--- a/cmd/bltest/blapitest.c
+++ b/cmd/bltest/blapitest.c
@@ -15,26 +15,24 @@
#include "nssb64.h"
#include "basicutil.h"
#include "plgetopt.h"
#include "softoken.h"
#include "nspr.h"
#include "secport.h"
#include "secoid.h"
#include "nssutil.h"
+#include "ecl-curve.h"
#include "pkcs1_vectors.h"
-#ifndef NSS_DISABLE_ECC
-#include "ecl-curve.h"
SECStatus EC_DecodeParams(const SECItem *encodedParams,
ECParams **ecparams);
SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
const ECParams *srcParams);
-#endif
char *progName;
char *testdir = NULL;
#define BLTEST_DEFAULT_CHUNKSIZE 4096
#define WORDSIZE sizeof(unsigned long)
@@ -130,28 +128,24 @@ Usage()
PRINTUSAGE("", "-b", "size of input buffer");
PRINTUSAGE("", "-p", "do performance test");
PRINTUSAGE("", "-4", "run test in multithread mode. th_num number of parallel threads");
PRINTUSAGE("", "-5", "run test for specified time interval(in seconds)");
fprintf(stderr, "\n");
PRINTUSAGE(progName, "-S -m mode", "Sign a buffer");
PRINTUSAGE("", "", "[-i plaintext] [-o signature] [-k key]");
PRINTUSAGE("", "", "[-b bufsize]");
-#ifndef NSS_DISABLE_ECC
PRINTUSAGE("", "", "[-n curvename]");
-#endif
PRINTUSAGE("", "", "[-p repetitions | -5 time_interval] [-4 th_num]");
PRINTUSAGE("", "-m", "cipher mode to use");
PRINTUSAGE("", "-i", "file which contains input buffer");
PRINTUSAGE("", "-o", "file for signature");
PRINTUSAGE("", "-k", "file which contains key");
-#ifndef NSS_DISABLE_ECC
PRINTUSAGE("", "-n", "name of curve for EC key generation; one of:");
PRINTUSAGE("", "", " nistp256, nistp384, nistp521");
-#endif
PRINTUSAGE("", "-p", "do performance test");
PRINTUSAGE("", "-4", "run test in multithread mode. th_num number of parallel threads");
PRINTUSAGE("", "-5", "run test for specified time interval(in seconds)");
fprintf(stderr, "\n");
PRINTUSAGE(progName, "-V -m mode", "Verify a signed buffer");
PRINTUSAGE("", "", "[-i plaintext] [-s signature] [-k key]");
PRINTUSAGE("", "", "[-p repetitions | -5 time_interval] [-4 th_num]");
PRINTUSAGE("", "-m", "cipher mode to use");
@@ -364,17 +358,16 @@ dsakey_from_filedata(PLArenaPool *arena,
{
DSAPrivateKey *key;
key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
key->params.arena = arena;
key_from_filedata(arena, &key->params.prime, 0, 5, filedata);
return key;
}
-#ifndef NSS_DISABLE_ECC
static ECPrivateKey *
eckey_from_filedata(PLArenaPool *arena, SECItem *filedata)
{
ECPrivateKey *key;
SECStatus rv;
ECParams *tmpECParams = NULL;
key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey));
/* read and convert params */
@@ -514,17 +507,16 @@ getECParams(const char *curve)
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
ecparams->data[0] = SEC_ASN1_OBJECT_ID;
ecparams->data[1] = oidData->oid.len;
memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
return ecparams;
}
-#endif /* NSS_DISABLE_ECC */
static void
dump_pqg(PQGParams *pqg)
{
SECU_PrintInteger(stdout, &pqg->prime, "PRIME:", 0);
SECU_PrintInteger(stdout, &pqg->subPrime, "SUBPRIME:", 0);
SECU_PrintInteger(stdout, &pqg->base, "BASE:", 0);
}
@@ -532,32 +524,30 @@ dump_pqg(PQGParams *pqg)
static void
dump_dsakey(DSAPrivateKey *key)
{
dump_pqg(&key->params);
SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
}
-#ifndef NSS_DISABLE_ECC
static void
dump_ecp(ECParams *ecp)
{
/* TODO other fields */
SECU_PrintInteger(stdout, &ecp->base, "BASE POINT:", 0);
}
static void
dump_eckey(ECPrivateKey *key)
{
dump_ecp(&key->ecParams);
SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
}
-#endif
static void
dump_rsakey(RSAPrivateKey *key)
{
SECU_PrintInteger(stdout, &key->version, "VERSION:", 0);
SECU_PrintInteger(stdout, &key->modulus, "MODULUS:", 0);
SECU_PrintInteger(stdout, &key->publicExponent, "PUBLIC EXP:", 0);
SECU_PrintInteger(stdout, &key->privateExponent, "PRIVATE EXP:", 0);
@@ -633,27 +623,25 @@ typedef enum {
bltestCAMELLIA_ECB, /* . */
bltestCAMELLIA_CBC, /* . */
bltestSEED_ECB, /* SEED algorithm */
bltestSEED_CBC, /* SEED algorithm */
bltestCHACHA20, /* ChaCha20 + Poly1305 */
bltestRSA, /* Public Key Ciphers */
bltestRSA_OAEP, /* . (Public Key Enc.) */
bltestRSA_PSS, /* . (Public Key Sig.) */
-#ifndef NSS_DISABLE_ECC
- bltestECDSA, /* . (Public Key Sig.) */
-#endif
- bltestDSA, /* . (Public Key Sig.) */
- bltestMD2, /* Hash algorithms */
- bltestMD5, /* . */
- bltestSHA1, /* . */
- bltestSHA224, /* . */
- bltestSHA256, /* . */
- bltestSHA384, /* . */
- bltestSHA512, /* . */
+ bltestECDSA, /* . (Public Key Sig.) */
+ bltestDSA, /* . (Public Key Sig.) */
+ bltestMD2, /* Hash algorithms */
+ bltestMD5, /* . */
+ bltestSHA1, /* . */
+ bltestSHA224, /* . */
+ bltestSHA256, /* . */
+ bltestSHA384, /* . */
+ bltestSHA512, /* . */
NUMMODES
} bltestCipherMode;
static char *mode_strings[] =
{
"des_ecb",
"des_cbc",
"des3_ecb",
@@ -673,19 +661,17 @@ static char *mode_strings[] =
"camellia_ecb",
"camellia_cbc",
"seed_ecb",
"seed_cbc",
"chacha20_poly1305",
"rsa",
"rsa_oaep",
"rsa_pss",
-#ifndef NSS_DISABLE_ECC
"ecdsa",
-#endif
/*"pqg",*/
"dsa",
"md2",
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
@@ -727,38 +713,34 @@ typedef struct
{
bltestIO pqgdata;
unsigned int keysize;
bltestIO keyseed;
bltestIO sigseed;
PQGParams *pqg;
} bltestDSAParams;
-#ifndef NSS_DISABLE_ECC
typedef struct
{
char *curveName;
bltestIO sigseed;
} bltestECDSAParams;
-#endif
typedef struct
{
bltestIO key;
void *privKey;
void *pubKey;
bltestIO sig; /* if doing verify, the signature (which may come
* from sigfile. */
union {
bltestRSAParams rsa;
bltestDSAParams dsa;
-#ifndef NSS_DISABLE_ECC
bltestECDSAParams ecdsa;
-#endif
} cipherParams;
} bltestAsymKeyParams;
typedef struct
{
bltestIO key; /* unused */
PRBool restart;
} bltestHashParams;
@@ -1305,17 +1287,16 @@ dsa_signDigest(void *cx, SECItem *output
SECStatus
dsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
{
bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
return DSA_VerifyDigest((DSAPublicKey *)params->pubKey, output, input);
}
-#ifndef NSS_DISABLE_ECC
SECStatus
ecdsa_signDigest(void *cx, SECItem *output, const SECItem *input)
{
bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
if (params->cipherParams.ecdsa.sigseed.buf.len > 0) {
return ECDSA_SignDigestWithSeed(
(ECPrivateKey *)params->privKey,
output, input,
@@ -1326,17 +1307,16 @@ ecdsa_signDigest(void *cx, SECItem *outp
}
SECStatus
ecdsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
{
bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
return ECDSA_VerifyDigest((ECPublicKey *)params->pubKey, output, input);
}
-#endif
SECStatus
bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
{
PRIntervalTime time1, time2;
bltestSymmKeyParams *desp = &cipherInfo->params.sk;
int minorMode;
int i;
@@ -1806,17 +1786,16 @@ bltest_dsa_init(bltestCipherInfo *cipher
pubkey->publicValue.len = key->publicValue.len;
pubkey->publicValue.data = key->publicValue.data;
asymk->pubKey = pubkey;
cipherInfo->cipher.pubkeyCipher = dsa_verifyDigest;
}
return SECSuccess;
}
-#ifndef NSS_DISABLE_ECC
SECStatus
bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
{
int i;
ECPrivateKey **dummyKey;
PRIntervalTime time1, time2;
bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
cipherInfo->cx = asymk;
@@ -1872,17 +1851,16 @@ bltest_ecdsa_init(bltestCipherInfo *ciph
pubkey->ecParams.name = key->ecParams.name;
pubkey->publicValue.len = key->publicValue.len;
pubkey->publicValue.data = key->publicValue.data;
asymk->pubKey = pubkey;
cipherInfo->cipher.pubkeyCipher = ecdsa_verifyDigest;
}
return SECSuccess;
}
-#endif
/* XXX unfortunately, this is not defined in blapi.h */
SECStatus
md2_HashBuf(unsigned char *dest, const unsigned char *src, PRUint32 src_length)
{
unsigned int len;
MD2Context *cx = MD2_NewContext();
if (cx == NULL)
@@ -2164,35 +2142,29 @@ SHA512_restart(unsigned char *dest, cons
SHA512_End(cx, dest, &len, MD5_LENGTH);
finish:
SHA512_DestroyContext(cx, PR_TRUE);
return rv;
}
SECStatus
pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
-#ifndef NSS_DISABLE_ECC
int keysize, int exponent, char *curveName)
-#else
- int keysize, int exponent)
-#endif
{
int i;
SECStatus rv = SECSuccess;
bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
bltestRSAParams *rsap;
RSAPrivateKey **rsaKey = NULL;
bltestDSAParams *dsap;
DSAPrivateKey **dsaKey = NULL;
-#ifndef NSS_DISABLE_ECC
SECItem *tmpECParamsDER;
ECParams *tmpECParams = NULL;
SECItem ecSerialize[3];
ECPrivateKey **ecKey = NULL;
-#endif
switch (cipherInfo->mode) {
case bltestRSA:
case bltestRSA_PSS:
case bltestRSA_OAEP:
rsap = &asymk->cipherParams.rsa;
rsaKey = (RSAPrivateKey **)&asymk->privKey;
if (keysize > 0) {
SECItem expitem = { 0, 0, 0 };
@@ -2219,17 +2191,16 @@ pubkeyInitKey(bltestCipherInfo *cipherIn
CHECKERROR(rv, __LINE__);
serialize_key(&(*dsaKey)->params.prime, 5, file);
} else {
setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
*dsaKey = dsakey_from_filedata(cipherInfo->arena, &asymk->key.buf);
dsap->keysize = (*dsaKey)->params.prime.len * 8;
}
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
ecKey = (ECPrivateKey **)&asymk->privKey;
if (curveName != NULL) {
tmpECParamsDER = getECParams(curveName);
rv = SECOID_Init();
CHECKERROR(rv, __LINE__);
rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure;
CHECKERROR(rv, __LINE__);
@@ -2249,17 +2220,16 @@ pubkeyInitKey(bltestCipherInfo *cipherIn
PORT_FreeArena(tmpECParams->arena, PR_TRUE);
rv = SECOID_Shutdown();
CHECKERROR(rv, __LINE__);
} else {
setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
*ecKey = eckey_from_filedata(cipherInfo->arena, &asymk->key.buf);
}
break;
-#endif
default:
return SECFailure;
}
return SECSuccess;
}
SECStatus
cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
@@ -2336,25 +2306,23 @@ cipherInit(bltestCipherInfo *cipherInfo,
break;
case bltestDSA:
if (encrypt) {
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
DSA_MAX_SIGNATURE_LEN);
}
return bltest_dsa_init(cipherInfo, encrypt);
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
if (encrypt) {
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
2 * MAX_ECKEY_LEN);
}
return bltest_ecdsa_init(cipherInfo, encrypt);
break;
-#endif
case bltestMD2:
restart = cipherInfo->params.hash.restart;
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
MD2_LENGTH);
cipherInfo->cipher.hashCipher = (restart) ? md2_restart : md2_HashBuf;
return SECSuccess;
break;
case bltestMD5:
@@ -2639,19 +2607,17 @@ cipherFinish(bltestCipherInfo *cipherInf
case bltestRC5_CBC:
RC5_DestroyContext((RC5Context *)cipherInfo->cx, PR_TRUE);
break;
#endif
case bltestRSA: /* keys are alloc'ed within cipherInfo's arena, */
case bltestRSA_PSS: /* will be freed with it. */
case bltestRSA_OAEP:
case bltestDSA:
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
-#endif
case bltestMD2: /* hash contexts are ephemeral */
case bltestMD5:
case bltestSHA1:
case bltestSHA224:
case bltestSHA256:
case bltestSHA384:
case bltestSHA512:
return SECSuccess;
@@ -2817,28 +2783,26 @@ print_td:
break;
case bltestDSA:
if (td) {
fprintf(stdout, "%8s", "pqg_mod");
} else {
fprintf(stdout, "%8d", info->params.asymk.cipherParams.dsa.keysize);
}
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
if (td) {
fprintf(stdout, "%12s", "ec_curve");
} else {
ECPrivateKey *key = (ECPrivateKey *)info->params.asymk.privKey;
ECCurveName curveName = key->ecParams.name;
fprintf(stdout, "%12s",
ecCurve_map[curveName] ? ecCurve_map[curveName]->text : "Unsupported curve");
}
break;
-#endif
case bltestMD2:
case bltestMD5:
case bltestSHA1:
case bltestSHA256:
case bltestSHA384:
case bltestSHA512:
default:
break;
@@ -3058,29 +3022,27 @@ get_params(PLArenaPool *arena, bltestPar
load_file_data(arena, ¶ms->asymk.cipherParams.dsa.keyseed, filename,
bltestBase64Encoded);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
load_file_data(arena, ¶ms->asymk.cipherParams.dsa.sigseed, filename,
bltestBase64Encoded);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
load_file_data(arena, ¶ms->asymk.sig, filename, bltestBase64Encoded);
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
load_file_data(arena, ¶ms->asymk.key, filename, bltestBase64Encoded);
params->asymk.privKey =
(void *)eckey_from_filedata(arena, ¶ms->asymk.key.buf);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
load_file_data(arena, ¶ms->asymk.cipherParams.ecdsa.sigseed,
filename, bltestBase64Encoded);
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
load_file_data(arena, ¶ms->asymk.sig, filename, bltestBase64Encoded);
break;
-#endif
case bltestMD2:
case bltestMD5:
case bltestSHA1:
case bltestSHA224:
case bltestSHA256:
case bltestSHA384:
case bltestSHA512:
/*params->hash.restart = PR_TRUE;*/
@@ -3292,23 +3254,21 @@ dump_file(bltestCipherMode mode, char *f
get_file_data(filename, &item, PR_TRUE);
pqg = pqg_from_filedata(&item);
dump_pqg(pqg);
#endif
DSAPrivateKey *key;
load_file_data(arena, &keydata, filename, bltestBase64Encoded);
key = dsakey_from_filedata(arena, &keydata.buf);
dump_dsakey(key);
-#ifndef NSS_DISABLE_ECC
} else if (mode == bltestECDSA) {
ECPrivateKey *key;
load_file_data(arena, &keydata, filename, bltestBase64Encoded);
key = eckey_from_filedata(arena, &keydata.buf);
dump_eckey(key);
-#endif
}
PORT_FreeArena(arena, PR_FALSE);
return SECFailure;
}
void
ThreadExecTest(void *data)
{
@@ -3585,19 +3545,17 @@ enum {
opt_SigFile,
opt_KeySize,
opt_Hex,
opt_Input,
opt_PQGFile,
opt_Key,
opt_HexWSpc,
opt_Mode,
-#ifndef NSS_DISABLE_ECC
opt_CurveName,
-#endif
opt_Output,
opt_Repetitions,
opt_ZeroBuf,
opt_Rounds,
opt_Seed,
opt_SigSeedFile,
opt_CXReps,
opt_IV,
@@ -3639,19 +3597,17 @@ static secuCommandFlag bltest_options[]
{ /* opt_SigFile */ 'f', PR_TRUE, 0, PR_FALSE },
{ /* opt_KeySize */ 'g', PR_TRUE, 0, PR_FALSE },
{ /* opt_Hex */ 'h', PR_FALSE, 0, PR_FALSE },
{ /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
{ /* opt_PQGFile */ 'j', PR_TRUE, 0, PR_FALSE },
{ /* opt_Key */ 'k', PR_TRUE, 0, PR_FALSE },
{ /* opt_HexWSpc */ 'l', PR_FALSE, 0, PR_FALSE },
{ /* opt_Mode */ 'm', PR_TRUE, 0, PR_FALSE },
-#ifndef NSS_DISABLE_ECC
{ /* opt_CurveName */ 'n', PR_TRUE, 0, PR_FALSE },
-#endif
{ /* opt_Output */ 'o', PR_TRUE, 0, PR_FALSE },
{ /* opt_Repetitions */ 'p', PR_TRUE, 0, PR_FALSE },
{ /* opt_ZeroBuf */ 'q', PR_FALSE, 0, PR_FALSE },
{ /* opt_Rounds */ 'r', PR_TRUE, 0, PR_FALSE },
{ /* opt_Seed */ 's', PR_TRUE, 0, PR_FALSE },
{ /* opt_SigSeedFile */ 't', PR_TRUE, 0, PR_FALSE },
{ /* opt_CXReps */ 'u', PR_TRUE, 0, PR_FALSE },
{ /* opt_IV */ 'v', PR_TRUE, 0, PR_FALSE },
@@ -3674,19 +3630,17 @@ main(int argc, char **argv)
SECStatus rv = SECFailure;
double totalTime = 0.0;
PRIntervalTime time1, time2;
PRFileDesc *outfile = NULL;
bltestCipherInfo *cipherInfoListHead, *cipherInfo = NULL;
bltestIOMode ioMode;
int bufsize, exponent, curThrdNum;
-#ifndef NSS_DISABLE_ECC
char *curveName = NULL;
-#endif
int i, commandsEntered;
int inoff, outoff;
int threads = 1;
secuCommand bltest;
bltest.numCommands = sizeof(bltest_commands) / sizeof(secuCommandFlag);
bltest.numOptions = sizeof(bltest_options) / sizeof(secuCommandFlag);
bltest.commands = bltest_commands;
@@ -3912,22 +3866,20 @@ main(int argc, char **argv)
: (bltest.options[opt_HexWSpc].activated) ? bltestHexSpaceDelim
: bltestBinary;
if (bltest.options[opt_Exponent].activated)
exponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
else
exponent = 65537;
-#ifndef NSS_DISABLE_ECC
if (bltest.options[opt_CurveName].activated)
curveName = PORT_Strdup(bltest.options[opt_CurveName].arg);
else
curveName = NULL;
-#endif
if (bltest.commands[cmd_Verify].activated &&
!bltest.options[opt_SigFile].activated) {
fprintf(stderr, "%s: You must specify a signature file with -f.\n",
progName);
print_usage:
if (cipherInfo) {
@@ -4003,21 +3955,17 @@ main(int argc, char **argv)
} else {
if (bltest.options[opt_KeySize].activated)
keysize = PORT_Atoi(bltest.options[opt_KeySize].arg);
else
keysize = 64; /* use 512-bit default */
file = PR_Open("tmp.key", PR_WRONLY | PR_CREATE_FILE, 00660);
}
params->key.mode = bltestBase64Encoded;
-#ifndef NSS_DISABLE_ECC
pubkeyInitKey(cipherInfo, file, keysize, exponent, curveName);
-#else
- pubkeyInitKey(cipherInfo, file, keysize, exponent);
-#endif
PR_Close(file);
}
/* set up an initialization vector. */
if (cipher_requires_IV(cipherInfo->mode)) {
char *ivstr = NULL;
bltestSymmKeyParams *skp;
file = NULL;
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -1043,25 +1043,20 @@ PrintSyntax(char *progName)
FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName);
FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
-#ifndef NSS_DISABLE_ECC
FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n",
progName);
-#else
- FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n",
- progName);
-#endif /* NSS_DISABLE_ECC */
FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
progName);
FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
progName);
@@ -1243,36 +1238,28 @@ luG(enum usage_level ul, const char *com
int is_my_command = (command && 0 == strcmp(command, "G"));
if (ul == usage_all || !command || is_my_command)
FPS "%-15s Generate a new key pair\n",
"-G");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
" -k key-type");
FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#else
- FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
- " -k key-type");
- FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
- " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#endif /* NSS_DISABLE_ECC */
FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
" -y exp");
FPS "%-20s Specify the password file\n",
" -f password-file");
FPS "%-20s Specify the noise file to be used\n",
" -z noisefile");
FPS "%-20s read PQG value from pqgfile (dsa only)\n",
" -q pqgfile");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s One of nistp256, nistp384, nistp521, curve25519.\n", "");
FPS "%-20s If a custom token is present, the following curves are also supported:\n", "");
FPS "%-20s sect163k1, nistk163, sect163r1, sect163r2,\n", "");
FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
FPS "%-20s sect283r1, nistb283, sect409k1, nistk409, sect409r1,\n", "");
@@ -1284,17 +1271,16 @@ luG(enum usage_level ul, const char *com
FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
FPS "%-20s c2tnb191v2, c2tnb191v3, \n", "");
FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
FPS "%-20s c2pnb272w1, c2pnb304w1, \n", "");
FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
FPS "%-20s sect131r1, sect131r2\n", "");
-#endif
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "%-20s\n"
"%-20s PKCS #11 key Attributes.\n",
" --keyAttrFlags attrflags", "");
FPS "%-20s Comma separated list of key attribute attribute flags,\n", "");
@@ -1374,19 +1360,17 @@ luK(enum usage_level ul, const char *com
FPS "%-15s List all private keys\n",
"-K");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
" -h token-name ");
FPS "%-20s Key type (\"all\" (default), \"dsa\","
-#ifndef NSS_DISABLE_ECC
" \"ec\","
-#endif
" \"rsa\")\n",
" -k key-type");
FPS "%-20s The nickname of the key or associated certificate\n",
" -n name");
FPS "%-20s Specify the password file\n",
" -f password-file");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
@@ -1519,36 +1503,30 @@ luR(enum usage_level ul, const char *com
FPS "%-15s Generate a certificate request (stdout)\n",
"-R");
if (ul == usage_selected && !is_my_command)
return;
FPS "%-20s Specify the subject name (using RFC1485)\n",
" -s subject");
FPS "%-20s Output the cert request to this file\n",
" -o output-req");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
- FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_DISABLE_ECC */
" -k key-type-or-id");
FPS "%-20s or nickname of the cert key to use \n",
"");
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
-#endif /* NSS_DISABLE_ECC */
FPS "%-20s Specify the password file\n",
" -f pwfile");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
" -p phone");
@@ -1704,34 +1682,28 @@ luS(enum usage_level ul, const char *com
FPS "%-20s Specify the nickname of the cert\n",
" -n key-name");
FPS "%-20s Specify the subject name (using RFC1485)\n",
" -s subject");
FPS "%-20s The nickname of the issuer cert\n",
" -c issuer-name");
FPS "%-20s Set the certificate trust attributes (see -A above)\n",
" -t trustargs");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
- FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_DISABLE_ECC */
" -k key-type-or-id");
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
-#endif /* NSS_DISABLE_ECC */
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
" -w warp-months");
FPS "%-20s Months valid (default is 3)\n",
" -v months-valid");
@@ -2620,22 +2592,20 @@ certutil_main(int argc, char **argv, PRB
if (certutil.options[opt_KeySize].activated) {
keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
PR_fprintf(PR_STDERR,
"%s -g: Keysize must be between %d and %d.\n",
progName, MIN_KEY_BITS, MAX_KEY_BITS);
return 255;
}
-#ifndef NSS_DISABLE_ECC
if (keytype == ecKey) {
PR_fprintf(PR_STDERR, "%s -g: Not for ec keys.\n", progName);
return 255;
}
-#endif /* NSS_DISABLE_ECC */
}
/* -h specify token name */
if (certutil.options[opt_TokenName].activated) {
if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
slotname = NULL;
else
slotname = certutil.options[opt_TokenName].arg;
@@ -2654,20 +2624,18 @@ certutil_main(int argc, char **argv, PRB
/* -k key type */
if (certutil.options[opt_KeyType].activated) {
char *arg = certutil.options[opt_KeyType].arg;
if (PL_strcmp(arg, "rsa") == 0) {
keytype = rsaKey;
} else if (PL_strcmp(arg, "dsa") == 0) {
keytype = dsaKey;
-#ifndef NSS_DISABLE_ECC
} else if (PL_strcmp(arg, "ec") == 0) {
keytype = ecKey;
-#endif /* NSS_DISABLE_ECC */
} else if (PL_strcmp(arg, "all") == 0) {
keytype = nullKey;
} else {
/* use an existing private/public key pair */
keysource = arg;
}
} else if (certutil.commands[cmd_ListKeys].activated) {
keytype = nullKey;
@@ -2710,26 +2678,20 @@ certutil_main(int argc, char **argv, PRB
srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
} else {
Usage(progName);
}
}
/* -q PQG file or curve name */
if (certutil.options[opt_PQGFile].activated) {
-#ifndef NSS_DISABLE_ECC
if ((keytype != dsaKey) && (keytype != ecKey)) {
PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys"
" (-k dsa) or a named curve for EC keys (-k ec)\n)",
progName);
-#else /* } */
- if (keytype != dsaKey) {
- PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
- progName);
-#endif /* NSS_DISABLE_ECC */
return 255;
}
}
/* -s subject name */
if (certutil.options[opt_Subject].activated) {
subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
if (!subject) {
--- a/cmd/certutil/keystuff.c
+++ b/cmd/certutil/keystuff.c
@@ -375,17 +375,16 @@ CERTUTIL_FileForRNG(const char *noise)
PK11_RandomUpdate(buf, count);
}
} while (count > 0);
PR_Close(fd);
return SECSuccess;
}
-#ifndef NSS_DISABLE_ECC
typedef struct curveNameTagPairStr {
char *curveName;
SECOidTag curveOidTag;
} CurveNameTagPair;
static CurveNameTagPair nameTagPair[] =
{
{ "sect163k1", SEC_OID_SECG_EC_SECT163K1 },
@@ -490,28 +489,27 @@ getECParams(const char *curve)
if ((curveOidTag == SEC_OID_UNKNOWN) ||
(oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
return NULL;
}
ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
- /*
+ /*
* ecparams->data needs to contain the ASN encoding of an object ID (OID)
- * representing the named curve. The actual OID is in
+ * representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
ecparams->data[0] = SEC_ASN1_OBJECT_ID;
ecparams->data[1] = oidData->oid.len;
memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
return ecparams;
}
-#endif /* NSS_DISABLE_ECC */
SECKEYPrivateKey *
CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
int publicExponent, const char *noise,
SECKEYPublicKey **pubkeyp, const char *pqgFile,
PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn,
CK_FLAGS opFlagsOff, secuPWData *pwdata)
{
@@ -559,24 +557,22 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
if (dsaparams == NULL)
return NULL;
params = dsaparams;
} else {
/* cast away const, and don't set dsaparams */
params = (void *)&default_pqg_params;
}
break;
-#ifndef NSS_DISABLE_ECC
case ecKey:
mechanism = CKM_EC_KEY_PAIR_GEN;
/* For EC keys, PQGFile determines EC parameters */
if ((params = (void *)getECParams(pqgFile)) == NULL)
return NULL;
break;
-#endif /* NSS_DISABLE_ECC */
default:
return NULL;
}
fprintf(stderr, "\n\n");
fprintf(stderr, "Generating key. This may take a few moments...\n\n");
privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp,
@@ -584,18 +580,16 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
opFlagsOff,
pwdata /*wincx*/);
/* free up the params */
switch (keytype) {
case dsaKey:
if (dsaparams)
CERTUTIL_DestroyParamsPQG(dsaparams);
break;
-#ifndef NSS_DISABLE_ECC
case ecKey:
SECITEM_FreeItem((SECItem *)params, PR_TRUE);
break;
-#endif
default: /* nothing to free */
break;
}
return privKey;
}
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -30,23 +30,21 @@
#undef CK_NEED_ARG_LIST
#undef __PASTE
#define SSL3_RANDOM_LENGTH 32
#if 0
#include "../../lib/freebl/mpi/mpi.h"
#endif
-#ifndef NSS_DISABLE_ECC
extern SECStatus
EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
extern SECStatus
EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
const ECParams *srcParams);
-#endif
#define ENCRYPT 1
#define DECRYPT 0
#define BYTE unsigned char
#define DEFAULT_RSA_PUBLIC_EXPONENT 0x10001
#define RSA_MAX_TEST_MODULUS_BITS 4096
#define RSA_MAX_TEST_MODULUS_BYTES RSA_MAX_TEST_MODULUS_BITS / 8
#define RSA_MAX_TEST_EXPONENT_BYTES 8
@@ -2089,17 +2087,16 @@ get_next_line(FILE *req, char *key, char
} else {
writeto[w++] = c;
}
}
writeto[w] = '\0';
return (c == EOF) ? -1 : ignore;
}
-#ifndef NSS_DISABLE_ECC
typedef struct curveNameTagPairStr {
char *curveName;
SECOidTag curveOidTag;
} CurveNameTagPair;
#define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP192R1
/* #define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP160R1 */
@@ -2953,17 +2950,16 @@ ecdsa_sigver_test(char *reqfn)
}
}
loser:
if (ecpub.ecParams.arena != NULL) {
PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
}
fclose(ecdsareq);
}
-#endif /* NSS_DISABLE_ECC */
PRBool
isblankline(char *b)
{
while (isspace(*b))
b++;
if ((*b == '\n') || (*b == 0)) {
return PR_TRUE;
@@ -6089,17 +6085,16 @@ main(int argc, char **argv)
dsa_pqgver_test(argv[3]);
} else if (strcmp(argv[2], "siggen") == 0) {
/* Signature Generation Test */
dsa_siggen_test(argv[3]);
} else if (strcmp(argv[2], "sigver") == 0) {
/* Signature Verification Test */
dsa_sigver_test(argv[3]);
}
-#ifndef NSS_DISABLE_ECC
/*************/
/* ECDSA */
/*************/
} else if (strcmp(argv[1], "ecdsa") == 0) {
/* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
if (strcmp(argv[2], "keypair") == 0) {
/* Key Pair Generation Test */
ecdsa_keypair_test(argv[3]);
@@ -6108,17 +6103,16 @@ main(int argc, char **argv)
ecdsa_pkv_test(argv[3]);
} else if (strcmp(argv[2], "siggen") == 0) {
/* Signature Generation Test */
ecdsa_siggen_test(argv[3]);
} else if (strcmp(argv[2], "sigver") == 0) {
/* Signature Verification Test */
ecdsa_sigver_test(argv[3]);
}
-#endif /* NSS_DISABLE_ECC */
/*************/
/* RNG */
/*************/
} else if (strcmp(argv[1], "rng") == 0) {
/* argv[2]=vst|mct argv[3]=<test name>.req */
if (strcmp(argv[2], "vst") == 0) {
/* Variable Seed Test */
rng_vst(argv[3]);
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -1404,17 +1404,16 @@ secu_PrintAttribute(FILE *out, SEC_PKCS7
SECU_PrintTimeChoice(out, value, om, level + 1);
break;
}
}
}
}
}
-#ifndef NSS_DISABLE_ECC
static void
secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
{
SECItem curveOID = { siBuffer, NULL, 0 };
SECU_Indent(out, level);
fprintf(out, "%s:\n", m);
SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level + 1);
@@ -1423,17 +1422,16 @@ secu_PrintECPublicKey(FILE *out, SECKEYP
*/
if ((pk->u.ec.DEREncodedParams.len > 2) &&
(pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
curveOID.len = pk->u.ec.DEREncodedParams.data[1];
curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
SECU_PrintObjectID(out, &curveOID, "Curve", level + 1);
}
}
-#endif /* NSS_DISABLE_ECC */
void
SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
{
SECU_Indent(out, level);
fprintf(out, "%s:\n", m);
SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level + 1);
SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level + 1);
@@ -1471,21 +1469,19 @@ secu_PrintSubjectPublicKeyInfo(FILE *out
case rsaKey:
SECU_PrintRSAPublicKey(out, pk, "RSA Public Key", level + 1);
break;
case dsaKey:
SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level + 1);
break;
-#ifndef NSS_DISABLE_ECC
case ecKey:
secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1);
break;
-#endif
case dhKey:
case fortezzaKey:
case keaKey:
SECU_Indent(out, level);
fprintf(out, "unable to format this SPKI algorithm type\n");
goto loser;
default:
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -160,19 +160,17 @@ PrintUsageHeader(const char *progName)
{
fprintf(stderr,
"Usage: %s -n rsa_nickname -p port [-BDENRZbjlmrsuvx] [-w password]\n"
" [-t threads] [-i pid_file] [-c ciphers] [-Y] [-d dbdir] [-g numblocks]\n"
" [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
" [-V [min-version]:[max-version]] [-a sni_name]\n"
" [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
" [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
-#ifndef NSS_DISABLE_ECC
" [-e ec_nickname]"
-#endif /* NSS_DISABLE_ECC */
"\n"
" -U [0|1] -H [0|1|2] -W [0|1]\n"
"\n",
progName);
}
static void
PrintParameterUsage()
@@ -2338,25 +2336,23 @@ main(int argc, char **argv)
case 'c':
cipherString = PORT_Strdup(optstate->value);
break;
case 'd':
dir = optstate->value;
break;
-#ifndef NSS_DISABLE_ECC
case 'e':
if (certNicknameIndex >= MAX_CERT_NICKNAME_ARRAY_INDEX) {
Usage(progName);
break;
}
certNicknameArray[certNicknameIndex++] = PORT_Strdup(optstate->value);
break;
-#endif /* NSS_DISABLE_ECC */
case 'f':
pwdata.source = PW_FROMFILE;
pwdata.data = pwfile = PORT_Strdup(optstate->value);
break;
case 'g':
testBulk = PR_TRUE;
@@ -2676,19 +2672,17 @@ main(int argc, char **argv)
exit(10);
}
privKey[i] = PK11_FindKeyByAnyCert(cert[i], &pwdata);
if (privKey[i] == NULL) {
fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n",
certNicknameArray[i]);
exit(11);
}
-#ifdef NSS_DISABLE_ECC
if (privKey[i]->keyType != ecKey)
-#endif
setupCertStatus(certStatusArena, ocspStaplingMode, cert[i], i, &pwdata);
}
if (configureWeakDHE > 0) {
fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n");
rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
if (rv != SECSuccess) {
goto cleanup;
--- a/coreconf/config.mk
+++ b/coreconf/config.mk
@@ -141,20 +141,16 @@ endif
#######################################################################
-include $(MKDEPENDENCIES)
#######################################################################
# [16.0] Global environ ment defines
#######################################################################
-ifdef NSS_DISABLE_ECC
-DEFINES += -DNSS_DISABLE_ECC
-endif
-
ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
endif
ifdef BUILD_LIBPKIX_TESTS
DEFINES += -DBUILD_LIBPKIX_TESTS
endif
--- a/lib/freebl/ec.c
+++ b/lib/freebl/ec.c
@@ -10,18 +10,16 @@
#include "prerr.h"
#include "secerr.h"
#include "secmpi.h"
#include "secitem.h"
#include "mplogic.h"
#include "ec.h"
#include "ecl.h"
-#ifndef NSS_DISABLE_ECC
-
static const ECMethod kMethods[] = {
{ ECCurve25519,
ec_Curve25519_pt_mul,
ec_Curve25519_pt_validate }
};
static const ECMethod *
ec_get_method_from_name(ECCurveName name)
@@ -178,28 +176,26 @@ cleanup:
mp_clear(&b);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
}
-#endif /* NSS_DISABLE_ECC */
/* Generates a new EC key pair. The private key is a supplied
* value and the public key is the result of performing a scalar
* point multiplication of that value with the curve's base point.
*/
SECStatus
ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
const unsigned char *privKeyBytes, int privKeyLen)
{
SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
PLArenaPool *arena;
ECPrivateKey *key;
mp_int k;
mp_err err = MP_OKAY;
int len;
#if EC_DEBUG
printf("ec_NewKey called\n");
@@ -304,42 +300,34 @@ cleanup:
if (rv) {
PORT_FreeArena(arena, PR_TRUE);
}
#if EC_DEBUG
printf("ec_NewKey returning %s\n",
(rv == SECSuccess) ? "success" : "failure");
#endif
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
return rv;
}
/* Generates a new EC key pair. The private key is a supplied
* random value (in seed) and the public key is the result of
* performing a scalar point multiplication of that value with
* the curve's base point.
*/
SECStatus
EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey,
const unsigned char *seed, int seedlen)
{
SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
rv = ec_NewKey(ecParams, privKey, seed, seedlen);
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
return rv;
}
-#ifndef NSS_DISABLE_ECC
/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
* modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
* random number generator.
*
* Parameters
* - order: a buffer that holds the curve's group order
* - len: the length in octets of the order buffer
*
@@ -386,27 +374,25 @@ cleanup:
rv = SECFailure;
}
if (rv != SECSuccess && privKeyBytes) {
PORT_ZFree(privKeyBytes, 2 * len);
privKeyBytes = NULL;
}
return privKeyBytes;
}
-#endif /* NSS_DISABLE_ECC */
/* Generates a new EC key pair. The private key is a random value and
* the public key is the result of performing a scalar point multiplication
* of that value with the curve's base point.
*/
SECStatus
EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
{
SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
int len;
unsigned char *privKeyBytes = NULL;
if (!ecParams) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -420,33 +406,29 @@ EC_NewKey(ECParams *ecParams, ECPrivateK
cleanup:
if (privKeyBytes) {
PORT_ZFree(privKeyBytes, len);
}
#if EC_DEBUG
printf("EC_NewKey returning %s\n",
(rv == SECSuccess) ? "success" : "failure");
#endif
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
return rv;
}
/* Validates an EC public key as described in Section 5.2.2 of
* X9.62. The ECDH primitive when used without the cofactor does
* not address small subgroup attacks, which may occur when the
* public key is not valid. These attacks can be prevented by
* validating the public key before using ECDH.
*/
SECStatus
EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
{
-#ifndef NSS_DISABLE_ECC
mp_int Px, Py;
ECGroup *group = NULL;
SECStatus rv = SECFailure;
mp_err err = MP_OKAY;
int len;
if (!ecParams || !publicValue || !ecParams->name) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -520,20 +502,16 @@ cleanup:
ECGroup_free(group);
mp_clear(&Px);
mp_clear(&Py);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
return rv;
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- return SECFailure;
-#endif /* NSS_DISABLE_ECC */
}
/*
** Performs an ECDH key derivation by computing the scalar point
** multiplication of privateValue and publicValue (with or without the
** cofactor) and returns the x-coordinate of the resulting elliptic
** curve point in derived secret. If successful, derivedSecret->data
** is set to the address of the newly allocated buffer containing the
@@ -544,17 +522,16 @@ cleanup:
SECStatus
ECDH_Derive(SECItem *publicValue,
ECParams *ecParams,
SECItem *privateValue,
PRBool withCofactor,
SECItem *derivedSecret)
{
SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
unsigned int len = 0;
SECItem pointQ = { siBuffer, NULL, 0 };
mp_int k; /* to hold the private value */
mp_int cofactor;
mp_err err = MP_OKAY;
#if EC_DEBUG
int i;
#endif
@@ -649,33 +626,29 @@ cleanup:
if (err) {
MP_TO_SEC_ERROR(err);
}
if (pointQ.data) {
PORT_ZFree(pointQ.data, pointQ.len);
}
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
return rv;
}
/* Computes the ECDSA signature (a concatenation of two values r and s)
* on the digest using the given key and the random value kb (used in
* computing s).
*/
SECStatus
ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
const SECItem *digest, const unsigned char *kb, const int kblen)
{
SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
mp_int x1;
mp_int d, k; /* private key, random integer */
mp_int r, s; /* tuple (r, s) is the signature */
mp_int t; /* holding tmp values */
mp_int n;
mp_err err = MP_OKAY;
ECParams *ecParams = NULL;
SECItem kGpoint = { siBuffer, NULL, 0 };
@@ -894,32 +867,28 @@ cleanup:
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
#if EC_DEBUG
printf("ECDSA signing with seed %s\n",
(rv == SECSuccess) ? "succeeded" : "failed");
#endif
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
return rv;
}
/*
** Computes the ECDSA signature on the digest using the given key
** and a random seed.
*/
SECStatus
ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
{
SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
int len;
unsigned char *kBytes = NULL;
if (!key) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -936,19 +905,16 @@ cleanup:
if (kBytes) {
PORT_ZFree(kBytes, len);
}
#if EC_DEBUG
printf("ECDSA signing %s\n",
(rv == SECSuccess) ? "succeeded" : "failed");
#endif
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
return rv;
}
/*
** Checks the signature on the given digest using the key provided.
**
** The key argument must represent a valid EC public key (a point on
@@ -956,17 +922,16 @@ cleanup:
** of this function is undefined. In cases where a public key might
** not be valid, use EC_ValidatePublicKey to check.
*/
SECStatus
ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
const SECItem *digest)
{
SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
mp_int r_, s_; /* tuple (r', s') is received signature) */
mp_int c, u1, u2, v; /* intermediate values used in verification */
mp_int x1;
mp_int n;
mp_err err = MP_OKAY;
ECParams *ecParams = NULL;
SECItem pointC = { siBuffer, NULL, 0 };
int slen; /* length in bytes of a half signature (r or s) */
@@ -1156,14 +1121,11 @@ cleanup:
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
#if EC_DEBUG
printf("ECDSA verification %s\n",
(rv == SECSuccess) ? "succeeded" : "failed");
#endif
-#else
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
return rv;
}
--- a/lib/freebl/ecdecode.c
+++ b/lib/freebl/ecdecode.c
@@ -1,14 +1,12 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#ifndef NSS_DISABLE_ECC
-
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
#include "blapi.h"
#include "secoid.h"
#include "secitem.h"
#include "secerr.h"
@@ -247,10 +245,8 @@ EC_GetPointSize(const ECParams *params)
return sizeInBytes * 2 + 1;
}
if (name == ECCurve25519) {
/* Only X here */
return curveParams->scalarSize;
}
return curveParams->pointSize - 1;
}
-
-#endif /* NSS_DISABLE_ECC */
--- a/lib/freebl/manifest.mn
+++ b/lib/freebl/manifest.mn
@@ -98,24 +98,20 @@ PRIVATE_EXPORTS = \
eclt.h \
$(NULL)
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c
ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h
-ifndef NSS_DISABLE_ECC
ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \
ecp_aff.c ecp_jac.c ecp_mont.c \
ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \
ecp_256_32.c ecp_25519.c
-else
-ECL_SRCS = $(NULL)
-endif
SHA_SRCS = sha_fast.c
MPCPU_SRCS = mpcpucache.c
VERIFIED_SRCS = $(NULL)
CSRCS = \
freeblver.c \
ldvector.c \
sysrand.c \
--- a/lib/pk11wrap/pk11pk12.c
+++ b/lib/pk11wrap/pk11pk12.c
@@ -148,17 +148,16 @@ const SEC_ASN1Template SECKEY_DSAPrivate
};
const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.privateValue) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.base) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.prime) },
};
-#ifndef NSS_DISABLE_ECC
SEC_ASN1_MKSUB(SEC_BitStringTemplate)
SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
const SEC_ASN1Template SECKEY_ECPrivateKeyExportTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) },
{ SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.ec.version) },
{ SEC_ASN1_OCTET_STRING,
offsetof(SECKEYRawPrivateKey, u.ec.privateValue) },
@@ -173,17 +172,16 @@ const SEC_ASN1Template SECKEY_ECPrivateK
* can't do scalar mult on ECs to get a raw point with PK11 APIs. */
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
SEC_ASN1_XTRN | 1,
offsetof(SECKEYRawPrivateKey, u.ec.publicValue),
SEC_ASN1_SUB(SEC_BitStringTemplate) },
{ 0 }
};
-#endif /* NSS_DISABLE_ECC */
const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
offsetof(SECKEYEncryptedPrivateKeyInfo, algorithm),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
{ SEC_ASN1_OCTET_STRING,
@@ -477,17 +475,16 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
attrs++;
PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dh.base.data,
lpk->u.dh.base.len);
attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dh.privateValue.data,
lpk->u.dh.privateValue.len);
attrs++;
break;
-#ifndef NSS_DISABLE_ECC
case ecKey:
keyType = CKK_EC;
if (lpk->u.ec.publicValue.len == 0) {
goto loser;
}
if (PK11_IsInternal(slot)) {
PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
lpk->u.ec.publicValue.data,
@@ -520,17 +517,16 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
attrs++;
PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.ec.privateValue.data,
lpk->u.ec.privateValue.len);
attrs++;
PK11_SETATTRS(attrs, CKA_EC_POINT, lpk->u.ec.publicValue.data,
lpk->u.ec.publicValue.len);
attrs++;
break;
-#endif /* NSS_DISABLE_ECC */
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
goto loser;
}
templateCount = attrs - theTemplate;
PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
PORT_Assert(signedattr != NULL);
signedcount = attrs - signedattr;
@@ -601,25 +597,23 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK
goto loser;
}
prepare_dh_priv_key_export_for_asn1(lpk);
keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
paramTemplate = NULL;
paramDest = NULL;
lpk->keyType = dhKey;
break;
-#ifndef NSS_DISABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
prepare_ec_priv_key_export_for_asn1(lpk);
keyTemplate = SECKEY_ECPrivateKeyExportTemplate;
paramTemplate = NULL;
paramDest = NULL;
lpk->keyType = ecKey;
break;
-#endif /* NSS_DISABLE_ECC */
default:
keyTemplate = NULL;
paramTemplate = NULL;
paramDest = NULL;
break;
}
@@ -628,29 +622,27 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK
}
/* decode the private key and any algorithm parameters */
rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
if (rv != SECSuccess) {
goto loser;
}
-#ifndef NSS_DISABLE_ECC
if (lpk->keyType == ecKey) {
/* Convert length in bits to length in bytes. */
lpk->u.ec.publicValue.len >>= 3;
/* Always override curveOID, we're ignoring any given value. */
rv = SECITEM_CopyItem(arena, &lpk->u.ec.curveOID,
&pki->algorithm.parameters);
if (rv != SECSuccess) {
goto loser;
}
}
-#endif /* NSS_DISABLE_ECC */
if (paramDest && paramTemplate) {
rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
&(pki->algorithm.parameters));
if (rv != SECSuccess) {
goto loser;
}
}
--- a/lib/softoken/legacydb/keydb.c
+++ b/lib/softoken/legacydb/keydb.c
@@ -1132,22 +1132,20 @@ nsslowkey_KeyForCertExists(NSSLOWKEYDBHa
case NSSLOWKEYDSAKey:
namekey.data = pubkey->u.dsa.publicValue.data;
namekey.size = pubkey->u.dsa.publicValue.len;
break;
case NSSLOWKEYDHKey:
namekey.data = pubkey->u.dh.publicValue.data;
namekey.size = pubkey->u.dh.publicValue.len;
break;
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
namekey.data = pubkey->u.ec.publicValue.data;
namekey.size = pubkey->u.ec.publicValue.len;
break;
-#endif /* NSS_DISABLE_ECC */
default:
/* XXX We don't do Fortezza or DH yet. */
return PR_FALSE;
}
if (handle->version != 3) {
unsigned char buf[SHA1_LENGTH];
SHA1_HashBuf(buf, namekey.data, namekey.size);
@@ -1462,22 +1460,20 @@ seckey_encrypt_private_key(PLArenaPool *
SDB *sdbpw, SECItem *result)
{
NSSLOWKEYPrivateKeyInfo *pki = NULL;
SECStatus rv = SECFailure;
PLArenaPool *temparena = NULL;
SECItem *der_item = NULL;
SECItem *cipherText = NULL;
SECItem *dummy = NULL;
-#ifndef NSS_DISABLE_ECC
#ifdef EC_DEBUG
SECItem *fordebug = NULL;
#endif
int savelen;
-#endif
temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
if (temparena == NULL)
goto loser;
/* allocate structures */
pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena,
sizeof(NSSLOWKEYPrivateKeyInfo));
@@ -1543,17 +1539,16 @@ seckey_encrypt_private_key(PLArenaPool *
}
rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
if (rv == SECFailure) {
goto loser;
}
break;
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
lg_prepare_low_ec_priv_key_for_asn1(pk);
/* Public value is encoded as a bit string so adjust length
* to be in bits before ASN encoding and readjust
* immediately after.
*
* Since the SECG specification recommends not including the
* parameters as part of ECPrivateKey, we zero out the curveOID
@@ -1584,17 +1579,16 @@ seckey_encrypt_private_key(PLArenaPool *
#ifdef EC_DEBUG
fordebug = &(pki->privateKey);
SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey",
pk->keyType, fordebug);
#endif
break;
-#endif /* NSS_DISABLE_ECC */
default:
/* We don't support DH or Fortezza private keys yet */
PORT_Assert(PR_FALSE);
break;
}
/* setup encrypted private key info */
dummy = SEC_ASN1EncodeItem(temparena, der_item, pki,
@@ -1804,17 +1798,16 @@ seckey_decrypt_private_key(SECItem *epki
lg_prepare_low_dh_priv_key_for_asn1(pk);
if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
&pki->privateKey))
break;
rv = SEC_QuickDERDecodeItem(permarena, pk,
lg_nsslowkey_DHPrivateKeyTemplate,
&newPrivateKey);
break;
-#ifndef NSS_DISABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
pk->keyType = NSSLOWKEYECKey;
lg_prepare_low_ec_priv_key_for_asn1(pk);
#ifdef EC_DEBUG
fordebug = &pki->privateKey;
SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey",
pk->keyType, fordebug);
@@ -1844,17 +1837,16 @@ seckey_decrypt_private_key(SECItem *epki
if (rv != SECSuccess)
goto loser;
if (pk->u.ec.publicValue.len != 0) {
pk->u.ec.publicValue.len >>= 3;
}
break;
-#endif /* NSS_DISABLE_ECC */
default:
rv = SECFailure;
break;
}
} else if (PORT_GetError() == SEC_ERROR_BAD_DER) {
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
goto loser;
}
--- a/lib/softoken/legacydb/lgattr.c
+++ b/lib/softoken/legacydb/lgattr.c
@@ -416,21 +416,19 @@ lg_GetPubItem(NSSLOWKEYPublicKey *pubKey
pubItem = &pubKey->u.rsa.modulus;
break;
case NSSLOWKEYDSAKey:
pubItem = &pubKey->u.dsa.publicValue;
break;
case NSSLOWKEYDHKey:
pubItem = &pubKey->u.dh.publicValue;
break;
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
pubItem = &pubKey->u.ec.publicValue;
break;
-#endif /* NSS_DISABLE_ECC */
default:
break;
}
return pubItem;
}
static CK_RV
lg_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
@@ -539,17 +537,16 @@ lg_FindDHPublicKeyAttribute(NSSLOWKEYPub
return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data,
key->u.dh.base.len);
default:
break;
}
return lg_invalidAttribute(attribute);
}
-#ifndef NSS_DISABLE_ECC
static CK_RV
lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *attribute)
{
unsigned char hash[SHA1_LENGTH];
CK_KEY_TYPE keyType = CKK_EC;
switch (type) {
@@ -589,17 +586,16 @@ lg_FindECPublicKeyAttribute(NSSLOWKEYPub
SECITEM_FreeItem(pubValue, PR_TRUE);
return crv;
}
default:
break;
}
return lg_invalidAttribute(attribute);
}
-#endif /* NSS_DISABLE_ECC */
static CK_RV
lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *attribute)
{
NSSLOWKEYPublicKey *key;
CK_RV crv;
char *label;
@@ -640,20 +636,18 @@ lg_FindPublicKeyAttribute(LGObjectCache
switch (key->keyType) {
case NSSLOWKEYRSAKey:
return lg_FindRSAPublicKeyAttribute(key, type, attribute);
case NSSLOWKEYDSAKey:
return lg_FindDSAPublicKeyAttribute(key, type, attribute);
case NSSLOWKEYDHKey:
return lg_FindDHPublicKeyAttribute(key, type, attribute);
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
return lg_FindECPublicKeyAttribute(key, type, attribute);
-#endif /* NSS_DISABLE_ECC */
default:
break;
}
return lg_invalidAttribute(attribute);
}
static CK_RV
@@ -930,17 +924,16 @@ lg_FindDHPrivateKeyAttribute(NSSLOWKEYPr
key->u.dh.publicValue.data,
key->u.dh.publicValue.len);
default:
break;
}
return lg_invalidAttribute(attribute);
}
-#ifndef NSS_DISABLE_ECC
static CK_RV
lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *attribute, SDB *sdbpw)
{
unsigned char hash[SHA1_LENGTH];
CK_KEY_TYPE keyType = CKK_EC;
switch (type) {
@@ -968,17 +961,16 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPr
return lg_CopyAttributeSigned(attribute, type,
key->u.ec.publicValue.data,
key->u.ec.publicValue.len);
default:
break;
}
return lg_invalidAttribute(attribute);
}
-#endif /* NSS_DISABLE_ECC */
static CK_RV
lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
CK_ATTRIBUTE *attribute)
{
NSSLOWKEYPrivateKey *key;
char *label;
CK_RV crv;
@@ -1015,20 +1007,18 @@ lg_FindPrivateKeyAttribute(LGObjectCache
}
switch (key->keyType) {
case NSSLOWKEYRSAKey:
return lg_FindRSAPrivateKeyAttribute(key, type, attribute, obj->sdb);
case NSSLOWKEYDSAKey:
return lg_FindDSAPrivateKeyAttribute(key, type, attribute, obj->sdb);
case NSSLOWKEYDHKey:
return lg_FindDHPrivateKeyAttribute(key, type, attribute, obj->sdb);
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
return lg_FindECPrivateKeyAttribute(key, type, attribute, obj->sdb);
-#endif /* NSS_DISABLE_ECC */
default:
break;
}
return lg_invalidAttribute(attribute);
}
static CK_RV
--- a/lib/softoken/legacydb/lgcreate.c
+++ b/lib/softoken/legacydb/lgcreate.c
@@ -393,44 +393,39 @@ static CK_RV
lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
{
CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
CK_RV crv = CKR_OK;
NSSLOWKEYPrivateKey *priv;
SECItem pubKeySpace = { siBuffer, NULL, 0 };
SECItem *pubKey;
-#ifndef NSS_DISABLE_ECC
SECItem pubKey2Space = { siBuffer, NULL, 0 };
PLArenaPool *arena = NULL;
-#endif /* NSS_DISABLE_ECC */
NSSLOWKEYDBHandle *keyHandle = NULL;
switch (key_type) {
case CKK_RSA:
pubKeyAttr = CKA_MODULUS;
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
pubKeyAttr = CKA_EC_POINT;
break;
-#endif /* NSS_DISABLE_ECC */
case CKK_DSA:
case CKK_DH:
break;
default:
return CKR_ATTRIBUTE_VALUE_INVALID;
}
pubKey = &pubKeySpace;
crv = lg_Attribute2SSecItem(NULL, pubKeyAttr, templ, count, pubKey);
if (crv != CKR_OK)
return crv;
-#ifndef NSS_DISABLE_ECC
if (key_type == CKK_EC) {
SECStatus rv;
/*
* for ECC, use the decoded key first.
*/
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
crv = CKR_HOST_MEMORY;
@@ -443,17 +438,16 @@ lg_createPublicKeyObject(SDB *sdb, CK_KE
/* decode didn't work, just try the pubKey */
PORT_FreeArena(arena, PR_FALSE);
arena = NULL;
} else {
/* try the decoded pub key first */
pubKey = &pubKey2Space;
}
}
-#endif /* NSS_DISABLE_ECC */
PORT_Assert(pubKey->data);
if (pubKey->data == NULL) {
crv = CKR_ATTRIBUTE_VALUE_INVALID;
goto done;
}
keyHandle = lg_getKeyDB(sdb);
if (keyHandle == NULL) {
@@ -464,41 +458,38 @@ lg_createPublicKeyObject(SDB *sdb, CK_KE
unsigned char buf[SHA1_LENGTH];
SHA1_HashBuf(buf, pubKey->data, pubKey->len);
PORT_Memcpy(pubKey->data, buf, sizeof(buf));
pubKey->len = sizeof(buf);
}
/* make sure the associated private key already exists */
/* only works if we are logged in */
priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey, sdb /*password*/);
-#ifndef NSS_DISABLE_ECC
if (priv == NULL && pubKey == &pubKey2Space) {
/* no match on the decoded key, match the original pubkey */
pubKey = &pubKeySpace;
priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey,
sdb /*password*/);
}
-#endif
if (priv == NULL) {
/* the legacy database can only 'store' public keys which already
* have their corresponding private keys in the database */
crv = CKR_ATTRIBUTE_VALUE_INVALID;
goto done;
}
lg_nsslowkey_DestroyPrivateKey(priv);
crv = CKR_OK;
*handle = lg_mkHandle(sdb, pubKey, LG_TOKEN_TYPE_PUB);
done:
PORT_Free(pubKeySpace.data);
-#ifndef NSS_DISABLE_ECC
- if (arena)
+ if (arena) {
PORT_FreeArena(arena, PR_FALSE);
-#endif
+ }
return crv;
}
/* make a private key from a verified object */
static NSSLOWKEYPrivateKey *
lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
CK_KEY_TYPE key_type, CK_RV *crvp)
@@ -608,17 +599,16 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUT
if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB, templ, count,
&privKey->u.dh.publicValue);
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
}
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS, templ, count,
&privKey->u.ec.ecParams.DEREncoding);
if (crv != CKR_OK)
break;
/* Fill out the rest of the ecParams structure
@@ -641,17 +631,16 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUT
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
}
rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
if (rv != SECSuccess)
crv = CKR_HOST_MEMORY;
break;
-#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
*crvp = crv;
if (crv != CKR_OK) {
PORT_FreeArena(arena, PR_FALSE);
--- a/lib/softoken/legacydb/lowcert.c
+++ b/lib/softoken/legacydb/lowcert.c
@@ -818,17 +818,16 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCe
case SEC_OID_X942_DIFFIE_HELMAN_KEY:
pubk->keyType = NSSLOWKEYDHKey;
prepare_low_dh_pub_key_for_asn1(pubk);
rv = SEC_QuickDERDecodeItem(arena, pubk,
nsslowcert_DHPublicKeyTemplate, &os);
if (rv == SECSuccess)
return pubk;
break;
-#ifndef NSS_DISABLE_ECC
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
pubk->keyType = NSSLOWKEYECKey;
/* Since PKCS#11 directly takes the DER encoding of EC params
* and public value, we don't need any decoding here.
*/
rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding,
&spki.algorithm.parameters);
if (rv != SECSuccess)
@@ -840,17 +839,16 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCe
if (LGEC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding,
&pubk->u.ec.ecParams) != SECSuccess)
break;
rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os);
if (rv == SECSuccess)
return pubk;
break;
-#endif /* NSS_DISABLE_ECC */
default:
rv = SECFailure;
break;
}
lg_nsslowkey_DestroyPublicKey(pubk);
return NULL;
}
--- a/lib/softoken/legacydb/lowkey.c
+++ b/lib/softoken/legacydb/lowkey.c
@@ -94,18 +94,16 @@ const SEC_ASN1Template lg_nsslowkey_DHPr
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) },
{ 0 }
};
-#ifndef NSS_DISABLE_ECC
-
/* NOTE: The SECG specification allows the private key structure
* to contain curve parameters but recommends that they be stored
* in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
* instead.
*/
const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) },
@@ -188,17 +186,16 @@ LGEC_CopyParams(PLArenaPool *arena, ECPa
goto loser;
}
return SECSuccess;
loser:
return SECFailure;
}
-#endif /* NSS_DISABLE_ECC */
/*
* See bugzilla bug 125359
* Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
* all of the templates above that en/decode into integers must be converted
* from ASN.1's signed integer type. This is done by marking either the
* source or destination (encoding or decoding, respectively) type as
* siUnsignedInteger.
*/
@@ -238,34 +235,32 @@ void
lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
{
key->u.dh.prime.type = siUnsignedInteger;
key->u.dh.base.type = siUnsignedInteger;
key->u.dh.publicValue.type = siUnsignedInteger;
key->u.dh.privateValue.type = siUnsignedInteger;
}
-#ifndef NSS_DISABLE_ECC
void
lg_prepare_low_ecparams_for_asn1(ECParams *params)
{
params->DEREncoding.type = siUnsignedInteger;
params->curveOID.type = siUnsignedInteger;
}
void
lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
{
key->u.ec.version.type = siUnsignedInteger;
key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
key->u.ec.privateValue.type = siUnsignedInteger;
key->u.ec.publicValue.type = siUnsignedInteger;
}
-#endif /* NSS_DISABLE_ECC */
void
lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
{
if (privk && privk->arena) {
PORT_FreeArena(privk->arena, PR_TRUE);
}
}
@@ -357,17 +352,16 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKE
if (rv != SECSuccess)
break;
rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
&privk->u.dh.base);
if (rv == SECSuccess)
return pubk;
}
break;
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
sizeof(NSSLOWKEYPublicKey));
if (pubk != NULL) {
SECStatus rv;
pubk->arena = arena;
pubk->keyType = privk->keyType;
@@ -378,17 +372,16 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKE
pubk->u.ec.ecParams.arena = arena;
/* Copy the rest of the params */
rv = LGEC_CopyParams(arena, &(pubk->u.ec.ecParams),
&(privk->u.ec.ecParams));
if (rv == SECSuccess)
return pubk;
}
break;
-#endif /* NSS_DISABLE_ECC */
/* No Fortezza in Low Key implementations (Fortezza keys aren't
* stored in our data base */
default:
break;
}
PORT_FreeArena(arena, PR_FALSE);
return NULL;
--- a/lib/softoken/legacydb/lowkeyi.h
+++ b/lib/softoken/legacydb/lowkeyi.h
@@ -21,20 +21,18 @@ SEC_BEGIN_PROTOS
* from ASN.1's signed integer type. This is done by marking either the
* source or destination (encoding or decoding, respectively) type as
* siUnsignedInteger.
*/
extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params);
extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-#ifndef NSS_DISABLE_ECC
extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void lg_prepare_low_ecparams_for_asn1(ECParams *params);
-#endif /* NSS_DISABLE_ECC */
typedef char *(*NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
/*
** Open a key database.
*/
extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
const char *domain,
@@ -129,23 +127,22 @@ nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWK
extern NSSLOWKEYPrivateKey *
nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus,
SDB *sdb);
extern char *
nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
SECItem *modulus, SDB *sdb);
-#ifndef NSS_DISABLE_ECC
/*
* smaller version of EC_FillParams. In this code, we only need
* oid and DER data.
*/
SECStatus LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
ECParams *params);
/* Copy all of the fields from srcParams into dstParams */
SECStatus LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
const ECParams *srcParams);
-#endif
+
SEC_END_PROTOS
#endif /* _LOWKEYI_H_ */
--- a/lib/softoken/legacydb/lowkeyti.h
+++ b/lib/softoken/legacydb/lowkeyti.h
@@ -37,20 +37,18 @@ typedef struct NSSLOWKEYDBHandleStr NSSL
** Typedef for callback to get a password "key".
*/
extern const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[];
extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[];
extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[];
extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[];
extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[];
extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[];
-#ifndef NSS_DISABLE_ECC
#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[];
-#endif /* NSS_DISABLE_ECC */
extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[];
extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
/*
* PKCS #8 attributes
*/
struct NSSLOWKEYAttributeStr {
--- a/lib/softoken/lowkey.c
+++ b/lib/softoken/lowkey.c
@@ -3,20 +3,17 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "lowkeyi.h"
#include "secoid.h"
#include "secitem.h"
#include "secder.h"
#include "base64.h"
#include "secasn1.h"
#include "secerr.h"
-
-#ifndef NSS_DISABLE_ECC
#include "softoken.h"
-#endif
SEC_ASN1_MKSUB(SEC_AnyTemplate)
SEC_ASN1_MKSUB(SEC_BitStringTemplate)
SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
{ SEC_ASN1_SEQUENCE,
@@ -85,18 +82,16 @@ const SEC_ASN1Template nsslowkey_DHPriva
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) },
{ 0 }
};
-#ifndef NSS_DISABLE_ECC
-
/* NOTE: The SECG specification allows the private key structure
* to contain curve parameters but recommends that they be stored
* in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
* instead.
*/
const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
{ SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) },
@@ -112,17 +107,16 @@ const SEC_ASN1Template nsslowkey_ECPriva
SEC_ASN1_SUB(SEC_ObjectIDTemplate) },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
SEC_ASN1_XTRN | 1,
offsetof(NSSLOWKEYPrivateKey, u.ec.publicValue),
SEC_ASN1_SUB(SEC_BitStringTemplate) },
{ 0 }
};
-#endif /* NSS_DISABLE_ECC */
/*
* See bugzilla bug 125359
* Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
* all of the templates above that en/decode into integers must be converted
* from ASN.1's signed integer type. This is done by marking either the
* source or destination (encoding or decoding, respectively) type as
* siUnsignedInteger.
*/
@@ -168,34 +162,32 @@ void
prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
{
key->u.dh.prime.type = siUnsignedInteger;
key->u.dh.base.type = siUnsignedInteger;
key->u.dh.publicValue.type = siUnsignedInteger;
key->u.dh.privateValue.type = siUnsignedInteger;
}
-#ifndef NSS_DISABLE_ECC
void
prepare_low_ecparams_for_asn1(ECParams *params)
{
params->DEREncoding.type = siUnsignedInteger;
params->curveOID.type = siUnsignedInteger;
}
void
prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
{
key->u.ec.version.type = siUnsignedInteger;
key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
key->u.ec.privateValue.type = siUnsignedInteger;
key->u.ec.publicValue.type = siUnsignedInteger;
}
-#endif /* NSS_DISABLE_ECC */
void
nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
{
if (privk && privk->arena) {
PORT_FreeArena(privk->arena, PR_TRUE);
}
}
@@ -320,17 +312,16 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
if (rv != SECSuccess)
break;
rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
&privk->u.dh.base);
if (rv == SECSuccess)
return pubk;
}
break;
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
sizeof(NSSLOWKEYPublicKey));
if (pubk != NULL) {
SECStatus rv;
pubk->arena = arena;
pubk->keyType = privk->keyType;
@@ -341,17 +332,16 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
pubk->u.ec.ecParams.arena = arena;
/* Copy the rest of the params */
rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
&(privk->u.ec.ecParams));
if (rv == SECSuccess)
return pubk;
}
break;
-#endif /* NSS_DISABLE_ECC */
/* No Fortezza in Low Key implementations (Fortezza keys aren't
* stored in our data base */
default:
break;
}
PORT_FreeArena(arena, PR_FALSE);
return NULL;
@@ -458,17 +448,16 @@ nsslowkey_CopyPrivateKey(NSSLOWKEYPrivat
&(privKey->u.dh.prime));
if (rv != SECSuccess)
break;
rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
&(privKey->u.dh.base));
if (rv != SECSuccess)
break;
break;
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
&(privKey->u.ec.version));
if (rv != SECSuccess)
break;
rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
&(privKey->u.ec.publicValue));
if (rv != SECSuccess)
@@ -479,17 +468,16 @@ nsslowkey_CopyPrivateKey(NSSLOWKEYPrivat
break;
returnKey->u.ec.ecParams.arena = poolp;
/* Copy the rest of the params */
rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
&(privKey->u.ec.ecParams));
if (rv != SECSuccess)
break;
break;
-#endif /* NSS_DISABLE_ECC */
default:
rv = SECFailure;
}
loser:
if (rv != SECSuccess) {
PORT_FreeArena(poolp, PR_TRUE);
--- a/lib/softoken/lowkeyi.h
+++ b/lib/softoken/lowkeyi.h
@@ -20,20 +20,18 @@ SEC_BEGIN_PROTOS
* source or destination (encoding or decoding, respectively) type as
* siUnsignedInteger.
*/
extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-#ifndef NSS_DISABLE_ECC
extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
extern void prepare_low_ecparams_for_asn1(ECParams *params);
-#endif /* NSS_DISABLE_ECC */
/*
** Destroy a private key object.
** "key" the object
** "freeit" if PR_TRUE then free the object as well as its sub-objects
*/
extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
--- a/lib/softoken/lowkeyti.h
+++ b/lib/softoken/lowkeyti.h
@@ -15,20 +15,18 @@
** Typedef for callback to get a password "key".
*/
extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
-#ifndef NSS_DISABLE_ECC
#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
-#endif /* NSS_DISABLE_ECC */
extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
/*
* PKCS #8 attributes
*/
struct NSSLOWKEYAttributeStr {
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -277,23 +277,21 @@ static const struct mechanismList mechan
{ CKM_DSA_KEY_PAIR_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
{ CKM_DSA, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
{ CKM_DSA_PARAMETER_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE }, PR_TRUE },
{ CKM_DSA_SHA1, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
/* -------------------- Diffie Hellman Operations --------------------- */
/* no diffie hellman yet */
{ CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
{ CKM_DH_PKCS_DERIVE, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_DERIVE }, PR_TRUE },
-#ifndef NSS_DISABLE_ECC
/* -------------------- Elliptic Curve Operations --------------------- */
{ CKM_EC_KEY_PAIR_GEN, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_GENERATE_KEY_PAIR | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDH1_DERIVE, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_DERIVE | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDSA, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDSA_SHA1, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
-#endif /* NSS_DISABLE_ECC */
/* ------------------------- RC2 Operations --------------------------- */
{ CKM_RC2_KEY_GEN, { 1, 128, CKF_GENERATE }, PR_TRUE },
{ CKM_RC2_ECB, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
{ CKM_RC2_CBC, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
{ CKM_RC2_MAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
{ CKM_RC2_MAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
{ CKM_RC2_CBC_PAD, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
/* ------------------------- RC4 Operations --------------------------- */
@@ -926,31 +924,29 @@ sftk_handlePublicKeyObject(SFTKSession *
return crv;
}
verify = CK_FALSE;
derive = CK_TRUE;
encrypt = CK_FALSE;
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
}
if (!sftk_hasAttribute(object, CKA_EC_POINT)) {
return CKR_TEMPLATE_INCOMPLETE;
}
derive = CK_TRUE; /* for ECDH */
verify = CK_TRUE; /* for ECDSA */
encrypt = CK_FALSE;
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#endif /* NSS_DISABLE_ECC */
default:
return CKR_ATTRIBUTE_VALUE_INVALID;
}
/* make sure the required fields exist */
crv = sftk_defaultAttribute(object, CKA_SUBJECT, NULL, 0);
if (crv != CKR_OK)
return crv;
@@ -1109,30 +1105,28 @@ sftk_handlePrivateKeyObject(SFTKSession
}
if (!sftk_hasAttribute(object, CKA_VALUE)) {
return CKR_TEMPLATE_INCOMPLETE;
}
encrypt = CK_FALSE;
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
}
if (!sftk_hasAttribute(object, CKA_VALUE)) {
return CKR_TEMPLATE_INCOMPLETE;
}
encrypt = CK_FALSE;
sign = CK_TRUE;
recover = CK_FALSE;
wrap = CK_FALSE;
break;
-#endif /* NSS_DISABLE_ECC */
case CKK_NSS_JPAKE_ROUND1:
if (!sftk_hasAttribute(object, CKA_PRIME) ||
!sftk_hasAttribute(object, CKA_SUBPRIME) ||
!sftk_hasAttribute(object, CKA_BASE)) {
return CKR_TEMPLATE_INCOMPLETE;
}
/* fall through */
case CKK_NSS_JPAKE_ROUND2:
@@ -1773,17 +1767,16 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
break;
crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.base,
object, CKA_BASE);
if (crv != CKR_OK)
break;
crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue,
object, CKA_VALUE);
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
pubKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
&pubKey->u.ec.ecParams.DEREncoding,
object, CKA_EC_PARAMS);
if (crv != CKR_OK)
break;
@@ -1832,17 +1825,16 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
}
/* replace our previous with the decoded key */
pubKey->u.ec.publicValue = publicValue;
break;
}
crv = CKR_ATTRIBUTE_VALUE_INVALID;
}
break;
-#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
*crvp = crv;
if (crv != CKR_OK) {
PORT_FreeArena(arena, PR_FALSE);
return NULL;
@@ -1942,17 +1934,16 @@ sftk_mkPrivKey(SFTKObject *object, CK_KE
itemTemplateCount++;
SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
&privKey->u.dh.privateValue, CKA_VALUE);
itemTemplateCount++;
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
&privKey->u.ec.ecParams.DEREncoding,
object, CKA_EC_PARAMS);
if (crv != CKR_OK)
break;
@@ -1987,17 +1978,16 @@ sftk_mkPrivKey(SFTKObject *object, CK_KE
* http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56561
*/
#if defined(__arm__) && !defined(__thumb__) && defined(__GNUC__)
*crvp = CKR_HOST_MEMORY;
break;
#endif
}
break;
-#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (crv == CKR_OK && itemTemplateCount != 0) {
PORT_Assert(itemTemplateCount > 0);
PORT_Assert(itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE);
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -60,30 +60,28 @@ typedef struct {
} SSL3RSAPreMasterSecret;
static void
sftk_Null(void *data, PRBool freeit)
{
return;
}
-#ifndef NSS_DISABLE_ECC
#ifdef EC_DEBUG
#define SEC_PRINT(str1, str2, num, sitem) \
printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
str1, str2, num, sitem->len); \
for (i = 0; i < sitem->len; i++) { \
printf("%02x:", sitem->data[i]); \
} \
printf("\n")
#else
#undef EC_DEBUG
#define SEC_PRINT(a, b, c, d)
#endif
-#endif /* NSS_DISABLE_ECC */
/*
* free routines.... Free local type allocated data, and convert
* other free routines to the destroy signature.
*/
static void
sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
{
@@ -119,17 +117,16 @@ sftk_MapCryptError(int error)
case SEC_ERROR_BAD_SIGNATURE:
return CKR_SIGNATURE_INVALID;
case SEC_ERROR_INVALID_KEY:
return CKR_KEY_SIZE_RANGE;
case SEC_ERROR_BAD_KEY: /* an EC public key that fails validation */
return CKR_KEY_SIZE_RANGE; /* the closest error code */
case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM:
return CKR_TEMPLATE_INCONSISTENT;
- /* EC functions set this error if NSS_DISABLE_ECC is defined */
case SEC_ERROR_UNSUPPORTED_KEYALG:
return CKR_MECHANISM_INVALID;
case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE:
return CKR_DOMAIN_PARAMS_INVALID;
/* key pair generation failed after max number of attempts */
case SEC_ERROR_NEED_RANDOM:
return CKR_FUNCTION_FAILED;
}
@@ -2412,17 +2409,16 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
sftk_fatalError = PR_TRUE;
}
*sigLen = signature.len;
return rv;
}
-#ifndef NSS_DISABLE_ECC
static SECStatus
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
{
SECItem signature, digest;
NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
signature.data = (unsigned char *)sigBuf;
@@ -2447,17 +2443,16 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
digest.len = dataLen;
rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
sftk_fatalError = PR_TRUE;
}
*sigLen = signature.len;
return rv;
}
-#endif /* NSS_DISABLE_ECC */
/* NSC_SignInit setups up the signing operations. There are three basic
* types of signing:
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
* to data in a single Sign operation (which often looks a lot like an
* encrypt, with data coming in and data going out).
* (2) Hash based signing, where we continually hash the data, then apply
* some sort of signature to the end.
@@ -2607,17 +2602,16 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
}
context->cipherInfo = privKey;
context->update = (SFTKCipher)nsc_DSA_Sign_Stub;
context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
context->maxLen = DSA_MAX_SIGNATURE_LEN;
break;
-#ifndef NSS_DISABLE_ECC
case CKM_ECDSA_SHA1:
context->multi = PR_TRUE;
crv = sftk_doSubSHA1(context);
if (crv != CKR_OK)
break;
/* fall through */
case CKM_ECDSA:
if (key_type != CKK_EC) {
@@ -2630,17 +2624,16 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
break;
}
context->cipherInfo = privKey;
context->update = (SFTKCipher)nsc_ECDSASignStub;
context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
context->maxLen = MAX_ECKEY_LEN * 2;
break;
-#endif /* NSS_DISABLE_ECC */
#define INIT_HMAC_MECH(mmm) \
case CKM_##mmm##_HMAC_GENERAL: \
PORT_Assert(pMechanism->pParameter); \
if (!pMechanism->pParameter) { \
crv = CKR_MECHANISM_PARAM_INVALID; \
break; \
} \
@@ -3298,17 +3291,16 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
pubKey = sftk_GetPubKey(key, CKK_DSA, &crv);
if (pubKey == NULL) {
break;
}
context->cipherInfo = pubKey;
context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
context->destroy = sftk_Null;
break;
-#ifndef NSS_DISABLE_ECC
case CKM_ECDSA_SHA1:
context->multi = PR_TRUE;
crv = sftk_doSubSHA1(context);
if (crv != CKR_OK)
break;
/* fall through */
case CKM_ECDSA:
if (key_type != CKK_EC) {
@@ -3319,17 +3311,16 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
if (pubKey == NULL) {
crv = CKR_HOST_MEMORY;
break;
}
context->cipherInfo = pubKey;
context->verify = (SFTKVerify)nsc_ECDSAVerifyStub;
context->destroy = sftk_Null;
break;
-#endif /* NSS_DISABLE_ECC */
INIT_HMAC_MECH(MD2)
INIT_HMAC_MECH(MD5)
INIT_HMAC_MECH(SHA224)
INIT_HMAC_MECH(SHA256)
INIT_HMAC_MECH(SHA384)
INIT_HMAC_MECH(SHA512)
@@ -4619,22 +4610,20 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
signature_length = modulusLen;
mech.mechanism = CKM_RSA_PKCS;
break;
case CKK_DSA:
signature_length = DSA_MAX_SIGNATURE_LEN;
pairwise_digest_length = subPrimeLen;
mech.mechanism = CKM_DSA;
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
signature_length = MAX_ECKEY_LEN * 2;
mech.mechanism = CKM_ECDSA;
break;
-#endif
default:
return CKR_DEVICE_ERROR;
}
/* Allocate space for signature data. */
signature = (unsigned char *)PORT_ZAlloc(signature_length);
if (signature == NULL) {
return CKR_HOST_MEMORY;
@@ -4741,22 +4730,20 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
/* DSA */
PQGParams pqgParam;
DHParams dhParam;
DSAPrivateKey *dsaPriv;
/* Diffie Hellman */
DHPrivateKey *dhPriv;
-#ifndef NSS_DISABLE_ECC
/* Elliptic Curve Cryptography */
SECItem ecEncodedParams; /* DER Encoded parameters */
ECPrivateKey *ecPriv;
ECParams *ecParams;
-#endif /* NSS_DISABLE_ECC */
CHECK_FORK();
if (!slot) {
return CKR_SESSION_HANDLE_INVALID;
}
/*
* now lets create an object to hang the attributes off of
@@ -5092,17 +5079,16 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
crv = sftk_AddAttributeType(privateKey, CKA_VALUE,
sftk_item_expand(&dhPriv->privateValue));
dhgn_done:
/* should zeroize, since this function doesn't. */
PORT_FreeArena(dhPriv->arena, PR_TRUE);
break;
-#ifndef NSS_DISABLE_ECC
case CKM_EC_KEY_PAIR_GEN:
sftk_DeleteAttributeType(privateKey, CKA_EC_PARAMS);
sftk_DeleteAttributeType(privateKey, CKA_VALUE);
sftk_DeleteAttributeType(privateKey, CKA_NETSCAPE_DB);
key_type = CKK_EC;
/* extract the necessary parameters and copy them to private keys */
crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey,
@@ -5161,17 +5147,16 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
goto ecgn_done;
crv = sftk_AddAttributeType(privateKey, CKA_NETSCAPE_DB,
sftk_item_expand(&ecPriv->publicValue));
ecgn_done:
/* should zeroize, since this function doesn't. */
PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
break;
-#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_MECHANISM_INVALID;
}
if (crv != CKR_OK) {
sftk_FreeObject(privateKey);
sftk_FreeObject(publicKey);
@@ -5291,22 +5276,20 @@ sftk_PackagePrivateKey(SFTKObject *key,
NSSLOWKEYPrivateKey *lk = NULL;
NSSLOWKEYPrivateKeyInfo *pki = NULL;
SFTKAttribute *attribute = NULL;
PLArenaPool *arena = NULL;
SECOidTag algorithm = SEC_OID_UNKNOWN;
void *dummy, *param = NULL;
SECStatus rv = SECSuccess;
SECItem *encodedKey = NULL;
-#ifndef NSS_DISABLE_ECC
#ifdef EC_DEBUG
SECItem *fordebug;
#endif
int savelen;
-#endif
if (!key) {
*crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
return NULL;
}
attribute = sftk_FindAttribute(key, CKA_KEY_TYPE);
if (!attribute) {
@@ -5348,17 +5331,16 @@ sftk_PackagePrivateKey(SFTKObject *key,
prepare_low_dsa_priv_key_export_for_asn1(lk);
dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
nsslowkey_DSAPrivateKeyExportTemplate);
prepare_low_pqg_params_for_asn1(&lk->u.dsa.params);
param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
nsslowkey_PQGParamsTemplate);
algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
break;
-#ifndef NSS_DISABLE_ECC
case NSSLOWKEYECKey:
prepare_low_ec_priv_key_for_asn1(lk);
/* Public value is encoded as a bit string so adjust length
* to be in bits before ASN encoding and readjust
* immediately after.
*
* Since the SECG specification recommends not including the
* parameters as part of ECPrivateKey, we zero out the curveOID
@@ -5377,17 +5359,16 @@ sftk_PackagePrivateKey(SFTKObject *key,
SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
fordebug);
#endif
param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
break;
-#endif /* NSS_DISABLE_ECC */
case NSSLOWKEYDHKey:
default:
dummy = NULL;
break;
}
if (!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) {
*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
@@ -5636,53 +5617,49 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
case SEC_OID_ANSIX9_DSA_SIGNATURE:
keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
paramTemplate = nsslowkey_PQGParamsTemplate;
paramDest = &(lpk->u.dsa.params);
lpk->keyType = NSSLOWKEYDSAKey;
prepare_low_dsa_priv_key_export_for_asn1(lpk);
prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
break;
-/* case NSSLOWKEYDHKey: */
-#ifndef NSS_DISABLE_ECC
+ /* case NSSLOWKEYDHKey: */
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
keyTemplate = nsslowkey_ECPrivateKeyTemplate;
paramTemplate = NULL;
paramDest = &(lpk->u.ec.ecParams.DEREncoding);
lpk->keyType = NSSLOWKEYECKey;
prepare_low_ec_priv_key_for_asn1(lpk);
prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
break;
-#endif /* NSS_DISABLE_ECC */
default:
keyTemplate = NULL;
paramTemplate = NULL;
paramDest = NULL;
break;
}
if (!keyTemplate) {
goto loser;
}
/* decode the private key and any algorithm parameters */
rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
-#ifndef NSS_DISABLE_ECC
if (lpk->keyType == NSSLOWKEYECKey) {
/* convert length in bits to length in bytes */
lpk->u.ec.publicValue.len >>= 3;
rv = SECITEM_CopyItem(arena,
&(lpk->u.ec.ecParams.DEREncoding),
&(pki->algorithm.parameters));
if (rv != SECSuccess) {
goto loser;
}
}
-#endif /* NSS_DISABLE_ECC */
if (rv != SECSuccess) {
goto loser;
}
if (paramDest && paramTemplate) {
rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate,
&(pki->algorithm.parameters));
if (rv != SECSuccess) {
@@ -5785,18 +5762,17 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
break;
#ifdef notdef
case NSSLOWKEYDHKey:
template = dhTemplate;
templateCount = sizeof(dhTemplate) / sizeof(CK_ATTRIBUTE);
keyType = CKK_DH;
break;
#endif
-/* what about fortezza??? */
-#ifndef NSS_DISABLE_ECC
+ /* what about fortezza??? */
case NSSLOWKEYECKey:
keyType = CKK_EC;
crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
if (crv != CKR_OK)
break;
crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
sizeof(keyType));
if (crv != CKR_OK)
@@ -5818,17 +5794,16 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
if (crv != CKR_OK)
break;
crv = sftk_AddAttributeType(key, CKA_VALUE,
sftk_item_expand(&lpk->u.ec.privateValue));
if (crv != CKR_OK)
break;
/* XXX Do we need to decode the EC Params here ?? */
break;
-#endif /* NSS_DISABLE_ECC */
default:
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
loser:
if (lpk) {
nsslowkey_DestroyPrivateKey(lpk);
@@ -6148,17 +6123,16 @@ sftk_MapKeySize(CK_KEY_TYPE keyType)
return 24;
/* IDEA and CAST need to be added */
default:
break;
}
return 0;
}
-#ifndef NSS_DISABLE_ECC
/* Inputs:
* key_len: Length of derived key to be generated.
* SharedSecret: a shared secret that is the output of a key agreement primitive.
* SharedInfo: (Optional) some data shared by the entities computing the secret key.
* SharedInfoLen: the length in octets of SharedInfo
* Hash: The hash function to be used in the KDF
* HashLen: the length in octets of the output of Hash
* Output:
@@ -6261,17 +6235,16 @@ sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_UL
return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
SharedInfoLen, SHA384_HashBuf, SHA384_LENGTH);
else if (kdf == CKD_SHA512_KDF)
return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
SharedInfoLen, SHA512_HashBuf, SHA512_LENGTH);
else
return CKR_MECHANISM_INVALID;
}
-#endif /* NSS_DISABLE_ECC */
/*
* SSL Key generation given pre master secret
*/
#define NUM_MIXERS 9
static const char *const mixers[NUM_MIXERS] = {
"A",
"BB",
@@ -7237,17 +7210,16 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
PORT_ZFree(derived.data, derived.len);
} else
crv = CKR_HOST_MEMORY;
break;
}
-#ifndef NSS_DISABLE_ECC
case CKM_ECDH1_DERIVE:
case CKM_ECDH1_COFACTOR_DERIVE: {
SECItem ecScalar, ecPoint;
SECItem tmp;
PRBool withCofactor = PR_FALSE;
unsigned char *secret;
unsigned char *keyData = NULL;
unsigned int secretlen, pubKeyLen;
@@ -7377,17 +7349,16 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
PORT_Free(ecScalar.data);
if (privKey != sourceKey->objectInfo)
nsslowkey_DestroyPrivateKey(privKey);
if (arena) {
PORT_FreeArena(arena, PR_FALSE);
}
break;
}
-#endif /* NSS_DISABLE_ECC */
/* See RFC 5869 and CK_NSS_HKDFParams for documentation. */
case CKM_NSS_HKDF_SHA1:
hashType = HASH_AlgSHA1;
goto hkdf;
case CKM_NSS_HKDF_SHA256:
hashType = HASH_AlgSHA256;
goto hkdf;
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -1256,23 +1256,21 @@ static const CK_ATTRIBUTE_TYPE dsaPubKey
static const CK_ULONG dsaPubKeyAttrsCount =
sizeof(dsaPubKeyAttrs) / sizeof(dsaPubKeyAttrs[0]);
static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = {
CKA_PRIME, CKA_BASE, CKA_VALUE
};
static const CK_ULONG dhPubKeyAttrsCount =
sizeof(dhPubKeyAttrs) / sizeof(dhPubKeyAttrs[0]);
-#ifndef NSS_DISABLE_ECC
static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = {
CKA_EC_PARAMS, CKA_EC_POINT
};
static const CK_ULONG ecPubKeyAttrsCount =
sizeof(ecPubKeyAttrs) / sizeof(ecPubKeyAttrs[0]);
-#endif
static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT,
CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NETSCAPE_DB
};
static const CK_ULONG commonPrivKeyAttrsCount =
sizeof(commonPrivKeyAttrs) / sizeof(commonPrivKeyAttrs[0]);
@@ -1289,23 +1287,21 @@ static const CK_ATTRIBUTE_TYPE dsaPrivKe
static const CK_ULONG dsaPrivKeyAttrsCount =
sizeof(dsaPrivKeyAttrs) / sizeof(dsaPrivKeyAttrs[0]);
static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = {
CKA_PRIME, CKA_BASE, CKA_VALUE
};
static const CK_ULONG dhPrivKeyAttrsCount =
sizeof(dhPrivKeyAttrs) / sizeof(dhPrivKeyAttrs[0]);
-#ifndef NSS_DISABLE_ECC
static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = {
CKA_EC_PARAMS, CKA_VALUE
};
static const CK_ULONG ecPrivKeyAttrsCount =
sizeof(ecPrivKeyAttrs) / sizeof(ecPrivKeyAttrs[0]);
-#endif
static const CK_ATTRIBUTE_TYPE certAttrs[] = {
CKA_CERTIFICATE_TYPE, CKA_VALUE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER
};
static const CK_ULONG certAttrsCount =
sizeof(certAttrs) / sizeof(certAttrs[0]);
static const CK_ATTRIBUTE_TYPE trustAttrs[] = {
@@ -1400,22 +1396,20 @@ stfk_CopyTokenPrivateKey(SFTKObject *des
case CKK_DSA:
crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPrivKeyAttrs,
dsaPrivKeyAttrsCount);
break;
case CKK_DH:
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
dhPrivKeyAttrsCount);
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
ecPrivKeyAttrsCount);
break;
-#endif
default:
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
* of token keys into our database. */
}
fail:
return crv;
}
@@ -1462,22 +1456,20 @@ stfk_CopyTokenPublicKey(SFTKObject *dest
case CKK_DSA:
crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPubKeyAttrs,
dsaPubKeyAttrsCount);
break;
case CKK_DH:
crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
dhPubKeyAttrsCount);
break;
-#ifndef NSS_DISABLE_ECC
case CKK_EC:
crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
ecPubKeyAttrsCount);
break;
-#endif
default:
crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
* of token keys into our database. */
}
fail:
return crv;
}
CK_RV
--- a/lib/softoken/softkver.h
+++ b/lib/softoken/softkver.h
@@ -3,21 +3,17 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _SOFTKVER_H_
#define _SOFTKVER_H_
-#ifndef NSS_DISABLE_ECC
#define SOFTOKEN_ECC_STRING " Basic ECC"
-#else
-#define SOFTOKEN_ECC_STRING ""
-#endif
/*
* Softoken's major version, minor version, patch level, build number,
* and whether this is a beta release.
*
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
--- a/tests/all.sh
+++ b/tests/all.sh
@@ -58,20 +58,16 @@
# HOST - test machine host name
# DOMSUF - test machine domain name
#
# Optional environment variables to specify build to use:
# -------------------------------------------------------
# BUILT_OPT - use optimized/debug build
# USE_64 - use 64bit/32bit build
#
-# Optional environment variables to enable specific NSS features:
-# ---------------------------------------------------------------
-# NSS_DISABLE_ECC - disable ECC
-#
# Optional environment variables to select which cycles/suites to test:
# ---------------------------------------------------------------------
# NSS_CYCLES - list of cycles to run (separated by space
# character)
# - by default all cycles are tested
#
# NSS_TESTS - list of all test suites to run (separated by space
# character, without trailing .sh)
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -41,21 +41,17 @@ cert_init()
cd ../common
. ./init.sh
fi
if [ -z "${IOPR_CERT_SOURCED}" ]; then
. ../iopr/cert_iopr.sh
fi
SCRIPTNAME="cert.sh"
CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- html_head "Certutil and Crlutil Tests with ECC"
- else
- html_head "Certutil and Crlutil Tests"
- fi
+ html_head "Certutil and Crlutil Tests"
LIBDIR="${DIST}/${OBJDIR}/lib"
ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
if [ ! "${ROOTCERTSFILE}" ] ; then
html_failed "Looking for root certs module."
cert_log "ERROR: Root certs module not found."
Exit 5 "Fatal - Root certs module not found."
@@ -295,24 +291,22 @@ cert_create_cert()
CU_ACTION="Import DSA Root CA for $CERTNAME"
certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Import EC Root CA for $CERTNAME"
certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
-d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
- fi
cert_add_cert "$5"
return $?
}
############################# cert_add_cert ############################
# local shell function to add client certs to an existing CERT DB
# generate request
@@ -397,17 +391,16 @@ cert_add_cert()
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
#
# Generate and add EC cert
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CURVE="secp384r1"
CU_ACTION="Generate EC Cert Request for $CERTNAME"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
-z "${R_NOISE_FILE}" -o req 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
@@ -449,17 +442,16 @@ cert_add_cert()
CU_ACTION="Import $CERTNAME's mixed EC Cert"
certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
-f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
if [ "$RET" -ne 0 ]; then
return $RET
fi
cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
- fi
return 0
}
################################# cert_all_CA ################################
# local shell function to build the additional Temp. Certificate Authority (CA)
# used for the "real life" ssl test with 2 different CA's in the
# client and in the server's dir
@@ -516,17 +508,16 @@ cert_all_CA()
rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert
# dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Create EC version of TestCA
CA_CURVE="secp521r1"
ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
#
# Create EC versions of the intermediate CA certs
ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
@@ -541,18 +532,16 @@ cert_all_CA()
ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
# ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last
# in the chain
-
- fi
}
################################# cert_CA ################################
# local shell function to build the Temp. Certificate Authority (CA)
# used for testing purposes, creating a CA Certificate and a root cert
##########################################################################
cert_CA()
{
@@ -827,17 +816,16 @@ cert_smime_client()
CU_ACTION="Import Eve's cert into Alice's DB"
certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
CU_ACTION="Import Eve's cert into Bob's DB"
certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
-i ${R_EVEDIR}/Eve.cert 2>&1
- if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Importing EC Certificates =============================="
CU_ACTION="Import Bob's EC cert into Alice's db"
certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_BOBDIR}/Bob-ec.cert 2>&1
CU_ACTION="Import Dave's EC cert into Alice's DB"
certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
-i ${R_DAVEDIR}/Dave-ec.cert 2>&1
@@ -851,17 +839,16 @@ cert_smime_client()
## inside Eve's ECC and non-ECC certs are different.
# CU_ACTION="Import Eve's EC cert into Alice's DB"
# certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
# CU_ACTION="Import Eve's EC cert into Bob's DB"
# certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
# -i ${R_EVEDIR}/Eve-ec.cert 2>&1
- fi
if [ "$CERTFAILED" != 0 ] ; then
cert_log "ERROR: SMIME failed $RET"
else
cert_log "SUCCESS: SMIME passed"
fi
}
@@ -942,17 +929,16 @@ cert_extended_ssl()
certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
-f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
# CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)"
# certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
# 2>&1
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
EC_CURVE="secp256r1"
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
-z "${R_NOISE_FILE}" -o req 2>&1
@@ -988,17 +974,16 @@ cert_extended_ssl()
CU_ACTION="Import $CERTNAME's mixed EC Cert -t u,u,u (ext)"
certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
-f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
# CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
# certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
# 2>&1
- fi
echo "Importing all the server's own CA chain into the servers DB"
for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
do
N=`basename $CA | sed -e "s/.ca.cert//"`
if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then
T="-t C,C,C"
else
@@ -1077,17 +1062,16 @@ cert_extended_ssl()
# CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)"
# certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
#
# done with mixed DSA certs
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
#
# Repeat the above for EC certs
#
CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
-z "${R_NOISE_FILE}" -o req 2>&1
@@ -1124,17 +1108,16 @@ cert_extended_ssl()
-f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
# CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
# certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
# -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
#
# done with mixed EC certs
#
- fi
echo "Importing all the client's own CA chain into the servers DB"
for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
do
N=`basename $CA | sed -e "s/.ca.cert//"`
if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then
T="-t T,C,C"
else
@@ -1171,20 +1154,18 @@ cert_ssl()
CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
cert_add_cert
CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
- certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
- fi
+ CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+ certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
# cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
# echo "************* Copying CA files to ${SERVERDIR}"
# cp ${CADIR}/*.db .
# hw_acc
# CU_ACTION="Creating ${CERTNAME}'s Server Cert"
# CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
# certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
# -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
@@ -1291,17 +1272,16 @@ MODSCRIPT
############################## cert_eccurves ###########################
# local shell function to create server certs for all EC curves
########################################################################
cert_eccurves()
{
################# Creating Certs for EC curves test ########################
#
- if [ -z "$NSS_DISABLE_ECC" ] ; then
echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
echo " EC Curves Test Certificates ------------------------------------"
cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
CU_ACTION="Initializing EC Curve's Cert DB"
certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
@@ -1332,18 +1312,16 @@ cert_eccurves()
fi
if [ $RET -eq 0 ] ; then
CU_ACTION="Import $CERTNAME's EC Cert"
certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
fi
done
-
- fi # $NSS_DISABLE_ECC
}
########################### cert_extensions_test #############################
# local shell function to test cert extensions generation
##############################################################################
cert_extensions_test()
{
COUNT=`expr ${COUNT} + 1`
@@ -1685,32 +1663,30 @@ addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END
addext reasonCode 0 4
addext issuerAltNames 0 "rfc822Name:ca-dsaemail@ca.com|dnsName:ca-dsa.com|directoryName:CN=NSS Test CA (DSA),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-dsa.com|ipAddress:192.168.0.1|registerID=reg CA (DSA)"
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or-dsa
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
# Until Bug 292285 is resolved, do not encode x400 Addresses. After
# the bug is resolved, reintroduce "x400Address:x400Address" within
# addext issuerAltNames ...
crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
addext reasonCode 0 4
addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or-ec
- fi
echo test > file
############################# Modification ##################################
echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
sleep 2
CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
@@ -1731,27 +1707,25 @@ EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_END} $CRL_GRP_DATE
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1-dsa
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by adding one more cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
-o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_END} $CRL_GRP_DATE
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_1}_or1-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
- fi
########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
CU_ACTION="Modify CRL by removing one cert"
sleep 2
CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
-i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
@@ -1770,26 +1744,24 @@ EOF_CRLINI
update=$CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Modify CRL (ECC) by removing one cert"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
-i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
update=$CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_1}
EOF_CRLINI
chmod 600 ${CRL_FILE_GRP_1}-ec
TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
- fi
########### Creating second CRL which includes groups 1 and 2 ##############
CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2 ==============="
sleep 2
CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
@@ -1799,28 +1771,26 @@ EOF_CRLINI
-i ${CRL_FILE_GRP_1} <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
addext invalidityDate 0 $CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
-i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
addext invalidityDate 0 $CRLUPDATE
rmcert ${UNREVOKED_CERT_GRP_2}
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_2}-ec
- fi
########### Creating second CRL which includes groups 1, 2 and 3 ##############
CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3 ==============="
@@ -1832,43 +1802,39 @@ EOF_CRLINI
-i ${CRL_FILE_GRP_2} <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
rmcert ${UNREVOKED_CERT_GRP_3}
addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
-i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
update=$CRLUPDATE
addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
rmcert ${UNREVOKED_CERT_GRP_3}
addext crlNumber 0 2
EOF_CRLINI
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
chmod 600 ${CRL_FILE_GRP_3}-ec
- fi
############ Importing Server CA Issued CRL for certs of first group #######
echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
CU_ACTION="Importing CRL for groups 1"
crlu -D -n TestCA -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
- if [ -z "$NSS_DISABLE_ECC" ] ; then
CU_ACTION="Importing CRL (ECC) for groups 1"
crlu -D -n TestCA-ec -f "${R_PWFILE}" -d "${R_SERVERDIR}"
crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
-d "${R_SERVERDIR}"
CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
- fi
if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
else
cert_log "SUCCESS: SSL CRL prep passed"
fi
}
--- a/tests/remote/Makefile
+++ b/tests/remote/Makefile
@@ -75,17 +75,16 @@ package_for_testing:
cat $(PCFG) >> $(RTSH)
echo 'export NSS_TESTS=$(NSS_TESTS)' >> $(RTSH)
echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH)
echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)' >> $(RTSH)
echo 'export NSS_CYCLES=$(NSS_CYCLES)' >> $(RTSH)
echo 'export USE_64=$(USE_64)' >> $(RTSH)
echo 'export BUILD_OPT=$(BUILD_OPT)' >> $(RTSH)
echo 'export PKITS_DATA=$(PKITS_DATA)' >> $(RTSH)
- echo 'export NSS_DISABLE_ECC=$(NSS_DISABLE_ECC)' >> $(RTSH)
echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)' >> $(RTSH)
ifeq ($(OS_TARGET),Android)
# Android doesn't support FIPS tests, because
# dladdr does not return a full path for implicitly loaded libraries
echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg
endif
ifeq ($(CROSS_COMPILE),1)
# execute signing on test system
--- a/tests/smime/smime.sh
+++ b/tests/smime/smime.sh
@@ -35,21 +35,17 @@ smime_init()
. ./init.sh
fi
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
cd ../cert
. ./cert.sh
fi
SCRIPTNAME=smime.sh
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- html_head "S/MIME Tests with ECC"
- else
- html_head "S/MIME Tests"
- fi
+ html_head "S/MIME Tests"
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
}
SMIMEDIR=${HOSTDIR}/smime
R_SMIMEDIR=../smime
mkdir -p ${SMIMEDIR}
@@ -80,39 +76,37 @@ smime_sign()
${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}
html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "."
echo "diff alice.txt alice.data.${HASH}"
diff alice.txt alice.data.${HASH}
html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
# Test ECDSA signing for all hash algorithms.
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
- echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
- ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
- html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
+ echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
+ echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
+ html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
- echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
- ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
- html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
+ echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR}
+ html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
- echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
- echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
- ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
- html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
+ echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
+ echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
+ html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
- echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
- ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
- html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
+ echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
+ ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
+ html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
- echo "diff alice.txt alice-ec.data.${HASH}"
- diff alice.txt alice-ec.data.${HASH}
- html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
- fi
+ echo "diff alice.txt alice-ec.data.${HASH}"
+ diff alice.txt alice-ec.data.${HASH}
+ html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
}
smime_p7()
{
echo "$SCRIPTNAME: p7 util Data Tests ------------------------------"
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -91,25 +91,18 @@ ssl_init()
EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D"
EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027"
EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA"
NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- ECC_STRING=" - with ECC"
- # List of cipher suites to test, including ECC cipher suites.
- CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
- else
- ECC_STRING=""
- # List of cipher suites to test, excluding ECC cipher suites.
- CIPHER_SUITES="-c ${NON_EC_SUITES}"
- fi
+ # List of cipher suites to test, including ECC cipher suites.
+ CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
if [ "${OS_ARCH}" != "WINNT" ]; then
ulimit -n 1000 # make sure we have enough file descriptors
fi
cd ${CLIENTDIR}
}
@@ -213,18 +206,17 @@ kill_selfserv()
# also: wait until the server is up and running
########################################################################
start_selfserv()
{
if [ -n "$testname" ] ; then
echo "$SCRIPTNAME: $testname ----"
fi
sparam=`echo $sparam | sed -e 's;_; ;g'`
- if [ -z "$NSS_DISABLE_ECC" ] && \
- [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
+ if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1" ] ; then
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
else
ECC_OPTIONS=""
fi
echo "selfserv starting at `date`"
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
echo " -V ssl3:tls1.2 $verbose -H 1 &"
@@ -270,33 +262,33 @@ ignore_blank_lines()
}
############################## ssl_cov #################################
# local shell function to perform SSL Cipher Coverage tests
########################################################################
ssl_cov()
{
#verbose="-v"
- html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
sparam="$CIPHER_SUITES"
start_selfserv # Launch the server
VMIN="ssl3"
VMAX="tls1.1"
ignore_blank_lines ${SSLCOV} | \
while read ectype testmax param testname
do
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
else
echo "$SCRIPTNAME: running $testname ----------------------------"
VMAX="ssl3"
if [ "$testmax" = "TLS10" ]; then
VMAX="tls1.0"
fi
if [ "$testmax" = "TLS11" ]; then
@@ -326,29 +318,29 @@ ssl_cov()
}
############################## ssl_auth ################################
# local shell function to perform SSL Client Authentication tests
########################################################################
ssl_auth()
{
#verbose="-v"
- html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
ignore_blank_lines ${SSLAUTH} | \
while read ectype value sparam cparam testname
do
echo "${testname}" | grep "don't require client auth" > /dev/null
CAUTH=$?
if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ elif [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
else
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
if [ "$ectype" = "SNI" ]; then
cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
fi
start_selfserv
@@ -470,17 +462,17 @@ ssl_stapling_stress()
P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
}
############################ ssl_stapling ##############################
# local shell function to perform SSL Cert Status (OCSP Stapling) tests
########################################################################
ssl_stapling()
{
- html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
# tstclnt Exit code:
# 0: have fresh and valid revocation data, status good
# 1: cert failed to verify, prior to revocation checking
# 2: missing, old or invalid revocation data
# 3: have fresh and valid revocation data, status revoked
# selfserv modes
@@ -503,17 +495,17 @@ ssl_stapling()
}
############################ ssl_signed_cert_timestamps #################
# local shell function to perform SSL Signed Certificate Timestamp tests
#########################################################################
ssl_signed_cert_timestamps()
{
#verbose="-v"
- html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname="ssl_signed_cert_timestamps"
value=0
if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
return 0
fi
@@ -541,29 +533,29 @@ ssl_signed_cert_timestamps()
}
############################## ssl_stress ##############################
# local shell function to perform SSL stress test
########################################################################
ssl_stress()
{
- html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
ignore_blank_lines ${SSLSTRESS} | \
while read ectype value sparam cparam testname
do
echo "${testname}" | grep "client auth" > /dev/null
CAUTH=$?
echo "${testname}" | grep "no login" > /dev/null
NOLOGIN=$?
if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
- elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ elif [ "$ectype" = "ECC" -a ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "${NOLOGIN}" -eq 0 ] && \
[ "${CLIENT_MODE}" = "fips" -o "$NORM_EXT" = "Extended Test" ] ; then
echo "$SCRIPTNAME: skipping $testname for $NORM_EXT"
else
cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
@@ -607,28 +599,28 @@ ssl_stress()
}
############################ ssl_crl_ssl ###############################
# local shell function to perform SSL test with/out revoked certs tests
########################################################################
ssl_crl_ssl()
{
#verbose="-v"
- html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+ html_head "CRL SSL Client Tests $NORM_EXT"
# Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
# Cert number $UNREVOKED_CERT_GRP_1 was not revoked
CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
ignore_blank_lines ${SSLAUTH} | \
while read ectype value sparam cparam testname
do
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" = "SNI" ]; then
continue
else
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
pwd=`echo $cparam | grep nss`
user=`echo $cparam | grep TestUser`
_cparam=$cparam
@@ -685,17 +677,17 @@ ssl_crl_ssl()
}
############################## ssl_cov #################################
# local shell function to perform SSL Policy tests
########################################################################
ssl_policy()
{
#verbose="-v"
- html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+ html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
testname=""
sparam="$CIPHER_SUITES"
if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
return;
fi
@@ -707,17 +699,17 @@ ssl_policy()
VMIN="ssl3"
VMAX="tls1.2"
ignore_blank_lines ${SSLPOLICY} | \
while read value ectype testmax param policy testname
do
VMIN="ssl3"
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
else
echo "$SCRIPTNAME: running $testname ----------------------------"
VMAX="ssl3"
if [ "$testmax" = "TLS10" ]; then
VMAX="tls1.0"
fi
if [ "$testmax" = "TLS11" ]; then
@@ -886,33 +878,33 @@ GET crl://${SERVERDIR}/root.crl_${grpBeg
########################### ssl_crl_cache ##############################
# local shell function to perform SSL test for crl cache functionality
# with/out revoked certs
########################################################################
ssl_crl_cache()
{
#verbose="-v"
- html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+ html_head "Cache CRL SSL Client Tests $NORM_EXT"
SSLAUTH_TMP=${TMP}/authin.tl.tmp
SERV_ARG=-r_-r
rm -f ${SSLAUTH_TMP}
echo ${SSLAUTH_TMP}
grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
echo $?
while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
do
sparam=$SERV_ARG
start_selfserv
exec < ${SSLAUTH_TMP}
while read ectype value sparam cparam testname
do
[ "$ectype" = "" ] && continue
- if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+ if [ "$ectype" = "ECC" ] ; then
echo "$SCRIPTNAME: skipping $testname (ECC only)"
elif [ "$ectype" = "SNI" ]; then
continue
else
servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
pwd=`echo $cparam | grep nss`
user=`echo $cparam | grep TestUser`
_cparam=$cparam
--- a/tests/tools/tools.sh
+++ b/tests/tools/tools.sh
@@ -71,21 +71,17 @@ tools_init()
. ./init.sh
fi
if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here
cd ../cert
. ./cert.sh
fi
SCRIPTNAME=tools.sh
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- html_head "Tools Tests with ECC"
- else
- html_head "Tools Tests"
- fi
+ html_head "Tools Tests"
grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
}
TOOLSDIR=${HOSTDIR}/tools
COPYDIR=${TOOLSDIR}/copydir
SIGNDIR=${TOOLSDIR}/signdir
@@ -392,40 +388,38 @@ tools_p12_export_with_invalid_ciphers()
# Repeats the test with ECC if enabled.
########################################################################
tools_p12_export_list_import_with_default_ciphers()
{
echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
export_list_import "DEFAULT" "DEFAULT"
- if [ -z "$NSS_DISABLE_ECC" ] ; then
- echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
- echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
- echo " -w ${R_PWFILE}"
- ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
- -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
- check_tmpfile
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+ echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+ check_tmpfile
- echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
- echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
- ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
- check_tmpfile
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+ echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+ check_tmpfile
- echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
- echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
- ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
- ret=$?
- html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
- check_tmpfile
- fi
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+ echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+ check_tmpfile
}
############################## tools_p12 ###############################
# local shell function to test basic functionality of pk12util
########################################################################
tools_p12()
{
tools_p12_export_list_import_with_default_ciphers