diff options
| author | Nick Mathewson <nickm@torproject.org> | 2018-08-13 14:54:35 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2018-08-22 16:11:45 -0400 |
| commit | c567b8fcb4e4851d6db19946cce8c4d5e75535f5 (patch) | |
| tree | 8bf8abfe334d38dccdbc40c36ba923e2a676206f /src/lib/crypt_ops | |
| parent | 7c5339677fd4d524a95bc8c18af223f710ca94e2 (diff) | |
| download | tor-c567b8fcb4e4851d6db19946cce8c4d5e75535f5.tar.gz tor-c567b8fcb4e4851d6db19946cce8c4d5e75535f5.zip | |
NSS support for x509 certs
7 unit tests are failing at this point, but they're all TLS-related.
Diffstat (limited to 'src/lib/crypt_ops')
| -rw-r--r-- | src/lib/crypt_ops/crypto_nss_mgt.c | 9 | ||||
| -rw-r--r-- | src/lib/crypt_ops/crypto_rsa.h | 10 | ||||
| -rw-r--r-- | src/lib/crypt_ops/crypto_rsa_nss.c | 27 |
3 files changed, 46 insertions, 0 deletions
diff --git a/src/lib/crypt_ops/crypto_nss_mgt.c b/src/lib/crypt_ops/crypto_nss_mgt.c index 85b18e00cd..187f556bd2 100644 --- a/src/lib/crypt_ops/crypto_nss_mgt.c +++ b/src/lib/crypt_ops/crypto_nss_mgt.c @@ -69,6 +69,15 @@ crypto_nss_early_init(void) crypto_nss_log_errors(LOG_ERR, "setting cipher policy"); tor_assert_unreached(); } + + /* We need to override the default here, or NSS will reject all the + * legacy Tor certificates. */ + SECStatus rv = NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 1024); + if (rv != SECSuccess) { + log_err(LD_CRYPTO, "Unable to set NSS min RSA key size"); + crypto_nss_log_errors(LOG_ERR, "setting cipher option."); + tor_assert_unreached(); + } } void diff --git a/src/lib/crypt_ops/crypto_rsa.h b/src/lib/crypt_ops/crypto_rsa.h index afc6c4201c..aaf32ec1b0 100644 --- a/src/lib/crypt_ops/crypto_rsa.h +++ b/src/lib/crypt_ops/crypto_rsa.h @@ -121,6 +121,16 @@ MOCK_DECL(struct evp_pkey_st *, crypto_pk_get_openssl_evp_pkey_,( crypto_pk_t *env,int private)); #endif +#ifdef ENABLE_NSS +struct SECKEYPublicKeyStr; +struct SECKEYPrivateKeyStr; +crypto_pk_t *crypto_pk_new_from_nss_pubkey(struct SECKEYPublicKeyStr *pub); +const struct SECKEYPublicKeyStr *crypto_pk_get_nss_pubkey( + const crypto_pk_t *key); +const struct SECKEYPrivateKeyStr *crypto_pk_get_nss_privkey( + const crypto_pk_t *key); +#endif + void crypto_pk_assign_public(crypto_pk_t *dest, const crypto_pk_t *src); void crypto_pk_assign_private(crypto_pk_t *dest, const crypto_pk_t *src); diff --git a/src/lib/crypt_ops/crypto_rsa_nss.c b/src/lib/crypt_ops/crypto_rsa_nss.c index 0411687b9a..517faa5c7b 100644 --- a/src/lib/crypt_ops/crypto_rsa_nss.c +++ b/src/lib/crypt_ops/crypto_rsa_nss.c @@ -47,6 +47,33 @@ crypto_pk_key_is_private(const crypto_pk_t *key) return key && key->seckey; } +/** used by tortls.c: wrap a SecKEYPublicKey in a crypto_pk_t. Take ownership + * of the RSA object. */ +crypto_pk_t * +crypto_pk_new_from_nss_pubkey(struct SECKEYPublicKeyStr *pub) +{ + crypto_pk_t *result = tor_malloc_zero(sizeof(crypto_pk_t)); + result->pubkey = pub; + return result; +} + +/** Return the SECKEYPublicKey for the provided crypto_pk_t. */ +const SECKEYPublicKey * +crypto_pk_get_nss_pubkey(const crypto_pk_t *key) +{ + tor_assert(key); + return key->pubkey; +} + +/** Return the SECKEYPrivateKey for the provided crypto_pk_t, or NULL if it + * does not exist. */ +const SECKEYPrivateKey * +crypto_pk_get_nss_privkey(const crypto_pk_t *key) +{ + tor_assert(key); + return key->seckey; +} + #ifdef ENABLE_OPENSSL /** used by tortls.c: wrap an RSA* in a crypto_pk_t. Take ownership of the * RSA object. */ |