NSS crypto engine
---
 COPYING                                     |  10 ++
 ChangeLog                                   |   4 +
 configure.ac                                |  24 ++-
 include/pkcs11-helper-1.0/pkcs11h-engines.h |   2 +
 lib/pkcs11h-crypto.c                        | 254 ++++++++++++++++++++++++++++
 5 files changed, 293 insertions(+), 1 deletion(-)

diff --git a/COPYING b/COPYING
index a94f6ad..d11553e 100644
--- a/COPYING
+++ b/COPYING
@@ -92,6 +92,16 @@ GnuTLS License (Optional component, for a complete GPLed license, replaces OpenS
 	Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
 	USA.
 
+NSS License (Optional component, parsing certificates, engine)
+
+	The Original Code is Mozilla Communicator client code, released
+	March 31, 1998.
+
+	The Initial Developer of the Original Code is Netscape
+	Communications Corporation. Portions created by Netscape are
+	Copyright (C) 1998-1999 Netscape Communications Corporation. All
+	Rights Reserved.
+
 Doxygen License (Optional component, documentation)
 
 	Copyright © 1997-2006 by Dimitri van Heesch.
diff --git a/ChangeLog b/ChangeLog
index 36c2b50..b9e64af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@ Copyright (c) 2006 Alon Bar-Lev <alon.barlev at gmail.com>
 
 $Id$
 
+????-??-?? - Version 1.04
+
+* Added NSS crypto enigne.
+
 2007-06-13 - Version 1.03
 
 * Autoconf fixups.
diff --git a/configure.ac b/configure.ac
index a370db9..4a0fe6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -174,6 +174,12 @@ AC_ARG_ENABLE([crypto-engine-gnutls],
 	[enable_crypto_engine_gnutls="yes"]
 )
 
+AC_ARG_ENABLE([crypto-engine-nss],
+	[  --disable-crypto-engine-nss   Disable NSS crypto engine],
+	,
+	[enable_crypto_engine_nss="yes"]
+)
+
 AC_ARG_ENABLE([crypto-engine-win32],
 	[  --disable-crypto-engine-win32     Disable win32 native crypto engine on win32 systems],
 	,
@@ -235,6 +241,7 @@ if test "${have_openssl}" = "no"; then
 fi
 
 PKG_CHECK_MODULES([GNUTLS], [gnutls >= 1.4], [have_gnutls="yes"], [have_gnutls="no"])
+PKG_CHECK_MODULES([NSS], [nss >= 3.11], [have_nss="yes"], [have_nss="no"])
 
 AC_MSG_CHECKING([OpenSSL interface])
 if test "${enable_openssl}" = "yes"; then
@@ -278,7 +285,7 @@ AC_MSG_CHECKING([GnuTLS crypto engine])
 if test "${enable_crypto_engine_gnutls}" = "yes"; then
 	if test "${have_gnutls}" = "yes"; then
 		AC_MSG_RESULT([yes])
-		AC_DEFINE([ENABLE_PKCS11H_ENGINE_GNUTLS], [1], [Use GNUTLS crypto engine])
+		AC_DEFINE([ENABLE_PKCS11H_ENGINE_GNUTLS], [1], [Use GnuTLS crypto engine])
 		CFLAGS="${CFLAGS} ${GNUTLS_CFLAGS}"
 		LIBS="${LIBS} ${GNUTLS_LIBS}"
 	else
@@ -288,6 +295,20 @@ else
 	AC_MSG_RESULT([no])
 fi
 
+AC_MSG_CHECKING([NSS crypto engine])
+if test "${enable_crypto_engine_nss}" = "yes"; then
+	if test "${have_nss}" = "yes"; then
+		AC_MSG_RESULT([yes])
+		AC_DEFINE([ENABLE_PKCS11H_ENGINE_NSS], [1], [Use NSS crypto engine])
+		CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+		LIBS="${LIBS} ${NSS_LIBS}"
+	else
+		AC_MSG_RESULT([no])
+	fi
+else
+	AC_MSG_RESULT([no])
+fi
+
 # Checks for header files.
 AC_HEADER_STDC
 AX_CPP_VARARG_MACRO_ISO
@@ -372,6 +393,7 @@ fi
 if test \
 	"${enable_crypto_engine_openssl}" = "yes" -o \
 	"${enable_crypto_engine_gnutls}" = "yes" -o \
+	"${enable_crypto_engine_nss}" = "yes" -o \
 	"${enable_crypto_engine_win32}" = "yes"; then
 	PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto"
 fi
diff --git a/include/pkcs11-helper-1.0/pkcs11h-engines.h b/include/pkcs11-helper-1.0/pkcs11h-engines.h
index 0360f81..1c3221f 100644
--- a/include/pkcs11-helper-1.0/pkcs11h-engines.h
+++ b/include/pkcs11-helper-1.0/pkcs11h-engines.h
@@ -206,6 +206,8 @@ typedef struct pkcs11h_crypto_engine_s {
 #define PKCS11H_ENGINE_CRYPTO_GNUTLS	((pkcs11h_engine_crypto_t *)2)
 /** Select Win32. */
 #define PKCS11H_ENGINE_CRYPTO_WIN32	((pkcs11h_engine_crypto_t *)3)
+/** Select NSS. */
+#define PKCS11H_ENGINE_CRYPTO_NSS	((pkcs11h_engine_crypto_t *)4)
 /** Auto select GPL enigne. */
 #define PKCS11H_ENGINE_CRYPTO_GPL	((pkcs11h_engine_crypto_t *)10)
 /** @} */
diff --git a/lib/pkcs11h-crypto.c b/lib/pkcs11h-crypto.c
index 8b521c9..01ebab8 100644
--- a/lib/pkcs11h-crypto.c
+++ b/lib/pkcs11h-crypto.c
@@ -64,6 +64,12 @@
 #include <gnutls/x509.h>
 #endif
 
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+#define _PKCS11T_H_ /* required so no conflict with ours */
+#include <nss.h>
+#include <cert.h>
+#endif
+
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
 #include <wincrypt.h>
 #if !defined(CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT)
@@ -200,6 +206,51 @@ __pkcs11h_crypto_gnutls_certificate_is_issuer (
 
 #endif
 
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+
+static
+int
+__pkcs11h_crypto_nss_initialize (
+	IN void * const global_data
+);
+
+static
+int
+__pkcs11h_crypto_nss_uninitialize (
+	IN void * const global_data
+);
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_expiration (
+	IN void * const global_data,
+	IN const unsigned char * const blob,
+	IN const size_t blob_size,
+	OUT time_t * const expiration
+);
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_dn (
+	IN void * const global_data,
+	IN const unsigned char * const blob,
+	IN const size_t blob_size,
+	OUT char * const dn,
+	IN const size_t dn_max
+);
+
+static
+int
+__pkcs11h_crypto_nss_certificate_is_issuer (
+	IN void * const global_data,
+	IN const unsigned char * const signer_blob,
+	IN const size_t signer_blob_size,
+	IN const unsigned char * const cert_blob,
+	IN const size_t cert_blob_size
+);
+
+#endif
+
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
 
 typedef PCCERT_CONTEXT (WINAPI *__CertCreateCertificateContext_t) (
@@ -299,6 +350,17 @@ static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_gnutls = {
 	__pkcs11h_crypto_gnutls_certificate_is_issuer
 };
 #endif
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+static int s_nss_data = 0;
+static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_nss = {
+	&s_nss_data,
+	__pkcs11h_crypto_nss_initialize,
+	__pkcs11h_crypto_nss_uninitialize,
+	__pkcs11h_crypto_nss_certificate_get_expiration,
+	__pkcs11h_crypto_nss_certificate_get_dn,
+	__pkcs11h_crypto_nss_certificate_is_issuer
+};
+#endif
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
 static struct __crypto_win32_data_s s_win32_data = { NULL };
 static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_win32 = {
@@ -334,6 +396,8 @@ pkcs11h_engine_setCrypto (
 		_engine = &_g_pkcs11h_crypto_engine_win32;
 #elif defined(ENABLE_PKCS11H_ENGINE_OPENSSL)
 		_engine = &_g_pkcs11h_crypto_engine_openssl;
+#elif defined(ENABLE_PKCS11H_ENGINE_NSS)
+		_engine = &_g_pkcs11h_crypto_engine_nss;
 #elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
 		_engine = &_g_pkcs11h_crypto_engine_gnutls;
 #else
@@ -384,6 +448,14 @@ pkcs11h_engine_setCrypto (
 		goto cleanup;
 #endif
 	}
+	else if (engine == PKCS11H_ENGINE_CRYPTO_NSS) {
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+		_engine = &_g_pkcs11h_crypto_engine_nss;
+#else
+		rv = CKR_ATTRIBUTE_VALUE_INVALID;
+		goto cleanup;
+#endif
+	}
 	else {
 		_engine = engine;
 	}
@@ -822,6 +894,188 @@ cleanup:
 
 #endif				/* ENABLE_PKCS11H_ENGINE_GNUTLS */
 
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+
+static
+int
+__pkcs11h_crypto_nss_initialize (
+	IN void * const global_data
+) {
+	int ret = FALSE;
+
+	if (NSS_IsInitialized ()) {
+		*(int *)global_data = FALSE;
+	}
+	else {
+		if (NSS_NoDB_Init (NULL) != SECSuccess) {
+			goto cleanup;
+		}
+		*(int *)global_data = TRUE;
+	}
+
+	ret = TRUE;
+
+cleanup:
+
+	return ret;
+}
+
+static
+int
+__pkcs11h_crypto_nss_uninitialize (
+	IN void * const global_data
+) {
+	if (*(int *)global_data != FALSE) {
+		NSS_Shutdown ();
+	}
+
+	return TRUE;
+}
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_expiration (
+	IN void * const global_data,
+	IN const unsigned char * const blob,
+	IN const size_t blob_size,
+	OUT time_t * const expiration
+) {
+	CERTCertificate *cert = NULL;
+	PRTime pr_notBefore, pr_notAfter;
+	time_t notBefore, notAfter;
+	time_t now = time (NULL);
+	int tm_isdst = localtime (&now)->tm_isdst;
+	struct tm *tm1;
+
+	(void)global_data;
+
+	*expiration = (time_t)0;
+
+	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+	_PKCS11H_ASSERT (blob!=NULL);
+	_PKCS11H_ASSERT (expiration!=NULL);
+
+	if ((cert = CERT_DecodeCertFromPackage ((char *)blob, blob_size)) == NULL) {
+		goto cleanup;
+	}
+
+	if (CERT_GetCertTimes (cert, &pr_notBefore, &pr_notAfter) != SECSuccess) {
+		goto cleanup;
+	}
+
+	notBefore = pr_notBefore/1000000;
+	notAfter = pr_notAfter/1000000;
+
+	tm1 = gmtime (&notBefore);
+	tm1->tm_isdst = tm_isdst;
+	notBefore = mktime (tm1);
+	tm1 = gmtime (&notAfter);
+	tm1->tm_isdst = tm_isdst;
+	notAfter = mktime (tm1);
+
+	if (
+		now >= notBefore &&
+		now <= notAfter
+	) {
+		*expiration = notAfter;
+	}
+
+cleanup:
+
+	if (cert != NULL) {
+		CERT_DestroyCertificate (cert);
+	}
+
+	return *expiration != (time_t)0;
+}
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_dn (
+	IN void * const global_data,
+	IN const unsigned char * const blob,
+	IN const size_t blob_size,
+	OUT char * const dn,
+	IN const size_t dn_max
+) {
+	CERTCertificate *cert = NULL;
+
+	(void)global_data;
+
+	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+	_PKCS11H_ASSERT (blob!=NULL);
+	_PKCS11H_ASSERT (dn!=NULL);
+	_PKCS11H_ASSERT (dn_max>0);
+
+	dn[0] = '\x0';
+
+	if ((cert = CERT_DecodeCertFromPackage ((char *)blob, blob_size)) == NULL) {
+		goto cleanup;
+	}
+
+	if (strlen (cert->subjectName) >= dn_max) {
+		goto cleanup;
+	}
+
+	strcpy (dn, cert->subjectName);
+
+cleanup:
+
+	if (cert != NULL) {
+		CERT_DestroyCertificate (cert);
+	}
+
+	return dn[0] != '\x0';
+}
+
+static
+int
+__pkcs11h_crypto_nss_certificate_is_issuer (
+	IN void * const global_data,
+	IN const unsigned char * const issuer_blob,
+	IN const size_t issuer_blob_size,
+	IN const unsigned char * const cert_blob,
+	IN const size_t cert_blob_size
+) {
+	PKCS11H_BOOL is_issuer = FALSE;
+	CERTCertificate *cert = NULL;
+	CERTCertificate *issuer = NULL;
+
+	(void)global_data;
+
+	/*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+	_PKCS11H_ASSERT (issuer_blob!=NULL);
+	_PKCS11H_ASSERT (cert_blob!=NULL);
+
+	if ((issuer = CERT_DecodeCertFromPackage ((char *)issuer_blob, issuer_blob_size)) == NULL) {
+		goto cleanup;
+	}
+
+	if ((cert = CERT_DecodeCertFromPackage ((char *)cert_blob, cert_blob_size)) == NULL) {
+		goto cleanup;
+	}
+
+	is_issuer = CERT_VerifySignedDataWithPublicKeyInfo (
+		&cert->signatureWrap,
+		&issuer->subjectPublicKeyInfo,
+		NULL
+	) == SECSuccess;
+
+cleanup:
+
+	if (cert != NULL) {
+		CERT_DestroyCertificate (cert);
+	}
+
+	if (issuer != NULL) {
+		CERT_DestroyCertificate (issuer);
+	}
+
+	return is_issuer;
+}
+
+#endif				/* ENABLE_PKCS11H_ENGINE_GNUTLS */
+
 #if defined(ENABLE_PKCS11H_ENGINE_WIN32)
 
 static

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/pkcs11-helper.git

More information about the pkg-opensc-commit mailing list