SLFO-pool/mozilla-nss
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: SLFO-pool:main
Branches Tags
SLFO-pool:main SLFO-pool:1.1
...
pull from: SLFO-pool:1.1
Branches Tags
SLFO-pool:main SLFO-pool:1.1

1 Commits
main ... 1.1

Author SHA256 Message Date
Adrian Schröter
e2f65ebffa Sync from SUSE:SLFO:1.1 mozilla-nss revision ff52ec8ee503ff181cd700af5bf213ad 2025-04-15 22:12:02 +02:00
4 changed files with 16 additions and 305 deletions
Expand all files Collapse all files

32
mozilla-nss.changes
View File

@@ -1,35 +1,3 @@
-------------------------------------------------------------------
Mon Mar 10 07:43:37 UTC 2025 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Add nss-reproducible-chksums.patch to make NSS-build reproducible
Use key from openssl (bsc#1081723)
-------------------------------------------------------------------
Sat Mar 1 12:17:57 UTC 2025 - Hans Petter Jansson <hpj@suse.com>
- Updated nss-fips-approved-crypto-non-ec.patch to exclude the
SHA-1 hash from SLI approval.
-------------------------------------------------------------------
Tue Nov 26 23:56:12 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
- Updated nss-fips-approved-crypto-non-ec.patch to not pass in
bad targetKeyLength parameters when checking for FIPS approval
after keygen. This was causing false rejections.
-------------------------------------------------------------------
Tue Nov 12 15:54:48 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
- Updated nss-fips-approved-crypto-non-ec.patch to approve
RSA signature verification mechanisms with PKCS padding and
legacy moduli (bsc#1222834).
-------------------------------------------------------------------
Fri Aug 2 14:58:59 UTC 2024 - Hans Petter Jansson <hpj@suse.com>
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
-------------------------------------------------------------------
Mon Jul 29 12:44:11 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>

12
mozilla-nss.spec
View File

@@ -82,7 +82,6 @@ Patch49: nss-allow-slow-tests-s390x.patch
Patch50: nss-fips-bsc1223724.patch
Patch51: nss-fips-aes-gcm-restrict.patch
Patch52: nss-fips-safe-memset.patch
Patch53: nss-reproducible-chksums.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@@ -250,7 +249,6 @@ cd nss
# glibc on SLE-12 is too old and doesn't have explicit_bzero yet.
%patch -P 52 -p1
%endif
%patch -P 53 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
@@ -445,15 +443,15 @@ install -m 744 %{SOURCE6} %{buildroot}%{_sbindir}/
install -m 644 %{SOURCE7} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE8} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir}
# create shlib sigs after extracting debuginfo with a hard-coded key to produce reproducible checksums, using the same key that openssl uses.
# create shlib sigs after extracting debuginfo
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%__os_install_post \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}/%{_libdir}/libfreebl3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}/%{_libdir}/libfreeblpriv3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreebl3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreeblpriv3.so \
%{nil}
%post -p /sbin/ldconfig

42
nss-fips-approved-crypto-non-ec.patch
View File

@@ -426,8 +426,8 @@ Index: nss/lib/softoken/pkcs11c.c
return crv;
}
+ publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey, 0);
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey, 0);
+ publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey, bitSize);
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey, bitSize);
+ session->lastOpWasFIPS = privateKey->isFIPS;
+
*phPrivateKey = privateKey->handle;
@@ -636,20 +636,7 @@ Index: nss/lib/softoken/fips_algorithms.h
/* -------------- RSA Multipart Signing Operations -------------------- */
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
@@ -79,30 +107,42 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
@@ -88,21 +116,33 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
/* ------------------------- DSA Operations --------------------------- */
@@ -855,16 +842,7 @@ Index: nss/lib/softoken/pkcs11u.c
CK_ATTRIBUTE_TYPE keyAttribute;
CK_ULONG keyLength = 0;
SFTKAttribute *attribute;
@@ -2344,7 +2350,7 @@ sftk_getKeyLength(SFTKObject *source)
* key length is CKA_VALUE, which is the default */
keyType = CKK_INVALID_KEY_TYPE;
}
- if (keyType == CKK_EC) {
+ if (keyType == CKK_EC || keyType == CKK_EC_MONTGOMERY) {
SECOidTag curve = sftk_quickGetECCCurveOid(source);
switch (curve) {
case SEC_OID_CURVE25519:
@@ -2386,14 +2392,53 @@ sftk_getKeyLength(SFTKObject *source)
@@ -2386,14 +2392,55 @@ sftk_getKeyLength(SFTKObject *source)
return keyLength;
}
@@ -874,6 +852,8 @@ Index: nss/lib/softoken/pkcs11u.c
+ switch (hash) {
+ case CKM_AES_CMAC:
+ return allowCMAC;
+ case CKM_SHA_1:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224:
+ case CKM_SHA224_HMAC:
+ return allowSmall;
@@ -919,7 +899,7 @@ Index: nss/lib/softoken/pkcs11u.c
switch (mechInfo->special) {
case SFTKFIPSDH: {
SECItem dhPrime;
@@ -2409,10 +2454,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2409,10 +2456,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
case SFTKFIPSNone:
return PR_FALSE;
@@ -949,7 +929,7 @@ Index: nss/lib/softoken/pkcs11u.c
case SFTKFIPSAEAD: {
if (mech->ulParameterLen == 0) {
/* AEAD ciphers are only in FIPS mode if we are using the
@@ -2440,11 +2502,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2440,11 +2504,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (hashObj == NULL) {
return PR_FALSE;
}
@@ -994,7 +974,7 @@ Index: nss/lib/softoken/pkcs11u.c
default:
break;
}
@@ -2455,7 +2550,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2455,7 +2552,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
PRBool
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
@@ -1003,7 +983,7 @@ Index: nss/lib/softoken/pkcs11u.c
{
#ifndef NSS_HAS_FIPS_INDICATORS
return PR_FALSE;
@@ -2468,18 +2563,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
@@ -2468,18 +2565,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
if (!sftk_isFIPS(slot->slotID)) {
return PR_FALSE;
}
@@ -1043,7 +1023,7 @@ Index: nss/lib/softoken/pkcs11u.c
keyLength = sftk_getKeyLength(source);
/* check against our algorithm array */
@@ -2487,13 +2599,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
@@ -2487,13 +2601,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
/* if we match the number of records exactly, then we are an
* approved algorithm in the approved mode with an approved key */

235
nss-reproducible-chksums.patch
View File

@@ -1,235 +0,0 @@
commit 759ac09c2697b77c27b92aba69b267d4b11126d9
Author: Martin Sirringhaus <martin.sirringhaus@suse.com>
Date: Mon Jul 22 16:03:58 2024 +0200
Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (r=#nss-reviewers)
Differential Revision: https://phabricator.services.mozilla.com/D217282
diff --git a/cmd/shlibsign/Makefile b/cmd/shlibsign/Makefile
index a1192055c1..eb68618157 100644
--- a/cmd/shlibsign/Makefile
+++ b/cmd/shlibsign/Makefile
@@ -24,25 +24,7 @@ include $(CORE_DEPTH)/coreconf/config.mk
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
-ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
- $(NULL)
-
-else
-
-EXTRA_SHARED_LIBS += \
- -L$(NSPR_LIB_DIR) \
- -lplc4 \
- -lplds4 \
- -lnspr4 \
- $(NULL)
-
-endif
-
+include ../platlibs.mk
# sign any and all shared libraries that contain the word freebl
ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
diff --git a/cmd/shlibsign/shlibsign.c b/cmd/shlibsign/shlibsign.c
index 5745426ba4..55c6c9ac09 100644
--- a/cmd/shlibsign/shlibsign.c
+++ b/cmd/shlibsign/shlibsign.c
@@ -54,6 +54,7 @@
/* nss headers for definition of HASH_HashType */
#include "hasht.h"
+#include "secitem.h"
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
@@ -86,6 +87,8 @@ static HashTable hashTable[] = {
MKHASH("sha512", SHA512)
};
static size_t hashTableSize = PR_ARRAY_SIZE(hashTable);
+// Arbitrary value for now, to avoid memory allocations
+#define MAX_CLI_KEYLENGTH 64
const HashTable *
findHash(const char *hashName)
@@ -111,7 +114,7 @@ usage(const char *program_name)
PR_fprintf(debug_out,
"Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n"
" [-F] [-p pwd] -[P dbprefix ] [-t hash]"
- " [-D] [-k keysize] [-c]"
+ " [-D] [-k keysize] [-c] [-K key]"
"-i shared_library_name\n",
program_name);
PR_fprintf(debug_out, "Valid Hashes: ");
@@ -136,6 +139,7 @@ long_usage(const char *program_name)
PR_fprintf(debug_out, "\t-t <hash> Hash for HMAC/or DSA\n");
PR_fprintf(debug_out, "\t-D Sign with DSA rather than HMAC\n");
PR_fprintf(debug_out, "\t-k <keysize> size of the DSA key\n");
+ PR_fprintf(debug_out, "\t-K <key> key-material to use for hmac (hex-string, without leading 0x)\n");
PR_fprintf(debug_out, "\t-c Use compatible versions for old NSS\n");
PR_fprintf(debug_out, "\t-P <prefix> database prefix\n");
PR_fprintf(debug_out, "\t-f <file> password File : echo pw > file \n");
@@ -1067,7 +1071,7 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
CK_RV
shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
- CK_SESSION_HANDLE hRwSession, int keySize, PRFileDesc *ifd,
+ CK_SESSION_HANDLE hRwSession, int keySize, char* key, PRFileDesc *ifd,
PRFileDesc *ofd, const HashTable *hash)
{
CK_MECHANISM hmacMech = { 0, NULL, 0 };
@@ -1098,40 +1102,78 @@ shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
"Internal error:Could find sha256 entry in table.\n");
}
- hmacKeyTemplate[0].type = CKA_TOKEN;
- hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
- hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
- hmacKeyTemplate[1].type = CKA_PRIVATE;
- hmacKeyTemplate[1].pValue = &cktrue;
- hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[2].type = CKA_SENSITIVE;
- hmacKeyTemplate[2].pValue = &ckfalse;
- hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[3].type = CKA_SIGN;
- hmacKeyTemplate[3].pValue = &cktrue;
- hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
- hmacKeyTemplate[4].pValue = &ckfalse;
- hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
- hmacKeyTemplate[5].type = CKA_VALUE_LEN;
- hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
- hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
- hmacKeyTemplate[6].type = CKA_KEY_TYPE;
- hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
- hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
- hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
- hmacMech.mechanism = hash->hmac;
+ if (key == NULL) {
+ hmacKeyTemplate[0].type = CKA_TOKEN;
+ hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
+ hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
+ hmacKeyTemplate[1].type = CKA_PRIVATE;
+ hmacKeyTemplate[1].pValue = &cktrue;
+ hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[2].type = CKA_SENSITIVE;
+ hmacKeyTemplate[2].pValue = &ckfalse;
+ hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[3].type = CKA_SIGN;
+ hmacKeyTemplate[3].pValue = &cktrue;
+ hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
+ hmacKeyTemplate[4].pValue = &ckfalse;
+ hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
+ hmacKeyTemplate[5].type = CKA_VALUE_LEN;
+ hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
+ hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
+ hmacKeyTemplate[6].type = CKA_KEY_TYPE;
+ hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
+ hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
+ hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
+
+ /* Generate a DSA key pair */
+ logIt("Generate an HMAC key ... \n");
+ crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
+ hmacKeyTemplate,
+ PR_ARRAY_SIZE(hmacKeyTemplate),
+ &hHMACKey);
+ } else {
+ SECItem keyitem = { 0 };
+ if (SECU_HexString2SECItem(NULL, &keyitem, key) == NULL) {
+ pk11error("Reading HMAC key from commandline failed. Not a valid hex-key.", crv);
+ return crv;
+ }
+
+ CK_OBJECT_CLASS secret_key_obj_class = CKO_SECRET_KEY;
+ CK_ATTRIBUTE hmacKeyObject[] = {
+ {
+ .type = CKA_CLASS,
+ .pValue = &secret_key_obj_class,
+ .ulValueLen = sizeof(CK_OBJECT_CLASS),
+ },
+ {
+ .type = CKA_KEY_TYPE,
+ .pValue = (void *)&hash->keyType,
+ .ulValueLen = sizeof(hash->keyType),
+ },
+ {
+ .type = CKA_VALUE,
+ .pValue = keyitem.data,
+ .ulValueLen = keyitem.len,
+ },
+ {
+ .type = CKA_SIGN,
+ .pValue = &cktrue,
+ .ulValueLen = sizeof(cktrue),
+ },
+ };
+ logIt("Using static HMAC key ... \n");
+ crv = pFunctionList->C_CreateObject(hRwSession,
+ hmacKeyObject,
+ PR_ARRAY_SIZE(hmacKeyObject),
+ &hHMACKey);
+ }
- /* Generate a DSA key pair */
- logIt("Generate an HMAC key ... \n");
- crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
- hmacKeyTemplate,
- PR_ARRAY_SIZE(hmacKeyTemplate),
- &hHMACKey);
if (crv != CKR_OK) {
pk11error("HMAC key generation failed", crv);
return crv;
}
+ hmacMech.mechanism = hash->hmac;
/* compute the digest */
memset(sign, 0, sizeof(sign));
@@ -1256,6 +1298,7 @@ main(int argc, char **argv)
static PRBool useDSA = PR_FALSE;
PRBool successful = PR_FALSE;
const HashTable *hash = NULL;
+ char *key = NULL;
#ifdef USES_LINKS
int ret;
@@ -1279,7 +1322,7 @@ main(int argc, char **argv)
program_name = strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
- optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:p:P:vVs:t:Dc");
+ optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:K:p:P:vVs:t:Dc");
if (optstate == NULL) {
lperror("PL_CreateOptState failed");
return 1;
@@ -1329,6 +1372,14 @@ main(int argc, char **argv)
keySize = atoi(optstate->value);
break;
+ case 'K':
+ if (!optstate->value) {
+ PL_DestroyOptState(optstate);
+ usage(program_name);
+ }
+ key = PL_strdup(optstate->value);
+ break;
+
case 'f':
if (!optstate->value) {
PL_DestroyOptState(optstate);
@@ -1567,7 +1618,7 @@ main(int argc, char **argv)
keySize, ifd, ofd, hash);
} else {
crv = shlibSignHMAC(pFunctionList, pSlotList[slotIndex], hRwSession,
- keySize, ifd, ofd, hash);
+ keySize, key, ifd, ofd, hash);
}
if (crv == CKR_INTERNAL_OUT_FAILURE) {
lperror(output_file);