Bug 1353325, Backed out changeset 7e62307b5cf4 for build failure.
authorKai Engert <kaie@kuix.de>
Thu, 06 Apr 2017 22:38:58 +0200
changeset 13291 7228445b43ac095ebc0eee330d6a351b898ebbdd
parent 13290 7e62307b5cf413080b399a45edb18082a9b71f6e
child 13292 ef11922df67881332f1fa200c7ae21b9c30cec76
push id2145
push userkaie@kuix.de
push dateThu, 06 Apr 2017 20:39:11 +0000
bugs1353325
Bug 1353325, Backed out changeset 7e62307b5cf4 for build failure.
lib/pkcs12/p12d.c
lib/pkcs12/p12e.c
lib/pkcs12/p12local.c
lib/pkcs12/p12local.h
--- a/lib/pkcs12/p12d.c
+++ b/lib/pkcs12/p12d.c
@@ -172,53 +172,69 @@ sec_pkcs12_proper_version(sec_PKCS12PFXI
 
 /* retrieve the key for decrypting the safe contents */
 static PK11SymKey *
 sec_pkcs12_decoder_get_decrypt_key(void *arg, SECAlgorithmID *algid)
 {
     SEC_PKCS12DecoderContext *p12dcx = (SEC_PKCS12DecoderContext *)arg;
     PK11SlotInfo *slot;
     PK11SymKey *bulkKey;
-    SECItem pwitem = { 0 };
+    SECItem *pwitem;
+    SECItem decodedPwitem = { 0 };
     SECOidTag algorithm;
 
     if (!p12dcx) {
         return NULL;
     }
 
     /* if no slot specified, use the internal key slot */
     if (p12dcx->slot) {
         slot = PK11_ReferenceSlot(p12dcx->slot);
     } else {
         slot = PK11_GetInternalKeySlot();
     }
 
     algorithm = SECOID_GetAlgorithmTag(algid);
-    if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm, p12dcx->pwitem))
-        return NULL;
-
-    bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
+    pwitem = p12dcx->pwitem;
+
+    /* here we assume that the password is already encoded into
+     * BMPString by the caller.  if the encryption scheme is not the
+     * one defined in PKCS #12, decode the password back into
+     * UTF-8. */
+    if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) {
+        if (!sec_pkcs12_convert_item_to_unicode(NULL, &decodedPwitem,
+                                                p12dcx->pwitem,
+                                                PR_TRUE, PR_FALSE, PR_FALSE)) {
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+            return NULL;
+        }
+        pwitem = &decodedPwitem;
+    }
+
+    bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
+                             PR_FALSE, p12dcx->wincx);
     /* some tokens can't generate PBE keys on their own, generate the
      * key in the internal slot, and let the Import code deal with it,
      * (if the slot can't generate PBEs, then we need to use the internal
      * slot anyway to unwrap). */
     if (!bulkKey && !PK11_IsInternal(slot)) {
         PK11_FreeSlot(slot);
         slot = PK11_GetInternalKeySlot();
-        bulkKey = PK11_PBEKeyGen(slot, algid, &pwitem, PR_FALSE, p12dcx->wincx);
+        bulkKey = PK11_PBEKeyGen(slot, algid, pwitem,
+                                 PR_FALSE, p12dcx->wincx);
     }
     PK11_FreeSlot(slot);
 
     /* set the password data on the key */
     if (bulkKey) {
         PK11_SetSymKeyUserData(bulkKey, p12dcx->pwitem, NULL);
     }
 
-    if (pwitem.data) {
-        SECITEM_ZfreeItem(&pwitem, PR_FALSE);
+    if (decodedPwitem.data) {
+        SECITEM_ZfreeItem(&decodedPwitem, PR_FALSE);
     }
 
     return bulkKey;
 }
 
 /* XXX this needs to be modified to handle enveloped data.  most
  * likely, it should mirror the routines for SMIME in that regard.
  */
@@ -2455,35 +2471,23 @@ sec_pkcs12_add_key(sec_PKCS12SafeBag *ke
 
     switch (SECOID_FindOIDTag(&key->safeBagType)) {
         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
             rv = PK11_ImportPrivateKeyInfo(key->slot,
                                            key->safeBagContent.pkcs8KeyBag,
                                            nickName, publicValue, PR_TRUE, PR_TRUE,
                                            keyUsage, wincx);
             break;
-        case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: {
-            SECItem pwitem = { 0 };
-            SECAlgorithmID *algid =
-                &key->safeBagContent.pkcs8ShroudedKeyBag->algorithm;
-            SECOidTag algorithm = SECOID_GetAlgorithmTag(algid);
-
-            if (!sec_pkcs12_decode_password(NULL, &pwitem, algorithm,
-                                            key->pwitem))
-                return SECFailure;
+        case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID:
             rv = PK11_ImportEncryptedPrivateKeyInfo(key->slot,
                                                     key->safeBagContent.pkcs8ShroudedKeyBag,
-                                                    &pwitem, nickName, publicValue,
+                                                    key->pwitem, nickName, publicValue,
                                                     PR_TRUE, PR_TRUE, keyType, keyUsage,
                                                     wincx);
-            if (&pwitem.data) {
-                SECITEM_ZfreeItem(&pwitem, PR_FALSE);
-            }
             break;
-        }
         default:
             key->error = SEC_ERROR_PKCS12_UNSUPPORTED_VERSION;
             key->problem = PR_TRUE;
             if (nickName) {
                 SECITEM_ZfreeItem(nickName, PR_TRUE);
             }
             return SECFailure;
     }
--- a/lib/pkcs12/p12e.c
+++ b/lib/pkcs12/p12e.c
@@ -392,19 +392,28 @@ SEC_PKCS12CreatePasswordPrivSafe(SEC_PKC
                                                        p12ctxt->pwfnarg);
     }
     if (!safeInfo->cinfo) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         goto loser;
     }
     safeInfo->arena = p12ctxt->arena;
 
-    if (!sec_pkcs12_encode_password(NULL, &uniPwitem, privAlg, pwitem)) {
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-        goto loser;
+    if (sec_pkcs12_is_pkcs12_pbe_algorithm(privAlg)) {
+        /* convert the password to unicode */
+        if (!sec_pkcs12_convert_item_to_unicode(NULL, &uniPwitem, pwitem,
+                                                PR_TRUE, PR_TRUE, PR_TRUE)) {
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+            goto loser;
+        }
+    } else {
+        if (SECITEM_CopyItem(NULL, &uniPwitem, pwitem) != SECSuccess) {
+            PORT_SetError(SEC_ERROR_NO_MEMORY);
+            goto loser;
+        }
     }
     if (SECITEM_CopyItem(p12ctxt->arena, &safeInfo->pwitem, &uniPwitem) != SECSuccess) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         goto loser;
     }
 
     /* generate the encryption key */
     slot = PK11_ReferenceSlot(p12ctxt->slot);
@@ -1207,18 +1216,18 @@ SEC_PKCS12AddKeyForCert(SEC_PKCS12Export
         keyType = SEC_OID_PKCS12_V1_KEY_BAG_ID;
         SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
     } else {
 
         /* extract the key encrypted */
         SECKEYEncryptedPrivateKeyInfo *epki = NULL;
         PK11SlotInfo *slot = NULL;
 
-        if (!sec_pkcs12_encode_password(p12ctxt->arena, &uniPwitem, algorithm,
-                                        pwitem)) {
+        if (!sec_pkcs12_convert_item_to_unicode(p12ctxt->arena, &uniPwitem,
+                                                pwitem, PR_TRUE, PR_TRUE, PR_TRUE)) {
             PORT_SetError(SEC_ERROR_NO_MEMORY);
             goto loser;
         }
 
         /* we want to make sure to take the key out of the key slot */
         if (PK11_IsInternal(p12ctxt->slot)) {
             slot = PK11_GetInternalKeySlot();
         } else {
--- a/lib/pkcs12/p12local.c
+++ b/lib/pkcs12/p12local.c
@@ -971,56 +971,16 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi
         case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
         case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
             return PR_TRUE;
         default:
             return PR_FALSE;
     }
 }
 
-/* this function decodes a password from Unicode if necessary,
- * according to the PBE algorithm.
- *
- * we assume that the pwitem is already encoded in Unicode by the
- * caller.  if the encryption scheme is not the one defined in PKCS
- * #12, decode the pwitem back into UTF-8. */
-PRBool
-sec_pkcs12_decode_password(PLArenaPool *arena,
-                           SECItem *result,
-                           SECOidTag algorithm,
-                           const SECItem *pwitem)
-{
-    if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
-        return sec_pkcs12_convert_item_to_unicode(arena, result,
-                                                  (SECItem *)pwitem,
-                                                  PR_TRUE, PR_FALSE, PR_FALSE);
-
-    return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
-}
-
-/* this function encodes a password into Unicode if necessary,
- * according to the PBE algorithm.
- *
- * we assume that the pwitem holds a raw password.  if the encryption
- * scheme is the one defined in PKCS #12, encode the password into
- * BMPString. */
-PRBool
-sec_pkcs12_encode_password(PLArenaPool *arena,
-                           SECItem *result,
-                           SECOidTag algorithm,
-                           const SECItem *pwitem)
-{
-    if (sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
-        return sec_pkcs12_convert_item_to_unicode(arena, result,
-                                                  (SECItem *)pwitem,
-                                                  PR_TRUE, PR_TRUE, PR_TRUE);
-
-    return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
-}
-
 /* pkcs 12 templates */
 static const SEC_ASN1TemplateChooserPtr sec_pkcs12_shroud_chooser =
     sec_pkcs12_choose_shroud_type;
 
 const SEC_ASN1Template SEC_PKCS12CodedSafeBagTemplate[] =
     {
       { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SEC_PKCS12SafeBag) },
       { SEC_ASN1_OBJECT_ID, offsetof(SEC_PKCS12SafeBag, safeBagType) },
--- a/lib/pkcs12/p12local.h
+++ b/lib/pkcs12/p12local.h
@@ -52,18 +52,9 @@ extern SEC_PKCS12AuthenticatedSafe *sec_
 extern SEC_PKCS12DecoderContext *
 sec_PKCS12ConvertOldSafeToNew(PLArenaPool *arena, PK11SlotInfo *slot,
                               PRBool swapUnicode, SECItem *pwitem,
                               void *wincx, SEC_PKCS12SafeContents *safe,
                               SEC_PKCS12Baggage *baggage);
 
 extern PRBool sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm);
 
-extern PRBool sec_pkcs12_decode_password(PLArenaPool *arena,
-                                         SECItem *result,
-                                         SECOidTag algorithm,
-                                         const SECItem *pwitem);
-extern PRBool sec_pkcs12_encode_password(PLArenaPool *arena,
-                                         SECItem *result,
-                                         SECOidTag algorithm,
-                                         const SECItem *pwitem);
-
 #endif