[pkg-opensc-commit] [pkcs11-helper] 01/17: NSS crypto engine
Eric Dorland
eric at moszumanska.debian.org
Fri Jan 6 23:39:59 UTC 2017
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to tag pkcs11-helper-1.04
in repository pkcs11-helper.
commit ef55ef9844bf1297ca0b710e1d1d6af665377346
Author: alonbl <alonbl at 485eb718-1723-0410-b8a9-88cf21a28c35>
Date: Fri Jun 15 12:42:32 2007 +0000
NSS crypto engine
---
COPYING | 10 ++
ChangeLog | 4 +
configure.ac | 24 ++-
include/pkcs11-helper-1.0/pkcs11h-engines.h | 2 +
lib/pkcs11h-crypto.c | 254 ++++++++++++++++++++++++++++
5 files changed, 293 insertions(+), 1 deletion(-)
diff --git a/COPYING b/COPYING
index a94f6ad..d11553e 100644
--- a/COPYING
+++ b/COPYING
@@ -92,6 +92,16 @@ GnuTLS License (Optional component, for a complete GPLed license, replaces OpenS
Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
USA.
+NSS License (Optional component, parsing certificates, engine)
+
+ The Original Code is Mozilla Communicator client code, released
+ March 31, 1998.
+
+ The Initial Developer of the Original Code is Netscape
+ Communications Corporation. Portions created by Netscape are
+ Copyright (C) 1998-1999 Netscape Communications Corporation. All
+ Rights Reserved.
+
Doxygen License (Optional component, documentation)
Copyright © 1997-2006 by Dimitri van Heesch.
diff --git a/ChangeLog b/ChangeLog
index 36c2b50..b9e64af 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,10 @@ Copyright (c) 2006 Alon Bar-Lev <alon.barlev at gmail.com>
$Id$
+????-??-?? - Version 1.04
+
+* Added NSS crypto enigne.
+
2007-06-13 - Version 1.03
* Autoconf fixups.
diff --git a/configure.ac b/configure.ac
index a370db9..4a0fe6c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -174,6 +174,12 @@ AC_ARG_ENABLE([crypto-engine-gnutls],
[enable_crypto_engine_gnutls="yes"]
)
+AC_ARG_ENABLE([crypto-engine-nss],
+ [ --disable-crypto-engine-nss Disable NSS crypto engine],
+ ,
+ [enable_crypto_engine_nss="yes"]
+)
+
AC_ARG_ENABLE([crypto-engine-win32],
[ --disable-crypto-engine-win32 Disable win32 native crypto engine on win32 systems],
,
@@ -235,6 +241,7 @@ if test "${have_openssl}" = "no"; then
fi
PKG_CHECK_MODULES([GNUTLS], [gnutls >= 1.4], [have_gnutls="yes"], [have_gnutls="no"])
+PKG_CHECK_MODULES([NSS], [nss >= 3.11], [have_nss="yes"], [have_nss="no"])
AC_MSG_CHECKING([OpenSSL interface])
if test "${enable_openssl}" = "yes"; then
@@ -278,7 +285,7 @@ AC_MSG_CHECKING([GnuTLS crypto engine])
if test "${enable_crypto_engine_gnutls}" = "yes"; then
if test "${have_gnutls}" = "yes"; then
AC_MSG_RESULT([yes])
- AC_DEFINE([ENABLE_PKCS11H_ENGINE_GNUTLS], [1], [Use GNUTLS crypto engine])
+ AC_DEFINE([ENABLE_PKCS11H_ENGINE_GNUTLS], [1], [Use GnuTLS crypto engine])
CFLAGS="${CFLAGS} ${GNUTLS_CFLAGS}"
LIBS="${LIBS} ${GNUTLS_LIBS}"
else
@@ -288,6 +295,20 @@ else
AC_MSG_RESULT([no])
fi
+AC_MSG_CHECKING([NSS crypto engine])
+if test "${enable_crypto_engine_nss}" = "yes"; then
+ if test "${have_nss}" = "yes"; then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([ENABLE_PKCS11H_ENGINE_NSS], [1], [Use NSS crypto engine])
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ else
+ AC_MSG_RESULT([no])
+ fi
+else
+ AC_MSG_RESULT([no])
+fi
+
# Checks for header files.
AC_HEADER_STDC
AX_CPP_VARARG_MACRO_ISO
@@ -372,6 +393,7 @@ fi
if test \
"${enable_crypto_engine_openssl}" = "yes" -o \
"${enable_crypto_engine_gnutls}" = "yes" -o \
+ "${enable_crypto_engine_nss}" = "yes" -o \
"${enable_crypto_engine_win32}" = "yes"; then
PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto"
fi
diff --git a/include/pkcs11-helper-1.0/pkcs11h-engines.h b/include/pkcs11-helper-1.0/pkcs11h-engines.h
index 0360f81..1c3221f 100644
--- a/include/pkcs11-helper-1.0/pkcs11h-engines.h
+++ b/include/pkcs11-helper-1.0/pkcs11h-engines.h
@@ -206,6 +206,8 @@ typedef struct pkcs11h_crypto_engine_s {
#define PKCS11H_ENGINE_CRYPTO_GNUTLS ((pkcs11h_engine_crypto_t *)2)
/** Select Win32. */
#define PKCS11H_ENGINE_CRYPTO_WIN32 ((pkcs11h_engine_crypto_t *)3)
+/** Select NSS. */
+#define PKCS11H_ENGINE_CRYPTO_NSS ((pkcs11h_engine_crypto_t *)4)
/** Auto select GPL enigne. */
#define PKCS11H_ENGINE_CRYPTO_GPL ((pkcs11h_engine_crypto_t *)10)
/** @} */
diff --git a/lib/pkcs11h-crypto.c b/lib/pkcs11h-crypto.c
index 8b521c9..01ebab8 100644
--- a/lib/pkcs11h-crypto.c
+++ b/lib/pkcs11h-crypto.c
@@ -64,6 +64,12 @@
#include <gnutls/x509.h>
#endif
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+#define _PKCS11T_H_ /* required so no conflict with ours */
+#include <nss.h>
+#include <cert.h>
+#endif
+
#if defined(ENABLE_PKCS11H_ENGINE_WIN32)
#include <wincrypt.h>
#if !defined(CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT)
@@ -200,6 +206,51 @@ __pkcs11h_crypto_gnutls_certificate_is_issuer (
#endif
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+
+static
+int
+__pkcs11h_crypto_nss_initialize (
+ IN void * const global_data
+);
+
+static
+int
+__pkcs11h_crypto_nss_uninitialize (
+ IN void * const global_data
+);
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_expiration (
+ IN void * const global_data,
+ IN const unsigned char * const blob,
+ IN const size_t blob_size,
+ OUT time_t * const expiration
+);
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_dn (
+ IN void * const global_data,
+ IN const unsigned char * const blob,
+ IN const size_t blob_size,
+ OUT char * const dn,
+ IN const size_t dn_max
+);
+
+static
+int
+__pkcs11h_crypto_nss_certificate_is_issuer (
+ IN void * const global_data,
+ IN const unsigned char * const signer_blob,
+ IN const size_t signer_blob_size,
+ IN const unsigned char * const cert_blob,
+ IN const size_t cert_blob_size
+);
+
+#endif
+
#if defined(ENABLE_PKCS11H_ENGINE_WIN32)
typedef PCCERT_CONTEXT (WINAPI *__CertCreateCertificateContext_t) (
@@ -299,6 +350,17 @@ static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_gnutls = {
__pkcs11h_crypto_gnutls_certificate_is_issuer
};
#endif
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+static int s_nss_data = 0;
+static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_nss = {
+ &s_nss_data,
+ __pkcs11h_crypto_nss_initialize,
+ __pkcs11h_crypto_nss_uninitialize,
+ __pkcs11h_crypto_nss_certificate_get_expiration,
+ __pkcs11h_crypto_nss_certificate_get_dn,
+ __pkcs11h_crypto_nss_certificate_is_issuer
+};
+#endif
#if defined(ENABLE_PKCS11H_ENGINE_WIN32)
static struct __crypto_win32_data_s s_win32_data = { NULL };
static const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_win32 = {
@@ -334,6 +396,8 @@ pkcs11h_engine_setCrypto (
_engine = &_g_pkcs11h_crypto_engine_win32;
#elif defined(ENABLE_PKCS11H_ENGINE_OPENSSL)
_engine = &_g_pkcs11h_crypto_engine_openssl;
+#elif defined(ENABLE_PKCS11H_ENGINE_NSS)
+ _engine = &_g_pkcs11h_crypto_engine_nss;
#elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
_engine = &_g_pkcs11h_crypto_engine_gnutls;
#else
@@ -384,6 +448,14 @@ pkcs11h_engine_setCrypto (
goto cleanup;
#endif
}
+ else if (engine == PKCS11H_ENGINE_CRYPTO_NSS) {
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+ _engine = &_g_pkcs11h_crypto_engine_nss;
+#else
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto cleanup;
+#endif
+ }
else {
_engine = engine;
}
@@ -822,6 +894,188 @@ cleanup:
#endif /* ENABLE_PKCS11H_ENGINE_GNUTLS */
+#if defined(ENABLE_PKCS11H_ENGINE_NSS)
+
+static
+int
+__pkcs11h_crypto_nss_initialize (
+ IN void * const global_data
+) {
+ int ret = FALSE;
+
+ if (NSS_IsInitialized ()) {
+ *(int *)global_data = FALSE;
+ }
+ else {
+ if (NSS_NoDB_Init (NULL) != SECSuccess) {
+ goto cleanup;
+ }
+ *(int *)global_data = TRUE;
+ }
+
+ ret = TRUE;
+
+cleanup:
+
+ return ret;
+}
+
+static
+int
+__pkcs11h_crypto_nss_uninitialize (
+ IN void * const global_data
+) {
+ if (*(int *)global_data != FALSE) {
+ NSS_Shutdown ();
+ }
+
+ return TRUE;
+}
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_expiration (
+ IN void * const global_data,
+ IN const unsigned char * const blob,
+ IN const size_t blob_size,
+ OUT time_t * const expiration
+) {
+ CERTCertificate *cert = NULL;
+ PRTime pr_notBefore, pr_notAfter;
+ time_t notBefore, notAfter;
+ time_t now = time (NULL);
+ int tm_isdst = localtime (&now)->tm_isdst;
+ struct tm *tm1;
+
+ (void)global_data;
+
+ *expiration = (time_t)0;
+
+ /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+ _PKCS11H_ASSERT (blob!=NULL);
+ _PKCS11H_ASSERT (expiration!=NULL);
+
+ if ((cert = CERT_DecodeCertFromPackage ((char *)blob, blob_size)) == NULL) {
+ goto cleanup;
+ }
+
+ if (CERT_GetCertTimes (cert, &pr_notBefore, &pr_notAfter) != SECSuccess) {
+ goto cleanup;
+ }
+
+ notBefore = pr_notBefore/1000000;
+ notAfter = pr_notAfter/1000000;
+
+ tm1 = gmtime (¬Before);
+ tm1->tm_isdst = tm_isdst;
+ notBefore = mktime (tm1);
+ tm1 = gmtime (¬After);
+ tm1->tm_isdst = tm_isdst;
+ notAfter = mktime (tm1);
+
+ if (
+ now >= notBefore &&
+ now <= notAfter
+ ) {
+ *expiration = notAfter;
+ }
+
+cleanup:
+
+ if (cert != NULL) {
+ CERT_DestroyCertificate (cert);
+ }
+
+ return *expiration != (time_t)0;
+}
+
+static
+int
+__pkcs11h_crypto_nss_certificate_get_dn (
+ IN void * const global_data,
+ IN const unsigned char * const blob,
+ IN const size_t blob_size,
+ OUT char * const dn,
+ IN const size_t dn_max
+) {
+ CERTCertificate *cert = NULL;
+
+ (void)global_data;
+
+ /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+ _PKCS11H_ASSERT (blob!=NULL);
+ _PKCS11H_ASSERT (dn!=NULL);
+ _PKCS11H_ASSERT (dn_max>0);
+
+ dn[0] = '\x0';
+
+ if ((cert = CERT_DecodeCertFromPackage ((char *)blob, blob_size)) == NULL) {
+ goto cleanup;
+ }
+
+ if (strlen (cert->subjectName) >= dn_max) {
+ goto cleanup;
+ }
+
+ strcpy (dn, cert->subjectName);
+
+cleanup:
+
+ if (cert != NULL) {
+ CERT_DestroyCertificate (cert);
+ }
+
+ return dn[0] != '\x0';
+}
+
+static
+int
+__pkcs11h_crypto_nss_certificate_is_issuer (
+ IN void * const global_data,
+ IN const unsigned char * const issuer_blob,
+ IN const size_t issuer_blob_size,
+ IN const unsigned char * const cert_blob,
+ IN const size_t cert_blob_size
+) {
+ PKCS11H_BOOL is_issuer = FALSE;
+ CERTCertificate *cert = NULL;
+ CERTCertificate *issuer = NULL;
+
+ (void)global_data;
+
+ /*_PKCS11H_ASSERT (global_data!=NULL); NOT NEEDED*/
+ _PKCS11H_ASSERT (issuer_blob!=NULL);
+ _PKCS11H_ASSERT (cert_blob!=NULL);
+
+ if ((issuer = CERT_DecodeCertFromPackage ((char *)issuer_blob, issuer_blob_size)) == NULL) {
+ goto cleanup;
+ }
+
+ if ((cert = CERT_DecodeCertFromPackage ((char *)cert_blob, cert_blob_size)) == NULL) {
+ goto cleanup;
+ }
+
+ is_issuer = CERT_VerifySignedDataWithPublicKeyInfo (
+ &cert->signatureWrap,
+ &issuer->subjectPublicKeyInfo,
+ NULL
+ ) == SECSuccess;
+
+cleanup:
+
+ if (cert != NULL) {
+ CERT_DestroyCertificate (cert);
+ }
+
+ if (issuer != NULL) {
+ CERT_DestroyCertificate (issuer);
+ }
+
+ return is_issuer;
+}
+
+#endif /* ENABLE_PKCS11H_ENGINE_GNUTLS */
+
#if defined(ENABLE_PKCS11H_ENGINE_WIN32)
static
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/pkcs11-helper.git
More information about the pkg-opensc-commit
mailing list