1 /*
2 * Signature stuff.
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is the Netscape security libraries.
18 *
19 * The Initial Developer of the Original Code is
20 * Netscape Communications Corporation.
21 * Portions created by the Initial Developer are Copyright (C) 1994-2000
22 * the Initial Developer. All Rights Reserved.
23 *
24 * Contributor(s):
25 * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either the GNU General Public License Version 2 or later (the "GPL"), or
29 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
40
41 #include "crypto/third_party/nss/chromium-nss.h"
42
43 #include <vector>
44
45 #include <cryptohi.h>
46 #include <pk11pub.h>
47 #include <secerr.h>
48 #include <sechash.h>
49
50 #include "base/basictypes.h"
51 #include "base/logging.h"
52 #include "build/build_config.h"
53
DerSignData(PLArenaPool * arena,SECItem * result,SECItem * input,SECKEYPrivateKey * key,SECOidTag algo_id)54 SECStatus DerSignData(PLArenaPool *arena,
55 SECItem *result,
56 SECItem *input,
57 SECKEYPrivateKey *key,
58 SECOidTag algo_id) {
59 if (key->keyType != ecKey) {
60 return SEC_DerSignData(arena, result, input->data, input->len, key,
61 algo_id);
62 }
63
64 // NSS has a private function sec_DecodeSigAlg it uses to figure out the
65 // correct hash from the algorithm id.
66 HASH_HashType hash_type;
67 switch (algo_id) {
68 case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
69 hash_type = HASH_AlgSHA1;
70 break;
71 #ifdef SHA224_LENGTH
72 case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
73 hash_type = HASH_AlgSHA224;
74 break;
75 #endif
76 case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
77 hash_type = HASH_AlgSHA256;
78 break;
79 case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
80 hash_type = HASH_AlgSHA384;
81 break;
82 case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
83 hash_type = HASH_AlgSHA512;
84 break;
85 default:
86 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
87 return SECFailure;
88 }
89
90 // Hash the input.
91 std::vector<uint8> hash_data(HASH_ResultLen(hash_type));
92 SECStatus rv = HASH_HashBuf(
93 hash_type, &hash_data[0], input->data, input->len);
94 if (rv != SECSuccess)
95 return rv;
96 SECItem hash = {siBuffer, &hash_data[0],
97 static_cast<unsigned int>(hash_data.size())};
98
99 // Compute signature of hash.
100 int signature_len = PK11_SignatureLen(key);
101 std::vector<uint8> signature_data(signature_len);
102 SECItem sig = {siBuffer, &signature_data[0],
103 static_cast<unsigned int>(signature_len)};
104 rv = PK11_Sign(key, &sig, &hash);
105 if (rv != SECSuccess)
106 return rv;
107
108 CERTSignedData sd;
109 PORT_Memset(&sd, 0, sizeof(sd));
110 // Fill in tbsCertificate.
111 sd.data.data = (unsigned char*) input->data;
112 sd.data.len = input->len;
113
114 // Fill in signatureAlgorithm.
115 rv = SECOID_SetAlgorithmID(arena, &sd.signatureAlgorithm, algo_id, 0);
116 if (rv != SECSuccess)
117 return rv;
118
119 // Fill in signatureValue.
120 rv = DSAU_EncodeDerSigWithLen(&sd.signature, &sig, sig.len);
121 if (rv != SECSuccess)
122 return rv;
123 sd.signature.len <<= 3; // Convert to bit string.
124
125 // DER encode the signed data object.
126 void* encode_result = SEC_ASN1EncodeItem(
127 arena, result, &sd, SEC_ASN1_GET(CERT_SignedDataTemplate));
128
129 PORT_Free(sd.signature.data);
130
131 return encode_result ? SECSuccess : SECFailure;
132 }
133