ckfw/capi/cfind.c

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef CKCAPI_H
#include "ckcapi.h"
#endif /* CKCAPI_H */

/*
 * ckcapi/cfind.c
 *
 * This file implements the NSSCKMDFindObjects object for the
 * "capi" cryptoki module.
 */

struct ckcapiFOStr {
    NSSArena *arena;
    CK_ULONG n;
    CK_ULONG i;
    ckcapiInternalObject **objs;
};

static void
ckcapi_mdFindObjects_Final(
    NSSCKMDFindObjects *mdFindObjects,
    NSSCKFWFindObjects *fwFindObjects,
    NSSCKMDSession *mdSession,
    NSSCKFWSession *fwSession,
    NSSCKMDToken *mdToken,
    NSSCKFWToken *fwToken,
    NSSCKMDInstance *mdInstance,
    NSSCKFWInstance *fwInstance)
{
    struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
    NSSArena *arena = fo->arena;
    PRUint32 i;

    /* walk down an free the unused 'objs' */
    for (i = fo->i; i < fo->n; i++) {
        nss_ckcapi_DestroyInternalObject(fo->objs[i]);
    }

    nss_ZFreeIf(fo->objs);
    nss_ZFreeIf(fo);
    nss_ZFreeIf(mdFindObjects);
    if ((NSSArena *)NULL != arena) {
        NSSArena_Destroy(arena);
    }

    return;
}

static NSSCKMDObject *
ckcapi_mdFindObjects_Next(
    NSSCKMDFindObjects *mdFindObjects,
    NSSCKFWFindObjects *fwFindObjects,
    NSSCKMDSession *mdSession,
    NSSCKFWSession *fwSession,
    NSSCKMDToken *mdToken,
    NSSCKFWToken *fwToken,
    NSSCKMDInstance *mdInstance,
    NSSCKFWInstance *fwInstance,
    NSSArena *arena,
    CK_RV *pError)
{
    struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
    ckcapiInternalObject *io;

    if (fo->i == fo->n) {
        *pError = CKR_OK;
        return (NSSCKMDObject *)NULL;
    }

    io = fo->objs[fo->i];
    fo->i++;

    return nss_ckcapi_CreateMDObject(arena, io, pError);
}

static CK_BBOOL
ckcapi_attrmatch(
    CK_ATTRIBUTE_PTR a,
    ckcapiInternalObject *o)
{
    PRBool prb;
    const NSSItem *b;

    b = nss_ckcapi_FetchAttribute(o, a->type);
    if (b == NULL) {
        return CK_FALSE;
    }

    if (a->ulValueLen != b->size) {
        /* match a decoded serial number */
        if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
            unsigned int len;
            unsigned char *data;

            data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);
            if ((len == a->ulValueLen) &&
                nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
                return CK_TRUE;
            }
        }
        return CK_FALSE;
    }

    prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);

    if (PR_TRUE == prb) {
        return CK_TRUE;
    } else {
        return CK_FALSE;
    }
}

static CK_BBOOL
ckcapi_match(
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    ckcapiInternalObject *o)
{
    CK_ULONG i;

    for (i = 0; i < ulAttributeCount; i++) {
        if (CK_FALSE == ckcapi_attrmatch(&pTemplate[i], o)) {
            return CK_FALSE;
        }
    }

    /* Every attribute passed */
    return CK_TRUE;
}

#define CKAPI_ITEM_CHUNK 20

#define PUT_Object(obj, err)                                                    \
    {                                                                           \
        if (count >= size) {                                                    \
            *listp = *listp ? nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
                                                (size +                         \
                                                 CKAPI_ITEM_CHUNK))             \
                            : nss_ZNEWARRAY(NULL, ckcapiInternalObject *,       \
                                            (size +                             \
                                             CKAPI_ITEM_CHUNK));                \
            if ((ckcapiInternalObject **)NULL == *listp) {                      \
                err = CKR_HOST_MEMORY;                                          \
                goto loser;                                                     \
            }                                                                   \
            size += CKAPI_ITEM_CHUNK;                                           \
        }                                                                       \
        (*listp)[count] = (obj);                                                \
        count++;                                                                \
    }

/*
 * pass parameters back through the callback.
 */
typedef struct BareCollectParamsStr {
    CK_OBJECT_CLASS objClass;
    CK_ATTRIBUTE_PTR pTemplate;
    CK_ULONG ulAttributeCount;
    ckcapiInternalObject ***listp;
    PRUint32 size;
    PRUint32 count;
} BareCollectParams;

/* collect_bare's callback. Called for each object that
 * supposedly has a PROVINDER_INFO property */
static BOOL WINAPI
doBareCollect(
    const CRYPT_HASH_BLOB *msKeyID,
    DWORD flags,
    void *reserved,
    void *args,
    DWORD cProp,
    DWORD *propID,
    void **propData,
    DWORD *propSize)
{
    BareCollectParams *bcp = (BareCollectParams *)args;
    PRUint32 size = bcp->size;
    PRUint32 count = bcp->count;
    ckcapiInternalObject ***listp = bcp->listp;
    ckcapiInternalObject *io = NULL;
    DWORD i;
    CRYPT_KEY_PROV_INFO *keyProvInfo = NULL;
    void *idData;
    CK_RV error;

    /* make sure there is a Key Provider Info property */
    for (i = 0; i < cProp; i++) {
        if (CERT_KEY_PROV_INFO_PROP_ID == propID[i]) {
            keyProvInfo = (CRYPT_KEY_PROV_INFO *)propData[i];
            break;
        }
    }
    if ((CRYPT_KEY_PROV_INFO *)NULL == keyProvInfo) {
        return 1;
    }

    /* copy the key ID */
    idData = nss_ZNEWARRAY(NULL, char, msKeyID->cbData);
    if ((void *)NULL == idData) {
        goto loser;
    }
    nsslibc_memcpy(idData, msKeyID->pbData, msKeyID->cbData);

    /* build a bare internal object */
    io = nss_ZNEW(NULL, ckcapiInternalObject);
    if ((ckcapiInternalObject *)NULL == io) {
        goto loser;
    }
    io->type = ckcapiBareKey;
    io->objClass = bcp->objClass;
    io->u.key.provInfo = *keyProvInfo;
    io->u.key.provInfo.pwszContainerName =
        nss_ckcapi_WideDup(keyProvInfo->pwszContainerName);
    io->u.key.provInfo.pwszProvName =
        nss_ckcapi_WideDup(keyProvInfo->pwszProvName);
    io->u.key.provName = nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
    io->u.key.containerName =
        nss_ckcapi_WideToUTF8(keyProvInfo->pwszContainerName);
    io->u.key.hProv = 0;
    io->idData = idData;
    io->id.data = idData;
    io->id.size = msKeyID->cbData;
    idData = NULL;

    /* see if it matches */
    if (CK_FALSE == ckcapi_match(bcp->pTemplate, bcp->ulAttributeCount, io)) {
        goto loser;
    }
    PUT_Object(io, error);
    bcp->size = size;
    bcp->count = count;
    return 1;

loser:
    if (io) {
        nss_ckcapi_DestroyInternalObject(io);
    }
    nss_ZFreeIf(idData);
    return 1;
}

/*
 * collect the bare keys running around
 */
static PRUint32
collect_bare(
    CK_OBJECT_CLASS objClass,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    ckcapiInternalObject ***listp,
    PRUint32 *sizep,
    PRUint32 count,
    CK_RV *pError)
{
    BOOL rc;
    BareCollectParams bareCollectParams;

    bareCollectParams.objClass = objClass;
    bareCollectParams.pTemplate = pTemplate;
    bareCollectParams.ulAttributeCount = ulAttributeCount;
    bareCollectParams.listp = listp;
    bareCollectParams.size = *sizep;
    bareCollectParams.count = count;

    rc = CryptEnumKeyIdentifierProperties(NULL, CERT_KEY_PROV_INFO_PROP_ID, 0,
                                          NULL, NULL, &bareCollectParams, doBareCollect);

    *sizep = bareCollectParams.size;
    return bareCollectParams.count;
}

/* find all the certs that represent the appropriate object (cert, priv key, or
 *  pub key) in the cert store.
 */
static PRUint32
collect_class(
    CK_OBJECT_CLASS objClass,
    LPCSTR storeStr,
    PRBool hasID,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    ckcapiInternalObject ***listp,
    PRUint32 *sizep,
    PRUint32 count,
    CK_RV *pError)
{
    PRUint32 size = *sizep;
    ckcapiInternalObject *next = NULL;
    HCERTSTORE hStore;
    PCCERT_CONTEXT certContext = NULL;
    PRBool isKey =
        (objClass == CKO_PUBLIC_KEY) | (objClass == CKO_PRIVATE_KEY);

    hStore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr);
    if (NULL == hStore) {
        return count; /* none found does not imply an error */
    }

    /* FUTURE: use CertFindCertificateInStore to filter better -- so we don't
   * have to enumerate all the certificates */
    while ((PCERT_CONTEXT)NULL !=
           (certContext = CertEnumCertificatesInStore(hStore, certContext))) {
        /* first filter out non user certs if we are looking for keys */
        if (isKey) {
            /* make sure there is a Key Provider Info property */
            CRYPT_KEY_PROV_INFO *keyProvInfo;
            DWORD size = 0;
            BOOL rv;
            rv = CertGetCertificateContextProperty(certContext,
                                                   CERT_KEY_PROV_INFO_PROP_ID, NULL, &size);
            if (!rv) {
                int reason = GetLastError();
                /* we only care if it exists, we don't really need to fetch it yet */
                if (reason == CRYPT_E_NOT_FOUND) {
                    continue;
                }
            }
            /* filter out the non-microsoft providers */
            keyProvInfo = (CRYPT_KEY_PROV_INFO *)nss_ZAlloc(NULL, size);
            if (keyProvInfo) {
                rv = CertGetCertificateContextProperty(certContext,
                                                       CERT_KEY_PROV_INFO_PROP_ID, keyProvInfo, &size);
                if (rv) {
                    char *provName =
                        nss_ckcapi_WideToUTF8(keyProvInfo->pwszProvName);
                    nss_ZFreeIf(keyProvInfo);

                    if (provName &&
                        (strncmp(provName, "Microsoft", sizeof("Microsoft") - 1) != 0)) {
                        continue;
                    }
                } else {
                    int reason =
                        GetLastError();
                    /* we only care if it exists, we don't really need to fetch it yet */
                    nss_ZFreeIf(keyProvInfo);
                    if (reason ==
                        CRYPT_E_NOT_FOUND) {
                        continue;
                    }
                }
            }
        }

        if ((ckcapiInternalObject *)NULL == next) {
            next = nss_ZNEW(NULL, ckcapiInternalObject);
            if ((ckcapiInternalObject *)NULL == next) {
                *pError = CKR_HOST_MEMORY;
                goto loser;
            }
        }
        next->type = ckcapiCert;
        next->objClass = objClass;
        next->u.cert.certContext = certContext;
        next->u.cert.hasID = hasID;
        next->u.cert.certStore = storeStr;
        if (CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, next)) {
            /* clear cached values that may be dependent on our old certContext */
            memset(&next->u.cert, 0, sizeof(next->u.cert));
            /* get a 'permanent' context */
            next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
            next->objClass = objClass;
            next->u.cert.certContext = certContext;
            next->u.cert.hasID = hasID;
            next->u.cert.certStore = storeStr;
            PUT_Object(next, *pError);
            next = NULL; /* need to allocate a new one now */
        } else {
            /* don't cache the values we just loaded */
            memset(&next->u.cert, 0, sizeof(next->u.cert));
        }
    }
loser:
    CertCloseStore(hStore, 0);
    nss_ZFreeIf(next);
    *sizep = size;
    return count;
}

NSS_IMPLEMENT PRUint32
nss_ckcapi_collect_all_certs(
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    ckcapiInternalObject ***listp,
    PRUint32 *sizep,
    PRUint32 count,
    CK_RV *pError)
{
    count = collect_class(CKO_CERTIFICATE, "My", PR_TRUE, pTemplate,
                          ulAttributeCount, listp, sizep, count, pError);
    /*count = collect_class(CKO_CERTIFICATE, "AddressBook", PR_FALSE, pTemplate,
                        ulAttributeCount, listp, sizep, count, pError); */
    count = collect_class(CKO_CERTIFICATE, "CA", PR_FALSE, pTemplate,
                          ulAttributeCount, listp, sizep, count, pError);
    count = collect_class(CKO_CERTIFICATE, "Root", PR_FALSE, pTemplate,
                          ulAttributeCount, listp, sizep, count, pError);
    count = collect_class(CKO_CERTIFICATE, "Trust", PR_FALSE, pTemplate,
                          ulAttributeCount, listp, sizep, count, pError);
    count = collect_class(CKO_CERTIFICATE, "TrustedPeople", PR_FALSE, pTemplate,
                          ulAttributeCount, listp, sizep, count, pError);
    count = collect_class(CKO_CERTIFICATE, "AuthRoot", PR_FALSE, pTemplate,
                          ulAttributeCount, listp, sizep, count, pError);
    return count;
}

CK_OBJECT_CLASS
ckcapi_GetObjectClass(CK_ATTRIBUTE_PTR pTemplate,
                      CK_ULONG ulAttributeCount)
{
    CK_ULONG i;

    for (i = 0; i < ulAttributeCount; i++) {
        if (pTemplate[i].type == CKA_CLASS) {
            return *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
        }
    }
    /* need to return a value that says 'fetch them all' */
    return CK_INVALID_HANDLE;
}

static PRUint32
collect_objects(
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    ckcapiInternalObject ***listp,
    CK_RV *pError)
{
    PRUint32 i;
    PRUint32 count = 0;
    PRUint32 size = 0;
    CK_OBJECT_CLASS objClass;

    /*
     * first handle the static build in objects (if any)
     */
    for (i = 0; i < nss_ckcapi_nObjects; i++) {
        ckcapiInternalObject *o = (ckcapiInternalObject *)&nss_ckcapi_data[i];

        if (CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, o)) {
            PUT_Object(o, *pError);
        }
    }

    /*
     * now handle the various object types
     */
    objClass = ckcapi_GetObjectClass(pTemplate, ulAttributeCount);
    *pError = CKR_OK;
    switch (objClass) {
        case CKO_CERTIFICATE:
            count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp,
                                                 &size, count, pError);
            break;
        case CKO_PUBLIC_KEY:
            count = collect_class(objClass, "My", PR_TRUE, pTemplate,
                                  ulAttributeCount, listp, &size, count, pError);
            count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
                                 &size, count, pError);
            break;
        case CKO_PRIVATE_KEY:
            count = collect_class(objClass, "My", PR_TRUE, pTemplate,
                                  ulAttributeCount, listp, &size, count, pError);
            count = collect_bare(objClass, pTemplate, ulAttributeCount, listp,
                                 &size, count, pError);
            break;
        /* all of them */
        case CK_INVALID_HANDLE:
            count = nss_ckcapi_collect_all_certs(pTemplate, ulAttributeCount, listp,
                                                 &size, count, pError);
            count = collect_class(CKO_PUBLIC_KEY, "My", PR_TRUE, pTemplate,
                                  ulAttributeCount, listp, &size, count, pError);
            count = collect_bare(CKO_PUBLIC_KEY, pTemplate, ulAttributeCount, listp,
                                 &size, count, pError);
            count = collect_class(CKO_PRIVATE_KEY, "My", PR_TRUE, pTemplate,
                                  ulAttributeCount, listp, &size, count, pError);
            count = collect_bare(CKO_PRIVATE_KEY, pTemplate, ulAttributeCount, listp,
                                 &size, count, pError);
            break;
        default:
            goto done; /* no other object types we understand in this module */
    }
    if (CKR_OK != *pError) {
        goto loser;
    }

done:
    return count;
loser:
    nss_ZFreeIf(*listp);
    return 0;
}

NSS_IMPLEMENT NSSCKMDFindObjects *
nss_ckcapi_FindObjectsInit(
    NSSCKFWSession *fwSession,
    CK_ATTRIBUTE_PTR pTemplate,
    CK_ULONG ulAttributeCount,
    CK_RV *pError)
{
    /* This could be made more efficient.  I'm rather rushed. */
    NSSArena *arena;
    NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
    struct ckcapiFOStr *fo = (struct ckcapiFOStr *)NULL;
    ckcapiInternalObject **temp = (ckcapiInternalObject **)NULL;

    arena = NSSArena_Create();
    if ((NSSArena *)NULL == arena) {
        goto loser;
    }

    rv = nss_ZNEW(arena, NSSCKMDFindObjects);
    if ((NSSCKMDFindObjects *)NULL == rv) {
        *pError = CKR_HOST_MEMORY;
        goto loser;
    }

    fo = nss_ZNEW(arena, struct ckcapiFOStr);
    if ((struct ckcapiFOStr *)NULL == fo) {
        *pError = CKR_HOST_MEMORY;
        goto loser;
    }

    fo->arena = arena;
    /* fo->n and fo->i are already zero */

    rv->etc = (void *)fo;
    rv->Final = ckcapi_mdFindObjects_Final;
    rv->Next = ckcapi_mdFindObjects_Next;
    rv->null = (void *)NULL;

    fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
    if (*pError != CKR_OK) {
        goto loser;
    }

    fo->objs = nss_ZNEWARRAY(arena, ckcapiInternalObject *, fo->n);
    if ((ckcapiInternalObject **)NULL == fo->objs) {
        *pError = CKR_HOST_MEMORY;
        goto loser;
    }

    (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckcapiInternalObject *) * fo->n);
    nss_ZFreeIf(temp);
    temp = (ckcapiInternalObject **)NULL;

    return rv;

loser:
    nss_ZFreeIf(temp);
    nss_ZFreeIf(fo);
    nss_ZFreeIf(rv);
    if ((NSSArena *)NULL != arena) {
        NSSArena_Destroy(arena);
    }
    return (NSSCKMDFindObjects *)NULL;
}