1981046 - Need to update to new mechanisms

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement, P4)

Description

[Robert Relyea]

We have a number of CKM_NSS_ mechanisms that we are still using that need to update to the official PKCS #11 versions of these mechanisms (this will increase compatibility with vendor tokens).

In util/secoid.c
move CKM_NSS_AES_KEY_WRAP to CKM_AES_KEY_WRAP
move CKM_NSS_CHACHA20_POLY1305 to CKM_CHACHA20_POLY1305

ss/ssl3con.c
change CKM_NSS_HKDF_SH256 to CKM_HKDF
change CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH to CKM_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (we can check the token can support this, and if it can't sswitch back)
change CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH to CKM_TLS_EXTENDED_MASTER_KEY_DERIVE_DH (we can check the token can support this, and if it can't sswitch back)

All other occurances are either form mechanisms that are still only implemented as vender specific mechanism, are part of the compatibity setup.

Comment 1

[Robert Relyea]

Attachment: Bug 1981046 Need to update to new mechanisms

lib/softoken/pkcs11c.c
lib/softoken/pkcs11.c

• add support for CKM_TLS12_EXTENDED_MASTER_KEY_DERIVE and CKM_TLS_EXTENDED_MASTER_KEY_DERIVE_DH
  The standard mechanism are based on our Vendor specific mechanism (I submitted the vendor specific mechanism to the PKCS #11 working group.), so the support is basically "do what CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE does".

lib/ssl/ssl3con.c

• use CKM_HKDF_DATA as the mechanism to check for KDF support for ssl_auth_psk.
• add support for CKM_TLS12_EXTENDED_MASTER_KEY_DERIVE and CKM_TLS_EXTENDED_MASTER_KEY_DERIVE_DH
  In this case we want to fall back to the CKM_NSS_ mechanism if the CKM_TLS mechanism don't exist.

lib/util/pkcs11n.h

• CK_TLS12_EXTENDED_MASTER_KEY_DERIVE_PARAMS is identical to CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS. Just make the latter an alias for the former.
  lib/util/secoid.c

• use CK_AES_KEY_WRAP and CKM_CHACHA20_POLY10305. Both of those have been implemented
  in NSS for quite some time.