PKIFNSS.cpp

Go to the documentation of this file.

#include "PKIFNSS.h"
#include "PKIFNSSHelper.h"

#include "PKIFNSSDatabase.h"
#include "PKIFNSSCredential.h"

#include "ToolkitUtils.h"
#include "PKIFCryptoErrors.h"
#include "PKIFNSSErrors.h"
#include "PKIFCryptoException.h"
#include "KeyUsage.h"

#include <sstream>

#include "PKIFNSSConfig.h"
#include "PKIFNSSUtils.h"
#include "nspr.h"

#include "boost/numeric/conversion/cast.hpp"

using boost::numeric_cast;
using boost::bad_numeric_cast;

using namespace std;

static bool s_nssKVHashesBuilt = false;
struct CPKIFNSSImpl
{
    string m_dbdir;
    CERTCertDBHandle * m_certDbHandle;

};

CPKIFNSS::CPKIFNSS(
    const std::string & dbdir)
:m_impl(new CPKIFNSSImpl)
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    m_impl->m_dbdir = dbdir;
}
CPKIFNSS::~CPKIFNSS()
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    if(!m_impl) {
        delete m_impl;
        m_impl = 0;
    }
}

// make sure NSS has been initialized using the appropriate database directory
// throws if it hasn't
void CPKIFNSS::Initialize()
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    if(!CPKIFNSSHelper::NSSAvaliable()) {
        RAISE_CRYPTO_EXCEPTION("NSS could not be loaded.",thisComponent,PKIFNSS_INIT_FAILED,this);
    }
    CPKIFNSSDatabase::GetInstance(m_impl->m_dbdir);
    m_impl->m_certDbHandle = CERT_GetDefaultCertDB();
}

void CPKIFNSS::GetKeyList(
    CPKIFCredentialList& v,
    CPKIFKeyUsagePtr& ku)
{
    bitset<9> tmp = ku->GetKeyUsage();
    GetKeyList(v, &tmp);
}

void CPKIFNSS::GetKeyList(
    CPKIFCredentialList& v,
    std::bitset<9>* ku)
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    PK11SlotList * slots = 0;
    PK11SlotListElement * i = 0;
    
    // this will return all soft and hard tokens in the database
    slots = PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,NULL);
    if(slots) {
        // step through each token and list private keys
        for(i = slots->head; 0 != i; i = i->next) {
            PK11SlotInfo * slot = i->slot;
            SECKEYPrivateKeyList * keys = 0;
            SECKEYPrivateKeyListNode * j = 0;
            if(PK11_NeedLogin(slot)) {
                PK11_Authenticate(slot,PR_TRUE,NULL);
            }
            keys = PK11_ListPrivateKeysInSlot(slot);
            if(!keys) {
                continue;
            }
            // go through private keys and inspect keys that have an associated cert; we're can't use
            // ones that don't anyway
            for(j = PRIVKEY_LIST_HEAD(keys); !PRIVKEY_LIST_END(j,keys); j = PRIVKEY_LIST_NEXT(j)) {
                CERTCertificate * nssCert = PK11_GetCertFromPrivateKey(j->key);
                if(nssCert) {
                    // if the caller requested a particular key usage, check that
                    if(ku) {
                        SECItem nssKU;
                        SECStatus rv = CERT_FindKeyUsageExtension(nssCert,&nssKU);
                        if(SECSuccess == rv) {
                            if(keyUsageTest(nssKU.data,ku)) {
                                // got a usable key with appropriate key usage, add it
                                CPKIFCredentialPtr tmp(new CPKIFNSSCredential(j->key,&nssCert->derCert));
                                v.push_back(tmp);
                            }
                            PR_Free(nssKU.data);
                        }
                    } else {
                        CPKIFCredentialPtr tmp(new CPKIFNSSCredential(j->key,&nssCert->derCert));
                        v.push_back(tmp);
                    }
                    CERT_DestroyCertificate(nssCert);
                }
            }
            SECKEY_DestroyPrivateKeyList(keys);
        }
        PK11_FreeSlotList(slots);
    }
}
bool CPKIFNSS::OwnsKey(
    const CPKIFCredential& keyID) const
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    // since there can only be one instance of the NSS database, if we
    // see an NSS key we can act like we own it.
    const CPKIFNSSCredential * nsskey = dynamic_cast<const CPKIFNSSCredential *>(&keyID);
    return (0 != nsskey);
}
CPKIFCredentialPtr CPKIFNSS::MakeKeyID(
    const std::string& asciiHexKeyID)
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    if(!m_impl->m_certDbHandle) {
        RAISE_CRYPTO_EXCEPTION("CPKIFNSS instance not initialized.", thisComponent, COMMON_NOT_INITIALIZED, this);
    }
    if(!s_nssKVHashesBuilt) {
        NSSCMSRecipient * recip = 0;
        PK11_FindCertAndKeyByRecipientListNew(&recip,0);
        s_nssKVHashesBuilt = true;
    }
    CPKIFCredentialPtr nullCred;
    const char * hex = asciiHexKeyID.c_str();
    unsigned int len = 0;

    try 
    {
        len = numeric_cast<unsigned int>(asciiHexKeyID.length()/2);
    }
    catch(bad_numeric_cast &) 
    {
        throw CPKIFException(TOOLKIT_CRYPTO, COMMON_INVALID_INPUT, "Key identifier is an impossibly long number.");
    }

    unsigned char * bin = new unsigned char[len];
    if(0 != atob((char *)bin,const_cast<char *>(hex),&len)) {
        delete[] bin;
        RAISE_CRYPTO_EXCEPTION("Key ID contains invalid characters.",thisComponent,COMMON_INVALID_INPUT,this);
    }
    SECItem siSKID;
    siSKID.data = bin;
    siSKID.len = len;
    siSKID.type = siBuffer;

    // XXX TESTING TODO: Confirm that this is the right thing for NSS and SKIDs 
    // (i.e. that it doesn't need to be DER-encoded first)
    CERTCertificate * nssCert = CERT_FindCertBySubjectKeyID(m_impl->m_certDbHandle,&siSKID);
    delete[] bin;
    if(!nssCert) {
        return nullCred;
    }
    SECKEYPrivateKey * nssPrivateKey = 0;
    nssPrivateKey = PK11_FindKeyByAnyCert(nssCert,0);
    if(!nssPrivateKey) {
        CERT_DestroyCertificate(nssCert);
        return nullCred;
    }
    CPKIFNSSCredential * cred = new CPKIFNSSCredential(nssPrivateKey,&nssCert->derCert);
    CERT_DestroyCertificate(nssCert);
    return CPKIFCredentialPtr(cred);
}
void CPKIFNSS::Sign(
    const CPKIFCredential& key, 
    unsigned char* pHashData, 
    int nHashDataLen, 
    unsigned char* pSignature, 
    int* nSignatureLen,
    PKIFCRYPTO::HASH_ALG hashAlg
    )
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    const CPKIFNSSCredential * nssKey = dynamic_cast<const CPKIFNSSCredential *>(&key);
    if(!nssKey) {
        RAISE_CRYPTO_EXCEPTION("NSS Crypto colleague was given a non-NSS credential",
            thisComponent,CRYPTO_UNRECOGNIZED_CREDENTIAL,this);
    }
    SECItem sig;
    sig.len = *nSignatureLen;
    sig.data = new unsigned char[sig.len];
    sig.type = siBuffer;
    SECItem hash;
    hash.data = pHashData;
    hash.len = nHashDataLen;
    hash.type = siBuffer;
    sig.len = PK11_SignatureLen(nssKey->m_privateKey);
    sig.data = new unsigned char[sig.len];
    sig.type = siBuffer;
    SECOidTag tag = NSSHashAlg(hashAlg);
    //SECStatus rv = PK11_Sign(nssKey->m_privateKey,&sig,&hash);
    SECStatus rv = SGN_Digest(nssKey->m_privateKey,tag,&sig,&hash);
    if(SECSuccess != rv) {
        RAISE_CRYPTO_EXCEPTION("NSS Signature generation failed.",thisComponent,CRYPTO_SIGN_FAILED,this);
    }

    try
    {
        int tmpLen = numeric_cast<int>(sig.len);
        if(*nSignatureLen < tmpLen) 
        {
            PR_Free(sig.data);
            RAISE_CRYPTO_EXCEPTION("Supplied signature buffer is too small", thisComponent,COMMON_INVALID_INPUT,this);
        }
    }
    catch(bad_numeric_cast &) 
    {
        PR_Free(sig.data);
        RAISE_CRYPTO_EXCEPTION("Supplied signature size is too large", thisComponent,COMMON_INVALID_INPUT,this);
    }
    
    memcpy(pSignature,sig.data,sig.len);
    *nSignatureLen = sig.len;
    PR_Free(sig.data);
}

void CPKIFNSS::Decrypt(
    const CPKIFCredential& key,
    unsigned char* pData,
    int nDataLen, 
    unsigned char* pResult,
    int* pnResultLen)
{
    LOG_STRING_DEBUG(__FUNCTION__,TOOLKIT_CRYPTO_NSS,0,this);
    const CPKIFNSSCredential * nssKey = dynamic_cast<const CPKIFNSSCredential *>(&key);
    if(!nssKey) {
        RAISE_CRYPTO_EXCEPTION("NSS Crypto colleague was given a non-NSS credential",
            thisComponent,CRYPTO_UNRECOGNIZED_CREDENTIAL,this);
    }
    int maxLen = *pnResultLen;
    unsigned int realOut = 0;
    SECStatus rv = PK11_PrivDecryptPKCS1(nssKey->m_privateKey, pResult, &realOut, maxLen, pData, nDataLen);
    *pnResultLen = realOut;
    if(SECSuccess != rv) {
        RAISE_CRYPTO_EXCEPTION("NSS Asymmetric decryption failed.",thisComponent,CRYPTO_DECRYPT_FAILED,this);
    }
}
void CPKIFNSS::Encrypt(
    const CPKIFCredential& key,
    unsigned char* pData, 
    int nDataLen, 
    unsigned char* pResult, 
    int* pnResultLen)
{
    RAISE_CRYPTO_EXCEPTION("Encryption is unimplemented for stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
}
bool CPKIFNSS::Verify(
    const CPKIFCredential& key,
    unsigned char* pHashData, 
    int nHashDataLen, 
    unsigned char* pSignature, 
    int nSignatureLen,
    PKIFCRYPTO::HASH_ALG hashAlg
    )
{
    RAISE_CRYPTO_EXCEPTION("Verification is unimplemented for stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
    return false;
}
IPKIFCryptContext* CPKIFNSS::CryptInit(
    CPKIFCredentialPtr& key,
    bool pad)
{
    RAISE_CRYPTO_EXCEPTION("Context-based operations are unimplemented for NSS stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
    return 0;
}
void CPKIFNSS::Decrypt(
    IPKIFCryptContext* cryptContext, 
    unsigned char* pData, 
    int nDataLen, 
    unsigned char* pResult, 
    int* pnResultLen, 
    bool final)
{
    RAISE_CRYPTO_EXCEPTION("Context-based decryption is unimplemented for stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
}
void CPKIFNSS::Encrypt(IPKIFCryptContext* cryptContext, unsigned char* pData, int nDataLen, unsigned char* pResult, int* pnResultLen, bool final)
{
    RAISE_CRYPTO_EXCEPTION("Encryption is unimplemented for stored key material.",thisComponent,COMMON_NOT_IMPLEMENTED,this);
}