From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Tue, 17 Mar 2020 12:54:49 -0400 Subject: [PATCH 1/2] Remove token key checks Previously we enforced strict token key matching: the primary key used for the operation must strictly reside on the current PKCS#11 token, otherwise JSS would bail. However, NSS has the ability to move the key to whichever token best supports the given operation. This means that we'd prematurely bail when the operation would succeed if it were actually executed. By removing these checks, we still leave the ability to generate keys on a specific token, we just allow them to be used on whatever token supports the given operation (and the key is allowed to be moved to). Signed-off-by: Alexander Scheel --- org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ---- org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 ------------------- org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------ 3 files changed, 33 deletions(-) diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java index 81b600a4..aac411a4 100644 --- a/org/mozilla/jss/pkcs11/PK11Cipher.java +++ b/org/mozilla/jss/pkcs11/PK11Cipher.java @@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher { if( key==null ) { throw new InvalidKeyException("Key is null"); } - if( ! key.getOwningToken().equals(token) ) { - throw new InvalidKeyException("Key does not reside on the "+ - "current token"); - } if( ! (key instanceof PK11SymKey) ) { throw new InvalidKeyException("Key is not a PKCS #11 key"); } diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java index 28840a87..eee2984d 100644 --- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java +++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java @@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper { throw new InvalidKeyException("Key is null"); } try { - if( ! key.getOwningToken().equals(token) ) { - throw new InvalidKeyException("Key does not reside on the current token: key owning token="+ - key.getOwningToken().getName()); - } if( ! (key instanceof PK11SymKey) ) { throw new InvalidKeyException("Key is not a PKCS #11 key"); } @@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper { if( key==null ) { throw new InvalidKeyException("Key is null"); } - if( ! key.getOwningToken().equals(token) ) { - throw new InvalidKeyException("Key does not reside on the "+ - "current token"); - } if( ! (key instanceof PK11PrivKey) ) { throw new InvalidKeyException("Key is not a PKCS #11 key"); } @@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper { throw new InvalidKeyException("key to be wrapped is not a "+ "PKCS #11 key"); } -/* NSS is capable of moving keys appropriately, - so this call is prematurely bailing - if( ! symKey.getOwningToken().equals(token) ) { - throw new InvalidKeyException("key to be wrapped does not live"+ - " on the same token as the wrapping key"); - } -*/ } /** @@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper { throw new InvalidKeyException("key to be wrapped is not a "+ "PKCS #11 key"); } -/* NSS is capable of moving keys appropriately, - so this call is prematurely bailing - if( ! privKey.getOwningToken().equals(token) ) { - throw new InvalidKeyException("key to be wrapped does not live"+ - " on the same token as the wrapping key"); - } -*/ } /** diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java index cd732788..7a1a6dad 100644 --- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java +++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java @@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest { } hmacKey = (PK11SymKey) key; - - if( ! key.getOwningToken().equals(token) ) { - hmacKey = null; - throw new InvalidKeyException( - "HMAC key does not live on the same token as this digest"); - } - this.digestProxy = initHMAC(token, alg, hmacKey); } -- 2.25.1