security/nss/lib/pkcs12/p12plcy.c

   1 /* This Source Code Form is subject to the terms of the Mozilla Public
   2  * License, v. 2.0. If a copy of the MPL was not distributed with this
   3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   4
   5 #include "p12plcy.h"
   6 #include "secoid.h"
   7 #include "secport.h"
   8 #include "secpkcs5.h"
   9 #include "secerr.h"
  10
  11 #define PKCS12_NULL 0x0000
  12
  13 typedef struct pkcs12SuiteMapStr {
  14     SECOidTag algTag;
  15     unsigned int keyLengthBits; /* in bits */
  16     unsigned long suite;
  17     PRBool allowed;
  18     PRBool preferred;
  19 } pkcs12SuiteMap;
  20
  21 static pkcs12SuiteMap pkcs12SuiteMaps[] = {
  22     { SEC_OID_RC4, 40, PKCS12_RC4_40, PR_FALSE, PR_FALSE },
  23     { SEC_OID_RC4, 128, PKCS12_RC4_128, PR_FALSE, PR_FALSE },
  24     { SEC_OID_RC2_CBC, 40, PKCS12_RC2_CBC_40, PR_FALSE, PR_TRUE },
  25     { SEC_OID_RC2_CBC, 128, PKCS12_RC2_CBC_128, PR_FALSE, PR_FALSE },
  26     { SEC_OID_DES_CBC, 64, PKCS12_DES_56, PR_FALSE, PR_FALSE },
  27     { SEC_OID_DES_EDE3_CBC, 192, PKCS12_DES_EDE3_168, PR_FALSE, PR_FALSE },
  28     { SEC_OID_AES_128_CBC, 128, PKCS12_AES_CBC_128, PR_FALSE, PR_FALSE },
  29     { SEC_OID_AES_192_CBC, 192, PKCS12_AES_CBC_192, PR_FALSE, PR_FALSE },
  30     { SEC_OID_AES_256_CBC, 256, PKCS12_AES_CBC_256, PR_FALSE, PR_FALSE },
  31     { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE },
  32     { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE }
  33 };
  34
  35 /* determine if algid is an algorithm which is allowed */
  36 static PRBool
  37 sec_PKCS12Allowed(SECOidTag alg)
  38 {
  39     PRUint32 policy;
  40     SECStatus rv;
  41
  42     rv = NSS_GetAlgorithmPolicy(alg, &policy);
  43     if (rv != SECSuccess) {
  44         return PR_FALSE;
  45     }
  46     if (policy & NSS_USE_ALG_IN_PKCS12) {
  47         return PR_TRUE;
  48     }
  49     return PR_FALSE;
  50 }
  51
  52 PRBool
  53 SEC_PKCS12DecryptionAllowed(SECAlgorithmID *algid)
  54 {
  55     SECOidTag algId;
  56
  57     algId = SEC_PKCS5GetCryptoAlgorithm(algid);
  58     if (algId == SEC_OID_UNKNOWN) {
  59         return PR_FALSE;
  60     }
  61     return sec_PKCS12Allowed(algId);
  62 }
  63
  64 /* is any encryption allowed? */
  65 PRBool
  66 SEC_PKCS12IsEncryptionAllowed(void)
  67 {
  68     int i;
  69
  70     for (i = 0; pkcs12SuiteMaps[i].algTag != SEC_OID_UNKNOWN; i++) {
  71         /* we're going to return true here if any of the traditional
  72          * algorithms are enabled */
  73         if (sec_PKCS12Allowed(pkcs12SuiteMaps[i].algTag)) {
  74             return PR_TRUE;
  75         }
  76     }
  77
  78     return PR_FALSE;
  79 }
  80
  81 /* keep the traditional enable/disable for old ciphers so old applications
  82  * continue to work. This only works for the traditional pkcs12 values,
  83  * you need to use NSS_SetAlgorithmPolicy directly for other ciphers. */
  84 SECStatus
  85 SEC_PKCS12EnableCipher(long which, int on)
  86 {
  87     int i;
  88     PRUint32 set = on ? NSS_USE_ALG_IN_PKCS12 : 0;
  89     PRUint32 clear = on ? 0 : NSS_USE_ALG_IN_PKCS12;
  90
  91     for (i = 0; pkcs12SuiteMaps[i].suite != 0L; i++) {
  92         if (pkcs12SuiteMaps[i].suite == (unsigned long)which) {
  93             return NSS_SetAlgorithmPolicy(pkcs12SuiteMaps[i].algTag, set, clear);
  94         }
  95     }
  96     PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
  97     return SECFailure;
  98 }
  99
 100 SECStatus
 101 SEC_PKCS12SetPreferredCipher(long which, int on)
 102 {
 103     /* nothing looked at the preferences in the suite maps, so this function
 104      * has always been a noop */
 105     return SECSuccess;
 106 }