Home | History | Annotate | Download | only in ssl
      1 /*
      2  * Platform specific crypto wrappers
      3  *
      4  * ***** BEGIN LICENSE BLOCK *****
      5  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
      6  *
      7  * The contents of this file are subject to the Mozilla Public License Version
      8  * 1.1 (the "License"); you may not use this file except in compliance with
      9  * the License. You may obtain a copy of the License at
     10  * http://www.mozilla.org/MPL/
     11  *
     12  * Software distributed under the License is distributed on an "AS IS" basis,
     13  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
     14  * for the specific language governing rights and limitations under the
     15  * License.
     16  *
     17  * The Original Code is the Netscape security libraries.
     18  *
     19  * The Initial Developer of the Original Code is
     20  * Netscape Communications Corporation.
     21  * Portions created by the Initial Developer are Copyright (C) 1994-2000
     22  * the Initial Developer. All Rights Reserved.
     23  *
     24  * Contributor(s):
     25  *   Ryan Sleevi <ryan.sleevi (at) gmail.com>
     26  *
     27  * Alternatively, the contents of this file may be used under the terms of
     28  * either the GNU General Public License Version 2 or later (the "GPL"), or
     29  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
     30  * in which case the provisions of the GPL or the LGPL are applicable instead
     31  * of those above. If you wish to allow use of your version of this file only
     32  * under the terms of either the GPL or the LGPL, and not to allow others to
     33  * use your version of this file under the terms of the MPL, indicate your
     34  * decision by deleting the provisions above and replace them with the notice
     35  * and other provisions required by the GPL or the LGPL. If you do not delete
     36  * the provisions above, a recipient may use your version of this file under
     37  * the terms of any one of the MPL, the GPL or the LGPL.
     38  *
     39  * ***** END LICENSE BLOCK ***** */
     40 /* $Id$ */
     41 #include "certt.h"
     42 #include "cryptohi.h"
     43 #include "keythi.h"
     44 #include "nss.h"
     45 #include "secitem.h"
     46 #include "ssl.h"
     47 #include "sslimpl.h"
     48 #include "prerror.h"
     49 #include "prinit.h"
     50 
     51 #ifdef NSS_PLATFORM_CLIENT_AUTH
     52 #ifdef XP_WIN32
     53 #include <NCrypt.h>
     54 #endif
     55 #endif
     56 
     57 #ifdef NSS_PLATFORM_CLIENT_AUTH
     58 CERTCertificateList*
     59 hack_NewCertificateListFromCertList(CERTCertList* list)
     60 {
     61     CERTCertificateList * chain = NULL;
     62     PLArenaPool * arena = NULL;
     63     CERTCertListNode * node;
     64     int len;
     65 
     66     if (CERT_LIST_EMPTY(list))
     67         goto loser;
     68 
     69     arena = PORT_NewArena(4096);
     70     if (arena == NULL)
     71         goto loser;
     72 
     73     for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
     74         len++, node = CERT_LIST_NEXT(node)) {
     75     }
     76 
     77     chain = PORT_ArenaNew(arena, CERTCertificateList);
     78     if (chain == NULL)
     79         goto loser;
     80 
     81     chain->certs = PORT_ArenaNewArray(arena, SECItem, len);
     82     if (!chain->certs)
     83         goto loser;
     84     chain->len = len;
     85 
     86     for (len = 0, node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
     87         len++, node = CERT_LIST_NEXT(node)) {
     88         // Check to see if the last cert to be sent is a self-signed cert,
     89         // and if so, omit it from the list of certificates. However, if
     90         // there is only one cert (len == 0), include the cert, as it means
     91         // the EE cert is self-signed.
     92         if (len > 0 && (len == chain->len - 1) && node->cert->isRoot) {
     93             chain->len = len;
     94             break;
     95         }
     96         SECITEM_CopyItem(arena, &chain->certs[len], &node->cert->derCert);
     97     }
     98 
     99     chain->arena = arena;
    100     return chain;
    101 
    102 loser:
    103     if (arena) {
    104         PORT_FreeArena(arena, PR_FALSE);
    105     }
    106     return NULL;
    107 }
    108 
    109 #if defined(XP_WIN32)
    110 typedef SECURITY_STATUS (WINAPI *NCryptFreeObjectFunc)(NCRYPT_HANDLE);
    111 typedef SECURITY_STATUS (WINAPI *NCryptSignHashFunc)(
    112     NCRYPT_KEY_HANDLE /* hKey */,
    113     VOID* /* pPaddingInfo */,
    114     PBYTE /* pbHashValue */,
    115     DWORD /* cbHashValue */,
    116     PBYTE /* pbSignature */,
    117     DWORD /* cbSignature */,
    118     DWORD* /* pcbResult */,
    119     DWORD /* dwFlags */);
    120 
    121 static PRCallOnceType cngFunctionsInitOnce;
    122 static const PRCallOnceType pristineCallOnce;
    123 
    124 static PRLibrary *ncrypt_library = NULL;
    125 static NCryptFreeObjectFunc pNCryptFreeObject = NULL;
    126 static NCryptSignHashFunc pNCryptSignHash = NULL;
    127 
    128 static SECStatus
    129 ssl_ShutdownCngFunctions(void *appData, void *nssData)
    130 {
    131     pNCryptSignHash = NULL;
    132     pNCryptFreeObject = NULL;
    133     if (ncrypt_library) {
    134         PR_UnloadLibrary(ncrypt_library);
    135         ncrypt_library = NULL;
    136     }
    137 
    138     cngFunctionsInitOnce = pristineCallOnce;
    139 
    140     return SECSuccess;
    141 }
    142 
    143 static PRStatus
    144 ssl_InitCngFunctions(void)
    145 {
    146     SECStatus rv;
    147 
    148     ncrypt_library = PR_LoadLibrary("ncrypt.dll");
    149     if (ncrypt_library == NULL)
    150         goto loser;
    151 
    152     pNCryptFreeObject = (NCryptFreeObjectFunc)PR_FindFunctionSymbol(
    153         ncrypt_library, "NCryptFreeObject");
    154     if (pNCryptFreeObject == NULL)
    155         goto loser;
    156 
    157     pNCryptSignHash = (NCryptSignHashFunc)PR_FindFunctionSymbol(
    158         ncrypt_library, "NCryptSignHash");
    159     if (pNCryptSignHash == NULL)
    160         goto loser;
    161 
    162     rv = NSS_RegisterShutdown(ssl_ShutdownCngFunctions, NULL);
    163     if (rv != SECSuccess)
    164         goto loser;
    165 
    166     return PR_SUCCESS;
    167 
    168 loser:
    169     pNCryptSignHash = NULL;
    170     pNCryptFreeObject = NULL;
    171     if (ncrypt_library) {
    172         PR_UnloadLibrary(ncrypt_library);
    173         ncrypt_library = NULL;
    174     }
    175 
    176     return PR_FAILURE;
    177 }
    178 
    179 static SECStatus
    180 ssl_InitCng(void)
    181 {
    182     if (PR_CallOnce(&cngFunctionsInitOnce, ssl_InitCngFunctions) != PR_SUCCESS)
    183         return SECFailure;
    184     return SECSuccess;
    185 }
    186 
    187 void
    188 ssl_FreePlatformKey(PlatformKey key)
    189 {
    190     if (!key)
    191         return;
    192 
    193     if (key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
    194         if (ssl_InitCng() == SECSuccess) {
    195             (*pNCryptFreeObject)(key->hNCryptKey);
    196         }
    197     } else {
    198         CryptReleaseContext(key->hCryptProv, 0);
    199     }
    200     PORT_Free(key);
    201 }
    202 
    203 static SECStatus
    204 ssl3_CngPlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf,
    205                            PRBool isTLS, KeyType keyType)
    206 {
    207     SECStatus       rv                = SECFailure;
    208     SECURITY_STATUS ncrypt_status;
    209     PRBool          doDerEncode       = PR_FALSE;
    210     SECItem         hashItem;
    211     DWORD           signatureLen      = 0;
    212     DWORD           dwFlags           = 0;
    213     VOID           *pPaddingInfo      = NULL;
    214 
    215     /* Always encode using PKCS#1 block type. */
    216     BCRYPT_PKCS1_PADDING_INFO rsaPaddingInfo;
    217 
    218     if (key->dwKeySpec != CERT_NCRYPT_KEY_SPEC) {
    219         PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
    220         return SECFailure;
    221     }
    222     if (ssl_InitCng() != SECSuccess) {
    223         PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
    224         return SECFailure;
    225     }
    226 
    227     switch (keyType) {
    228         case rsaKey:
    229             switch (hash->hashAlg) {
    230                 case SEC_OID_UNKNOWN:
    231                     /* No OID/encoded DigestInfo. */
    232                     rsaPaddingInfo.pszAlgId = NULL;
    233                     break;
    234                 case SEC_OID_SHA1:
    235                     rsaPaddingInfo.pszAlgId = BCRYPT_SHA1_ALGORITHM;
    236                     break;
    237                 case SEC_OID_SHA256:
    238                     rsaPaddingInfo.pszAlgId = BCRYPT_SHA256_ALGORITHM;
    239                     break;
    240                 case SEC_OID_SHA384:
    241                     rsaPaddingInfo.pszAlgId = BCRYPT_SHA384_ALGORITHM;
    242                     break;
    243                 case SEC_OID_SHA512:
    244                     rsaPaddingInfo.pszAlgId = BCRYPT_SHA512_ALGORITHM;
    245                     break;
    246                 default:
    247                     PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
    248                     return SECFailure;
    249             }
    250             hashItem.data = hash->u.raw;
    251             hashItem.len  = hash->len;
    252             dwFlags       = BCRYPT_PAD_PKCS1;
    253             pPaddingInfo  = &rsaPaddingInfo;
    254             break;
    255         case dsaKey:
    256         case ecKey:
    257             if (keyType == ecKey) {
    258                 doDerEncode = PR_TRUE;
    259             } else {
    260                 doDerEncode = isTLS;
    261             }
    262             if (hash->hashAlg == SEC_OID_UNKNOWN) {
    263                 hashItem.data = hash->u.s.sha;
    264                 hashItem.len  = sizeof(hash->u.s.sha);
    265             } else {
    266                 hashItem.data = hash->u.raw;
    267                 hashItem.len  = hash->len;
    268             }
    269             break;
    270         default:
    271             PORT_SetError(SEC_ERROR_INVALID_KEY);
    272             goto done;
    273     }
    274     PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
    275 
    276     ncrypt_status = (*pNCryptSignHash)(key->hNCryptKey, pPaddingInfo,
    277                                        (PBYTE)hashItem.data, hashItem.len,
    278                                        NULL, 0, &signatureLen, dwFlags);
    279     if (FAILED(ncrypt_status) || signatureLen == 0) {
    280         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, ncrypt_status);
    281         goto done;
    282     }
    283 
    284     buf->data = (unsigned char *)PORT_Alloc(signatureLen);
    285     if (!buf->data) {
    286         goto done;    /* error code was set. */
    287     }
    288 
    289     ncrypt_status = (*pNCryptSignHash)(key->hNCryptKey, pPaddingInfo,
    290                                        (PBYTE)hashItem.data, hashItem.len,
    291                                        (PBYTE)buf->data, signatureLen,
    292                                        &signatureLen, dwFlags);
    293     if (FAILED(ncrypt_status) || signatureLen == 0) {
    294         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, ncrypt_status);
    295         goto done;
    296     }
    297 
    298     buf->len = signatureLen;
    299 
    300     if (doDerEncode) {
    301         SECItem   derSig = {siBuffer, NULL, 0};
    302 
    303         /* This also works for an ECDSA signature */
    304         rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
    305         if (rv == SECSuccess) {
    306             PORT_Free(buf->data);     /* discard unencoded signature. */
    307             *buf = derSig;            /* give caller encoded signature. */
    308         } else if (derSig.data) {
    309             PORT_Free(derSig.data);
    310         }
    311     } else {
    312         rv = SECSuccess;
    313     }
    314 
    315     PRINT_BUF(60, (NULL, "signed hashes", buf->data, buf->len));
    316 
    317 done:
    318     if (rv != SECSuccess && buf->data) {
    319         PORT_Free(buf->data);
    320         buf->data = NULL;
    321         buf->len = 0;
    322     }
    323 
    324     return rv;
    325 }
    326 
    327 static SECStatus
    328 ssl3_CAPIPlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf,
    329                             PRBool isTLS, KeyType keyType)
    330 {
    331     SECStatus    rv             = SECFailure;
    332     PRBool       doDerEncode    = PR_FALSE;
    333     SECItem      hashItem;
    334     DWORD        argLen         = 0;
    335     DWORD        signatureLen   = 0;
    336     ALG_ID       hashAlg        = 0;
    337     HCRYPTHASH   hHash          = 0;
    338     DWORD        hashLen        = 0;
    339     unsigned int i              = 0;
    340 
    341     buf->data = NULL;
    342 
    343     switch (hash->hashAlg) {
    344         case SEC_OID_UNKNOWN:
    345             hashAlg = 0;
    346             break;
    347         case SEC_OID_SHA1:
    348             hashAlg = CALG_SHA1;
    349             break;
    350         case SEC_OID_SHA256:
    351             hashAlg = CALG_SHA_256;
    352             break;
    353         case SEC_OID_SHA384:
    354             hashAlg = CALG_SHA_384;
    355             break;
    356         case SEC_OID_SHA512:
    357             hashAlg = CALG_SHA_512;
    358             break;
    359         default:
    360             PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
    361             return SECFailure;
    362     }
    363 
    364     switch (keyType) {
    365         case rsaKey:
    366             if (hashAlg == 0) {
    367                 hashAlg = CALG_SSL3_SHAMD5;
    368             }
    369             hashItem.data = hash->u.raw;
    370             hashItem.len = hash->len;
    371             break;
    372         case dsaKey:
    373         case ecKey:
    374             if (keyType == ecKey) {
    375                 doDerEncode = PR_TRUE;
    376             } else {
    377                 doDerEncode = isTLS;
    378             }
    379             if (hashAlg == 0) {
    380                 hashAlg = CALG_SHA1;
    381                 hashItem.data = hash->u.s.sha;
    382                 hashItem.len = sizeof(hash->u.s.sha);
    383             } else {
    384                 hashItem.data = hash->u.raw;
    385                 hashItem.len = hash->len;
    386             }
    387             break;
    388         default:
    389             PORT_SetError(SEC_ERROR_INVALID_KEY);
    390             goto done;
    391     }
    392     PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
    393 
    394     if (!CryptCreateHash(key->hCryptProv, hashAlg, 0, 0, &hHash)) {
    395         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, GetLastError());
    396         goto done;
    397     }
    398     argLen = sizeof(hashLen);
    399     if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&hashLen, &argLen, 0)) {
    400         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, GetLastError());
    401         goto done;
    402     }
    403     if (hashLen != hashItem.len) {
    404         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, 0);
    405         goto done;
    406     }
    407     if (!CryptSetHashParam(hHash, HP_HASHVAL, (BYTE*)hashItem.data, 0)) {
    408         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, GetLastError());
    409         goto done;
    410     }
    411     if (!CryptSignHash(hHash, key->dwKeySpec, NULL, 0,
    412                        NULL, &signatureLen) || signatureLen == 0) {
    413         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, GetLastError());
    414         goto done;
    415     }
    416     buf->data = (unsigned char *)PORT_Alloc(signatureLen);
    417     if (!buf->data)
    418         goto done;    /* error code was set. */
    419 
    420     if (!CryptSignHash(hHash, key->dwKeySpec, NULL, 0,
    421                        (BYTE*)buf->data, &signatureLen)) {
    422         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, GetLastError());
    423         goto done;
    424     }
    425     buf->len = signatureLen;
    426 
    427     /* CryptoAPI signs in little-endian, so reverse */
    428     for (i = 0; i < buf->len / 2; ++i) {
    429         unsigned char tmp = buf->data[i];
    430         buf->data[i] = buf->data[buf->len - 1 - i];
    431         buf->data[buf->len - 1 - i] = tmp;
    432     }
    433     if (doDerEncode) {
    434         SECItem   derSig = {siBuffer, NULL, 0};
    435 
    436         /* This also works for an ECDSA signature */
    437         rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
    438         if (rv == SECSuccess) {
    439             PORT_Free(buf->data);     /* discard unencoded signature. */
    440             *buf = derSig;            /* give caller encoded signature. */
    441         } else if (derSig.data) {
    442             PORT_Free(derSig.data);
    443         }
    444     } else {
    445         rv = SECSuccess;
    446     }
    447 
    448     PRINT_BUF(60, (NULL, "signed hashes", buf->data, buf->len));
    449 done:
    450     if (hHash)
    451         CryptDestroyHash(hHash);
    452     if (rv != SECSuccess && buf->data) {
    453         PORT_Free(buf->data);
    454         buf->data = NULL;
    455     }
    456     return rv;
    457 }
    458 
    459 SECStatus
    460 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf,
    461                         PRBool isTLS, KeyType keyType)
    462 {
    463     if (key->dwKeySpec == CERT_NCRYPT_KEY_SPEC) {
    464         return ssl3_CngPlatformSignHashes(hash, key, buf, isTLS, keyType);
    465     }
    466     return ssl3_CAPIPlatformSignHashes(hash, key, buf, isTLS, keyType);
    467 }
    468 
    469 #elif defined(XP_MACOSX)
    470 #include <Security/cssm.h>
    471 
    472 void
    473 ssl_FreePlatformKey(PlatformKey key)
    474 {
    475     CFRelease(key);
    476 }
    477 
    478 #define SSL_MAX_DIGEST_INFO_PREFIX 20
    479 
    480 /* ssl3_GetDigestInfoPrefix sets |out| and |out_len| to point to a buffer that
    481  * contains ASN.1 data that should be prepended to a hash of the given type in
    482  * order to create a DigestInfo structure that is valid for use in a PKCS #1
    483  * v1.5 RSA signature. |out_len| will not be set to a value greater than
    484  * SSL_MAX_DIGEST_INFO_PREFIX. */
    485 static SECStatus
    486 ssl3_GetDigestInfoPrefix(SECOidTag hashAlg,
    487                          const SSL3Opaque** out, unsigned int *out_len)
    488 {
    489     /* These are the DER encoding of ASN.1 DigestInfo structures:
    490      *   DigestInfo ::= SEQUENCE {
    491      *     digestAlgorithm AlgorithmIdentifier,
    492      *     digest OCTET STRING
    493      *   }
    494      * See PKCS #1 v2.2 Section 9.2, Note 1.
    495      */
    496     static const unsigned char kSHA1[] = {
    497         0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    498         0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
    499     };
    500     static const unsigned char kSHA224[] = {
    501         0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
    502         0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05,
    503         0x00, 0x04, 0x1c
    504     };
    505     static const unsigned char kSHA256[] = {
    506         0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
    507         0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
    508         0x00, 0x04, 0x20
    509     };
    510     static const unsigned char kSHA384[] = {
    511         0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
    512         0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
    513         0x00, 0x04, 0x30
    514     };
    515     static const unsigned char kSHA512[] = {
    516         0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
    517         0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
    518         0x00, 0x04, 0x40
    519     };
    520 
    521     switch (hashAlg) {
    522     case SEC_OID_UNKNOWN:
    523         *out_len = 0;
    524         break;
    525     case SEC_OID_SHA1:
    526         *out = kSHA1;
    527         *out_len = sizeof(kSHA1);
    528         break;
    529     case SEC_OID_SHA224:
    530         *out = kSHA224;
    531         *out_len = sizeof(kSHA224);
    532         break;
    533     case SEC_OID_SHA256:
    534         *out = kSHA256;
    535         *out_len = sizeof(kSHA256);
    536         break;
    537     case SEC_OID_SHA384:
    538         *out = kSHA384;
    539         *out_len = sizeof(kSHA384);
    540         break;
    541     case SEC_OID_SHA512:
    542         *out = kSHA512;
    543         *out_len = sizeof(kSHA512);
    544         break;
    545     default:
    546         PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
    547         return SECFailure;
    548     }
    549 
    550     return SECSuccess;
    551 }
    552 
    553 SECStatus
    554 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf,
    555                         PRBool isTLS, KeyType keyType)
    556 {
    557     SECStatus       rv                  = SECFailure;
    558     PRBool          doDerEncode         = PR_FALSE;
    559     unsigned int    signatureLen;
    560     OSStatus        status              = noErr;
    561     CSSM_CSP_HANDLE cspHandle           = 0;
    562     const CSSM_KEY *cssmKey             = NULL;
    563     CSSM_ALGORITHMS sigAlg;
    564     CSSM_ALGORITHMS digestAlg;
    565     const CSSM_ACCESS_CREDENTIALS * cssmCreds = NULL;
    566     CSSM_RETURN     cssmRv;
    567     CSSM_DATA       hashData;
    568     CSSM_DATA       signatureData;
    569     CSSM_CC_HANDLE  cssmSignature       = 0;
    570     const SSL3Opaque* prefix;
    571     unsigned int    prefixLen;
    572     SSL3Opaque      prefixAndHash[SSL_MAX_DIGEST_INFO_PREFIX + HASH_LENGTH_MAX];
    573 
    574     buf->data = NULL;
    575 
    576     status = SecKeyGetCSPHandle(key, &cspHandle);
    577     if (status != noErr) {
    578         PORT_SetError(SEC_ERROR_INVALID_KEY);
    579         goto done;
    580     }
    581 
    582     status = SecKeyGetCSSMKey(key, &cssmKey);
    583     if (status != noErr || !cssmKey) {
    584         PORT_SetError(SEC_ERROR_NO_KEY);
    585         goto done;
    586     }
    587 
    588     /* SecKeyGetBlockSize wasn't addeded until OS X 10.6 - but the
    589      * needed information is readily available on the key itself.
    590      */
    591     signatureLen = (cssmKey->KeyHeader.LogicalKeySizeInBits + 7) / 8;
    592 
    593     if (signatureLen == 0) {
    594         PORT_SetError(SEC_ERROR_INVALID_KEY);
    595         goto done;
    596     }
    597 
    598     buf->data = (unsigned char *)PORT_Alloc(signatureLen);
    599     if (!buf->data)
    600         goto done;    /* error code was set. */
    601 
    602     sigAlg = cssmKey->KeyHeader.AlgorithmId;
    603     digestAlg = CSSM_ALGID_NONE;
    604 
    605     switch (keyType) {
    606         case rsaKey:
    607             PORT_Assert(sigAlg == CSSM_ALGID_RSA);
    608             if (ssl3_GetDigestInfoPrefix(hash->hashAlg, &prefix, &prefixLen) !=
    609                 SECSuccess) {
    610                 goto done;
    611             }
    612             if (prefixLen + hash->len > sizeof(prefixAndHash)) {
    613                 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
    614                 goto done;
    615             }
    616             memcpy(prefixAndHash, prefix, prefixLen);
    617             memcpy(prefixAndHash + prefixLen, hash->u.raw, hash->len);
    618             hashData.Data   = prefixAndHash;
    619             hashData.Length = prefixLen + hash->len;
    620             break;
    621         case dsaKey:
    622         case ecKey:
    623             if (keyType == ecKey) {
    624                 PORT_Assert(sigAlg == CSSM_ALGID_ECDSA);
    625                 doDerEncode = PR_TRUE;
    626             } else {
    627                 PORT_Assert(sigAlg == CSSM_ALGID_DSA);
    628                 doDerEncode = isTLS;
    629             }
    630             if (hash->hashAlg == SEC_OID_UNKNOWN) {
    631                 hashData.Data   = hash->u.s.sha;
    632                 hashData.Length = sizeof(hash->u.s.sha);
    633             } else {
    634                 hashData.Data   = hash->u.raw;
    635                 hashData.Length = hash->len;
    636             }
    637             break;
    638         default:
    639             PORT_SetError(SEC_ERROR_INVALID_KEY);
    640             goto done;
    641     }
    642     PRINT_BUF(60, (NULL, "hash(es) to be signed", hashData.Data, hashData.Length));
    643 
    644     /* TODO(rsleevi): Should it be kSecCredentialTypeNoUI? In Win32, at least,
    645      * you can prevent the UI by setting the provider handle on the
    646      * certificate to be opened with CRYPT_SILENT, but is there an equivalent?
    647      */
    648     status = SecKeyGetCredentials(key, CSSM_ACL_AUTHORIZATION_SIGN,
    649                                   kSecCredentialTypeDefault, &cssmCreds);
    650     if (status != noErr) {
    651         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, status);
    652         goto done;
    653     }
    654 
    655     signatureData.Length = signatureLen;
    656     signatureData.Data   = (uint8*)buf->data;
    657 
    658     cssmRv = CSSM_CSP_CreateSignatureContext(cspHandle, sigAlg, cssmCreds,
    659                                              cssmKey, &cssmSignature);
    660     if (cssmRv) {
    661         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, cssmRv);
    662         goto done;
    663     }
    664 
    665     /* See "Apple Cryptographic Service Provider Functional Specification" */
    666     if (cssmKey->KeyHeader.AlgorithmId == CSSM_ALGID_RSA) {
    667         /* To set RSA blinding for RSA keys */
    668         CSSM_CONTEXT_ATTRIBUTE blindingAttr;
    669         blindingAttr.AttributeType   = CSSM_ATTRIBUTE_RSA_BLINDING;
    670         blindingAttr.AttributeLength = sizeof(uint32);
    671         blindingAttr.Attribute.Uint32 = 1;
    672         cssmRv = CSSM_UpdateContextAttributes(cssmSignature, 1, &blindingAttr);
    673         if (cssmRv) {
    674             PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, cssmRv);
    675             goto done;
    676         }
    677     }
    678 
    679     cssmRv = CSSM_SignData(cssmSignature, &hashData, 1, digestAlg,
    680                            &signatureData);
    681     if (cssmRv) {
    682         PR_SetError(SSL_ERROR_SIGN_HASHES_FAILURE, cssmRv);
    683         goto done;
    684     }
    685     buf->len = signatureData.Length;
    686 
    687     if (doDerEncode) {
    688         SECItem derSig = {siBuffer, NULL, 0};
    689 
    690         /* This also works for an ECDSA signature */
    691         rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
    692         if (rv == SECSuccess) {
    693             PORT_Free(buf->data);     /* discard unencoded signature. */
    694             *buf = derSig;            /* give caller encoded signature. */
    695         } else if (derSig.data) {
    696             PORT_Free(derSig.data);
    697         }
    698     } else {
    699         rv = SECSuccess;
    700     }
    701 
    702     PRINT_BUF(60, (NULL, "signed hashes", buf->data, buf->len));
    703 done:
    704     /* cspHandle, cssmKey, and cssmCreds are owned by the SecKeyRef and
    705      * should not be freed. When the PlatformKey is freed, they will be
    706      * released.
    707      */
    708     if (cssmSignature)
    709         CSSM_DeleteContext(cssmSignature);
    710 
    711     if (rv != SECSuccess && buf->data) {
    712         PORT_Free(buf->data);
    713         buf->data = NULL;
    714     }
    715     return rv;
    716 }
    717 #else
    718 void
    719 ssl_FreePlatformKey(PlatformKey key)
    720 {
    721 }
    722 
    723 SECStatus
    724 ssl3_PlatformSignHashes(SSL3Hashes *hash, PlatformKey key, SECItem *buf,
    725                         PRBool isTLS, KeyType keyType)
    726 {
    727     PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
    728     return SECFailure;
    729 }
    730 #endif
    731 
    732 #endif /* NSS_PLATFORM_CLIENT_AUTH */
    733