diff options
author | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-24 02:27:47 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-26 11:43:54 -0500 |
commit | 621d9e5c413e561293d7484b93882d985b3fe15f (patch) | |
tree | 638f3d75761c121d9a8fb50b52a12a6686c5ac5c /base/native-tools | |
parent | 40d3643b8d91886bf210aa27f711731c81a11e49 (diff) | |
download | pki-621d9e5c413e561293d7484b93882d985b3fe15f.tar.gz pki-621d9e5c413e561293d7484b93882d985b3fe15f.tar.xz pki-621d9e5c413e561293d7484b93882d985b3fe15f.zip |
Removed unnecessary pki folder.
Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.
Ticket #131
Diffstat (limited to 'base/native-tools')
55 files changed, 24309 insertions, 0 deletions
diff --git a/base/native-tools/CMakeLists.txt b/base/native-tools/CMakeLists.txt new file mode 100644 index 000000000..0ccebe578 --- /dev/null +++ b/base/native-tools/CMakeLists.txt @@ -0,0 +1,3 @@ +project(native-tools) + +add_subdirectory(src) diff --git a/base/native-tools/LICENSE b/base/native-tools/LICENSE new file mode 100644 index 000000000..e281f4362 --- /dev/null +++ b/base/native-tools/LICENSE @@ -0,0 +1,291 @@ +This Program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published +by the Free Software Foundation; version 2 of the License. + +This Program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with this Program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. diff --git a/base/native-tools/doc/README b/base/native-tools/doc/README new file mode 100644 index 000000000..01b11a7a3 --- /dev/null +++ b/base/native-tools/doc/README @@ -0,0 +1,55 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# + Certificate System + Native Command Line Utilities + + +Command Line Utility Purpose +============================================================================== +bulkissuance A command line utility utilized + to send either a KEYGEN or CRMF + enrollment request to the bulk + issuance interface for the + automatic creation of + certificates. + +bulkissuance.data An example data file for use + with the bulkissuance tool. + +revoker A command line tool which may be + conveniently utilized to + automate user management scripts + used to revoke certificates. + +setpin A command line tool utilized + to enable Certificate + System to utilize PIN-based + authentication. + +setpin.conf The configuration file utilized + by the setpin command line + utility. + +tkstool A command line tool utilized + to construct DES 2 symmetric + keys utilized in conjunction + with the Certificate + System Token Key Service + subsystem. + diff --git a/base/native-tools/src/CMakeLists.txt b/base/native-tools/src/CMakeLists.txt new file mode 100644 index 000000000..c727a9a49 --- /dev/null +++ b/base/native-tools/src/CMakeLists.txt @@ -0,0 +1,5 @@ +add_subdirectory(p7tool) +add_subdirectory(revoker) +add_subdirectory(setpin) +add_subdirectory(sslget) +add_subdirectory(tkstool) diff --git a/base/native-tools/src/bulkissuance/CMakeLists.txt b/base/native-tools/src/bulkissuance/CMakeLists.txt new file mode 100644 index 000000000..31df27306 --- /dev/null +++ b/base/native-tools/src/bulkissuance/CMakeLists.txt @@ -0,0 +1,37 @@ +project(bulkissuance C) + +set(BULKISSUANCE_PRIVATE_INCLUDE_DIRS + ${CMAKE_BINARY_DIR} + ${NSPR_INCLUDE_DIRS} + ${NSS_INCLUDE_DIRS} +) + +set(BULKISSUANCE_LINK_LIBRARIES + ${NSPR_LIBRARIES} + ${NSS_LIBRARIES} +) + +set(bulkissuance_SRCS + bulkissuance.c + getopt.c +) + +include_directories(${BULKISSUANCE_PRIVATE_INCLUDE_DIRS}) + +add_executable(bulkissuance ${bulkissuance_SRCS}) + +target_link_libraries(bulkissuance ${BULKISSUANCE_LINK_LIBRARIES}) + +install( + TARGETS bulkissuance + RUNTIME DESTINATION ${BIN_INSTALL_DIR} + LIBRARY DESTINATION ${LIB_INSTALL_DIR} + ARCHIVE DESTINATION ${LIB_INSTALL_DIR} +) + +install( + FILES + bulkissuance.data + DESTINATION + ${SHARE_INSTALL_PREFIX}/pki/native-tools/ +) diff --git a/base/native-tools/src/bulkissuance/bulkissuance.c b/base/native-tools/src/bulkissuance/bulkissuance.c new file mode 100644 index 000000000..ec33e8a7a --- /dev/null +++ b/base/native-tools/src/bulkissuance/bulkissuance.c @@ -0,0 +1,807 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +/* vi: set ts=4 sw=4 : */ +#ifdef HAVE_CONFIG_H +#ifndef AUTOTOOLS_CONFIG_H +#define AUTOTOOLS_CONFIG_H + +/* Eliminate warnings when using Autotools */ +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include <config.h> +#endif /* AUTOTOOLS_CONFIG_H */ +#endif /* HAVE_CONFIG_H */ + +#include <stdio.h> +#include <string.h> +#include <time.h> + +#if defined(XP_UNIX) +#include <unistd.h> +#endif + +#include "ssl.h" + +#include "prerror.h" + +#include "pk11func.h" +#include "secitem.h" + + +#include <stdlib.h> +#include <errno.h> +#include <fcntl.h> +#include <stdarg.h> + +#include "nspr.h" +#include "prio.h" +#include "prnetdb.h" +#include "nss.h" + +/*from nss2.8.4 secopt.h*/ +#ifdef XP_PC + +/* +** This comes from the AT&T public-domain getopt published in mod.sources +** (i.e., comp.sources.unix before the great Usenet renaming). +*/ + +extern int opterr; +extern int optind; +extern int optopt; +extern char *optarg; + +#ifdef _WIN32 +static void do_opterr(const char *s, int c, char * const av[]); +#define ERR(s, c) do_opterr(s, c, av) +#else +#define ERR(s, c) /* Win16 doesn't do stderr */ +#endif + +/* +** Return options and their values from the command line. +*/ +int getopt(int ac, char * const av[], const char * opts); +#else +#if defined(LINUX) +#include <getopt.h> +#endif +#endif /* XP_PC */ +/*end secopt.h*/ + +#define VERSIONSTRING "$Revision$ ($Date$)" +#define MAXLEN 50000 + +#ifndef PORT_Sprintf +#define PORT_Sprintf sprintf +#endif + +#ifndef PORT_Strstr +#define PORT_Strstr strstr +#endif + +#ifndef PORT_Malloc +#define PORT_Malloc PR_Malloc +#endif + +#define RD_BUF_SIZE (60 * 1024) + +#define PRINTF if (verbose) printf +#define FPRINTF if (verbose) fprintf +#define FPUTS if (verbose) fputs + +#define MAX_SERIAL_LEN 8192 + +int MakeCertOK=1; + +int verbose; +SECItem bigBuf; + + +static char *ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char *passwd = NULL; + + if ( (!retry) && arg ) { + passwd = PL_strdup((char *)arg); + } + + return passwd; +} + +static void +Usage(const char *progName) +{ + fprintf( stderr, + "\n" ); + fprintf( stderr, + "Description: A command-line utility used to send either a KEYGEN or a\n" + " Certificate Request Message Format (CRMF) enrollment\n" + " request to the bulk issuance interface of a\n" + " Certificate Authority (CA) for the automatic\n" + " creation of certificates.\n\n\n" ); + fprintf( stderr, + "Usage:\n\n" + " %s -n rsa_nickname [-p password | -w pwfile ]\n" + " [-d dbdir] [-v] [-V] [-f inputFile] hostname[:port]\n\n" + " where:\n\n" + " -n rsa_nickname nickname of the Agent Certificate\n" + " [-p password | -w pwfile] password OR file containing password\n" + " [-d dbdir] database directory\n" + " [-v] verbose mode\n" + " [-V] version of %s\n" + " [-f inputFile] file containing an http request\n" + " which gets sent to the hostname[:port]\n" + " hostname[:port] machine name with optional port address\n\n\n", + progName, progName ); + fprintf( stderr, + "Example (using the example inputFile called \"bulkissuance.data\"):\n\n" ); + fprintf( stderr, + " (1) cd <server-root>/bin/cert/tools\n" ); + fprintf( stderr, + " (2) cp <client-database>/cert8.db .\n" ); + fprintf( stderr, + " (3) cp <client-database>/key3.db .\n" ); + fprintf( stderr, + " (4) Ensure that the agent certificate is\n" + " inside these cert8.db/key3.db databases.\n" + " (for this example, call it \"CS Agent\'s CS ID\")\n" ); + fprintf( stderr, + " (5) ./bulkissuance.sh -n \"CS Agent\'s CS ID\" -p password\n" + " -d . -f bulkissuance.data example.com:8100\n\n" ); + exit( 1 ); +} + + +static void +errWarn(const char * funcString) +{ + PRErrorCode perr = PR_GetError(); + + FPRINTF(stderr, "exit after %s with error %d:\n", funcString,perr ); +} + +static void +errExit(const char * funcString) +{ + errWarn(funcString); + exit(1); +} + +/* This invokes the "default" AuthCert handler in libssl. +** The only reason to use this one is that it prints out info as it goes. +*/ +static SECStatus +mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, + PRBool isServer) +{ + SECStatus rv; + CERTCertificate * peerCert; + + peerCert = SSL_PeerCertificate(fd); + + PRINTF("Subject: %s\nIssuer : %s\n", + peerCert->subjectName, peerCert->issuerName); + /* invoke the "default" AuthCert handler. */ + rv = SSL_AuthCertificate(arg, fd, checkSig, isServer); + + if (rv == SECSuccess) { + FPUTS("-- SSL3: Server Certificate Validated.\n", stderr); + } + /* error, if any, will be displayed by the Bad Cert Handler. */ + return rv; +} + +static SECStatus +myBadCertHandler( void *arg, PRFileDesc *fd) +{ + /* int err = PR_GetError(); */ + /* fprintf(stderr, "-- SSL: Server Certificate Invalid, err %d.\n%s\n", + err, SECU_Strerror(err)); */ + return (MakeCertOK ? SECSuccess : SECFailure); +} + + +static SECStatus +my_GetClientAuthData(void * arg, + PRFileDesc * sock, + struct CERTDistNamesStr * caNames, + struct CERTCertificateStr ** pRetCert, + struct SECKEYPrivateKeyStr **pRetKey) +{ + CERTCertificate * cert = NULL; + SECKEYPrivateKey * privkey = NULL; + char * chosenNickName = (char *)arg; /* CONST */ + void * proto_win = NULL; + SECStatus rv = SECFailure; + + FPRINTF(stderr,"Called mygetclientauthdata - nickname = %s\n",chosenNickName); + + proto_win = SSL_RevealPinArg(sock); + + if (chosenNickName) { + cert = PK11_FindCertFromNickname(chosenNickName, proto_win); + FPRINTF(stderr," mygetclientauthdata - cert = %p\n", cert); + if ( cert ) { + privkey = PK11_FindKeyByAnyCert(cert, proto_win); + FPRINTF(stderr," mygetclientauthdata - privkey = %p\n", privkey); + if ( privkey ) { + rv = SECSuccess; + } else { + CERT_DestroyCertificate(cert); + } + } + } else { /* no name given, automatically find the right cert. */ + CERTCertNicknames * names; + int i; + + names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), + SEC_CERT_NICKNAMES_USER, proto_win); + if (names != NULL) { + for (i = 0; i < names->numnicknames; i++) { + cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win); + if ( !cert ) + continue; + /* Only check unexpired certs */ + if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != + secCertTimeValid ) { + CERT_DestroyCertificate(cert); + continue; + } + rv = NSS_CmpCertChainWCANames(cert, caNames); + if ( rv == SECSuccess ) { + privkey = PK11_FindKeyByAnyCert(cert, proto_win); + if ( privkey ) + break; + } + rv = SECFailure; + CERT_DestroyCertificate(cert); + } + CERT_FreeNicknames(names); + } + } + if (rv == SECSuccess) { + *pRetCert = cert; + *pRetKey = privkey; + } + return rv; +} + + + + +static void +printSecurityInfo(PRFileDesc *fd) +{ + char * cp; /* bulk cipher name */ + char * ip; /* cert issuer DN */ + char * sp; /* cert subject DN */ + int op; /* High, Low, Off */ + int kp0; /* total key bits */ + int kp1; /* secret key bits */ + int result; + + static int only_once; + + if (! only_once++ && fd) { + result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); + if (result != SECSuccess) + return; +#if 0 + PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" + "subject DN: %s\n" + "issuer DN: %s\n", cp, kp1, kp0, op, sp, ip); +#else + PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n", + cp, kp1, kp0, op); +#endif + PR_Free(cp); + PR_Free(ip); + PR_Free(sp); + } + +} + + +PRBool useModelSocket = PR_TRUE; + +static const char outHeader[] = { + "HTTP/1.0 200 OK\r\n" + "Server: Netscape-Enterprise/2.0a\r\n" + "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n" + "Content-type: text/plain\r\n" + "\r\n" +}; + + +static PRInt32 +do_writes( + void * a +) +{ + PRFileDesc * ssl_sock = (PRFileDesc *)a; + PRUint32 sent = 0; + PRInt32 count = 0; + + while (sent < bigBuf.len) { + + count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent); + if (count < 0) { + errWarn("PR_Write bigBuf"); + exit(4); + break; + } + FPRINTF(stderr, "PR_Write wrote %d bytes from bigBuf\n", count ); + FPRINTF(stderr, "bytes: [%*s]\n",count,bigBuf.data); + + sent += (PRUint32)count; + } + if (count >= 0) { /* last write didn't fail. */ + FPRINTF(stderr, "do_writes shutting down send socket\n"); + /* PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND); */ + } + + FPRINTF(stderr, "do_writes exiting with (failure = %d)\n", + (sent < bigBuf.len) == SECFailure); + return (sent < bigBuf.len) ? SECFailure : SECSuccess; +} + + + + +static SECStatus +do_io( PRFileDesc *ssl_sock, int connection) +{ + int countRead = 0; + PRInt32 rv; + char *buf; + int first=1; + + buf = PR_Malloc(RD_BUF_SIZE); + if (!buf) exit(5); + + + /* send the http request here. */ + + rv = do_writes(ssl_sock); + + if (rv == SECFailure) { + errWarn("returning from after calling do_writes"); + PR_Free(buf); + buf = 0; + exit(6); + } + printSecurityInfo(ssl_sock); + + /* read until EOF */ + while (1) { + rv = PR_Read(ssl_sock, buf, RD_BUF_SIZE); + if (rv == 0) { + break; /* EOF */ + } + if (rv < 0) { + errWarn("PR_Read"); + exit(1); + } + + countRead += rv; + FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", + connection, rv, countRead ); + FPRINTF(stderr, "these bytes read: "); + if (verbose) { + PR_Write(PR_STDERR,buf,rv); + } + + if (first) { + first=0; + if (rv < 13) { + errWarn("not enough bytes read in first read"); + exit(2); + } else { + if ( ! PL_strnstr(buf,"200",13)) { + exit(3); + } + } + } + } + PR_Free(buf); + buf = 0; + + /* Caller closes the socket. */ + + FPRINTF(stderr, + "connection %d read %d bytes total. -----------------------------\n", + connection, countRead); + + return SECSuccess; /* success */ +} + +static int +do_connect( + PRNetAddr *addr, + PRFileDesc *model_sock, + int connection) +{ + PRFileDesc * ssl_sock; + PRFileDesc * tcp_sock; + PRStatus prStatus; + SECStatus result; + int rv = SECSuccess; + PRSocketOptionData opt; + + int family = PR_NetAddrFamily( addr ); + + tcp_sock = PR_OpenTCPSocket( family ); + if (tcp_sock == NULL) { + errExit("PR_OpenTCPSocket on tcp socket"); + } + + opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(tcp_sock, &opt); + if (prStatus != PR_SUCCESS) { + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + /* Don't return SECFailure? */ + return SECSuccess; + } + + prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); + if (prStatus != PR_SUCCESS) { + errWarn("PR_Connect"); + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(6); + } + + ssl_sock = SSL_ImportFD(model_sock, tcp_sock); + /* XXX if this import fails, close tcp_sock and return. */ + if (!ssl_sock) { + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(7); + } + + rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); + if (rv != SECSuccess) { + errWarn("SSL_ResetHandshake"); + exit(8); + } + + result = do_io( ssl_sock, connection); + + if( ssl_sock != NULL ) { + PR_Close(ssl_sock); + ssl_sock = NULL; + } + return SECSuccess; +} + +#if 0 +/* Returns IP address for hostname as PRUint32 in Host Byte Order. +** Since the value returned is an integer (not a string of bytes), +** it is inherently in Host Byte Order. +*/ +static PRUint32 +getIPAddress(const char * hostName) +{ + const unsigned char *p; + PRStatus prStatus; + PRUint32 rv; + PRHostEnt prHostEnt; + char scratch[PR_NETDB_BUF_SIZE]; + + prStatus = PR_GetHostByName(hostName, scratch, sizeof scratch, &prHostEnt); + if (prStatus != PR_SUCCESS) + errExit("PR_GetHostByName"); + +#undef h_addr +#define h_addr h_addr_list[0] /* address, for backward compatibility */ + + p = (const unsigned char *)(prHostEnt.h_addr); /* in Network Byte order */ + FPRINTF(stderr, "%s -> %d.%d.%d.%d\n", hostName, p[0], p[1], p[2], p[3]); + rv = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; + return rv; +} +#endif + +static void +client_main( + unsigned short port, + int connections, + SECKEYPrivateKey ** privKey, + CERTCertificate ** cert, + const char * hostName, + char * nickName) +{ + PRFileDesc *model_sock = NULL; + int rv; + PRAddrInfo *ai; + void *iter; + PRNetAddr addr; + int family = PR_AF_INET; + + + + FPRINTF(stderr, "port: %d\n", port); + + /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ + NSS_SetDomesticPolicy(); + + /* all the SSL2 and SSL3 cipher suites are enabled by default. */ + /* SSL_CipherPrefSetDefault(0xC005 */ + /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */ + /*, PR_TRUE); */ + + /* + * Rifle through the values for the host + */ + + ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); + if (ai) { + FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); + iter = NULL; + while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { + family = PR_NetAddrFamily(&addr); + FPRINTF( stderr, "family='%d'\n", family ); + break; + } + PR_FreeAddrInfo(ai); + } + + PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); + + model_sock = PR_OpenTCPSocket( family ); + if (model_sock == NULL) { + errExit("PR_OpenTCPSocket on tcp socket"); + } + + /* Should we really be re-using the same socket? */ + model_sock = SSL_ImportFD(NULL, model_sock); + + + /* check on success of call to SSL_ImportFD() */ + if (model_sock == NULL) { + errExit("SSL_ImportFD"); + } + + /* enable ECC cipher also */ + + /* do SSL configuration. */ + + rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); + if (rv < 0) { + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } + errExit("SSL_OptionSet SSL_SECURITY"); + } + + SSL_SetURL(model_sock, hostName); + + SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, + (void *)CERT_GetDefaultCertDB()); + + SSL_BadCertHook(model_sock, myBadCertHandler, NULL); + + SSL_GetClientAuthDataHook(model_sock, + (SSLGetClientAuthData)my_GetClientAuthData, + nickName); + + /* I'm not going to set the HandshakeCallback function. */ + + /* end of ssl configuration. */ + + rv = do_connect(&addr, model_sock, 1); + + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } +} + + +static SECStatus +createRequest(char *progName, char *path) +{ + char *temp; + char * newstr; + FILE *fp; + + temp = (char *)malloc(MAXLEN); + fp = fopen(path, "r"); + if (fp == NULL) { + fputs("Input file must be provided on command line in this version" + " of bulk issuance client.\n", stderr); + Usage(progName); + } else { + temp = fgets(temp, MAXLEN, fp); + if (temp == NULL) { + fclose(fp); + fputs("File is empty\n", stderr); + exit(1); + } + + fclose(fp); + } + + newstr = PR_smprintf("%s\r\n\r\n", temp); +/* + "GET /ca/bulkissuance?csrRequestorName=++&CN=a&UID=a&E=a&OU=&O=&C=US&email=true&ssl_client=true&digital_signature=true&non_repudiation=true&key_encipherment=true&challengePassword=&confirmChallengePassword=&csrRequestorEmail=a&csrRequestorPhone=&csrRequestorComments=&CRMFRequest=MIICTDCB%2BzCB8wICJ4EwgbWAAQKlQDA%2BMQswCQYDVQQGEwJVUzERMA8GCgmSJomT%0D%0A8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0BCQEWAWGmXDANBgkqhkiG%0D%0A9w0BAQEFAANLADBIAkEA3R3vkvw3%2F4f5eDJZszB2%2B8BhWtNgwX97KV%2FydZ1kPlei%0D%0AcJwIcHfLbp6tRYs2iKAxbTuw01H1P9gdUIx1nY7R0QIDAQABqRAwDgYDVR0PAQH%2F%0D%0ABAQDAgUgMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNhdG9yADAWBgkrBgEFBQcF%0D%0AAQEMCXJlZ1Rva2VuAKIDgQEBMIIBSjCB8wICRGswgbWAAQKlQDA%2BMQswCQYDVQQG%0D%0AEwJVUzERMA8GCgmSJomT8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0B%0D%0ACQEWAWGmXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuf9KVCouLB6rKI290XpSghLe%0D%0APtYxSBdGv5gnzYVyokz9DPSSTeRBCUQDGWCVMIgMrUMABK0tkXPlVrD8lylVWQID%0D%0AAQABqRAwDgYDVR0PAQH%2FBAQDAgeAMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNh%0D%0AdG9yADAWBgkrBgEFBQcFAQEMCXJlZ1Rva2VuAKFSMA0GCSqGSIb3DQEBBQUAA0EA%0D%0Aq0tNDOzqcDI%2BwQ6gZMsCbYLh7MBBAzJo8Z67ddx%2BOS%2FZjCAtAbdabeazQnu0UOfN%0D%0A0HwLPDcNuurcvw4y604ang%3D%3D&cmmfResponse=true&certNickname=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&subject=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&requestFormat=keygen&certType=client HTTP/1.0\r\n" + "Content-Type: application/x-www-form-urlencoded\r\n" + "\r\n"); +*/ + + bigBuf.data = (unsigned char *)newstr; + + FPUTS((char *)bigBuf.data, stderr); + + bigBuf.len = PORT_Strlen((char *)bigBuf.data); + + free(temp); + + return SECSuccess; +} + +int +main(int argc, char **argv) +{ + const char * dir = "."; + char * hostName = NULL; + char * nickName = NULL; + char * progName = NULL; + char * tmp = NULL; + CERTCertificate * cert [kt_kea_size] = { NULL }; + SECKEYPrivateKey * privKey[kt_kea_size] = { NULL }; + int optchar; + int connections = 1; + int tmpI; + unsigned short port = 443; + SECStatus rv; + char * passwd = NULL; + char * passwdfile = NULL; + char path[1000]; + FILE *fp; + char pwbuf[256]; + int co; + char *crlf; + + /* Call the NSPR initialization routines */ + PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + + tmp = strrchr(argv[0], '/'); + tmp = tmp ? tmp + 1 : argv[0]; + progName = strrchr(tmp, '\\'); + progName = progName ? progName + 1 : tmp; + + + while ((optchar = getopt(argc, argv, "Vd:n:p:f:v")) != -1) { + switch(optchar) { + + case 'V': + PRINTF("%s\n",VERSIONSTRING); + break; + + case 'd': + dir = optarg; + break; + + case 'n': + nickName = optarg; + break; + + case 'p': + passwd = optarg; + break; + + case 'w': + passwdfile = optarg; + break; + + case 'v': + verbose++; + break; + + case 'f': + strcpy(path, optarg); + break; + + default: + case '?': + Usage(progName); + break; + + } + } + if (optind != argc - 1) + Usage(progName); + + hostName = argv[optind]; + tmp = strchr(hostName, ':'); + if (tmp) { + *tmp++ = 0; + tmpI = atoi(tmp); + if (tmpI <= 0) + Usage(progName); + port = (unsigned short)tmpI; + } + + if (!nickName) + Usage(progName); + + createRequest(progName, path); + + if (passwdfile) { + fp = fopen(passwdfile,"r"); + if (!fp) { fprintf(stderr, "Couldn't open password file\n"); exit(7); } + co = fread(pwbuf,1,256,fp); + pwbuf[co] = '\0'; + crlf = PL_strchr(pwbuf,'\n'); + if (crlf) { + *crlf = '\0'; + } + passwd = pwbuf; + } + + /* set our password function */ + if (passwd == NULL) { + PRINTF("Password must be provided on command line in this version of revoker.\n"); + Usage(progName); + } + PK11_SetPasswordFunc(ownPasswd); + + /* Call the libsec initialization routines */ + rv = NSS_Init(dir); + if (rv != SECSuccess) { + fputs("NSS_Init failed.\n", stderr); + exit(1); + } + + cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd); + if (cert[kt_rsa] == NULL) { + fprintf(stderr, "Can't find certificate %s\n", nickName); + exit(1); + } + + privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd); + if (privKey[kt_rsa] == NULL) { + fprintf(stderr, "Can't find Private Key for cert %s (possibly incorrect password)\n", nickName); + exit(1); + } + + + client_main(port, connections, privKey, cert, hostName, nickName); + + NSS_Shutdown(); + PR_Cleanup(); + return 0; +} + diff --git a/base/native-tools/src/bulkissuance/bulkissuance.data b/base/native-tools/src/bulkissuance/bulkissuance.data new file mode 100644 index 000000000..1d68c26a1 --- /dev/null +++ b/base/native-tools/src/bulkissuance/bulkissuance.data @@ -0,0 +1 @@ +GET /ca/agent/ca/bulkissuance?csrRequestorName=++&CN=a&UID=a&E=a&OU=&O=&C=US&email=true&ssl_client=true&digital_signature=true&non_repudiation=true&key_encipherment=true&challengePassword=&confirmChallengePassword=&csrRequestorEmail=a&csrRequestorPhone=&csrRequestorComments=&CRMFRequest=MIICTDCB%2BzCB8wICJ4EwgbWAAQKlQDA%2BMQswCQYDVQQGEwJVUzERMA8GCgmSJomT%0D%0A8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0BCQEWAWGmXDANBgkqhkiG%0D%0A9w0BAQEFAANLADBIAkEA3R3vkvw3%2F4f5eDJZszB2%2B8BhWtNgwX97KV%2FydZ1kPlei%0D%0AcJwIcHfLbp6tRYs2iKAxbTuw01H1P9gdUIx1nY7R0QIDAQABqRAwDgYDVR0PAQH%2F%0D%0ABAQDAgUgMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNhdG9yADAWBgkrBgEFBQcF%0D%0AAQEMCXJlZ1Rva2VuAKIDgQEBMIIBSjCB8wICRGswgbWAAQKlQDA%2BMQswCQYDVQQG%0D%0AEwJVUzERMA8GCgmSJomT8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0B%0D%0ACQEWAWGmXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuf9KVCouLB6rKI290XpSghLe%0D%0APtYxSBdGv5gnzYVyokz9DPSSTeRBCUQDGWCVMIgMrUMABK0tkXPlVrD8lylVWQID%0D%0AAQABqRAwDgYDVR0PAQH%2FBAQDAgeAMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNh%0D%0AdG9yADAWBgkrBgEFBQcFAQEMCXJlZ1Rva2VuAKFSMA0GCSqGSIb3DQEBBQUAA0EA%0D%0Aq0tNDOzqcDI%2BwQ6gZMsCbYLh7MBBAzJo8Z67ddx%2BOS%2FZjCAtAbdabeazQnu0UOfN%0D%0A0HwLPDcNuurcvw4y604ang%3D%3D&cmmfResponse=true&certNickname=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&subject=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&requestFormat=CRMF&certType=client HTTP/1.0 diff --git a/base/native-tools/src/bulkissuance/getopt.c b/base/native-tools/src/bulkissuance/getopt.c new file mode 100644 index 000000000..7554e1a14 --- /dev/null +++ b/base/native-tools/src/bulkissuance/getopt.c @@ -0,0 +1,126 @@ +/** BEGIN COPYRIGHT BLOCK + * + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + * + * END COPYRIGHT BLOCK **/ +#ifdef XP_PC + +/* +** This comes from the AT&T public-domain getopt published in mod.sources +** (i.e., comp.sources.unix before the great Usenet renaming). +*/ + +#include <stdio.h> +#include <string.h> /* for str*() */ +#include <io.h> /* for write() */ + +int opterr = 1; /* boolean flag, says "report error on stderr." */ +int optind = 1; /* index to element of argv from which options are + ** being parsed. */ +int optopt = 0; /* option character */ +char *optarg; /* ptr to option's parameter arg. */ + +#ifdef _WIN32 +static void +do_opterr(const char *s, int c, char * const av[]) +{ + if (opterr) { + char buff[2]; + int fd = _fileno(stderr); + + buff[0] = (char)c; + buff[1] = '\n'; + (void)write(fd, av[0], strlen(av[0])); + (void)write(fd, s, strlen(s)); + (void)write(fd, buff, 2); + } +} +#define ERR(s, c) do_opterr(s, c, av) +#else +#define ERR(s, c) /* Win16 doesn't do stderr */ +#endif + +/* +** Return options and their values from the command line. +*/ +int +getopt(int ac, char * const av[], const char * opts) +{ + static int i = 1; /* offset of current option char in current arg. */ + char *p; /* opt char in opts that matched. */ + + /* Move to next value from argv? */ + if (i == 1) { + if (optind >= ac || av[optind][0] != '-' || av[optind][1] == '\0') + return EOF; + if (strcmp(av[optind], "--") == 0) { + optind++; + return EOF; + } + } + + /* Get next option character. */ + if ((optopt = av[optind][i]) == ':' || + (p = strchr(opts, optopt)) == NULL) { + ERR(": illegal option -- ", optopt); + if (av[optind][++i] == '\0') { + optind++; + i = 1; + } + return '?'; + } + + /* Snarf argument? */ + if (*++p == ':') { + if (av[optind][i + 1] != '\0') + optarg = &av[optind++][i + 1]; + else { + if (++optind >= ac) { + ERR(": option requires an argument -- ", optopt); + i = 1; + return '?'; + } + optarg = av[optind++]; + } + i = 1; + } else { + if (av[optind][++i] == '\0') { + i = 1; + optind++; + } + optarg = NULL; + } + + return optopt; +} + +#endif /* XP_PC */ diff --git a/base/native-tools/src/p7tool/CMakeLists.txt b/base/native-tools/src/p7tool/CMakeLists.txt new file mode 100644 index 000000000..6adfbedb7 --- /dev/null +++ b/base/native-tools/src/p7tool/CMakeLists.txt @@ -0,0 +1,33 @@ +project(p7tool C) + +set(P7TOOL_PRIVATE_INCLUDE_DIRS + ${CMAKE_BINARY_DIR} + ${NSPR_INCLUDE_DIRS} + ${NSS_INCLUDE_DIRS} +) + +set(P7TOOL_LINK_LIBRARIES + ${NSPR_LIBRARIES} + ${NSS_LIBRARIES} +) + +set(p7tool_SRCS + secerror.c + secpwd.c + secutil.c + pppolicy.c + p7tool.c +) + +include_directories(${P7TOOL_PRIVATE_INCLUDE_DIRS}) + +add_executable(p7tool ${p7tool_SRCS}) + +target_link_libraries(p7tool ${P7TOOL_LINK_LIBRARIES}) + +install( + TARGETS p7tool + RUNTIME DESTINATION ${BIN_INSTALL_DIR} + LIBRARY DESTINATION ${LIB_INSTALL_DIR} + ARCHIVE DESTINATION ${LIB_INSTALL_DIR} +) diff --git a/base/native-tools/src/p7tool/NSPRerrs.h b/base/native-tools/src/p7tool/NSPRerrs.h new file mode 100644 index 000000000..f0bc8b77e --- /dev/null +++ b/base/native-tools/src/p7tool/NSPRerrs.h @@ -0,0 +1,161 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/NSPRerrs.h + */ + +/* General NSPR 2.0 errors */ +/* Caller must #include "prerror.h" */ + +ER2( PR_OUT_OF_MEMORY_ERROR, "Memory allocation attempt failed." ) +ER2( PR_BAD_DESCRIPTOR_ERROR, "Invalid file descriptor." ) +ER2( PR_WOULD_BLOCK_ERROR, "The operation would have blocked." ) +ER2( PR_ACCESS_FAULT_ERROR, "Invalid memory address argument." ) +ER2( PR_INVALID_METHOD_ERROR, "Invalid function for file type." ) +ER2( PR_ILLEGAL_ACCESS_ERROR, "Invalid memory address argument." ) +ER2( PR_UNKNOWN_ERROR, "Some unknown error has occurred." ) +ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." ) +ER2( PR_NOT_IMPLEMENTED_ERROR, "function not implemented." ) +ER2( PR_IO_ERROR, "I/O function error." ) +ER2( PR_IO_TIMEOUT_ERROR, "I/O operation timed out." ) +ER2( PR_IO_PENDING_ERROR, "I/O operation on busy file descriptor." ) +ER2( PR_DIRECTORY_OPEN_ERROR, "The directory could not be opened." ) +ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." ) +ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." ) +ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." ) +ER2( PR_IS_CONNECTED_ERROR, "Already connected." ) +ER2( PR_BAD_ADDRESS_ERROR, "Network address is invalid." ) +ER2( PR_ADDRESS_IN_USE_ERROR, "Local Network address is in use." ) +ER2( PR_CONNECT_REFUSED_ERROR, "Connection refused by peer." ) +ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." ) +ER2( PR_CONNECT_TIMEOUT_ERROR, "Connection attempt timed out." ) +ER2( PR_NOT_CONNECTED_ERROR, "Network file descriptor is not connected." ) +ER2( PR_LOAD_LIBRARY_ERROR, "Failure to load dynamic library." ) +ER2( PR_UNLOAD_LIBRARY_ERROR, "Failure to unload dynamic library." ) +ER2( PR_FIND_SYMBOL_ERROR, +"Symbol not found in any of the loaded dynamic libraries." ) +ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." ) +ER2( PR_DIRECTORY_LOOKUP_ERROR, +"A directory lookup on a network address has failed." ) +ER2( PR_TPD_RANGE_ERROR, +"Attempt to access a TPD key that is out of range." ) +ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." ) +ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." ) +ER2( PR_NOT_SOCKET_ERROR, +"Network operation attempted on non-network file descriptor." ) +ER2( PR_NOT_TCP_SOCKET_ERROR, +"TCP-specific function attempted on a non-TCP file descriptor." ) +ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." ) +ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." ) +ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, +"The requested operation is not supported by the platform." ) +ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, +"The host operating system does not support the protocol requested." ) +ER2( PR_REMOTE_FILE_ERROR, "Access to the remote file has been severed." ) +ER2( PR_BUFFER_OVERFLOW_ERROR, +"The value requested is too large to be stored in the data buffer provided." ) +ER2( PR_CONNECT_RESET_ERROR, "TCP connection reset by peer." ) +ER2( PR_RANGE_ERROR, "Unused." ) +ER2( PR_DEADLOCK_ERROR, "The operation would have deadlocked." ) +ER2( PR_FILE_IS_LOCKED_ERROR, "The file is already locked." ) +ER2( PR_FILE_TOO_BIG_ERROR, +"Write would result in file larger than the system allows." ) +ER2( PR_NO_DEVICE_SPACE_ERROR, "The device for storing the file is full." ) +ER2( PR_PIPE_ERROR, "Unused." ) +ER2( PR_NO_SEEK_DEVICE_ERROR, "Unused." ) +ER2( PR_IS_DIRECTORY_ERROR, +"Cannot perform a normal file operation on a directory." ) +ER2( PR_LOOP_ERROR, "Symbolic link loop." ) +ER2( PR_NAME_TOO_LONG_ERROR, "File name is too long." ) +ER2( PR_FILE_NOT_FOUND_ERROR, "File not found." ) +ER2( PR_NOT_DIRECTORY_ERROR, +"Cannot perform directory operation on a normal file." ) +ER2( PR_READ_ONLY_FILESYSTEM_ERROR, +"Cannot write to a read-only file system." ) +ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, +"Cannot delete a directory that is not empty." ) +ER2( PR_FILESYSTEM_MOUNTED_ERROR, +"Cannot delete or rename a file object while the file system is busy." ) +ER2( PR_NOT_SAME_DEVICE_ERROR, +"Cannot rename a file to a file system on another device." ) +ER2( PR_DIRECTORY_CORRUPTED_ERROR, +"The directory object in the file system is corrupted." ) +ER2( PR_FILE_EXISTS_ERROR, +"Cannot create or rename a filename that already exists." ) +ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, +"Directory is full. No additional filenames may be added." ) +ER2( PR_INVALID_DEVICE_STATE_ERROR, +"The required device was in an invalid state." ) +ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." ) +ER2( PR_NO_MORE_FILES_ERROR, "No more entries in the directory." ) +ER2( PR_END_OF_FILE_ERROR, "Encountered end of file." ) +ER2( PR_FILE_SEEK_ERROR, "Seek error." ) +ER2( PR_FILE_IS_BUSY_ERROR, "The file is busy." ) +ER2( PR_IN_PROGRESS_ERROR, +"Operation is still in progress (probably a non-blocking connect)." ) +ER2( PR_ALREADY_INITIATED_ERROR, +"Operation has already been initiated (probably a non-blocking connect)." ) + +#ifdef PR_GROUP_EMPTY_ERROR +ER2( PR_GROUP_EMPTY_ERROR, "The wait group is empty." ) +#endif + +#ifdef PR_INVALID_STATE_ERROR +ER2( PR_INVALID_STATE_ERROR, "Object state improper for request." ) +#endif + +#ifdef PR_NETWORK_DOWN_ERROR +ER2( PR_NETWORK_DOWN_ERROR, "Network is down." ) +#endif + +#ifdef PR_SOCKET_SHUTDOWN_ERROR +ER2( PR_SOCKET_SHUTDOWN_ERROR, "The socket was previously shut down." ) +#endif + +#ifdef PR_CONNECT_ABORTED_ERROR +ER2( PR_CONNECT_ABORTED_ERROR, "TCP Connection aborted." ) +#endif + +#ifdef PR_HOST_UNREACHABLE_ERROR +ER2( PR_HOST_UNREACHABLE_ERROR, "Host is unreachable." ) +#endif + +/* always last */ +ER2( PR_MAX_ERROR, "Placeholder for the end of the list" ) diff --git a/base/native-tools/src/p7tool/SECerrs.h b/base/native-tools/src/p7tool/SECerrs.h new file mode 100644 index 000000000..55858b98f --- /dev/null +++ b/base/native-tools/src/p7tool/SECerrs.h @@ -0,0 +1,523 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SECerrs.h + */ + +/* General security error codes */ +/* Caller must #include "secerr.h" */ + +ER3(SEC_ERROR_IO, SEC_ERROR_BASE + 0, +"An I/O error occurred during security authorization.") + +ER3(SEC_ERROR_LIBRARY_FAILURE, SEC_ERROR_BASE + 1, +"security library failure.") + +ER3(SEC_ERROR_BAD_DATA, SEC_ERROR_BASE + 2, +"security library: received bad data.") + +ER3(SEC_ERROR_OUTPUT_LEN, SEC_ERROR_BASE + 3, +"security library: output length error.") + +ER3(SEC_ERROR_INPUT_LEN, SEC_ERROR_BASE + 4, +"security library has experienced an input length error.") + +ER3(SEC_ERROR_INVALID_ARGS, SEC_ERROR_BASE + 5, +"security library: invalid arguments.") + +ER3(SEC_ERROR_INVALID_ALGORITHM, SEC_ERROR_BASE + 6, +"security library: invalid algorithm.") + +ER3(SEC_ERROR_INVALID_AVA, SEC_ERROR_BASE + 7, +"security library: invalid AVA.") + +ER3(SEC_ERROR_INVALID_TIME, SEC_ERROR_BASE + 8, +"Improperly formatted time string.") + +ER3(SEC_ERROR_BAD_DER, SEC_ERROR_BASE + 9, +"security library: improperly formatted DER-encoded message.") + +ER3(SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BASE + 10, +"Peer's certificate has an invalid signature.") + +ER3(SEC_ERROR_EXPIRED_CERTIFICATE, SEC_ERROR_BASE + 11, +"Peer's Certificate has expired.") + +ER3(SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_BASE + 12, +"Peer's Certificate has been revoked.") + +ER3(SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_BASE + 13, +"Peer's Certificate issuer is not recognized.") + +ER3(SEC_ERROR_BAD_KEY, SEC_ERROR_BASE + 14, +"Peer's public key is invalid.") + +ER3(SEC_ERROR_BAD_PASSWORD, SEC_ERROR_BASE + 15, +"The security password entered is incorrect.") + +ER3(SEC_ERROR_RETRY_PASSWORD, SEC_ERROR_BASE + 16, +"New password entered incorrectly. Please try again.") + +ER3(SEC_ERROR_NO_NODELOCK, SEC_ERROR_BASE + 17, +"security library: no nodelock.") + +ER3(SEC_ERROR_BAD_DATABASE, SEC_ERROR_BASE + 18, +"security library: bad database.") + +ER3(SEC_ERROR_NO_MEMORY, SEC_ERROR_BASE + 19, +"security library: memory allocation failure.") + +ER3(SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_BASE + 20, +"Peer's certificate issuer has been marked as not trusted by the user.") + +ER3(SEC_ERROR_UNTRUSTED_CERT, SEC_ERROR_BASE + 21, +"Peer's certificate has been marked as not trusted by the user.") + +ER3(SEC_ERROR_DUPLICATE_CERT, (SEC_ERROR_BASE + 22), +"Certificate already exists in your database.") + +ER3(SEC_ERROR_DUPLICATE_CERT_NAME, (SEC_ERROR_BASE + 23), +"Downloaded certificate's name duplicates one already in your database.") + +ER3(SEC_ERROR_ADDING_CERT, (SEC_ERROR_BASE + 24), +"Error adding certificate to database.") + +ER3(SEC_ERROR_FILING_KEY, (SEC_ERROR_BASE + 25), +"Error refiling the key for this certificate.") + +ER3(SEC_ERROR_NO_KEY, (SEC_ERROR_BASE + 26), +"The private key for this certificate cannot be found in key database") + +ER3(SEC_ERROR_CERT_VALID, (SEC_ERROR_BASE + 27), +"This certificate is valid.") + +ER3(SEC_ERROR_CERT_NOT_VALID, (SEC_ERROR_BASE + 28), +"This certificate is not valid.") + +ER3(SEC_ERROR_CERT_NO_RESPONSE, (SEC_ERROR_BASE + 29), +"Cert Library: No Response") + +ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, (SEC_ERROR_BASE + 30), +"The certificate issuer's certificate has expired. Check your system date and time.") + +ER3(SEC_ERROR_CRL_EXPIRED, (SEC_ERROR_BASE + 31), +"The CRL for the certificate's issuer has expired. Update it or check your system data and time.") + +ER3(SEC_ERROR_CRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 32), +"The CRL for the certificate's issuer has an invalid signature.") + +ER3(SEC_ERROR_CRL_INVALID, (SEC_ERROR_BASE + 33), +"New CRL has an invalid format.") + +ER3(SEC_ERROR_EXTENSION_VALUE_INVALID, (SEC_ERROR_BASE + 34), +"Certificate extension value is invalid.") + +ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35), +"Certificate extension not found.") + +ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36), +"Issuer certificate is invalid.") + +ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37), +"Certificate path length constraint is invalid.") + +ER3(SEC_ERROR_CERT_USAGES_INVALID, (SEC_ERROR_BASE + 38), +"Certificate usages field is invalid.") + +ER3(SEC_INTERNAL_ONLY, (SEC_ERROR_BASE + 39), +"**Internal ONLY module**") + +ER3(SEC_ERROR_INVALID_KEY, (SEC_ERROR_BASE + 40), +"The key does not support the requested operation.") + +ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 41), +"Certificate contains unknown critical extension.") + +ER3(SEC_ERROR_OLD_CRL, (SEC_ERROR_BASE + 42), +"New CRL is not later than the current one.") + +ER3(SEC_ERROR_NO_EMAIL_CERT, (SEC_ERROR_BASE + 43), +"Not encrypted or signed: you do not yet have an email certificate.") + +ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, (SEC_ERROR_BASE + 44), +"Not encrypted: you do not have certificates for each of the recipients.") + +ER3(SEC_ERROR_NOT_A_RECIPIENT, (SEC_ERROR_BASE + 45), +"Cannot decrypt: you are not a recipient, or matching certificate and \ +private key not found.") + +ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH, (SEC_ERROR_BASE + 46), +"Cannot decrypt: key encryption algorithm does not match your certificate.") + +ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE, (SEC_ERROR_BASE + 47), +"Signature verification failed: no signer found, too many signers found, \ +or improper or corrupted data.") + +ER3(SEC_ERROR_UNSUPPORTED_KEYALG, (SEC_ERROR_BASE + 48), +"Unsupported or unknown key algorithm.") + +ER3(SEC_ERROR_DECRYPTION_DISALLOWED, (SEC_ERROR_BASE + 49), +"Cannot decrypt: encrypted using a disallowed algorithm or key size.") + + +/* Fortezza Alerts */ +ER3(XP_SEC_FORTEZZA_BAD_CARD, (SEC_ERROR_BASE + 50), +"Fortezza card has not been properly initialized. \ +Please remove it and return it to your issuer.") + +ER3(XP_SEC_FORTEZZA_NO_CARD, (SEC_ERROR_BASE + 51), +"No Fortezza cards Found") + +ER3(XP_SEC_FORTEZZA_NONE_SELECTED, (SEC_ERROR_BASE + 52), +"No Fortezza card selected") + +ER3(XP_SEC_FORTEZZA_MORE_INFO, (SEC_ERROR_BASE + 53), +"Please select a personality to get more info on") + +ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND, (SEC_ERROR_BASE + 54), +"Personality not found") + +ER3(XP_SEC_FORTEZZA_NO_MORE_INFO, (SEC_ERROR_BASE + 55), +"No more information on that Personality") + +ER3(XP_SEC_FORTEZZA_BAD_PIN, (SEC_ERROR_BASE + 56), +"Invalid Pin") + +ER3(XP_SEC_FORTEZZA_PERSON_ERROR, (SEC_ERROR_BASE + 57), +"Couldn't initialize Fortezza personalities.") +/* end fortezza alerts. */ + +ER3(SEC_ERROR_NO_KRL, (SEC_ERROR_BASE + 58), +"No KRL for this site's certificate has been found.") + +ER3(SEC_ERROR_KRL_EXPIRED, (SEC_ERROR_BASE + 59), +"The KRL for this site's certificate has expired.") + +ER3(SEC_ERROR_KRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 60), +"The KRL for this site's certificate has an invalid signature.") + +ER3(SEC_ERROR_REVOKED_KEY, (SEC_ERROR_BASE + 61), +"The key for this site's certificate has been revoked.") + +ER3(SEC_ERROR_KRL_INVALID, (SEC_ERROR_BASE + 62), +"New KRL has an invalid format.") + +ER3(SEC_ERROR_NEED_RANDOM, (SEC_ERROR_BASE + 63), +"security library: need random data.") + +ER3(SEC_ERROR_NO_MODULE, (SEC_ERROR_BASE + 64), +"security library: no security module can perform the requested operation.") + +ER3(SEC_ERROR_NO_TOKEN, (SEC_ERROR_BASE + 65), +"The security card or token does not exist, needs to be initialized, or has been removed.") + +ER3(SEC_ERROR_READ_ONLY, (SEC_ERROR_BASE + 66), +"security library: read-only database.") + +ER3(SEC_ERROR_NO_SLOT_SELECTED, (SEC_ERROR_BASE + 67), +"No slot or token was selected.") + +ER3(SEC_ERROR_CERT_NICKNAME_COLLISION, (SEC_ERROR_BASE + 68), +"A certificate with the same nickname already exists.") + +ER3(SEC_ERROR_KEY_NICKNAME_COLLISION, (SEC_ERROR_BASE + 69), +"A key with the same nickname already exists.") + +ER3(SEC_ERROR_SAFE_NOT_CREATED, (SEC_ERROR_BASE + 70), +"error while creating safe object") + +ER3(SEC_ERROR_BAGGAGE_NOT_CREATED, (SEC_ERROR_BASE + 71), +"error while creating baggage object") + +ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR, (SEC_ERROR_BASE + 72), +"Couldn't remove the principal") + +ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR, (SEC_ERROR_BASE + 73), +"Couldn't delete the privilege") + +ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR, (SEC_ERROR_BASE + 74), +"This principal doesn't have a certificate") + +ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM, (SEC_ERROR_BASE + 75), +"Required algorithm is not allowed.") + +ER3(SEC_ERROR_EXPORTING_CERTIFICATES, (SEC_ERROR_BASE + 76), +"Error attempting to export certificates.") + +ER3(SEC_ERROR_IMPORTING_CERTIFICATES, (SEC_ERROR_BASE + 77), +"Error attempting to import certificates.") + +ER3(SEC_ERROR_PKCS12_DECODING_PFX, (SEC_ERROR_BASE + 78), +"Unable to import. Decoding error. File not valid.") + +ER3(SEC_ERROR_PKCS12_INVALID_MAC, (SEC_ERROR_BASE + 79), +"Unable to import. Invalid MAC. Incorrect password or corrupt file.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, (SEC_ERROR_BASE + 80), +"Unable to import. MAC algorithm not supported.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81), +"Unable to import. Only password integrity and privacy modes supported.") + +ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, (SEC_ERROR_BASE + 82), +"Unable to import. File structure is corrupt.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83), +"Unable to import. Encryption algorithm not supported.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, (SEC_ERROR_BASE + 84), +"Unable to import. File version not supported.") + +ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85), +"Unable to import. Incorrect privacy password.") + +ER3(SEC_ERROR_PKCS12_CERT_COLLISION, (SEC_ERROR_BASE + 86), +"Unable to import. Same nickname already exists in database.") + +ER3(SEC_ERROR_USER_CANCELLED, (SEC_ERROR_BASE + 87), +"The user pressed cancel.") + +ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA, (SEC_ERROR_BASE + 88), +"Not imported, already in database.") + +ER3(SEC_ERROR_MESSAGE_SEND_ABORTED, (SEC_ERROR_BASE + 89), +"Message not sent.") + +ER3(SEC_ERROR_INADEQUATE_KEY_USAGE, (SEC_ERROR_BASE + 90), +"Certificate key usage inadequate for attempted operation.") + +ER3(SEC_ERROR_INADEQUATE_CERT_TYPE, (SEC_ERROR_BASE + 91), +"Certificate type not approved for application.") + +ER3(SEC_ERROR_CERT_ADDR_MISMATCH, (SEC_ERROR_BASE + 92), +"Address in signing certificate does not match address in message headers.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, (SEC_ERROR_BASE + 93), +"Unable to import. Error attempting to import private key.") + +ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, (SEC_ERROR_BASE + 94), +"Unable to import. Error attempting to import certificate chain.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95), +"Unable to export. Unable to locate certificate or key by nickname.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, (SEC_ERROR_BASE + 96), +"Unable to export. Private Key could not be located and exported.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, (SEC_ERROR_BASE + 97), +"Unable to export. Unable to write the export file.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ, (SEC_ERROR_BASE + 98), +"Unable to import. Unable to read the import file.") + +ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99), +"Unable to export. Key database corrupt or deleted.") + +ER3(SEC_ERROR_KEYGEN_FAIL, (SEC_ERROR_BASE + 100), +"Unable to generate public/private key pair.") + +ER3(SEC_ERROR_INVALID_PASSWORD, (SEC_ERROR_BASE + 101), +"Password entered is invalid. Please pick a different one.") + +ER3(SEC_ERROR_RETRY_OLD_PASSWORD, (SEC_ERROR_BASE + 102), +"Old password entered incorrectly. Please try again.") + +ER3(SEC_ERROR_BAD_NICKNAME, (SEC_ERROR_BASE + 103), +"Certificate nickname already in use.") + +ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER, (SEC_ERROR_BASE + 104), +"Peer FORTEZZA chain has a non-FORTEZZA Certificate.") + +ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, (SEC_ERROR_BASE + 105), +"A sensitive key cannot be moved to the slot where it is needed.") + +ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, (SEC_ERROR_BASE + 106), +"Invalid module name.") + +ER3(SEC_ERROR_JS_INVALID_DLL, (SEC_ERROR_BASE + 107), +"Invalid module path/filename") + +ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, (SEC_ERROR_BASE + 108), +"Unable to add module") + +ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109), +"Unable to delete module") + +ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110), +"New KRL is not later than the current one.") + +ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111), +"New CKL has different issuer than current CKL. Delete current CKL.") + +ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, (SEC_ERROR_BASE + 112), +"The Certifying Authority for this certificate is not permitted to issue a \ +certificate with this name.") + +ER3(SEC_ERROR_KRL_NOT_YET_VALID, (SEC_ERROR_BASE + 113), +"The key revocation list for this certificate is not yet valid.") + +ER3(SEC_ERROR_CRL_NOT_YET_VALID, (SEC_ERROR_BASE + 114), +"The certificate revocation list for this certificate is not yet valid.") + +ER3(SEC_ERROR_UNKNOWN_CERT, (SEC_ERROR_BASE + 115), +"The requested certificate could not be found.") + +ER3(SEC_ERROR_UNKNOWN_SIGNER, (SEC_ERROR_BASE + 116), +"The signer's certificate could not be found.") + +ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, (SEC_ERROR_BASE + 117), +"The location for the certificate status server has invalid format.") + +ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, (SEC_ERROR_BASE + 118), +"The OCSP response cannot be fully decoded; it is of an unknown type.") + +ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, (SEC_ERROR_BASE + 119), +"The OCSP server returned unexpected/invalid HTTP data.") + +ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST, (SEC_ERROR_BASE + 120), +"The OCSP server found the request to be corrupted or improperly formed.") + +ER3(SEC_ERROR_OCSP_SERVER_ERROR, (SEC_ERROR_BASE + 121), +"The OCSP server experienced an internal error.") + +ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER, (SEC_ERROR_BASE + 122), +"The OCSP server suggests trying again later.") + +ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, (SEC_ERROR_BASE + 123), +"The OCSP server requires a signature on this request.") + +ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, (SEC_ERROR_BASE + 124), +"The OCSP server has refused this request as unauthorized.") + +ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, (SEC_ERROR_BASE + 125), +"The OCSP server returned an unrecognizable status.") + +ER3(SEC_ERROR_OCSP_UNKNOWN_CERT, (SEC_ERROR_BASE + 126), +"The OCSP server has no status for the certificate.") + +ER3(SEC_ERROR_OCSP_NOT_ENABLED, (SEC_ERROR_BASE + 127), +"You must enable OCSP before performing this operation.") + +ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, (SEC_ERROR_BASE + 128), +"You must set the OCSP default responder before performing this operation.") + +ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE, (SEC_ERROR_BASE + 129), +"The response from the OCSP server was corrupted or improperly formed.") + +ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, (SEC_ERROR_BASE + 130), +"The signer of the OCSP response is not authorized to give status for \ +this certificate.") + +ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE, (SEC_ERROR_BASE + 131), +"The OCSP response is not yet valid (contains a date in the future).") + +ER3(SEC_ERROR_OCSP_OLD_RESPONSE, (SEC_ERROR_BASE + 132), +"The OCSP response contains out-of-date information.") + +ER3(SEC_ERROR_DIGEST_NOT_FOUND, (SEC_ERROR_BASE + 133), +"The CMS or PKCS #7 Digest was not found in signed message.") + +ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, (SEC_ERROR_BASE + 134), +"The CMS or PKCS #7 Message type is unsupported.") + +ER3(SEC_ERROR_MODULE_STUCK, (SEC_ERROR_BASE + 135), +"PKCS #11 module could not be removed because it is still in use.") + +ER3(SEC_ERROR_BAD_TEMPLATE, (SEC_ERROR_BASE + 136), +"Could not decode ASN.1 data. Specified template was invalid.") + +ER3(SEC_ERROR_CRL_NOT_FOUND, (SEC_ERROR_BASE + 137), +"No matching CRL was found.") + +ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL, (SEC_ERROR_BASE + 138), +"You are attempting to import a cert with the same issuer/serial as \ +an existing cert, but that is not the same cert.") + +ER3(SEC_ERROR_BUSY, (SEC_ERROR_BASE + 139), +"NSS could not shutdown. Objects are still in use.") + +ER3(SEC_ERROR_EXTRA_INPUT, (SEC_ERROR_BASE + 140), +"DER-encoded message contained extra unused data.") + +ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, (SEC_ERROR_BASE + 141), +"Unsupported elliptic curve.") + +ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, (SEC_ERROR_BASE + 142), +"Unsupported elliptic curve point form.") + +ER3(SEC_ERROR_UNRECOGNIZED_OID, (SEC_ERROR_BASE + 143), +"Unrecognized Object IDentifier.") + +ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, (SEC_ERROR_BASE + 144), +"Invalid OCSP signing certificate in OCSP response.") + +ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL, (SEC_ERROR_BASE + 145), +"Certificate is revoked in issuer's certificate revocation list.") + +ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP, (SEC_ERROR_BASE + 146), +"Issuer's OCSP responder reports certificate is revoked.") + +ER3(SEC_ERROR_CRL_INVALID_VERSION, (SEC_ERROR_BASE + 147), +"Issuer's Certificate Revocation List has an unknown version number.") + +ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 148), +"Issuer's V1 Certificate Revocation List has a critical extension.") + +ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 149), +"Issuer's V2 Certificate Revocation List has an unknown critical extension.") + +ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE, (SEC_ERROR_BASE + 150), +"Unknown object type specified.") + +ER3(SEC_ERROR_INCOMPATIBLE_PKCS11, (SEC_ERROR_BASE + 151), +"PKCS #11 driver violates the spec in an incompatible way.") + +ER3(SEC_ERROR_NO_EVENT, (SEC_ERROR_BASE + 152), +"No new slot event is available at this time.") + +ER3(SEC_ERROR_CRL_ALREADY_EXISTS, (SEC_ERROR_BASE + 153), +"CRL already exists.") + +ER3(SEC_ERROR_NOT_INITIALIZED, (SEC_ERROR_BASE + 154), +"NSS is not initialized.") + +ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN, (SEC_ERROR_BASE + 155), +"The operation failed because the PKCS#11 token is not logged in.") + diff --git a/base/native-tools/src/p7tool/SSLerrs.h b/base/native-tools/src/p7tool/SSLerrs.h new file mode 100644 index 000000000..d6ec13b47 --- /dev/null +++ b/base/native-tools/src/p7tool/SSLerrs.h @@ -0,0 +1,393 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SSLerrs.h + */ + +/* SSL-specific security error codes */ +/* caller must include "sslerr.h" */ + +ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0, +"Unable to communicate securely. Peer does not support high-grade encryption.") + +ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1, +"Unable to communicate securely. Peer requires high-grade encryption which is not supported.") + +ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2, +"Cannot communicate securely with peer: no common encryption algorithm(s).") + +ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3, +"Unable to find the certificate or key necessary for authentication.") + +ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4, +"Unable to communicate securely with peer: peers's certificate was rejected.") + +/* unused (SSL_ERROR_BASE + 5),*/ + +ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6, +"The server has encountered bad data from the client.") + +ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7, +"The client has encountered bad data from the server.") + +ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8, +"Unsupported certificate type.") + +ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9, +"Peer using unsupported version of security protocol.") + +/* unused (SSL_ERROR_BASE + 10),*/ + +ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11, +"Client authentication failed: private key in key database does not match public key in certificate database.") + +ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12, +"Unable to communicate securely with peer: requested domain name does not match the server's certificate.") + +/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13), + defined in sslerr.h +*/ + +ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14), +"Peer only supports SSL version 2, which is locally disabled.") + + +ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15), +"SSL received a record with an incorrect Message Authentication Code.") + +ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16), +"SSL peer reports incorrect Message Authentication Code.") + +ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17), +"SSL peer cannot verify your certificate.") + +ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18), +"SSL peer rejected your certificate as revoked.") + +ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19), +"SSL peer rejected your certificate as expired.") + +ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20), +"Cannot connect: SSL is disabled.") + +ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21), +"Cannot connect: SSL peer is in another FORTEZZA domain.") + + +ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22), +"An unknown SSL cipher suite has been requested.") + +ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23), +"No cipher suites are present and enabled in this program.") + +ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24), +"SSL received a record with bad block padding.") + +ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25), +"SSL received a record that exceeded the maximum permissible length.") + +ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26), +"SSL attempted to send a record that exceeded the maximum permissible length.") + +/* + * Received a malformed (too long or short or invalid content) SSL handshake. + */ +ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27), +"SSL received a malformed Hello Request handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28), +"SSL received a malformed Client Hello handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29), +"SSL received a malformed Server Hello handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30), +"SSL received a malformed Certificate handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31), +"SSL received a malformed Server Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32), +"SSL received a malformed Certificate Request handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33), +"SSL received a malformed Server Hello Done handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34), +"SSL received a malformed Certificate Verify handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35), +"SSL received a malformed Client Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36), +"SSL received a malformed Finished handshake message.") + +/* + * Received a malformed (too long or short) SSL record. + */ +ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37), +"SSL received a malformed Change Cipher Spec record.") + +ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38), +"SSL received a malformed Alert record.") + +ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39), +"SSL received a malformed Handshake record.") + +ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40), +"SSL received a malformed Application Data record.") + +/* + * Received an SSL handshake that was inappropriate for the state we're in. + * E.g. Server received message from server, or wrong state in state machine. + */ +ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41), +"SSL received an unexpected Hello Request handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42), +"SSL received an unexpected Client Hello handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43), +"SSL received an unexpected Server Hello handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44), +"SSL received an unexpected Certificate handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45), +"SSL received an unexpected Server Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46), +"SSL received an unexpected Certificate Request handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47), +"SSL received an unexpected Server Hello Done handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48), +"SSL received an unexpected Certificate Verify handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49), +"SSL received an unexpected Cllient Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50), +"SSL received an unexpected Finished handshake message.") + +/* + * Received an SSL record that was inappropriate for the state we're in. + */ +ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51), +"SSL received an unexpected Change Cipher Spec record.") + +ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52), +"SSL received an unexpected Alert record.") + +ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53), +"SSL received an unexpected Handshake record.") + +ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54), +"SSL received an unexpected Application Data record.") + +/* + * Received record/message with unknown discriminant. + */ +ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55), +"SSL received a record with an unknown content type.") + +ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56), +"SSL received a handshake message with an unknown message type.") + +ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57), +"SSL received an alert record with an unknown alert description.") + +/* + * Received an alert reporting what we did wrong. (more alerts above) + */ +ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58), +"SSL peer has closed this connection.") + +ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59), +"SSL peer was not expecting a handshake message it received.") + +ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60), +"SSL peer was unable to succesfully decompress an SSL record it received.") + +ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61), +"SSL peer was unable to negotiate an acceptable set of security parameters.") + +ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62), +"SSL peer rejected a handshake message for unacceptable content.") + +ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63), +"SSL peer does not support certificates of the type it received.") + +ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64), +"SSL peer had some unspecified issue with the certificate it received.") + + +ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE + 65), +"SSL experienced a failure of its random number generator.") + +ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66), +"Unable to digitally sign data required to verify your certificate.") + +ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67), +"SSL was unable to extract the public key from the peer's certificate.") + +ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68), +"Unspecified failure while processing SSL Server Key Exchange handshake.") + +ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69), +"Unspecified failure while processing SSL Client Key Exchange handshake.") + +ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70), +"Bulk data encryption algorithm failed in selected cipher suite.") + +ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71), +"Bulk data decryption algorithm failed in selected cipher suite.") + +ER3(SSL_ERROR_SOCKET_WRITE_FAILURE , (SSL_ERROR_BASE + 72), +"Attempt to write encrypted data to underlying socket failed.") + +ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73), +"MD5 digest function failed.") + +ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74), +"SHA-1 digest function failed.") + +ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75), +"MAC computation failed.") + +ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76), +"Failure to create Symmetric Key context.") + +ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77), +"Failure to unwrap the Symmetric key in Client Key Exchange message.") + +ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78), +"SSL Server attempted to use domestic-grade public key with export cipher suite.") + +ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79), +"PKCS11 code failed to translate an IV into a param.") + +ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80), +"Failed to initialize the selected cipher suite.") + +ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE , (SSL_ERROR_BASE + 81), +"Client failed to generate session keys for SSL session.") + +ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82), +"Server has no key for the attempted key exchange algorithm.") + +ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83), +"PKCS#11 token was inserted or removed while operation was in progress.") + +ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84), +"No PKCS#11 token could be found to do a required operation.") + +ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85), +"Cannot communicate securely with peer: no common compression algorithm(s).") + +ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86), +"Cannot initiate another SSL handshake until current handshake is complete.") + +ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87), +"Received incorrect handshakes hash values from peer.") + +ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88), +"The certificate provided cannot be used with the selected key exchange algorithm.") + +ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89), +"No certificate authority is trusted for SSL client authentication.") + +ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90), +"Client's SSL session ID not found in server's session cache.") + +ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91), +"Peer was unable to decrypt an SSL record it received.") + +ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92), +"Peer received an SSL record that was longer than is permitted.") + +ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93), +"Peer does not recognize and trust the CA that issued your certificate.") + +ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94), +"Peer received a valid certificate, but access was denied.") + +ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95), +"Peer could not decode an SSL handshake message.") + +ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96), +"Peer reports failure of signature verification or key exchange.") + +ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97), +"Peer reports negotiation not in compliance with export regulations.") + +ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98), +"Peer reports incompatible or unsupported protocol version.") + +ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99), +"Server requires ciphers more secure than those supported by client.") + +ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100), +"Peer reports it experienced an internal error.") + +ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101), +"Peer user canceled handshake.") + +ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102), +"Peer does not permit renegotiation of SSL security parameters.") + +ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103), +"SSL server cache not configured and not disabled for this socket.") + +ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104), +"SSL peer does not support requested TLS hello extension.") + +ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105), +"SSL peer could not obtain your certificate from the supplied URL.") + +ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106), +"SSL peer has no certificate for the requested DNS name.") + +ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107), +"SSL peer was unable to get an OCSP response for its certificate.") + +ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108), +"SSL peer reported bad certificate hash value.") diff --git a/base/native-tools/src/p7tool/p7tool.c b/base/native-tools/src/p7tool/p7tool.c new file mode 100644 index 000000000..9ab6023ff --- /dev/null +++ b/base/native-tools/src/p7tool/p7tool.c @@ -0,0 +1,375 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * END COPYRIGHT BLOCK **/ + +/* This file is based upon the file originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N + * mozilla/security/nss/cmd/p7content/p7content.c + */ + +/* + * p7tool -- A command to display/process pkcs7 content. + * + */ + +#ifdef HAVE_CONFIG_H +#ifndef AUTOTOOLS_CONFIG_H +#define AUTOTOOLS_CONFIG_H + +/* Eliminate warnings when using Autotools */ +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include <config.h> +#endif /* AUTOTOOLS_CONFIG_H */ +#endif /* HAVE_CONFIG_H */ + +#include "nspr.h" +#include "secutil.h" +#include "plgetopt.h" +#include "secpkcs7.h" +#include "cert.h" +#include "certdb.h" +#include "nss.h" + +#if defined(XP_UNIX) +#include <unistd.h> +#endif + +#include <stdio.h> +#include <string.h> + +#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4)) +extern int fwrite(char *, size_t, size_t, FILE*); +extern int fprintf(FILE *, char *, ...); +#endif + + +static void +Usage(char *progName) +{ + fprintf(stderr, + "Usage: %s [-d dbdir] [-p chainFilePrefix] [-a] [-i input] [-o output]\n", + progName); + fprintf(stderr, + "%-20s Key/Cert database directory (default is ~/.netscape)\n", + "-d dbdir"); + fprintf(stderr, "%-20s Define the cert chain file name prefix(default is chaincert)\n", + "-p chainFilePrefix"); + fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n", + "-a"); + fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n", + "-i input"); + fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n", + "-o output"); + exit(-1); +} + +static PRBool saw_content; + +static void +PrintBytes(void *arg, const char *buf, unsigned long len) +{ + FILE *out; + + out = arg; + fwrite (buf, len, 1, out); + + saw_content = PR_TRUE; +} + +/* + * XXX Someday we may want to do real policy stuff here. This allows + * anything to be decrypted, which is okay for a test program but does + * not set an example of how a real client with a real policy would + * need to do it. + */ +static PRBool +decryption_allowed(SECAlgorithmID *algid, PK11SymKey *key) +{ + return PR_TRUE; +} + +int +DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName, int ascii, + char *prefix) +{ + SECItem derdata; + SEC_PKCS7ContentInfo *cinfo = NULL; + SEC_PKCS7DecoderContext *dcx; + int rv; + + if (SECU_ReadDERFromFile(&derdata, in, ascii)) { + SECU_PrintError(progName, "error converting der"); + return -1; + } + + fprintf(out, "Pretty Print of PKCS#7 content:\n"); + rv = SECU_PrintPKCS7ContentInfo(out, &derdata, + "PKCS #7 Content Info", 0); +/* + fprintf(out, + "Content printed between bars (newline added before second bar):"); + fprintf(out, "\n---------------------------------------------\n"); +*/ + if (rv) { + fprintf(stderr, "%s: problem converting data (%s)\n", + progName, SECU_Strerror(PORT_GetError())); + return -1; + } + + saw_content = PR_FALSE; + dcx = SEC_PKCS7DecoderStart(PrintBytes, out, NULL, NULL, + NULL, NULL, decryption_allowed); + if (dcx != NULL) { +#if 0 /* Test that decoder works when data is really streaming in. */ + { + unsigned long i; + for (i = 0; i < derdata.len; i++) + SEC_PKCS7DecoderUpdate(dcx, derdata.data + i, 1); + } +#else + SEC_PKCS7DecoderUpdate(dcx, (char *)derdata.data, derdata.len); +#endif + cinfo = SEC_PKCS7DecoderFinish(dcx); + } +/* + fprintf(out, "\n---------------------------------------------\n"); +*/ + if (cinfo == NULL) + return -1; +/* + fprintf(out, "Content was%s encrypted.\n", + SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not"); +*/ + + if (SEC_PKCS7ContentIsSigned(cinfo)) { + char *signer_cname, *signer_ename; + SECItem *signing_time; + + if (saw_content) { + fprintf(out, "Signature is "); + PORT_SetError(0); + if (SEC_PKCS7VerifySignature(cinfo, certUsageEmailSigner, PR_FALSE)) + fprintf(out, "valid.\n"); + else + fprintf(out, "invalid (Reason: %s).\n", + SECU_Strerror(PORT_GetError())); + } else { + fprintf(out, + "Content is detached; signature cannot be verified.\n"); + } + + signer_cname = SEC_PKCS7GetSignerCommonName(cinfo); + if (signer_cname != NULL) { + fprintf(out, "The signer's common name is %s\n", signer_cname); + PORT_Free(signer_cname); + } else { + fprintf(out, "No signer common name.\n"); + } + + signer_ename = SEC_PKCS7GetSignerEmailAddress(cinfo); + if (signer_ename != NULL) { + fprintf(out, "The signer's email address is %s\n", signer_ename); + PORT_Free(signer_ename); + } else { + fprintf(out, "No signer email address.\n"); + } + + signing_time = SEC_PKCS7GetSigningTime(cinfo); + if (signing_time != NULL) { + SECU_PrintTimeChoice(out, signing_time, "Signing time", 0); + } else { + fprintf(out, "No signing time included.\n"); + } + } else { +/* fprintf(out, "Content was not signed.\n");*/ + } +/* + fprintf(out, "There were%s certs or crls included.\n", + SEC_PKCS7ContainsCertsOrCrls(cinfo) ? "" : " no"); +*/ + + /* write out certs */ + SECItem **items = NULL; + SECOidTag kind; + + kind = SEC_PKCS7ContentType (cinfo); + if (kind == SEC_OID_PKCS7_SIGNED_DATA) { +/* fprintf(out, "content is SEC_OID_PKCS7_SIGNED_DATA\n");*/ + SEC_PKCS7SignedData *sdp; + + sdp = cinfo->content.signedData; + if (sdp != NULL) { + items = sdp->rawCerts; + } + } else { +/* fprintf(out, "content is not SEC_OID_PKCS7_SIGNED_DATA\n");*/ + + } + + int i= 0; + if (items != NULL) { + CERTCertificate *cert; + if (prefix == NULL) { + prefix = "chaincert"; + } + while ((items[i]) != NULL) { + cert = (CERTCertificate*) items[i]->data; + FILE *outFile; + char filename[256]; + int nb = 0; + + sprintf(filename, "%s%d.der", prefix, i); + + outFile = fopen(filename, "wb"); + if (outFile == NULL) { + fprintf(out, "Couldn't open '%s' file for writing\n", filename); + i = -1; + break; + } + nb = fwrite((char *) cert, 1, items[i]->len, outFile); + fclose(outFile); + + i++; + } + } else { + fprintf(out, "certs is NULL\n"); + } + + SEC_PKCS7DestroyContentInfo(cinfo); + return i; +} + + +/* + * Print the contents of a PKCS7 message, indicating signatures, etc. + */ + +int +main(int argc, char **argv) +{ + char *progName; + FILE *outFile; + PRFileDesc *inFile; + PLOptState *optstate; + PLOptStatus status; + SECStatus rv; + int ascii = 0; + char *prefix = NULL; + int exitStatus = 0; + + progName = strrchr(argv[0], '/'); + progName = progName ? progName+1 : argv[0]; + + inFile = NULL; + outFile = NULL; + + /* + * Parse command line arguments + */ + optstate = PL_CreateOptState(argc, argv, "ad:i:o:p:"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'd': + SECU_ConfigDirectory(optstate->value); + break; + + case 'a': + ascii = 1; + break; + + case 'i': + inFile = PR_Open(optstate->value, PR_RDONLY, 0); + if (!inFile) { + fprintf(stderr, "%s: unable to open \"%s\" for reading\n", + progName, optstate->value); + return -1; + } + break; + + case 'o': + outFile = fopen(optstate->value, "w"); + if (!outFile) { + fprintf(stderr, "%s: unable to open \"%s\" for writing\n", + progName, optstate->value); + return -1; + } + break; + + case 'p': + prefix = optstate->value; + break; + + default: + Usage(progName); + break; + } + } + if (status == PL_OPT_BAD) + Usage(progName); + + if (!inFile) inFile = PR_STDIN; + if (!outFile) outFile = stdout; + + /* Call the initialization routines */ + PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + rv = NSS_Init(SECU_ConfigDirectory(NULL)); + if (rv != SECSuccess) { + SECU_PrintPRandOSError(progName); + return -1; + } + + exitStatus = DecodeAndPrintFile(outFile, inFile, progName, ascii, prefix); + if (exitStatus < 0) { + SECU_PrintError(progName, "problem decoding data"); + return -1; + } + + if (NSS_Shutdown() != SECSuccess) { + exit(1); + } + + return exitStatus; +/* return 0;*/ +} diff --git a/base/native-tools/src/p7tool/pppolicy.c b/base/native-tools/src/p7tool/pppolicy.c new file mode 100644 index 000000000..76ec6e8c6 --- /dev/null +++ b/base/native-tools/src/p7tool/pppolicy.c @@ -0,0 +1,309 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 2004 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/pppolicy.c + */ + +/* + * Support for various policy related extensions + * + * $Id$ + */ + +#include "seccomon.h" +#include "secport.h" +#include "secder.h" +#include "cert.h" +#include "secoid.h" +#include "secasn1.h" +#include "secerr.h" +#include "nspr.h" +#include "secutil.h" + +/* This implementation is derived from the one in nss/lib/certdb/policyxtn.c . +** The chief difference is the addition of the OPTIONAL flag to many +** parts. The idea is to be able to parse and print as much of the +** policy extension as possible, even if some parts are invalid. +** +** If this approach still is unable to decode policy extensions that +** contain invalid parts, then the next approach will be to parse +** the PolicyInfos as a SEQUENCE of ANYs, and then parse each of them +** as PolicyInfos, with the PolicyQualifiers being ANYs, and finally +** parse each of the PolicyQualifiers. +*/ + +static const SEC_ASN1Template secu_PolicyQualifierTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTPolicyQualifier) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CERTPolicyQualifier, qualifierID), + NULL, 0}, + { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL, + offsetof(CERTPolicyQualifier, qualifierValue), + NULL, 0}, + { 0, 0, NULL, 0 } +}; + +static const SEC_ASN1Template secu_PolicyInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTPolicyInfo) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CERTPolicyInfo, policyID), + NULL, 0}, + { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL, + offsetof(CERTPolicyInfo, policyQualifiers), + secu_PolicyQualifierTemplate, 0 }, + { 0, 0, NULL, 0 } +}; + +static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = { + { SEC_ASN1_SEQUENCE_OF, + offsetof(CERTCertificatePolicies, policyInfos), + secu_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) } +}; + + +static CERTCertificatePolicies * +secu_DecodeCertificatePoliciesExtension(SECItem *extnValue) +{ + PRArenaPool *arena = NULL; + SECStatus rv; + CERTCertificatePolicies *policies; + CERTPolicyInfo **policyInfos, *policyInfo; + CERTPolicyQualifier **policyQualifiers, *policyQualifier; + SECItem newExtnValue; + + /* make a new arena */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if ( !arena ) { + goto loser; + } + + /* allocate the certifiate policies structure */ + policies = PORT_ArenaZNew(arena, CERTCertificatePolicies); + if ( policies == NULL ) { + goto loser; + } + + policies->arena = arena; + + /* copy the DER into the arena, since Quick DER returns data that points + into the DER input, which may get freed by the caller */ + rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue); + if ( rv != SECSuccess ) { + goto loser; + } + + /* decode the policy info */ + rv = SEC_QuickDERDecodeItem(arena, policies, + secu_CertificatePoliciesTemplate, + &newExtnValue); + + if ( rv != SECSuccess ) { + goto loser; + } + + /* initialize the oid tags */ + policyInfos = policies->policyInfos; + while (policyInfos != NULL && *policyInfos != NULL ) { + policyInfo = *policyInfos; + policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID); + policyQualifiers = policyInfo->policyQualifiers; + while ( policyQualifiers && *policyQualifiers != NULL ) { + policyQualifier = *policyQualifiers; + policyQualifier->oid = + SECOID_FindOIDTag(&policyQualifier->qualifierID); + policyQualifiers++; + } + policyInfos++; + } + + return(policies); + +loser: + if ( arena != NULL ) { + PORT_FreeArena(arena, PR_FALSE); + } + + return(NULL); +} + + +static char * +itemToString(SECItem *item) +{ + char *string; + + string = PORT_ZAlloc(item->len+1); + if (string == NULL) return NULL; + PORT_Memcpy(string,item->data,item->len); + string[item->len] = 0; + return string; +} + +static SECStatus +secu_PrintUserNoticeQualifier(FILE *out, SECItem * qualifierValue, + const char *msg, int level) +{ + CERTUserNotice *userNotice = NULL; + if (qualifierValue) + userNotice = CERT_DecodeUserNotice(qualifierValue); + if (userNotice) { + if (userNotice->noticeReference.organization.len != 0) { + char *string = + itemToString(&userNotice->noticeReference.organization); + SECItem **itemList = userNotice->noticeReference.noticeNumbers; + + while (itemList && *itemList) { + SECU_PrintInteger(out,*itemList,string,level+1); + itemList++; + } + PORT_Free(string); + } + if (userNotice->displayText.len != 0) { + SECU_PrintString(out,&userNotice->displayText, + "Display Text", level+1); + } + CERT_DestroyUserNotice(userNotice); + return SECSuccess; + } + return SECFailure; /* caller will print this value */ +} + +static SECStatus +secu_PrintPolicyQualifier(FILE *out,CERTPolicyQualifier *policyQualifier, + const char *msg, int level) +{ + SECStatus rv; + SECItem * qualifierValue = &policyQualifier->qualifierValue; + + SECU_PrintObjectID(out, &policyQualifier->qualifierID , + "Policy Qualifier Name", level); + if (!qualifierValue->data) { + SECU_Indent(out, level); + fprintf(out,"Error: missing qualifier\n"); + } else + switch (policyQualifier->oid) { + case SEC_OID_PKIX_USER_NOTICE_QUALIFIER: + rv = secu_PrintUserNoticeQualifier(out, qualifierValue, msg, level); + if (SECSuccess == rv) + break; + /* fall through on error */ + case SEC_OID_PKIX_CPS_POINTER_QUALIFIER: + default: + SECU_PrintAny(out, qualifierValue, "Policy Qualifier Data", level); + break; + } + return SECSuccess; +} + +static SECStatus +secu_PrintPolicyInfo(FILE *out, CERTPolicyInfo *policyInfo, const char *msg, int level) +{ + CERTPolicyQualifier **policyQualifiers; + + policyQualifiers = policyInfo->policyQualifiers; + SECU_PrintObjectID(out, &policyInfo->policyID , "Policy Name", level); + + while (policyQualifiers && *policyQualifiers != NULL) { + secu_PrintPolicyQualifier(out,*policyQualifiers,"",level+1); + policyQualifiers++; + } + return SECSuccess; +} + +void +SECU_PrintPolicy(FILE *out, SECItem *value, const char *msg, int level) +{ + CERTCertificatePolicies *policies = NULL; + CERTPolicyInfo **policyInfos; + + if (msg) { + SECU_Indent(out, level); + fprintf(out,"%s: \n",msg); + level++; + } + policies = secu_DecodeCertificatePoliciesExtension(value); + if (policies == NULL) { + SECU_PrintAny(out, value, "Invalid Policy Data", level); + return; + } + + policyInfos = policies->policyInfos; + while (policyInfos && *policyInfos != NULL) { + secu_PrintPolicyInfo(out,*policyInfos,"",level); + policyInfos++; + } + + CERT_DestroyCertificatePoliciesExtension(policies); +} + + +void +SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + const char *msg, int level) +{ + CERTPrivKeyUsagePeriod * prd; + PLArenaPool * arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if ( !arena ) { + goto loser; + } + prd = CERT_DecodePrivKeyUsagePeriodExtension(arena, value); + if (!prd) { + goto loser; + } + if (prd->notBefore.data) { + SECU_PrintGeneralizedTime(out, &prd->notBefore, "Not Before", level); + } + if (prd->notAfter.data) { + SECU_PrintGeneralizedTime(out, &prd->notAfter, "Not After ", level); + } + if (!prd->notBefore.data && !prd->notAfter.data) { + SECU_Indent(out, level); + fprintf(out, "Error: notBefore or notAfter MUST be present.\n"); +loser: + SECU_PrintAny(out, value, msg, level); + } + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } +} diff --git a/base/native-tools/src/p7tool/secerror.c b/base/native-tools/src/p7tool/secerror.c new file mode 100644 index 000000000..07e6bac8e --- /dev/null +++ b/base/native-tools/src/p7tool/secerror.c @@ -0,0 +1,119 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secerror.c + */ + +#include "nspr.h" +#include "secerror.h" + +struct tuple_str { + PRErrorCode errNum; + const char * errString; +}; + +typedef struct tuple_str tuple_str; + +#define ER2(a,b) {a, b}, +#define ER3(a,b,c) {a, c}, + +#include "secerr.h" +#include "sslerr.h" + +const tuple_str errStrings[] = { + +/* keep this list in asceding order of error numbers */ +#include "SSLerrs.h" +#include "SECerrs.h" +#include "NSPRerrs.h" + +}; + +const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str); + +/* Returns a UTF-8 encoded constant error string for "errNum". + * Returns NULL of errNum is unknown. + */ +const char * +SECU_Strerror(PRErrorCode errNum) { + PRInt32 low = 0; + PRInt32 high = numStrings - 1; + PRInt32 i; + PRErrorCode num; + static int initDone; + + /* make sure table is in ascending order. + * binary search depends on it. + */ + if (!initDone) { + PRErrorCode lastNum = ((PRInt32)0x80000000); + for (i = low; i <= high; ++i) { + num = errStrings[i].errNum; + if (num <= lastNum) { + fprintf(stderr, +"sequence error in error strings at item %d\n" +"error %d (%s)\n" +"should come after \n" +"error %d (%s)\n", + i, lastNum, errStrings[i-1].errString, + num, errStrings[i].errString); + } + lastNum = num; + } + initDone = 1; + } + + /* Do binary search of table. */ + while (low + 1 < high) { + i = (low + high) / 2; + num = errStrings[i].errNum; + if (errNum == num) + return errStrings[i].errString; + if (errNum < num) + high = i; + else + low = i; + } + if (errNum == errStrings[low].errNum) + return errStrings[low].errString; + if (errNum == errStrings[high].errNum) + return errStrings[high].errString; + return NULL; +} diff --git a/base/native-tools/src/p7tool/secerror.h b/base/native-tools/src/p7tool/secerror.h new file mode 100644 index 000000000..dce63728f --- /dev/null +++ b/base/native-tools/src/p7tool/secerror.h @@ -0,0 +1,44 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +#ifndef _SEC_ERROR_H_ +#define _SEC_ERROR_H_ + +const char * +SECU_Strerror(PRErrorCode errNum); + +#endif /* _SEC_ERROR_H_ */ diff --git a/base/native-tools/src/p7tool/secpwd.c b/base/native-tools/src/p7tool/secpwd.c new file mode 100644 index 000000000..c0cb9b3d5 --- /dev/null +++ b/base/native-tools/src/p7tool/secpwd.c @@ -0,0 +1,213 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secpwd.c + */ + +#include "secutil.h" + +/* + * NOTE: The contents of this file are NOT used by the client. + * (They are part of the security library as a whole, but they are + * NOT USED BY THE CLIENT.) Do not change things on behalf of the + * client (like localizing strings), or add things that are only + * for the client (put them elsewhere). + */ + + +#ifdef XP_UNIX +#include <termios.h> +#endif + +#if defined(XP_UNIX) || defined(XP_BEOS) +#include <unistd.h> /* for isatty() */ +#endif + +#if( defined(_WINDOWS) && !defined(_WIN32_WCE)) || defined(XP_OS2_VACPP) +#include <conio.h> +#include <io.h> +#define QUIET_FGETS quiet_fgets +static char * quiet_fgets (char *buf, int length, FILE *input); +#else +#define QUIET_FGETS fgets +#endif + +static void echoOff(int fd) +{ +#if defined(XP_UNIX) && !defined(VMS) + if (isatty(fd)) { + struct termios tio; + tcgetattr(fd, &tio); + tio.c_lflag &= ~ECHO; + tcsetattr(fd, TCSAFLUSH, &tio); + } +#endif +} + +static void echoOn(int fd) +{ +#if defined(XP_UNIX) && !defined(VMS) + if (isatty(fd)) { + struct termios tio; + tcgetattr(fd, &tio); + tio.c_lflag |= ECHO; + tcsetattr(fd, TCSAFLUSH, &tio); + } +#endif +} + +char *SEC_GetPassword(FILE *input, FILE *output, const char *prompt, + PRBool (*ok)(char *)) +{ +#if defined(_WINDOWS) + int isTTY = (input == stdin); +#define echoOn(x) +#define echoOff(x) +#else + int infd = fileno(input); + int isTTY = isatty(infd); +#endif + char phrase[200] = {'\0'}; /* ensure EOF doesn't return junk */ + + for (;;) { + /* Prompt for password */ + if (isTTY) { + fprintf(output, "%s", prompt); + fflush (output); + echoOff(infd); + } + + QUIET_FGETS ( phrase, sizeof(phrase), input); + + if (isTTY) { + fprintf(output, "\n"); + echoOn(infd); + } + + /* stomp on newline */ + phrase[PORT_Strlen(phrase)-1] = 0; + + /* Validate password */ + if (!(*ok)(phrase)) { + /* Not weird enough */ + if (!isTTY) return 0; + fprintf(output, "Password must be at least 8 characters long with one or more\n"); + fprintf(output, "non-alphabetic characters\n"); + continue; + } + return (char*) PORT_Strdup(phrase); + } +} + + + +PRBool SEC_CheckPassword(char *cp) +{ + int len; + char *end; + + len = PORT_Strlen(cp); + if (len < 8) { + return PR_FALSE; + } + end = cp + len; + while (cp < end) { + unsigned char ch = *cp++; + if (!((ch >= 'A') && (ch <= 'Z')) && + !((ch >= 'a') && (ch <= 'z'))) { + /* pass phrase has at least one non alphabetic in it */ + return PR_TRUE; + } + } + return PR_FALSE; +} + +PRBool SEC_BlindCheckPassword(char *cp) +{ + if (cp != NULL) { + return PR_TRUE; + } + return PR_FALSE; +} + +/* Get a password from the input terminal, without echoing */ + +#if defined(_WINDOWS) || defined(XP_OS2_VACPP) +static char * quiet_fgets (char *buf, int length, FILE *input) + { + int c; + char *end = buf; + + /* fflush (input); */ + memset (buf, 0, length); + +#ifndef XP_OS2_VACPP + if (input != stdin) { + return fgets(buf,length,input); + } +#else + if (!isatty(fileno(input))) { + return fgets(buf,length,input); + } +#endif + + while (1) + { +#if defined (_WIN32_WCE) + c = getchar(); /* gets a character from stdin */ +#else + c = getch(); /* getch gets a character from the console */ +#endif + if (c == '\b') + { + if (end > buf) + end--; + } + + else if (--length > 0) + *end++ = c; + + if (!c || c == '\n' || c == '\r') + break; + } + + return buf; + } +#endif diff --git a/base/native-tools/src/p7tool/secutil.c b/base/native-tools/src/p7tool/secutil.c new file mode 100644 index 000000000..abdfd216f --- /dev/null +++ b/base/native-tools/src/p7tool/secutil.c @@ -0,0 +1,3665 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.c + */ + +/* +** secutil.c - various functions used by security stuff +** +*/ + +#include "prtypes.h" +#include "prtime.h" +#include "prlong.h" +#include "prerror.h" +#include "prprf.h" +#include "plgetopt.h" +#include "prenv.h" +#include "prnetdb.h" + +#include "cryptohi.h" +#include "secerror.h" +#include "secutil.h" +#include "secpkcs7.h" +#include <stdarg.h> +#if !defined(_WIN32_WCE) +#include <sys/stat.h> +#include <errno.h> +#endif + +#ifdef XP_UNIX +#include <unistd.h> +#endif + +/* for SEC_TraverseNames */ +#include "cert.h" +#include "certt.h" +#include "certdb.h" + +/* #include "secmod.h" */ +#include "pk11func.h" +#include "secoid.h" + +static char consoleName[] = { +#ifdef XP_UNIX +#ifdef VMS + "TT" +#else + "/dev/tty" +#endif +#else +#ifdef XP_OS2 + "\\DEV\\CON" +#else + "CON:" +#endif +#endif +}; + + +static char * +SECU_GetString(int16 error_number) +{ + + static char errString[80]; + sprintf(errString, "Unknown error string (%d)", error_number); + return errString; +} + +static void +SECU_PrintErrMsg(FILE *out, int level, const char *progName, const char *msg, ...) +{ + va_list args; + PRErrorCode err = PORT_GetError(); + const char * errString = SECU_Strerror(err); + + va_start(args, msg); + + SECU_Indent(out, level); + fprintf(out, "%s: ", progName); + vfprintf(out, msg, args); + if (errString != NULL && PORT_Strlen(errString) > 0) + fprintf(out, ": %s\n", errString); + else + fprintf(out, ": error %d\n", (int)err); + + va_end(args); +} + +void +SECU_PrintError(const char *progName, const char *msg, ...) +{ + va_list args; + PRErrorCode err = PORT_GetError(); + const char * errString = SECU_Strerror(err); + + va_start(args, msg); + + fprintf(stderr, "%s: ", progName); + vfprintf(stderr, msg, args); + if (errString != NULL && PORT_Strlen(errString) > 0) + fprintf(stderr, ": %s\n", errString); + else + fprintf(stderr, ": error %d\n", (int)err); + + va_end(args); +} + +void +SECU_PrintSystemError(const char *progName, const char *msg, ...) +{ + va_list args; + + va_start(args, msg); + fprintf(stderr, "%s: ", progName); + vfprintf(stderr, msg, args); +#if defined(_WIN32_WCE) + fprintf(stderr, ": %d\n", PR_GetOSError()); +#else + fprintf(stderr, ": %s\n", strerror(errno)); +#endif + va_end(args); +} + +static void +secu_ClearPassword(char *p) +{ + if (p) { + PORT_Memset(p, 0, PORT_Strlen(p)); + PORT_Free(p); + } +} + +char * +SECU_GetPasswordString(void *arg, char *prompt) +{ +#ifndef _WINDOWS + char *p = NULL; + FILE *input, *output; + + /* open terminal */ + input = fopen(consoleName, "r"); + if (input == NULL) { + fprintf(stderr, "Error opening input terminal for read\n"); + return NULL; + } + + output = fopen(consoleName, "w"); + if (output == NULL) { + fprintf(stderr, "Error opening output terminal for write\n"); + fclose(input); + return NULL; + } + + p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword); + + + fclose(input); + fclose(output); + + return p; + +#else + /* Win32 version of above. opening the console may fail + on windows95, and certainly isn't necessary.. */ + + char *p = NULL; + + p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword); + return p; + +#endif +} + + +/* + * p a s s w o r d _ h a r d c o d e + * + * A function to use the password passed in the -f(pwfile) argument + * of the command line. + * After use once, null it out otherwise PKCS11 calls us forever.? + * + */ +char * +SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + unsigned char phrase[200]; + PRFileDesc *fd; + PRInt32 nb; + char *pwFile = arg; + int i; + + if (!pwFile) + return 0; + + if (retry) { + return 0; /* no good retrying - the files contents will be the same */ + } + + fd = PR_Open(pwFile, PR_RDONLY, 0); + if (!fd) { + fprintf(stderr, "No password file \"%s\" exists.\n", pwFile); + return NULL; + } + + nb = PR_Read(fd, phrase, sizeof(phrase)); + + PR_Close(fd); + /* handle the Windows EOL case */ + i = 0; + while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++; + phrase[i] = '\0'; + if (nb == 0) { + fprintf(stderr,"password file contains no data\n"); + return NULL; + } + return (char*) PORT_Strdup((char*)phrase); +} + +char * +SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char prompt[255]; + char external[] = "external"; + secuPWData *pwdata = (secuPWData *)arg; + secuPWData pwnull = { PW_NONE, 0 }; + secuPWData pwxtrn = { PW_EXTERNAL, external }; + char *pw; + + if (pwdata == NULL) + pwdata = &pwnull; + + if (PK11_ProtectedAuthenticationPath(slot)) { + pwdata = &pwxtrn; + } + if (retry && pwdata->source != PW_NONE) { + PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n"); + return NULL; + } + + switch (pwdata->source) { + case PW_NONE: + sprintf(prompt, "Enter Password or Pin for \"%s\":", + PK11_GetTokenName(slot)); + return SECU_GetPasswordString(NULL, prompt); + case PW_FROMFILE: + /* Instead of opening and closing the file every time, get the pw + * once, then keep it in memory (duh). + */ + pw = SECU_FilePasswd(slot, retry, pwdata->data); + pwdata->source = PW_PLAINTEXT; + pwdata->data = PL_strdup(pw); + /* it's already been dup'ed */ + return pw; + case PW_EXTERNAL: + sprintf(prompt, + "Press Enter, then enter PIN for \"%s\" on external device.\n", + PK11_GetTokenName(slot)); + (void) SECU_GetPasswordString(NULL, prompt); + /* Fall Through */ + case PW_PLAINTEXT: + return PL_strdup(pwdata->data); + default: + break; + } + + PR_fprintf(PR_STDERR, "Password check failed: No password found.\n"); + return NULL; +} + +static char * +secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char *p0 = NULL; + char *p1 = NULL; + FILE *input, *output; + secuPWData *pwdata = arg; + + if (pwdata->source == PW_FROMFILE) { + return SECU_FilePasswd(slot, retry, pwdata->data); + } + if (pwdata->source == PW_PLAINTEXT) { + return PL_strdup(pwdata->data); + } + + /* PW_NONE - get it from tty */ + /* open terminal */ +#ifdef _WINDOWS + input = stdin; +#else + input = fopen(consoleName, "r"); +#endif + if (input == NULL) { + PR_fprintf(PR_STDERR, "Error opening input terminal for read\n"); + return NULL; + } + + /* we have no password, so initialize database with one */ + PR_fprintf(PR_STDERR, + "Enter a password which will be used to encrypt your keys.\n" + "The password should be at least 8 characters long,\n" + "and should contain at least one non-alphabetic character.\n\n"); + + output = fopen(consoleName, "w"); + if (output == NULL) { + PR_fprintf(PR_STDERR, "Error opening output terminal for write\n"); + fclose(input); + return NULL; + } + + + for (;;) { + if (p0) + PORT_Free(p0); + p0 = SEC_GetPassword(input, output, "Enter new password: ", + SEC_BlindCheckPassword); + + if (p1) + PORT_Free(p1); + p1 = SEC_GetPassword(input, output, "Re-enter password: ", + SEC_BlindCheckPassword); + if (p0 && p1 && !PORT_Strcmp(p0, p1)) { + break; + } + PR_fprintf(PR_STDERR, "Passwords do not match. Try again.\n"); + } + + /* clear out the duplicate password string */ + secu_ClearPassword(p1); + + fclose(input); + fclose(output); + + return p0; +} + +SECStatus +SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile) +{ + SECStatus rv; + secuPWData pwdata, newpwdata; + char *oldpw = NULL, *newpw = NULL; + + if (passwd) { + pwdata.source = PW_PLAINTEXT; + pwdata.data = passwd; + } else if (pwFile) { + pwdata.source = PW_FROMFILE; + pwdata.data = pwFile; + } else { + pwdata.source = PW_NONE; + pwdata.data = NULL; + } + + if (PK11_NeedUserInit(slot)) { + newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata); + rv = PK11_InitPin(slot, (char*)NULL, newpw); + goto done; + } + + for (;;) { + oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata); + + if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) { + if (pwdata.source == PW_NONE) { + PR_fprintf(PR_STDERR, "Invalid password. Try again.\n"); + } else { + PR_fprintf(PR_STDERR, "Invalid password.\n"); + PORT_Memset(oldpw, 0, PL_strlen(oldpw)); + PORT_Free(oldpw); + return SECFailure; + } + } else + break; + + PORT_Free(oldpw); + } + + newpwdata.source = PW_NONE; + newpwdata.data = NULL; + + newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata); + + if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed to change password.\n"); + return SECFailure; + } + + PORT_Memset(oldpw, 0, PL_strlen(oldpw)); + PORT_Free(oldpw); + + PR_fprintf(PR_STDOUT, "Password changed successfully.\n"); + +done: + PORT_Memset(newpw, 0, PL_strlen(newpw)); + PORT_Free(newpw); + return SECSuccess; +} + +struct matchobj { + SECItem index; + char *nname; + PRBool found; +}; + +char * +SECU_DefaultSSLDir(void) +{ + char *dir; + static char sslDir[1000]; + + dir = PR_GetEnv("SSL_DIR"); + if (!dir) + return NULL; + + sprintf(sslDir, "%s", dir); + + if (sslDir[strlen(sslDir)-1] == '/') + sslDir[strlen(sslDir)-1] = 0; + + return sslDir; +} + +char * +SECU_AppendFilenameToDir(char *dir, char *filename) +{ + static char path[1000]; + + if (dir[strlen(dir)-1] == '/') + sprintf(path, "%s%s", dir, filename); + else + sprintf(path, "%s/%s", dir, filename); + return path; +} + +char * +SECU_ConfigDirectory(const char* base) +{ + static PRBool initted = PR_FALSE; + const char *dir = ".netscape"; + const char *home; + static char buf[1000]; + + if (initted) return buf; + + + if (base == NULL || *base == 0) { + home = PR_GetEnv("HOME"); + if (!home) home = ""; + + if (*home && home[strlen(home) - 1] == '/') + sprintf (buf, "%.900s%s", home, dir); + else + sprintf (buf, "%.900s/%s", home, dir); + } else { + sprintf(buf, "%.900s", base); + if (buf[strlen(buf) - 1] == '/') + buf[strlen(buf) - 1] = 0; + } + + + initted = PR_TRUE; + return buf; +} + +/*Turn off SSL for now */ +/* This gets called by SSL when server wants our cert & key */ +int +SECU_GetClientAuthData(void *arg, PRFileDesc *fd, + struct CERTDistNamesStr *caNames, + struct CERTCertificateStr **pRetCert, + struct SECKEYPrivateKeyStr **pRetKey) +{ + SECKEYPrivateKey *key; + CERTCertificate *cert; + int errsave; + + if (arg == NULL) { + fprintf(stderr, "no key/cert name specified for client auth\n"); + return -1; + } + cert = PK11_FindCertFromNickname(arg, NULL); + errsave = PORT_GetError(); + if (!cert) { + if (errsave == SEC_ERROR_BAD_PASSWORD) + fprintf(stderr, "Bad password\n"); + else if (errsave > 0) + fprintf(stderr, "Unable to read cert (error %d)\n", errsave); + else if (errsave == SEC_ERROR_BAD_DATABASE) + fprintf(stderr, "Unable to get cert from database (%d)\n", errsave); + else + fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave); + return -1; + } + + key = PK11_FindKeyByAnyCert(arg,NULL); + if (!key) { + fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError()); + return -1; + } + + + *pRetCert = cert; + *pRetKey = key; + + return 0; +} + +static SECStatus +secu_StdinToItem(SECItem *dst) +{ + unsigned char buf[1000]; + PRInt32 numBytes; + PRBool notDone = PR_TRUE; + + dst->len = 0; + dst->data = NULL; + + while (notDone) { + numBytes = PR_Read(PR_STDIN, buf, sizeof(buf)); + + if (numBytes < 0) { + return SECFailure; + } + + if (numBytes == 0) + break; + + if (dst->data) { + unsigned char * p = dst->data; + dst->data = (unsigned char*)PORT_Realloc(p, dst->len + numBytes); + if (!dst->data) { + PORT_Free(p); + } + } else { + dst->data = (unsigned char*)PORT_Alloc(numBytes); + } + if (!dst->data) { + return SECFailure; + } + PORT_Memcpy(dst->data + dst->len, buf, numBytes); + dst->len += numBytes; + } + + return SECSuccess; +} + +SECStatus +SECU_FileToItem(SECItem *dst, PRFileDesc *src) +{ + PRFileInfo info; + PRInt32 numBytes; + PRStatus prStatus; + + if (src == PR_STDIN) + return secu_StdinToItem(dst); + + prStatus = PR_GetOpenFileInfo(src, &info); + + if (prStatus != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + + /* XXX workaround for 3.1, not all utils zero dst before sending */ + dst->data = 0; + if (!SECITEM_AllocItem(NULL, dst, info.size)) + goto loser; + + numBytes = PR_Read(src, dst->data, info.size); + if (numBytes != info.size) { + PORT_SetError(SEC_ERROR_IO); + goto loser; + } + + return SECSuccess; +loser: + SECITEM_FreeItem(dst, PR_FALSE); + return SECFailure; +} + +SECStatus +SECU_TextFileToItem(SECItem *dst, PRFileDesc *src) +{ + PRFileInfo info; + PRInt32 numBytes; + PRStatus prStatus; + unsigned char *buf; + + if (src == PR_STDIN) + return secu_StdinToItem(dst); + + prStatus = PR_GetOpenFileInfo(src, &info); + + if (prStatus != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + + buf = (unsigned char*)PORT_Alloc(info.size); + if (!buf) + return SECFailure; + + numBytes = PR_Read(src, buf, info.size); + if (numBytes != info.size) { + PORT_SetError(SEC_ERROR_IO); + goto loser; + } + + if (buf[numBytes-1] == '\n') numBytes--; +#ifdef _WINDOWS + if (buf[numBytes-1] == '\r') numBytes--; +#endif + + /* XXX workaround for 3.1, not all utils zero dst before sending */ + dst->data = 0; + if (!SECITEM_AllocItem(NULL, dst, numBytes)) + goto loser; + + memcpy(dst->data, buf, numBytes); + + PORT_Free(buf); + return SECSuccess; +loser: + PORT_Free(buf); + return SECFailure; +} + +SECStatus +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii) +{ + SECStatus rv; + if (ascii) { + /* First convert ascii to binary */ + SECItem filedata; + char *asc, *body; + + /* Read in ascii data */ + rv = SECU_FileToItem(&filedata, inFile); + asc = (char *)filedata.data; + if (!asc) { + fprintf(stderr, "unable to read data from input file\n"); + return SECFailure; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(asc, "-----BEGIN")) != NULL) { + char *trailer = NULL; + asc = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */ + if (body) + trailer = strstr(++body, "-----END"); + if (trailer != NULL) { + *trailer = '\0'; + } else { + fprintf(stderr, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = asc; + } + + /* Convert to binary */ + rv = ATOB_ConvertAsciiToItem(der, body); + if (rv) { + fprintf(stderr, "error converting ascii to binary (%s)\n", + SECU_Strerror(PORT_GetError())); + PORT_Free(filedata.data); + return SECFailure; + } + + PORT_Free(filedata.data); + } else { + /* Read in binary der */ + rv = SECU_FileToItem(der, inFile); + if (rv) { + fprintf(stderr, "error converting der (%s)\n", + SECU_Strerror(PORT_GetError())); + return SECFailure; + } + } + return SECSuccess; +} + +#define INDENT_MULT 4 +void +SECU_Indent(FILE *out, int level) +{ + int i; + + for (i = 0; i < level; i++) { + fprintf(out, " "); + } +} + +static void secu_Newline(FILE *out) +{ + fprintf(out, "\n"); +} + +void +SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level) +{ + unsigned i; + int column; + PRBool isString = PR_TRUE; + PRBool isWhiteSpace = PR_TRUE; + PRBool printedHex = PR_FALSE; + unsigned int limit = 15; + + if ( m ) { + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + level++; + } + + SECU_Indent(out, level); column = level*INDENT_MULT; + if (!data->len) { + fprintf(out, "(empty)\n"); + return; + } + /* take a pass to see if it's all printable. */ + for (i = 0; i < data->len; i++) { + unsigned char val = data->data[i]; + if (!val || !isprint(val)) { + isString = PR_FALSE; + break; + } + if (isWhiteSpace && !isspace(val)) { + isWhiteSpace = PR_FALSE; + } + } + + /* Short values, such as bit strings (which are printed with this + ** function) often look like strings, but we want to see the bits. + ** so this test assures that short values will be printed in hex, + ** perhaps in addition to being printed as strings. + ** The threshold size (4 bytes) is arbitrary. + */ + if (!isString || data->len <= 4) { + for (i = 0; i < data->len; i++) { + if (i != data->len - 1) { + fprintf(out, "%02x:", data->data[i]); + column += 3; + } else { + fprintf(out, "%02x", data->data[i]); + column += 2; + break; + } + if (column > 76 || (i % 16 == limit)) { + secu_Newline(out); + SECU_Indent(out, level); + column = level*INDENT_MULT; + limit = i % 16; + } + } + printedHex = PR_TRUE; + } + if (isString && !isWhiteSpace) { + if (printedHex != PR_FALSE) { + secu_Newline(out); + SECU_Indent(out, level); column = level*INDENT_MULT; + } + for (i = 0; i < data->len; i++) { + unsigned char val = data->data[i]; + + if (val) { + fprintf(out,"%c",val); + column++; + } else { + column = 77; + } + if (column > 76) { + secu_Newline(out); + SECU_Indent(out, level); column = level*INDENT_MULT; + } + } + } + + if (column != level*INDENT_MULT) { + secu_Newline(out); + } +} + +static const char *hex = "0123456789abcdef"; + +static const char printable[257] = { + "................" /* 0x */ + "................" /* 1x */ + " !\"#$%&'()*+,-./" /* 2x */ + "0123456789:;<=>?" /* 3x */ + "@ABCDEFGHIJKLMNO" /* 4x */ + "PQRSTUVWXYZ[\\]^_" /* 5x */ + "`abcdefghijklmno" /* 6x */ + "pqrstuvwxyz{|}~." /* 7x */ + "................" /* 8x */ + "................" /* 9x */ + "................" /* ax */ + "................" /* bx */ + "................" /* cx */ + "................" /* dx */ + "................" /* ex */ + "................" /* fx */ +}; + +void +SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len) +{ + const unsigned char *cp = (const unsigned char *)vp; + char buf[80]; + char *bp; + char *ap; + + fprintf(out, "%s [Len: %d]\n", msg, len); + memset(buf, ' ', sizeof buf); + bp = buf; + ap = buf + 50; + while (--len >= 0) { + unsigned char ch = *cp++; + *bp++ = hex[(ch >> 4) & 0xf]; + *bp++ = hex[ch & 0xf]; + *bp++ = ' '; + *ap++ = printable[ch]; + if (ap - buf >= 66) { + *ap = 0; + fprintf(out, " %s\n", buf); + memset(buf, ' ', sizeof buf); + bp = buf; + ap = buf + 50; + } + } + if (bp > buf) { + *ap = 0; + fprintf(out, " %s\n", buf); + } +} + +static SECStatus +SECU_StripTagAndLength(SECItem *i) +{ + unsigned int start; + + if (!i || !i->data || i->len < 2) { /* must be at least tag and length */ + return SECFailure; + } + start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2); + if (i->len < start) { + return SECFailure; + } + i->data += start; + i->len -= start; + return SECSuccess; +} + + +/* This expents i->data[0] to be the MSB of the integer. +** if you want to print a DER-encoded integer (with the tag and length) +** call SECU_PrintEncodedInteger(); +*/ +void +SECU_PrintInteger(FILE *out, SECItem *i, const char *m, int level) +{ + int iv; + + if (!i || !i->len || !i->data) { + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: (null)\n", m); + } else { + fprintf(out, "(null)\n"); + } + } else if (i->len > 4) { + SECU_PrintAsHex(out, i, m, level); + } else { + iv = DER_GetInteger(i); + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: %d (0x%x)\n", m, iv, iv); + } else { + fprintf(out, "%d (0x%x)\n", iv, iv); + } + } +} + +static void +secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level) +{ + int column; + unsigned int i; + + if ( m ) { + SECU_Indent(out, level); fprintf(out, "%s: ", m); + column = (level * INDENT_MULT) + strlen(m) + 2; + level++; + } else { + SECU_Indent(out, level); + column = level*INDENT_MULT; + } + fprintf(out, "\""); column++; + + for (i = 0; i < si->len; i++) { + unsigned char val = si->data[i]; + if (column > 76) { + secu_Newline(out); + SECU_Indent(out, level); column = level*INDENT_MULT; + } + + fprintf(out,"%c", printable[val]); column++; + } + + fprintf(out, "\""); column++; + if (column != level*INDENT_MULT || column > 76) { + secu_Newline(out); + } +} + +void +SECU_PrintString(FILE *out, SECItem *si, const char *m, int level) +{ + SECItem my = *si; + + if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len) + return; + secu_PrintRawString(out, &my, m, level); +} + +/* print an unencoded boolean */ +static void +secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level) +{ + int val = 0; + + if ( i->data && i->len ) { + val = i->data[0]; + } + + if (!m) { + m = "Boolean"; + } + SECU_Indent(out, level); + fprintf(out, "%s: %s\n", m, (val ? "True" : "False")); +} + +/* + * Format and print "time_val". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +static void +secu_PrintTime(FILE *out, int64 time_val, const char *m, int level) +{ + PRExplodedTime printableTime; + char *timeString; + + /* Convert to local time */ + PR_ExplodeTime(time_val, PR_GMTParameters, &printableTime); + + timeString = PORT_Alloc(100); + if (timeString == NULL) + return; + + if (m != NULL) { + SECU_Indent(out, level); + fprintf(out, "%s: ", m); + } + + PR_FormatTime(timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime); + fprintf(out, "%s", timeString); + + if (m != NULL) + fprintf(out, "\n"); + + PORT_Free(timeString); +} + +/* + * Format and print the UTC Time "t". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +void +SECU_PrintUTCTime(FILE *out, SECItem *t, const char *m, int level) +{ + int64 time_val; + SECStatus rv; + + rv = DER_UTCTimeToTime(&time_val, t); + if (rv != SECSuccess) + return; + + secu_PrintTime(out, time_val, m, level); +} + +/* + * Format and print the Generalized Time "t". If the tag message "m" + * is not NULL, * do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +void +SECU_PrintGeneralizedTime(FILE *out, SECItem *t, const char *m, int level) +{ + int64 time_val; + SECStatus rv; + + + rv = DER_GeneralizedTimeToTime(&time_val, t); + if (rv != SECSuccess) + return; + + secu_PrintTime(out, time_val, m, level); +} + +/* + * Format and print the UTC or Generalized Time "t". If the tag message + * "m" is not NULL, do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +void +SECU_PrintTimeChoice(FILE *out, SECItem *t, const char *m, int level) +{ + switch (t->type) { + case siUTCTime: + SECU_PrintUTCTime(out, t, m, level); + break; + + case siGeneralizedTime: + SECU_PrintGeneralizedTime(out, t, m, level); + break; + + default: + PORT_Assert(0); + break; + } +} + + +/* This prints a SET or SEQUENCE */ +static void +SECU_PrintSet(FILE *out, SECItem *t, const char *m, int level) +{ + int type = t->data[0] & SEC_ASN1_TAGNUM_MASK; + int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED; + const char * label; + SECItem my = *t; + + if (!constructed) { + SECU_PrintAsHex(out, t, m, level); + return; + } + if (SECSuccess != SECU_StripTagAndLength(&my)) + return; + + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: ", m); + } + + if (type == SEC_ASN1_SET) + label = "Set "; + else if (type == SEC_ASN1_SEQUENCE) + label = "Sequence "; + else + label = ""; + fprintf(out,"%s{\n", label); /* } */ + + while (my.len >= 2) { + SECItem tmp = my; + + if (tmp.data[1] & 0x80) { + unsigned int i; + unsigned int lenlen = tmp.data[1] & 0x7f; + if (lenlen > sizeof tmp.len) + break; + tmp.len = 0; + for (i=0; i < lenlen; i++) { + tmp.len = (tmp.len << 8) | tmp.data[2+i]; + } + tmp.len += lenlen + 2; + } else { + tmp.len = tmp.data[1] + 2; + } + if (tmp.len > my.len) { + tmp.len = my.len; + } + my.data += tmp.len; + my.len -= tmp.len; + SECU_PrintAny(out, &tmp, NULL, level + 1); + } + SECU_Indent(out, level); fprintf(out, /* { */ "}\n"); +} + +static void +secu_PrintContextSpecific(FILE *out, SECItem *i, const char *m, int level) +{ + int type = i->data[0] & SEC_ASN1_TAGNUM_MASK; + int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED; + SECItem tmp; + + if (constructed) { + char * m2; + if (!m) + m2 = PR_smprintf("[%d]", type); + else + m2 = PR_smprintf("%s: [%d]", m, type); + if (m2) { + SECU_PrintSet(out, i, m2, level); + PR_smprintf_free(m2); + } + return; + } + + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: ", m); + } + fprintf(out,"[%d]\n", type); + + tmp = *i; + if (SECSuccess == SECU_StripTagAndLength(&tmp)) + SECU_PrintAsHex(out, &tmp, m, level+1); +} + +static void +secu_PrintOctetString(FILE *out, SECItem *i, const char *m, int level) +{ + SECItem tmp = *i; + if (SECSuccess == SECU_StripTagAndLength(&tmp)) + SECU_PrintAsHex(out, &tmp, m, level); +} + +static void +secu_PrintBitString(FILE *out, SECItem *i, const char *m, int level) +{ + int unused_bits; + SECItem tmp = *i; + + if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2) + return; + + unused_bits = *tmp.data++; + tmp.len--; + + SECU_PrintAsHex(out, &tmp, m, level); + if (unused_bits) { + SECU_Indent(out, level + 1); + fprintf(out, "(%d least significant bits unused)\n", unused_bits); + } +} + +/* in a decoded bit string, the len member is a bit length. */ +static void +secu_PrintDecodedBitString(FILE *out, SECItem *i, const char *m, int level) +{ + int unused_bits; + SECItem tmp = *i; + + + unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0; + DER_ConvertBitString(&tmp); /* convert length to byte length */ + + SECU_PrintAsHex(out, &tmp, m, level); + if (unused_bits) { + SECU_Indent(out, level + 1); + fprintf(out, "(%d least significant bits unused)\n", unused_bits); + } +} + + +/* Print a DER encoded Boolean */ +static void +SECU_PrintEncodedBoolean(FILE *out, SECItem *i, const char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + secu_PrintBoolean(out, &my, m, level); +} + +/* Print a DER encoded integer */ +static void +SECU_PrintEncodedInteger(FILE *out, SECItem *i, const char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + SECU_PrintInteger(out, &my, m, level); +} + +/* Print a DER encoded OID */ +static void +SECU_PrintEncodedObjectID(FILE *out, SECItem *i, const char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + SECU_PrintObjectID(out, &my, m, level); +} + +static void +secu_PrintBMPString(FILE *out, SECItem *i, const char *m, int level) +{ + unsigned char * s; + unsigned char * d; + int len; + SECItem tmp = {0, 0, 0}; + SECItem my = *i; + + if (SECSuccess != SECU_StripTagAndLength(&my)) + goto loser; + if (my.len % 2) + goto loser; + len = (int)(my.len / 2); + tmp.data = (unsigned char *)PORT_Alloc(len); + if (!tmp.data) + goto loser; + tmp.len = len; + for (s = my.data, d = tmp.data ; len > 0; len--) { + PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2; + if (!isprint(bmpChar)) + goto loser; + *d++ = (unsigned char)bmpChar; + } + secu_PrintRawString(out, &tmp, m, level); + PORT_Free(tmp.data); + return; + +loser: + SECU_PrintAsHex(out, i, m, level); + if (tmp.data) + PORT_Free(tmp.data); +} + +static void +secu_PrintUniversalString(FILE *out, SECItem *i, const char *m, int level) +{ + unsigned char * s; + unsigned char * d; + int len; + SECItem tmp = {0, 0, 0}; + SECItem my = *i; + + if (SECSuccess != SECU_StripTagAndLength(&my)) + goto loser; + if (my.len % 4) + goto loser; + len = (int)(my.len / 4); + tmp.data = (unsigned char *)PORT_Alloc(len); + if (!tmp.data) + goto loser; + tmp.len = len; + for (s = my.data, d = tmp.data ; len > 0; len--) { + PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3]; + s += 4; + if (!isprint(bmpChar)) + goto loser; + *d++ = (unsigned char)bmpChar; + } + secu_PrintRawString(out, &tmp, m, level); + PORT_Free(tmp.data); + return; + +loser: + SECU_PrintAsHex(out, i, m, level); + if (tmp.data) + PORT_Free(tmp.data); +} + +static void +secu_PrintUniversal(FILE *out, SECItem *i, const char *m, int level) +{ + switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) { + case SEC_ASN1_ENUMERATED: + case SEC_ASN1_INTEGER: + SECU_PrintEncodedInteger(out, i, m, level); + break; + case SEC_ASN1_OBJECT_ID: + SECU_PrintEncodedObjectID(out, i, m, level); + break; + case SEC_ASN1_BOOLEAN: + SECU_PrintEncodedBoolean(out, i, m, level); + break; + case SEC_ASN1_UTF8_STRING: + case SEC_ASN1_PRINTABLE_STRING: + case SEC_ASN1_VISIBLE_STRING: + case SEC_ASN1_IA5_STRING: + case SEC_ASN1_T61_STRING: + SECU_PrintString(out, i, m, level); + break; + case SEC_ASN1_GENERALIZED_TIME: + SECU_PrintGeneralizedTime(out, i, m, level); + break; + case SEC_ASN1_UTC_TIME: + SECU_PrintUTCTime(out, i, m, level); + break; + case SEC_ASN1_NULL: + SECU_Indent(out, level); + if (m && m[0]) + fprintf(out, "%s: NULL\n", m); + else + fprintf(out, "NULL\n"); + break; + case SEC_ASN1_SET: + case SEC_ASN1_SEQUENCE: + SECU_PrintSet(out, i, m, level); + break; + case SEC_ASN1_OCTET_STRING: + secu_PrintOctetString(out, i, m, level); + break; + case SEC_ASN1_BIT_STRING: + secu_PrintBitString(out, i, m, level); + break; + case SEC_ASN1_BMP_STRING: + secu_PrintBMPString(out, i, m, level); + break; + case SEC_ASN1_UNIVERSAL_STRING: + secu_PrintUniversalString(out, i, m, level); + break; + default: + SECU_PrintAsHex(out, i, m, level); + break; + } +} + +void +SECU_PrintAny(FILE *out, SECItem *i, const char *m, int level) +{ + if ( i && i->len && i->data ) { + switch (i->data[0] & SEC_ASN1_CLASS_MASK) { + case SEC_ASN1_CONTEXT_SPECIFIC: + secu_PrintContextSpecific(out, i, m, level); + break; + case SEC_ASN1_UNIVERSAL: + secu_PrintUniversal(out, i, m, level); + break; + default: + SECU_PrintAsHex(out, i, m, level); + break; + } + } +} + +static int +secu_PrintValidity(FILE *out, CERTValidity *v, const char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1); + SECU_PrintTimeChoice(out, &v->notAfter, "Not After ", level+1); + return 0; +} + +/* This function does NOT expect a DER type and length. */ +SECOidTag +SECU_PrintObjectID(FILE *out, SECItem *oid, const char *m, int level) +{ + SECOidData *oiddata; + char * oidString = NULL; + + oiddata = SECOID_FindOID(oid); + if (oiddata != NULL) { + const char *name = oiddata->desc; + SECU_Indent(out, level); + if (m != NULL) + fprintf(out, "%s: ", m); + fprintf(out, "%s\n", name); + return oiddata->offset; + } + oidString = CERT_GetOidString(oid); + if (oidString) { + SECU_Indent(out, level); + if (m != NULL) + fprintf(out, "%s: ", m); + fprintf(out, "%s\n", oidString); + PR_smprintf_free(oidString); + return SEC_OID_UNKNOWN; + } + SECU_PrintAsHex(out, oid, m, level); + return SEC_OID_UNKNOWN; +} + + +/* This function does NOT expect a DER type and length. */ +void +SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, const char *m, int level) +{ + SECU_PrintObjectID(out, &a->algorithm, m, level); + + if (a->parameters.len == 0 + || (a->parameters.len == 2 + && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { + /* No arguments or NULL argument */ + } else { + /* Print args to algorithm */ + SECU_PrintAsHex(out, &a->parameters, "Args", level+1); + } +} + +static void +secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, const char *m, int level) +{ + SECItem *value; + int i; + char om[100]; + + if (m) { + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + } + + /* + * Should make this smarter; look at the type field and then decode + * and print the value(s) appropriately! + */ + SECU_PrintObjectID(out, &(attr->type), "Type", level+1); + if (attr->values != NULL) { + i = 0; + while ((value = attr->values[i++]) != NULL) { + sprintf(om, "Value (%d)%s", i, attr->encoded ? " (encoded)" : ""); + if (attr->encoded || attr->typeTag == NULL) { + SECU_PrintAny(out, value, om, level+1); + } else { + switch (attr->typeTag->offset) { + default: + SECU_PrintAsHex(out, value, om, level+1); + break; + case SEC_OID_PKCS9_CONTENT_TYPE: + SECU_PrintObjectID(out, value, om, level+1); + break; + case SEC_OID_PKCS9_SIGNING_TIME: + SECU_PrintTimeChoice(out, value, om, level+1); + break; + } + } + } + } +} + +static void +secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, const char *m, int level) +{ + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1); + SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1); + if (pk->u.rsa.publicExponent.len == 1 && + pk->u.rsa.publicExponent.data[0] == 1) { + SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n"); + } +} + +static void +secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, const char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1); + SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1); + SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1); + SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1); +} + +#ifdef NSS_ENABLE_ECC +static void +secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) +{ + SECItem curveOID = { siBuffer, NULL, 0}; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1); + /* For named curves, the DEREncodedParams field contains an + * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID). + */ + if ((pk->u.ec.DEREncodedParams.len > 2) && + (pk->u.ec.DEREncodedParams.data[0] == 0x06)) { + curveOID.len = pk->u.ec.DEREncodedParams.data[1]; + curveOID.data = pk->u.ec.DEREncodedParams.data + 2; + SECU_PrintObjectID(out, &curveOID, "Curve", level +1); + } +} +#endif /* NSS_ENABLE_ECC */ + +static void +secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena, + CERTSubjectPublicKeyInfo *i, const char *msg, int level) +{ + SECKEYPublicKey *pk; + + SECU_Indent(out, level); fprintf(out, "%s:\n", msg); + SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1); + + pk = SECKEY_ExtractPublicKey(i); + if (pk) { + switch (pk->keyType) { + case rsaKey: + secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1); + break; + + case dsaKey: + secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1); + break; + +#ifdef NSS_ENABLE_ECC + case ecKey: + secu_PrintECPublicKey(out, pk, "EC Public Key", level +1); + break; +#endif + + case dhKey: + case fortezzaKey: + case keaKey: + SECU_Indent(out, level); + fprintf(out, "unable to format this SPKI algorithm type\n"); + goto loser; + default: + SECU_Indent(out, level); + fprintf(out, "unknown SPKI algorithm type\n"); + goto loser; + } + PORT_FreeArena(pk->arena, PR_FALSE); + } else { + SECU_PrintErrMsg(out, level, "Error", "Parsing public key"); +loser: + if (i->subjectPublicKey.data) { + SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level); + } + } +} + +static SECStatus +secu_PrintX509InvalidDate(FILE *out, SECItem *value, const char *msg, int level) +{ + SECItem decodedValue; + SECStatus rv; + int64 invalidTime; + char *formattedTime = NULL; + + decodedValue.data = NULL; + rv = SEC_ASN1DecodeItem (NULL, &decodedValue, + SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), + value); + if (rv == SECSuccess) { + rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue); + if (rv == SECSuccess) { + formattedTime = CERT_GenTime2FormattedAscii + (invalidTime, (char *) "%a %b %d %H:%M:%S %Y"); + SECU_Indent(out, level +1); + fprintf (out, "%s: %s\n", msg, formattedTime); + PORT_Free (formattedTime); + } + } + PORT_Free (decodedValue.data); + return (rv); +} + +static SECStatus +PrintExtKeyUsageExtension (FILE *out, SECItem *value, char *msg, int level) +{ + CERTOidSequence *os; + SECItem **op; + + os = CERT_DecodeOidSequence(value); + if( (CERTOidSequence *)NULL == os ) { + return SECFailure; + } + + for( op = os->oids; *op; op++ ) { + SECU_PrintObjectID(out, *op, msg, level + 1); + } + CERT_DestroyOidSequence(os); + return SECSuccess; +} + +static SECStatus +secu_PrintBasicConstraints(FILE *out, SECItem *value, const char *msg, int level) { + CERTBasicConstraints constraints; + SECStatus rv; + + SECU_Indent(out, level); + if (msg) { + fprintf(out,"%s: ",msg); + } + rv = CERT_DecodeBasicConstraintValue(&constraints,value); + if (rv == SECSuccess && constraints.isCA) { + if (constraints.pathLenConstraint >= 0) { + fprintf(out,"Is a CA with a maximum path length of %d.\n", + constraints.pathLenConstraint); + } else { + fprintf(out,"Is a CA with no maximum path length.\n"); + } + } else { + fprintf(out,"Is not a CA.\n"); + } + return SECSuccess; +} + +static const char * const nsTypeBits[] = { + "SSL Client", + "SSL Server", + "S/MIME", + "Object Signing", + "Reserved", + "SSL CA", + "S/MIME CA", + "ObjectSigning CA" +}; + +/* NSCertType is merely a bit string whose bits are displayed symbolically */ +static SECStatus +secu_PrintNSCertType(FILE *out, SECItem *value, const char *msg, int level) +{ + int unused; + int NS_Type; + int i; + int found = 0; + SECItem my = *value; + + if ((my.data[0] != SEC_ASN1_BIT_STRING) || + SECSuccess != SECU_StripTagAndLength(&my)) { + SECU_PrintAny(out, value, "Data", level); + return SECSuccess; + } + + unused = (my.len == 2) ? (my.data[0] & 0x0f) : 0; + NS_Type = my.data[1] & (0xff << unused); + + + SECU_Indent(out, level); + if (msg) { + fprintf(out,"%s: ",msg); + } else { + fprintf(out,"Netscape Certificate Type: "); + } + for (i=0; i < 8; i++) { + if ( (0x80 >> i) & NS_Type) { + fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]); + found = 1; + } + } + fprintf(out, (found ? ">\n" : "none\n")); + return SECSuccess; +} + +static const char * const usageBits[] = { + "Digital Signature", /* 0x80 */ + "Non-Repudiation", /* 0x40 */ + "Key Encipherment", /* 0x20 */ + "Data Encipherment", /* 0x10 */ + "Key Agreement", /* 0x08 */ + "Certificate Signing", /* 0x04 */ + "CRL Signing", /* 0x02 */ + "Encipher Only", /* 0x01 */ + "Decipher Only", /* 0x0080 */ + NULL +}; + +/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */ +static void +secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) +{ + int unused; + int usage; + int i; + int found = 0; + SECItem my = *value; + + if ((my.data[0] != SEC_ASN1_BIT_STRING) || + SECSuccess != SECU_StripTagAndLength(&my)) { + SECU_PrintAny(out, value, "Data", level); + return; + } + + unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0; + usage = (my.len == 2) ? (my.data[1] & (0xff << unused)) << 8 + : (my.data[1] << 8) | + (my.data[2] & (0xff << unused)); + + SECU_Indent(out, level); + fprintf(out, "Usages: "); + for (i=0; usageBits[i]; i++) { + if ( (0x8000 >> i) & usage) { + if (found) + SECU_Indent(out, level + 2); + fprintf(out, "%s\n", usageBits[i]); + found = 1; + } + } + if (!found) { + fprintf(out, "(none)\n"); + } +} + +static void +secu_PrintIPAddress(FILE *out, SECItem *value, const char *msg, int level) +{ + PRStatus st; + PRNetAddr addr; + char addrBuf[80]; + + memset(&addr, 0, sizeof addr); + if (value->len == 4) { + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, value->data, value->len); + } else if (value->len == 16) { + addr.ipv6.family = PR_AF_INET6; + memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len); + if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) { + /* convert to IPv4. */ + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4); + memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad); + } + } else { + goto loser; + } + + st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf); + if (st == PR_SUCCESS) { + SECU_Indent(out, level); + fprintf(out, "%s: %s\n", msg, addrBuf); + } else { +loser: + SECU_PrintAsHex(out, value, msg, level); + } +} + + +static void +secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, const char *msg, int level) +{ + char label[40]; + if (msg && msg[0]) { + SECU_Indent(out, level++); fprintf(out, "%s: \n", msg); + } + switch (gname->type) { + case certOtherName : + SECU_PrintAny( out, &gname->name.OthName.name, "Other Name", level); + SECU_PrintObjectID(out, &gname->name.OthName.oid, "OID", level+1); + break; + case certDirectoryName : + SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level); + break; + case certRFC822Name : + secu_PrintRawString( out, &gname->name.other, "RFC822 Name", level); + break; + case certDNSName : + secu_PrintRawString( out, &gname->name.other, "DNS name", level); + break; + case certURI : + secu_PrintRawString( out, &gname->name.other, "URI", level); + break; + case certIPAddress : + secu_PrintIPAddress(out, &gname->name.other, "IP Address", level); + break; + case certRegisterID : + SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level); + break; + case certX400Address : + SECU_PrintAny( out, &gname->name.other, "X400 Address", level); + break; + case certEDIPartyName : + SECU_PrintAny( out, &gname->name.other, "EDI Party", level); + break; + default: + PR_snprintf(label, sizeof label, "unknown type [%d]", + (int)gname->type - 1); + SECU_PrintAsHex(out, &gname->name.other, label, level); + break; + } +} + +static void +secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTAuthKeyID *kid = NULL; + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + kid = CERT_DecodeAuthKeyID(pool, value); + if (!kid) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } else { + int keyIDPresent = (kid->keyID.data && kid->keyID.len); + int issuerPresent = kid->authCertIssuer != NULL; + int snPresent = (kid->authCertSerialNumber.data && + kid->authCertSerialNumber.len); + + if ((keyIDPresent && !issuerPresent && !snPresent) || + (!keyIDPresent && issuerPresent && snPresent)) { + /* all is well */ + } else { + SECU_Indent(out, level); + fprintf(out, + "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n"); + } + if (keyIDPresent) + SECU_PrintAsHex(out, &kid->keyID, "Key ID", level); + if (issuerPresent) + secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level); + if (snPresent) + SECU_PrintInteger(out, &kid->authCertSerialNumber, + "Serial Number", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + + +static void +secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTGeneralName * nameList; + CERTGeneralName * current; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + nameList = current = CERT_DecodeAltNameExtension(pool, value); + if (!current) { + if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { + /* Decoder found empty sequence, which is invalid. */ + PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); + } + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } else { + do { + secu_PrintGeneralName(out, current, msg, level); + current = CERT_GetNextGeneralName(current); + } while (current != nameList); + } + PORT_FreeArena(pool, PR_FALSE); +} + +static void +secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTCrlDistributionPoints * dPoints; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + dPoints = CERT_DecodeCRLDistributionPoints(pool, value); + if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) { + CRLDistributionPoint ** pPoints = dPoints->distPoints; + CRLDistributionPoint * pPoint; + while (NULL != (pPoint = *pPoints++)) { + if (pPoint->distPointType == generalName && + pPoint->distPoint.fullName != NULL) { + secu_PrintGeneralName(out, pPoint->distPoint.fullName, NULL, + level); +#if defined(LATER) + } else if (pPoint->distPointType == relativeDistinguishedName) { + /* print the relative name */ +#endif + } else if (pPoint->derDistPoint.data) { + SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level); + } + if (pPoint->reasons.data) { + secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons", + level); + } + if (pPoint->crlIssuer) { + secu_PrintGeneralName(out, pPoint->crlIssuer, "Issuer", level); + } + } + } else { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + + +static void +secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, + const char *msg, int level) +{ + CERTNameConstraint *head = value; + SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg); + level++; + do { + secu_PrintGeneralName(out, &value->name, NULL, level); + if (value->min.data) + SECU_PrintInteger(out, &value->min, "Minimum", level+1); + if (value->max.data) + SECU_PrintInteger(out, &value->max, "Maximum", level+1); + value = CERT_GetNextNameConstraint(value); + } while (value != head); +} + +static void +secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, const char *msg, int level) +{ + CERTNameConstraints * cnstrnts; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value); + if (!cnstrnts) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Raw", level); + } else { + if (cnstrnts->permited) + secu_PrintNameConstraintSubtree(out, cnstrnts->permited, + "Permitted", level); + if (cnstrnts->excluded) + secu_PrintNameConstraintSubtree(out, cnstrnts->excluded, + "Excluded", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + + +static void +secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level) +{ + CERTAuthInfoAccess **infos = NULL; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + infos = CERT_DecodeAuthInfoAccessExtension(pool, value); + if (!infos) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Raw", level); + } else { + CERTAuthInfoAccess *info; + while (NULL != (info = *infos++)) { + if (info->method.data) { + SECU_PrintObjectID(out, &info->method, "Method", level); + } else { + SECU_Indent(out,level); + fprintf(out, "Error: missing method\n"); + } + if (info->location) { + secu_PrintGeneralName(out, info->location, "Location", level); + } else { + SECU_PrintAny(out, &info->derLocation, "Location", level); + } + } + } + PORT_FreeArena(pool, PR_FALSE); +} + + +void +SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + const char *msg, int level) +{ + SECOidTag oidTag; + + if ( extensions ) { + if (msg && *msg) { + SECU_Indent(out, level++); fprintf(out, "%s:\n", msg); + } + + while ( *extensions ) { + SECItem *tmpitem; + + tmpitem = &(*extensions)->id; + SECU_PrintObjectID(out, tmpitem, "Name", level); + + tmpitem = &(*extensions)->critical; + if ( tmpitem->len ) { + secu_PrintBoolean(out, tmpitem, "Critical", level); + } + + oidTag = SECOID_FindOIDTag (&((*extensions)->id)); + tmpitem = &((*extensions)->value); + + switch (oidTag) { + case SEC_OID_X509_INVALID_DATE: + case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME: + secu_PrintX509InvalidDate(out, tmpitem, "Date", level ); + break; + case SEC_OID_X509_CERTIFICATE_POLICIES: + SECU_PrintPolicy(out, tmpitem, "Data", level ); + break; + case SEC_OID_NS_CERT_EXT_BASE_URL: + case SEC_OID_NS_CERT_EXT_REVOCATION_URL: + case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL: + case SEC_OID_NS_CERT_EXT_CA_CRL_URL: + case SEC_OID_NS_CERT_EXT_CA_CERT_URL: + case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL: + case SEC_OID_NS_CERT_EXT_CA_POLICY_URL: + case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL: + case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL: + case SEC_OID_OCSP_RESPONDER: + SECU_PrintString(out,tmpitem, "URL", level); + break; + case SEC_OID_NS_CERT_EXT_COMMENT: + SECU_PrintString(out,tmpitem, "Comment", level); + break; + case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME: + SECU_PrintString(out,tmpitem, "ServerName", level); + break; + case SEC_OID_NS_CERT_EXT_CERT_TYPE: + secu_PrintNSCertType(out,tmpitem,"Data",level); + break; + case SEC_OID_X509_BASIC_CONSTRAINTS: + secu_PrintBasicConstraints(out,tmpitem,"Data",level); + break; + case SEC_OID_X509_EXT_KEY_USAGE: + PrintExtKeyUsageExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_KEY_USAGE: + secu_PrintX509KeyUsage(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_AUTH_KEY_ID: + secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_SUBJECT_ALT_NAME: + case SEC_OID_X509_ISSUER_ALT_NAME: + secu_PrintAltNameExtension(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_CRL_DIST_POINTS: + secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD: + SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL, + level ); + break; + case SEC_OID_X509_NAME_CONSTRAINTS: + secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_AUTH_INFO_ACCESS: + secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level); + break; + + case SEC_OID_X509_CRL_NUMBER: + case SEC_OID_X509_REASON_CODE: + + /* PKIX OIDs */ + case SEC_OID_PKIX_OCSP: + case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: + case SEC_OID_PKIX_OCSP_NONCE: + case SEC_OID_PKIX_OCSP_CRL: + case SEC_OID_PKIX_OCSP_RESPONSE: + case SEC_OID_PKIX_OCSP_NO_CHECK: + case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF: + case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR: + case SEC_OID_PKIX_REGCTRL_REGTOKEN: + case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR: + case SEC_OID_PKIX_REGCTRL_PKIPUBINFO: + case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS: + case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID: + case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY: + case SEC_OID_PKIX_REGINFO_UTF8_PAIRS: + case SEC_OID_PKIX_REGINFO_CERT_REQUEST: + + /* Netscape extension OIDs. */ + case SEC_OID_NS_CERT_EXT_NETSCAPE_OK: + case SEC_OID_NS_CERT_EXT_ISSUER_LOGO: + case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO: + case SEC_OID_NS_CERT_EXT_ENTITY_LOGO: + case SEC_OID_NS_CERT_EXT_USER_PICTURE: + + /* x.509 v3 Extensions */ + case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR: + case SEC_OID_X509_SUBJECT_KEY_ID: + case SEC_OID_X509_POLICY_MAPPINGS: + case SEC_OID_X509_POLICY_CONSTRAINTS: + + + default: + SECU_PrintAny(out, tmpitem, "Data", level); + break; + } + + secu_Newline(out); + extensions++; + } + } +} + + +void +SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level) +{ + char *nameStr; + const char *str; + SECItem my; + + str = nameStr = CERT_NameToAscii(name); + if (!str) { + str = "!Invalid AVA!"; + } + my.data = (unsigned char *)str; + my.len = PORT_Strlen(str); +#if 1 + secu_PrintRawString(out, &my, msg, level); +#else + SECU_Indent(out, level); fprintf(out, "%s: ", msg); + fprintf(out, str); + secu_Newline(out); +#endif + PORT_Free(nameStr); +} + +void +printflags(char *trusts, unsigned int flags) +{ + if (flags & CERTDB_VALID_CA) + if (!(flags & CERTDB_TRUSTED_CA) && + !(flags & CERTDB_TRUSTED_CLIENT_CA)) + PORT_Strcat(trusts, "c"); + if (flags & CERTDB_VALID_PEER) + if (!(flags & CERTDB_TRUSTED)) + PORT_Strcat(trusts, "p"); + if (flags & CERTDB_TRUSTED_CA) + PORT_Strcat(trusts, "C"); + if (flags & CERTDB_TRUSTED_CLIENT_CA) + PORT_Strcat(trusts, "T"); + if (flags & CERTDB_TRUSTED) + PORT_Strcat(trusts, "P"); + if (flags & CERTDB_USER) + PORT_Strcat(trusts, "u"); + if (flags & CERTDB_SEND_WARN) + PORT_Strcat(trusts, "w"); + if (flags & CERTDB_INVISIBLE_CA) + PORT_Strcat(trusts, "I"); + if (flags & CERTDB_GOVT_APPROVED_CA) + PORT_Strcat(trusts, "G"); + return; +} + +/* callback for listing certs through pkcs11 */ +SECStatus +SECU_PrintCertNickname(CERTCertListNode *node, void *data) +{ + CERTCertTrust *trust; + CERTCertificate* cert; + FILE *out; + char trusts[30]; + const char *name; + + cert = node->cert; + + PORT_Memset (trusts, 0, sizeof (trusts)); + out = (FILE *)data; + + name = node->appData; + if (!name || !name[0]) { + name = cert->nickname; + } + if (!name || !name[0]) { + name = cert->emailAddr; + } + if (!name || !name[0]) { + name = "(NULL)"; + } + + trust = cert->trust; + if (trust) { + printflags(trusts, trust->sslFlags); + PORT_Strcat(trusts, ","); + printflags(trusts, trust->emailFlags); + PORT_Strcat(trusts, ","); + printflags(trusts, trust->objectSigningFlags); + } else { + PORT_Memcpy(trusts,",,",3); + } + fprintf(out, "%-60s %-5s\n", name, trusts); + + return (SECSuccess); +} + +static int +SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, const char *m, int level) +{ + CERTCertExtension **extensions = NULL; + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + int rv = 0; + + if (!arena) + return SEC_ERROR_NO_MEMORY; + + rv = SEC_QuickDERDecodeItem(arena, &extensions, + SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any); + if (!rv) + SECU_PrintExtensions(out, extensions, m, level); + else + SECU_PrintAny(out, any, m, level); + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* print a decoded SET OF or SEQUENCE OF Extensions */ +static int +SECU_PrintSetOfExtensions(FILE *out, SECItem **any, const char *m, int level) +{ + int rv = 0; + if (m && *m) { + SECU_Indent(out, level++); fprintf(out, "%s:\n", m); + } + while (any && any[0]) { + rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level); + any++; + } + return rv; +} + +/* print a decoded SET OF or SEQUENCE OF "ANY" */ +static int +SECU_PrintSetOfAny(FILE *out, SECItem **any, const char *m, int level) +{ + int rv = 0; + if (m && *m) { + SECU_Indent(out, level++); fprintf(out, "%s:\n", m); + } + while (any && any[0]) { + SECU_PrintAny(out, any[0], "", level); + any++; + } + return rv; +} + +static int +SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, const char *m, int level) +{ + int rv = 0; + SECOidTag tag; + tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level); + if (tag == SEC_OID_PKCS9_EXTENSION_REQUEST) { + rv = SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level); + } else { + rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level); + } + return rv; +} + +static int +SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, const char *m, int level) +{ + int rv = 0; + while (attrs[0]) { + rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1); + attrs++; + } + return rv; +} + +int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ +SECU_PrintCertificateRequest(FILE *out, SECItem *der, const char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificateRequest *cr; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + /* Decode certificate request */ + cr = PORT_ArenaZNew(arena, CERTCertificateRequest); + if (!cr) + goto loser; + cr->arena = arena; + rv = SEC_QuickDERDecodeItem(arena, cr, + SEC_ASN1_GET(CERT_CertificateRequestTemplate), der); + if (rv) + goto loser; + + /* Pretty print it out */ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &cr->version, "Version", level+1); + SECU_PrintName(out, &cr->subject, "Subject", level+1); + secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo, + "Subject Public Key Info", level+1); + if (cr->attributes) + SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1); + rv = 0; +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintCertificate(FILE *out, SECItem *der, const char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificate *c; + int rv = SEC_ERROR_NO_MEMORY; + int iv; + + if (!arena) + return rv; + + /* Decode certificate */ + c = PORT_ArenaZNew(arena, CERTCertificate); + if (!c) + goto loser; + c->arena = arena; + rv = SEC_ASN1DecodeItem(arena, c, + SEC_ASN1_GET(CERT_CertificateTemplate), der); + if (rv) { + SECU_Indent(out, level); + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, der, "Raw", level); + goto loser; + } + /* Pretty print it out */ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + iv = c->version.len ? DER_GetInteger(&c->version) : 0; /* version is optional */ + SECU_Indent(out, level+1); fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); + + SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1); + SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1); + SECU_PrintName(out, &c->issuer, "Issuer", level+1); + secu_PrintValidity(out, &c->validity, "Validity", level+1); + SECU_PrintName(out, &c->subject, "Subject", level+1); + secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo, + "Subject Public Key Info", level+1); + if (c->issuerID.data) + secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level+1); + if (c->subjectID.data) + secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1); + SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintPublicKey(FILE *out, SECItem *der, const char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECKEYPublicKey key; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + PORT_Memset(&key, 0, sizeof(key)); + rv = SEC_ASN1DecodeItem(arena, &key, + SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der); + if (!rv) { + /* Pretty print it out */ + secu_PrintRSAPublicKey(out, &key, m, level); + } + + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +#ifdef HAVE_EPV_TEMPLATE +int +SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECKEYEncryptedPrivateKeyInfo key; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + PORT_Memset(&key, 0, sizeof(key)); + rv = SEC_ASN1DecodeItem(arena, &key, + SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der); + if (rv) + goto loser; + + /* Pretty print it out */ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm", + level+1); + SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level+1); +loser: + PORT_FreeArena(arena, PR_TRUE); + return rv; +} +#endif + +int +SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m, int level) +{ + unsigned char fingerprint[20]; + char *fpStr = NULL; + int err = PORT_GetError(); + SECStatus rv; + SECItem fpItem; + + /* print MD5 fingerprint */ + memset(fingerprint, 0, sizeof fingerprint); + rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len); + fpItem.data = fingerprint; + fpItem.len = MD5_LENGTH; + fpStr = CERT_Hexify(&fpItem, 1); + SECU_Indent(out, level); fprintf(out, "%s (MD5):\n", m); + SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); + PORT_Free(fpStr); + fpStr = NULL; + if (rv != SECSuccess && !err) + err = PORT_GetError(); + + /* print SHA1 fingerprint */ + memset(fingerprint, 0, sizeof fingerprint); + rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len); + fpItem.data = fingerprint; + fpItem.len = SHA1_LENGTH; + fpStr = CERT_Hexify(&fpItem, 1); + SECU_Indent(out, level); fprintf(out, "%s (SHA1):\n", m); + SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); + PORT_Free(fpStr); + fprintf(out, "\n"); + + if (err) + PORT_SetError(err); + if (err || rv != SECSuccess) + return SECFailure; + + return 0; +} + +/* +** PKCS7 Support +*/ + +/* forward declaration */ +static int +secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, const char *, int); + +/* +** secu_PrintPKCS7EncContent +** Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it) +*/ +static void +secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, + const char *m, int level) +{ + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_Indent(out, level + 1); + fprintf(out, "Content Type: %s\n", + (src->contentTypeTag != NULL) ? src->contentTypeTag->desc + : "Unknown"); + SECU_PrintAlgorithmID(out, &(src->contentEncAlg), + "Content Encryption Algorithm", level+1); + SECU_PrintAsHex(out, &(src->encContent), + "Encrypted Content", level+1); +} + +/* +** secu_PrintRecipientInfo +** Prints a PKCS7RecipientInfo type +*/ +static void +secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, + int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(info->version), "Version", level + 1); + + SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", + level + 1); + SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), + "Serial Number", level + 1); + + /* Parse and display encrypted key */ + SECU_PrintAlgorithmID(out, &(info->keyEncAlg), + "Key Encryption Algorithm", level + 1); + SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1); +} + +/* +** secu_PrintSignerInfo +** Prints a PKCS7SingerInfo type +*/ +static void +secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level) +{ + SEC_PKCS7Attribute *attr; + int iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(info->version), "Version", level + 1); + + SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", + level + 1); + SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), + "Serial Number", level + 1); + + SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm", + level + 1); + + if (info->authAttr != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Authenticated Attributes:\n"); + iv = 0; + while ((attr = info->authAttr[iv++]) != NULL) { + sprintf(om, "Attribute (%d)", iv); + secu_PrintAttribute(out, attr, om, level + 2); + } + } + + /* Parse and display signature */ + SECU_PrintAlgorithmID(out, &(info->digestEncAlg), + "Digest Encryption Algorithm", level + 1); + SECU_PrintAsHex(out, &(info->encDigest), "Encrypted Digest", level + 1); + + if (info->unAuthAttr != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Unauthenticated Attributes:\n"); + iv = 0; + while ((attr = info->unAuthAttr[iv++]) != NULL) { + sprintf(om, "Attribute (%x)", iv); + secu_PrintAttribute(out, attr, om, level + 2); + } + } +} + +/* callers of this function must make sure that the CERTSignedCrl + from which they are extracting the CERTCrl has been fully-decoded. + Otherwise it will not have the entries even though the CRL may have + some */ + +void +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, const char *m, int level) +{ + CERTCrlEntry *entry; + int iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + /* version is optional */ + iv = crl->version.len ? DER_GetInteger(&crl->version) : 0; + SECU_Indent(out, level+1); + fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); + SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm", + level + 1); + SECU_PrintName(out, &(crl->name), "Issuer", level + 1); + SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1); + if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */ + SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1); + + if (crl->entries != NULL) { + iv = 0; + while ((entry = crl->entries[iv++]) != NULL) { + sprintf(om, "Entry (%x):\n", iv); + SECU_Indent(out, level + 1); + fprintf(out, "%s", om); + SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number", + level + 2); + SECU_PrintTimeChoice(out, &(entry->revocationDate), + "Revocation Date", level + 2); + SECU_PrintExtensions(out, entry->extensions, + "Entry Extensions", level + 2); + } + } + SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1); +} + +/* +** secu_PrintPKCS7Signed +** Pretty print a PKCS7 signed data type (up to version 1). +*/ +static int +secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src, + const char *m, int level) +{ + SECAlgorithmID *digAlg; /* digest algorithms */ + SECItem *aCert; /* certificate */ + CERTSignedCrl *aCrl; /* certificate revocation list */ + SEC_PKCS7SignerInfo *sigInfo; /* signer information */ + int rv, iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list digest algorithms (if any) */ + if (src->digestAlgorithms != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); + iv = 0; + while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { + sprintf(om, "Digest Algorithm (%x)", iv); + SECU_PrintAlgorithmID(out, digAlg, om, level + 2); + } + } + + /* Now for the content */ + rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo), + "Content Information", level + 1); + if (rv != 0) + return rv; + + /* Parse and list certificates (if any) */ + if (src->rawCerts != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); + iv = 0; + while ((aCert = src->rawCerts[iv++]) != NULL) { + sprintf(om, "Certificate (%x)", iv); + rv = SECU_PrintSignedData(out, aCert, om, level + 2, + SECU_PrintCertificate); + if (rv) + return rv; + } + } + + /* Parse and list CRL's (if any) */ + if (src->crls != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signed Revocation Lists:\n"); + iv = 0; + while ((aCrl = src->crls[iv++]) != NULL) { + sprintf(om, "Signed Revocation List (%x)", iv); + SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); + SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, + "Signature Algorithm", level+3); + DER_ConvertBitString(&aCrl->signatureWrap.signature); + SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", + level+3); + SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", + level + 3); + } + } + + /* Parse and list signatures (if any) */ + if (src->signerInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signer Information List:\n"); + iv = 0; + while ((sigInfo = src->signerInfos[iv++]) != NULL) { + sprintf(om, "Signer Information (%x)", iv); + secu_PrintSignerInfo(out, sigInfo, om, level + 2); + } + } + + return 0; +} + +/* +** secu_PrintPKCS7Enveloped +** Pretty print a PKCS7 enveloped data type (up to version 1). +*/ +static void +secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src, + const char *m, int level) +{ + SEC_PKCS7RecipientInfo *recInfo; /* pointer for signer information */ + int iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list recipients (this is not optional) */ + if (src->recipientInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Recipient Information List:\n"); + iv = 0; + while ((recInfo = src->recipientInfos[iv++]) != NULL) { + sprintf(om, "Recipient Information (%x)", iv); + secu_PrintRecipientInfo(out, recInfo, om, level + 2); + } + } + + secu_PrintPKCS7EncContent(out, &src->encContentInfo, + "Encrypted Content Information", level + 1); +} + +/* +** secu_PrintPKCS7SignedEnveloped +** Pretty print a PKCS7 singed and enveloped data type (up to version 1). +*/ +static int +secu_PrintPKCS7SignedAndEnveloped(FILE *out, + SEC_PKCS7SignedAndEnvelopedData *src, + const char *m, int level) +{ + SECAlgorithmID *digAlg; /* pointer for digest algorithms */ + SECItem *aCert; /* pointer for certificate */ + CERTSignedCrl *aCrl; /* pointer for certificate revocation list */ + SEC_PKCS7SignerInfo *sigInfo; /* pointer for signer information */ + SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */ + int rv, iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list recipients (this is not optional) */ + if (src->recipientInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Recipient Information List:\n"); + iv = 0; + while ((recInfo = src->recipientInfos[iv++]) != NULL) { + sprintf(om, "Recipient Information (%x)", iv); + secu_PrintRecipientInfo(out, recInfo, om, level + 2); + } + } + + /* Parse and list digest algorithms (if any) */ + if (src->digestAlgorithms != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); + iv = 0; + while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { + sprintf(om, "Digest Algorithm (%x)", iv); + SECU_PrintAlgorithmID(out, digAlg, om, level + 2); + } + } + + secu_PrintPKCS7EncContent(out, &src->encContentInfo, + "Encrypted Content Information", level + 1); + + /* Parse and list certificates (if any) */ + if (src->rawCerts != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); + iv = 0; + while ((aCert = src->rawCerts[iv++]) != NULL) { + sprintf(om, "Certificate (%x)", iv); + rv = SECU_PrintSignedData(out, aCert, om, level + 2, + SECU_PrintCertificate); + if (rv) + return rv; + } + } + + /* Parse and list CRL's (if any) */ + if (src->crls != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signed Revocation Lists:\n"); + iv = 0; + while ((aCrl = src->crls[iv++]) != NULL) { + sprintf(om, "Signed Revocation List (%x)", iv); + SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); + SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, + "Signature Algorithm", level+3); + DER_ConvertBitString(&aCrl->signatureWrap.signature); + SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", + level+3); + SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", + level + 3); + } + } + + /* Parse and list signatures (if any) */ + if (src->signerInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signer Information List:\n"); + iv = 0; + while ((sigInfo = src->signerInfos[iv++]) != NULL) { + sprintf(om, "Signer Information (%x)", iv); + secu_PrintSignerInfo(out, sigInfo, om, level + 2); + } + } + + return 0; +} + +int +SECU_PrintCrl(FILE *out, SECItem *der, const char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCrl *c = NULL; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + do { + /* Decode CRL */ + c = PORT_ArenaZNew(arena, CERTCrl); + if (!c) + break; + + rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der); + if (rv != SECSuccess) + break; + SECU_PrintCRLInfo (out, c, m, level); + } while (0); + PORT_FreeArena (arena, PR_FALSE); + return rv; +} + + +/* +** secu_PrintPKCS7Encrypted +** Pretty print a PKCS7 encrypted data type (up to version 1). +*/ +static void +secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src, + const char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + secu_PrintPKCS7EncContent(out, &src->encContentInfo, + "Encrypted Content Information", level + 1); +} + +/* +** secu_PrintPKCS7Digested +** Pretty print a PKCS7 digested data type (up to version 1). +*/ +static void +secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src, + const char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm", + level + 1); + secu_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information", + level + 1); + SECU_PrintAsHex(out, &src->digest, "Digest", level + 1); +} + +/* +** secu_PrintPKCS7ContentInfo +** Takes a SEC_PKCS7ContentInfo type and sends the contents to the +** appropriate function +*/ +static int +secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, + const char *m, int level) +{ + const char *desc; + SECOidTag kind; + int rv; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + level++; + + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); + + if (src->contentTypeTag == NULL) { + desc = "Unknown"; + kind = SEC_OID_PKCS7_DATA; + } else { + desc = src->contentTypeTag->desc; + kind = src->contentTypeTag->offset; + } + + if (src->content.data == NULL) { + SECU_Indent(out, level); fprintf(out, "%s:\n", desc); + level++; + SECU_Indent(out, level); fprintf(out, "<no content>\n"); + return 0; + } + + rv = 0; + switch (kind) { + case SEC_OID_PKCS7_SIGNED_DATA: /* Signed Data */ + rv = secu_PrintPKCS7Signed(out, src->content.signedData, desc, level); + break; + + case SEC_OID_PKCS7_ENVELOPED_DATA: /* Enveloped Data */ + secu_PrintPKCS7Enveloped(out, src->content.envelopedData, desc, level); + break; + + case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA: /* Signed and Enveloped */ + rv = secu_PrintPKCS7SignedAndEnveloped(out, + src->content.signedAndEnvelopedData, + desc, level); + break; + + case SEC_OID_PKCS7_DIGESTED_DATA: /* Digested Data */ + secu_PrintPKCS7Digested(out, src->content.digestedData, desc, level); + break; + + case SEC_OID_PKCS7_ENCRYPTED_DATA: /* Encrypted Data */ + secu_PrintPKCS7Encrypted(out, src->content.encryptedData, desc, level); + break; + + default: + SECU_PrintAsHex(out, src->content.data, desc, level); + break; + } + + return rv; +} + +/* +** SECU_PrintPKCS7ContentInfo +** Decode and print any major PKCS7 data type (up to version 1). +*/ +int +SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, const char *m, int level) +{ + SEC_PKCS7ContentInfo *cinfo; + int rv; + + cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL); + if (cinfo != NULL) { + /* Send it to recursive parsing and printing module */ + rv = secu_PrintPKCS7ContentInfo(out, cinfo, m, level); + SEC_PKCS7DestroyContentInfo(cinfo); + } else { + rv = -1; + } + + return rv; +} + +/* +** End of PKCS7 functions +*/ + +static void +printFlags(FILE *out, unsigned int flags, int level) +{ + if ( flags & CERTDB_VALID_PEER ) { + SECU_Indent(out, level); fprintf(out, "Valid Peer\n"); + } + if ( flags & CERTDB_TRUSTED ) { + SECU_Indent(out, level); fprintf(out, "Trusted\n"); + } + if ( flags & CERTDB_SEND_WARN ) { + SECU_Indent(out, level); fprintf(out, "Warn When Sending\n"); + } + if ( flags & CERTDB_VALID_CA ) { + SECU_Indent(out, level); fprintf(out, "Valid CA\n"); + } + if ( flags & CERTDB_TRUSTED_CA ) { + SECU_Indent(out, level); fprintf(out, "Trusted CA\n"); + } + if ( flags & CERTDB_NS_TRUSTED_CA ) { + SECU_Indent(out, level); fprintf(out, "Netscape Trusted CA\n"); + } + if ( flags & CERTDB_USER ) { + SECU_Indent(out, level); fprintf(out, "User\n"); + } + if ( flags & CERTDB_TRUSTED_CLIENT_CA ) { + SECU_Indent(out, level); fprintf(out, "Trusted Client CA\n"); + } + if ( flags & CERTDB_GOVT_APPROVED_CA ) { + SECU_Indent(out, level); fprintf(out, "Step-up\n"); + } +} + +void +SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, const char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n"); + printFlags(out, trust->sslFlags, level+2); + SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n"); + printFlags(out, trust->emailFlags, level+2); + SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n"); + printFlags(out, trust->objectSigningFlags, level+2); +} + +int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, + int level, SECU_PPFunc inner) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTSignedData *sd; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + /* Strip off the signature */ + sd = PORT_ArenaZNew(arena, CERTSignedData); + if (!sd) + goto loser; + + rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), + der); + if (rv) + goto loser; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + rv = (*inner)(out, &sd->data, "Data", level+1); + + SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm", + level+1); + DER_ConvertBitString(&sd->signature); + SECU_PrintAsHex(out, &sd->signature, "Signature", level+1); + SECU_PrintFingerprints(out, der, "Fingerprint", level+1); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; + +} + +SECStatus +SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd) +{ + PRBool found; + PLOptState *optstate; + PLOptStatus status; + char *optstring; + int i, j; + + optstring = (char *)malloc(cmd->numCommands + 2*cmd->numOptions); + j = 0; + + for (i=0; i<cmd->numCommands; i++) { + optstring[j++] = cmd->commands[i].flag; + } + for (i=0; i<cmd->numOptions; i++) { + optstring[j++] = cmd->options[i].flag; + if (cmd->options[i].needsArg) + optstring[j++] = ':'; + } + optstring[j] = '\0'; + optstate = PL_CreateOptState(argc, argv, optstring); + + /* Parse command line arguments */ + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + + /* Wasn't really an option, just standalone arg. */ + if (optstate->option == '\0') + continue; + + found = PR_FALSE; + + for (i=0; i<cmd->numCommands; i++) { + if (cmd->commands[i].flag == optstate->option) { + cmd->commands[i].activated = PR_TRUE; + if (optstate->value) { + cmd->commands[i].arg = (char *)optstate->value; + } + found = PR_TRUE; + break; + } + } + + if (found) + continue; + + for (i=0; i<cmd->numOptions; i++) { + if (cmd->options[i].flag == optstate->option) { + cmd->options[i].activated = PR_TRUE; + if (optstate->value) { + cmd->options[i].arg = (char *)optstate->value; + } else if (cmd->options[i].needsArg) { + return SECFailure; + } + found = PR_TRUE; + break; + } + } + + if (!found) + return SECFailure; + } + if (status == PL_OPT_BAD) + return SECFailure; + return SECSuccess; +} + +char * +SECU_GetOptionArg(secuCommand *cmd, int optionNum) +{ + if (optionNum < 0 || optionNum >= cmd->numOptions) + return NULL; + if (cmd->options[optionNum].activated) + return PL_strdup(cmd->options[optionNum].arg); + else + return NULL; +} + +static char SECUErrorBuf[64]; + +char * +SECU_ErrorStringRaw(int16 err) +{ + if (err == 0) + SECUErrorBuf[0] = '\0'; + else if (err == SEC_ERROR_BAD_DATA) + sprintf(SECUErrorBuf, "Bad data"); + else if (err == SEC_ERROR_BAD_DATABASE) + sprintf(SECUErrorBuf, "Problem with database"); + else if (err == SEC_ERROR_BAD_DER) + sprintf(SECUErrorBuf, "Problem with DER"); + else if (err == SEC_ERROR_BAD_KEY) + sprintf(SECUErrorBuf, "Problem with key"); + else if (err == SEC_ERROR_BAD_PASSWORD) + sprintf(SECUErrorBuf, "Incorrect password"); + else if (err == SEC_ERROR_BAD_SIGNATURE) + sprintf(SECUErrorBuf, "Bad signature"); + else if (err == SEC_ERROR_EXPIRED_CERTIFICATE) + sprintf(SECUErrorBuf, "Expired certificate"); + else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID) + sprintf(SECUErrorBuf, "Invalid extension value"); + else if (err == SEC_ERROR_INPUT_LEN) + sprintf(SECUErrorBuf, "Problem with input length"); + else if (err == SEC_ERROR_INVALID_ALGORITHM) + sprintf(SECUErrorBuf, "Invalid algorithm"); + else if (err == SEC_ERROR_INVALID_ARGS) + sprintf(SECUErrorBuf, "Invalid arguments"); + else if (err == SEC_ERROR_INVALID_AVA) + sprintf(SECUErrorBuf, "Invalid AVA"); + else if (err == SEC_ERROR_INVALID_TIME) + sprintf(SECUErrorBuf, "Invalid time"); + else if (err == SEC_ERROR_IO) + sprintf(SECUErrorBuf, "Security I/O error"); + else if (err == SEC_ERROR_LIBRARY_FAILURE) + sprintf(SECUErrorBuf, "Library failure"); + else if (err == SEC_ERROR_NO_MEMORY) + sprintf(SECUErrorBuf, "Out of memory"); + else if (err == SEC_ERROR_OLD_CRL) + sprintf(SECUErrorBuf, "CRL is older than the current one"); + else if (err == SEC_ERROR_OUTPUT_LEN) + sprintf(SECUErrorBuf, "Problem with output length"); + else if (err == SEC_ERROR_UNKNOWN_ISSUER) + sprintf(SECUErrorBuf, "Unknown issuer"); + else if (err == SEC_ERROR_UNTRUSTED_CERT) + sprintf(SECUErrorBuf, "Untrusted certificate"); + else if (err == SEC_ERROR_UNTRUSTED_ISSUER) + sprintf(SECUErrorBuf, "Untrusted issuer"); + else if (err == SSL_ERROR_BAD_CERTIFICATE) + sprintf(SECUErrorBuf, "Bad certificate"); + else if (err == SSL_ERROR_BAD_CLIENT) + sprintf(SECUErrorBuf, "Bad client"); + else if (err == SSL_ERROR_BAD_SERVER) + sprintf(SECUErrorBuf, "Bad server"); + else if (err == SSL_ERROR_EXPORT_ONLY_SERVER) + sprintf(SECUErrorBuf, "Export only server"); + else if (err == SSL_ERROR_NO_CERTIFICATE) + sprintf(SECUErrorBuf, "No certificate"); + else if (err == SSL_ERROR_NO_CYPHER_OVERLAP) + sprintf(SECUErrorBuf, "No cypher overlap"); + else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE) + sprintf(SECUErrorBuf, "Unsupported certificate type"); + else if (err == SSL_ERROR_UNSUPPORTED_VERSION) + sprintf(SECUErrorBuf, "Unsupported version"); + else if (err == SSL_ERROR_US_ONLY_SERVER) + sprintf(SECUErrorBuf, "U.S. only server"); + else if (err == PR_IO_ERROR) + sprintf(SECUErrorBuf, "I/O error"); + + else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) + sprintf (SECUErrorBuf, "Expired Issuer Certificate"); + else if (err == SEC_ERROR_REVOKED_CERTIFICATE) + sprintf (SECUErrorBuf, "Revoked certificate"); + else if (err == SEC_ERROR_NO_KEY) + sprintf (SECUErrorBuf, "No private key in database for this cert"); + else if (err == SEC_ERROR_CERT_NOT_VALID) + sprintf (SECUErrorBuf, "Certificate is not valid"); + else if (err == SEC_ERROR_EXTENSION_NOT_FOUND) + sprintf (SECUErrorBuf, "Certificate extension was not found"); + else if (err == SEC_ERROR_CA_CERT_INVALID) + sprintf (SECUErrorBuf, "Issuer certificate is invalid"); + else if (err == SEC_ERROR_CERT_USAGES_INVALID) + sprintf (SECUErrorBuf, "Certificate usages is invalid"); + else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) + sprintf (SECUErrorBuf, "Certificate has unknown critical extension"); + else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE) + sprintf (SECUErrorBuf, "Bad PKCS7 signature"); + else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE) + sprintf (SECUErrorBuf, "Certificate not approved for this operation"); + else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE) + sprintf (SECUErrorBuf, "Certificate not approved for this operation"); + + return SECUErrorBuf; +} + +char * +SECU_ErrorString(int16 err) +{ + char *error_string; + + *SECUErrorBuf = 0; + SECU_ErrorStringRaw (err); + + if (*SECUErrorBuf == 0) { + error_string = SECU_GetString(err); + if (error_string == NULL || *error_string == '\0') + sprintf(SECUErrorBuf, "No error string found for %d.", err); + else + return error_string; + } + + return SECUErrorBuf; +} + + +void +SECU_PrintPRandOSError(const char *progName) +{ + char buffer[513]; + PRInt32 errLen = PR_GetErrorTextLength(); + if ((errLen > 0) && ((size_t) errLen < sizeof(buffer))) { + PR_GetErrorText(buffer); + } + SECU_PrintError(progName, "function failed"); + if ((errLen > 0) && ((size_t) errLen < sizeof(buffer))) { + PR_fprintf(PR_STDERR, "\t%s\n", buffer); + } +} + + +static char * +bestCertName(CERTCertificate *cert) { + if (cert->nickname) { + return cert->nickname; + } + if (cert->emailAddr && cert->emailAddr[0]) { + return cert->emailAddr; + } + return cert->subjectName; +} + +void +SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, + SECCertificateUsage certUsage, void *pinArg, PRBool verbose) +{ + CERTVerifyLog log; + CERTVerifyLogNode *node = NULL; + unsigned int depth = (unsigned int)-1; + unsigned int flags = 0; + const char * errstr = NULL; + PRErrorCode err = PORT_GetError(); + + log.arena = PORT_NewArena(512); + log.head = log.tail = NULL; + log.count = 0; + CERT_VerifyCertificate(handle, cert, checksig, certUsage, PR_Now(), pinArg, &log, NULL); + + if (log.count > 0) { + fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n"); + for (node = log.head; node; node = node->next) { + if (depth != node->depth) { + depth = node->depth; + fprintf(outfile,"CERT %d. %s %s:\n", depth, + bestCertName(node->cert), + depth ? "[Certificate Authority]": ""); + if (verbose) { + const char * emailAddr; + emailAddr = CERT_GetFirstEmailAddress(node->cert); + if (emailAddr) { + fprintf(outfile,"Email Address(es): "); + do { + fprintf(outfile, "%s\n", emailAddr); + emailAddr = CERT_GetNextEmailAddress(node->cert, + emailAddr); + } while (emailAddr); + } + } + } + fprintf(outfile," ERROR %ld: %s\n", node->error, + SECU_Strerror(node->error)); + errstr = NULL; + switch (node->error) { + case SEC_ERROR_INADEQUATE_KEY_USAGE: + flags = (unsigned int)node->arg; + switch (flags) { + case KU_DIGITAL_SIGNATURE: + errstr = "Cert cannot sign."; + break; + case KU_KEY_ENCIPHERMENT: + errstr = "Cert cannot encrypt."; + break; + case KU_KEY_CERT_SIGN: + errstr = "Cert cannot sign other certs."; + break; + default: + errstr = "[unknown usage]."; + break; + } + case SEC_ERROR_INADEQUATE_CERT_TYPE: + flags = (unsigned int)node->arg; + switch (flags) { + case NS_CERT_TYPE_SSL_CLIENT: + case NS_CERT_TYPE_SSL_SERVER: + errstr = "Cert cannot be used for SSL."; + break; + case NS_CERT_TYPE_SSL_CA: + errstr = "Cert cannot be used as an SSL CA."; + break; + case NS_CERT_TYPE_EMAIL: + errstr = "Cert cannot be used for SMIME."; + break; + case NS_CERT_TYPE_EMAIL_CA: + errstr = "Cert cannot be used as an SMIME CA."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING: + errstr = "Cert cannot be used for object signing."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING_CA: + errstr = "Cert cannot be used as an object signing CA."; + break; + default: + errstr = "[unknown usage]."; + break; + } + case SEC_ERROR_UNKNOWN_ISSUER: + case SEC_ERROR_UNTRUSTED_ISSUER: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + errstr = node->cert->issuerName; + break; + default: + break; + } + if (errstr) { + fprintf(stderr," %s\n",errstr); + } + CERT_DestroyCertificate(node->cert); + } + } + PORT_SetError(err); /* restore original error code */ +} + +SECOidTag +SECU_StringToSignatureAlgTag(const char *alg) +{ + SECOidTag hashAlgTag = SEC_OID_UNKNOWN; + + if (alg) { + if (!PL_strcmp(alg, "MD2")) { + hashAlgTag = SEC_OID_MD2; + } else if (!PL_strcmp(alg, "MD4")) { + hashAlgTag = SEC_OID_MD4; + } else if (!PL_strcmp(alg, "MD5")) { + hashAlgTag = SEC_OID_MD5; + } else if (!PL_strcmp(alg, "SHA1")) { + hashAlgTag = SEC_OID_SHA1; + } else if (!PL_strcmp(alg, "SHA256")) { + hashAlgTag = SEC_OID_SHA256; + } else if (!PL_strcmp(alg, "SHA384")) { + hashAlgTag = SEC_OID_SHA384; + } else if (!PL_strcmp(alg, "SHA512")) { + hashAlgTag = SEC_OID_SHA512; + } + } + return hashAlgTag; +} + + +SECStatus +SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile, + const PRBool ascii, char *url) +{ + PORT_Assert(derCrl != NULL); + if (!derCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (outFile != NULL) { + if (ascii) { + PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER, + BTOA_DataToAscii(derCrl->data, derCrl->len), + NS_CRL_TRAILER); + } else { + if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) { + return SECFailure; + } + } + } + if (slot) { + CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url, + SEC_CRL_TYPE, NULL, 0, NULL, 0); + if (newCrl != NULL) { + SEC_DestroyCrl(newCrl); + return SECSuccess; + } + return SECFailure; + } + if (!outFile && !slot) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + return SECSuccess; +} + +SECStatus +SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, + SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode) +{ + SECItem der; + SECKEYPrivateKey *caPrivateKey = NULL; + SECStatus rv; + PRArenaPool *arena; + SECOidTag algID; + void *dummy; + + PORT_Assert(issuer != NULL && signCrl != NULL); + if (!issuer || !signCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + arena = signCrl->arena; + + caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL); + if (caPrivateKey == NULL) { + *resCode = noKeyFound; + return SECFailure; + } + + algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag); + if (algID == SEC_OID_UNKNOWN) { + *resCode = noSignatureMatch; + rv = SECFailure; + goto done; + } + + if (!signCrl->crl.signatureAlg.parameters.data) { + rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0); + if (rv != SECSuccess) { + *resCode = failToEncode; + goto done; + } + } + + der.len = 0; + der.data = NULL; + dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl, + SEC_ASN1_GET(CERT_CrlTemplate)); + if (!dummy) { + *resCode = failToEncode; + rv = SECFailure; + goto done; + } + + rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap, + der.data, der.len, caPrivateKey, algID); + if (rv != SECSuccess) { + *resCode = failToSign; + goto done; + } + + signCrl->derCrl = PORT_ArenaZNew(arena, SECItem); + if (signCrl->derCrl == NULL) { + *resCode = noMem; + PORT_SetError(SEC_ERROR_NO_MEMORY); + rv = SECFailure; + goto done; + } + + signCrl->derCrl->len = 0; + signCrl->derCrl->data = NULL; + dummy = SEC_ASN1EncodeItem (arena, signCrl->derCrl, signCrl, + SEC_ASN1_GET(CERT_SignedCrlTemplate)); + if (!dummy) { + *resCode = failToEncode; + rv = SECFailure; + goto done; + } + +done: + if (caPrivateKey) { + SECKEY_DestroyPrivateKey(caPrivateKey); + } + return rv; +} + + + +SECStatus +SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl) +{ + void *dummy; + SECStatus rv = SECSuccess; + SECItem der; + + PORT_Assert(destArena && srcCrl && destCrl); + if (!destArena || !srcCrl || !destCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + der.len = 0; + der.data = NULL; + dummy = SEC_ASN1EncodeItem (destArena, &der, srcCrl, + SEC_ASN1_GET(CERT_CrlTemplate)); + if (!dummy) { + return SECFailure; + } + + rv = SEC_QuickDERDecodeItem(destArena, destCrl, + SEC_ASN1_GET(CERT_CrlTemplate), &der); + if (rv != SECSuccess) { + return SECFailure; + } + + destCrl->arena = destArena; + + return rv; +} + +SECStatus +SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd, + unsigned char *buf, int len, SECKEYPrivateKey *pk, + SECOidTag algID) +{ + SECItem it; + SECStatus rv; + + it.data = 0; + + /* XXX We should probably have some asserts here to make sure the key type + * and algID match + */ + + /* Sign input buffer */ + rv = SEC_SignData(&it, buf, len, pk, algID); + if (rv) goto loser; + + /* Fill out SignedData object */ + PORT_Memset(sd, 0, sizeof(*sd)); + sd->data.data = buf; + sd->data.len = len; + sd->signature.data = it.data; + sd->signature.len = it.len << 3; /* convert to bit string */ + rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0); + if (rv) goto loser; + + return rv; + + loser: + PORT_Free(it.data); + return rv; +} + +#if 0 + +/* we need access to the private function cert_FindExtension for this code to work */ + +CERTAuthKeyID * +SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *scrl) +{ + SECItem encodedExtenValue; + SECStatus rv; + CERTAuthKeyID *ret; + CERTCrl* crl; + + if (!scrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + crl = &scrl->crl; + + encodedExtenValue.data = NULL; + encodedExtenValue.len = 0; + + rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID, + &encodedExtenValue); + if ( rv != SECSuccess ) { + return (NULL); + } + + ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue); + + PORT_Free(encodedExtenValue.data); + encodedExtenValue.data = NULL; + + return(ret); +} + +#endif + +/* + * Find the issuer of a Crl. Use the authorityKeyID if it exists. + */ +CERTCertificate * +SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject, + CERTAuthKeyID* authorityKeyID, PRTime validTime) +{ + CERTCertificate *issuerCert = NULL; + CERTCertList *certList = NULL; + + if (!subject) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + certList = + CERT_CreateSubjectCertList(NULL, dbhandle, subject, + validTime, PR_TRUE); + if (certList) { + CERTCertListNode *node = CERT_LIST_HEAD(certList); + + /* XXX and authoritykeyid in the future */ + while ( ! CERT_LIST_END(node, certList) ) { + CERTCertificate *cert = node->cert; + /* check cert CERTCertTrust data is allocated, check cert + usage extension, check that cert has pkey in db. Select + the first (newest) user cert */ + if (cert->trust && + CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess && + CERT_IsUserCert(cert)) { + + issuerCert = CERT_DupCertificate(cert); + break; + } + node = CERT_LIST_NEXT(node); + } + CERT_DestroyCertList(certList); + } + return(issuerCert); +} + + +/* Encodes and adds extensions to the CRL or CRL entries. */ +SECStatus +SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, + void *value, PRBool criticality, int extenType, + EXTEN_EXT_VALUE_ENCODER EncodeValueFn) +{ + SECItem encodedValue; + SECStatus rv; + + encodedValue.data = NULL; + encodedValue.len = 0; + do { + rv = (*EncodeValueFn)(arena, value, &encodedValue); + if (rv != SECSuccess) + break; + + rv = CERT_AddExtension(extHandle, extenType, &encodedValue, + criticality, PR_TRUE); + if (rv != SECSuccess) + break; + } while (0); + + return (rv); +} diff --git a/base/native-tools/src/p7tool/secutil.h b/base/native-tools/src/p7tool/secutil.h new file mode 100644 index 000000000..10c8f9ae6 --- /dev/null +++ b/base/native-tools/src/p7tool/secutil.h @@ -0,0 +1,430 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.h + */ + +#ifndef _SEC_UTIL_H_ +#define _SEC_UTIL_H_ + +#include "seccomon.h" +#include "secitem.h" +#include "prerror.h" +#include "base64.h" +#include "key.h" +#include "secpkcs7.h" +#include "secasn1.h" +#include "secder.h" +#include <stdio.h> + +#define SEC_CT_PRIVATE_KEY "private-key" +#define SEC_CT_PUBLIC_KEY "public-key" +#define SEC_CT_CERTIFICATE "certificate" +#define SEC_CT_CERTIFICATE_REQUEST "certificate-request" +#define SEC_CT_PKCS7 "pkcs7" +#define SEC_CT_CRL "crl" + +#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----" +#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----" + +#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----" +#define NS_CERT_TRAILER "-----END CERTIFICATE-----" + +#define NS_CRL_HEADER "-----BEGIN CRL-----" +#define NS_CRL_TRAILER "-----END CRL-----" + +/* From libsec/pcertdb.c --- it's not declared in sec.h */ +extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle, + SECItem *derCert, char *nickname, CERTCertTrust *trust); + + +#ifdef SECUTIL_NEW +typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, + const char *msg, int level); +#else +typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, const char *msg, int level); +#endif + +typedef struct { + enum { + PW_NONE = 0, + PW_FROMFILE = 1, + PW_PLAINTEXT = 2, + PW_EXTERNAL = 3 + } source; + char *data; +} secuPWData; + +/* +** Change a password on a token, or initialize a token with a password +** if it does not already have one. +** Use passwd to send the password in plaintext, pwFile to specify a +** file containing the password, or NULL for both to prompt the user. +*/ +SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile); + +/* These were stolen from the old sec.h... */ +/* +** Check a password for legitimacy. Passwords must be at least 8 +** characters long and contain one non-alphabetic. Return DSTrue if the +** password is ok, DSFalse otherwise. +*/ +extern PRBool SEC_CheckPassword(char *password); + +/* +** Blind check of a password. Complement to SEC_CheckPassword which +** ignores length and content type, just retuning DSTrue is the password +** exists, DSFalse if NULL +*/ +extern PRBool SEC_BlindCheckPassword(char *password); + +/* +** Get a password. +** First prompt with "msg" on "out", then read the password from "in". +** The password is then checked using "chkpw". +*/ +extern char *SEC_GetPassword(FILE *in, FILE *out, const char *msg, + PRBool (*chkpw)(char *)); + +char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg); + +char *SECU_GetPasswordString(void *arg, char *prompt); + +/* +** Write a dongle password. +** Uses MD5 to hash constant system data (hostname, etc.), and then +** creates RC4 key to encrypt a password "pw" into a file "fd". +*/ +extern SECStatus SEC_WriteDongleFile(int fd, char *pw); + +/* +** Get a dongle password. +** Uses MD5 to hash constant system data (hostname, etc.), and then +** creates RC4 key to decrypt and return a password from file "fd". +*/ +extern char *SEC_ReadDongleFile(int fd); + + +/* End stolen headers */ + +/* Just sticks the two strings together with a / if needed */ +char *SECU_AppendFilenameToDir(char *dir, char *filename); + +/* Returns result of getenv("SSL_DIR") or NULL */ +extern char *SECU_DefaultSSLDir(void); + +/* +** Should be called once during initialization to set the default +** directory for looking for cert.db, key.db, and cert-nameidx.db files +** Removes trailing '/' in 'base' +** If 'base' is NULL, defaults to set to .netscape in home directory. +*/ +extern char *SECU_ConfigDirectory(const char* base); + +/* +** Basic callback function for SSL_GetClientAuthDataHook +*/ +extern int +SECU_GetClientAuthData(void *arg, PRFileDesc *fd, + struct CERTDistNamesStr *caNames, + struct CERTCertificateStr **pRetCert, + struct SECKEYPrivateKeyStr **pRetKey); + +/* print out an error message */ +extern void SECU_PrintError(const char *progName, const char *msg, ...); + +/* print out a system error message */ +extern void SECU_PrintSystemError(const char *progName, const char *msg, ...); + +/* Return informative error string */ +extern const char * SECU_Strerror(PRErrorCode errNum); + +/* print information about cert verification failure */ +extern void +SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, + SECCertificateUsage certUsage, void *pinArg, PRBool verbose); + +/* Read the contents of a file into a SECItem */ +extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src); +extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src); + +/* Read in a DER from a file, may be ascii */ +extern SECStatus +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii); + +/* Indent based on "level" */ +extern void SECU_Indent(FILE *out, int level); + +/* Print integer value and hex */ +extern void SECU_PrintInteger(FILE *out, SECItem *i, const char *m, int level); + +/* Print ObjectIdentifier symbolically */ +extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, const char *m, int level); + +/* Print AlgorithmIdentifier symbolically */ +extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, const char *m, + int level); + +/* Print SECItem as hex */ +extern void SECU_PrintAsHex(FILE *out, SECItem *i, const const char *m, int level); + +/* dump a buffer in hex and ASCII */ +extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len); + +/* + * Format and print the UTC Time "t". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +extern void SECU_PrintUTCTime(FILE *out, SECItem *t, const char *m, int level); + +/* + * Format and print the Generalized Time "t". If the tag message "m" + * is not NULL, * do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, const char *m, + int level); + +/* + * Format and print the UTC or Generalized Time "t". If the tag message + * "m" is not NULL, do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, const char *m, int level); + +/* callback for listing certs through pkcs11 */ +extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data); + +/* Dump all certificate nicknames in a database */ +extern SECStatus +SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, + PRBool sortByName, PRBool sortByTrust); + +/* See if nickname already in database. Return 1 true, 0 false, -1 error */ +int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname); + +/* Dump contents of cert req */ +extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, const char *m, + int level); + +/* Dump contents of certificate */ +extern int SECU_PrintCertificate(FILE *out, SECItem *der, const char *m, int level); + +/* print trust flags on a cert */ +extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, const char *m, int level); + +/* Dump contents of public key */ +extern int SECU_PrintPublicKey(FILE *out, SECItem *der, const char *m, int level); + +#ifdef HAVE_EPV_TEMPLATE +/* Dump contents of private key */ +extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level); +#endif + +/* Print the MD5 and SHA1 fingerprints of a cert */ +extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m, + int level); + +/* Pretty-print any PKCS7 thing */ +extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, const char *m, + int level); + +/* Init PKCS11 stuff */ +extern SECStatus SECU_PKCS11Init(PRBool readOnly); + +/* Dump contents of signed data */ +extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, int level, + SECU_PPFunc inner); + +extern int SECU_PrintCrl(FILE *out, SECItem *der, const char *m, int level); + +extern void +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, const char *m, int level); + +extern void SECU_PrintString(FILE *out, SECItem *si, const char *m, int level); +extern void SECU_PrintAny(FILE *out, SECItem *i, const char *m, int level); + +extern void SECU_PrintPolicy(FILE *out, SECItem *value, const char *msg, int level); +extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + const char *msg, int level); + +extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + const char *msg, int level); + +extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level); + +#ifdef SECU_GetPassword +/* Convert a High public Key to a Low public Key */ +extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey); +#endif + +extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg); + +extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw); +extern void SEC_Init(void); + +extern char *SECU_SECModDBName(void); + +extern void SECU_PrintPRandOSError(const char *progName); + +extern SECStatus SECU_RegisterDynamicOids(void); + +/* Identifies hash algorithm tag by its string representation. */ +extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg); + +/* Store CRL in output file or pk11 db. Also + * encodes with base64 and exports to file if ascii flag is set + * and file is not NULL. */ +extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, + PRFileDesc *outFile, int ascii, char *url); + + +/* +** DER sign a single block of data using private key encryption and the +** MD5 hashing algorithm. This routine first computes a digital signature +** using SEC_SignData, then wraps it with an CERTSignedData and then der +** encodes the result. +** "arena" is the memory arena to use to allocate data from +** "sd" returned CERTSignedData +** "result" the final der encoded data (memory is allocated) +** "buf" the input data to sign +** "len" the amount of data to sign +** "pk" the private key to encrypt with +*/ +extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd, + unsigned char *buf, int len, + SECKEYPrivateKey *pk, SECOidTag algID); + +typedef enum { + noKeyFound = 1, + noSignatureMatch = 2, + failToEncode = 3, + failToSign = 4, + noMem = 5 +} SignAndEncodeFuncExitStat; + +extern SECStatus +SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, + SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode); + +extern SECStatus +SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl); + +/* +** Finds the crl Authority Key Id extension. Returns NULL if no such extension +** was found. +*/ +CERTAuthKeyID * +SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl); + +/* + * Find the issuer of a crl. Cert usage should be checked before signing a crl. + */ +CERTCertificate * +SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject, + CERTAuthKeyID* id, PRTime validTime); + + +/* call back function used in encoding of an extension. Called from + * SECU_EncodeAndAddExtensionValue */ +typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena, + void *value, SECItem *encodedValue); + +/* Encodes and adds extensions to the CRL or CRL entries. */ +SECStatus +SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, + void *value, PRBool criticality, int extenType, + EXTEN_EXT_VALUE_ENCODER EncodeValueFn); + + +/* + * + * Utilities for parsing security tools command lines + * + */ + +/* A single command flag */ +typedef struct { + char flag; + PRBool needsArg; + char *arg; + PRBool activated; +} secuCommandFlag; + +/* A full array of command/option flags */ +typedef struct +{ + int numCommands; + int numOptions; + + secuCommandFlag *commands; + secuCommandFlag *options; +} secuCommand; + +/* fill the "arg" and "activated" fields for each flag */ +SECStatus +SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd); +char * +SECU_GetOptionArg(secuCommand *cmd, int optionNum); + +/* + * + * Error messaging + * + */ + +/* Return informative error string */ +char *SECU_ErrorString(int16 err); + +/* Return informative error string. Does not call XP_GetString */ +char *SECU_ErrorStringRaw(int16 err); + +void printflags(char *trusts, unsigned int flags); + +#ifndef XP_UNIX +extern int ffs(unsigned int i); +#endif + +#include "secerr.h" +#include "sslerr.h" + +#endif /* _SEC_UTIL_H_ */ diff --git a/base/native-tools/src/revoker/CMakeLists.txt b/base/native-tools/src/revoker/CMakeLists.txt new file mode 100644 index 000000000..5aa5ddff3 --- /dev/null +++ b/base/native-tools/src/revoker/CMakeLists.txt @@ -0,0 +1,30 @@ +project(revoker C) + +set(REVOKER_PRIVATE_INCLUDE_DIRS + ${CMAKE_BINARY_DIR} + ${NSPR_INCLUDE_DIRS} + ${NSS_INCLUDE_DIRS} +) + +set(REVOKER_LINK_LIBRARIES + ${NSPR_LIBRARIES} + ${NSS_LIBRARIES} +) + +set(revoker_SRCS + revoker.c + getopt.c +) + +include_directories(${REVOKER_PRIVATE_INCLUDE_DIRS}) + +add_executable(revoker ${revoker_SRCS}) + +target_link_libraries(revoker ${REVOKER_LINK_LIBRARIES}) + +install( + TARGETS revoker + RUNTIME DESTINATION ${BIN_INSTALL_DIR} + LIBRARY DESTINATION ${LIB_INSTALL_DIR} + ARCHIVE DESTINATION ${LIB_INSTALL_DIR} +) diff --git a/base/native-tools/src/revoker/getopt.c b/base/native-tools/src/revoker/getopt.c new file mode 100644 index 000000000..7554e1a14 --- /dev/null +++ b/base/native-tools/src/revoker/getopt.c @@ -0,0 +1,126 @@ +/** BEGIN COPYRIGHT BLOCK + * + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + * + * END COPYRIGHT BLOCK **/ +#ifdef XP_PC + +/* +** This comes from the AT&T public-domain getopt published in mod.sources +** (i.e., comp.sources.unix before the great Usenet renaming). +*/ + +#include <stdio.h> +#include <string.h> /* for str*() */ +#include <io.h> /* for write() */ + +int opterr = 1; /* boolean flag, says "report error on stderr." */ +int optind = 1; /* index to element of argv from which options are + ** being parsed. */ +int optopt = 0; /* option character */ +char *optarg; /* ptr to option's parameter arg. */ + +#ifdef _WIN32 +static void +do_opterr(const char *s, int c, char * const av[]) +{ + if (opterr) { + char buff[2]; + int fd = _fileno(stderr); + + buff[0] = (char)c; + buff[1] = '\n'; + (void)write(fd, av[0], strlen(av[0])); + (void)write(fd, s, strlen(s)); + (void)write(fd, buff, 2); + } +} +#define ERR(s, c) do_opterr(s, c, av) +#else +#define ERR(s, c) /* Win16 doesn't do stderr */ +#endif + +/* +** Return options and their values from the command line. +*/ +int +getopt(int ac, char * const av[], const char * opts) +{ + static int i = 1; /* offset of current option char in current arg. */ + char *p; /* opt char in opts that matched. */ + + /* Move to next value from argv? */ + if (i == 1) { + if (optind >= ac || av[optind][0] != '-' || av[optind][1] == '\0') + return EOF; + if (strcmp(av[optind], "--") == 0) { + optind++; + return EOF; + } + } + + /* Get next option character. */ + if ((optopt = av[optind][i]) == ':' || + (p = strchr(opts, optopt)) == NULL) { + ERR(": illegal option -- ", optopt); + if (av[optind][++i] == '\0') { + optind++; + i = 1; + } + return '?'; + } + + /* Snarf argument? */ + if (*++p == ':') { + if (av[optind][i + 1] != '\0') + optarg = &av[optind++][i + 1]; + else { + if (++optind >= ac) { + ERR(": option requires an argument -- ", optopt); + i = 1; + return '?'; + } + optarg = av[optind++]; + } + i = 1; + } else { + if (av[optind][++i] == '\0') { + i = 1; + optind++; + } + optarg = NULL; + } + + return optopt; +} + +#endif /* XP_PC */ diff --git a/base/native-tools/src/revoker/revoker.c b/base/native-tools/src/revoker/revoker.c new file mode 100644 index 000000000..c7fc76294 --- /dev/null +++ b/base/native-tools/src/revoker/revoker.c @@ -0,0 +1,882 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +/* vi: set ts=4 sw=4 : */ +#ifdef HAVE_CONFIG_H +#ifndef AUTOTOOLS_CONFIG_H +#define AUTOTOOLS_CONFIG_H + +/* Eliminate warnings when using Autotools */ +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include <config.h> +#endif /* AUTOTOOLS_CONFIG_H */ +#endif /* HAVE_CONFIG_H */ + +#include <stdio.h> +#include <string.h> +#include <time.h> + +#if defined(XP_UNIX) +#include <unistd.h> +#endif + +#include "ssl.h" + +#include "prerror.h" + +#include "pk11func.h" +#include "secitem.h" + + +#include <stdlib.h> +#include <errno.h> +#include <fcntl.h> +#include <stdarg.h> + +#include "nspr.h" +#include "prio.h" +#include "prnetdb.h" +#include "nss.h" + + +/* set Tabs to 8 */ + + +/*from nss2.8.4 secopt.h*/ +#ifdef XP_PC + +/* +** This comes from the AT&T public-domain getopt published in mod.sources +** (i.e., comp.sources.unix before the great Usenet renaming). +*/ + +extern int opterr; +extern int optind; +extern int optopt; +extern char *optarg; + +#ifdef _WIN32 +static void do_opterr(const char *s, int c, char * const av[]); +#define ERR(s, c) do_opterr(s, c, av) +#else +#define ERR(s, c) /* Win16 doesn't do stderr */ +#endif + +/* +** Return options and their values from the command line. +*/ +int getopt(int ac, char * const av[], const char * opts); +#else +#if defined(LINUX) +#include <getopt.h> +#endif +#endif /* XP_PC */ +/*end secopt.h*/ + +#define VERSIONSTRING "$Revision$ ($Date$)" + +#ifndef PORT_Sprintf +#define PORT_Sprintf sprintf +#endif + +#ifndef PORT_Strstr +#define PORT_Strstr strstr +#endif + +#ifndef PORT_Malloc +#define PORT_Malloc PR_Malloc +#endif + +#define RD_BUF_SIZE (60 * 1024) + +#define PRINTF if (verbose) printf +#define FPRINTF if (verbose) fprintf +#define FPUTS if (verbose) fputs + +#define MAX_SERIAL_LEN 8192 + +int MakeCertOK=1; + +int verbose; +SECItem bigBuf; + + +char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char *passwd = NULL; + + if ( (!retry) && arg ) { + passwd = PL_strdup((char *)arg); + } + + return passwd; +} + +static void +Usage(const char *progName) +{ + fprintf(stderr, + "Usage: %s -s serialNum -n rsa_nickname [-p password | -w pwfile ] [-d dbdir] \n" + " [-v] [-V] [-u] [-r reasoncode] [-i numberOfHours] hostname[:port]\n" + " serialNum: List of serial numbers to revoke, in hex, e.g. '0x31' or '0x44,0x643,0x22'\n" + " reasoncode: integer from 0 to 6, as follows\n" + " 0 = Unspecified (default)\n" + " 1 = Key compromised\n" + " 2 = CA key compromised\n" + " 3 = Affiliation changed\n" + " 4 = Certificate superseded\n" + " 5 = Cessation of operation\n" + " 6 = Certificate is on hold\n" + " -u : unrevoke (take off hold)\n" + " -v : verbose\n" + " -V : report version information\n", + progName); + exit(1); +} + + +static void +errWarn(char * funcString) +{ + PRErrorCode perr = PR_GetError(); + + FPRINTF(stderr, "exit after %s with error %d:\n", funcString,perr ); +} + +static void +errExit(char * funcString) +{ + errWarn(funcString); + exit(1); +} + +/* This invokes the "default" AuthCert handler in libssl. +** The only reason to use this one is that it prints out info as it goes. +*/ +static SECStatus +mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, + PRBool isServer) +{ + SECStatus rv; + CERTCertificate * peerCert; + + peerCert = SSL_PeerCertificate(fd); + + PRINTF("Subject: %s\nIssuer : %s\n", + peerCert->subjectName, peerCert->issuerName); + /* invoke the "default" AuthCert handler. */ + rv = SSL_AuthCertificate(arg, fd, checkSig, isServer); + + if (rv == SECSuccess) { + FPUTS("-- SSL3: Server Certificate Validated.\n", stderr); + } + /* error, if any, will be displayed by the Bad Cert Handler. */ + return rv; +} + +static SECStatus +myBadCertHandler( void *arg, PRFileDesc *fd) +{ + /* int err = PR_GetError(); */ + /* fprintf(stderr, "-- SSL: Server Certificate Invalid, err %d.\n%s\n", + err, SECU_Strerror(err)); */ + return (MakeCertOK ? SECSuccess : SECFailure); +} + + +SECStatus +my_GetClientAuthData(void * arg, + PRFileDesc * socket, + struct CERTDistNamesStr * caNames, + struct CERTCertificateStr ** pRetCert, + struct SECKEYPrivateKeyStr **pRetKey) +{ + CERTCertificate * cert = NULL; + SECKEYPrivateKey * privkey = NULL; + char * chosenNickName = (char *)arg; /* CONST */ + void * proto_win = NULL; + SECStatus rv = SECFailure; + + FPRINTF(stderr,"Called mygetclientauthdata - nickname = %s\n",chosenNickName); + + proto_win = SSL_RevealPinArg(socket); + + if (chosenNickName) { + cert = PK11_FindCertFromNickname(chosenNickName, proto_win); + FPRINTF(stderr," mygetclientauthdata - cert = %x\n",(unsigned int)cert); + if ( cert ) { + privkey = PK11_FindKeyByAnyCert(cert, proto_win); + FPRINTF(stderr," mygetclientauthdata - privkey = %x\n",(unsigned int)privkey); + if ( privkey ) { + rv = SECSuccess; + } else { + CERT_DestroyCertificate(cert); + } + } + } else { /* no name given, automatically find the right cert. */ + CERTCertNicknames * names; + int i; + + names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), + SEC_CERT_NICKNAMES_USER, proto_win); + if (names != NULL) { + for (i = 0; i < names->numnicknames; i++) { + cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win); + if ( !cert ) + continue; + /* Only check unexpired certs */ + if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != + secCertTimeValid ) { + CERT_DestroyCertificate(cert); + continue; + } + rv = NSS_CmpCertChainWCANames(cert, caNames); + if ( rv == SECSuccess ) { + privkey = PK11_FindKeyByAnyCert(cert, proto_win); + if ( privkey ) + break; + } + rv = SECFailure; + CERT_DestroyCertificate(cert); + } + CERT_FreeNicknames(names); + } + } + if (rv == SECSuccess) { + *pRetCert = cert; + *pRetKey = privkey; + } + return rv; +} + + + + +void +printSecurityInfo(PRFileDesc *fd) +{ + char * cp; /* bulk cipher name */ + char * ip; /* cert issuer DN */ + char * sp; /* cert subject DN */ + int op; /* High, Low, Off */ + int kp0; /* total key bits */ + int kp1; /* secret key bits */ + int result; + + static int only_once; + + if (! only_once++ && fd) { + result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); + if (result != SECSuccess) + return; +#if 0 + PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" + "subject DN: %s\n" + "issuer DN: %s\n", cp, kp1, kp0, op, sp, ip); +#else + PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n", + cp, kp1, kp0, op); +#endif + PR_Free(cp); + PR_Free(ip); + PR_Free(sp); + } + +} + + +PRBool useModelSocket = PR_TRUE; + +static const char outHeader[] = { + "HTTP/1.0 200 OK\r\n" + "Server: Netscape-Enterprise/2.0a\r\n" + "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n" + "Content-type: text/plain\r\n" + "\r\n" +}; + + +PRInt32 +do_writes( + void * a +) +{ + PRFileDesc * ssl_sock = (PRFileDesc *)a; + PRUint32 sent = 0; + PRInt32 count = 0; + + while (sent < bigBuf.len) { + + count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent); + if (count < 0) { + errWarn("PR_Write bigBuf"); + exit(4); + break; + } + FPRINTF(stderr, "PR_Write wrote %d bytes from bigBuf\n", count ); + FPRINTF(stderr, "bytes: [%*s]\n",count,bigBuf.data); + + sent += (PRUint32)count; + } + if (count >= 0) { /* last write didn't fail. */ + FPRINTF(stderr, "do_writes shutting down send socket\n"); + /* PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND); */ + } + + FPRINTF(stderr, "do_writes exiting with (failure = %d)\n",sent<bigBuf.len == SECFailure); + return (sent < bigBuf.len) ? SECFailure : SECSuccess; +} + + + + +SECStatus +do_io( PRFileDesc *ssl_sock, int connection) +{ + int countRead = 0; + PRInt32 rv; + char *buf; + int first=1; + + buf = PR_Malloc(RD_BUF_SIZE); + if (!buf) exit(5); + + + /* send the http request here. */ + + rv = do_writes(ssl_sock); + + if (rv == SECFailure) { + errWarn("returning from after calling do_writes"); + PR_Free(buf); + buf = 0; + exit(6); + } + printSecurityInfo(ssl_sock); + + /* read until EOF */ + while (1) { + rv = PR_Read(ssl_sock, buf, RD_BUF_SIZE); + if (rv == 0) { + break; /* EOF */ + } + if (rv < 0) { + errWarn("PR_Read"); + exit(1); + } + + countRead += rv; + FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", + connection, rv, countRead ); + FPRINTF(stderr, "these bytes read:\n"); + if (verbose) { + PR_Write(PR_STDERR,buf,rv); + PR_fprintf(PR_STDERR, "\n"); + } + + if (first) { + first=0; + if (rv < 13) { + errWarn("not enough bytes read in first read"); + exit(2); + } else { + if ( ! PL_strnstr(buf,"200",13)) { + exit(3); + } + } + } + } + PR_Free(buf); + buf = 0; + + /* Caller closes the socket. */ + + FPRINTF(stderr, + "connection %d read %d bytes total. -----------------------------\n", + connection, countRead); + + return SECSuccess; /* success */ +} + +int +do_connect( + PRNetAddr *addr, + PRFileDesc *model_sock, + int connection) +{ + PRFileDesc * ssl_sock; + PRFileDesc * tcp_sock; + PRStatus prStatus; + SECStatus result; + int rv = SECSuccess; + PRSocketOptionData opt; + + int family = PR_NetAddrFamily( addr ); + + tcp_sock = PR_OpenTCPSocket( family ); + if (tcp_sock == NULL) { + errExit("PR_OpenTCPSocket on tcp socket"); + } + + opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(tcp_sock, &opt); + if (prStatus != PR_SUCCESS) { + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + /* Don't return SECFailure? */ + return SECSuccess; + } + + prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); + if (prStatus != PR_SUCCESS) { + errWarn("PR_Connect"); + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(6); + } + + ssl_sock = SSL_ImportFD(model_sock, tcp_sock); + /* XXX if this import fails, close tcp_sock and return. */ + if (!ssl_sock) { + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(7); + } + + rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); + if (rv != SECSuccess) { + errWarn("SSL_ResetHandshake"); + exit(8); + } + + result = do_io( ssl_sock, connection); + + if( ssl_sock != NULL ) { + PR_Close(ssl_sock); + ssl_sock = NULL; + } + return SECSuccess; +} + +/* Returns IP address for hostname as PRUint32 in Host Byte Order. +** Since the value returned is an integer (not a string of bytes), +** it is inherently in Host Byte Order. +*/ +PRUint32 +getIPAddress(const char * hostName) +{ + const unsigned char *p; + PRStatus prStatus; + PRUint32 rv; + PRHostEnt prHostEnt; + char scratch[PR_NETDB_BUF_SIZE]; + + prStatus = PR_GetHostByName(hostName, scratch, sizeof scratch, &prHostEnt); + if (prStatus != PR_SUCCESS) + errExit("PR_GetHostByName"); + +#undef h_addr +#define h_addr h_addr_list[0] /* address, for backward compatibility */ + + p = (const unsigned char *)(prHostEnt.h_addr); /* in Network Byte order */ + FPRINTF(stderr, "%s -> %d.%d.%d.%d\n", hostName, p[0], p[1], p[2], p[3]); + rv = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; + return rv; +} + +void +client_main( + unsigned short port, + int connections, + SECKEYPrivateKey ** privKey, + CERTCertificate ** cert, + const char * hostName, + char * nickName) +{ + PRFileDesc *model_sock = NULL; + int rv; + + + FPRINTF(stderr, "port: %d\n", port); + + /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ + NSS_SetDomesticPolicy(); + + /* all the SSL2 and SSL3 cipher suites are enabled by default. */ + /* SSL_CipherPrefSetDefault(0xC005 */ + /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */ + /*, PR_TRUE); */ + + /* + * Rifle through the values for the host + */ + + PRAddrInfo *ai; + void *iter; + PRNetAddr addr; + int family = PR_AF_INET; + + ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); + if (ai) { + FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); + iter = NULL; + while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { + family = PR_NetAddrFamily(&addr); + FPRINTF( stderr, "family='%d'\n", family ); + break; + } + PR_FreeAddrInfo(ai); + } + + PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); + + model_sock = PR_OpenTCPSocket( family ); + if (model_sock == NULL) { + errExit("PR_OpenTCPSocket on tcp socket"); + } + + /* Should we really be re-using the same socket? */ + model_sock = SSL_ImportFD(NULL, model_sock); + + + /* check on success of call to SSL_ImportFD() */ + if (model_sock == NULL) { + errExit("SSL_ImportFD"); + } + + /* enable ECC cipher also */ + + /* do SSL configuration. */ + + rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); + if (rv < 0) { + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } + errExit("SSL_OptionSet SSL_SECURITY"); + } + + SSL_SetURL(model_sock, hostName); + + SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, + (void *)CERT_GetDefaultCertDB()); + + SSL_BadCertHook(model_sock, myBadCertHandler, NULL); + + SSL_GetClientAuthDataHook(model_sock, + (SSLGetClientAuthData)my_GetClientAuthData, + nickName); + + /* I'm not going to set the HandshakeCallback function. */ + + /* end of ssl configuration. */ + + rv = do_connect(&addr, model_sock, 1); + + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } +} + + +SECStatus +createRequest(char * serials, char *reason, char *invalidity, int take_off_hold) +{ + int tmpI; + char *s; + char **strs=NULL; + char *filter = NULL; + int count = 0; + int range = 0; + int i; + char *old; + char * newstr; + char * iDate; + time_t ltime; + time_t itime; + long l; + + tmpI = strlen(serials); + if (tmpI >= MAX_SERIAL_LEN) { + fputs("Serial number length invalid.\n", stderr); + exit(1); + } + + strs = PR_Malloc((sizeof (char*)) * strlen(serials)); + if (strs == NULL) exit(1); + + /* example serials: + 23-25 + 0x34523 + 0x1010,0x10101 + 0x94,0x2202,0x10101,0202 + */ + + s = serials; + s = strchr(serials,'-'); + if (s != NULL) { + strs[count++] = serials; + *s = '\0'; + s++; + strs[count++] = s; + range = 1; + } else { + s = serials; + while (1) { + strs[count++] = s; + s = strchr(s,','); + if (s == NULL) {break;} + *s = '\0'; + s++; + } + } + + if (range == 0) { + old = ""; + for (i=0; i<count; i++) { + filter = PR_smprintf("%s(certRecordId%%3D%s)",old,strs[i]); + if (i>0) PR_smprintf_free(old); + old = filter; + } + } else { + filter = PR_smprintf("(%%26(certRecordId>%%3D%s)(certRecordId<%%3D%s))",strs[0],strs[1]); + } + + iDate = ""; + if (invalidity != NULL) { + time( <ime ); + l = atol(invalidity); + l *= 3600; + itime = (time_t)l; + ltime -= itime; + iDate = PR_smprintf("invalidityDate=%ld000&", ltime); + } + + if (take_off_hold > 0) { + newstr = PR_smprintf( + "GET /ca/doUnrevoke?serialNumber=%s HTTP/1.0\r\n\r\n", + strs[0]); + } else { + newstr = PR_smprintf( + "GET /ca/doRevoke?op=doRevoke&" + "revocationReason=%s&%s" + "revokeAll=(|%s)&totalRecordCount=1 HTTP/1.0\r\n\r\n", + reason,iDate, + filter); + } + + if (strlen(iDate) > 0) PR_smprintf_free(iDate); + if (filter != NULL) PR_smprintf_free(filter); + if (strs != NULL) PR_Free(strs); + + bigBuf.data = (unsigned char *)newstr; + + FPUTS((char *)bigBuf.data, stderr); + + bigBuf.len = PORT_Strlen((char *)bigBuf.data); + + return SECSuccess; +} + +int +main(int argc, char **argv) +{ + char * dir = "."; + char * hostName = NULL; + char * nickName = NULL; + char * progName = NULL; + char * serial = NULL; + char * tmp = NULL; + CERTCertificate * cert [kt_kea_size] = { NULL }; + SECKEYPrivateKey * privKey[kt_kea_size] = { NULL }; + int optchar; + int connections = 1; + int tmpI; + unsigned short port = 443; + SECStatus rv; + char * passwd = NULL; + char * passwdfile = NULL; + char * revocation_reason = NULL; + char * invalidity_date = NULL; + int take_off_hold = 0; + FILE *fp; + char pwbuf[256]; + int co; + char *crlf; + + /* Call the NSPR initialization routines */ + PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + + tmp = strrchr(argv[0], '/'); + tmp = tmp ? tmp + 1 : argv[0]; + progName = strrchr(tmp, '\\'); + progName = progName ? progName + 1 : tmp; + + + while ((optchar = getopt(argc, argv, "Vd:n:p:s:r:i:w:uv")) != -1) { + switch(optchar) { + +/* Version */ + case 'V': + printf("%s\n",VERSIONSTRING); + PR_Cleanup(); + return 0; + +/* Directory which holds cert8.db and key3.db */ + case 'd': + dir = optarg; + break; + +/* Nickname of certificate to use */ + case 'n': + nickName = optarg; + break; + +/* password to open key3.db */ + case 'p': + passwd = optarg; + break; + +/* name of file holding password for key3.db */ + case 'w': + passwdfile = optarg; + break; + +/* revocation reason */ + case 'r': + revocation_reason = optarg; + break; + +/* invalidity date */ + case 'i': + invalidity_date = optarg; + break; + +/* unrevoke - take off hold */ + case 'u': + take_off_hold++; + break; + +/* serial number */ + case 's': + serial = optarg; + break; + + case 'v': + verbose++; + break; + + default: + case '?': + fprintf( stderr, "ERROR: Invalid option!\n" ); + Usage(progName); + break; + + } + } + + if (optind != argc - 1) { + fprintf( stderr, "ERROR: Invalid number of arguments!\n" ); + Usage(progName); + } + + hostName = argv[optind]; + tmp = strchr(hostName, ':'); + if (tmp) { + *tmp++ = 0; + tmpI = atoi(tmp); + if (tmpI <= 0) { + fprintf( stderr, "ERROR: Invalid port!\n" ); + Usage(progName); + } + port = (unsigned short)tmpI; + } + + if (revocation_reason == NULL) { + revocation_reason = "0"; + } + + if (!nickName || !serial) { + fprintf( stderr, "ERROR: Invalid nickname or serial number!\n" ); + Usage(progName); + } + + createRequest(serial,revocation_reason,invalidity_date,take_off_hold); + + if (passwdfile) { + fp = fopen(passwdfile,"r"); + if (!fp) { fprintf(stderr, "Couldn't open password file\n"); exit(7); } + co = fread(pwbuf,1,256,fp); + pwbuf[co] = '\0'; + crlf = PL_strchr(pwbuf,'\n'); + if (crlf) { + *crlf = '\0'; + } + passwd = pwbuf; + } + + /* set our password function */ + if (passwd == NULL) { + fprintf( stderr, "ERROR: Invalid password!\n" ); + PRINTF("Password must be provided on command line in this version of revoker.\n"); + Usage(progName); + } + PK11_SetPasswordFunc(ownPasswd); + + /* Call the libsec initialization routines */ + rv = NSS_Init(dir); + if (rv != SECSuccess) { + fputs("NSS_Init failed.\n", stderr); + exit(1); + } + + cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd); + if (cert[kt_rsa] == NULL) { + fprintf(stderr, "Can't find certificate %s\n", nickName); + exit(1); + } + + privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd); + if (privKey[kt_rsa] == NULL) { + fprintf(stderr, "Can't find Private Key for cert %s (possibly incorrect password)\n", nickName); + exit(1); + } + + + client_main(port, connections, privKey, cert, hostName, nickName); + + NSS_Shutdown(); + PR_Cleanup(); + return 0; +} + diff --git a/base/native-tools/src/setpin/CMakeLists.txt b/base/native-tools/src/setpin/CMakeLists.txt new file mode 100644 index 000000000..b32e12b22 --- /dev/null +++ b/base/native-tools/src/setpin/CMakeLists.txt @@ -0,0 +1,43 @@ +project(setpin C) + +find_package(Ldap REQUIRED) + +set(SETPIN_PRIVATE_INCLUDE_DIRS + ${CMAKE_BINARY_DIR} + ${NSPR_INCLUDE_DIRS} + ${NSS_INCLUDE_DIRS} + ${LDAP_INCLUDE_DIRS} +) + +set(SETPIN_LINK_LIBRARIES + ${NSPR_LIBRARIES} + ${NSS_LIBRARIES} + ${LDAP_LIBRARIES} +) + +set(setpin_SRCS + b64.c + options.c + setpin.c + setpin_options.c +) + +include_directories(${SETPIN_PRIVATE_INCLUDE_DIRS}) + +add_executable(setpin ${setpin_SRCS}) + +target_link_libraries(setpin ${SETPIN_LINK_LIBRARIES}) + +install( + TARGETS setpin + RUNTIME DESTINATION ${BIN_INSTALL_DIR} + LIBRARY DESTINATION ${LIB_INSTALL_DIR} + ARCHIVE DESTINATION ${LIB_INSTALL_DIR} +) + +install( + FILES + setpin.conf + DESTINATION + ${SHARE_INSTALL_PREFIX}/pki/native-tools/ +) diff --git a/base/native-tools/src/setpin/b64.c b/base/native-tools/src/setpin/b64.c new file mode 100644 index 000000000..1c20f3792 --- /dev/null +++ b/base/native-tools/src/setpin/b64.c @@ -0,0 +1,102 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + + + + + + + +static char nib2b64[0x40f] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + + + +static int +ldif_base64_encode_internal( unsigned char *src, char *dst, int srclen, int lenused, int wraplen ) +{ + unsigned char *byte, *stop; + unsigned char buf[3]; + char *out; + unsigned long bits; + int i, pad, len; + + len = 0; + out = dst; + stop = src + srclen; + + /* convert to base 64 (3 bytes => 4 base 64 digits) */ + for ( byte = src; byte < stop - 2; byte += 3 ) { + bits = (byte[0] & 0xff) << 16; + bits |= (byte[1] & 0xff) << 8; + bits |= (byte[2] & 0xff); + + for ( i = 0; i < 4; i++, bits <<= 6 ) { + if ( wraplen != -1 && lenused >= 0 && lenused++ > wraplen ) { + *out++ = '\n'; + *out++ = ' '; + lenused = 2; + } + + /* get b64 digit from high order 6 bits */ + *out++ = nib2b64[ (bits & 0xfc0000L) >> 18 ]; + } + } + /* add padding if necessary */ + if ( byte < stop ) { + for ( i = 0; byte + i < stop; i++ ) { + buf[i] = byte[i]; + } + for ( pad = 0; i < 3; i++, pad++ ) { + buf[i] = '\0'; + } + byte = buf; + bits = (byte[0] & 0xff) << 16; + bits |= (byte[1] & 0xff) << 8; + bits |= (byte[2] & 0xff); + + for ( i = 0; i < 4; i++, bits <<= 6 ) { + if ( wraplen != -1 && lenused >= 0 && lenused++ > wraplen ) { + *out++ = '\n'; + *out++ = ' '; + lenused = 2; + } + + if (( i == 3 && pad > 0 ) || ( i == 2 && pad == 2 )) { + /* Pad as appropriate */ + *out++ = '='; + } else { + /* get b64 digit from low order 6 bits */ + *out++ = nib2b64[ (bits & 0xfc0000L) >> 18 ]; + } + } + } + + *out = '\0'; + + return( out - dst ); +} + + +int +ldif_base64_encode( unsigned char *src, char *dst, int srclen, int lenused ) +{ + return ldif_base64_encode_internal( src, dst, srclen, lenused, 200); +} + diff --git a/base/native-tools/src/setpin/options.c b/base/native-tools/src/setpin/options.c new file mode 100644 index 000000000..9e2dab129 --- /dev/null +++ b/base/native-tools/src/setpin/options.c @@ -0,0 +1,184 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + + + +#include "options.h" + +#include <stdio.h> +#include <string.h> +#include <assert.h> + +/* + * (C) 1998 Netscape Communications Corporation + * All rights reserved + * Intellectual property rulez! + * + */ + + + +/* this file maintains a static linked list of the + options it knows about +*/ + +static OPTION *option_list = NULL; +static OPTION *last_option = NULL; + +static char* OPT_parseArgument(char *arg,char**valid); + + +/* OPT_getValue(char *option, char** output) + + returns 1 if the specified option exists, + - value is put into 'output' + returns 0 if the specified option doesn't exist + - output is unchanged + +*/ + + +int OPT_getValue(char *option, char **output) { + OPTION *opt = option_list; + + while (opt) { + if (! strcmp(opt->name,option)) { + *output = opt->value; + return 1; + } + opt = opt->next; + } + return 0; +} + + +static char* OPT_parseOptFile(char *filename, char*validlist[]) +{ + FILE *fp; + char buffer[1024]; + + if (filename == NULL || filename[0] == '\0') { + return ("Bad syntax for 'optfile'\n"); + } + fp = fopen(filename,"r"); + if (fp == NULL) { + return ("Options file could not be opened for reading\n"); + } + while (fgets(buffer,1024,fp)) { + if (buffer[strlen(buffer)-1] == '\n') buffer[strlen(buffer)-1] = '\0'; + if (buffer[strlen(buffer)-1] == '\r') buffer[strlen(buffer)-1] = '\0'; + + OPT_parseArgument(strdup(buffer),validlist); + } + fclose(fp); + return NULL; +} + + + +static char *OPT_parseArgument(char *arg, char* validlist[]) { + char *error; + char *INV_ARG = "invalid argument: %s"; + char *eq; + + OPTION *new_opt; + + if (!strncmp(arg,"optfile=",8)) { + return OPT_parseOptFile(&arg[8],validlist); + } + + new_opt = (OPTION*)malloc(sizeof(OPTION)); + + new_opt->next = NULL; + new_opt->name = strdup(arg); + eq = strchr(new_opt->name,'='); + if (eq) { + *eq = 0; + } + new_opt->value = strchr(arg,'='); + + + if (new_opt->value != NULL) { + new_opt->value++; + } + + if (option_list == NULL) { + option_list = new_opt; + last_option = new_opt; + } + else { + last_option->next = new_opt; + last_option= new_opt; + } + if (!validlist) { + return NULL; + } + else { + int i=0; + while (validlist[i]) { + if (! strcmp(validlist[i],new_opt->name)) { + return NULL; + } + i+=2; + } + } + + error = (char *)malloc(strlen(INV_ARG)+strlen(new_opt->name)+5); + sprintf(error,INV_ARG,new_opt->name); + + return error; +} + + + + +/* char *OPT_parseOptions(int ac, char **av) + + constructs the linked list of options + ac: number of arguments + av: array of arguments + valid: array of valid arguments (can be null) + + returns: + NULL if no error + char* with error text if error. caller is responsible for + freeing this memory + +*/ + +char * OPT_parseOptions(int ac, char **av, char *valid[]) { + int i=0; + char *r=NULL; + + assert(option_list == NULL); + assert(last_option == NULL); + assert(av != NULL); + + if (ac == 1) return NULL; + + for (i=0; i<ac-1; i++) { + r = OPT_parseArgument(av[1+i],valid); + if (r) return r; + } + return r; +} + + + + diff --git a/base/native-tools/src/setpin/options.h b/base/native-tools/src/setpin/options.h new file mode 100644 index 000000000..80ccae478 --- /dev/null +++ b/base/native-tools/src/setpin/options.h @@ -0,0 +1,83 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + + + +#ifndef OPT_INCLUDE_H +#define OPT_INCLUDE_H + +#ifdef HAVE_CONFIG_H +#ifndef AUTOTOOLS_CONFIG_H +#define AUTOTOOLS_CONFIG_H + +/* Eliminate warnings when using Autotools */ +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include <config.h> +#endif /* AUTOTOOLS_CONFIG_H */ +#endif /* HAVE_CONFIG_H */ + +struct option { + struct option *next; + char *name; + char *value; +}; + +typedef struct option OPTION; + +/* OPT_getValue(char *option, char** output) + + returns 1 if the specified option exists, + - value is put into 'output' + returns 0 if the specified option doesn't exist + - output is unchanged + + 'value' will be everything after the '=' + If no '=' is present in the argument, 'output' will be + set to null. + If '=' is present, but no value is given (e.g. "file="), + output will be a pointer to a string of zero length. + +*/ + +extern int OPT_getValue(char *option, char **output); + +/* void OPT_parseOptions(int ac, char **av) + + initializes the global store with the options supplied + in av (typically used for parsing arguments passed on the + command line. Arguments are of the form 'arg=value'. + valid: array of valid arguments (can be null) + + returns: + NULL if no error + char* with error text if error. caller is responsible for + freeing this memory + + + +*/ + +extern char * OPT_parseOptions(int ac, char **av, char**valid); + +#endif diff --git a/base/native-tools/src/setpin/setpin.c b/base/native-tools/src/setpin/setpin.c new file mode 100644 index 000000000..f1bf6a8c7 --- /dev/null +++ b/base/native-tools/src/setpin/setpin.c @@ -0,0 +1,1237 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + + +/* Set-pin tool */ + + +/* This will modify the specified attribute in the directory + You must add the pin objectclass to the schema + e.g in config/slapd.oc.conf + + attribute pin bin + objectclass pinPerson + superior organizationalPerson + allows + pin +*/ + +/* + History: + version 1.2 - upgraded to NSS 3.3.1 + */ + +#define SETPIN_VERSION "1.2" + +#include "options.h" +#include "setpin_options.h" +#include <stdio.h> +#include <string.h> +#include <assert.h> + +#include <ldap.h> + +#define USE_NSS_RANDOM + +#ifdef USE_NSS_RANDOM +/* removed #include <secrng.h> as of NSS 3.9 */ +/* removed from nss3_3_1 secrngt.h*/ +typedef struct RNGContextStr RNGContext; +#endif + +#include <sechash.h> + +#include <plhash.h> +#include <prerror.h> +#include <ctype.h> + +#include <secoidt.h> +#include <nss.h> + +extern int equals(char *s, char *t); +extern SECStatus PK11_HashBuf(SECOidTag hashAlg, + unsigned char *out, + unsigned char *in, + int32 len); +extern SECStatus PK11_GenerateRandom(unsigned char *data, + int len); + +/* use NSS's new generic hash api */ +#define USE_NSS_GEN_HASH + +void exitError(char *errstring); +void exitLDAPError(char *errstring); +void doLDAPBind(); +void doLDAPSearch(LDAPMessage **result); +void doLDAPUnbind(); +void processSearchResults(LDAPMessage *r); +char *newPassword(); +void initrandom(); +void testpingen(); +void do_setup(); + + +char *sha1_pw_enc( char *pwd ); + +int errcode=0; + +LDAP *ld=NULL; +char *programName = NULL; + +FILE *output; +FILE *input; + + +PLHashTable *pinHashTable=NULL; + +#ifdef USE_NSS_RANDOM +RNGContext *rngc = NULL; +#endif + +/* this tool should really be changed to use NSPR */ +#ifdef _WIN32 +#define strcasecmp stricmp +#endif + +void exitError(char *errstring) { + char *errbuf; + + errbuf = malloc(strlen(errstring)+strlen(programName)+10); + + sprintf(errbuf,"%s error : %s\n",programName,errstring); + fputs(errbuf,stderr); + exit(errcode); +} + + +void exitLDAPError(char *errstring) { + char *ldaperr; + char *newerror; + int err; + + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); + ldaperr = ldap_err2string(err); + newerror = (char*) malloc((errstring?strlen(errstring):0) + (ldaperr?strlen(ldaperr):0) +5); + sprintf(newerror,"%s (%s)",errstring?errstring:"",ldaperr?ldaperr:""); + exitError(newerror); +} + + +/* This returns an allocated string, like strdup does, except that + the duplicate string begins with the first non-whitespace character */ + +char * trim_strdup(char *s) +{ + while (*s == ' ' || *s == '\t') { + s++; + } + if (*s == '\0') return NULL; + return strdup(s); +} + +void readInputFile() { + int more_to_read=1; + char *thedn = NULL; + char *thepin = NULL; + int linenum=0; + + pinHashTable = PL_NewHashTable(256, + PL_HashString, + PL_CompareStrings, + PL_CompareValues, + NULL, /* allocOps */ + NULL); + if (pinHashTable == NULL) { + errcode=9; + exitError("Couldn't create dn->pin hashtable"); + } + + if (o_input) { + + do { + char line[4096]; + char *n; + char *checkdn; + + do { + n = fgets(line,4096,input); + linenum++; + if (! n) { + more_to_read = 0; + break; + } + + /* replace newline with null byte */ + + line[strlen(line)-1] = 0; + + if (! strncmp("dn:",line,3)) { + thedn = trim_strdup(&line[3]); + if (thedn == NULL) { + fprintf(stderr,"warning: empty line not allowed at line: %d\n",linenum); + } + } + + if (! strncmp("pin:",line,4)) { + thepin = trim_strdup(&line[4]); + } + + } while (strlen(line)); + + /* first check to see if that dn is already in the hashtable */ + + if (thepin == NULL) { + thepin = strdup(""); + } + + if (thedn && thepin) { + + checkdn = (char*) PL_HashTableLookup(pinHashTable, thedn); + if (checkdn) { + char msg[256]; + errcode = 10; + strcpy(msg,"Duplicate entry in input file for dn="); + strcat(msg,thedn); + exitError(msg); + } + + PL_HashTableAdd(pinHashTable, + thedn, + thepin); + fprintf(stderr, "Reading dn/pin ( %s, %s )\n", thedn, thepin); + if (o_debug) { + fprintf(stderr, "Reading dn/pin ( %s, %s )\n", thedn, thepin); + } + + } else { + if (o_debug) { + fprintf(stderr," ...ignoring\n"); + } + } + if (thedn != NULL) { + free(thedn); + thedn = NULL; + } + if (thepin != NULL) { + free(thepin); + thepin = NULL; + } + } while (more_to_read); + } +} + + +int main(int ac, char **av) { + char *error; + LDAPMessage *search_results; + + programName = av[0]; + if (strlen(av[0]) == 0) { + strcpy(programName, "setpin"); + } + else { + strcpy(programName, av[0]); + } + + if (ac == 1) { + int i=0; + fprintf(stderr,"Setpin utility. Version " SETPIN_VERSION "\n" + "(C) 2005 Fedora Project.\n\n"); + fprintf(stderr,"To set up directory for pin usage, modify setpin.conf, " + "then run:\n %s optfile=<svr_root>/bin/cert/tools/setpin.conf\n", programName); + fprintf(stderr,"\nUsage: %s option=value ... option=value\n\n", programName); + + for (i = 0; i < valid_args_len; i += 2) { + if (valid_args[i]) { + fprintf(stderr,"%13s : %s\n",valid_args[i],valid_args[i+1]); + } else { + errcode=0; + fprintf(stderr,"\n"); + exit(errcode); + } + } + } + + error = OPT_parseOptions(ac, av, valid_args); + if (error) { + errcode=7; + exitError(error); + } + + setDefaultOptions(); + + getOptions(); + fprintf(stderr,"\n"); + if (o_debug) { + fprintf(stderr,"about to validateOptions\n"); + } + + validateOptions(); + + /* Initialize random number generator */ + initrandom(); + + if (o_debug) { + fprintf(stderr,"about to doLDAPBind\n"); + } + + if (! o_testpingen) { + doLDAPBind(); + } + + if (o_setup) { + do_setup(); + } + + if (o_output) { + output = fopen(o_output,"w"); + if (!output) { + errcode=5; + exitError("Couldn't open output file"); + } + } else { + output = stdout; + } + + if (o_testpingen) { + testpingen(); + exit(0); + } + + if (o_input) { + input = fopen(o_input,"r"); + if (!input) { + errcode=8; + exitError("Couldn't open input file"); + } + } + + readInputFile(); + + if (o_debug) { + fprintf(stderr,"about to doLDAPSearch\n"); + } + + doLDAPSearch(&search_results); + + if (o_debug) { + fprintf(stderr,"about to processSearchResults\n"); + } + + processSearchResults(search_results); + + if (output != stdout) { + fclose(output); + } + + return 0; +} + + + +/* This function implements the 'setup' procedure, invoked when the user + specified 'setup' as one of the arguments. The point is that in this + mode, schema modifications are performed to add these things to the + directory schema: + if (schemachange argument is specified) + - 'pin' attribute as specified by the 'attribute' argument (default 'pin') + - 'pinPerson' objectclass as specified by the 'objectclass argument (dfl: pinperson) + if ('pinmanager' argument specified) + - pin manager user, with permission to remove the pin for the basedn specified + +*/ + +void do_setup() { + int i; + + char *x_values[]={NULL,NULL,NULL}; + char *a1_values[]={NULL,NULL}; + char *a2_values[]={NULL,NULL}; + char *a3_values[]={NULL,NULL}; + char *a4_values[]={NULL,NULL}; + LDAPMod x,a1,a2,a3,a4; + LDAPMod *mods[10]; + char* password=NULL; + int err; + + x_values[0] = malloc(1024); + + doLDAPBind(); + + if (o_schemachange) { + sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.5' SINGLE-VALUE )", + o_attribute, + o_attribute); + + fprintf(stderr,"Adding attribute: %s\n",x_values[0]); + x_values[1] = NULL; + x.mod_op = LDAP_MOD_ADD; + x.mod_type = "attributetypes"; + x.mod_values = x_values; + mods[0] = &x; + mods[1] = NULL; + + i = ldap_modify_ext_s(ld, "cn=schema", mods, NULL, NULL); + + if (i != LDAP_SUCCESS) { + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); + if (err != LDAP_TYPE_OR_VALUE_EXISTS) { + exitLDAPError("couldn't modify schema when creating pin attribute"); + } else { + fprintf(stderr," .. successful\n\n"); + } + } + + sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined ObjectClass' SUP 'top' MUST ( objectclass ) MAY ( aci $ %s )", + o_objectclass,o_objectclass, + o_attribute); + + fprintf(stderr,"Adding objectclass: %s\n",x_values[0]); + + x_values[1] = NULL; + x.mod_op = LDAP_MOD_ADD; + x.mod_type = "objectclasses"; + x.mod_values = x_values; + mods[0] = &x; + mods[1] = NULL; + + + i = ldap_modify_ext_s(ld, "cn=schema", mods, NULL, NULL); + + if (i != LDAP_SUCCESS) { + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); + if (err != LDAP_TYPE_OR_VALUE_EXISTS) { + exitLDAPError("couldn't modify schema when creating objectclass"); + } else { + fprintf(stderr," .. successful\n\n"); + } + } + } + + if (o_pinmanager) { + + if (o_pinmanagerpwd == NULL) { + exitError("missing pinmanagerpwd argument"); + } + if (o_basedn == NULL) { + exitError("missing basedn argument"); + } + + password = sha1_pw_enc( o_pinmanagerpwd ); + + fprintf(stderr,"Adding user: %s\n",o_pinmanager); + + a1_values[0] = "pinmanager"; + a1_values[1] = NULL; + a1.mod_op = 0; + a1.mod_type = "sn"; + a1.mod_values = a1_values; + + a2_values[0] = "pinmanager"; + a2_values[1] = NULL; + a2.mod_op = 0; + a2.mod_type = "cn"; + a2.mod_values = a2_values; + + a3_values[0] = password; + a3_values[1] = NULL; + a3.mod_op = 0; + a3.mod_type = "userPassword"; + a3.mod_values = a3_values; + + a4_values[0] = "person"; + a4_values[1] = NULL; + a4.mod_op = 0; + a4.mod_type = "objectclass"; + a4.mod_values = a4_values; + + mods[0] = &a1; + mods[1] = &a2; + mods[2] = &a3; + mods[3] = &a4; + mods[4] = NULL; + + + i = ldap_add_ext_s(ld, o_pinmanager, mods, NULL, NULL); + + if (i != LDAP_SUCCESS) { + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); + if (!( err == LDAP_TYPE_OR_VALUE_EXISTS || err == LDAP_ALREADY_EXISTS)) { + exitLDAPError("couldn't create new user"); + } else { + fprintf(stderr," .. successful\n\n"); + } + } + + + /* modify aci on basedn to allow pinmanager to modify pin attr */ + + fprintf(stderr,"modifying ACI for: %s\n",o_basedn); + + sprintf(x_values[0],"(target=\"ldap:///%s\")" + "(targetattr=\"pin\")" + "(version 3.0; acl \"Pin attribute\"; " + "allow (all) userdn = \"ldap:///%s\"; " + "deny(proxy,selfwrite,compare,add,write,delete,search) " + "userdn = \"ldap:///self\"; ) ", + o_basedn, + o_pinmanager); + + x_values[1] = malloc(1024); + + sprintf(x_values[1],"(target=\"ldap:///%s\")" + "(targetattr=\"objectclass\")" + "(version 3.0; acl \"Pin Objectclass\"; " + "allow (all) userdn = \"ldap:///%s\"; " + " ) ", + o_basedn, + o_pinmanager); + + x_values[2] = NULL; + x.mod_op = LDAP_MOD_ADD; + x.mod_type = "aci"; + x.mod_values = x_values; + + mods[0] = &x; + mods[1] = NULL; + + i = ldap_modify_ext_s(ld, o_basedn, mods, NULL, NULL); + + if (i != LDAP_SUCCESS) { + ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); + if (!( err == LDAP_TYPE_OR_VALUE_EXISTS || err == LDAP_ALREADY_EXISTS)) { + exitLDAPError("couldn't modify aci on basedn"); + } else { + fprintf(stderr," .. successful\n\n"); + } + } + } + exit(0); +} + +int ldif_base64_encode( + unsigned char *src, char *dst, int srclen, int lenused ); + +/* do password hashing */ + +/* + * Number of bytes each hash algorithm produces + */ +#define SHA1_LENGTH 20 + + +char * +sha1_pw_enc( char *pwd ) +{ + unsigned char hash[ SHA1_LENGTH ]; + char *enc; + + /* SHA1 hash the user's key */ + PK11_HashBuf(SEC_OID_SHA1,hash,pwd,strlen(pwd)); + enc = malloc(256); + + sprintf( enc, "{SHA}"); + + (void)ldif_base64_encode( hash, enc + 5, + SHA1_LENGTH, -1 ); + + return( enc ); +} + +/* check the first 8 characters to see if this is a string */ + +int isstring(char *s) { + int i=0; + + for (i=0;i<8;i++) { + if (*s == 0) return 1; + if (! isprint(*s)) return 0; + s++; + } + return 1; +} + + +void doLDAPBind() { + char errbuf[1024]; + char ldapuri[1024]; + int port=389; + int r; + int status; + + if (o_port == NULL) { + if (o_ssl) { + port = 636; + /* fprintf(stderr,"o_ssl = %0x, o_certdb = %0x, o_nickname= %0x\n",o_ssl,o_certdb,o_nickname); */ + } else { + port = 389; + } + } else { + port = atoi(o_port); + } + + if (o_debug) { + fprintf(stderr,"# connecting to %s:%d\n",o_host,port); + } + + if (o_ssl) { + printf("SSL not currently supported.\n"); + exit(0); + /* ld = ldapssl_init(o_host,port,LDAPSSL_AUTH_CNCHECK); */ + } else { + snprintf(ldapuri, 1024, "ldap://%s:%i", o_host, port); + status = ldap_initialize(&ld, ldapuri); + } + + if ((status != LDAP_SUCCESS) || (ld == NULL)) { + errcode=4; + exitError("could not connect to directory server"); + } + + if (o_debug) { + fprintf(stderr,"# ldap_init completed\n"); + } + + struct berval credential; + credential.bv_val = o_bindpw; + credential.bv_len= strlen(o_bindpw); + + r = ldap_sasl_bind_s(ld, o_binddn, LDAP_SASL_SIMPLE, &credential, NULL, NULL, NULL); + if (r != LDAP_SUCCESS) { + sprintf(errbuf,"could not bind to %s:%d as %s",o_host,port,o_binddn); + if (strstr(o_binddn,"=") == NULL) { + strcat(errbuf,". Perhaps you missed the 'CN=' part of the bin DN?"); + } + exitLDAPError(errbuf); + } + + if (o_debug) { + fprintf(stderr,"# ldap_simple_bind_s completed\n"); + } +} + + +void doLDAPSearch(LDAPMessage **result ) { + int r; + char errbuf[1024]; + + r = ldap_search_ext_s( ld, o_basedn, LDAP_SCOPE_SUBTREE, + o_filter, NULL, 0, NULL, NULL, NULL, 0, result ); + + if (r != LDAP_SUCCESS ) { + sprintf(errbuf,"could not complete search with that filter. Check filter and basedn"); + exitLDAPError(errbuf); + } + + if (o_debug) { + fprintf(stderr,"# ldap_search_s completed\n"); + } +} + +void doLDAPUnbind(){ + ldap_unbind_ext_s(ld, NULL, NULL); +} + + +void processSearchResults(LDAPMessage *r) { + LDAPMessage *e; + char *dn; + char *a; + struct berval **vals; +#ifdef USE_NSS_GEN_HASH + /* HASHContext *hcx; + HASH_HashType ht; */ +#else +#endif + int i; + BerElement *ber; + char *objectclass_values[]={NULL,NULL}; + int change=0; + int pin_objectclass_exists=0; + LDAPMod objectclass, pinattribute; + LDAPMod *mods[3]; + SECStatus status = SECFailure; + + char *saltval; + int action; + char *hashbuf_source = NULL; + char hashbuf_dest[256]; + char errbuf[1024]; + int pindatasize= 0; + char *pindata = NULL; + char *generatedPassword = NULL; + struct berval *bvals[2]; + struct berval bval; + + bvals[0] = &bval; + bvals[1] = NULL; + + /* Check whether any results were found. */ + i = ldap_count_entries( ld, r ); + + fprintf(stderr,"filter %s found %d matching results.\n", o_filter,i); + + /* for each entry print out name + all attrs and values */ + for ( e = ldap_first_entry( ld, r ); e != NULL; + e = ldap_next_entry( ld, e ) ) { + + generatedPassword = NULL; + + if ( (dn = ldap_get_dn( ld, e )) != NULL ) { + fprintf(stderr, "Processing: %s\n", dn ); + if (o_input) { + generatedPassword = (char*) PL_HashTableLookup(pinHashTable,dn); + if (generatedPassword) { + fprintf(stderr, " found user from input file\n"); + } + if (! generatedPassword) { + fprintf(stderr, " Skipping (not in input file)\n"); + continue; + } + } + } + + + /* what we do here is go through all the entries looking for + 'objectclass'. + */ + + pin_objectclass_exists = 0; + change = 0; + +#define ACTION_NONE 0 +#define ACTION_REPLACE 1 +#define ACTION_ADD 2 + + action = ACTION_ADD; + + saltval = NULL; + /* loop through the entries */ + for ( a = ldap_first_attribute( ld, e, &ber ); + a != NULL; a = ldap_next_attribute( ld, e, ber ) ) { + + if ((vals = ldap_get_values_len( ld, e, a)) != NULL ) { + + if (o_debug && (! strcasecmp(o_debug,"attrs"))) { + for ( i = 0; vals[i] != NULL; i++ ) { + char *bin; + bin = "<binary>"; + if (isstring(vals[i]->bv_val)) { + bin = vals[i]->bv_val; + } + + fprintf(stderr, " %s: %s\n",a,bin); + } + } + + if (o_debug) { + fprintf(stderr," examining attribute: %s\n",a); + for ( i = 0; vals[i] != NULL; i++ ) { + fprintf(stderr," val[%d]: %s\n",i,vals[i]->bv_val); + } + } + + if (o_saltattribute != NULL) { + if (!strcasecmp(a,o_saltattribute)) { + saltval = vals[0]->bv_val; + if (o_debug) { + fprintf(stderr," setting salt value to: %s\n",saltval); + } + } + } + + if (!strcasecmp(a,"objectclass")) { + /* check if we have a pin objectclass already */ + /* Cycle through all the values for this + entry, looking for the one which matches the + objectclass we specified */ + + /* if user specified objectclass= on the commandline, + without any value, then the objectclass is assumed to + exist already */ + if (strlen(o_objectclass) == 0) { + if (o_debug) { fprintf(stderr, " user objectclass assumed to already exist\n"); } + pin_objectclass_exists=1; + } else { + for ( i = 0; vals[i] != NULL; i++ ) { + if (o_debug) { + fprintf(stderr, " checking vals[%d]=%s == objectclass=%s -> %d \n", + i,vals[i]->bv_val, o_objectclass, strcasecmp(vals[i]->bv_val,o_objectclass)); + } + if (!strcasecmp(vals[i]->bv_val,o_objectclass)) { + if (o_debug) { + fprintf(stderr, " %s: %s found\n", a, vals[i]->bv_val ); + } + pin_objectclass_exists = 1; + } + } + } + } else if (!strcasecmp(a,o_attribute)) { + if (o_clobber) { + action = ACTION_REPLACE; + } else { + action = ACTION_NONE; + } + } + + /* use ldap_value_free_len */ + ldap_value_free_len( vals ); + } + ldap_memfree( a ); + } + + if (o_debug) { fprintf(stderr, " Did the objectclass exist? %d\n", pin_objectclass_exists); } + + /* add the objectclass attribute if it doesn't already exist */ + + if (! pin_objectclass_exists) { + if (o_debug) { + fprintf(stderr,"objectclass: %s doesn't exist, adding\n",o_objectclass); + } + objectclass_values[0] = o_objectclass; + objectclass_values[1] = NULL; + objectclass.mod_op = LDAP_MOD_ADD; + objectclass.mod_type = "objectclass"; + objectclass.mod_values = objectclass_values; + mods[0] = &objectclass; + mods[1] = NULL; + + if (o_write) { + i = ldap_modify_ext_s(ld, dn, mods, NULL, NULL); + + if (i != LDAP_SUCCESS) { + exitLDAPError("couldn't modify attribute"); + } + } + } + + pinattribute.mod_type = o_attribute; + + /* password could have been set from input file. If not, set it now */ + if (generatedPassword == NULL || (strlen(generatedPassword) == 0)) { + generatedPassword = newPassword(); + } + if (generatedPassword == NULL || (strlen(generatedPassword) == 0)) { + errcode=13; + exitError("Couldn't generate password."); + } + + /* should we hash the password? */ + if (o_hash) { + + /* we hash the DN of the user and the PIN together */ + + if (o_debug) { + fprintf(stderr,"checking salt attribute...\n"); + } + if (saltval == NULL) { + if (o_saltattribute != NULL) { + errcode = 11; + exitError("specified salt attribute not found for this user"); + } + if (o_debug) { + fprintf(stderr,"setting salt attribute to dn...\n"); + } + saltval = dn; + } + + hashbuf_source = + malloc(strlen(saltval) + strlen(generatedPassword) + 10); + if (hashbuf_source == NULL) { + errcode=12; + exitError("Couldn't allocate 'hashbuf_source'."); + } + strcpy(hashbuf_source,saltval); + strcat(hashbuf_source,generatedPassword); + + if (o_debug) { + fprintf(stderr,"hashing this: %s\n",hashbuf_source); + } + + saltval = NULL; + + /* We leave one byte at the beginning of the hash + buffer, to support the hash type */ + +#define SENTINEL_SHA1 0 +#define SENTINEL_MD5 1 +#define SENTINEL_NONE '-' + + if ((!strcmp(o_hash,"SHA1")) || (!strcmp(o_hash,"sha1")) ) { + status = PK11_HashBuf(SEC_OID_SHA1, + (unsigned char *)hashbuf_dest+1, + (unsigned char *)hashbuf_source, + strlen(hashbuf_source) + ); + hashbuf_dest[0] = SENTINEL_SHA1; + pindatasize = SHA1_LENGTH + 1; + } else if ((!strcmp(o_hash,"MD5")) || (!strcmp(o_hash,"md5")) ) { + status = PK11_HashBuf(SEC_OID_MD5, + (unsigned char *)hashbuf_dest+1, + (unsigned char *)hashbuf_source, + strlen(hashbuf_source) + ); + hashbuf_dest[0] = SENTINEL_MD5; + pindatasize = MD5_LENGTH + 1; + } else if ((!strcmp(o_hash,"NONE")) || (!strcmp(o_hash,"none")) ) { + hashbuf_dest[0] = SENTINEL_NONE; + status = SECSuccess; + memcpy(hashbuf_dest+1, + hashbuf_source, + strlen(hashbuf_source) + ); + } else { + sprintf(errbuf,"Unsupported hash type '%s'. Must be one of 'sha1', 'md5' or 'none",o_hash); + errcode = 7; + exitError(errbuf); + } + + if (status != SECSuccess) { + sprintf(errbuf,"Error hashing pin (%d)",PR_GetError()); + errcode = 9; + exitError(errbuf); + } + + pindata = hashbuf_dest; + + if (hashbuf_source != NULL) { + free(hashbuf_source); + hashbuf_source = NULL; + } + } else { + pindata = generatedPassword; + pindatasize = strlen(generatedPassword); + } + + bval.bv_len = pindatasize; + bval.bv_val = pindata; + + fprintf(stderr," Adding new %s\n",o_attribute); + + if (! o_write) { + fprintf(stderr, " [NOTE: 'write' was not specified, so no changes will be made to the directory]\n"); + } + + pinattribute.mod_bvalues = bvals; + if (action == ACTION_REPLACE) { + pinattribute.mod_op = LDAP_MOD_REPLACE|LDAP_MOD_BVALUES; + if (o_debug) { + fprintf(stderr," %s exists, replacing\n",o_attribute); + } + } else if (action == ACTION_ADD) { + if (o_debug) { + fprintf(stderr," %s doesn't exist, adding\n",o_attribute); + } + pinattribute.mod_op = LDAP_MOD_ADD|LDAP_MOD_BVALUES; + } else if (action == ACTION_NONE) { + if (o_debug) { + fprintf(stderr," %s exists. not replacing\n",o_attribute); + } + goto skip_write; + } + mods[0] = &pinattribute; + mods[1] = NULL; + + if (o_write) { + i = ldap_modify_ext_s(ld, dn, mods, NULL, NULL); + + if (i != LDAP_SUCCESS) { + exitLDAPError("couldn't modify attribute"); + } + } + + skip_write: + + fprintf(output,"dn:%s\n",dn); + fprintf(output,"%s:%s\n",o_attribute,generatedPassword); + if (o_debug) { + fprintf(stderr,"o_write = %0x\n",(unsigned int)o_write); + } + if (! o_write) { + fprintf(output,"status:notwritten\n"); + } else { + if (action == ACTION_NONE) { + fprintf(output,"status:notreplaced\n"); + } else { + if (i != LDAP_SUCCESS) { + fprintf(output,"status:writefailed\n"); + } else { + if (action == ACTION_ADD) { + fprintf(output,"status:added\n"); + } else if (action == ACTION_REPLACE) { + fprintf(output,"status:replaced\n"); + } + } + } + } + + fprintf(output,"\n"); + + if (dn) { + ldap_memfree( dn ); + dn = NULL; + } + + if ( ber != NULL ) { + ber_free( ber, 0 ); + } + fprintf(stderr, "\n" ); + } + ldap_msgfree( r ); +} + + +/* this function uses i_minlength and i_maxlength to determine the + size of the password to generate */ + +static char *UCalpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; + + +static char *LCalpha = "abcdefghijklmnopqrstuvwxyz"; +static char *numbers = "0123456789"; +static char *punc = "!#$%&*+,-./:;<=>?@[]^{|}"; + +static char *charpool = NULL; /* carpool, geddit? */ +static int charpoolsize; + +static char *RNG_ALPHA = "RNG-alpha"; +static char *RNG_PRINTABLEASCII = "RNG-printableascii"; +static char *RNG_ALPHANUM = "RNG-alphanum"; + + +/* build the pool of characters we can use for the password */ + +void buildCharpool() { + char err_buf[1024]; + charpool = (char*) malloc(256); + + charpool[0] = '\0'; + + if ( o_case == NULL) { + strcat(charpool,LCalpha); /* then add the lowercase */ + } else { + if (strcmp(o_case,"upperonly")) { + errcode = 7; + exitError("Illegal value for case="); + } + } + + + if ( !strcmp(o_gen,RNG_ALPHA) || + !strcmp(o_gen,RNG_ALPHANUM) || + !strcmp(o_gen,RNG_PRINTABLEASCII) ) { + strcat(charpool,UCalpha); /* add uppercase chars */ + } else { + sprintf(err_buf,"invalid value '%s' for gen= option",o_gen); + errcode = 7; + exitError(err_buf); + } + + if ( strcmp(o_gen,"RNG-alpha")) { /* not alpha-only */ + strcat(charpool,numbers); + } + if (! strcmp(o_gen,"RNG-printableascii")) { + strcat(charpool, punc); + } + if (o_debug) { + fprintf(stderr,"Character pool: %s\n",charpool); + } + charpoolsize = strlen(charpool); +} + + +/* initialize random number generator */ + +void initrandom() { + char err_buf[1024]; +#ifdef USE_NSS_RANDOM + if( NSS_Initialize( "", + "", + "", + "", + NSS_INIT_NOCERTDB | + NSS_INIT_NOMODDB | + NSS_INIT_FORCEOPEN ) != SECSuccess ) { + sprintf(err_buf,"Couldn't initialize NSS (error code %d)\n",PR_GetError()); + errcode = 9; + exitError(err_buf); + } +#else + srand(time(NULL)); +#endif + +} + + +unsigned short getRandomShort() { + unsigned short r; +#ifdef USE_NSS_RANDOM + PK11_GenerateRandom( ( unsigned char * ) &r, sizeof( r ) ); + if (o_debug) { + /* fprintf(stderr,"Random: %d\n",r); */ + } + return r; +#else + return (unsigned short) rand(); +#endif +} + + +/* + * this function is important. It needs review. + * + * returns a random number in the range (0 .. max-1) + */ + +/* We have a short, rno, and we want to convert this to a number + in the required range by just using (rno % max). However, + this may result in some of the numbers at the end of 'rno's + range being selected more frequently. So, if random number + select is in this range, we will pick another. + + As an example, assume: + a short is 4 bits (0..15) + max is 6 + + 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 + a a a a a a b b b b b b X X X X + + we want to reject everything more than 11 + + we take 16 (that largest number which can be in a short+1) + divide by 'max', which is 6. This gives us 2. Multiply by + max, gives us 12. Subtract 1, which is 11, our highest + allowable range. Now we do the modulus. + +*/ + +unsigned short getRandomInRange(unsigned short max) { + unsigned short rno; + unsigned short result; + + unsigned short max_allowed_rno = + ((65536 / max) * max) -1; + + do { + rno = getRandomShort(); + } while (rno >max_allowed_rno); + + result = rno % max; + + assert(result < max); + + return result; +} + + +char * newPassword() { + static char *pw_buf=NULL; + unsigned short l; + unsigned short r; + int i; + + if (pw_buf == NULL) { + pw_buf = (char *) malloc(i_maxlength+5); + } + + if (charpool == NULL) { + buildCharpool(); + } + + /* decide how long the password should be */ + /* It must be between i_minlength and i_maxlength */ + + if (i_minlength == i_maxlength) { + l = i_minlength; + } else { + l = getRandomInRange((unsigned short)(1 + i_maxlength - i_minlength)); + l += i_minlength; + } + + for (i=0; i<l; i++) { + r = getRandomInRange((unsigned short)(charpoolsize)); + pw_buf[i] = charpool[r]; + } + pw_buf[l] = '\0'; + return pw_buf; +} + + +void testpingen() { + int count=25; + int i,j; + int pwlen; + char *pw; + unsigned int index[256]; + unsigned int *totals; + char c; + + if (! equals(o_testpingen,"")) { + count = atoi(o_testpingen); + } + + if (charpool == NULL) { + buildCharpool(); + } + + /* last spot is used to hold invalid chars */ + totals = malloc(sizeof(int)*(charpoolsize+1)); + if (totals != NULL) { + for (i=0;i<(charpoolsize);i++) { + totals[i] = 0; + } + totals[charpoolsize]=0; + for (i=0;i<256;i++) { + index[i] = 255; /* indicates->invalid */ + } + for (i=0;i<charpoolsize;i++) { + index[(int)(charpool[i])] = i; + } + + for (i=0;i<count;i++) { + pw = newPassword(); + if (pw != NULL) { + if (o_debug) { + fprintf(output,"%d:%s\n",i+1,pw); + } + pwlen = strlen(pw); + for (j=0;j<pwlen;j++) { + c = pw[j]; + if (index[(int)c] == 255) { + printf("\ninvalid char found: %02x %c\n",c,c); + totals[charpoolsize]++; + } + else { + totals[index[(int)c]]++; + } + } + free(pw); + } + } + + for (i=0;i<charpoolsize;i++) { + fprintf(output,"%c: %10d\n",charpool[i],totals[i]); + } + fprintf(output,"invalid: %10d\n",totals[charpoolsize]); + free(totals); + } +} + + + diff --git a/base/native-tools/src/setpin/setpin.conf b/base/native-tools/src/setpin/setpin.conf new file mode 100644 index 000000000..4e5851858 --- /dev/null +++ b/base/native-tools/src/setpin/setpin.conf @@ -0,0 +1,83 @@ +# --- BEGIN COPYRIGHT BLOCK --- +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2007 Red Hat, Inc. +# All rights reserved. +# --- END COPYRIGHT BLOCK --- +# +# +# Setpin has a special setup mode which allows you to +# automate the following two tasks. +# +# * To enable setpin to operate, the directory schema must be +# changed to add the pin attribute and pinPerson objectclass. +# +# * To enable pin removal to work well, you can create a new +# pin user with an ACI which lets the user remove the pin +# +# This configuration file is used as an input for setpin. +# After modifying the options in this file, invoke setpin +# with this config file: +# +# setpin optfile=setpin.conf + + +########## GENERAL INFO ABOUT YOUR DIRECTORY ##### + + +#------- Enter the hostname of the LDAP server +host=localhost + +#------- Enter the port number of the LDAP server +port=389 + +#------- Enter the DN of the Directory Manager user +binddn=CN=Directory Manager + +#------- Enter the password for the Directory manager user +bindpw= + + + +################ SCHEMA MODIFICATIONS ####### +# +# Comment-out to turn off schema modification +schemachange=yes + +# Enter the pin attribute name +attribute=pin + +# Enter the pin objectclass +objectclass=pinPerson + + +############### PIN REMOVAL ########## +# +# To enable pin removal, it is advisable to create a new +# user who has the power to remove pins, and nothing else. +# +# Enter the DN and password for the new pin manager user +pinmanager=cn=pinmanager,o=mcom.com +pinmanagerpwd= + +# Enter the base over which this user has the power +# to remove pins +basedn=ou=people,o=mcom.com + + + +## This line switches setpin into setup mode. +## Please do not change it. +setup=yes + diff --git a/base/native-tools/src/setpin/setpin_options.c b/base/native-tools/src/setpin/setpin_options.c new file mode 100644 index 000000000..d8ee83a8c --- /dev/null +++ b/base/native-tools/src/setpin/setpin_options.c @@ -0,0 +1,290 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + + +/* Set-pin tool */ + +#include <string.h> +#include <stdio.h> +#include <errno.h> +#include <ctype.h> +#include <stdlib.h> + +extern int OPT_getValue(char *option, char **output); +extern void exitError(char *errstring); +extern int errcode; + +#define PW_DEFAULT_LENGTH 6 +#define ERR_BUF_LENGTH 512 + +char *valid_args[] = { + "host", "LDAP host [required]", + "port", "LDAP port (default 389)", + "binddn", "DN to bind to directory as [required]", + "bindpw", "Password associated with above DN ", + "filter", "Ldap search filter e.g. filter=(uid=*) [required]", +/* "ssl", "Use SSL LDAP connection?", */ +/* "certdb", "Path to SSL Client certificate database directory (not yet implemented)", + "nickname", "Nickname of cert to use for SSL client auth (not yet implemented)", + */ + "basedn", "Base DN used for LDAP search", + "length", "Length of generated pins (default 6)", + "minlength","Minimum length of generated pins (not to be used with 'length')", + "maxlength","Maximum length of generated pins (not to be used with 'length')", + "gen", "Permitted chars for pin. Type 'setpin gen' for more info", + "case", "Restrict case of pins 'case=upperonly'", + "objectclass", "Objectclass of LDAP entry to operate on (default pinPerson)", + "attribute","Which LDAP attribute to write to (default pin)", + "hash", "Hash algorithm used to store pin: 'none', 'md5' or 'sha1' (default)", + "saltattribute", "Which attribute to use for salt (default: dn)", + "input", "File to use for restricting DN's, or providing your own pins", + "output", "Redirect stdout to a file", + "write", "Turn on writing to directory (otherwise, pins will not get written)", + "clobber", "Overwrite old pins in the directory", + "testpingen", "Test pin generation mode. testpingen=count", + "debug", "Turn on debugging, or use debug=attrs for even more", + "optfile", "Read in options (one per line) from specified file", + "setup", "Switch to setup mode", + "pinmanager","Pin Manager user to create in setup mode", + "pinmanagerpwd","password of pin manager user in setup mode", + "schemachange","make schema changes in setup mode", + NULL +}; + +int valid_args_len = sizeof(valid_args)/sizeof(char *); + +int i_length, i_minlength, i_maxlength; + +char *attribute=NULL; + +char *o_certdb,*o_nickname,*o_binddn,*o_bindpw,*o_filter,*o_ssl, + *o_basedn,*o_input,*o_host,*o_port,*o_length,*o_minlength,*o_hash, + *o_maxlength,*o_gen,*o_case,*o_attribute,*o_objectclass,*o_output, + *o_retry,*o_debug, *o_write, *o_clobber, *o_saltattribute, *o_testpingen, + *o_setup,*o_pinmanager,*o_pinmanagerpwd,*o_schemachange; + +void setDefaultOptions() { + o_certdb= "."; + o_nickname= NULL; + o_binddn= NULL; + o_bindpw= NULL; + o_filter= NULL; + o_ssl= NULL; + o_basedn= NULL; + o_input= NULL; + o_host= NULL; + o_port= NULL; + o_length= NULL; /* default set later */ + o_minlength=NULL; + o_maxlength=NULL; + o_gen= "RNG-alphanum"; + o_case= NULL; + o_attribute="pin"; + o_hash= "sha1"; + o_objectclass="pinPerson"; + o_output= NULL; + o_retry= "5"; + o_debug= NULL; + o_write= NULL; + o_clobber= NULL; + o_saltattribute = NULL; + o_testpingen = NULL; + o_setup= NULL; + o_pinmanager= NULL; + o_pinmanagerpwd= NULL; + o_schemachange= NULL; +} + +void getOptions() { + int i; + char *c; + + i_length = 0; + i_minlength =0; + i_maxlength =0; + + OPT_getValue("certdb", &o_certdb); + OPT_getValue("nickname", &o_nickname); + OPT_getValue("binddn", &o_binddn); + OPT_getValue("bindpw", &o_bindpw); + OPT_getValue("filter", &o_filter); + i = OPT_getValue("ssl", &o_ssl); + if (i) o_ssl = "yes"; + OPT_getValue("basedn", &o_basedn); + OPT_getValue("input", &o_input); + OPT_getValue("host", &o_host); + OPT_getValue("port", &o_port); + OPT_getValue("length", &o_length); + if (o_length) i_length = atoi(o_length); + OPT_getValue("minlength",&o_minlength); + if (o_minlength) i_minlength = atoi(o_minlength); + OPT_getValue("maxlength",&o_maxlength); + if (o_maxlength) i_maxlength = atoi(o_maxlength); + OPT_getValue("gen", &o_gen); + OPT_getValue("case", &o_case); + OPT_getValue("attribute",&o_attribute); + OPT_getValue("hash", &o_hash); + if (o_hash) { + c = o_hash; + while (*c) { + if (isupper(*c)) { + *c = *c - 'A' + 'a'; + } + c++; + } + } + + OPT_getValue("objectclass",&o_objectclass); + OPT_getValue("output", &o_output); + OPT_getValue("retry", &o_retry); + i = OPT_getValue("debug", &o_debug); + if (i) { + if (! o_debug) { + o_debug = "yes"; + } + } + i = OPT_getValue("write", &o_write); + if (i) o_write = "yes"; + i = OPT_getValue("clobber", &o_clobber); + if (i) o_clobber = "yes"; + OPT_getValue("saltattribute", &o_saltattribute); + i = OPT_getValue("testpingen", &o_testpingen); + if (i) { + if (!o_testpingen) { + o_testpingen = "25"; + } + } + OPT_getValue("setup", &o_setup); + OPT_getValue("pinmanager", &o_pinmanager); + OPT_getValue("pinmanagerpwd", &o_pinmanagerpwd); + OPT_getValue("schemachange", &o_schemachange); + + +} + +int equals(char *s, char *t) { + return !(strcmp(s,t)); +} + +void validateOptions() { + char errbuf[ERR_BUF_LENGTH]; + + if (o_nickname && equals(o_ssl,"no")) { + snprintf(errbuf, ERR_BUF_LENGTH, "specifying nickname doesn't make sense with no SSL"); + goto loser; + } + + if (o_gen == NULL || ! + ( equals(o_gen,"RNG-printableascii") || + equals(o_gen,"RNG-alpha") || + equals(o_gen,"RNG-alphanum") || + equals(o_gen,"FIPS181-printable")) + ) { + printf("Permissible values for gen:\n" + " RNG-alpha : alpha-only characters\n" + " RNG-alphanum : alphanumeric characters\n" + " RNG-printableascii : alphanumeric and punctuation\n"); + if (o_gen) { + printf("You specified: gen=%s\n",o_gen); + } + exit(0); + } + + if (o_length && (o_minlength || o_maxlength)) { + strcpy(errbuf,"cannot use minlength or maxlength with length option"); + goto loser; + } + + if (o_minlength && !o_maxlength) { + strcpy(errbuf,"if you set minlength, you must also set maxlength"); + goto loser; + } + + if (!o_minlength && o_maxlength) { + strcpy(errbuf,"if you set maxlength, you must also set minlength"); + goto loser; + } + + if (i_minlength > i_maxlength) { + strcpy(errbuf,"cannot set minlength to be more than maxlength"); + goto loser; + } + + if (i_length > 0) { + i_minlength = i_length; + i_maxlength = i_length; + } + else { + if (i_minlength == 0 && i_maxlength == 0) { + i_minlength = PW_DEFAULT_LENGTH; + i_maxlength = PW_DEFAULT_LENGTH; + } + } + + if (o_testpingen) { + return; + } + + if (!o_host || equals(o_host,"")) { + strcpy(errbuf,"host missing"); + goto loser; + } + + if (!o_binddn || equals(o_binddn,"")) { + strcpy(errbuf,"binddn missing"); + goto loser; + } + + if (!o_bindpw || equals(o_bindpw,"")) { + strcpy(errbuf,"bindpw missing"); + goto loser; + } + + if (o_setup != NULL) { + return; + } + + if (!o_basedn) { + fprintf(stderr,"WARNING: basedn not set. Will search from root.\n"); + } + + if (!o_filter || equals(o_filter,"")) { + strcpy(errbuf,"filter missing. Example filters:\n filter=(uid=*) - all users with a UID attribute\n filter=(&(uid=*)(ou=Managers)) - all users with a UID and members of the managers group\n"); + goto loser; + } + + if (! + (equals(o_hash,"sha1") || + equals(o_hash,"md5") || + equals(o_hash,"none")) + ) { + snprintf(errbuf, ERR_BUF_LENGTH, "invalid hash: %s",o_hash); + goto loser; + } + if (equals(o_hash,"none")) o_hash = NULL; + + return ; + + loser: + errcode=13; + exitError(errbuf); + +} + + diff --git a/base/native-tools/src/setpin/setpin_options.h b/base/native-tools/src/setpin/setpin_options.h new file mode 100644 index 000000000..45373f356 --- /dev/null +++ b/base/native-tools/src/setpin/setpin_options.h @@ -0,0 +1,56 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + + +#ifndef SETPIN_OPTIONS_H +#define SETPIN_OPTIONS_H + +#ifdef HAVE_CONFIG_H +#ifndef AUTOTOOLS_CONFIG_H +#define AUTOTOOLS_CONFIG_H + +/* Eliminate warnings when using Autotools */ +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include <config.h> +#endif /* AUTOTOOLS_CONFIG_H */ +#endif /* HAVE_CONFIG_H */ + +extern char *o_certdb,*o_nickname,*o_binddn,*o_bindpw,*o_bindpwfile,*o_filter,*o_ssl, + *o_input,*o_basedn,*o_dnfile,*o_host,*o_port,*o_length,*o_minlength, + *o_maxlength,*o_gen,*o_case,*o_attribute,*o_hash,*o_objectclass,*o_output, + *o_retry,*o_debug,*o_write,*o_clobber,*o_saltattribute,*o_testpingen,*o_setup, + *o_pinmanager,*o_pinmanagerpwd,*o_schemachange; + +extern char *valid_args[]; +extern int valid_args_len; + +extern void setDefaultOptions(); +extern void getOptions(); +extern void validateOptions(); + +extern int i_length, i_minlength, i_maxlength; + +extern char* attribute; + +#endif diff --git a/base/native-tools/src/sslget/CMakeLists.txt b/base/native-tools/src/sslget/CMakeLists.txt new file mode 100644 index 000000000..ec4bd85f9 --- /dev/null +++ b/base/native-tools/src/sslget/CMakeLists.txt @@ -0,0 +1,30 @@ +project(sslget C) + +set(SSLGET_PRIVATE_INCLUDE_DIRS + ${CMAKE_BINARY_DIR} + ${NSPR_INCLUDE_DIRS} + ${NSS_INCLUDE_DIRS} +) + +set(SSLGET_LINK_LIBRARIES + ${NSPR_LIBRARIES} + ${NSS_LIBRARIES} +) + +set(sslget_SRCS + sslget.c + getopt.c +) + +include_directories(${SSLGET_PRIVATE_INCLUDE_DIRS}) + +add_executable(sslget ${sslget_SRCS}) + +target_link_libraries(sslget ${SSLGET_LINK_LIBRARIES}) + +install( + TARGETS sslget + RUNTIME DESTINATION ${BIN_INSTALL_DIR} + LIBRARY DESTINATION ${LIB_INSTALL_DIR} + ARCHIVE DESTINATION ${LIB_INSTALL_DIR} +) diff --git a/base/native-tools/src/sslget/getopt.c b/base/native-tools/src/sslget/getopt.c new file mode 100644 index 000000000..7554e1a14 --- /dev/null +++ b/base/native-tools/src/sslget/getopt.c @@ -0,0 +1,126 @@ +/** BEGIN COPYRIGHT BLOCK + * + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + * + * END COPYRIGHT BLOCK **/ +#ifdef XP_PC + +/* +** This comes from the AT&T public-domain getopt published in mod.sources +** (i.e., comp.sources.unix before the great Usenet renaming). +*/ + +#include <stdio.h> +#include <string.h> /* for str*() */ +#include <io.h> /* for write() */ + +int opterr = 1; /* boolean flag, says "report error on stderr." */ +int optind = 1; /* index to element of argv from which options are + ** being parsed. */ +int optopt = 0; /* option character */ +char *optarg; /* ptr to option's parameter arg. */ + +#ifdef _WIN32 +static void +do_opterr(const char *s, int c, char * const av[]) +{ + if (opterr) { + char buff[2]; + int fd = _fileno(stderr); + + buff[0] = (char)c; + buff[1] = '\n'; + (void)write(fd, av[0], strlen(av[0])); + (void)write(fd, s, strlen(s)); + (void)write(fd, buff, 2); + } +} +#define ERR(s, c) do_opterr(s, c, av) +#else +#define ERR(s, c) /* Win16 doesn't do stderr */ +#endif + +/* +** Return options and their values from the command line. +*/ +int +getopt(int ac, char * const av[], const char * opts) +{ + static int i = 1; /* offset of current option char in current arg. */ + char *p; /* opt char in opts that matched. */ + + /* Move to next value from argv? */ + if (i == 1) { + if (optind >= ac || av[optind][0] != '-' || av[optind][1] == '\0') + return EOF; + if (strcmp(av[optind], "--") == 0) { + optind++; + return EOF; + } + } + + /* Get next option character. */ + if ((optopt = av[optind][i]) == ':' || + (p = strchr(opts, optopt)) == NULL) { + ERR(": illegal option -- ", optopt); + if (av[optind][++i] == '\0') { + optind++; + i = 1; + } + return '?'; + } + + /* Snarf argument? */ + if (*++p == ':') { + if (av[optind][i + 1] != '\0') + optarg = &av[optind++][i + 1]; + else { + if (++optind >= ac) { + ERR(": option requires an argument -- ", optopt); + i = 1; + return '?'; + } + optarg = av[optind++]; + } + i = 1; + } else { + if (av[optind][++i] == '\0') { + i = 1; + optind++; + } + optarg = NULL; + } + + return optopt; +} + +#endif /* XP_PC */ diff --git a/base/native-tools/src/sslget/sslget.c b/base/native-tools/src/sslget/sslget.c new file mode 100644 index 000000000..7288a1c58 --- /dev/null +++ b/base/native-tools/src/sslget/sslget.c @@ -0,0 +1,836 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +/* vi: set ts=4 sw=4 : */ +#ifdef HAVE_CONFIG_H +#ifndef AUTOTOOLS_CONFIG_H +#define AUTOTOOLS_CONFIG_H + +/* Eliminate warnings when using Autotools */ +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include <config.h> +#endif /* AUTOTOOLS_CONFIG_H */ +#endif /* HAVE_CONFIG_H */ + +#include <stdio.h> +#include <string.h> +#include <time.h> + +#if defined(XP_UNIX) +#include <unistd.h> +#endif + +#include "ssl.h" + +#include "prerror.h" + +#include "pk11func.h" +#include "secitem.h" + + +#include <stdlib.h> +#include <errno.h> +#include <fcntl.h> +#include <stdarg.h> + +#include "nspr.h" +#include "prio.h" +#include "prnetdb.h" +#include "nss.h" + + +/* set Tabs to 8 */ + + +/*from nss2.8.4 secopt.h*/ +#ifdef XP_PC + +/* +** This comes from the AT&T public-domain getopt published in mod.sources +** (i.e., comp.sources.unix before the great Usenet renaming). +*/ + +extern int opterr; +extern int optind; +extern int optopt; +extern char *optarg; + +#ifdef _WIN32 +static void do_opterr(const char *s, int c, char * const av[]); +#define ERR(s, c) do_opterr(s, c, av) +#else +#define ERR(s, c) /* Win16 doesn't do stderr */ +#endif + +/* +** Return options and their values from the command line. +*/ +int getopt(int ac, char * const av[], const char * opts); +#else +#if defined(LINUX) +#include <getopt.h> +#endif +#endif /* XP_PC */ +/*end secopt.h*/ + +#define VERSIONSTRING "$Revision$ ($Date$)" + +#ifndef PORT_Sprintf +#define PORT_Sprintf sprintf +#endif + +#ifndef PORT_Strstr +#define PORT_Strstr strstr +#endif + +#ifndef PORT_Malloc +#define PORT_Malloc PR_Malloc +#endif + +#define RD_BUF_SIZE (60 * 1024) + +#define PRINTF if (verbose) printf +#define FPRINTF if (verbose) fprintf +#define FPUTS if (verbose) fputs + +#define MAX_SERIAL_LEN 8192 + +int MakeCertOK=1; + +int verbose; +SECItem bigBuf; + + +char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char *passwd = NULL; + + if ( (!retry) && arg ) { + passwd = PL_strdup((char *)arg); + } + + return passwd; +} + +static void +Usage(const char *progName) +{ + fprintf(stderr, + "Usage: %s [-n nickname] [-p password | -w pwfile ] [-d dbdir] \n" + " [-e post] [-v] [-V] -r url hostname[:port]\n" + " -n : nickname or hsm:nickname\n" + " -v : verbose\n" + " -V : report version information\n", + progName); + exit(1); +} + + +static void +errWarn(char * funcString) +{ + PRErrorCode perr = PR_GetError(); + + FPRINTF(stderr, "exit after %s with error %d:\n", funcString,perr ); +} + +static void +errExit(char * funcString) +{ + errWarn(funcString); + exit(1); +} + +/* This invokes the "default" AuthCert handler in libssl. +** The only reason to use this one is that it prints out info as it goes. +*/ +static SECStatus +mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, + PRBool isServer) +{ + SECStatus rv; + CERTCertificate * peerCert; + + peerCert = SSL_PeerCertificate(fd); + + PRINTF("Subject: %s\nIssuer : %s\n", + peerCert->subjectName, peerCert->issuerName); + /* invoke the "default" AuthCert handler. */ + rv = SSL_AuthCertificate(arg, fd, checkSig, isServer); + + if (rv == SECSuccess) { + FPUTS("-- SSL3: Server Certificate Validated.\n", stderr); + } + /* error, if any, will be displayed by the Bad Cert Handler. */ + return rv; +} + +static SECStatus +myBadCertHandler( void *arg, PRFileDesc *fd) +{ + /* int err = PR_GetError(); */ + /* fprintf(stderr, "-- SSL: Server Certificate Invalid, err %d.\n%s\n", + err, SECU_Strerror(err)); */ + return (MakeCertOK ? SECSuccess : SECFailure); +} + + +SECStatus +my_GetClientAuthData(void * arg, + PRFileDesc * socket, + struct CERTDistNamesStr * caNames, + struct CERTCertificateStr ** pRetCert, + struct SECKEYPrivateKeyStr **pRetKey) +{ + CERTCertificate * cert = NULL; + SECKEYPrivateKey * privkey = NULL; + char * chosenNickName = (char *)arg; /* CONST */ + void * proto_win = NULL; + SECStatus rv = SECFailure; + + FPRINTF(stderr,"Called mygetclientauthdata - nickname = %s\n",chosenNickName); + + proto_win = SSL_RevealPinArg(socket); + + if (chosenNickName) { + cert = PK11_FindCertFromNickname(chosenNickName, proto_win); + FPRINTF(stderr," mygetclientauthdata - cert = %x\n",(unsigned int)cert); + if ( cert ) { + privkey = PK11_FindKeyByAnyCert(cert, proto_win); + FPRINTF(stderr," mygetclientauthdata - privkey = %x\n",(unsigned int)privkey); + if ( privkey ) { + rv = SECSuccess; + } else { + CERT_DestroyCertificate(cert); + } + } + } else { /* no name given, automatically find the right cert. */ + CERTCertNicknames * names; + int i; + + names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), + SEC_CERT_NICKNAMES_USER, proto_win); + if (names != NULL) { + for (i = 0; i < names->numnicknames; i++) { + cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win); + if ( !cert ) + continue; + /* Only check unexpired certs */ + if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != + secCertTimeValid ) { + CERT_DestroyCertificate(cert); + continue; + } + rv = NSS_CmpCertChainWCANames(cert, caNames); + if ( rv == SECSuccess ) { + privkey = PK11_FindKeyByAnyCert(cert, proto_win); + if ( privkey ) + break; + } + rv = SECFailure; + CERT_DestroyCertificate(cert); + } + CERT_FreeNicknames(names); + } + } + if (rv == SECSuccess) { + *pRetCert = cert; + *pRetKey = privkey; + } + return rv; +} + + + + +void +printSecurityInfo(PRFileDesc *fd) +{ + char * cp; /* bulk cipher name */ + char * ip; /* cert issuer DN */ + char * sp; /* cert subject DN */ + int op; /* High, Low, Off */ + int kp0; /* total key bits */ + int kp1; /* secret key bits */ + int result; + + static int only_once; + + if (! only_once++ && fd) { + result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); + if (result != SECSuccess) + return; +#if 0 + PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" + "subject DN: %s\n" + "issuer DN: %s\n", cp, kp1, kp0, op, sp, ip); +#else + PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n", + cp, kp1, kp0, op); +#endif + PR_Free(cp); + PR_Free(ip); + PR_Free(sp); + } + +} + + +PRBool useModelSocket = PR_TRUE; + +static const char outHeader[] = { + "HTTP/1.0 200 OK\r\n" + "Server: Netscape-Enterprise/2.0a\r\n" + "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n" + "Content-type: text/plain\r\n" + "\r\n" +}; + + +PRInt32 +do_writes( + void * a +) +{ + PRFileDesc * ssl_sock = (PRFileDesc *)a; + PRUint32 sent = 0; + PRInt32 count = 0; + + while (sent < bigBuf.len) { + + count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent); + if (count < 0) { + errWarn("PR_Write bigBuf"); + exit(4); + break; + } + FPRINTF(stderr, "PR_Write wrote %d bytes from bigBuf\n", count ); + FPRINTF(stderr, "bytes: [%*s]\n",count,bigBuf.data); + + sent += (PRUint32)count; + } + if (count >= 0) { /* last write didn't fail. */ + FPRINTF(stderr, "do_writes shutting down send socket\n"); + /* PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND); */ + } + + FPRINTF(stderr, "do_writes exiting with (failure = %d)\n",sent<bigBuf.len == SECFailure); + return (sent < bigBuf.len) ? SECFailure : SECSuccess; +} + + + + +SECStatus +do_io( PRFileDesc *ssl_sock, int connection) +{ + int countRead = 0; + PRInt32 rv; + char *buf; + char *buf2; + int first=1; + + buf = PR_Malloc(RD_BUF_SIZE); + if (!buf) exit(5); + + /* send the http request here. */ + + rv = do_writes(ssl_sock); + + if (rv == SECFailure) { + errWarn("returning from after calling do_writes"); + PR_Free(buf); + buf = 0; + exit(6); + } + printSecurityInfo(ssl_sock); + + /* read until EOF */ + while (1) { + rv = PR_Read(ssl_sock, buf, RD_BUF_SIZE); + if (rv == 0) { + break; /* EOF */ + } + if (rv < 0) { + errWarn("PR_Read"); + PR_Free(buf); + buf = 0; + exit(1); + } + + countRead += rv; + FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", + connection, rv, countRead ); + FPRINTF(stderr, "these bytes read:\n"); + PR_Write(PR_STDOUT,buf,rv); + + if (first) { + first=0; + if (rv < 13) { + int ret = 0; + buf2 = PR_Malloc(RD_BUF_SIZE); + if (!buf2) { + PR_Free(buf); + buf = 0; + exit(5); + } + + for (ret=0; rv < 13 ; rv += ret) { + ret = PR_Read(ssl_sock, buf2, RD_BUF_SIZE - rv); + if (ret < 0 ) { + errWarn("PR_Read"); + PR_Free(buf); + buf = 0; + PR_Free(buf2); + buf2 = 0; + exit(1); + } + if (ret == 0) { + errWarn("not enough bytes read in first read"); + PR_Free(buf); + buf = 0; + PR_Free(buf2); + buf2 = 0; + exit(2); + } + countRead += ret; + FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", + connection, ret, countRead ); + FPRINTF(stderr, "these bytes read:\n"); + PR_Write(PR_STDOUT, buf2, ret); + + PR_snprintf(buf, RD_BUF_SIZE, "%s%s", buf, buf2); + } + PR_Free(buf2); + buf2 = 0; + } + + if ( ! PL_strnstr(buf,"200",13)) { + PR_Free(buf); + buf = 0; + exit(3); + } + } + } + PR_fprintf(PR_STDOUT, "\n"); + + PR_Free(buf); + buf = 0; + + /* Caller closes the socket. */ + + FPRINTF(stderr, + "connection %d read %d bytes total. -----------------------------\n", + connection, countRead); + + return SECSuccess; /* success */ +} + +int +do_connect( + PRNetAddr *addr, + PRFileDesc *model_sock, + int connection) +{ + PRFileDesc * ssl_sock; + PRFileDesc * tcp_sock; + PRStatus prStatus; + SECStatus result; + int rv = SECSuccess; + PRSocketOptionData opt; + + int family = PR_NetAddrFamily( addr ); + + tcp_sock = PR_OpenTCPSocket( family ); + if (tcp_sock == NULL) { + errExit("PR_OpenTCPSocket on tcp socket"); + } + + opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(tcp_sock, &opt); + if (prStatus != PR_SUCCESS) { + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + /* Don't return SECFailure? */ + return SECSuccess; + } + + prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); + if (prStatus != PR_SUCCESS) { + errWarn("PR_Connect"); + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(6); + } + + ssl_sock = SSL_ImportFD(model_sock, tcp_sock); + /* XXX if this import fails, close tcp_sock and return. */ + if (!ssl_sock) { + if( tcp_sock != NULL ) { + PR_Close(tcp_sock); + tcp_sock = NULL; + } + exit(7); + } + + rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); + if (rv != SECSuccess) { + errWarn("SSL_ResetHandshake"); + exit(8); + } + + result = do_io( ssl_sock, connection); + + if( ssl_sock != NULL ) { + PR_Close(ssl_sock); + ssl_sock = NULL; + } + return SECSuccess; +} + +/* Returns IP address for hostname as PRUint32 in Host Byte Order. +** Since the value returned is an integer (not a string of bytes), +** it is inherently in Host Byte Order. +*/ +PRUint32 +getIPAddress(const char * hostName) +{ + const unsigned char *p; + PRStatus prStatus; + PRUint32 rv; + PRHostEnt prHostEnt; + char scratch[PR_NETDB_BUF_SIZE]; + + prStatus = PR_GetHostByName(hostName, scratch, sizeof scratch, &prHostEnt); + if (prStatus != PR_SUCCESS) + errExit("PR_GetHostByName"); + +#undef h_addr +#define h_addr h_addr_list[0] /* address, for backward compatibility */ + + p = (const unsigned char *)(prHostEnt.h_addr); /* in Network Byte order */ + FPRINTF(stderr, "%s -> %d.%d.%d.%d\n", hostName, p[0], p[1], p[2], p[3]); + rv = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; + return rv; +} + +void +client_main( + unsigned short port, + int connections, + SECKEYPrivateKey ** privKey, + CERTCertificate ** cert, + const char * hostName, + char * nickName) +{ + PRFileDesc *model_sock = NULL; + int rv; + + + FPRINTF(stderr, "port: %d\n", port); + + /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ + NSS_SetDomesticPolicy(); + + /* all the SSL2 and SSL3 cipher suites are enabled by default. */ + + /* enable FIPS ciphers */ + SSL_CipherPrefSetDefault(0xc004 /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc003 /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc00a /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x2f /* TLS_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x35 /* TLS_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc008 /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc009 /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc012 /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc013 /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x32 /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x38 /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x33 /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); + SSL_CipherPrefSetDefault(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); + + /* + * Rifle through the values for the host + */ + + PRAddrInfo *ai; + void *iter; + PRNetAddr addr; + int family = PR_AF_INET; + + ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); + if (ai) { + FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); + iter = NULL; + while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { + family = PR_NetAddrFamily(&addr); + FPRINTF( stderr, "family='%d'\n", family ); + break; + } + PR_FreeAddrInfo(ai); + } + + PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); + + model_sock = PR_OpenTCPSocket( family ); + if (model_sock == NULL) { + errExit("PR_OpenTCPSocket on tcp socket"); + } + + /* Should we really be re-using the same socket? */ + model_sock = SSL_ImportFD(NULL, model_sock); + + + /* check on success of call to SSL_ImportFD() */ + if (model_sock == NULL) { + errExit("SSL_ImportFD"); + } + + /* enable ECC cipher also */ + + /* do SSL configuration. */ + + rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); + if (rv < 0) { + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } + errExit("SSL_OptionSet SSL_SECURITY"); + } + + SSL_SetURL(model_sock, hostName); + + SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, + (void *)CERT_GetDefaultCertDB()); + + SSL_BadCertHook(model_sock, myBadCertHandler, NULL); + + if( nickName) { + SSL_GetClientAuthDataHook(model_sock, + (SSLGetClientAuthData)my_GetClientAuthData, + nickName); + } + + /* I'm not going to set the HandshakeCallback function. */ + + /* end of ssl configuration. */ + + rv = do_connect(&addr, model_sock, 1); + + if( model_sock != NULL ) { + PR_Close( model_sock ); + model_sock = NULL; + } +} + + +SECStatus +createRequest(char * url, char *post) +{ + char * newstr; + + if (post == NULL) { + newstr = PR_smprintf( + "GET %s HTTP/1.0\r\n\r\n", + url); + } else { + int len = strlen(post); + newstr = PR_smprintf( + "POST %s HTTP/1.0\r\nContent-Length: %d\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n%s", url, len, post); + } + + bigBuf.data = (unsigned char *)newstr; + + FPUTS((char *)bigBuf.data, stderr); + + bigBuf.len = PORT_Strlen((char *)bigBuf.data); + + return SECSuccess; +} + +int +main(int argc, char **argv) +{ + char * dir = "."; + char * hostName = NULL; + char * nickName = NULL; + char * progName = NULL; + char * tmp = NULL; + char * post = NULL; + CERTCertificate * cert [kt_kea_size] = { NULL }; + SECKEYPrivateKey * privKey[kt_kea_size] = { NULL }; + int optchar; + int connections = 1; + int tmpI; + unsigned short port = 443; + SECStatus rv; + char * passwd = NULL; + char * passwdfile = NULL; + char * url = NULL; + FILE *fp; + char pwbuf[256]; + int co; + char *crlf; + + /* Call the NSPR initialization routines */ + PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + + tmp = strrchr(argv[0], '/'); + tmp = tmp ? tmp + 1 : argv[0]; + progName = strrchr(tmp, '\\'); + progName = progName ? progName + 1 : tmp; + + + while ((optchar = getopt(argc, argv, "Vd:e:n:p:r:w:v")) != -1) { + switch(optchar) { + +/* Version */ + case 'V': + printf("%s\n",VERSIONSTRING); + PR_Cleanup(); + return 0; + +/* Directory which holds cert8.db and key3.db */ + case 'd': + dir = optarg; + break; + +/* Nickname of certificate to use */ + case 'n': + nickName = optarg; + break; + +/* password to open key3.db */ + case 'p': + passwd = optarg; + break; + +/* name of file holding password for key3.db */ + case 'w': + passwdfile = optarg; + break; + +/* url */ + case 'r': + url = optarg; + break; + +/* post parameters */ + case 'e': + post = optarg; + break; + + case 'v': + verbose++; + break; + + default: + case '?': + fprintf( stderr, "ERROR: Invalid option!\n" ); + Usage(progName); + break; + + } + } + + if (optind != argc - 1) { + fprintf( stderr, "ERROR: Invalid number of arguments!\n" ); + Usage(progName); + } + + hostName = argv[optind]; + tmp = strchr(hostName, ':'); + if (tmp) { + *tmp++ = 0; + tmpI = atoi(tmp); + if (tmpI <= 0) { + fprintf( stderr, "ERROR: Invalid port!\n" ); + Usage(progName); + } + port = (unsigned short)tmpI; + } + + if ( !url) { + fprintf( stderr, "ERROR: Invalid url!\n" ); + Usage(progName); + } + + createRequest(url, post); + + if (passwdfile) { + fp = fopen(passwdfile,"r"); + if (!fp) { fprintf(stderr, "Couldn't open password file\n"); exit(7); } + co = fread(pwbuf,1,256,fp); + pwbuf[co] = '\0'; + crlf = PL_strchr(pwbuf,'\n'); + if (crlf) { + *crlf = '\0'; + } + passwd = pwbuf; + } + + /* set our password function */ + if (passwd == NULL) { + fprintf( stderr, "ERROR: Invalid password!\n" ); + PRINTF("Password must be provided on command line in this version of revoker.\n"); + Usage(progName); + } + PK11_SetPasswordFunc(ownPasswd); + + /* Call the libsec initialization routines */ + rv = NSS_Init(dir); + if (rv != SECSuccess) { + fputs("NSS_Init failed.\n", stderr); + exit(1); + } + + if(nickName) { + cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd); + if (cert[kt_rsa] == NULL) { + fprintf(stderr, "Can't find certificate %s\n", nickName); + exit(1); + } + + privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd); + if (privKey[kt_rsa] == NULL) { + fprintf(stderr, "Can't find Private Key for cert %s (possibly incorrect password)\n", nickName); + exit(1); + } + } + + client_main(port, connections, privKey, cert, hostName, nickName); + + NSS_Shutdown(); + PR_Cleanup(); + return 0; +} + diff --git a/base/native-tools/src/tkstool/CMakeLists.txt b/base/native-tools/src/tkstool/CMakeLists.txt new file mode 100644 index 000000000..8b07950eb --- /dev/null +++ b/base/native-tools/src/tkstool/CMakeLists.txt @@ -0,0 +1,45 @@ +project(tkstool C) + +set(TKSTOOL_PRIVATE_INCLUDE_DIRS + ${CMAKE_CURRENT_SOURCE_DIR} + ${CMAKE_BINARY_DIR} + ${NSPR_INCLUDE_DIRS} + ${NSS_INCLUDE_DIRS} +) + +set(TKSTOOL_LINK_LIBRARIES + ${NSPR_LIBRARIES} + ${NSS_LIBRARIES} +) + +set(tkstool_SRCS + delete.c + file.c + find.c + help.c + key.c + list.c + modules.c + pppolicy.c + random.c + retrieve.c + secerror.c + secpwd.c + secutil.c + tkstool.c + util.c + version.c +) + +include_directories(${TKSTOOL_PRIVATE_INCLUDE_DIRS}) + +add_executable(tkstool ${tkstool_SRCS}) + +target_link_libraries(tkstool ${TKSTOOL_LINK_LIBRARIES}) + +install( + TARGETS tkstool + RUNTIME DESTINATION ${BIN_INSTALL_DIR} + LIBRARY DESTINATION ${LIB_INSTALL_DIR} + ARCHIVE DESTINATION ${LIB_INSTALL_DIR} +) diff --git a/base/native-tools/src/tkstool/NSPRerrs.h b/base/native-tools/src/tkstool/NSPRerrs.h new file mode 100644 index 000000000..f0bc8b77e --- /dev/null +++ b/base/native-tools/src/tkstool/NSPRerrs.h @@ -0,0 +1,161 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/NSPRerrs.h + */ + +/* General NSPR 2.0 errors */ +/* Caller must #include "prerror.h" */ + +ER2( PR_OUT_OF_MEMORY_ERROR, "Memory allocation attempt failed." ) +ER2( PR_BAD_DESCRIPTOR_ERROR, "Invalid file descriptor." ) +ER2( PR_WOULD_BLOCK_ERROR, "The operation would have blocked." ) +ER2( PR_ACCESS_FAULT_ERROR, "Invalid memory address argument." ) +ER2( PR_INVALID_METHOD_ERROR, "Invalid function for file type." ) +ER2( PR_ILLEGAL_ACCESS_ERROR, "Invalid memory address argument." ) +ER2( PR_UNKNOWN_ERROR, "Some unknown error has occurred." ) +ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." ) +ER2( PR_NOT_IMPLEMENTED_ERROR, "function not implemented." ) +ER2( PR_IO_ERROR, "I/O function error." ) +ER2( PR_IO_TIMEOUT_ERROR, "I/O operation timed out." ) +ER2( PR_IO_PENDING_ERROR, "I/O operation on busy file descriptor." ) +ER2( PR_DIRECTORY_OPEN_ERROR, "The directory could not be opened." ) +ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." ) +ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." ) +ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." ) +ER2( PR_IS_CONNECTED_ERROR, "Already connected." ) +ER2( PR_BAD_ADDRESS_ERROR, "Network address is invalid." ) +ER2( PR_ADDRESS_IN_USE_ERROR, "Local Network address is in use." ) +ER2( PR_CONNECT_REFUSED_ERROR, "Connection refused by peer." ) +ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." ) +ER2( PR_CONNECT_TIMEOUT_ERROR, "Connection attempt timed out." ) +ER2( PR_NOT_CONNECTED_ERROR, "Network file descriptor is not connected." ) +ER2( PR_LOAD_LIBRARY_ERROR, "Failure to load dynamic library." ) +ER2( PR_UNLOAD_LIBRARY_ERROR, "Failure to unload dynamic library." ) +ER2( PR_FIND_SYMBOL_ERROR, +"Symbol not found in any of the loaded dynamic libraries." ) +ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." ) +ER2( PR_DIRECTORY_LOOKUP_ERROR, +"A directory lookup on a network address has failed." ) +ER2( PR_TPD_RANGE_ERROR, +"Attempt to access a TPD key that is out of range." ) +ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." ) +ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." ) +ER2( PR_NOT_SOCKET_ERROR, +"Network operation attempted on non-network file descriptor." ) +ER2( PR_NOT_TCP_SOCKET_ERROR, +"TCP-specific function attempted on a non-TCP file descriptor." ) +ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." ) +ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." ) +ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, +"The requested operation is not supported by the platform." ) +ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, +"The host operating system does not support the protocol requested." ) +ER2( PR_REMOTE_FILE_ERROR, "Access to the remote file has been severed." ) +ER2( PR_BUFFER_OVERFLOW_ERROR, +"The value requested is too large to be stored in the data buffer provided." ) +ER2( PR_CONNECT_RESET_ERROR, "TCP connection reset by peer." ) +ER2( PR_RANGE_ERROR, "Unused." ) +ER2( PR_DEADLOCK_ERROR, "The operation would have deadlocked." ) +ER2( PR_FILE_IS_LOCKED_ERROR, "The file is already locked." ) +ER2( PR_FILE_TOO_BIG_ERROR, +"Write would result in file larger than the system allows." ) +ER2( PR_NO_DEVICE_SPACE_ERROR, "The device for storing the file is full." ) +ER2( PR_PIPE_ERROR, "Unused." ) +ER2( PR_NO_SEEK_DEVICE_ERROR, "Unused." ) +ER2( PR_IS_DIRECTORY_ERROR, +"Cannot perform a normal file operation on a directory." ) +ER2( PR_LOOP_ERROR, "Symbolic link loop." ) +ER2( PR_NAME_TOO_LONG_ERROR, "File name is too long." ) +ER2( PR_FILE_NOT_FOUND_ERROR, "File not found." ) +ER2( PR_NOT_DIRECTORY_ERROR, +"Cannot perform directory operation on a normal file." ) +ER2( PR_READ_ONLY_FILESYSTEM_ERROR, +"Cannot write to a read-only file system." ) +ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, +"Cannot delete a directory that is not empty." ) +ER2( PR_FILESYSTEM_MOUNTED_ERROR, +"Cannot delete or rename a file object while the file system is busy." ) +ER2( PR_NOT_SAME_DEVICE_ERROR, +"Cannot rename a file to a file system on another device." ) +ER2( PR_DIRECTORY_CORRUPTED_ERROR, +"The directory object in the file system is corrupted." ) +ER2( PR_FILE_EXISTS_ERROR, +"Cannot create or rename a filename that already exists." ) +ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, +"Directory is full. No additional filenames may be added." ) +ER2( PR_INVALID_DEVICE_STATE_ERROR, +"The required device was in an invalid state." ) +ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." ) +ER2( PR_NO_MORE_FILES_ERROR, "No more entries in the directory." ) +ER2( PR_END_OF_FILE_ERROR, "Encountered end of file." ) +ER2( PR_FILE_SEEK_ERROR, "Seek error." ) +ER2( PR_FILE_IS_BUSY_ERROR, "The file is busy." ) +ER2( PR_IN_PROGRESS_ERROR, +"Operation is still in progress (probably a non-blocking connect)." ) +ER2( PR_ALREADY_INITIATED_ERROR, +"Operation has already been initiated (probably a non-blocking connect)." ) + +#ifdef PR_GROUP_EMPTY_ERROR +ER2( PR_GROUP_EMPTY_ERROR, "The wait group is empty." ) +#endif + +#ifdef PR_INVALID_STATE_ERROR +ER2( PR_INVALID_STATE_ERROR, "Object state improper for request." ) +#endif + +#ifdef PR_NETWORK_DOWN_ERROR +ER2( PR_NETWORK_DOWN_ERROR, "Network is down." ) +#endif + +#ifdef PR_SOCKET_SHUTDOWN_ERROR +ER2( PR_SOCKET_SHUTDOWN_ERROR, "The socket was previously shut down." ) +#endif + +#ifdef PR_CONNECT_ABORTED_ERROR +ER2( PR_CONNECT_ABORTED_ERROR, "TCP Connection aborted." ) +#endif + +#ifdef PR_HOST_UNREACHABLE_ERROR +ER2( PR_HOST_UNREACHABLE_ERROR, "Host is unreachable." ) +#endif + +/* always last */ +ER2( PR_MAX_ERROR, "Placeholder for the end of the list" ) diff --git a/base/native-tools/src/tkstool/SECerrs.h b/base/native-tools/src/tkstool/SECerrs.h new file mode 100644 index 000000000..55858b98f --- /dev/null +++ b/base/native-tools/src/tkstool/SECerrs.h @@ -0,0 +1,523 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SECerrs.h + */ + +/* General security error codes */ +/* Caller must #include "secerr.h" */ + +ER3(SEC_ERROR_IO, SEC_ERROR_BASE + 0, +"An I/O error occurred during security authorization.") + +ER3(SEC_ERROR_LIBRARY_FAILURE, SEC_ERROR_BASE + 1, +"security library failure.") + +ER3(SEC_ERROR_BAD_DATA, SEC_ERROR_BASE + 2, +"security library: received bad data.") + +ER3(SEC_ERROR_OUTPUT_LEN, SEC_ERROR_BASE + 3, +"security library: output length error.") + +ER3(SEC_ERROR_INPUT_LEN, SEC_ERROR_BASE + 4, +"security library has experienced an input length error.") + +ER3(SEC_ERROR_INVALID_ARGS, SEC_ERROR_BASE + 5, +"security library: invalid arguments.") + +ER3(SEC_ERROR_INVALID_ALGORITHM, SEC_ERROR_BASE + 6, +"security library: invalid algorithm.") + +ER3(SEC_ERROR_INVALID_AVA, SEC_ERROR_BASE + 7, +"security library: invalid AVA.") + +ER3(SEC_ERROR_INVALID_TIME, SEC_ERROR_BASE + 8, +"Improperly formatted time string.") + +ER3(SEC_ERROR_BAD_DER, SEC_ERROR_BASE + 9, +"security library: improperly formatted DER-encoded message.") + +ER3(SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BASE + 10, +"Peer's certificate has an invalid signature.") + +ER3(SEC_ERROR_EXPIRED_CERTIFICATE, SEC_ERROR_BASE + 11, +"Peer's Certificate has expired.") + +ER3(SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_BASE + 12, +"Peer's Certificate has been revoked.") + +ER3(SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_BASE + 13, +"Peer's Certificate issuer is not recognized.") + +ER3(SEC_ERROR_BAD_KEY, SEC_ERROR_BASE + 14, +"Peer's public key is invalid.") + +ER3(SEC_ERROR_BAD_PASSWORD, SEC_ERROR_BASE + 15, +"The security password entered is incorrect.") + +ER3(SEC_ERROR_RETRY_PASSWORD, SEC_ERROR_BASE + 16, +"New password entered incorrectly. Please try again.") + +ER3(SEC_ERROR_NO_NODELOCK, SEC_ERROR_BASE + 17, +"security library: no nodelock.") + +ER3(SEC_ERROR_BAD_DATABASE, SEC_ERROR_BASE + 18, +"security library: bad database.") + +ER3(SEC_ERROR_NO_MEMORY, SEC_ERROR_BASE + 19, +"security library: memory allocation failure.") + +ER3(SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_BASE + 20, +"Peer's certificate issuer has been marked as not trusted by the user.") + +ER3(SEC_ERROR_UNTRUSTED_CERT, SEC_ERROR_BASE + 21, +"Peer's certificate has been marked as not trusted by the user.") + +ER3(SEC_ERROR_DUPLICATE_CERT, (SEC_ERROR_BASE + 22), +"Certificate already exists in your database.") + +ER3(SEC_ERROR_DUPLICATE_CERT_NAME, (SEC_ERROR_BASE + 23), +"Downloaded certificate's name duplicates one already in your database.") + +ER3(SEC_ERROR_ADDING_CERT, (SEC_ERROR_BASE + 24), +"Error adding certificate to database.") + +ER3(SEC_ERROR_FILING_KEY, (SEC_ERROR_BASE + 25), +"Error refiling the key for this certificate.") + +ER3(SEC_ERROR_NO_KEY, (SEC_ERROR_BASE + 26), +"The private key for this certificate cannot be found in key database") + +ER3(SEC_ERROR_CERT_VALID, (SEC_ERROR_BASE + 27), +"This certificate is valid.") + +ER3(SEC_ERROR_CERT_NOT_VALID, (SEC_ERROR_BASE + 28), +"This certificate is not valid.") + +ER3(SEC_ERROR_CERT_NO_RESPONSE, (SEC_ERROR_BASE + 29), +"Cert Library: No Response") + +ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, (SEC_ERROR_BASE + 30), +"The certificate issuer's certificate has expired. Check your system date and time.") + +ER3(SEC_ERROR_CRL_EXPIRED, (SEC_ERROR_BASE + 31), +"The CRL for the certificate's issuer has expired. Update it or check your system data and time.") + +ER3(SEC_ERROR_CRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 32), +"The CRL for the certificate's issuer has an invalid signature.") + +ER3(SEC_ERROR_CRL_INVALID, (SEC_ERROR_BASE + 33), +"New CRL has an invalid format.") + +ER3(SEC_ERROR_EXTENSION_VALUE_INVALID, (SEC_ERROR_BASE + 34), +"Certificate extension value is invalid.") + +ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35), +"Certificate extension not found.") + +ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36), +"Issuer certificate is invalid.") + +ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37), +"Certificate path length constraint is invalid.") + +ER3(SEC_ERROR_CERT_USAGES_INVALID, (SEC_ERROR_BASE + 38), +"Certificate usages field is invalid.") + +ER3(SEC_INTERNAL_ONLY, (SEC_ERROR_BASE + 39), +"**Internal ONLY module**") + +ER3(SEC_ERROR_INVALID_KEY, (SEC_ERROR_BASE + 40), +"The key does not support the requested operation.") + +ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 41), +"Certificate contains unknown critical extension.") + +ER3(SEC_ERROR_OLD_CRL, (SEC_ERROR_BASE + 42), +"New CRL is not later than the current one.") + +ER3(SEC_ERROR_NO_EMAIL_CERT, (SEC_ERROR_BASE + 43), +"Not encrypted or signed: you do not yet have an email certificate.") + +ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, (SEC_ERROR_BASE + 44), +"Not encrypted: you do not have certificates for each of the recipients.") + +ER3(SEC_ERROR_NOT_A_RECIPIENT, (SEC_ERROR_BASE + 45), +"Cannot decrypt: you are not a recipient, or matching certificate and \ +private key not found.") + +ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH, (SEC_ERROR_BASE + 46), +"Cannot decrypt: key encryption algorithm does not match your certificate.") + +ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE, (SEC_ERROR_BASE + 47), +"Signature verification failed: no signer found, too many signers found, \ +or improper or corrupted data.") + +ER3(SEC_ERROR_UNSUPPORTED_KEYALG, (SEC_ERROR_BASE + 48), +"Unsupported or unknown key algorithm.") + +ER3(SEC_ERROR_DECRYPTION_DISALLOWED, (SEC_ERROR_BASE + 49), +"Cannot decrypt: encrypted using a disallowed algorithm or key size.") + + +/* Fortezza Alerts */ +ER3(XP_SEC_FORTEZZA_BAD_CARD, (SEC_ERROR_BASE + 50), +"Fortezza card has not been properly initialized. \ +Please remove it and return it to your issuer.") + +ER3(XP_SEC_FORTEZZA_NO_CARD, (SEC_ERROR_BASE + 51), +"No Fortezza cards Found") + +ER3(XP_SEC_FORTEZZA_NONE_SELECTED, (SEC_ERROR_BASE + 52), +"No Fortezza card selected") + +ER3(XP_SEC_FORTEZZA_MORE_INFO, (SEC_ERROR_BASE + 53), +"Please select a personality to get more info on") + +ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND, (SEC_ERROR_BASE + 54), +"Personality not found") + +ER3(XP_SEC_FORTEZZA_NO_MORE_INFO, (SEC_ERROR_BASE + 55), +"No more information on that Personality") + +ER3(XP_SEC_FORTEZZA_BAD_PIN, (SEC_ERROR_BASE + 56), +"Invalid Pin") + +ER3(XP_SEC_FORTEZZA_PERSON_ERROR, (SEC_ERROR_BASE + 57), +"Couldn't initialize Fortezza personalities.") +/* end fortezza alerts. */ + +ER3(SEC_ERROR_NO_KRL, (SEC_ERROR_BASE + 58), +"No KRL for this site's certificate has been found.") + +ER3(SEC_ERROR_KRL_EXPIRED, (SEC_ERROR_BASE + 59), +"The KRL for this site's certificate has expired.") + +ER3(SEC_ERROR_KRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 60), +"The KRL for this site's certificate has an invalid signature.") + +ER3(SEC_ERROR_REVOKED_KEY, (SEC_ERROR_BASE + 61), +"The key for this site's certificate has been revoked.") + +ER3(SEC_ERROR_KRL_INVALID, (SEC_ERROR_BASE + 62), +"New KRL has an invalid format.") + +ER3(SEC_ERROR_NEED_RANDOM, (SEC_ERROR_BASE + 63), +"security library: need random data.") + +ER3(SEC_ERROR_NO_MODULE, (SEC_ERROR_BASE + 64), +"security library: no security module can perform the requested operation.") + +ER3(SEC_ERROR_NO_TOKEN, (SEC_ERROR_BASE + 65), +"The security card or token does not exist, needs to be initialized, or has been removed.") + +ER3(SEC_ERROR_READ_ONLY, (SEC_ERROR_BASE + 66), +"security library: read-only database.") + +ER3(SEC_ERROR_NO_SLOT_SELECTED, (SEC_ERROR_BASE + 67), +"No slot or token was selected.") + +ER3(SEC_ERROR_CERT_NICKNAME_COLLISION, (SEC_ERROR_BASE + 68), +"A certificate with the same nickname already exists.") + +ER3(SEC_ERROR_KEY_NICKNAME_COLLISION, (SEC_ERROR_BASE + 69), +"A key with the same nickname already exists.") + +ER3(SEC_ERROR_SAFE_NOT_CREATED, (SEC_ERROR_BASE + 70), +"error while creating safe object") + +ER3(SEC_ERROR_BAGGAGE_NOT_CREATED, (SEC_ERROR_BASE + 71), +"error while creating baggage object") + +ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR, (SEC_ERROR_BASE + 72), +"Couldn't remove the principal") + +ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR, (SEC_ERROR_BASE + 73), +"Couldn't delete the privilege") + +ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR, (SEC_ERROR_BASE + 74), +"This principal doesn't have a certificate") + +ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM, (SEC_ERROR_BASE + 75), +"Required algorithm is not allowed.") + +ER3(SEC_ERROR_EXPORTING_CERTIFICATES, (SEC_ERROR_BASE + 76), +"Error attempting to export certificates.") + +ER3(SEC_ERROR_IMPORTING_CERTIFICATES, (SEC_ERROR_BASE + 77), +"Error attempting to import certificates.") + +ER3(SEC_ERROR_PKCS12_DECODING_PFX, (SEC_ERROR_BASE + 78), +"Unable to import. Decoding error. File not valid.") + +ER3(SEC_ERROR_PKCS12_INVALID_MAC, (SEC_ERROR_BASE + 79), +"Unable to import. Invalid MAC. Incorrect password or corrupt file.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, (SEC_ERROR_BASE + 80), +"Unable to import. MAC algorithm not supported.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81), +"Unable to import. Only password integrity and privacy modes supported.") + +ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, (SEC_ERROR_BASE + 82), +"Unable to import. File structure is corrupt.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83), +"Unable to import. Encryption algorithm not supported.") + +ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, (SEC_ERROR_BASE + 84), +"Unable to import. File version not supported.") + +ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85), +"Unable to import. Incorrect privacy password.") + +ER3(SEC_ERROR_PKCS12_CERT_COLLISION, (SEC_ERROR_BASE + 86), +"Unable to import. Same nickname already exists in database.") + +ER3(SEC_ERROR_USER_CANCELLED, (SEC_ERROR_BASE + 87), +"The user pressed cancel.") + +ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA, (SEC_ERROR_BASE + 88), +"Not imported, already in database.") + +ER3(SEC_ERROR_MESSAGE_SEND_ABORTED, (SEC_ERROR_BASE + 89), +"Message not sent.") + +ER3(SEC_ERROR_INADEQUATE_KEY_USAGE, (SEC_ERROR_BASE + 90), +"Certificate key usage inadequate for attempted operation.") + +ER3(SEC_ERROR_INADEQUATE_CERT_TYPE, (SEC_ERROR_BASE + 91), +"Certificate type not approved for application.") + +ER3(SEC_ERROR_CERT_ADDR_MISMATCH, (SEC_ERROR_BASE + 92), +"Address in signing certificate does not match address in message headers.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, (SEC_ERROR_BASE + 93), +"Unable to import. Error attempting to import private key.") + +ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, (SEC_ERROR_BASE + 94), +"Unable to import. Error attempting to import certificate chain.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95), +"Unable to export. Unable to locate certificate or key by nickname.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, (SEC_ERROR_BASE + 96), +"Unable to export. Private Key could not be located and exported.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, (SEC_ERROR_BASE + 97), +"Unable to export. Unable to write the export file.") + +ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ, (SEC_ERROR_BASE + 98), +"Unable to import. Unable to read the import file.") + +ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99), +"Unable to export. Key database corrupt or deleted.") + +ER3(SEC_ERROR_KEYGEN_FAIL, (SEC_ERROR_BASE + 100), +"Unable to generate public/private key pair.") + +ER3(SEC_ERROR_INVALID_PASSWORD, (SEC_ERROR_BASE + 101), +"Password entered is invalid. Please pick a different one.") + +ER3(SEC_ERROR_RETRY_OLD_PASSWORD, (SEC_ERROR_BASE + 102), +"Old password entered incorrectly. Please try again.") + +ER3(SEC_ERROR_BAD_NICKNAME, (SEC_ERROR_BASE + 103), +"Certificate nickname already in use.") + +ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER, (SEC_ERROR_BASE + 104), +"Peer FORTEZZA chain has a non-FORTEZZA Certificate.") + +ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, (SEC_ERROR_BASE + 105), +"A sensitive key cannot be moved to the slot where it is needed.") + +ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, (SEC_ERROR_BASE + 106), +"Invalid module name.") + +ER3(SEC_ERROR_JS_INVALID_DLL, (SEC_ERROR_BASE + 107), +"Invalid module path/filename") + +ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, (SEC_ERROR_BASE + 108), +"Unable to add module") + +ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109), +"Unable to delete module") + +ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110), +"New KRL is not later than the current one.") + +ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111), +"New CKL has different issuer than current CKL. Delete current CKL.") + +ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, (SEC_ERROR_BASE + 112), +"The Certifying Authority for this certificate is not permitted to issue a \ +certificate with this name.") + +ER3(SEC_ERROR_KRL_NOT_YET_VALID, (SEC_ERROR_BASE + 113), +"The key revocation list for this certificate is not yet valid.") + +ER3(SEC_ERROR_CRL_NOT_YET_VALID, (SEC_ERROR_BASE + 114), +"The certificate revocation list for this certificate is not yet valid.") + +ER3(SEC_ERROR_UNKNOWN_CERT, (SEC_ERROR_BASE + 115), +"The requested certificate could not be found.") + +ER3(SEC_ERROR_UNKNOWN_SIGNER, (SEC_ERROR_BASE + 116), +"The signer's certificate could not be found.") + +ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, (SEC_ERROR_BASE + 117), +"The location for the certificate status server has invalid format.") + +ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, (SEC_ERROR_BASE + 118), +"The OCSP response cannot be fully decoded; it is of an unknown type.") + +ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, (SEC_ERROR_BASE + 119), +"The OCSP server returned unexpected/invalid HTTP data.") + +ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST, (SEC_ERROR_BASE + 120), +"The OCSP server found the request to be corrupted or improperly formed.") + +ER3(SEC_ERROR_OCSP_SERVER_ERROR, (SEC_ERROR_BASE + 121), +"The OCSP server experienced an internal error.") + +ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER, (SEC_ERROR_BASE + 122), +"The OCSP server suggests trying again later.") + +ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, (SEC_ERROR_BASE + 123), +"The OCSP server requires a signature on this request.") + +ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, (SEC_ERROR_BASE + 124), +"The OCSP server has refused this request as unauthorized.") + +ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, (SEC_ERROR_BASE + 125), +"The OCSP server returned an unrecognizable status.") + +ER3(SEC_ERROR_OCSP_UNKNOWN_CERT, (SEC_ERROR_BASE + 126), +"The OCSP server has no status for the certificate.") + +ER3(SEC_ERROR_OCSP_NOT_ENABLED, (SEC_ERROR_BASE + 127), +"You must enable OCSP before performing this operation.") + +ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, (SEC_ERROR_BASE + 128), +"You must set the OCSP default responder before performing this operation.") + +ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE, (SEC_ERROR_BASE + 129), +"The response from the OCSP server was corrupted or improperly formed.") + +ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, (SEC_ERROR_BASE + 130), +"The signer of the OCSP response is not authorized to give status for \ +this certificate.") + +ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE, (SEC_ERROR_BASE + 131), +"The OCSP response is not yet valid (contains a date in the future).") + +ER3(SEC_ERROR_OCSP_OLD_RESPONSE, (SEC_ERROR_BASE + 132), +"The OCSP response contains out-of-date information.") + +ER3(SEC_ERROR_DIGEST_NOT_FOUND, (SEC_ERROR_BASE + 133), +"The CMS or PKCS #7 Digest was not found in signed message.") + +ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, (SEC_ERROR_BASE + 134), +"The CMS or PKCS #7 Message type is unsupported.") + +ER3(SEC_ERROR_MODULE_STUCK, (SEC_ERROR_BASE + 135), +"PKCS #11 module could not be removed because it is still in use.") + +ER3(SEC_ERROR_BAD_TEMPLATE, (SEC_ERROR_BASE + 136), +"Could not decode ASN.1 data. Specified template was invalid.") + +ER3(SEC_ERROR_CRL_NOT_FOUND, (SEC_ERROR_BASE + 137), +"No matching CRL was found.") + +ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL, (SEC_ERROR_BASE + 138), +"You are attempting to import a cert with the same issuer/serial as \ +an existing cert, but that is not the same cert.") + +ER3(SEC_ERROR_BUSY, (SEC_ERROR_BASE + 139), +"NSS could not shutdown. Objects are still in use.") + +ER3(SEC_ERROR_EXTRA_INPUT, (SEC_ERROR_BASE + 140), +"DER-encoded message contained extra unused data.") + +ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, (SEC_ERROR_BASE + 141), +"Unsupported elliptic curve.") + +ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, (SEC_ERROR_BASE + 142), +"Unsupported elliptic curve point form.") + +ER3(SEC_ERROR_UNRECOGNIZED_OID, (SEC_ERROR_BASE + 143), +"Unrecognized Object IDentifier.") + +ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, (SEC_ERROR_BASE + 144), +"Invalid OCSP signing certificate in OCSP response.") + +ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL, (SEC_ERROR_BASE + 145), +"Certificate is revoked in issuer's certificate revocation list.") + +ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP, (SEC_ERROR_BASE + 146), +"Issuer's OCSP responder reports certificate is revoked.") + +ER3(SEC_ERROR_CRL_INVALID_VERSION, (SEC_ERROR_BASE + 147), +"Issuer's Certificate Revocation List has an unknown version number.") + +ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 148), +"Issuer's V1 Certificate Revocation List has a critical extension.") + +ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 149), +"Issuer's V2 Certificate Revocation List has an unknown critical extension.") + +ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE, (SEC_ERROR_BASE + 150), +"Unknown object type specified.") + +ER3(SEC_ERROR_INCOMPATIBLE_PKCS11, (SEC_ERROR_BASE + 151), +"PKCS #11 driver violates the spec in an incompatible way.") + +ER3(SEC_ERROR_NO_EVENT, (SEC_ERROR_BASE + 152), +"No new slot event is available at this time.") + +ER3(SEC_ERROR_CRL_ALREADY_EXISTS, (SEC_ERROR_BASE + 153), +"CRL already exists.") + +ER3(SEC_ERROR_NOT_INITIALIZED, (SEC_ERROR_BASE + 154), +"NSS is not initialized.") + +ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN, (SEC_ERROR_BASE + 155), +"The operation failed because the PKCS#11 token is not logged in.") + diff --git a/base/native-tools/src/tkstool/SSLerrs.h b/base/native-tools/src/tkstool/SSLerrs.h new file mode 100644 index 000000000..d6ec13b47 --- /dev/null +++ b/base/native-tools/src/tkstool/SSLerrs.h @@ -0,0 +1,393 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SSLerrs.h + */ + +/* SSL-specific security error codes */ +/* caller must include "sslerr.h" */ + +ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0, +"Unable to communicate securely. Peer does not support high-grade encryption.") + +ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1, +"Unable to communicate securely. Peer requires high-grade encryption which is not supported.") + +ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2, +"Cannot communicate securely with peer: no common encryption algorithm(s).") + +ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3, +"Unable to find the certificate or key necessary for authentication.") + +ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4, +"Unable to communicate securely with peer: peers's certificate was rejected.") + +/* unused (SSL_ERROR_BASE + 5),*/ + +ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6, +"The server has encountered bad data from the client.") + +ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7, +"The client has encountered bad data from the server.") + +ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8, +"Unsupported certificate type.") + +ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9, +"Peer using unsupported version of security protocol.") + +/* unused (SSL_ERROR_BASE + 10),*/ + +ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11, +"Client authentication failed: private key in key database does not match public key in certificate database.") + +ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12, +"Unable to communicate securely with peer: requested domain name does not match the server's certificate.") + +/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13), + defined in sslerr.h +*/ + +ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14), +"Peer only supports SSL version 2, which is locally disabled.") + + +ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15), +"SSL received a record with an incorrect Message Authentication Code.") + +ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16), +"SSL peer reports incorrect Message Authentication Code.") + +ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17), +"SSL peer cannot verify your certificate.") + +ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18), +"SSL peer rejected your certificate as revoked.") + +ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19), +"SSL peer rejected your certificate as expired.") + +ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20), +"Cannot connect: SSL is disabled.") + +ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21), +"Cannot connect: SSL peer is in another FORTEZZA domain.") + + +ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22), +"An unknown SSL cipher suite has been requested.") + +ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23), +"No cipher suites are present and enabled in this program.") + +ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24), +"SSL received a record with bad block padding.") + +ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25), +"SSL received a record that exceeded the maximum permissible length.") + +ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26), +"SSL attempted to send a record that exceeded the maximum permissible length.") + +/* + * Received a malformed (too long or short or invalid content) SSL handshake. + */ +ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27), +"SSL received a malformed Hello Request handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28), +"SSL received a malformed Client Hello handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29), +"SSL received a malformed Server Hello handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30), +"SSL received a malformed Certificate handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31), +"SSL received a malformed Server Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32), +"SSL received a malformed Certificate Request handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33), +"SSL received a malformed Server Hello Done handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34), +"SSL received a malformed Certificate Verify handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35), +"SSL received a malformed Client Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36), +"SSL received a malformed Finished handshake message.") + +/* + * Received a malformed (too long or short) SSL record. + */ +ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37), +"SSL received a malformed Change Cipher Spec record.") + +ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38), +"SSL received a malformed Alert record.") + +ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39), +"SSL received a malformed Handshake record.") + +ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40), +"SSL received a malformed Application Data record.") + +/* + * Received an SSL handshake that was inappropriate for the state we're in. + * E.g. Server received message from server, or wrong state in state machine. + */ +ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41), +"SSL received an unexpected Hello Request handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42), +"SSL received an unexpected Client Hello handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43), +"SSL received an unexpected Server Hello handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44), +"SSL received an unexpected Certificate handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45), +"SSL received an unexpected Server Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46), +"SSL received an unexpected Certificate Request handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47), +"SSL received an unexpected Server Hello Done handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48), +"SSL received an unexpected Certificate Verify handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49), +"SSL received an unexpected Cllient Key Exchange handshake message.") + +ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50), +"SSL received an unexpected Finished handshake message.") + +/* + * Received an SSL record that was inappropriate for the state we're in. + */ +ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51), +"SSL received an unexpected Change Cipher Spec record.") + +ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52), +"SSL received an unexpected Alert record.") + +ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53), +"SSL received an unexpected Handshake record.") + +ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54), +"SSL received an unexpected Application Data record.") + +/* + * Received record/message with unknown discriminant. + */ +ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55), +"SSL received a record with an unknown content type.") + +ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56), +"SSL received a handshake message with an unknown message type.") + +ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57), +"SSL received an alert record with an unknown alert description.") + +/* + * Received an alert reporting what we did wrong. (more alerts above) + */ +ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58), +"SSL peer has closed this connection.") + +ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59), +"SSL peer was not expecting a handshake message it received.") + +ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60), +"SSL peer was unable to succesfully decompress an SSL record it received.") + +ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61), +"SSL peer was unable to negotiate an acceptable set of security parameters.") + +ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62), +"SSL peer rejected a handshake message for unacceptable content.") + +ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63), +"SSL peer does not support certificates of the type it received.") + +ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64), +"SSL peer had some unspecified issue with the certificate it received.") + + +ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE + 65), +"SSL experienced a failure of its random number generator.") + +ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66), +"Unable to digitally sign data required to verify your certificate.") + +ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67), +"SSL was unable to extract the public key from the peer's certificate.") + +ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68), +"Unspecified failure while processing SSL Server Key Exchange handshake.") + +ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69), +"Unspecified failure while processing SSL Client Key Exchange handshake.") + +ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70), +"Bulk data encryption algorithm failed in selected cipher suite.") + +ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71), +"Bulk data decryption algorithm failed in selected cipher suite.") + +ER3(SSL_ERROR_SOCKET_WRITE_FAILURE , (SSL_ERROR_BASE + 72), +"Attempt to write encrypted data to underlying socket failed.") + +ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73), +"MD5 digest function failed.") + +ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74), +"SHA-1 digest function failed.") + +ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75), +"MAC computation failed.") + +ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76), +"Failure to create Symmetric Key context.") + +ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77), +"Failure to unwrap the Symmetric key in Client Key Exchange message.") + +ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78), +"SSL Server attempted to use domestic-grade public key with export cipher suite.") + +ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79), +"PKCS11 code failed to translate an IV into a param.") + +ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80), +"Failed to initialize the selected cipher suite.") + +ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE , (SSL_ERROR_BASE + 81), +"Client failed to generate session keys for SSL session.") + +ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82), +"Server has no key for the attempted key exchange algorithm.") + +ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83), +"PKCS#11 token was inserted or removed while operation was in progress.") + +ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84), +"No PKCS#11 token could be found to do a required operation.") + +ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85), +"Cannot communicate securely with peer: no common compression algorithm(s).") + +ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86), +"Cannot initiate another SSL handshake until current handshake is complete.") + +ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87), +"Received incorrect handshakes hash values from peer.") + +ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88), +"The certificate provided cannot be used with the selected key exchange algorithm.") + +ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89), +"No certificate authority is trusted for SSL client authentication.") + +ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90), +"Client's SSL session ID not found in server's session cache.") + +ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91), +"Peer was unable to decrypt an SSL record it received.") + +ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92), +"Peer received an SSL record that was longer than is permitted.") + +ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93), +"Peer does not recognize and trust the CA that issued your certificate.") + +ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94), +"Peer received a valid certificate, but access was denied.") + +ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95), +"Peer could not decode an SSL handshake message.") + +ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96), +"Peer reports failure of signature verification or key exchange.") + +ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97), +"Peer reports negotiation not in compliance with export regulations.") + +ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98), +"Peer reports incompatible or unsupported protocol version.") + +ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99), +"Server requires ciphers more secure than those supported by client.") + +ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100), +"Peer reports it experienced an internal error.") + +ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101), +"Peer user canceled handshake.") + +ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102), +"Peer does not permit renegotiation of SSL security parameters.") + +ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103), +"SSL server cache not configured and not disabled for this socket.") + +ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104), +"SSL peer does not support requested TLS hello extension.") + +ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105), +"SSL peer could not obtain your certificate from the supplied URL.") + +ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106), +"SSL peer has no certificate for the requested DNS name.") + +ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107), +"SSL peer was unable to get an OCSP response for its certificate.") + +ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108), +"SSL peer reported bad certificate hash value.") diff --git a/base/native-tools/src/tkstool/delete.c b/base/native-tools/src/tkstool/delete.c new file mode 100644 index 000000000..f40e66d16 --- /dev/null +++ b/base/native-tools/src/tkstool/delete.c @@ -0,0 +1,111 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +static SECStatus +DeleteKey( char *keyname, + PK11SymKey *key ) +{ + char *name = NULL; + SECStatus rv = SECFailure; + + name = PK11_GetSymKeyNickname( /* symmetric key */ key ); + if( name == NULL ) { + name = PORT_Strdup( "< orphaned >" ); + } + + /* Delete this key ONLY if its name is the specified keyname */ + /* */ + /* NOTE: If duplicate keys are allowed to be added to an */ + /* individual token, this function will delete */ + /* EVERY key named by the specified keyname; */ + /* therefore, MORE than ONE key may be DELETED from */ + /* the specified token!!! */ + if( PL_strcmp( keyname, name ) == 0 ) { + rv = PK11_DeleteTokenSymKey( /* symmetric key */ key ); + } + + PORT_Free( name ); + + return rv; +} + + +SECStatus +TKS_DeleteKeys( char *progName, + PK11SlotInfo *slot, + char *keyname, + secuPWData *pwdata ) +{ + int count = 0; + int keys_deleted = 0; + PK11SymKey *symKey = NULL; + PK11SymKey *nextSymKey = NULL; + SECStatus rvDelete = SECFailure; + SECStatus rv; + + if( PK11_NeedLogin( /* slot */ slot ) ) { + PK11_Authenticate( + /* slot */ slot, + /* load certs */ PR_TRUE, + /* wincx */ pwdata ); + } + + /* Initialize the symmetric key list. */ + symKey = PK11_ListFixedKeysInSlot( + /* slot */ slot, + /* nickname */ NULL, + /* wincx */ ( void *) pwdata ); + + /* Iterate through the symmetric key list. */ + while( symKey != NULL ) { + rvDelete = DeleteKey( keyname, + symKey ); + if( rvDelete != SECFailure ) { + keys_deleted++; + } + + nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); + PK11_FreeSymKey( /* symmetric key */ symKey ); + symKey = nextSymKey; + + count++; + } + + if( keys_deleted == 0 ) { + PR_fprintf( PR_STDOUT, + "\t%s: no key(s) called \"%s\" could be deleted\n", + progName, + keyname ); + + rv = SECFailure; + } else { + PR_fprintf( PR_STDOUT, + "%s: %d key(s) called \"%s\" were deleted\n", + progName, + keys_deleted, + keyname ); + + rv = SECSuccess; + } + + return rv; +} + diff --git a/base/native-tools/src/tkstool/file.c b/base/native-tools/src/tkstool/file.c new file mode 100644 index 000000000..d757225fc --- /dev/null +++ b/base/native-tools/src/tkstool/file.c @@ -0,0 +1,518 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +SECStatus +TKS_ReadInputFileIntoSECItem( char *input, + char *hexInternalKeyKCV, + int hexInternalKeyKCVLength, + char *wrappedKeyName, + SECItem *wrappedKey ) +{ + char buf[1]; + PRFileDesc *fd = NULL; + PRInt32 c = 0; + PRInt32 k = 0; + PRInt32 count = 0; + PRIntn firstCount = 0; + PRIntn secondCount = 0; + PRIntn thirdCount = 0; + PRIntn i = 0; + SECItem hexWrappedKey = { siBuffer, + NULL, + 0 }; + SECStatus status = SECFailure; + + /* Create a clean new hex display buffer for this wrapped key */ + hexWrappedKey.type = ( SECItemType ) siBuffer; + hexWrappedKey.len = ( ( wrappedKey->len * 2 ) + 1 ); + hexWrappedKey.data = ( unsigned char * ) + PORT_ZAlloc( hexWrappedKey.len ); + if( hexWrappedKey.data == NULL ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* open the input file read-only */ + fd = PR_OpenFile( input, PR_RDONLY, 0666 ); + if( !fd ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* read in the wrapped key */ + while( c < HEX_WRAPPED_KEY_LENGTH ) { + /* read in the next byte */ + count = PR_Read( fd, buf, 1 ); + + /* check for EOF */ + if( count > 0 ) { + /* save acceptable hex characters */ + /* silently throw anything else away */ + switch( *buf ) { + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + /* acceptable character; save it as typed */ + hexWrappedKey.data[c] = buf[0]; + break; + case 'A': + case 'a': + /* acceptable character; save uppercase version */ + hexWrappedKey.data[c] = 'A'; + break; + case 'B': + case 'b': + /* acceptable character; save uppercase version */ + hexWrappedKey.data[c] = 'B'; + break; + case 'C': + case 'c': + /* acceptable character; save uppercase version */ + hexWrappedKey.data[c] = 'C'; + break; + case 'D': + case 'd': + /* acceptable character; save uppercase version */ + hexWrappedKey.data[c] = 'D'; + break; + case 'E': + case 'e': + /* acceptable character; save uppercase version */ + hexWrappedKey.data[c] = 'E'; + break; + case 'F': + case 'f': + /* acceptable character; save uppercase version */ + hexWrappedKey.data[c] = 'F'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + + /* increment the number of wrapped key bytes read */ + c++; + } + } + + /* insure that the wrapped key was completely obtained */ + if( c != HEX_WRAPPED_KEY_LENGTH ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* Convert these wrapped key hex digits */ + /* into the data portion of a SECItem */ + TKS_ConvertStringOfHexCharactersIntoBitStream( ( char * ) hexWrappedKey.data, + ( hexWrappedKey.len - 1 ), + wrappedKey->data ); + + /* read in the wrapped key KCV */ + while( k < HEX_WRAPPED_KEY_KCV_LENGTH ) { + count = PR_Read( fd, buf, 1 ); + + if( count > 0 ) { + /* save acceptable hex characters; silently */ + /* throw anything else away */ + switch( *buf ) { + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + /* acceptable character; save it as typed */ + hexInternalKeyKCV[k] = buf[0]; + break; + case 'A': + case 'a': + /* acceptable character; save uppercase version */ + hexInternalKeyKCV[k] = 'A'; + break; + case 'B': + case 'b': + /* acceptable character; save uppercase version */ + hexInternalKeyKCV[k] = 'B'; + break; + case 'C': + case 'c': + /* acceptable character; save uppercase version */ + hexInternalKeyKCV[k] = 'C'; + break; + case 'D': + case 'd': + /* acceptable character; save uppercase version */ + hexInternalKeyKCV[k] = 'D'; + break; + case 'E': + case 'e': + /* acceptable character; save uppercase version */ + hexInternalKeyKCV[k] = 'E'; + break; + case 'F': + case 'f': + /* acceptable character; save uppercase version */ + hexInternalKeyKCV[k] = 'F'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + + /* increment the number of key KCV bytes read */ + k++; + } + } + + /* insure that the wrapped key KCV was completely obtained */ + if( k != HEX_WRAPPED_KEY_KCV_LENGTH ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* For convenience, display the read-in wrapped key */ + /* and its associated KCV to the user. */ + if( hexWrappedKey.data != NULL ) { + /* Display this final wrapped key */ + if( ( hexWrappedKey.len - 1 ) != + HEX_WRAPPED_KEY_LENGTH ) { + /* invalid key length */ + PR_fprintf( PR_STDERR, + "ERROR: Invalid data length of %d bytes!\n\n\n", + hexWrappedKey.len ); + status = SECFailure; + goto destroyHexWrappedKey; + } else { + /* Print wrapped data blob */ + PR_fprintf( PR_STDOUT, + "\n wrapped data: " ); + + /* Print first DES_LENGTH bytes */ + if( wrappedKey->len == ( 3 * DES_LENGTH ) ) { + firstCount = ( ( hexWrappedKey.len - 1 ) / 3 ); + } else { + firstCount = ( ( hexWrappedKey.len - 1 ) / 2 ); + } + for( i = 0; i < firstCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexWrappedKey.data[i], + hexWrappedKey.data[i + 1], + hexWrappedKey.data[i + 2], + hexWrappedKey.data[i + 3] ); + } + + /* Print appropriate padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + + /* Print second DES_LENGTH bytes */ + secondCount = firstCount * 2; + for( i = firstCount; i < secondCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexWrappedKey.data[i], + hexWrappedKey.data[i + 1], + hexWrappedKey.data[i + 2], + hexWrappedKey.data[i + 3] ); + } + + /* print out last 8 bytes of triple-DES keys */ + if( wrappedKey->len == ( 3 * DES_LENGTH ) ) { + /* Print appropriate padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + + /* Print third DES_LENGTH bytes */ + thirdCount = hexWrappedKey.len; + for( i = secondCount; i < thirdCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexWrappedKey.data[i], + hexWrappedKey.data[i + 1], + hexWrappedKey.data[i + 2], + hexWrappedKey.data[i + 3] ); + } + } + + /* Print appropriate vertical spacing */ + PR_fprintf( PR_STDOUT, "\n\n\n" ); + } + } + + if( hexInternalKeyKCV != NULL ) { + /* Display this final wrapped key's KCV */ + if( ( hexInternalKeyKCVLength - 1 ) != + HEX_WRAPPED_KEY_KCV_LENGTH ) { + /* invalid key length */ + PR_fprintf( PR_STDERR, + "ERROR: Invalid key KCV length " + "of %d bytes!\n\n\n", + hexInternalKeyKCVLength ); + status = SECFailure; + goto destroyHexWrappedKey; + } else { + PR_fprintf( PR_STDOUT, + " master key KCV: " + "%c%c%c%c %c%c%c%c\n (pre-computed KCV of the " + "master key residing inside the wrapped data)\n\n\n", + hexInternalKeyKCV[0], + hexInternalKeyKCV[1], + hexInternalKeyKCV[2], + hexInternalKeyKCV[3], + hexInternalKeyKCV[4], + hexInternalKeyKCV[5], + hexInternalKeyKCV[6], + hexInternalKeyKCV[7] ); + } + } + + /* close the input file */ + PR_Close( fd ); + + status = SECSuccess; + +destroyHexWrappedKey: + /* Destroy the hex wrapped key */ + if( hexWrappedKey.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + hexWrappedKey.data, + hexWrappedKey.len ); + hexWrappedKey.data = NULL; + hexWrappedKey.len = 0; + } + + return status; +} + + +SECStatus +TKS_WriteSECItemIntoOutputFile( SECItem *wrappedKey, + char *wrappedKeyName, + char *hexInternalKeyKCV, + int hexInternalKeyKCVLength, + char *output ) +{ + PRFileDesc *fd = NULL; + PRInt32 count = 0; + PRInt32 r = 0; + PRIntn firstCount = 0; + PRIntn secondCount = 0; + PRIntn thirdCount = 0; + PRIntn i = 0; + SECItem hexWrappedKey = { siBuffer, + NULL, + 0 }; + SECStatus status = SECFailure; + + /* Create a clean new hex display buffer for this wrapped key */ + hexWrappedKey.type = ( SECItemType ) siBuffer; + hexWrappedKey.len = ( ( wrappedKey->len * 2 ) + 1 ); + hexWrappedKey.data = ( unsigned char * ) + PORT_ZAlloc( hexWrappedKey.len ); + if( hexWrappedKey.data == NULL ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* Convert this wrapped key into hex digits */ + TKS_StringToHex( ( PRUint8 * ) wrappedKey->data, + ( PRIntn ) wrappedKey->len, + ( PRUint8 * ) hexWrappedKey.data, + ( PRIntn ) hexWrappedKey.len ); + + /* For convenience, display this wrapped key to the user. */ + if( hexWrappedKey.data != NULL ) { + /* Display this final wrapped key */ + if( ( hexWrappedKey.len - 1 ) != + HEX_WRAPPED_KEY_LENGTH ) { + /* invalid key length */ + PR_fprintf( PR_STDERR, + "ERROR: Invalid data length of %d bytes!\n\n\n", + hexWrappedKey.len ); + status = SECFailure; + goto destroyHexWrappedKey; + } else { + /* Print wrapped data blob */ + PR_fprintf( PR_STDOUT, + " wrapped data: " ); + + /* Print first DES_LENGTH bytes */ + if( wrappedKey->len == ( 3 * DES_LENGTH ) ) { + firstCount = ( ( hexWrappedKey.len - 1 ) / 3 ); + } else { + firstCount = ( ( hexWrappedKey.len - 1 ) / 2 ); + } + for( i = 0; i < firstCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexWrappedKey.data[i], + hexWrappedKey.data[i + 1], + hexWrappedKey.data[i + 2], + hexWrappedKey.data[i + 3] ); + } + + /* Print appropriate padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + + /* Print second DES_LENGTH bytes */ + secondCount = firstCount * 2; + for( i = firstCount; i < secondCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexWrappedKey.data[i], + hexWrappedKey.data[i + 1], + hexWrappedKey.data[i + 2], + hexWrappedKey.data[i + 3] ); + } + + /* print out last 8 bytes of triple-DES keys */ + if( wrappedKey->len == ( 3 * DES_LENGTH ) ) { + /* Print appropriate padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + + /* Print third DES_LENGTH bytes */ + thirdCount = hexWrappedKey.len; + for( i = secondCount; i < thirdCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexWrappedKey.data[i], + hexWrappedKey.data[i + 1], + hexWrappedKey.data[i + 2], + hexWrappedKey.data[i + 3] ); + } + } + + /* Print appropriate vertical spacing */ + PR_fprintf( PR_STDOUT, "\n\n\n" ); + } + } + + /* For convenience, display this wrapped key's */ + /* master key KCV to the user. */ + if( ( hexInternalKeyKCV != NULL ) && + ( hexInternalKeyKCVLength == HEX_WRAPPED_KEY_KCV_LENGTH ) ) { + /* display this wrapped key's computed KCV value (in hex) */ + PR_fprintf( PR_STDOUT, + " master key KCV: " + "%c%c%c%c %c%c%c%c\n (computed KCV of the " + "master key residing inside the wrapped data)\n\n\n", + hexInternalKeyKCV[0], + hexInternalKeyKCV[1], + hexInternalKeyKCV[2], + hexInternalKeyKCV[3], + hexInternalKeyKCV[4], + hexInternalKeyKCV[5], + hexInternalKeyKCV[6], + hexInternalKeyKCV[7] ); + } + + /* open the output file read-write */ + fd = PR_OpenFile( output, ( PR_RDWR | PR_CREATE_FILE ), 0666 ); + if( !fd ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* write out the wrapped key (in hex) to the output file */ + while( count < HEX_WRAPPED_KEY_LENGTH ) { + /* write out 4 bytes */ + r = PR_Write( fd, &( hexWrappedKey.data[count] ), 4 ); + if( r != 4 ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* increment the byte count by 4 */ + count += 4; + + if( count >= HEX_WRAPPED_KEY_LENGTH ) { + r = PR_Write( fd, "\n", 1 ); + if( r != 1 ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + } else { + r = PR_Write( fd, " ", 1 ); + if( r != 1 ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + } + } + + /* reinitialize count */ + count = 0; + + /* write out the master key KCV (in hex) to the output file */ + while( count < HEX_WRAPPED_KEY_KCV_LENGTH ) { + /* write out 4 bytes */ + r = PR_Write( fd, &( hexInternalKeyKCV[count] ), 4 ); + if( r != 4 ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + + /* increment the byte count by 4 */ + count += 4; + + if( count >= HEX_WRAPPED_KEY_KCV_LENGTH ) { + r = PR_Write( fd, "\n", 1 ); + if( r != 1 ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + } else { + r = PR_Write( fd, " ", 1 ); + if( r != 1 ) { + status = SECFailure; + goto destroyHexWrappedKey; + } + } + } + + /* close the output file */ + PR_Close( fd ); + + status = SECSuccess; + +destroyHexWrappedKey: + /* Destroy the hex wrapped key */ + if( hexWrappedKey.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + hexWrappedKey.data, + hexWrappedKey.len ); + hexWrappedKey.data = NULL; + hexWrappedKey.len = 0; + } + + return status; +} + diff --git a/base/native-tools/src/tkstool/find.c b/base/native-tools/src/tkstool/find.c new file mode 100644 index 000000000..8926d5cbb --- /dev/null +++ b/base/native-tools/src/tkstool/find.c @@ -0,0 +1,81 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +SECStatus +TKS_FindSymKey( PK11SlotInfo *slot, + char *keyname, + void *pwdata ) +{ + char *name = NULL; + int count = 0; + int keys_found = 0; + PK11SymKey *symKey = NULL; + PK11SymKey *nextSymKey = NULL; + SECStatus rv = SECFailure; + + if( PK11_NeedLogin( /* slot */ slot ) ) { + PK11_Authenticate( + /* slot */ slot, + /* load certs */ PR_TRUE, + /* wincx */ pwdata ); + } + + /* Initialize the symmetric key list. */ + symKey = PK11_ListFixedKeysInSlot( + /* slot */ slot, + /* nickname */ NULL, + /* wincx */ ( void *) pwdata ); + + /* Iterate through the symmetric key list. */ + while( symKey != NULL ) { + name = PK11_GetSymKeyNickname( /* symmetric key */ symKey ); + if( name != NULL ) { + if( keyname != NULL ) { + if( PL_strcmp( keyname, name ) == 0 ) { + keys_found++; + rv = SECSuccess; + } + } + } + + nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); + PK11_FreeSymKey( /* symmetric key */ symKey ); + symKey = nextSymKey; + + count++; + } + + /* case 1: the token is empty */ + if( count == 0 ) { + /* the specified token is empty */ + rv = SECFailure; + } + + /* case 2: the specified key is not on this token */ + if( ( keyname != NULL ) && + ( keys_found == 0 ) ) { + /* the key called "keyname" could not be found */ + rv = SECFailure; + } + + return rv; +} + diff --git a/base/native-tools/src/tkstool/help.c b/base/native-tools/src/tkstool/help.c new file mode 100644 index 000000000..97c724459 --- /dev/null +++ b/base/native-tools/src/tkstool/help.c @@ -0,0 +1,499 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +void +TKS_Usage( char *progName ) +{ + PR_fprintf( PR_STDERR, + "Usage: %s -D -n keyname -d DBDir [-h token_name]\n" + "\t\t[-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -H\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -I -n keyname -d DBDir [-h token_name]\n" + "\t\t[-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -K -n keyname -d DBDir [-h token_name]\n" + "\t\t[-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -L -d DBDir [-h all | -h token_name]\n" + "\t\t[-p DBPrefix] [-n keyname] [-f pwfile] [-x]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -M -n keyname -d DBDir [-h token_name]\n" + "\t\t[-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -N -d DBDir\n" + "\t\t[-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -P -d DBDir\n" + "\t\t[-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -R -n keyname -r new_keyname -d DBDir [-h token_name]\n" + "\t\t[-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -S -d DBDir\n" + "\t\t[-p DBPrefix] [-x]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -T -n keyname -d DBDir [-h token_name]\n" + "\t\t[-p DBPrefix] [-f pwfile] [-z noisefile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -U -n keyname -d DBDir -t transport_keyname -i infile\n" + "\t\t[-h token_name] [-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -V\n\n", + progName ); + PR_fprintf( PR_STDERR, + "\t%s -W -n keyname -d DBDir -t transport_keyname -o outfile\n" + "\t\t[-h token_name] [-p DBPrefix] [-f pwfile]\n\n", + progName ); + PR_fprintf( PR_STDERR, + "Type \"%s -H\" for more detailed descriptions\n\n", + progName ); +} + + +void +TKS_PrintHelp( char *progName ) +{ + /**********************/ + /* -D command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Delete a key from the token\n", + "-D" ); + PR_fprintf( PR_STDERR, + "%-24s The name of the key to delete\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token from which to remove key\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -H command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Display this extended help for Usage\n", + "-H" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -I command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Input shares to generate a new transport key\n", + "-I" ); + PR_fprintf( PR_STDERR, + "%-24s The name to assign to the generated transport key\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token in which to generate transport key\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -K command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Display the KCV of the specified key\n", + "-K" ); + PR_fprintf( PR_STDERR, + "%-24s The name of the key to perform a KCV on\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token on which the named key resides\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -L command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s List out a specified key, or all keys\n", + "-L" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Look on all tokens OR\n" + "%-24s Name of token in which to look for keys\n" + "\t\t [optional]\n", + " -h all |", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s The name of the key to list\n" + "\t\t [optional]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "%-24s force the database to open R/W (software only)\n" + "\t\t [optional]\n", + " -x" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -M command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Generate a new master key\n", + "-M" ); + PR_fprintf( PR_STDERR, + "%-24s The name to assign to the generated master key\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token in which to generate master key\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -N command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Create a new key database (software only)\n", + "-N" ); + PR_fprintf( PR_STDERR, + "%-24s Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Key database prefix (software only)\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -P command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Change the key database password (software only)\n", + "-P" ); + PR_fprintf( PR_STDERR, + "%-24s Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Key database prefix (software only)\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -R command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Rename a symmetric key\n", + "-R" ); + PR_fprintf( PR_STDERR, + "%-24s The original name assigned to a pre-existing\n" + "\t\t symmetric key\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s The new name assigned to the original pre-existing\n" + "\t\t symmetric key\n" + "\t\t [required]\n", + " -r new_keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token in which to generate master key\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -S command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s List all security modules\n", + /*, or print out a single named module\n",*/ + "-S" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s force the database to open R/W (software only)\n" + "\t\t [optional]\n", + " -x" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -T command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Generate a new transport key\n", + "-T" ); + PR_fprintf( PR_STDERR, + "%-24s The name to assign to the generated transport key\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token in which to generate transport key\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the noise file to be used\n" + "\t\t [optional]\n", + " -z noisefile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -U command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Unwrap the wrapped master key\n", + "-U" ); + PR_fprintf( PR_STDERR, + "%-24s The name to assign to the unwrapped master key\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s The name of the transport key (e. g. - unwrapping key)\n" + "\t\t [required]\n", + " -t transport_keyname" ); + PR_fprintf( PR_STDERR, + "%-24s The filename from which to input the wrapped master key\n" + "\t\t [required]\n", + " -i infile" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token in which to store wrapped master key\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -V command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Display the version number of this tool\n", + "-V" ); + PR_fprintf( PR_STDERR, + "\n" ); + + + /**********************/ + /* -W command options */ + /**********************/ + + PR_fprintf( PR_STDERR, + "%-15s Wrap a newly generated master key\n", + "-W" ); + PR_fprintf( PR_STDERR, + "%-24s The name to assign to the generated master key\n" + "\t\t [required]\n", + " -n keyname" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database directory (HSM);\n" + "\t\t Key database directory (software only)\n" + "\t\t [required]\n", + " -d DBDir" ); + PR_fprintf( PR_STDERR, + "%-24s The name of the transport key (e. g. - wrapping key)\n" + "\t\t [required]\n", + " -t transport_keyname" ); + PR_fprintf( PR_STDERR, + "%-24s The filename in which to output the wrapped master key\n" + "\t\t [required]\n", + " -o outfile" ); + PR_fprintf( PR_STDERR, + "%-24s Name of token in which to generate master key\n" + "\t\t [optional]\n", + " -h token_name" ); + PR_fprintf( PR_STDERR, + "%-24s Security module database prefix\n" + "\t\t [optional]\n", + " -p DBPrefix" ); + PR_fprintf( PR_STDERR, + "%-24s Specify the password file\n" + "\t\t [optional]\n", + " -f pwfile" ); + PR_fprintf( PR_STDERR, + "\n" ); +} + diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c new file mode 100644 index 000000000..4fd37963b --- /dev/null +++ b/base/native-tools/src/tkstool/key.c @@ -0,0 +1,1350 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +/*******************************/ +/** local private functions **/ +/*******************************/ + +/* returns 0 for success, -1 for failure (EOF encountered) */ +static int +InputHexSessionKey( char *sessionKeyShareName, + SECItem *hexSessionKeyShare ) +{ + int fd; + int i; + int count; + int c; + int rv = 0; +#ifdef XP_UNIX + cc_t orig_cc_min; + cc_t orig_cc_time; + tcflag_t orig_lflag; + struct termios tio; +#endif + + PR_fprintf( PR_STDOUT, + "Type in the %s session key share (or ^C to break):\n\n", + sessionKeyShareName ); + PR_fprintf( PR_STDOUT, + "[ ] [ ] [ ] [ ] " + "[ ] [ ] [ ] [ ]\r" ); + + /* turn off echo on stdin & return on 1 char instead of NL */ + fd = fileno( stdin ); + +#if defined( XP_UNIX ) && !defined( VMS ) + tcgetattr( fd, &tio ); + orig_lflag = tio.c_lflag; + orig_cc_min = tio.c_cc[VMIN]; + orig_cc_time = tio.c_cc[VTIME]; + tio.c_lflag &= ~ECHO; + tio.c_lflag &= ~ICANON; + tio.c_cc[VMIN] = 1; + tio.c_cc[VTIME] = 0; + tcsetattr( fd, TCSAFLUSH, &tio ); +#endif + + /* Get user input from keyboard strokes */ + count = 0; + while( count < HEX_SESSION_KEY_BUF_LENGTH ) { +#ifdef VMS + c = GENERIC_GETCHAR_NOECHO(); +#elif XP_UNIX + c = getc( stdin ); +#else + c = getch(); +#endif + /* break on EOF */ + if( c == EOF ) { + rv = -1; + break; + } + + /* break on ^C */ + if( c == CTRL_C ) { + rv = -1; + break; + } + + /* save acceptable hex characters; silently throw anything else away */ + switch( c ) { + case '\010': /* backspace */ + /* acceptable character; save it as a NULL value */ + hexSessionKeyShare->data[count] = '\0'; + break; + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + /* acceptable character; save it as typed */ + hexSessionKeyShare->data[count] = c; + break; + case 'A': + case 'a': + /* acceptable character; save uppercase version */ + hexSessionKeyShare->data[count] = 'A'; + break; + case 'B': + case 'b': + /* acceptable character; save uppercase version */ + hexSessionKeyShare->data[count] = 'B'; + break; + case 'C': + case 'c': + /* acceptable character; save uppercase version */ + hexSessionKeyShare->data[count] = 'C'; + break; + case 'D': + case 'd': + /* acceptable character; save uppercase version */ + hexSessionKeyShare->data[count] = 'D'; + break; + case 'E': + case 'e': + /* acceptable character; save uppercase version */ + hexSessionKeyShare->data[count] = 'E'; + break; + case 'F': + case 'f': + /* acceptable character; save uppercase version */ + hexSessionKeyShare->data[count] = 'F'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + + /* adjust the character count appropriately */ + if( c != '\010' ) { + /* only increment the character count if everything is OK */ + count++; + } else { + /* only decrement the character count if a backspace was entered */ + if( count > 0 ) { + count--; + } + } + + /* redisplay the left bracket */ + PR_fprintf( PR_STDOUT, + "\r[" ); + + /* display the characters input so far */ + for( i = 0 ; i < count ; i++ ) { + PR_fprintf( PR_STDOUT, + "%c", + hexSessionKeyShare->data[i] ); + if( ( i > 0 ) && + ( ( ( i + 1 ) % 4 ) == 0 ) ) { + PR_fprintf( PR_STDOUT, "] [" ); + } + } + + /* display a "cursor" pointing to the next character */ + PR_fprintf( PR_STDOUT, + "/" ); + + /* display spaces to pad the remainder */ + for( i = ( count + 1 ); + i < HEX_SESSION_KEY_BUF_LENGTH; + i++ ) { + if( ( i % 4 ) != 0 ) { + PR_fprintf( PR_STDOUT, " " ); + } else { + if( ( i > 0 ) && + ( ( i + 1 ) < HEX_SESSION_KEY_BUF_LENGTH ) ) { + PR_fprintf( PR_STDOUT, "] [" ); + PR_fprintf( PR_STDOUT, " " ); + } + } + } + + /* redisplay the right bracket */ + PR_fprintf( PR_STDOUT, + "]" ); + } + + /* Null terminate the entered character sequence */ + hexSessionKeyShare->data[count] = '\0'; + + + /**************************************/ + /* Print the final character sequence */ + /**************************************/ + + /* Clear input line by outputting 78 blank */ + /* spaces from the beginning of this line */ + PR_fprintf( PR_STDOUT, + "\r" + " " + " " ); + + /* Print appropriate key share name */ + PR_fprintf( PR_STDOUT, + "\r %s session key share: ", + sessionKeyShareName ); + + /* Print first DES_LENGTH bytes */ + count = ( ( hexSessionKeyShare->len - 1 ) / 2 ); + for( i = 0; i < count; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexSessionKeyShare->data[i], + hexSessionKeyShare->data[i + 1], + hexSessionKeyShare->data[i + 2], + hexSessionKeyShare->data[i + 3] ); + } + + /* Print appropriate key share padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + for( i = 0; i < PL_strlen( sessionKeyShareName ); i++ ) { + PR_fprintf( PR_STDOUT, " " ); + } + + /* Print second DES_LENGTH bytes */ + for( i = count; i < hexSessionKeyShare->len; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexSessionKeyShare->data[i], + hexSessionKeyShare->data[i + 1], + hexSessionKeyShare->data[i + 2], + hexSessionKeyShare->data[i + 3] ); + } + + /* Print appropriate vertical spacing */ + PR_fprintf( PR_STDOUT, "\n\n\n" ); + +#if defined( XP_UNIX ) && !defined( VMS ) + /* set back termio the way it was */ + tio.c_lflag = orig_lflag; + tio.c_cc[VMIN] = orig_cc_min; + tio.c_cc[VTIME] = orig_cc_time; + tcsetattr( fd, TCSAFLUSH, &tio ); +#endif + + return rv; +} + + +/* returns 0 for success, -1 for failure (EOF encountered) */ +static int +InputHexKCV( char *sessionKeyShareName, + PRUint8 *hexKCV ) +{ + int fd; + int i; + int count; + int c; + int rv = 0; +#ifdef XP_UNIX + cc_t orig_cc_min; + cc_t orig_cc_time; + tcflag_t orig_lflag; + struct termios tio; +#endif + + PR_fprintf( PR_STDOUT, + "Type in the corresponding KCV for the " + "%s session key share (or ^C to break):\n\n", + sessionKeyShareName ); + PR_fprintf( PR_STDOUT, + "[ ] [ ]\r" ); + + /* turn off echo on stdin & return on 1 char instead of NL */ + fd = fileno( stdin ); + +#if defined( XP_UNIX ) && !defined( VMS ) + tcgetattr( fd, &tio ); + orig_lflag = tio.c_lflag; + orig_cc_min = tio.c_cc[VMIN]; + orig_cc_time = tio.c_cc[VTIME]; + tio.c_lflag &= ~ECHO; + tio.c_lflag &= ~ICANON; + tio.c_cc[VMIN] = 1; + tio.c_cc[VTIME] = 0; + tcsetattr( fd, TCSAFLUSH, &tio ); +#endif + + /* Get user input from keyboard strokes */ + count = 0; + while( count < HEX_SESSION_KEY_KCV_BUF_LENGTH ) { +#ifdef VMS + c = GENERIC_GETCHAR_NOECHO(); +#elif XP_UNIX + c = getc( stdin ); +#else + c = getch(); +#endif + /* break on EOF */ + if( c == EOF ) { + rv = -1; + break; + } + + /* break on ^C */ + if( c == CTRL_C ) { + rv = -1; + break; + } + + /* save acceptable hex characters; silently throw anything else away */ + switch( c ) { + case '\010': /* backspace */ + /* acceptable character; save it as a NULL value */ + hexKCV[count] = '\0'; + break; + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + /* acceptable character; save it as typed */ + hexKCV[count] = c; + break; + case 'A': + case 'a': + /* acceptable character; save uppercase version */ + hexKCV[count] = 'A'; + break; + case 'B': + case 'b': + /* acceptable character; save uppercase version */ + hexKCV[count] = 'B'; + break; + case 'C': + case 'c': + /* acceptable character; save uppercase version */ + hexKCV[count] = 'C'; + break; + case 'D': + case 'd': + /* acceptable character; save uppercase version */ + hexKCV[count] = 'D'; + break; + case 'E': + case 'e': + /* acceptable character; save uppercase version */ + hexKCV[count] = 'E'; + break; + case 'F': + case 'f': + /* acceptable character; save uppercase version */ + hexKCV[count] = 'F'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + + /* adjust the character count appropriately */ + if( c != '\010' ) { + /* only increment the character count if everything is OK */ + count++; + } else { + /* only decrement the character count if a backspace was entered */ + if( count > 0 ) { + count--; + } + } + + /* redisplay the left bracket */ + PR_fprintf( PR_STDOUT, + "\r[" ); + + /* display the characters input so far */ + for( i = 0 ; i < count ; i++ ) { + PR_fprintf( PR_STDOUT, + "%c", + hexKCV[i] ); + if( ( i > 0 ) && + ( ( ( i + 1 ) % 4 ) == 0 ) ) { + PR_fprintf( PR_STDOUT, "] [" ); + } + } + + /* display a "cursor" pointing to the next character */ + PR_fprintf( PR_STDOUT, + "/" ); + + /* display spaces to pad the remainder */ + for( i = ( count + 1 ); + i < HEX_SESSION_KEY_KCV_BUF_LENGTH; + i++ ) { + if( ( i % 4 ) != 0 ) { + PR_fprintf( PR_STDOUT, " " ); + } else { + if( ( i > 0 ) && + ( ( i + 1 ) < HEX_SESSION_KEY_KCV_BUF_LENGTH ) ) { + PR_fprintf( PR_STDOUT, "] [" ); + PR_fprintf( PR_STDOUT, " " ); + } + } + } + + /* redisplay the right bracket */ + PR_fprintf( PR_STDOUT, + "]" ); + } + + /* Null terminate the entered character sequence */ + hexKCV[count] = '\0'; + + + /**************************************/ + /* Print the final character sequence */ + /**************************************/ + + /* Clear input line by outputting 78 blank */ + /* spaces from the beginning of this line */ + PR_fprintf( PR_STDOUT, + "\r" + " " + " " ); + + /* display this session key share's entered KCV value (in hex) */ + PR_fprintf( PR_STDOUT, + "\r %s session key share KCV: " + "%c%c%c%c %c%c%c%c\n\n\n", + sessionKeyShareName, + hexKCV[0], + hexKCV[1], + hexKCV[2], + hexKCV[3], + hexKCV[4], + hexKCV[5], + hexKCV[6], + hexKCV[7] ); + +#if defined( XP_UNIX ) && !defined( VMS ) + /* set back termio the way it was */ + tio.c_lflag = orig_lflag; + tio.c_cc[VMIN] = orig_cc_min; + tio.c_cc[VTIME] = orig_cc_time; + tcsetattr( fd, TCSAFLUSH, &tio ); +#endif + + return rv; +} + + +/************************************/ +/** public session key functions **/ +/************************************/ + +SECStatus +TKS_ComputeAndDisplayKCV( PRUint8 *newKey, + PRIntn newKeyLen, + PRUint8 *KCV, + PRIntn KCVLen, + PK11SymKey *symKey, + char *keyName, + char *keyType, + PRBool displayKCV, + PRUint8 *expectedHexKCV ) +{ + int len; + unsigned char value[8]; + PK11SymKey *key = NULL; + PK11SlotInfo *slot = NULL; + PK11Context *context = NULL; + PRIntn hexKCVLen = ( 2 * KCVLen ) + 1; + PRUint8 *hexKCV = NULL; + PRUint8 *keyData = NULL; + SECItem keyItem = { siBuffer, + NULL, + 0 }; + SECItem noParams = { siBuffer, + NULL, + 0 }; + SECStatus s = SECFailure; + SECStatus status = SECFailure; + + /* for all keys except keys that are resident/wrapped/unwrapped . . . */ + if( ( PL_strcmp( keyType, RESIDENT_KEY ) != 0 ) && + ( PL_strcmp( keyType, UNWRAPPED_KEY ) != 0 ) && + ( PL_strcmp( keyType, WRAPPED_KEY ) != 0 ) ) { + slot = PK11_GetInternalKeySlot(); + + if( newKeyLen == ( 2 * DES_LENGTH ) ) { +#if defined(PAD_DES2_KEY_LENGTH) + /* double-DES key */ + keyData = ( PRUint8 * ) PORT_ZAlloc( newKeyLen + DES_LENGTH ); + + keyItem.type = ( SECItemType ) siBuffer; + keyItem.data = ( unsigned char * ) keyData; + keyItem.len = ( unsigned int ) ( newKeyLen + DES_LENGTH ); + + /* convert 16-byte double-DES key to 24-byte triple-DES key */ + PORT_Memcpy( keyData, newKey, newKeyLen ); + PORT_Memcpy( ( keyData + ( 2 * DES_LENGTH ) ), + newKey, DES_LENGTH ); +#else + /* double-DES key */ + keyData = ( PRUint8 * ) PORT_ZAlloc( newKeyLen ); + + keyItem.type = ( SECItemType ) siBuffer; + keyItem.data = ( unsigned char * ) keyData; + keyItem.len = ( unsigned int ) newKeyLen; + + PORT_Memcpy( keyData, newKey, newKeyLen ); +#endif + } else if( newKeyLen == ( 3 * DES_LENGTH ) ) { + /* triple-DES key */ + keyData = ( PRUint8 * ) PORT_ZAlloc( newKeyLen ); + + keyItem.type = ( SECItemType ) siBuffer; + keyItem.data = ( unsigned char * ) keyData; + keyItem.len = ( unsigned int ) newKeyLen; + + PORT_Memcpy( keyData, newKey, newKeyLen ); + } else { + /* invalid key size */ + PR_fprintf( PR_STDOUT, + "Attempting to perform KCV on invalid key length!\n\n\n" ); + status = SECFailure; + goto done; + } + + key = PK11_ImportSymKeyWithFlags( + /* slot */ slot, + /* mechanism type */ CKM_DES3_ECB, + /* origin */ PK11_OriginGenerated, + /* operation */ CKA_ENCRYPT, + /* key */ &keyItem, + /* flags */ CKF_ENCRYPT, + /* isPerm */ PR_FALSE, + /* wincx */ 0 ); + + if( ! key ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to import %s key!\n\n\n", + keyType ); + status = SECFailure; + goto done; + } + } else { + /* since resident/wrapped/unwrapped keys are already present . . . */ + key = symKey; + } + + PORT_Memset( value, 0, sizeof( value ) ); + + context = PK11_CreateContextBySymKey( + /* mechanism type */ CKM_DES3_ECB, + /* operation */ CKA_ENCRYPT, + /* symmetric key */ key, + /* param */ &noParams ); + + if( ! context ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to create crypto context!\n\n\n" ); + status = SECFailure; + goto done; + } + + s = PK11_CipherOp( + /* context */ context, + /* output */ &value[0], + /* output length */ &len, + /* maximum output length */ DES_LENGTH, + /* input */ &value[0], + /* input length */ DES_LENGTH ); + if( s != SECSuccess) { + PR_fprintf( PR_STDERR, + "ERROR: CipherOp Failed!\n\n\n" ); + status = SECFailure; + goto done; + } + + KCV = ( PRUint8 * ) PORT_ZAlloc( KCVLen ); + + PORT_Memcpy( KCV, value, KCVLen ); + + /* Create a clean new display buffer for this */ + /* symmetric key/session key share KCV */ + hexKCV = ( PRUint8 * ) PORT_ZAlloc( hexKCVLen ); + if( hexKCV == NULL ) { + status = SECFailure; + goto done; + } + + /* Display the symmetric key/session key share KCV (in hex digits) */ + TKS_StringToHex( ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + ( PRUint8 * ) hexKCV, + ( PRIntn ) hexKCVLen ); + + if( displayKCV != PR_FALSE ) { + /********************************************/ + /* The following code is ONLY relevant to: */ + /* */ + /* (1) resident, */ + /* (2) session, */ + /* (3) symmetric, and */ + /* (4) transport keys. */ + /* */ + /********************************************/ + + if( PL_strcmp( keyType, RESIDENT_KEY ) == 0 ) { + /* display this resident key's computed KCV value (in hex) */ + PR_fprintf( PR_STDOUT, + " %s key KCV: " + "%c%c%c%c %c%c%c%c\n\n\n", + keyName, + hexKCV[0], + hexKCV[1], + hexKCV[2], + hexKCV[3], + hexKCV[4], + hexKCV[5], + hexKCV[6], + hexKCV[7] ); + } else if( PL_strcmp( keyType, SESSION_KEY ) == 0 ) { + /* display this session key share's computed KCV value (in hex) */ + PR_fprintf( PR_STDOUT, + " %s session key share KCV: " + "%c%c%c%c %c%c%c%c\n\n\n", + keyName, + hexKCV[0], + hexKCV[1], + hexKCV[2], + hexKCV[3], + hexKCV[4], + hexKCV[5], + hexKCV[6], + hexKCV[7] ); + } else if( PL_strcmp( keyType, SYMMETRIC_KEY ) == 0 ) { + /* display this symmetric key's computed KCV value (in hex) */ + PR_fprintf( PR_STDOUT, + " %s key KCV: " + "%c%c%c%c %c%c%c%c\n\n\n", + keyName, + hexKCV[0], + hexKCV[1], + hexKCV[2], + hexKCV[3], + hexKCV[4], + hexKCV[5], + hexKCV[6], + hexKCV[7] ); + } else if( PL_strcmp( keyType, TRANSPORT_KEY ) == 0 ) { + /* display this transport key's computed KCV value (in hex) */ + PR_fprintf( PR_STDOUT, + " %s key KCV: " + "%c%c%c%c %c%c%c%c\n\n\n", + keyName, + hexKCV[0], + hexKCV[1], + hexKCV[2], + hexKCV[3], + hexKCV[4], + hexKCV[5], + hexKCV[6], + hexKCV[7] ); + } + } else { + /**********************************************/ + /* The following code is ONLY relevant to: */ + /* */ + /* (1) session keys, */ + /* (2) keys that have been unwrapped, and */ + /* (3) keys that will be wrapped. */ + /* */ + /**********************************************/ + + if( PL_strcmp( keyType, SESSION_KEY ) == 0 ) { + /* compare this session key share's computed KCV value (in hex) */ + /* with the expected KCV value (in hex) */ + if( PL_strcmp( ( const char * ) hexKCV, + ( const char * ) expectedHexKCV ) == 0 ) { + PR_fprintf( PR_STDOUT, + "Congratulations, the %s session key share KCV " + "value entered CORRESPONDS\nto the %s session key " + "share value entered!\n", + keyName, + keyName ); + + /* Wait for the user to type "proceed" to continue */ + TKS_TypeProceedToContinue(); + } else { + PR_fprintf( PR_STDOUT, + "Unfortunately, a MISMATCH exists between the %s " + "session key share entered\nand the %s session key " + "share KCV entered. Please try again . . .\n", + keyName, + keyName ); + + /* Wait for the user to type "proceed" to continue */ + TKS_TypeProceedToContinue(); + + status = SECFailure; + goto done; + } + } else if( PL_strcmp( keyType, UNWRAPPED_KEY ) == 0 ) { + PR_fprintf( PR_STDOUT, + " master key KCV: " + "%c%c%c%c %c%c%c%c\n (computed KCV of the " + "master key residing inside the wrapped data)\n\n\n", + hexKCV[0], + hexKCV[1], + hexKCV[2], + hexKCV[3], + hexKCV[4], + hexKCV[5], + hexKCV[6], + hexKCV[7] ); + + PR_fprintf( PR_STDOUT, + " master key KCV: " + "%c%c%c%c %c%c%c%c\n (pre-computed KCV of the " + "master key residing inside the wrapped data)\n\n\n", + expectedHexKCV[0], + expectedHexKCV[1], + expectedHexKCV[2], + expectedHexKCV[3], + expectedHexKCV[4], + expectedHexKCV[5], + expectedHexKCV[6], + expectedHexKCV[7] ); + + /* compare this wrapped key's computed KCV value (in hex) */ + /* with the expected KCV value (in hex) -- silently */ + if( PL_strcmp( ( const char * ) hexKCV, + ( const char * ) expectedHexKCV ) != 0 ) { + PR_fprintf( PR_STDOUT, + "Unfortunately, a MISMATCH exists between the " + "wrapped data read in\nfrom the input file " + "and the master key KCV that was recomputed.\n\n", + keyName, + keyName ); + status = SECFailure; + goto done; + } + } else if( PL_strcmp( keyType, WRAPPED_KEY ) == 0 ) { + /* store this master key's computed KCV value (in hex) */ + expectedHexKCV[0] = hexKCV[0]; + expectedHexKCV[1] = hexKCV[1]; + expectedHexKCV[2] = hexKCV[2]; + expectedHexKCV[3] = hexKCV[3]; + expectedHexKCV[4] = hexKCV[4]; + expectedHexKCV[5] = hexKCV[5]; + expectedHexKCV[6] = hexKCV[6]; + expectedHexKCV[7] = hexKCV[7]; + } + } + + status = SECSuccess; + +done: + if( keyItem.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + keyItem.data, + keyItem.len ); + keyItem.data = NULL; + keyItem.len = 0; + } + + if( hexKCV != NULL ) { + PORT_ZFree( ( PRUint8 * ) + hexKCV, + hexKCVLen ); + } + + if( context ) { + PK11_DestroyContext( + /* context */ context, + /* free it */ PR_TRUE ); + } + + if( slot ) { + PK11_FreeSlot( /* slot */ slot ); + } + + /* for all keys except keys that are resident/wrapped/unwrapped . . . */ + if( ( PL_strcmp( keyType, RESIDENT_KEY ) != 0 ) && + ( PL_strcmp( keyType, UNWRAPPED_KEY ) != 0 ) && + ( PL_strcmp( keyType, WRAPPED_KEY ) != 0 ) ) { + if( key ) { + PK11_FreeSymKey( /* symmetric key */ key ); + } + } + + return status; +} + + +SECStatus +TKS_GenerateSessionKeyShare( char *sessionKeyShareName, + SECItem *sessionKeyShare ) +{ + PRIntn count = 0; + PRIntn i = 0; + PRIntn KCVLen = KCV_LENGTH; + PRUint8 *KCV = NULL; + SECItem hexSessionKeyShare = { siBuffer, + NULL, + 0 }; + SECStatus rvKCV = SECFailure; + SECStatus sessionKeyShareStatus = SECFailure; + SECStatus status = SECFailure; + + /* Clear the screen */ + TKS_ClearScreen(); + + /* Generate a new session key share */ + PR_fprintf( PR_STDOUT, + "\nGenerating the %s session key share . . .\n\n\n", + sessionKeyShareName ); + + sessionKeyShareStatus = PK11_GenerateRandom( ( unsigned char * ) + /* data */ sessionKeyShare->data, + /* length */ sessionKeyShare->len ); + if( sessionKeyShareStatus != SECSuccess ) { + goto destroyHexSessionKeyShare; + } + + /* Create a clean new display buffer for this session key share */ + hexSessionKeyShare.type = ( SECItemType ) siBuffer; + hexSessionKeyShare.len = ( ( sessionKeyShare->len * 2 ) + 1 ); + hexSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( hexSessionKeyShare.len ); + if( hexSessionKeyShare.data == NULL ) { + goto destroyHexSessionKeyShare; + } + + /* Convert this session key share into hex digits */ + TKS_StringToHex( ( PRUint8 * ) sessionKeyShare->data, + ( PRIntn ) sessionKeyShare->len, + ( PRUint8 * ) hexSessionKeyShare.data, + ( PRIntn ) hexSessionKeyShare.len ); + + /* Adjust the first DES-sized (8-byte) chunk */ + TKS_AdjustOddParity( ( PRUint8 * ) sessionKeyShare->data ); + + /* Adjust the second DES-sized (8-byte) chunk */ + TKS_AdjustOddParity( ( PRUint8 * ) ( sessionKeyShare->data + DES_LENGTH ) ); + + /* Finally, display this session key share */ + /* (adjusted for odd parity in hex digits) */ + TKS_StringToHex( ( PRUint8 * ) sessionKeyShare->data, + ( PRIntn ) sessionKeyShare->len, + ( PRUint8 * ) hexSessionKeyShare.data, + ( PRIntn ) hexSessionKeyShare.len ); + + if( ( ( hexSessionKeyShare.len - 1 ) % 4 ) != 0 ) { + /* invalid key length */ + PR_fprintf( PR_STDERR, + "ERROR: Invalid session key share length " + "of %d bytes!\n\n\n", + hexSessionKeyShare.len ); + goto destroyHexSessionKeyShare; + } else { + /* Print appropriate key share name */ + PR_fprintf( PR_STDOUT, + " %s session key share: ", + sessionKeyShareName ); + + /* Print first DES_LENGTH bytes */ + count = ( ( hexSessionKeyShare.len - 1 ) / 2 ); + for( i = 0; i < count; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexSessionKeyShare.data[i], + hexSessionKeyShare.data[i + 1], + hexSessionKeyShare.data[i + 2], + hexSessionKeyShare.data[i + 3] ); + } + + /* Print appropriate key share padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + for( i = 0; i < PL_strlen( sessionKeyShareName ); i++ ) { + PR_fprintf( PR_STDOUT, " " ); + } + + /* Print second DES_LENGTH bytes */ + for( i = count; i < hexSessionKeyShare.len; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexSessionKeyShare.data[i], + hexSessionKeyShare.data[i + 1], + hexSessionKeyShare.data[i + 2], + hexSessionKeyShare.data[i + 3] ); + } + + /* Print appropriate vertical spacing */ + PR_fprintf( PR_STDOUT, "\n\n\n" ); + } + + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) sessionKeyShare->data, + ( PRIntn ) sessionKeyShare->len, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + NULL, + sessionKeyShareName, + SESSION_KEY, + PR_TRUE, + NULL ); + if( rvKCV != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to compute KCV of " + "this %s session key share!\n\n", + sessionKeyShareName ); + goto destroyHexSessionKeyShare; + } + + PR_fprintf( PR_STDOUT, + "(1) Write down and save the value " + "for this %s session key share.\n\n", + sessionKeyShareName ); + + PR_fprintf( PR_STDOUT, + "(2) Write down and save the KCV value " + "for this %s session key share.\n", + sessionKeyShareName ); + + /* Wait for the user to type "proceed" to continue */ + TKS_TypeProceedToContinue(); + + /* Clear the screen */ + TKS_ClearScreen(); + + /* Report success */ + status = SECSuccess; + +destroyHexSessionKeyShare: + /* Destroy the hex session key share */ + if( hexSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + hexSessionKeyShare.data, + hexSessionKeyShare.len ); + hexSessionKeyShare.data = NULL; + hexSessionKeyShare.len = 0; + } + + return status; +} + +SECStatus +TKS_InputSessionKeyShare( char *sessionKeyShareName, + SECItem *sessionKeyShare ) +{ + int rv = 0; + PRIntn KCVLen = KCV_LENGTH; + PRUint8 *KCV = NULL; + SECItem hexSessionKeyShare; + PRIntn hexKCVLen = ( 2 * KCVLen ) + 1; + PRUint8 *hexKCV = NULL; + SECStatus rvKCV = SECFailure; + SECStatus status = SECFailure; + + /* Clear the screen */ + TKS_ClearScreen(); + + /* Enter a new session key share */ + PR_fprintf( PR_STDOUT, + "\nEnter the %s session key share . . .\n\n\n", + sessionKeyShareName ); + + /* Create a clean new display buffer for this session key share */ + hexSessionKeyShare.type = ( SECItemType ) siBuffer; + hexSessionKeyShare.len = ( ( sessionKeyShare->len * 2 ) + 1 ); + hexSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( hexSessionKeyShare.len ); + if( hexSessionKeyShare.data == NULL ) { + goto destroyHexSessionKeyShare; + } + + rv = InputHexSessionKey( sessionKeyShareName, + &hexSessionKeyShare ); + if( rv ) { + PORT_SetError( PR_END_OF_FILE_ERROR ); + return SECFailure; + } + + /* Convert these hex digits into a session key share */ + TKS_ConvertStringOfHexCharactersIntoBitStream( ( char * ) hexSessionKeyShare.data, + ( hexSessionKeyShare.len - 1 ), + sessionKeyShare->data ); + + /* Create a clean new display buffer for this session key share KCV */ + hexKCV = ( PRUint8 * ) PORT_ZAlloc( hexKCVLen ); + if( hexKCV == NULL ) { + goto destroyHexSessionKeyShare; + } + + rv = InputHexKCV( sessionKeyShareName, + hexKCV ); + if( rv ) { + PORT_SetError( PR_END_OF_FILE_ERROR ); + return SECFailure; + } + + /* Enter the corresponding KCV */ + PR_fprintf( PR_STDOUT, + "Verifying that this session key share and KCV " + "correspond to each other . . .\n\n\n" ); + + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) sessionKeyShare->data, + ( PRIntn ) sessionKeyShare->len, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + NULL, + sessionKeyShareName, + SESSION_KEY, + PR_FALSE, + hexKCV ); + if( rvKCV != SECSuccess ) { + goto destroyHexSessionKeyShare; + } + + /* Clear the screen */ + TKS_ClearScreen(); + + /* Report success */ + status = SECSuccess; + +destroyHexSessionKeyShare: + /* Destroy the hex session key share */ + if( hexSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + hexSessionKeyShare.data, + hexSessionKeyShare.len ); + hexSessionKeyShare.data = NULL; + hexSessionKeyShare.len = 0; + } + + if( hexKCV != NULL ) { + PORT_ZFree( ( PRUint8 * ) + hexKCV, + hexKCVLen ); + } + + return status; +} + + +/**************************************/ +/** public symmetric key functions **/ +/**************************************/ + +PK11SymKey * +TKS_ImportSymmetricKey( char *symmetricKeyName, + PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + CK_ATTRIBUTE_TYPE operation, + SECItem *sessionKeyShare, + secuPWData *pwdata ) +{ + PK11Origin origin = PK11_OriginGenerated; + PK11SymKey *symKey = NULL; + + if( slot == NULL ) { + return NULL; + } + + PR_fprintf( PR_STDOUT, + "\n" ); + PR_fprintf( PR_STDOUT, + "Generating %s symmetric key . . .\n\n", + symmetricKeyName ); + + symKey = PK11_ImportSymKeyWithFlags( + /* slot */ slot, + /* mechanism type */ mechanism, + /* origin */ origin, + /* operation */ operation, + /* key */ sessionKeyShare, + /* flags */ 0, + /* isPerm */ PR_FALSE, + /* wincx */ pwdata ); + return symKey; +} + + +PK11SymKey * +TKS_DeriveSymmetricKey( char *symmetricKeyName, + PK11SymKey *symKey, + CK_MECHANISM_TYPE derive, + SECItem *sessionKeyShare, + CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, + int keysize ) +{ + PK11SymKey *newSymKey = NULL; + + if( symKey == NULL ) { + return NULL; + } + + if( keysize <= 0 ) { + return NULL; + } + + PR_fprintf( PR_STDOUT, + "Generating %s symmetric key . . .\n\n", + symmetricKeyName ); + + newSymKey = PK11_Derive( + /* base symmetric key */ symKey, + /* mechanism derive type */ derive, + /* param */ sessionKeyShare, + /* target */ target, + /* operation */ operation, + /* key size */ keysize ); + return newSymKey; +} + + +SECStatus +TKS_StoreSymmetricKeyAndNameIt( char *symmetricKeyName, + char *keyname, + PK11SlotInfo *slot, + CK_ATTRIBUTE_TYPE operation, + CK_FLAGS flags, + PK11SymKey *symKey ) +{ + PK11SymKey *newSymKey = NULL; + PRIntn KCVLen = KCV_LENGTH; + PRUint8 *KCV = NULL; + SECItem *symmetricKey = NULL; + SECStatus rvExtractSymmetricKey = SECFailure; + SECStatus rvKCV = SECFailure; + SECStatus rvSymmetricKeyname = SECFailure; + SECStatus status = SECFailure; +#if defined(DEBUG) + PRIntn firstCount = 0; + PRIntn secondCount = 0; + PRIntn thirdCount = 0; + PRIntn i = 0; + SECItem hexSymmetricKey; +#endif + + PR_fprintf( PR_STDOUT, + "Extracting %s key from operational token . . .\n\n", + symmetricKeyName ); + + rvExtractSymmetricKey = PK11_ExtractKeyValue( /* symmetric key */ symKey ); + if( rvExtractSymmetricKey != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to extract the %s key!\n\n", + symmetricKeyName ); + goto destroyHexSymmetricKey; + } + + /* If present, retrieve the raw key data */ + symmetricKey = PK11_GetKeyData( /* symmetric key */ symKey ); + +#if defined(DEBUG) + /* For convenience, display the final symmetric key and */ + /* its associated KCV to the user in DEBUG mode ONLY!!! */ + if( symmetricKey != NULL ) { + + /* Create a clean new display buffer for this symmetric key */ + hexSymmetricKey.type = ( SECItemType ) siBuffer; + hexSymmetricKey.len = ( ( symmetricKey->len * 2 ) + 1 ); + hexSymmetricKey.data = ( unsigned char * ) + PORT_ZAlloc( hexSymmetricKey.len ); + if( hexSymmetricKey.data == NULL ) { + goto destroyHexSymmetricKey; + } + + /* Convert this symmetric key into hex digits */ + TKS_StringToHex( ( PRUint8 * ) symmetricKey->data, + ( PRIntn ) symmetricKey->len, + ( PRUint8 * ) hexSymmetricKey.data, + ( PRIntn ) hexSymmetricKey.len ); + + /* Display this final symmetric key */ + if( ( ( hexSymmetricKey.len - 1 ) % 4 ) != 0 ) { + /* invalid key length */ + PR_fprintf( PR_STDERR, + "ERROR: Invalid symmetric key length " + "of %d bytes!\n\n\n", + hexSymmetricKey.len ); + goto destroyHexSymmetricKey; + } else { + /* Print appropriate key name */ + PR_fprintf( PR_STDOUT, + "\n %s key: ", + symmetricKeyName ); + + /* Print first DES_LENGTH bytes */ + if( symmetricKey->len == ( 3 * DES_LENGTH ) ) { + firstCount = ( ( hexSymmetricKey.len - 1 ) / 3 ); + } else { + firstCount = ( ( hexSymmetricKey.len - 1 ) / 2 ); + } + for( i = 0; i < firstCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexSymmetricKey.data[i], + hexSymmetricKey.data[i + 1], + hexSymmetricKey.data[i + 2], + hexSymmetricKey.data[i + 3] ); + } + + /* Print appropriate key padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + for( i = 0; i < PL_strlen( symmetricKeyName ); i++ ) { + PR_fprintf( PR_STDOUT, " " ); + } + + /* Print second DES_LENGTH bytes */ + secondCount = firstCount * 2; + for( i = firstCount; i < secondCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexSymmetricKey.data[i], + hexSymmetricKey.data[i + 1], + hexSymmetricKey.data[i + 2], + hexSymmetricKey.data[i + 3] ); + } + + /* print out last 8 bytes of triple-DES keys */ + if( symmetricKey->len == ( 3 * DES_LENGTH ) ) { + /* Print appropriate key padding length */ + PR_fprintf( PR_STDOUT, "\n " ); + for( i = 0; i < PL_strlen( symmetricKeyName ); i++ ) { + PR_fprintf( PR_STDOUT, " " ); + } + + /* Print third DES_LENGTH bytes */ + thirdCount = hexSymmetricKey.len; + for( i = secondCount; i < thirdCount; i += 4 ) { + PR_fprintf( PR_STDOUT, + "%c%c%c%c ", + hexSymmetricKey.data[i], + hexSymmetricKey.data[i + 1], + hexSymmetricKey.data[i + 2], + hexSymmetricKey.data[i + 3] ); + } + } + + /* Print appropriate vertical spacing */ + PR_fprintf( PR_STDOUT, "\n\n\n" ); + } + + /* Compute and display this final symmetric key's KCV */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) symmetricKey->data, + ( PRIntn ) symmetricKey->len, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + NULL, + symmetricKeyName, + SYMMETRIC_KEY, + PR_TRUE, + NULL ); + if( rvKCV != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to compute KCV of this %s key!\n\n", + symmetricKeyName ); + goto destroyHexSymmetricKey; + } + } +#else + /* Display the final symmetric key's associated KCV to the user . . . */ + if( symmetricKey != NULL ) { + /* . . . if and only if this is the transport key!!! */ + if( PL_strcmp( symmetricKeyName, TRANSPORT_KEY ) == 0 ) { + /* Compute and display this transport key's KCV */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) symmetricKey->data, + ( PRIntn ) symmetricKey->len, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + NULL, + symmetricKeyName, + TRANSPORT_KEY, + PR_TRUE, + NULL ); + if( rvKCV != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to compute KCV of this %s key!\n\n", + symmetricKeyName ); + goto destroyHexSymmetricKey; + } + } + } +#endif + + PR_fprintf( PR_STDOUT, + "Storing %s key on final specified token . . .\n\n", + symmetricKeyName ); + + newSymKey = PK11_MoveSymKey( + /* slot */ slot, + /* operation */ operation, + /* flags */ flags, + /* permanence */ PR_TRUE, + /* symmetric key */ symKey ); + if( newSymKey == NULL ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to store the %s key: %d!\n\n", + symmetricKeyName, + PR_GetError() ); + goto destroyHexSymmetricKey; + } + + + PR_fprintf( PR_STDOUT, + "Naming %s key \"%s\" . . .\n\n", + symmetricKeyName, + keyname ); + + rvSymmetricKeyname = PK11_SetSymKeyNickname( + /* symmetric key */ newSymKey, + /* nickname */ keyname ); + if( rvSymmetricKeyname != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to name the %s key!\n\n", + symmetricKeyName ); + goto destroyHexSymmetricKey; + } + + status = SECSuccess; + + +destroyHexSymmetricKey: + +#if defined(DEBUG) + /* Destroy the hex symmetric key */ + if( hexSymmetricKey.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + hexSymmetricKey.data, + hexSymmetricKey.len ); + hexSymmetricKey.data = NULL; + hexSymmetricKey.len = 0; + } +#endif + + return status; +} + diff --git a/base/native-tools/src/tkstool/list.c b/base/native-tools/src/tkstool/list.c new file mode 100644 index 000000000..44173fa36 --- /dev/null +++ b/base/native-tools/src/tkstool/list.c @@ -0,0 +1,181 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +/* callback for listing keys through pkcs11 */ +static SECStatus +PrintSymKey( struct PRFileDesc *out, + int count, + char *keyname, + PK11SymKey *key ) +{ + char *name = NULL; + SECStatus rv = SECFailure; + + name = PK11_GetSymKeyNickname( /* symmetric key */ key ); + if( name == NULL ) { + name = PORT_Strdup( "\t< orphaned >" ); + } + + if( keyname != NULL ) { + /* ONLY print this name if it is the requested key */ + if( PL_strcmp( keyname, name ) == 0 ) { + PR_fprintf( out, + "\t<%d> %s\n", + count, + name ); + + rv = SECSuccess; + } + } else { + PR_fprintf( out, + "\t<%d> %s\n", + count, + name ); + + rv = SECSuccess; + } + + PORT_Free( name ); + + return rv; +} + + +static SECStatus +listKeys( char *progName, + PK11SlotInfo *slot, + char *keyname, + void *pwdata ) +{ + int count = 0; + int keys_found = 0; + PK11SymKey *symKey = NULL; + PK11SymKey *nextSymKey = NULL; + SECStatus rvPrint = SECFailure; + + if( PK11_NeedLogin( /* slot */ slot ) ) { + PK11_Authenticate( + /* slot */ slot, + /* load certs */ PR_TRUE, + /* wincx */ pwdata ); + } + + /* Initialize the symmetric key list. */ + symKey = PK11_ListFixedKeysInSlot( + /* slot */ slot, + /* nickname */ NULL, + /* wincx */ ( void *) pwdata ); + + /* Iterate through the symmetric key list. */ + while( symKey != NULL ) { + rvPrint = PrintSymKey( PR_STDOUT, + count, + keyname, + symKey ); + if( rvPrint != SECFailure ) { + keys_found++; + } + + nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); + PK11_FreeSymKey( /* symmetric key */ symKey ); + symKey = nextSymKey; + + count++; + } + + /* case 1: the token is empty */ + if( count == 0 ) { + PR_fprintf( PR_STDOUT, + "\t%s: the specified token is empty\n", + progName ); + + return SECFailure; + } + + /* case 2: the specified key is not on this token */ + if( ( keyname != NULL ) && + ( keys_found == 0 ) ) { + PR_fprintf( PR_STDOUT, + "\t%s: the key called \"%s\" could not be found\n", + progName, + keyname ); + + return SECFailure; + } + + return SECSuccess; +} + + +SECStatus +TKS_ListKeys( char *progName, + PK11SlotInfo *slot, + char *keyname, + int index, + PRBool dopriv, + secuPWData *pwdata ) +{ + SECStatus rv = SECSuccess; + + if( slot == NULL ) { + PK11SlotList *list; + PK11SlotListElement *le; + + list = PK11_GetAllTokens( + /* mechanism type */ CKM_INVALID_MECHANISM, + /* need R/W */ PR_FALSE, + /* load certs */ PR_FALSE, + /* wincx */ pwdata ); + + if( list ) { + for( le = list->head ; le ; le = le->next ) { + PR_fprintf( PR_STDOUT, + "\n slot: %s\n", + PK11_GetSlotName( /* slot */ le->slot ) ); + + PR_fprintf( PR_STDOUT, + "token: %s\n\n", + PK11_GetTokenName( /* slot */ le->slot ) ); + + rv = listKeys( progName, + le->slot, + keyname, + pwdata ); + } + } + } else { + PR_fprintf( PR_STDOUT, + "\n slot: %s\n", + PK11_GetSlotName( /* slot */ slot ) ); + + PR_fprintf( PR_STDOUT, + "token: %s\n\n", + PK11_GetTokenName( /* slot */ slot ) ); + + rv = listKeys( progName, + slot, + keyname, + pwdata ); + } + + return rv; +} + diff --git a/base/native-tools/src/tkstool/modules.c b/base/native-tools/src/tkstool/modules.c new file mode 100644 index 000000000..0c4297251 --- /dev/null +++ b/base/native-tools/src/tkstool/modules.c @@ -0,0 +1,63 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +/* + * L i s t S e c M o d u l e s + * + * Print a list of the PKCS11 security modules that are + * available. This is useful for smartcard people to + * make sure they have the drivers loaded. + * + */ +SECStatus +TKS_ListSecModules( void ) +{ + PK11SlotList *list; + PK11SlotListElement *le; + + /* get them all! */ + list = PK11_GetAllTokens( + /* mechanism type */ CKM_INVALID_MECHANISM, + /* need R/W */ PR_FALSE, + /* load certs */ PR_FALSE, + /* wincx */ NULL ); + + if( list == NULL ) { + return SECFailure; + } + + /* look at each slot */ + for( le = list->head ; le ; le = le->next ) { + PR_fprintf ( PR_STDOUT, + "\n" ); + PR_fprintf ( PR_STDOUT, + " slot: %s\n", + PK11_GetSlotName( /* slot */ le->slot ) ); + PR_fprintf ( PR_STDOUT, + " token: %s\n", + PK11_GetTokenName( /* slot */ le->slot ) ); + } + + PK11_FreeSlotList( /* slot list */ list ); + + return SECSuccess; +} + diff --git a/base/native-tools/src/tkstool/pppolicy.c b/base/native-tools/src/tkstool/pppolicy.c new file mode 100644 index 000000000..8b198ca52 --- /dev/null +++ b/base/native-tools/src/tkstool/pppolicy.c @@ -0,0 +1,306 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 2004 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/pppolicy.c + */ + +/* + * Support for various policy related extensions + * + * $Id$ + */ + +#include "seccomon.h" +#include "secport.h" +#include "secder.h" +#include "cert.h" +#include "secoid.h" +#include "secasn1.h" +#include "secerr.h" +#include "nspr.h" +#include "secutil.h" + +/* This implementation is derived from the one in nss/lib/certdb/policyxtn.c . +** The chief difference is the addition of the OPTIONAL flag to many +** parts. The idea is to be able to parse and print as much of the +** policy extension as possible, even if some parts are invalid. +** +** If this approach still is unable to decode policy extensions that +** contain invalid parts, then the next approach will be to parse +** the PolicyInfos as a SEQUENCE of ANYs, and then parse each of them +** as PolicyInfos, with the PolicyQualifiers being ANYs, and finally +** parse each of the PolicyQualifiers. +*/ + +static const SEC_ASN1Template secu_PolicyQualifierTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTPolicyQualifier) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CERTPolicyQualifier, qualifierID) }, + { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL, + offsetof(CERTPolicyQualifier, qualifierValue) }, + { 0 } +}; + +static const SEC_ASN1Template secu_PolicyInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTPolicyInfo) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CERTPolicyInfo, policyID) }, + { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL, + offsetof(CERTPolicyInfo, policyQualifiers), + secu_PolicyQualifierTemplate }, + { 0 } +}; + +static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = { + { SEC_ASN1_SEQUENCE_OF, + offsetof(CERTCertificatePolicies, policyInfos), + secu_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) } +}; + + +static CERTCertificatePolicies * +secu_DecodeCertificatePoliciesExtension(SECItem *extnValue) +{ + PRArenaPool *arena = NULL; + SECStatus rv; + CERTCertificatePolicies *policies; + CERTPolicyInfo **policyInfos, *policyInfo; + CERTPolicyQualifier **policyQualifiers, *policyQualifier; + SECItem newExtnValue; + + /* make a new arena */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if ( !arena ) { + goto loser; + } + + /* allocate the certifiate policies structure */ + policies = PORT_ArenaZNew(arena, CERTCertificatePolicies); + if ( policies == NULL ) { + goto loser; + } + + policies->arena = arena; + + /* copy the DER into the arena, since Quick DER returns data that points + into the DER input, which may get freed by the caller */ + rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue); + if ( rv != SECSuccess ) { + goto loser; + } + + /* decode the policy info */ + rv = SEC_QuickDERDecodeItem(arena, policies, + secu_CertificatePoliciesTemplate, + &newExtnValue); + + if ( rv != SECSuccess ) { + goto loser; + } + + /* initialize the oid tags */ + policyInfos = policies->policyInfos; + while (policyInfos != NULL && *policyInfos != NULL ) { + policyInfo = *policyInfos; + policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID); + policyQualifiers = policyInfo->policyQualifiers; + while ( policyQualifiers && *policyQualifiers != NULL ) { + policyQualifier = *policyQualifiers; + policyQualifier->oid = + SECOID_FindOIDTag(&policyQualifier->qualifierID); + policyQualifiers++; + } + policyInfos++; + } + + return(policies); + +loser: + if ( arena != NULL ) { + PORT_FreeArena(arena, PR_FALSE); + } + + return(NULL); +} + + +static char * +itemToString(SECItem *item) +{ + char *string; + + string = PORT_ZAlloc(item->len+1); + if (string == NULL) return NULL; + PORT_Memcpy(string,item->data,item->len); + string[item->len] = 0; + return string; +} + +static SECStatus +secu_PrintUserNoticeQualifier(FILE *out, SECItem * qualifierValue, + char *msg, int level) +{ + CERTUserNotice *userNotice = NULL; + if (qualifierValue) + userNotice = CERT_DecodeUserNotice(qualifierValue); + if (userNotice) { + if (userNotice->noticeReference.organization.len != 0) { + char *string = + itemToString(&userNotice->noticeReference.organization); + SECItem **itemList = userNotice->noticeReference.noticeNumbers; + + while (itemList && *itemList) { + SECU_PrintInteger(out,*itemList,string,level+1); + itemList++; + } + PORT_Free(string); + } + if (userNotice->displayText.len != 0) { + SECU_PrintString(out,&userNotice->displayText, + "Display Text", level+1); + } + CERT_DestroyUserNotice(userNotice); + return SECSuccess; + } + return SECFailure; /* caller will print this value */ +} + +static SECStatus +secu_PrintPolicyQualifier(FILE *out,CERTPolicyQualifier *policyQualifier, + char *msg,int level) +{ + SECStatus rv; + SECItem * qualifierValue = &policyQualifier->qualifierValue; + + SECU_PrintObjectID(out, &policyQualifier->qualifierID , + "Policy Qualifier Name", level); + if (!qualifierValue->data) { + SECU_Indent(out, level); + fprintf(out,"Error: missing qualifier\n"); + } else + switch (policyQualifier->oid) { + case SEC_OID_PKIX_USER_NOTICE_QUALIFIER: + rv = secu_PrintUserNoticeQualifier(out, qualifierValue, msg, level); + if (SECSuccess == rv) + break; + /* fall through on error */ + case SEC_OID_PKIX_CPS_POINTER_QUALIFIER: + default: + SECU_PrintAny(out, qualifierValue, "Policy Qualifier Data", level); + break; + } + return SECSuccess; +} + +static SECStatus +secu_PrintPolicyInfo(FILE *out,CERTPolicyInfo *policyInfo,char *msg,int level) +{ + CERTPolicyQualifier **policyQualifiers; + + policyQualifiers = policyInfo->policyQualifiers; + SECU_PrintObjectID(out, &policyInfo->policyID , "Policy Name", level); + + while (policyQualifiers && *policyQualifiers != NULL) { + secu_PrintPolicyQualifier(out,*policyQualifiers,"",level+1); + policyQualifiers++; + } + return SECSuccess; +} + +void +SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level) +{ + CERTCertificatePolicies *policies = NULL; + CERTPolicyInfo **policyInfos; + + if (msg) { + SECU_Indent(out, level); + fprintf(out,"%s: \n",msg); + level++; + } + policies = secu_DecodeCertificatePoliciesExtension(value); + if (policies == NULL) { + SECU_PrintAny(out, value, "Invalid Policy Data", level); + return; + } + + policyInfos = policies->policyInfos; + while (policyInfos && *policyInfos != NULL) { + secu_PrintPolicyInfo(out,*policyInfos,"",level); + policyInfos++; + } + + CERT_DestroyCertificatePoliciesExtension(policies); +} + + +void +SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + char *msg, int level) +{ + CERTPrivKeyUsagePeriod * prd; + PLArenaPool * arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if ( !arena ) { + goto loser; + } + prd = CERT_DecodePrivKeyUsagePeriodExtension(arena, value); + if (!prd) { + goto loser; + } + if (prd->notBefore.data) { + SECU_PrintGeneralizedTime(out, &prd->notBefore, "Not Before", level); + } + if (prd->notAfter.data) { + SECU_PrintGeneralizedTime(out, &prd->notAfter, "Not After ", level); + } + if (!prd->notBefore.data && !prd->notAfter.data) { + SECU_Indent(out, level); + fprintf(out, "Error: notBefore or notAfter MUST be present.\n"); +loser: + SECU_PrintAny(out, value, msg, level); + } + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } +} diff --git a/base/native-tools/src/tkstool/random.c b/base/native-tools/src/tkstool/random.c new file mode 100644 index 000000000..49dfb525e --- /dev/null +++ b/base/native-tools/src/tkstool/random.c @@ -0,0 +1,173 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +/* returns 0 for success, -1 for failure (EOF encountered) */ +static int +UpdateRNG( void ) +{ + char *randbuf; + int fd; + int i; + int count; + int c; + int rv = 0; +#ifdef XP_UNIX + cc_t orig_cc_min; + cc_t orig_cc_time; + tcflag_t orig_lflag; + struct termios tio; +#endif + +#define FPS PR_fprintf( PR_STDOUT, + FPS "\n"); + FPS "A random seed must be generated that will be used in the\n"); + FPS "creation of your key. One of the easiest ways to create a\n"); + FPS "random seed is to use the timing of keystrokes on a keyboard.\n"); + FPS "\n"); + FPS "To begin, type keys on the keyboard until this progress meter\n"); + FPS "is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!\n"); + FPS "\n"); + FPS "\n"); + FPS "Continue typing until the progress meter is full:\n\n"); + FPS "| |\r|"); + + /* turn off echo on stdin & return on 1 char instead of NL */ + fd = fileno( stdin ); + +#if defined( XP_UNIX ) && !defined( VMS ) + tcgetattr( fd, &tio ); + orig_lflag = tio.c_lflag; + orig_cc_min = tio.c_cc[VMIN]; + orig_cc_time = tio.c_cc[VTIME]; + tio.c_lflag &= ~ECHO; + tio.c_lflag &= ~ICANON; + tio.c_cc[VMIN] = 1; + tio.c_cc[VTIME] = 0; + tcsetattr( fd, TCSAFLUSH, &tio ); +#endif + + /* Get random noise from keyboard strokes */ + randbuf = ( char * ) PORT_Alloc( RAND_BUF_LENGTH ); + count = 0; + while( randbuf != NULL && count < NUM_KEYSTROKES+1 ) { +#ifdef VMS + c = GENERIC_GETCHAR_NOECHO(); +#elif XP_UNIX + c = getc( stdin ); +#else + c = getch(); +#endif + if( c == EOF ) { + rv = -1; + break; + } + + PK11_RandomUpdate( + /* data */ randbuf, + /* length in bytes */ RAND_BUF_LENGTH ); + + if( c != randbuf[0] ) { + randbuf[0] = c; + + FPS "\r|"); + + for( i = 0 ; + i < count / ( NUM_KEYSTROKES / RAND_BUF_LENGTH ) ; + i++ ) { + FPS "*"); + } + + if( count % ( NUM_KEYSTROKES / RAND_BUF_LENGTH ) == 1 ) { + FPS "/"); + } + + count++; + } + } + + if (randbuf != NULL) free (randbuf); + + FPS "\n\n"); + FPS "Finished.\n"); + + TKS_TypeProceedToContinue(); + + FPS "\n"); + +#undef FPS + +#if defined( XP_UNIX ) && !defined( VMS ) + /* set back termio the way it was */ + tio.c_lflag = orig_lflag; + tio.c_cc[VMIN] = orig_cc_min; + tio.c_cc[VTIME] = orig_cc_time; + tcsetattr( fd, TCSAFLUSH, &tio ); +#endif + + return rv; +} + + +void +TKS_FileForRNG( char *noise ) +{ + char buf[2048]; + PRFileDesc *fd; + PRInt32 count; + + fd = PR_OpenFile( noise, PR_RDONLY, 0666 ); + if( !fd ) { + return; + } + + do { + count = PR_Read( fd, buf, sizeof( buf ) ); + if (count > 0) { + PK11_RandomUpdate( + /* data */ buf, + /* length in bytes */ count ); + } + } while( count > 0 ); + + PR_Close( fd ); +} + + +SECStatus +TKS_SeedRNG( char *noise ) +{ + /* Clear the screen */ + TKS_ClearScreen(); + + /* Seed the RNG */ + if( noise ) { + TKS_FileForRNG( noise ); + } else { + int rv = UpdateRNG(); + if( rv ) { + PORT_SetError( PR_END_OF_FILE_ERROR ); + return SECFailure; + } + } + + return SECSuccess; +} + diff --git a/base/native-tools/src/tkstool/retrieve.c b/base/native-tools/src/tkstool/retrieve.c new file mode 100644 index 000000000..44cf3c069 --- /dev/null +++ b/base/native-tools/src/tkstool/retrieve.c @@ -0,0 +1,114 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +PK11SymKey * +TKS_RetrieveSymKey( PK11SlotInfo *slot, + char *keyname, + void *pwdata ) +{ + char *name = NULL; + int count = 0; + int keys_found = 0; + PK11SymKey *symKey = NULL; + PK11SymKey *nextSymKey = NULL; + PK11SymKey *rvSymKey = NULL; + + if( PK11_NeedLogin( /* slot */ slot ) ) { + PK11_Authenticate( + /* slot */ slot, + /* load certs */ PR_TRUE, + /* wincx */ pwdata ); + } + + /* Initialize the symmetric key list. */ + symKey = PK11_ListFixedKeysInSlot( + /* slot */ slot, + /* nickname */ NULL, + /* wincx */ ( void *) pwdata ); + + /* Iterate through the symmetric key list. */ + while( symKey != NULL ) { + name = PK11_GetSymKeyNickname( /* symmetric key */ symKey ); + if( name != NULL ) { + if( keyname != NULL ) { + if( PL_strcmp( keyname, name ) == 0 ) { + keys_found++; + } + } + } + + nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); + PK11_FreeSymKey( /* symmetric key */ symKey ); + symKey = nextSymKey; + + count++; + } + + /* case 1: the token is empty */ + if( count == 0 ) { + /* the specified token is empty */ + rvSymKey = NULL; + goto retrievedSymKey; + } + + /* case 2: the specified key is not on this token */ + if( ( keyname != NULL ) && + ( keys_found == 0 ) ) { + /* the key called "keyname" could not be found */ + rvSymKey = NULL; + goto retrievedSymKey; + } + + /* case 3: the specified key exists more than once on this token */ + if( keys_found != 1 ) { + /* more than one key called "keyname" was found on this token */ + rvSymKey = NULL; + goto retrievedSymKey; + } else { + /* Re-initialize the symmetric key list. */ + symKey = PK11_ListFixedKeysInSlot( + /* slot */ slot, + /* nickname */ NULL, + /* wincx */ ( void *) pwdata ); + + /* Reiterate through the symmetric key list once more, */ + /* this time returning an actual reference to the key. */ + while( symKey != NULL ) { + name = PK11_GetSymKeyNickname( /* symmetric key */ symKey ); + if( name != NULL ) { + if( keyname != NULL ) { + if( PL_strcmp( keyname, name ) == 0 ) { + rvSymKey = symKey; + goto retrievedSymKey; + } + } + } + + nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); + PK11_FreeSymKey( /* symmetric key */ symKey ); + symKey = nextSymKey; + } + } + +retrievedSymKey: + return rvSymKey; +} + diff --git a/base/native-tools/src/tkstool/secerror.c b/base/native-tools/src/tkstool/secerror.c new file mode 100644 index 000000000..6b0f40d70 --- /dev/null +++ b/base/native-tools/src/tkstool/secerror.c @@ -0,0 +1,118 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secerror.c + */ + +#include "nspr.h" + +struct tuple_str { + PRErrorCode errNum; + const char * errString; +}; + +typedef struct tuple_str tuple_str; + +#define ER2(a,b) {a, b}, +#define ER3(a,b,c) {a, c}, + +#include "secerr.h" +#include "sslerr.h" + +const tuple_str errStrings[] = { + +/* keep this list in asceding order of error numbers */ +#include "SSLerrs.h" +#include "SECerrs.h" +#include "NSPRerrs.h" + +}; + +const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str); + +/* Returns a UTF-8 encoded constant error string for "errNum". + * Returns NULL of errNum is unknown. + */ +const char * +SECU_Strerror(PRErrorCode errNum) { + PRInt32 low = 0; + PRInt32 high = numStrings - 1; + PRInt32 i; + PRErrorCode num; + static int initDone; + + /* make sure table is in ascending order. + * binary search depends on it. + */ + if (!initDone) { + PRErrorCode lastNum = ((PRInt32)0x80000000); + for (i = low; i <= high; ++i) { + num = errStrings[i].errNum; + if (num <= lastNum) { + fprintf(stderr, +"sequence error in error strings at item %d\n" +"error %d (%s)\n" +"should come after \n" +"error %d (%s)\n", + i, lastNum, errStrings[i-1].errString, + num, errStrings[i].errString); + } + lastNum = num; + } + initDone = 1; + } + + /* Do binary search of table. */ + while (low + 1 < high) { + i = (low + high) / 2; + num = errStrings[i].errNum; + if (errNum == num) + return errStrings[i].errString; + if (errNum < num) + high = i; + else + low = i; + } + if (errNum == errStrings[low].errNum) + return errStrings[low].errString; + if (errNum == errStrings[high].errNum) + return errStrings[high].errString; + return NULL; +} diff --git a/base/native-tools/src/tkstool/secpwd.c b/base/native-tools/src/tkstool/secpwd.c new file mode 100644 index 000000000..542885858 --- /dev/null +++ b/base/native-tools/src/tkstool/secpwd.c @@ -0,0 +1,213 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secpwd.c + */ + +#include "secutil.h" + +/* + * NOTE: The contents of this file are NOT used by the client. + * (They are part of the security library as a whole, but they are + * NOT USED BY THE CLIENT.) Do not change things on behalf of the + * client (like localizing strings), or add things that are only + * for the client (put them elsewhere). + */ + + +#ifdef XP_UNIX +#include <termios.h> +#endif + +#if defined(XP_UNIX) || defined(XP_BEOS) +#include <unistd.h> /* for isatty() */ +#endif + +#if( defined(_WINDOWS) && !defined(_WIN32_WCE)) || defined(XP_OS2_VACPP) +#include <conio.h> +#include <io.h> +#define QUIET_FGETS quiet_fgets +static char * quiet_fgets (char *buf, int length, FILE *input); +#else +#define QUIET_FGETS fgets +#endif + +static void echoOff(int fd) +{ +#if defined(XP_UNIX) && !defined(VMS) + if (isatty(fd)) { + struct termios tio; + tcgetattr(fd, &tio); + tio.c_lflag &= ~ECHO; + tcsetattr(fd, TCSAFLUSH, &tio); + } +#endif +} + +static void echoOn(int fd) +{ +#if defined(XP_UNIX) && !defined(VMS) + if (isatty(fd)) { + struct termios tio; + tcgetattr(fd, &tio); + tio.c_lflag |= ECHO; + tcsetattr(fd, TCSAFLUSH, &tio); + } +#endif +} + +char *SEC_GetPassword(FILE *input, FILE *output, char *prompt, + PRBool (*ok)(char *)) +{ +#if defined(_WINDOWS) + int isTTY = (input == stdin); +#define echoOn(x) +#define echoOff(x) +#else + int infd = fileno(input); + int isTTY = isatty(infd); +#endif + char phrase[200] = {'\0'}; /* ensure EOF doesn't return junk */ + + for (;;) { + /* Prompt for password */ + if (isTTY) { + fprintf(output, "%s", prompt); + fflush (output); + echoOff(infd); + } + + QUIET_FGETS ( phrase, sizeof(phrase), input); + + if (isTTY) { + fprintf(output, "\n"); + echoOn(infd); + } + + /* stomp on newline */ + phrase[PORT_Strlen(phrase)-1] = 0; + + /* Validate password */ + if (!(*ok)(phrase)) { + /* Not weird enough */ + if (!isTTY) return 0; + fprintf(output, "Password must be at least 8 characters long with one or more\n"); + fprintf(output, "non-alphabetic characters\n"); + continue; + } + return (char*) PORT_Strdup(phrase); + } +} + + + +PRBool SEC_CheckPassword(char *cp) +{ + int len; + char *end; + + len = PORT_Strlen(cp); + if (len < 8) { + return PR_FALSE; + } + end = cp + len; + while (cp < end) { + unsigned char ch = *cp++; + if (!((ch >= 'A') && (ch <= 'Z')) && + !((ch >= 'a') && (ch <= 'z'))) { + /* pass phrase has at least one non alphabetic in it */ + return PR_TRUE; + } + } + return PR_FALSE; +} + +PRBool SEC_BlindCheckPassword(char *cp) +{ + if (cp != NULL) { + return PR_TRUE; + } + return PR_FALSE; +} + +/* Get a password from the input terminal, without echoing */ + +#if defined(_WINDOWS) || defined(XP_OS2_VACPP) +static char * quiet_fgets (char *buf, int length, FILE *input) + { + int c; + char *end = buf; + + /* fflush (input); */ + memset (buf, 0, length); + +#ifndef XP_OS2_VACPP + if (input != stdin) { + return fgets(buf,length,input); + } +#else + if (!isatty(fileno(input))) { + return fgets(buf,length,input); + } +#endif + + while (1) + { +#if defined (_WIN32_WCE) + c = getchar(); /* gets a character from stdin */ +#else + c = getch(); /* getch gets a character from the console */ +#endif + if (c == '\b') + { + if (end > buf) + end--; + } + + else if (--length > 0) + *end++ = c; + + if (!c || c == '\n' || c == '\r') + break; + } + + return buf; + } +#endif diff --git a/base/native-tools/src/tkstool/secutil.c b/base/native-tools/src/tkstool/secutil.c new file mode 100644 index 000000000..9ece007fa --- /dev/null +++ b/base/native-tools/src/tkstool/secutil.c @@ -0,0 +1,3662 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.c + */ + +/* +** secutil.c - various functions used by security stuff +** +*/ + +#include "prtypes.h" +#include "prtime.h" +#include "prlong.h" +#include "prerror.h" +#include "prprf.h" +#include "plgetopt.h" +#include "prenv.h" +#include "prnetdb.h" + +#include "cryptohi.h" +#include "secutil.h" +#include "secpkcs7.h" +#include <stdarg.h> +#if !defined(_WIN32_WCE) +#include <sys/stat.h> +#include <errno.h> +#endif + +#ifdef XP_UNIX +#include <unistd.h> +#endif + +/* for SEC_TraverseNames */ +#include "cert.h" +#include "certt.h" +#include "certdb.h" + +/* #include "secmod.h" */ +#include "pk11func.h" +#include "secoid.h" + +static char consoleName[] = { +#ifdef XP_UNIX +#ifdef VMS + "TT" +#else + "/dev/tty" +#endif +#else +#ifdef XP_OS2 + "\\DEV\\CON" +#else + "CON:" +#endif +#endif +}; + + +char * +SECU_GetString(int16 error_number) +{ + + static char errString[80]; + sprintf(errString, "Unknown error string (%d)", error_number); + return errString; +} + +void +SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...) +{ + va_list args; + PRErrorCode err = PORT_GetError(); + const char * errString = SECU_Strerror(err); + + va_start(args, msg); + + SECU_Indent(out, level); + fprintf(out, "%s: ", progName); + vfprintf(out, msg, args); + if (errString != NULL && PORT_Strlen(errString) > 0) + fprintf(out, ": %s\n", errString); + else + fprintf(out, ": error %d\n", (int)err); + + va_end(args); +} + +void +SECU_PrintError(char *progName, char *msg, ...) +{ + va_list args; + PRErrorCode err = PORT_GetError(); + const char * errString = SECU_Strerror(err); + + va_start(args, msg); + + fprintf(stderr, "%s: ", progName); + vfprintf(stderr, msg, args); + if (errString != NULL && PORT_Strlen(errString) > 0) + fprintf(stderr, ": %s\n", errString); + else + fprintf(stderr, ": error %d\n", (int)err); + + va_end(args); +} + +void +SECU_PrintSystemError(char *progName, char *msg, ...) +{ + va_list args; + + va_start(args, msg); + fprintf(stderr, "%s: ", progName); + vfprintf(stderr, msg, args); +#if defined(_WIN32_WCE) + fprintf(stderr, ": %d\n", PR_GetOSError()); +#else + fprintf(stderr, ": %s\n", strerror(errno)); +#endif + va_end(args); +} + +static void +secu_ClearPassword(char *p) +{ + if (p) { + PORT_Memset(p, 0, PORT_Strlen(p)); + PORT_Free(p); + } +} + +char * +SECU_GetPasswordString(void *arg, char *prompt) +{ +#ifndef _WINDOWS + char *p = NULL; + FILE *input, *output; + + /* open terminal */ + input = fopen(consoleName, "r"); + if (input == NULL) { + fprintf(stderr, "Error opening input terminal for read\n"); + return NULL; + } + + output = fopen(consoleName, "w"); + if (output == NULL) { + fprintf(stderr, "Error opening output terminal for write\n"); + fclose(input); + return NULL; + } + + p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword); + + + fclose(input); + fclose(output); + + return p; + +#else + /* Win32 version of above. opening the console may fail + on windows95, and certainly isn't necessary.. */ + + char *p = NULL; + + p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword); + return p; + +#endif +} + + +/* + * p a s s w o r d _ h a r d c o d e + * + * A function to use the password passed in the -f(pwfile) argument + * of the command line. + * After use once, null it out otherwise PKCS11 calls us forever.? + * + */ +char * +SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + unsigned char phrase[200]; + PRFileDesc *fd; + PRInt32 nb; + char *pwFile = arg; + int i; + + if (!pwFile) + return 0; + + if (retry) { + return 0; /* no good retrying - the files contents will be the same */ + } + + fd = PR_Open(pwFile, PR_RDONLY, 0); + if (!fd) { + fprintf(stderr, "No password file \"%s\" exists.\n", pwFile); + return NULL; + } + + nb = PR_Read(fd, phrase, sizeof(phrase)); + + PR_Close(fd); + /* handle the Windows EOL case */ + i = 0; + while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++; + phrase[i] = '\0'; + if (nb == 0) { + fprintf(stderr,"password file contains no data\n"); + return NULL; + } + return (char*) PORT_Strdup((char*)phrase); +} + +char * +SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char prompt[255]; + secuPWData *pwdata = (secuPWData *)arg; + secuPWData pwnull = { PW_NONE, 0 }; + secuPWData pwxtrn = { PW_EXTERNAL, "external" }; + char *pw; + + if (pwdata == NULL) + pwdata = &pwnull; + + if (PK11_ProtectedAuthenticationPath(slot)) { + pwdata = &pwxtrn; + } + if (retry && pwdata->source != PW_NONE) { + PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n"); + return NULL; + } + + switch (pwdata->source) { + case PW_NONE: + sprintf(prompt, "Enter Password or Pin for \"%s\":", + PK11_GetTokenName(slot)); + return SECU_GetPasswordString(NULL, prompt); + case PW_FROMFILE: + /* Instead of opening and closing the file every time, get the pw + * once, then keep it in memory (duh). + */ + pw = SECU_FilePasswd(slot, retry, pwdata->data); + pwdata->source = PW_PLAINTEXT; + pwdata->data = PL_strdup(pw); + /* it's already been dup'ed */ + return pw; + case PW_EXTERNAL: + sprintf(prompt, + "Press Enter, then enter PIN for \"%s\" on external device.\n", + PK11_GetTokenName(slot)); + (void) SECU_GetPasswordString(NULL, prompt); + /* Fall Through */ + case PW_PLAINTEXT: + return PL_strdup(pwdata->data); + default: + break; + } + + PR_fprintf(PR_STDERR, "Password check failed: No password found.\n"); + return NULL; +} + +char * +secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char *p0 = NULL; + char *p1 = NULL; + FILE *input, *output; + secuPWData *pwdata = arg; + + if (pwdata->source == PW_FROMFILE) { + return SECU_FilePasswd(slot, retry, pwdata->data); + } + if (pwdata->source == PW_PLAINTEXT) { + return PL_strdup(pwdata->data); + } + + /* PW_NONE - get it from tty */ + /* open terminal */ +#ifdef _WINDOWS + input = stdin; +#else + input = fopen(consoleName, "r"); +#endif + if (input == NULL) { + PR_fprintf(PR_STDERR, "Error opening input terminal for read\n"); + return NULL; + } + + /* we have no password, so initialize database with one */ + PR_fprintf(PR_STDERR, + "Enter a password which will be used to encrypt your keys.\n" + "The password should be at least 8 characters long,\n" + "and should contain at least one non-alphabetic character.\n\n"); + + output = fopen(consoleName, "w"); + if (output == NULL) { + PR_fprintf(PR_STDERR, "Error opening output terminal for write\n"); + fclose(input); + return NULL; + } + + + for (;;) { + if (p0) + PORT_Free(p0); + p0 = SEC_GetPassword(input, output, "Enter new password: ", + SEC_BlindCheckPassword); + + if (p1) + PORT_Free(p1); + p1 = SEC_GetPassword(input, output, "Re-enter password: ", + SEC_BlindCheckPassword); + if (p0 && p1 && !PORT_Strcmp(p0, p1)) { + break; + } + PR_fprintf(PR_STDERR, "Passwords do not match. Try again.\n"); + } + + /* clear out the duplicate password string */ + secu_ClearPassword(p1); + + fclose(input); + fclose(output); + + return p0; +} + +SECStatus +SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile) +{ + SECStatus rv; + secuPWData pwdata, newpwdata; + char *oldpw = NULL, *newpw = NULL; + + if (passwd) { + pwdata.source = PW_PLAINTEXT; + pwdata.data = passwd; + } else if (pwFile) { + pwdata.source = PW_FROMFILE; + pwdata.data = pwFile; + } else { + pwdata.source = PW_NONE; + pwdata.data = NULL; + } + + if (PK11_NeedUserInit(slot)) { + newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata); + rv = PK11_InitPin(slot, (char*)NULL, newpw); + goto done; + } + + for (;;) { + oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata); + + if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) { + if (pwdata.source == PW_NONE) { + PR_fprintf(PR_STDERR, "Invalid password. Try again.\n"); + } else { + PR_fprintf(PR_STDERR, "Invalid password.\n"); + PORT_Memset(oldpw, 0, PL_strlen(oldpw)); + PORT_Free(oldpw); + return SECFailure; + } + } else + break; + + PORT_Free(oldpw); + } + + newpwdata.source = PW_NONE; + newpwdata.data = NULL; + + newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata); + + if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed to change password.\n"); + return SECFailure; + } + + PORT_Memset(oldpw, 0, PL_strlen(oldpw)); + PORT_Free(oldpw); + + PR_fprintf(PR_STDOUT, "Password changed successfully.\n"); + +done: + PORT_Memset(newpw, 0, PL_strlen(newpw)); + PORT_Free(newpw); + return SECSuccess; +} + +struct matchobj { + SECItem index; + char *nname; + PRBool found; +}; + +char * +SECU_DefaultSSLDir(void) +{ + char *dir; + static char sslDir[1000]; + + dir = PR_GetEnv("SSL_DIR"); + if (!dir) + return NULL; + + sprintf(sslDir, "%s", dir); + + if (sslDir[strlen(sslDir)-1] == '/') + sslDir[strlen(sslDir)-1] = 0; + + return sslDir; +} + +char * +SECU_AppendFilenameToDir(char *dir, char *filename) +{ + static char path[1000]; + + if (dir[strlen(dir)-1] == '/') + sprintf(path, "%s%s", dir, filename); + else + sprintf(path, "%s/%s", dir, filename); + return path; +} + +char * +SECU_ConfigDirectory(const char* base) +{ + static PRBool initted = PR_FALSE; + const char *dir = ".netscape"; + char *home; + static char buf[1000]; + + if (initted) return buf; + + + if (base == NULL || *base == 0) { + home = PR_GetEnv("HOME"); + if (!home) home = ""; + + if (*home && home[strlen(home) - 1] == '/') + sprintf (buf, "%.900s%s", home, dir); + else + sprintf (buf, "%.900s/%s", home, dir); + } else { + sprintf(buf, "%.900s", base); + if (buf[strlen(buf) - 1] == '/') + buf[strlen(buf) - 1] = 0; + } + + + initted = PR_TRUE; + return buf; +} + +/*Turn off SSL for now */ +/* This gets called by SSL when server wants our cert & key */ +int +SECU_GetClientAuthData(void *arg, PRFileDesc *fd, + struct CERTDistNamesStr *caNames, + struct CERTCertificateStr **pRetCert, + struct SECKEYPrivateKeyStr **pRetKey) +{ + SECKEYPrivateKey *key; + CERTCertificate *cert; + int errsave; + + if (arg == NULL) { + fprintf(stderr, "no key/cert name specified for client auth\n"); + return -1; + } + cert = PK11_FindCertFromNickname(arg, NULL); + errsave = PORT_GetError(); + if (!cert) { + if (errsave == SEC_ERROR_BAD_PASSWORD) + fprintf(stderr, "Bad password\n"); + else if (errsave > 0) + fprintf(stderr, "Unable to read cert (error %d)\n", errsave); + else if (errsave == SEC_ERROR_BAD_DATABASE) + fprintf(stderr, "Unable to get cert from database (%d)\n", errsave); + else + fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave); + return -1; + } + + key = PK11_FindKeyByAnyCert(arg,NULL); + if (!key) { + fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError()); + return -1; + } + + + *pRetCert = cert; + *pRetKey = key; + + return 0; +} + +SECStatus +secu_StdinToItem(SECItem *dst) +{ + unsigned char buf[1000]; + PRInt32 numBytes; + PRBool notDone = PR_TRUE; + + dst->len = 0; + dst->data = NULL; + + while (notDone) { + numBytes = PR_Read(PR_STDIN, buf, sizeof(buf)); + + if (numBytes < 0) { + return SECFailure; + } + + if (numBytes == 0) + break; + + if (dst->data) { + unsigned char * p = dst->data; + dst->data = (unsigned char*)PORT_Realloc(p, dst->len + numBytes); + if (!dst->data) { + PORT_Free(p); + } + } else { + dst->data = (unsigned char*)PORT_Alloc(numBytes); + } + if (!dst->data) { + return SECFailure; + } + PORT_Memcpy(dst->data + dst->len, buf, numBytes); + dst->len += numBytes; + } + + return SECSuccess; +} + +SECStatus +SECU_FileToItem(SECItem *dst, PRFileDesc *src) +{ + PRFileInfo info; + PRInt32 numBytes; + PRStatus prStatus; + + if (src == PR_STDIN) + return secu_StdinToItem(dst); + + prStatus = PR_GetOpenFileInfo(src, &info); + + if (prStatus != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + + /* XXX workaround for 3.1, not all utils zero dst before sending */ + dst->data = 0; + if (!SECITEM_AllocItem(NULL, dst, info.size)) + goto loser; + + numBytes = PR_Read(src, dst->data, info.size); + if (numBytes != info.size) { + PORT_SetError(SEC_ERROR_IO); + goto loser; + } + + return SECSuccess; +loser: + SECITEM_FreeItem(dst, PR_FALSE); + return SECFailure; +} + +SECStatus +SECU_TextFileToItem(SECItem *dst, PRFileDesc *src) +{ + PRFileInfo info; + PRInt32 numBytes; + PRStatus prStatus; + unsigned char *buf; + + if (src == PR_STDIN) + return secu_StdinToItem(dst); + + prStatus = PR_GetOpenFileInfo(src, &info); + + if (prStatus != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + + buf = (unsigned char*)PORT_Alloc(info.size); + if (!buf) + return SECFailure; + + numBytes = PR_Read(src, buf, info.size); + if (numBytes != info.size) { + PORT_SetError(SEC_ERROR_IO); + goto loser; + } + + if (buf[numBytes-1] == '\n') numBytes--; +#ifdef _WINDOWS + if (buf[numBytes-1] == '\r') numBytes--; +#endif + + /* XXX workaround for 3.1, not all utils zero dst before sending */ + dst->data = 0; + if (!SECITEM_AllocItem(NULL, dst, numBytes)) + goto loser; + + memcpy(dst->data, buf, numBytes); + + PORT_Free(buf); + return SECSuccess; +loser: + PORT_Free(buf); + return SECFailure; +} + +SECStatus +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii) +{ + SECStatus rv; + if (ascii) { + /* First convert ascii to binary */ + SECItem filedata; + char *asc, *body; + + /* Read in ascii data */ + rv = SECU_FileToItem(&filedata, inFile); + asc = (char *)filedata.data; + if (!asc) { + fprintf(stderr, "unable to read data from input file\n"); + return SECFailure; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(asc, "-----BEGIN")) != NULL) { + char *trailer = NULL; + asc = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */ + if (body) + trailer = strstr(++body, "-----END"); + if (trailer != NULL) { + *trailer = '\0'; + } else { + fprintf(stderr, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = asc; + } + + /* Convert to binary */ + rv = ATOB_ConvertAsciiToItem(der, body); + if (rv) { + fprintf(stderr, "error converting ascii to binary (%s)\n", + SECU_Strerror(PORT_GetError())); + PORT_Free(filedata.data); + return SECFailure; + } + + PORT_Free(filedata.data); + } else { + /* Read in binary der */ + rv = SECU_FileToItem(der, inFile); + if (rv) { + fprintf(stderr, "error converting der (%s)\n", + SECU_Strerror(PORT_GetError())); + return SECFailure; + } + } + return SECSuccess; +} + +#define INDENT_MULT 4 +void +SECU_Indent(FILE *out, int level) +{ + int i; + + for (i = 0; i < level; i++) { + fprintf(out, " "); + } +} + +static void secu_Newline(FILE *out) +{ + fprintf(out, "\n"); +} + +void +SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level) +{ + unsigned i; + int column; + PRBool isString = PR_TRUE; + PRBool isWhiteSpace = PR_TRUE; + PRBool printedHex = PR_FALSE; + unsigned int limit = 15; + + if ( m ) { + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + level++; + } + + SECU_Indent(out, level); column = level*INDENT_MULT; + if (!data->len) { + fprintf(out, "(empty)\n"); + return; + } + /* take a pass to see if it's all printable. */ + for (i = 0; i < data->len; i++) { + unsigned char val = data->data[i]; + if (!val || !isprint(val)) { + isString = PR_FALSE; + break; + } + if (isWhiteSpace && !isspace(val)) { + isWhiteSpace = PR_FALSE; + } + } + + /* Short values, such as bit strings (which are printed with this + ** function) often look like strings, but we want to see the bits. + ** so this test assures that short values will be printed in hex, + ** perhaps in addition to being printed as strings. + ** The threshold size (4 bytes) is arbitrary. + */ + if (!isString || data->len <= 4) { + for (i = 0; i < data->len; i++) { + if (i != data->len - 1) { + fprintf(out, "%02x:", data->data[i]); + column += 3; + } else { + fprintf(out, "%02x", data->data[i]); + column += 2; + break; + } + if (column > 76 || (i % 16 == limit)) { + secu_Newline(out); + SECU_Indent(out, level); + column = level*INDENT_MULT; + limit = i % 16; + } + } + printedHex = PR_TRUE; + } + if (isString && !isWhiteSpace) { + if (printedHex != PR_FALSE) { + secu_Newline(out); + SECU_Indent(out, level); column = level*INDENT_MULT; + } + for (i = 0; i < data->len; i++) { + unsigned char val = data->data[i]; + + if (val) { + fprintf(out,"%c",val); + column++; + } else { + column = 77; + } + if (column > 76) { + secu_Newline(out); + SECU_Indent(out, level); column = level*INDENT_MULT; + } + } + } + + if (column != level*INDENT_MULT) { + secu_Newline(out); + } +} + +static const char *hex = "0123456789abcdef"; + +static const char printable[257] = { + "................" /* 0x */ + "................" /* 1x */ + " !\"#$%&'()*+,-./" /* 2x */ + "0123456789:;<=>?" /* 3x */ + "@ABCDEFGHIJKLMNO" /* 4x */ + "PQRSTUVWXYZ[\\]^_" /* 5x */ + "`abcdefghijklmno" /* 6x */ + "pqrstuvwxyz{|}~." /* 7x */ + "................" /* 8x */ + "................" /* 9x */ + "................" /* ax */ + "................" /* bx */ + "................" /* cx */ + "................" /* dx */ + "................" /* ex */ + "................" /* fx */ +}; + +void +SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len) +{ + const unsigned char *cp = (const unsigned char *)vp; + char buf[80]; + char *bp; + char *ap; + + fprintf(out, "%s [Len: %d]\n", msg, len); + memset(buf, ' ', sizeof buf); + bp = buf; + ap = buf + 50; + while (--len >= 0) { + unsigned char ch = *cp++; + *bp++ = hex[(ch >> 4) & 0xf]; + *bp++ = hex[ch & 0xf]; + *bp++ = ' '; + *ap++ = printable[ch]; + if (ap - buf >= 66) { + *ap = 0; + fprintf(out, " %s\n", buf); + memset(buf, ' ', sizeof buf); + bp = buf; + ap = buf + 50; + } + } + if (bp > buf) { + *ap = 0; + fprintf(out, " %s\n", buf); + } +} + +SECStatus +SECU_StripTagAndLength(SECItem *i) +{ + unsigned int start; + + if (!i || !i->data || i->len < 2) { /* must be at least tag and length */ + return SECFailure; + } + start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2); + if (i->len < start) { + return SECFailure; + } + i->data += start; + i->len -= start; + return SECSuccess; +} + + +/* This expents i->data[0] to be the MSB of the integer. +** if you want to print a DER-encoded integer (with the tag and length) +** call SECU_PrintEncodedInteger(); +*/ +void +SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level) +{ + int iv; + + if (!i || !i->len || !i->data) { + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: (null)\n", m); + } else { + fprintf(out, "(null)\n"); + } + } else if (i->len > 4) { + SECU_PrintAsHex(out, i, m, level); + } else { + iv = DER_GetInteger(i); + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: %d (0x%x)\n", m, iv, iv); + } else { + fprintf(out, "%d (0x%x)\n", iv, iv); + } + } +} + +static void +secu_PrintRawString(FILE *out, SECItem *si, char *m, int level) +{ + int column; + unsigned int i; + + if ( m ) { + SECU_Indent(out, level); fprintf(out, "%s: ", m); + column = (level * INDENT_MULT) + strlen(m) + 2; + level++; + } else { + SECU_Indent(out, level); + column = level*INDENT_MULT; + } + fprintf(out, "\""); column++; + + for (i = 0; i < si->len; i++) { + unsigned char val = si->data[i]; + if (column > 76) { + secu_Newline(out); + SECU_Indent(out, level); column = level*INDENT_MULT; + } + + fprintf(out,"%c", printable[val]); column++; + } + + fprintf(out, "\""); column++; + if (column != level*INDENT_MULT || column > 76) { + secu_Newline(out); + } +} + +void +SECU_PrintString(FILE *out, SECItem *si, char *m, int level) +{ + SECItem my = *si; + + if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len) + return; + secu_PrintRawString(out, &my, m, level); +} + +/* print an unencoded boolean */ +static void +secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level) +{ + int val = 0; + + if ( i->data && i->len ) { + val = i->data[0]; + } + + if (!m) { + m = "Boolean"; + } + SECU_Indent(out, level); + fprintf(out, "%s: %s\n", m, (val ? "True" : "False")); +} + +/* + * Format and print "time". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +static void +secu_PrintTime(FILE *out, int64 time, char *m, int level) +{ + PRExplodedTime printableTime; + char *timeString; + + /* Convert to local time */ + PR_ExplodeTime(time, PR_GMTParameters, &printableTime); + + timeString = PORT_Alloc(100); + if (timeString == NULL) + return; + + if (m != NULL) { + SECU_Indent(out, level); + fprintf(out, "%s: ", m); + } + + PR_FormatTime(timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime); + fprintf(out, timeString); + + if (m != NULL) + fprintf(out, "\n"); + + PORT_Free(timeString); +} + +/* + * Format and print the UTC Time "t". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +void +SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level) +{ + int64 time; + SECStatus rv; + + rv = DER_UTCTimeToTime(&time, t); + if (rv != SECSuccess) + return; + + secu_PrintTime(out, time, m, level); +} + +/* + * Format and print the Generalized Time "t". If the tag message "m" + * is not NULL, * do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +void +SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level) +{ + int64 time; + SECStatus rv; + + + rv = DER_GeneralizedTimeToTime(&time, t); + if (rv != SECSuccess) + return; + + secu_PrintTime(out, time, m, level); +} + +/* + * Format and print the UTC or Generalized Time "t". If the tag message + * "m" is not NULL, do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +void +SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level) +{ + switch (t->type) { + case siUTCTime: + SECU_PrintUTCTime(out, t, m, level); + break; + + case siGeneralizedTime: + SECU_PrintGeneralizedTime(out, t, m, level); + break; + + default: + PORT_Assert(0); + break; + } +} + + +/* This prints a SET or SEQUENCE */ +void +SECU_PrintSet(FILE *out, SECItem *t, char *m, int level) +{ + int type = t->data[0] & SEC_ASN1_TAGNUM_MASK; + int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED; + const char * label; + SECItem my = *t; + + if (!constructed) { + SECU_PrintAsHex(out, t, m, level); + return; + } + if (SECSuccess != SECU_StripTagAndLength(&my)) + return; + + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: ", m); + } + + if (type == SEC_ASN1_SET) + label = "Set "; + else if (type == SEC_ASN1_SEQUENCE) + label = "Sequence "; + else + label = ""; + fprintf(out,"%s{\n", label); /* } */ + + while (my.len >= 2) { + SECItem tmp = my; + + if (tmp.data[1] & 0x80) { + unsigned int i; + unsigned int lenlen = tmp.data[1] & 0x7f; + if (lenlen > sizeof tmp.len) + break; + tmp.len = 0; + for (i=0; i < lenlen; i++) { + tmp.len = (tmp.len << 8) | tmp.data[2+i]; + } + tmp.len += lenlen + 2; + } else { + tmp.len = tmp.data[1] + 2; + } + if (tmp.len > my.len) { + tmp.len = my.len; + } + my.data += tmp.len; + my.len -= tmp.len; + SECU_PrintAny(out, &tmp, NULL, level + 1); + } + SECU_Indent(out, level); fprintf(out, /* { */ "}\n"); +} + +static void +secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level) +{ + int type = i->data[0] & SEC_ASN1_TAGNUM_MASK; + int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED; + SECItem tmp; + + if (constructed) { + char * m2; + if (!m) + m2 = PR_smprintf("[%d]", type); + else + m2 = PR_smprintf("%s: [%d]", m, type); + if (m2) { + SECU_PrintSet(out, i, m2, level); + PR_smprintf_free(m2); + } + return; + } + + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: ", m); + } + fprintf(out,"[%d]\n", type); + + tmp = *i; + if (SECSuccess == SECU_StripTagAndLength(&tmp)) + SECU_PrintAsHex(out, &tmp, m, level+1); +} + +static void +secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level) +{ + SECItem tmp = *i; + if (SECSuccess == SECU_StripTagAndLength(&tmp)) + SECU_PrintAsHex(out, &tmp, m, level); +} + +static void +secu_PrintBitString(FILE *out, SECItem *i, char *m, int level) +{ + int unused_bits; + SECItem tmp = *i; + + if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2) + return; + + unused_bits = *tmp.data++; + tmp.len--; + + SECU_PrintAsHex(out, &tmp, m, level); + if (unused_bits) { + SECU_Indent(out, level + 1); + fprintf(out, "(%d least significant bits unused)\n", unused_bits); + } +} + +/* in a decoded bit string, the len member is a bit length. */ +static void +secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level) +{ + int unused_bits; + SECItem tmp = *i; + + + unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0; + DER_ConvertBitString(&tmp); /* convert length to byte length */ + + SECU_PrintAsHex(out, &tmp, m, level); + if (unused_bits) { + SECU_Indent(out, level + 1); + fprintf(out, "(%d least significant bits unused)\n", unused_bits); + } +} + + +/* Print a DER encoded Boolean */ +void +SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + secu_PrintBoolean(out, &my, m, level); +} + +/* Print a DER encoded integer */ +void +SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + SECU_PrintInteger(out, &my, m, level); +} + +/* Print a DER encoded OID */ +void +SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + SECU_PrintObjectID(out, &my, m, level); +} + +static void +secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level) +{ + unsigned char * s; + unsigned char * d; + int len; + SECItem tmp = {0, 0, 0}; + SECItem my = *i; + + if (SECSuccess != SECU_StripTagAndLength(&my)) + goto loser; + if (my.len % 2) + goto loser; + len = (int)(my.len / 2); + tmp.data = (unsigned char *)PORT_Alloc(len); + if (!tmp.data) + goto loser; + tmp.len = len; + for (s = my.data, d = tmp.data ; len > 0; len--) { + PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2; + if (!isprint(bmpChar)) + goto loser; + *d++ = (unsigned char)bmpChar; + } + secu_PrintRawString(out, &tmp, m, level); + PORT_Free(tmp.data); + return; + +loser: + SECU_PrintAsHex(out, i, m, level); + if (tmp.data) + PORT_Free(tmp.data); +} + +static void +secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level) +{ + unsigned char * s; + unsigned char * d; + int len; + SECItem tmp = {0, 0, 0}; + SECItem my = *i; + + if (SECSuccess != SECU_StripTagAndLength(&my)) + goto loser; + if (my.len % 4) + goto loser; + len = (int)(my.len / 4); + tmp.data = (unsigned char *)PORT_Alloc(len); + if (!tmp.data) + goto loser; + tmp.len = len; + for (s = my.data, d = tmp.data ; len > 0; len--) { + PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3]; + s += 4; + if (!isprint(bmpChar)) + goto loser; + *d++ = (unsigned char)bmpChar; + } + secu_PrintRawString(out, &tmp, m, level); + PORT_Free(tmp.data); + return; + +loser: + SECU_PrintAsHex(out, i, m, level); + if (tmp.data) + PORT_Free(tmp.data); +} + +static void +secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level) +{ + switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) { + case SEC_ASN1_ENUMERATED: + case SEC_ASN1_INTEGER: + SECU_PrintEncodedInteger(out, i, m, level); + break; + case SEC_ASN1_OBJECT_ID: + SECU_PrintEncodedObjectID(out, i, m, level); + break; + case SEC_ASN1_BOOLEAN: + SECU_PrintEncodedBoolean(out, i, m, level); + break; + case SEC_ASN1_UTF8_STRING: + case SEC_ASN1_PRINTABLE_STRING: + case SEC_ASN1_VISIBLE_STRING: + case SEC_ASN1_IA5_STRING: + case SEC_ASN1_T61_STRING: + SECU_PrintString(out, i, m, level); + break; + case SEC_ASN1_GENERALIZED_TIME: + SECU_PrintGeneralizedTime(out, i, m, level); + break; + case SEC_ASN1_UTC_TIME: + SECU_PrintUTCTime(out, i, m, level); + break; + case SEC_ASN1_NULL: + SECU_Indent(out, level); + if (m && m[0]) + fprintf(out, "%s: NULL\n", m); + else + fprintf(out, "NULL\n"); + break; + case SEC_ASN1_SET: + case SEC_ASN1_SEQUENCE: + SECU_PrintSet(out, i, m, level); + break; + case SEC_ASN1_OCTET_STRING: + secu_PrintOctetString(out, i, m, level); + break; + case SEC_ASN1_BIT_STRING: + secu_PrintBitString(out, i, m, level); + break; + case SEC_ASN1_BMP_STRING: + secu_PrintBMPString(out, i, m, level); + break; + case SEC_ASN1_UNIVERSAL_STRING: + secu_PrintUniversalString(out, i, m, level); + break; + default: + SECU_PrintAsHex(out, i, m, level); + break; + } +} + +void +SECU_PrintAny(FILE *out, SECItem *i, char *m, int level) +{ + if ( i && i->len && i->data ) { + switch (i->data[0] & SEC_ASN1_CLASS_MASK) { + case SEC_ASN1_CONTEXT_SPECIFIC: + secu_PrintContextSpecific(out, i, m, level); + break; + case SEC_ASN1_UNIVERSAL: + secu_PrintUniversal(out, i, m, level); + break; + default: + SECU_PrintAsHex(out, i, m, level); + break; + } + } +} + +static int +secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1); + SECU_PrintTimeChoice(out, &v->notAfter, "Not After ", level+1); + return 0; +} + +/* This function does NOT expect a DER type and length. */ +SECOidTag +SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level) +{ + SECOidData *oiddata; + char * oidString = NULL; + + oiddata = SECOID_FindOID(oid); + if (oiddata != NULL) { + const char *name = oiddata->desc; + SECU_Indent(out, level); + if (m != NULL) + fprintf(out, "%s: ", m); + fprintf(out, "%s\n", name); + return oiddata->offset; + } + oidString = CERT_GetOidString(oid); + if (oidString) { + SECU_Indent(out, level); + if (m != NULL) + fprintf(out, "%s: ", m); + fprintf(out, "%s\n", oidString); + PR_smprintf_free(oidString); + return SEC_OID_UNKNOWN; + } + SECU_PrintAsHex(out, oid, m, level); + return SEC_OID_UNKNOWN; +} + + +/* This function does NOT expect a DER type and length. */ +void +SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) +{ + SECU_PrintObjectID(out, &a->algorithm, m, level); + + if (a->parameters.len == 0 + || (a->parameters.len == 2 + && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { + /* No arguments or NULL argument */ + } else { + /* Print args to algorithm */ + SECU_PrintAsHex(out, &a->parameters, "Args", level+1); + } +} + +static void +secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level) +{ + SECItem *value; + int i; + char om[100]; + + if (m) { + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + } + + /* + * Should make this smarter; look at the type field and then decode + * and print the value(s) appropriately! + */ + SECU_PrintObjectID(out, &(attr->type), "Type", level+1); + if (attr->values != NULL) { + i = 0; + while ((value = attr->values[i++]) != NULL) { + sprintf(om, "Value (%d)%s", i, attr->encoded ? " (encoded)" : ""); + if (attr->encoded || attr->typeTag == NULL) { + SECU_PrintAny(out, value, om, level+1); + } else { + switch (attr->typeTag->offset) { + default: + SECU_PrintAsHex(out, value, om, level+1); + break; + case SEC_OID_PKCS9_CONTENT_TYPE: + SECU_PrintObjectID(out, value, om, level+1); + break; + case SEC_OID_PKCS9_SIGNING_TIME: + SECU_PrintTimeChoice(out, value, om, level+1); + break; + } + } + } + } +} + +static void +secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) +{ + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1); + SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1); + if (pk->u.rsa.publicExponent.len == 1 && + pk->u.rsa.publicExponent.data[0] == 1) { + SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n"); + } +} + +static void +secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1); + SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1); + SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1); + SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1); +} + +#ifdef NSS_ENABLE_ECC +static void +secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) +{ + SECItem curveOID = { siBuffer, NULL, 0}; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1); + /* For named curves, the DEREncodedParams field contains an + * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID). + */ + if ((pk->u.ec.DEREncodedParams.len > 2) && + (pk->u.ec.DEREncodedParams.data[0] == 0x06)) { + curveOID.len = pk->u.ec.DEREncodedParams.data[1]; + curveOID.data = pk->u.ec.DEREncodedParams.data + 2; + SECU_PrintObjectID(out, &curveOID, "Curve", level +1); + } +} +#endif /* NSS_ENABLE_ECC */ + +static void +secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena, + CERTSubjectPublicKeyInfo *i, char *msg, int level) +{ + SECKEYPublicKey *pk; + + SECU_Indent(out, level); fprintf(out, "%s:\n", msg); + SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1); + + pk = SECKEY_ExtractPublicKey(i); + if (pk) { + switch (pk->keyType) { + case rsaKey: + secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1); + break; + + case dsaKey: + secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1); + break; + +#ifdef NSS_ENABLE_ECC + case ecKey: + secu_PrintECPublicKey(out, pk, "EC Public Key", level +1); + break; +#endif + + case dhKey: + case fortezzaKey: + case keaKey: + SECU_Indent(out, level); + fprintf(out, "unable to format this SPKI algorithm type\n"); + goto loser; + default: + SECU_Indent(out, level); + fprintf(out, "unknown SPKI algorithm type\n"); + goto loser; + } + PORT_FreeArena(pk->arena, PR_FALSE); + } else { + SECU_PrintErrMsg(out, level, "Error", "Parsing public key"); +loser: + if (i->subjectPublicKey.data) { + SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level); + } + } +} + +static SECStatus +secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level) +{ + SECItem decodedValue; + SECStatus rv; + int64 invalidTime; + char *formattedTime = NULL; + + decodedValue.data = NULL; + rv = SEC_ASN1DecodeItem (NULL, &decodedValue, + SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), + value); + if (rv == SECSuccess) { + rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue); + if (rv == SECSuccess) { + formattedTime = CERT_GenTime2FormattedAscii + (invalidTime, "%a %b %d %H:%M:%S %Y"); + SECU_Indent(out, level +1); + fprintf (out, "%s: %s\n", msg, formattedTime); + PORT_Free (formattedTime); + } + } + PORT_Free (decodedValue.data); + return (rv); +} + +static SECStatus +PrintExtKeyUsageExtension (FILE *out, SECItem *value, char *msg, int level) +{ + CERTOidSequence *os; + SECItem **op; + + os = CERT_DecodeOidSequence(value); + if( (CERTOidSequence *)NULL == os ) { + return SECFailure; + } + + for( op = os->oids; *op; op++ ) { + SECU_PrintObjectID(out, *op, msg, level + 1); + } + CERT_DestroyOidSequence(os); + return SECSuccess; +} + +static SECStatus +secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) { + CERTBasicConstraints constraints; + SECStatus rv; + + SECU_Indent(out, level); + if (msg) { + fprintf(out,"%s: ",msg); + } + rv = CERT_DecodeBasicConstraintValue(&constraints,value); + if (rv == SECSuccess && constraints.isCA) { + if (constraints.pathLenConstraint >= 0) { + fprintf(out,"Is a CA with a maximum path length of %d.\n", + constraints.pathLenConstraint); + } else { + fprintf(out,"Is a CA with no maximum path length.\n"); + } + } else { + fprintf(out,"Is not a CA.\n"); + } + return SECSuccess; +} + +static const char * const nsTypeBits[] = { + "SSL Client", + "SSL Server", + "S/MIME", + "Object Signing", + "Reserved", + "SSL CA", + "S/MIME CA", + "ObjectSigning CA" +}; + +/* NSCertType is merely a bit string whose bits are displayed symbolically */ +static SECStatus +secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level) +{ + int unused; + int NS_Type; + int i; + int found = 0; + SECItem my = *value; + + if ((my.data[0] != SEC_ASN1_BIT_STRING) || + SECSuccess != SECU_StripTagAndLength(&my)) { + SECU_PrintAny(out, value, "Data", level); + return SECSuccess; + } + + unused = (my.len == 2) ? (my.data[0] & 0x0f) : 0; + NS_Type = my.data[1] & (0xff << unused); + + + SECU_Indent(out, level); + if (msg) { + fprintf(out,"%s: ",msg); + } else { + fprintf(out,"Netscape Certificate Type: "); + } + for (i=0; i < 8; i++) { + if ( (0x80 >> i) & NS_Type) { + fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]); + found = 1; + } + } + fprintf(out, (found ? ">\n" : "none\n")); + return SECSuccess; +} + +static const char * const usageBits[] = { + "Digital Signature", /* 0x80 */ + "Non-Repudiation", /* 0x40 */ + "Key Encipherment", /* 0x20 */ + "Data Encipherment", /* 0x10 */ + "Key Agreement", /* 0x08 */ + "Certificate Signing", /* 0x04 */ + "CRL Signing", /* 0x02 */ + "Encipher Only", /* 0x01 */ + "Decipher Only", /* 0x0080 */ + NULL +}; + +/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */ +static void +secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) +{ + int unused; + int usage; + int i; + int found = 0; + SECItem my = *value; + + if ((my.data[0] != SEC_ASN1_BIT_STRING) || + SECSuccess != SECU_StripTagAndLength(&my)) { + SECU_PrintAny(out, value, "Data", level); + return; + } + + unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0; + usage = (my.len == 2) ? (my.data[1] & (0xff << unused)) << 8 + : (my.data[1] << 8) | + (my.data[2] & (0xff << unused)); + + SECU_Indent(out, level); + fprintf(out, "Usages: "); + for (i=0; usageBits[i]; i++) { + if ( (0x8000 >> i) & usage) { + if (found) + SECU_Indent(out, level + 2); + fprintf(out, "%s\n", usageBits[i]); + found = 1; + } + } + if (!found) { + fprintf(out, "(none)\n"); + } +} + +static void +secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level) +{ + PRStatus st; + PRNetAddr addr; + char addrBuf[80]; + + memset(&addr, 0, sizeof addr); + if (value->len == 4) { + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, value->data, value->len); + } else if (value->len == 16) { + addr.ipv6.family = PR_AF_INET6; + memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len); + if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) { + /* convert to IPv4. */ + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4); + memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad); + } + } else { + goto loser; + } + + st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf); + if (st == PR_SUCCESS) { + SECU_Indent(out, level); + fprintf(out, "%s: %s\n", msg, addrBuf); + } else { +loser: + SECU_PrintAsHex(out, value, msg, level); + } +} + + +static void +secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level) +{ + char label[40]; + if (msg && msg[0]) { + SECU_Indent(out, level++); fprintf(out, "%s: \n", msg); + } + switch (gname->type) { + case certOtherName : + SECU_PrintAny( out, &gname->name.OthName.name, "Other Name", level); + SECU_PrintObjectID(out, &gname->name.OthName.oid, "OID", level+1); + break; + case certDirectoryName : + SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level); + break; + case certRFC822Name : + secu_PrintRawString( out, &gname->name.other, "RFC822 Name", level); + break; + case certDNSName : + secu_PrintRawString( out, &gname->name.other, "DNS name", level); + break; + case certURI : + secu_PrintRawString( out, &gname->name.other, "URI", level); + break; + case certIPAddress : + secu_PrintIPAddress(out, &gname->name.other, "IP Address", level); + break; + case certRegisterID : + SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level); + break; + case certX400Address : + SECU_PrintAny( out, &gname->name.other, "X400 Address", level); + break; + case certEDIPartyName : + SECU_PrintAny( out, &gname->name.other, "EDI Party", level); + break; + default: + PR_snprintf(label, sizeof label, "unknown type [%d]", + (int)gname->type - 1); + SECU_PrintAsHex(out, &gname->name.other, label, level); + break; + } +} + +static void +secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTAuthKeyID *kid = NULL; + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + kid = CERT_DecodeAuthKeyID(pool, value); + if (!kid) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } else { + int keyIDPresent = (kid->keyID.data && kid->keyID.len); + int issuerPresent = kid->authCertIssuer != NULL; + int snPresent = (kid->authCertSerialNumber.data && + kid->authCertSerialNumber.len); + + if ((keyIDPresent && !issuerPresent && !snPresent) || + (!keyIDPresent && issuerPresent && snPresent)) { + /* all is well */ + } else { + SECU_Indent(out, level); + fprintf(out, + "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n"); + } + if (keyIDPresent) + SECU_PrintAsHex(out, &kid->keyID, "Key ID", level); + if (issuerPresent) + secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level); + if (snPresent) + SECU_PrintInteger(out, &kid->authCertSerialNumber, + "Serial Number", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + + +static void +secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTGeneralName * nameList; + CERTGeneralName * current; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + nameList = current = CERT_DecodeAltNameExtension(pool, value); + if (!current) { + if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { + /* Decoder found empty sequence, which is invalid. */ + PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); + } + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } else { + do { + secu_PrintGeneralName(out, current, msg, level); + current = CERT_GetNextGeneralName(current); + } while (current != nameList); + } + PORT_FreeArena(pool, PR_FALSE); +} + +static void +secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTCrlDistributionPoints * dPoints; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + dPoints = CERT_DecodeCRLDistributionPoints(pool, value); + if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) { + CRLDistributionPoint ** pPoints = dPoints->distPoints; + CRLDistributionPoint * pPoint; + while (NULL != (pPoint = *pPoints++)) { + if (pPoint->distPointType == generalName && + pPoint->distPoint.fullName != NULL) { + secu_PrintGeneralName(out, pPoint->distPoint.fullName, NULL, + level); +#if defined(LATER) + } else if (pPoint->distPointType == relativeDistinguishedName) { + /* print the relative name */ +#endif + } else if (pPoint->derDistPoint.data) { + SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level); + } + if (pPoint->reasons.data) { + secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons", + level); + } + if (pPoint->crlIssuer) { + secu_PrintGeneralName(out, pPoint->crlIssuer, "Issuer", level); + } + } + } else { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + + +static void +secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, + char *msg, int level) +{ + CERTNameConstraint *head = value; + SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg); + level++; + do { + secu_PrintGeneralName(out, &value->name, NULL, level); + if (value->min.data) + SECU_PrintInteger(out, &value->min, "Minimum", level+1); + if (value->max.data) + SECU_PrintInteger(out, &value->max, "Maximum", level+1); + value = CERT_GetNextNameConstraint(value); + } while (value != head); +} + +static void +secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTNameConstraints * cnstrnts; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value); + if (!cnstrnts) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Raw", level); + } else { + if (cnstrnts->permited) + secu_PrintNameConstraintSubtree(out, cnstrnts->permited, + "Permitted", level); + if (cnstrnts->excluded) + secu_PrintNameConstraintSubtree(out, cnstrnts->excluded, + "Excluded", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + + +static void +secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level) +{ + CERTAuthInfoAccess **infos = NULL; + PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + infos = CERT_DecodeAuthInfoAccessExtension(pool, value); + if (!infos) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Raw", level); + } else { + CERTAuthInfoAccess *info; + while (NULL != (info = *infos++)) { + if (info->method.data) { + SECU_PrintObjectID(out, &info->method, "Method", level); + } else { + SECU_Indent(out,level); + fprintf(out, "Error: missing method\n"); + } + if (info->location) { + secu_PrintGeneralName(out, info->location, "Location", level); + } else { + SECU_PrintAny(out, &info->derLocation, "Location", level); + } + } + } + PORT_FreeArena(pool, PR_FALSE); +} + + +void +SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + char *msg, int level) +{ + SECOidTag oidTag; + + if ( extensions ) { + if (msg && *msg) { + SECU_Indent(out, level++); fprintf(out, "%s:\n", msg); + } + + while ( *extensions ) { + SECItem *tmpitem; + + tmpitem = &(*extensions)->id; + SECU_PrintObjectID(out, tmpitem, "Name", level); + + tmpitem = &(*extensions)->critical; + if ( tmpitem->len ) { + secu_PrintBoolean(out, tmpitem, "Critical", level); + } + + oidTag = SECOID_FindOIDTag (&((*extensions)->id)); + tmpitem = &((*extensions)->value); + + switch (oidTag) { + case SEC_OID_X509_INVALID_DATE: + case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME: + secu_PrintX509InvalidDate(out, tmpitem, "Date", level ); + break; + case SEC_OID_X509_CERTIFICATE_POLICIES: + SECU_PrintPolicy(out, tmpitem, "Data", level ); + break; + case SEC_OID_NS_CERT_EXT_BASE_URL: + case SEC_OID_NS_CERT_EXT_REVOCATION_URL: + case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL: + case SEC_OID_NS_CERT_EXT_CA_CRL_URL: + case SEC_OID_NS_CERT_EXT_CA_CERT_URL: + case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL: + case SEC_OID_NS_CERT_EXT_CA_POLICY_URL: + case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL: + case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL: + case SEC_OID_OCSP_RESPONDER: + SECU_PrintString(out,tmpitem, "URL", level); + break; + case SEC_OID_NS_CERT_EXT_COMMENT: + SECU_PrintString(out,tmpitem, "Comment", level); + break; + case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME: + SECU_PrintString(out,tmpitem, "ServerName", level); + break; + case SEC_OID_NS_CERT_EXT_CERT_TYPE: + secu_PrintNSCertType(out,tmpitem,"Data",level); + break; + case SEC_OID_X509_BASIC_CONSTRAINTS: + secu_PrintBasicConstraints(out,tmpitem,"Data",level); + break; + case SEC_OID_X509_EXT_KEY_USAGE: + PrintExtKeyUsageExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_KEY_USAGE: + secu_PrintX509KeyUsage(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_AUTH_KEY_ID: + secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_SUBJECT_ALT_NAME: + case SEC_OID_X509_ISSUER_ALT_NAME: + secu_PrintAltNameExtension(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_CRL_DIST_POINTS: + secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level ); + break; + case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD: + SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL, + level ); + break; + case SEC_OID_X509_NAME_CONSTRAINTS: + secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_AUTH_INFO_ACCESS: + secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level); + break; + + case SEC_OID_X509_CRL_NUMBER: + case SEC_OID_X509_REASON_CODE: + + /* PKIX OIDs */ + case SEC_OID_PKIX_OCSP: + case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: + case SEC_OID_PKIX_OCSP_NONCE: + case SEC_OID_PKIX_OCSP_CRL: + case SEC_OID_PKIX_OCSP_RESPONSE: + case SEC_OID_PKIX_OCSP_NO_CHECK: + case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF: + case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR: + case SEC_OID_PKIX_REGCTRL_REGTOKEN: + case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR: + case SEC_OID_PKIX_REGCTRL_PKIPUBINFO: + case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS: + case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID: + case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY: + case SEC_OID_PKIX_REGINFO_UTF8_PAIRS: + case SEC_OID_PKIX_REGINFO_CERT_REQUEST: + + /* Netscape extension OIDs. */ + case SEC_OID_NS_CERT_EXT_NETSCAPE_OK: + case SEC_OID_NS_CERT_EXT_ISSUER_LOGO: + case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO: + case SEC_OID_NS_CERT_EXT_ENTITY_LOGO: + case SEC_OID_NS_CERT_EXT_USER_PICTURE: + + /* x.509 v3 Extensions */ + case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR: + case SEC_OID_X509_SUBJECT_KEY_ID: + case SEC_OID_X509_POLICY_MAPPINGS: + case SEC_OID_X509_POLICY_CONSTRAINTS: + + + default: + SECU_PrintAny(out, tmpitem, "Data", level); + break; + } + + secu_Newline(out); + extensions++; + } + } +} + + +void +SECU_PrintName(FILE *out, CERTName *name, char *msg, int level) +{ + char *nameStr; + char *str; + SECItem my; + + str = nameStr = CERT_NameToAscii(name); + if (!str) { + str = "!Invalid AVA!"; + } + my.data = (unsigned char *)str; + my.len = PORT_Strlen(str); +#if 1 + secu_PrintRawString(out, &my, msg, level); +#else + SECU_Indent(out, level); fprintf(out, "%s: ", msg); + fprintf(out, str); + secu_Newline(out); +#endif + PORT_Free(nameStr); +} + +void +printflags(char *trusts, unsigned int flags) +{ + if (flags & CERTDB_VALID_CA) + if (!(flags & CERTDB_TRUSTED_CA) && + !(flags & CERTDB_TRUSTED_CLIENT_CA)) + PORT_Strcat(trusts, "c"); + if (flags & CERTDB_VALID_PEER) + if (!(flags & CERTDB_TRUSTED)) + PORT_Strcat(trusts, "p"); + if (flags & CERTDB_TRUSTED_CA) + PORT_Strcat(trusts, "C"); + if (flags & CERTDB_TRUSTED_CLIENT_CA) + PORT_Strcat(trusts, "T"); + if (flags & CERTDB_TRUSTED) + PORT_Strcat(trusts, "P"); + if (flags & CERTDB_USER) + PORT_Strcat(trusts, "u"); + if (flags & CERTDB_SEND_WARN) + PORT_Strcat(trusts, "w"); + if (flags & CERTDB_INVISIBLE_CA) + PORT_Strcat(trusts, "I"); + if (flags & CERTDB_GOVT_APPROVED_CA) + PORT_Strcat(trusts, "G"); + return; +} + +/* callback for listing certs through pkcs11 */ +SECStatus +SECU_PrintCertNickname(CERTCertListNode *node, void *data) +{ + CERTCertTrust *trust; + CERTCertificate* cert; + FILE *out; + char trusts[30]; + char *name; + + cert = node->cert; + + PORT_Memset (trusts, 0, sizeof (trusts)); + out = (FILE *)data; + + name = node->appData; + if (!name || !name[0]) { + name = cert->nickname; + } + if (!name || !name[0]) { + name = cert->emailAddr; + } + if (!name || !name[0]) { + name = "(NULL)"; + } + + trust = cert->trust; + if (trust) { + printflags(trusts, trust->sslFlags); + PORT_Strcat(trusts, ","); + printflags(trusts, trust->emailFlags); + PORT_Strcat(trusts, ","); + printflags(trusts, trust->objectSigningFlags); + } else { + PORT_Memcpy(trusts,",,",3); + } + fprintf(out, "%-60s %-5s\n", name, trusts); + + return (SECSuccess); +} + +int +SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, char *m, int level) +{ + CERTCertExtension **extensions = NULL; + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + int rv = 0; + + if (!arena) + return SEC_ERROR_NO_MEMORY; + + rv = SEC_QuickDERDecodeItem(arena, &extensions, + SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any); + if (!rv) + SECU_PrintExtensions(out, extensions, m, level); + else + SECU_PrintAny(out, any, m, level); + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* print a decoded SET OF or SEQUENCE OF Extensions */ +int +SECU_PrintSetOfExtensions(FILE *out, SECItem **any, char *m, int level) +{ + int rv = 0; + if (m && *m) { + SECU_Indent(out, level++); fprintf(out, "%s:\n", m); + } + while (any && any[0]) { + rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level); + any++; + } + return rv; +} + +/* print a decoded SET OF or SEQUENCE OF "ANY" */ +int +SECU_PrintSetOfAny(FILE *out, SECItem **any, char *m, int level) +{ + int rv = 0; + if (m && *m) { + SECU_Indent(out, level++); fprintf(out, "%s:\n", m); + } + while (any && any[0]) { + SECU_PrintAny(out, any[0], "", level); + any++; + } + return rv; +} + +int +SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, char *m, int level) +{ + int rv = 0; + SECOidTag tag; + tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level); + if (tag == SEC_OID_PKCS9_EXTENSION_REQUEST) { + rv = SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level); + } else { + rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level); + } + return rv; +} + +int +SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level) +{ + int rv = 0; + while (attrs[0]) { + rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1); + attrs++; + } + return rv; +} + +int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ +SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificateRequest *cr; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + /* Decode certificate request */ + cr = PORT_ArenaZNew(arena, CERTCertificateRequest); + if (!cr) + goto loser; + cr->arena = arena; + rv = SEC_QuickDERDecodeItem(arena, cr, + SEC_ASN1_GET(CERT_CertificateRequestTemplate), der); + if (rv) + goto loser; + + /* Pretty print it out */ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &cr->version, "Version", level+1); + SECU_PrintName(out, &cr->subject, "Subject", level+1); + secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo, + "Subject Public Key Info", level+1); + if (cr->attributes) + SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1); + rv = 0; +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificate *c; + int rv = SEC_ERROR_NO_MEMORY; + int iv; + + if (!arena) + return rv; + + /* Decode certificate */ + c = PORT_ArenaZNew(arena, CERTCertificate); + if (!c) + goto loser; + c->arena = arena; + rv = SEC_ASN1DecodeItem(arena, c, + SEC_ASN1_GET(CERT_CertificateTemplate), der); + if (rv) { + SECU_Indent(out, level); + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, der, "Raw", level); + goto loser; + } + /* Pretty print it out */ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + iv = c->version.len ? DER_GetInteger(&c->version) : 0; /* version is optional */ + SECU_Indent(out, level+1); fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); + + SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1); + SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1); + SECU_PrintName(out, &c->issuer, "Issuer", level+1); + secu_PrintValidity(out, &c->validity, "Validity", level+1); + SECU_PrintName(out, &c->subject, "Subject", level+1); + secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo, + "Subject Public Key Info", level+1); + if (c->issuerID.data) + secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level+1); + if (c->subjectID.data) + secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1); + SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECKEYPublicKey key; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + PORT_Memset(&key, 0, sizeof(key)); + rv = SEC_ASN1DecodeItem(arena, &key, + SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der); + if (!rv) { + /* Pretty print it out */ + secu_PrintRSAPublicKey(out, &key, m, level); + } + + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +#ifdef HAVE_EPV_TEMPLATE +int +SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECKEYEncryptedPrivateKeyInfo key; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + PORT_Memset(&key, 0, sizeof(key)); + rv = SEC_ASN1DecodeItem(arena, &key, + SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der); + if (rv) + goto loser; + + /* Pretty print it out */ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm", + level+1); + SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level+1); +loser: + PORT_FreeArena(arena, PR_TRUE); + return rv; +} +#endif + +int +SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level) +{ + unsigned char fingerprint[20]; + char *fpStr = NULL; + int err = PORT_GetError(); + SECStatus rv; + SECItem fpItem; + + /* print MD5 fingerprint */ + memset(fingerprint, 0, sizeof fingerprint); + rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len); + fpItem.data = fingerprint; + fpItem.len = MD5_LENGTH; + fpStr = CERT_Hexify(&fpItem, 1); + SECU_Indent(out, level); fprintf(out, "%s (MD5):\n", m); + SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); + PORT_Free(fpStr); + fpStr = NULL; + if (rv != SECSuccess && !err) + err = PORT_GetError(); + + /* print SHA1 fingerprint */ + memset(fingerprint, 0, sizeof fingerprint); + rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len); + fpItem.data = fingerprint; + fpItem.len = SHA1_LENGTH; + fpStr = CERT_Hexify(&fpItem, 1); + SECU_Indent(out, level); fprintf(out, "%s (SHA1):\n", m); + SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); + PORT_Free(fpStr); + fprintf(out, "\n"); + + if (err) + PORT_SetError(err); + if (err || rv != SECSuccess) + return SECFailure; + + return 0; +} + +/* +** PKCS7 Support +*/ + +/* forward declaration */ +static int +secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *, int); + +/* +** secu_PrintPKCS7EncContent +** Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it) +*/ +static void +secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, + char *m, int level) +{ + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_Indent(out, level + 1); + fprintf(out, "Content Type: %s\n", + (src->contentTypeTag != NULL) ? src->contentTypeTag->desc + : "Unknown"); + SECU_PrintAlgorithmID(out, &(src->contentEncAlg), + "Content Encryption Algorithm", level+1); + SECU_PrintAsHex(out, &(src->encContent), + "Encrypted Content", level+1); +} + +/* +** secu_PrintRecipientInfo +** Prints a PKCS7RecipientInfo type +*/ +static void +secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, + int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(info->version), "Version", level + 1); + + SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", + level + 1); + SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), + "Serial Number", level + 1); + + /* Parse and display encrypted key */ + SECU_PrintAlgorithmID(out, &(info->keyEncAlg), + "Key Encryption Algorithm", level + 1); + SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1); +} + +/* +** secu_PrintSignerInfo +** Prints a PKCS7SingerInfo type +*/ +static void +secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level) +{ + SEC_PKCS7Attribute *attr; + int iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(info->version), "Version", level + 1); + + SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", + level + 1); + SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), + "Serial Number", level + 1); + + SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm", + level + 1); + + if (info->authAttr != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Authenticated Attributes:\n"); + iv = 0; + while ((attr = info->authAttr[iv++]) != NULL) { + sprintf(om, "Attribute (%d)", iv); + secu_PrintAttribute(out, attr, om, level + 2); + } + } + + /* Parse and display signature */ + SECU_PrintAlgorithmID(out, &(info->digestEncAlg), + "Digest Encryption Algorithm", level + 1); + SECU_PrintAsHex(out, &(info->encDigest), "Encrypted Digest", level + 1); + + if (info->unAuthAttr != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Unauthenticated Attributes:\n"); + iv = 0; + while ((attr = info->unAuthAttr[iv++]) != NULL) { + sprintf(om, "Attribute (%x)", iv); + secu_PrintAttribute(out, attr, om, level + 2); + } + } +} + +/* callers of this function must make sure that the CERTSignedCrl + from which they are extracting the CERTCrl has been fully-decoded. + Otherwise it will not have the entries even though the CRL may have + some */ + +void +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level) +{ + CERTCrlEntry *entry; + int iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + /* version is optional */ + iv = crl->version.len ? DER_GetInteger(&crl->version) : 0; + SECU_Indent(out, level+1); + fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); + SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm", + level + 1); + SECU_PrintName(out, &(crl->name), "Issuer", level + 1); + SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1); + if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */ + SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1); + + if (crl->entries != NULL) { + iv = 0; + while ((entry = crl->entries[iv++]) != NULL) { + sprintf(om, "Entry (%x):\n", iv); + SECU_Indent(out, level + 1); fprintf(out, om); + SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number", + level + 2); + SECU_PrintTimeChoice(out, &(entry->revocationDate), + "Revocation Date", level + 2); + SECU_PrintExtensions(out, entry->extensions, + "Entry Extensions", level + 2); + } + } + SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1); +} + +/* +** secu_PrintPKCS7Signed +** Pretty print a PKCS7 signed data type (up to version 1). +*/ +static int +secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src, + const char *m, int level) +{ + SECAlgorithmID *digAlg; /* digest algorithms */ + SECItem *aCert; /* certificate */ + CERTSignedCrl *aCrl; /* certificate revocation list */ + SEC_PKCS7SignerInfo *sigInfo; /* signer information */ + int rv, iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list digest algorithms (if any) */ + if (src->digestAlgorithms != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); + iv = 0; + while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { + sprintf(om, "Digest Algorithm (%x)", iv); + SECU_PrintAlgorithmID(out, digAlg, om, level + 2); + } + } + + /* Now for the content */ + rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo), + "Content Information", level + 1); + if (rv != 0) + return rv; + + /* Parse and list certificates (if any) */ + if (src->rawCerts != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); + iv = 0; + while ((aCert = src->rawCerts[iv++]) != NULL) { + sprintf(om, "Certificate (%x)", iv); + rv = SECU_PrintSignedData(out, aCert, om, level + 2, + SECU_PrintCertificate); + if (rv) + return rv; + } + } + + /* Parse and list CRL's (if any) */ + if (src->crls != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signed Revocation Lists:\n"); + iv = 0; + while ((aCrl = src->crls[iv++]) != NULL) { + sprintf(om, "Signed Revocation List (%x)", iv); + SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); + SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, + "Signature Algorithm", level+3); + DER_ConvertBitString(&aCrl->signatureWrap.signature); + SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", + level+3); + SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", + level + 3); + } + } + + /* Parse and list signatures (if any) */ + if (src->signerInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signer Information List:\n"); + iv = 0; + while ((sigInfo = src->signerInfos[iv++]) != NULL) { + sprintf(om, "Signer Information (%x)", iv); + secu_PrintSignerInfo(out, sigInfo, om, level + 2); + } + } + + return 0; +} + +/* +** secu_PrintPKCS7Enveloped +** Pretty print a PKCS7 enveloped data type (up to version 1). +*/ +static void +secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src, + const char *m, int level) +{ + SEC_PKCS7RecipientInfo *recInfo; /* pointer for signer information */ + int iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list recipients (this is not optional) */ + if (src->recipientInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Recipient Information List:\n"); + iv = 0; + while ((recInfo = src->recipientInfos[iv++]) != NULL) { + sprintf(om, "Recipient Information (%x)", iv); + secu_PrintRecipientInfo(out, recInfo, om, level + 2); + } + } + + secu_PrintPKCS7EncContent(out, &src->encContentInfo, + "Encrypted Content Information", level + 1); +} + +/* +** secu_PrintPKCS7SignedEnveloped +** Pretty print a PKCS7 singed and enveloped data type (up to version 1). +*/ +static int +secu_PrintPKCS7SignedAndEnveloped(FILE *out, + SEC_PKCS7SignedAndEnvelopedData *src, + const char *m, int level) +{ + SECAlgorithmID *digAlg; /* pointer for digest algorithms */ + SECItem *aCert; /* pointer for certificate */ + CERTSignedCrl *aCrl; /* pointer for certificate revocation list */ + SEC_PKCS7SignerInfo *sigInfo; /* pointer for signer information */ + SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */ + int rv, iv; + char om[100]; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list recipients (this is not optional) */ + if (src->recipientInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Recipient Information List:\n"); + iv = 0; + while ((recInfo = src->recipientInfos[iv++]) != NULL) { + sprintf(om, "Recipient Information (%x)", iv); + secu_PrintRecipientInfo(out, recInfo, om, level + 2); + } + } + + /* Parse and list digest algorithms (if any) */ + if (src->digestAlgorithms != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); + iv = 0; + while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { + sprintf(om, "Digest Algorithm (%x)", iv); + SECU_PrintAlgorithmID(out, digAlg, om, level + 2); + } + } + + secu_PrintPKCS7EncContent(out, &src->encContentInfo, + "Encrypted Content Information", level + 1); + + /* Parse and list certificates (if any) */ + if (src->rawCerts != NULL) { + SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); + iv = 0; + while ((aCert = src->rawCerts[iv++]) != NULL) { + sprintf(om, "Certificate (%x)", iv); + rv = SECU_PrintSignedData(out, aCert, om, level + 2, + SECU_PrintCertificate); + if (rv) + return rv; + } + } + + /* Parse and list CRL's (if any) */ + if (src->crls != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signed Revocation Lists:\n"); + iv = 0; + while ((aCrl = src->crls[iv++]) != NULL) { + sprintf(om, "Signed Revocation List (%x)", iv); + SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); + SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, + "Signature Algorithm", level+3); + DER_ConvertBitString(&aCrl->signatureWrap.signature); + SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", + level+3); + SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", + level + 3); + } + } + + /* Parse and list signatures (if any) */ + if (src->signerInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signer Information List:\n"); + iv = 0; + while ((sigInfo = src->signerInfos[iv++]) != NULL) { + sprintf(om, "Signer Information (%x)", iv); + secu_PrintSignerInfo(out, sigInfo, om, level + 2); + } + } + + return 0; +} + +int +SECU_PrintCrl (FILE *out, SECItem *der, char *m, int level) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCrl *c = NULL; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + do { + /* Decode CRL */ + c = PORT_ArenaZNew(arena, CERTCrl); + if (!c) + break; + + rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der); + if (rv != SECSuccess) + break; + SECU_PrintCRLInfo (out, c, m, level); + } while (0); + PORT_FreeArena (arena, PR_FALSE); + return rv; +} + + +/* +** secu_PrintPKCS7Encrypted +** Pretty print a PKCS7 encrypted data type (up to version 1). +*/ +static void +secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src, + const char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + secu_PrintPKCS7EncContent(out, &src->encContentInfo, + "Encrypted Content Information", level + 1); +} + +/* +** secu_PrintPKCS7Digested +** Pretty print a PKCS7 digested data type (up to version 1). +*/ +static void +secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src, + const char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm", + level + 1); + secu_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information", + level + 1); + SECU_PrintAsHex(out, &src->digest, "Digest", level + 1); +} + +/* +** secu_PrintPKCS7ContentInfo +** Takes a SEC_PKCS7ContentInfo type and sends the contents to the +** appropriate function +*/ +static int +secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, + char *m, int level) +{ + const char *desc; + SECOidTag kind; + int rv; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + level++; + + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); + + if (src->contentTypeTag == NULL) { + desc = "Unknown"; + kind = SEC_OID_PKCS7_DATA; + } else { + desc = src->contentTypeTag->desc; + kind = src->contentTypeTag->offset; + } + + if (src->content.data == NULL) { + SECU_Indent(out, level); fprintf(out, "%s:\n", desc); + level++; + SECU_Indent(out, level); fprintf(out, "<no content>\n"); + return 0; + } + + rv = 0; + switch (kind) { + case SEC_OID_PKCS7_SIGNED_DATA: /* Signed Data */ + rv = secu_PrintPKCS7Signed(out, src->content.signedData, desc, level); + break; + + case SEC_OID_PKCS7_ENVELOPED_DATA: /* Enveloped Data */ + secu_PrintPKCS7Enveloped(out, src->content.envelopedData, desc, level); + break; + + case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA: /* Signed and Enveloped */ + rv = secu_PrintPKCS7SignedAndEnveloped(out, + src->content.signedAndEnvelopedData, + desc, level); + break; + + case SEC_OID_PKCS7_DIGESTED_DATA: /* Digested Data */ + secu_PrintPKCS7Digested(out, src->content.digestedData, desc, level); + break; + + case SEC_OID_PKCS7_ENCRYPTED_DATA: /* Encrypted Data */ + secu_PrintPKCS7Encrypted(out, src->content.encryptedData, desc, level); + break; + + default: + SECU_PrintAsHex(out, src->content.data, desc, level); + break; + } + + return rv; +} + +/* +** SECU_PrintPKCS7ContentInfo +** Decode and print any major PKCS7 data type (up to version 1). +*/ +int +SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level) +{ + SEC_PKCS7ContentInfo *cinfo; + int rv; + + cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL); + if (cinfo != NULL) { + /* Send it to recursive parsing and printing module */ + rv = secu_PrintPKCS7ContentInfo(out, cinfo, m, level); + SEC_PKCS7DestroyContentInfo(cinfo); + } else { + rv = -1; + } + + return rv; +} + +/* +** End of PKCS7 functions +*/ + +void +printFlags(FILE *out, unsigned int flags, int level) +{ + if ( flags & CERTDB_VALID_PEER ) { + SECU_Indent(out, level); fprintf(out, "Valid Peer\n"); + } + if ( flags & CERTDB_TRUSTED ) { + SECU_Indent(out, level); fprintf(out, "Trusted\n"); + } + if ( flags & CERTDB_SEND_WARN ) { + SECU_Indent(out, level); fprintf(out, "Warn When Sending\n"); + } + if ( flags & CERTDB_VALID_CA ) { + SECU_Indent(out, level); fprintf(out, "Valid CA\n"); + } + if ( flags & CERTDB_TRUSTED_CA ) { + SECU_Indent(out, level); fprintf(out, "Trusted CA\n"); + } + if ( flags & CERTDB_NS_TRUSTED_CA ) { + SECU_Indent(out, level); fprintf(out, "Netscape Trusted CA\n"); + } + if ( flags & CERTDB_USER ) { + SECU_Indent(out, level); fprintf(out, "User\n"); + } + if ( flags & CERTDB_TRUSTED_CLIENT_CA ) { + SECU_Indent(out, level); fprintf(out, "Trusted Client CA\n"); + } + if ( flags & CERTDB_GOVT_APPROVED_CA ) { + SECU_Indent(out, level); fprintf(out, "Step-up\n"); + } +} + +void +SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level) +{ + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n"); + printFlags(out, trust->sslFlags, level+2); + SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n"); + printFlags(out, trust->emailFlags, level+2); + SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n"); + printFlags(out, trust->objectSigningFlags, level+2); +} + +int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, + int level, SECU_PPFunc inner) +{ + PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTSignedData *sd; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + /* Strip off the signature */ + sd = PORT_ArenaZNew(arena, CERTSignedData); + if (!sd) + goto loser; + + rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), + der); + if (rv) + goto loser; + + SECU_Indent(out, level); fprintf(out, "%s:\n", m); + rv = (*inner)(out, &sd->data, "Data", level+1); + + SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm", + level+1); + DER_ConvertBitString(&sd->signature); + SECU_PrintAsHex(out, &sd->signature, "Signature", level+1); + SECU_PrintFingerprints(out, der, "Fingerprint", level+1); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; + +} + +SECStatus +SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd) +{ + PRBool found; + PLOptState *optstate; + PLOptStatus status; + char *optstring; + int i, j; + + optstring = (char *)malloc(cmd->numCommands + 2*cmd->numOptions); + j = 0; + + for (i=0; i<cmd->numCommands; i++) { + optstring[j++] = cmd->commands[i].flag; + } + for (i=0; i<cmd->numOptions; i++) { + optstring[j++] = cmd->options[i].flag; + if (cmd->options[i].needsArg) + optstring[j++] = ':'; + } + optstring[j] = '\0'; + optstate = PL_CreateOptState(argc, argv, optstring); + + /* Parse command line arguments */ + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + + /* Wasn't really an option, just standalone arg. */ + if (optstate->option == '\0') + continue; + + found = PR_FALSE; + + for (i=0; i<cmd->numCommands; i++) { + if (cmd->commands[i].flag == optstate->option) { + cmd->commands[i].activated = PR_TRUE; + if (optstate->value) { + cmd->commands[i].arg = (char *)optstate->value; + } + found = PR_TRUE; + break; + } + } + + if (found) + continue; + + for (i=0; i<cmd->numOptions; i++) { + if (cmd->options[i].flag == optstate->option) { + cmd->options[i].activated = PR_TRUE; + if (optstate->value) { + cmd->options[i].arg = (char *)optstate->value; + } else if (cmd->options[i].needsArg) { + return SECFailure; + } + found = PR_TRUE; + break; + } + } + + if (!found) + return SECFailure; + } + if (status == PL_OPT_BAD) + return SECFailure; + return SECSuccess; +} + +char * +SECU_GetOptionArg(secuCommand *cmd, int optionNum) +{ + if (optionNum < 0 || optionNum >= cmd->numOptions) + return NULL; + if (cmd->options[optionNum].activated) + return PL_strdup(cmd->options[optionNum].arg); + else + return NULL; +} + +static char SECUErrorBuf[64]; + +char * +SECU_ErrorStringRaw(int16 err) +{ + if (err == 0) + SECUErrorBuf[0] = '\0'; + else if (err == SEC_ERROR_BAD_DATA) + sprintf(SECUErrorBuf, "Bad data"); + else if (err == SEC_ERROR_BAD_DATABASE) + sprintf(SECUErrorBuf, "Problem with database"); + else if (err == SEC_ERROR_BAD_DER) + sprintf(SECUErrorBuf, "Problem with DER"); + else if (err == SEC_ERROR_BAD_KEY) + sprintf(SECUErrorBuf, "Problem with key"); + else if (err == SEC_ERROR_BAD_PASSWORD) + sprintf(SECUErrorBuf, "Incorrect password"); + else if (err == SEC_ERROR_BAD_SIGNATURE) + sprintf(SECUErrorBuf, "Bad signature"); + else if (err == SEC_ERROR_EXPIRED_CERTIFICATE) + sprintf(SECUErrorBuf, "Expired certificate"); + else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID) + sprintf(SECUErrorBuf, "Invalid extension value"); + else if (err == SEC_ERROR_INPUT_LEN) + sprintf(SECUErrorBuf, "Problem with input length"); + else if (err == SEC_ERROR_INVALID_ALGORITHM) + sprintf(SECUErrorBuf, "Invalid algorithm"); + else if (err == SEC_ERROR_INVALID_ARGS) + sprintf(SECUErrorBuf, "Invalid arguments"); + else if (err == SEC_ERROR_INVALID_AVA) + sprintf(SECUErrorBuf, "Invalid AVA"); + else if (err == SEC_ERROR_INVALID_TIME) + sprintf(SECUErrorBuf, "Invalid time"); + else if (err == SEC_ERROR_IO) + sprintf(SECUErrorBuf, "Security I/O error"); + else if (err == SEC_ERROR_LIBRARY_FAILURE) + sprintf(SECUErrorBuf, "Library failure"); + else if (err == SEC_ERROR_NO_MEMORY) + sprintf(SECUErrorBuf, "Out of memory"); + else if (err == SEC_ERROR_OLD_CRL) + sprintf(SECUErrorBuf, "CRL is older than the current one"); + else if (err == SEC_ERROR_OUTPUT_LEN) + sprintf(SECUErrorBuf, "Problem with output length"); + else if (err == SEC_ERROR_UNKNOWN_ISSUER) + sprintf(SECUErrorBuf, "Unknown issuer"); + else if (err == SEC_ERROR_UNTRUSTED_CERT) + sprintf(SECUErrorBuf, "Untrusted certificate"); + else if (err == SEC_ERROR_UNTRUSTED_ISSUER) + sprintf(SECUErrorBuf, "Untrusted issuer"); + else if (err == SSL_ERROR_BAD_CERTIFICATE) + sprintf(SECUErrorBuf, "Bad certificate"); + else if (err == SSL_ERROR_BAD_CLIENT) + sprintf(SECUErrorBuf, "Bad client"); + else if (err == SSL_ERROR_BAD_SERVER) + sprintf(SECUErrorBuf, "Bad server"); + else if (err == SSL_ERROR_EXPORT_ONLY_SERVER) + sprintf(SECUErrorBuf, "Export only server"); + else if (err == SSL_ERROR_NO_CERTIFICATE) + sprintf(SECUErrorBuf, "No certificate"); + else if (err == SSL_ERROR_NO_CYPHER_OVERLAP) + sprintf(SECUErrorBuf, "No cypher overlap"); + else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE) + sprintf(SECUErrorBuf, "Unsupported certificate type"); + else if (err == SSL_ERROR_UNSUPPORTED_VERSION) + sprintf(SECUErrorBuf, "Unsupported version"); + else if (err == SSL_ERROR_US_ONLY_SERVER) + sprintf(SECUErrorBuf, "U.S. only server"); + else if (err == PR_IO_ERROR) + sprintf(SECUErrorBuf, "I/O error"); + + else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) + sprintf (SECUErrorBuf, "Expired Issuer Certificate"); + else if (err == SEC_ERROR_REVOKED_CERTIFICATE) + sprintf (SECUErrorBuf, "Revoked certificate"); + else if (err == SEC_ERROR_NO_KEY) + sprintf (SECUErrorBuf, "No private key in database for this cert"); + else if (err == SEC_ERROR_CERT_NOT_VALID) + sprintf (SECUErrorBuf, "Certificate is not valid"); + else if (err == SEC_ERROR_EXTENSION_NOT_FOUND) + sprintf (SECUErrorBuf, "Certificate extension was not found"); + else if (err == SEC_ERROR_CA_CERT_INVALID) + sprintf (SECUErrorBuf, "Issuer certificate is invalid"); + else if (err == SEC_ERROR_CERT_USAGES_INVALID) + sprintf (SECUErrorBuf, "Certificate usages is invalid"); + else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) + sprintf (SECUErrorBuf, "Certificate has unknown critical extension"); + else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE) + sprintf (SECUErrorBuf, "Bad PKCS7 signature"); + else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE) + sprintf (SECUErrorBuf, "Certificate not approved for this operation"); + else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE) + sprintf (SECUErrorBuf, "Certificate not approved for this operation"); + + return SECUErrorBuf; +} + +char * +SECU_ErrorString(int16 err) +{ + char *error_string; + + *SECUErrorBuf = 0; + SECU_ErrorStringRaw (err); + + if (*SECUErrorBuf == 0) { + error_string = SECU_GetString(err); + if (error_string == NULL || *error_string == '\0') + sprintf(SECUErrorBuf, "No error string found for %d.", err); + else + return error_string; + } + + return SECUErrorBuf; +} + + +void +SECU_PrintPRandOSError(char *progName) +{ + char buffer[513]; + PRInt32 errLen = PR_GetErrorTextLength(); + if (errLen > 0 && errLen < sizeof buffer) { + PR_GetErrorText(buffer); + } + SECU_PrintError(progName, "function failed"); + if (errLen > 0 && errLen < sizeof buffer) { + PR_fprintf(PR_STDERR, "\t%s\n", buffer); + } +} + + +static char * +bestCertName(CERTCertificate *cert) { + if (cert->nickname) { + return cert->nickname; + } + if (cert->emailAddr && cert->emailAddr[0]) { + return cert->emailAddr; + } + return cert->subjectName; +} + +void +SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, + SECCertificateUsage certUsage, void *pinArg, PRBool verbose) +{ + CERTVerifyLog log; + CERTVerifyLogNode *node = NULL; + unsigned int depth = (unsigned int)-1; + unsigned int flags = 0; + char * errstr = NULL; + PRErrorCode err = PORT_GetError(); + + log.arena = PORT_NewArena(512); + log.head = log.tail = NULL; + log.count = 0; + CERT_VerifyCertificate(handle, cert, checksig, certUsage, PR_Now(), pinArg, &log, NULL); + + if (log.count > 0) { + fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n"); + for (node = log.head; node; node = node->next) { + if (depth != node->depth) { + depth = node->depth; + fprintf(outfile,"CERT %d. %s %s:\n", depth, + bestCertName(node->cert), + depth ? "[Certificate Authority]": ""); + if (verbose) { + const char * emailAddr; + emailAddr = CERT_GetFirstEmailAddress(node->cert); + if (emailAddr) { + fprintf(outfile,"Email Address(es): "); + do { + fprintf(outfile, "%s\n", emailAddr); + emailAddr = CERT_GetNextEmailAddress(node->cert, + emailAddr); + } while (emailAddr); + } + } + } + fprintf(outfile," ERROR %ld: %s\n", node->error, + SECU_Strerror(node->error)); + errstr = NULL; + switch (node->error) { + case SEC_ERROR_INADEQUATE_KEY_USAGE: + flags = (unsigned int)node->arg; + switch (flags) { + case KU_DIGITAL_SIGNATURE: + errstr = "Cert cannot sign."; + break; + case KU_KEY_ENCIPHERMENT: + errstr = "Cert cannot encrypt."; + break; + case KU_KEY_CERT_SIGN: + errstr = "Cert cannot sign other certs."; + break; + default: + errstr = "[unknown usage]."; + break; + } + case SEC_ERROR_INADEQUATE_CERT_TYPE: + flags = (unsigned int)node->arg; + switch (flags) { + case NS_CERT_TYPE_SSL_CLIENT: + case NS_CERT_TYPE_SSL_SERVER: + errstr = "Cert cannot be used for SSL."; + break; + case NS_CERT_TYPE_SSL_CA: + errstr = "Cert cannot be used as an SSL CA."; + break; + case NS_CERT_TYPE_EMAIL: + errstr = "Cert cannot be used for SMIME."; + break; + case NS_CERT_TYPE_EMAIL_CA: + errstr = "Cert cannot be used as an SMIME CA."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING: + errstr = "Cert cannot be used for object signing."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING_CA: + errstr = "Cert cannot be used as an object signing CA."; + break; + default: + errstr = "[unknown usage]."; + break; + } + case SEC_ERROR_UNKNOWN_ISSUER: + case SEC_ERROR_UNTRUSTED_ISSUER: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + errstr = node->cert->issuerName; + break; + default: + break; + } + if (errstr) { + fprintf(stderr," %s\n",errstr); + } + CERT_DestroyCertificate(node->cert); + } + } + PORT_SetError(err); /* restore original error code */ +} + +SECOidTag +SECU_StringToSignatureAlgTag(const char *alg) +{ + SECOidTag hashAlgTag = SEC_OID_UNKNOWN; + + if (alg) { + if (!PL_strcmp(alg, "MD2")) { + hashAlgTag = SEC_OID_MD2; + } else if (!PL_strcmp(alg, "MD4")) { + hashAlgTag = SEC_OID_MD4; + } else if (!PL_strcmp(alg, "MD5")) { + hashAlgTag = SEC_OID_MD5; + } else if (!PL_strcmp(alg, "SHA1")) { + hashAlgTag = SEC_OID_SHA1; + } else if (!PL_strcmp(alg, "SHA256")) { + hashAlgTag = SEC_OID_SHA256; + } else if (!PL_strcmp(alg, "SHA384")) { + hashAlgTag = SEC_OID_SHA384; + } else if (!PL_strcmp(alg, "SHA512")) { + hashAlgTag = SEC_OID_SHA512; + } + } + return hashAlgTag; +} + + +SECStatus +SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile, + const PRBool ascii, char *url) +{ + PORT_Assert(derCrl != NULL); + if (!derCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (outFile != NULL) { + if (ascii) { + PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER, + BTOA_DataToAscii(derCrl->data, derCrl->len), + NS_CRL_TRAILER); + } else { + if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) { + return SECFailure; + } + } + } + if (slot) { + CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url, + SEC_CRL_TYPE, NULL, 0, NULL, 0); + if (newCrl != NULL) { + SEC_DestroyCrl(newCrl); + return SECSuccess; + } + return SECFailure; + } + if (!outFile && !slot) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + return SECSuccess; +} + +SECStatus +SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, + SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode) +{ + SECItem der; + SECKEYPrivateKey *caPrivateKey = NULL; + SECStatus rv; + PRArenaPool *arena; + SECOidTag algID; + void *dummy; + + PORT_Assert(issuer != NULL && signCrl != NULL); + if (!issuer || !signCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + arena = signCrl->arena; + + caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL); + if (caPrivateKey == NULL) { + *resCode = noKeyFound; + return SECFailure; + } + + algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag); + if (algID == SEC_OID_UNKNOWN) { + *resCode = noSignatureMatch; + rv = SECFailure; + goto done; + } + + if (!signCrl->crl.signatureAlg.parameters.data) { + rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0); + if (rv != SECSuccess) { + *resCode = failToEncode; + goto done; + } + } + + der.len = 0; + der.data = NULL; + dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl, + SEC_ASN1_GET(CERT_CrlTemplate)); + if (!dummy) { + *resCode = failToEncode; + rv = SECFailure; + goto done; + } + + rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap, + der.data, der.len, caPrivateKey, algID); + if (rv != SECSuccess) { + *resCode = failToSign; + goto done; + } + + signCrl->derCrl = PORT_ArenaZNew(arena, SECItem); + if (signCrl->derCrl == NULL) { + *resCode = noMem; + PORT_SetError(SEC_ERROR_NO_MEMORY); + rv = SECFailure; + goto done; + } + + signCrl->derCrl->len = 0; + signCrl->derCrl->data = NULL; + dummy = SEC_ASN1EncodeItem (arena, signCrl->derCrl, signCrl, + SEC_ASN1_GET(CERT_SignedCrlTemplate)); + if (!dummy) { + *resCode = failToEncode; + rv = SECFailure; + goto done; + } + +done: + if (caPrivateKey) { + SECKEY_DestroyPrivateKey(caPrivateKey); + } + return rv; +} + + + +SECStatus +SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl) +{ + void *dummy; + SECStatus rv = SECSuccess; + SECItem der; + + PORT_Assert(destArena && srcCrl && destCrl); + if (!destArena || !srcCrl || !destCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + der.len = 0; + der.data = NULL; + dummy = SEC_ASN1EncodeItem (destArena, &der, srcCrl, + SEC_ASN1_GET(CERT_CrlTemplate)); + if (!dummy) { + return SECFailure; + } + + rv = SEC_QuickDERDecodeItem(destArena, destCrl, + SEC_ASN1_GET(CERT_CrlTemplate), &der); + if (rv != SECSuccess) { + return SECFailure; + } + + destCrl->arena = destArena; + + return rv; +} + +SECStatus +SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd, + unsigned char *buf, int len, SECKEYPrivateKey *pk, + SECOidTag algID) +{ + SECItem it; + SECStatus rv; + + it.data = 0; + + /* XXX We should probably have some asserts here to make sure the key type + * and algID match + */ + + /* Sign input buffer */ + rv = SEC_SignData(&it, buf, len, pk, algID); + if (rv) goto loser; + + /* Fill out SignedData object */ + PORT_Memset(sd, 0, sizeof(*sd)); + sd->data.data = buf; + sd->data.len = len; + sd->signature.data = it.data; + sd->signature.len = it.len << 3; /* convert to bit string */ + rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0); + if (rv) goto loser; + + return rv; + + loser: + PORT_Free(it.data); + return rv; +} + +#if 0 + +/* we need access to the private function cert_FindExtension for this code to work */ + +CERTAuthKeyID * +SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *scrl) +{ + SECItem encodedExtenValue; + SECStatus rv; + CERTAuthKeyID *ret; + CERTCrl* crl; + + if (!scrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + crl = &scrl->crl; + + encodedExtenValue.data = NULL; + encodedExtenValue.len = 0; + + rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID, + &encodedExtenValue); + if ( rv != SECSuccess ) { + return (NULL); + } + + ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue); + + PORT_Free(encodedExtenValue.data); + encodedExtenValue.data = NULL; + + return(ret); +} + +#endif + +/* + * Find the issuer of a Crl. Use the authorityKeyID if it exists. + */ +CERTCertificate * +SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject, + CERTAuthKeyID* authorityKeyID, PRTime validTime) +{ + CERTCertificate *issuerCert = NULL; + CERTCertList *certList = NULL; + + if (!subject) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + certList = + CERT_CreateSubjectCertList(NULL, dbhandle, subject, + validTime, PR_TRUE); + if (certList) { + CERTCertListNode *node = CERT_LIST_HEAD(certList); + + /* XXX and authoritykeyid in the future */ + while ( ! CERT_LIST_END(node, certList) ) { + CERTCertificate *cert = node->cert; + /* check cert CERTCertTrust data is allocated, check cert + usage extension, check that cert has pkey in db. Select + the first (newest) user cert */ + if (cert->trust && + CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess && + CERT_IsUserCert(cert)) { + + issuerCert = CERT_DupCertificate(cert); + break; + } + node = CERT_LIST_NEXT(node); + } + CERT_DestroyCertList(certList); + } + return(issuerCert); +} + + +/* Encodes and adds extensions to the CRL or CRL entries. */ +SECStatus +SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, + void *value, PRBool criticality, int extenType, + EXTEN_EXT_VALUE_ENCODER EncodeValueFn) +{ + SECItem encodedValue; + SECStatus rv; + + encodedValue.data = NULL; + encodedValue.len = 0; + do { + rv = (*EncodeValueFn)(arena, value, &encodedValue); + if (rv != SECSuccess) + break; + + rv = CERT_AddExtension(extHandle, extenType, &encodedValue, + criticality, PR_TRUE); + if (rv != SECSuccess) + break; + } while (0); + + return (rv); +} diff --git a/base/native-tools/src/tkstool/secutil.h b/base/native-tools/src/tkstool/secutil.h new file mode 100644 index 000000000..a2f065067 --- /dev/null +++ b/base/native-tools/src/tkstool/secutil.h @@ -0,0 +1,430 @@ +/** BEGIN COPYRIGHT BLOCK + * + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * END COPYRIGHT BLOCK **/ + +/* Originally obtained from: + * + * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot + * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.h + */ + +#ifndef _SEC_UTIL_H_ +#define _SEC_UTIL_H_ + +#include "seccomon.h" +#include "secitem.h" +#include "prerror.h" +#include "base64.h" +#include "key.h" +#include "secpkcs7.h" +#include "secasn1.h" +#include "secder.h" +#include <stdio.h> + +#define SEC_CT_PRIVATE_KEY "private-key" +#define SEC_CT_PUBLIC_KEY "public-key" +#define SEC_CT_CERTIFICATE "certificate" +#define SEC_CT_CERTIFICATE_REQUEST "certificate-request" +#define SEC_CT_PKCS7 "pkcs7" +#define SEC_CT_CRL "crl" + +#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----" +#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----" + +#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----" +#define NS_CERT_TRAILER "-----END CERTIFICATE-----" + +#define NS_CRL_HEADER "-----BEGIN CRL-----" +#define NS_CRL_TRAILER "-----END CRL-----" + +/* From libsec/pcertdb.c --- it's not declared in sec.h */ +extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle, + SECItem *derCert, char *nickname, CERTCertTrust *trust); + + +#ifdef SECUTIL_NEW +typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, + char *msg, int level); +#else +typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level); +#endif + +typedef struct { + enum { + PW_NONE = 0, + PW_FROMFILE = 1, + PW_PLAINTEXT = 2, + PW_EXTERNAL = 3 + } source; + char *data; +} secuPWData; + +/* +** Change a password on a token, or initialize a token with a password +** if it does not already have one. +** Use passwd to send the password in plaintext, pwFile to specify a +** file containing the password, or NULL for both to prompt the user. +*/ +SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile); + +/* These were stolen from the old sec.h... */ +/* +** Check a password for legitimacy. Passwords must be at least 8 +** characters long and contain one non-alphabetic. Return DSTrue if the +** password is ok, DSFalse otherwise. +*/ +extern PRBool SEC_CheckPassword(char *password); + +/* +** Blind check of a password. Complement to SEC_CheckPassword which +** ignores length and content type, just retuning DSTrue is the password +** exists, DSFalse if NULL +*/ +extern PRBool SEC_BlindCheckPassword(char *password); + +/* +** Get a password. +** First prompt with "msg" on "out", then read the password from "in". +** The password is then checked using "chkpw". +*/ +extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg, + PRBool (*chkpw)(char *)); + +char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg); + +char *SECU_GetPasswordString(void *arg, char *prompt); + +/* +** Write a dongle password. +** Uses MD5 to hash constant system data (hostname, etc.), and then +** creates RC4 key to encrypt a password "pw" into a file "fd". +*/ +extern SECStatus SEC_WriteDongleFile(int fd, char *pw); + +/* +** Get a dongle password. +** Uses MD5 to hash constant system data (hostname, etc.), and then +** creates RC4 key to decrypt and return a password from file "fd". +*/ +extern char *SEC_ReadDongleFile(int fd); + + +/* End stolen headers */ + +/* Just sticks the two strings together with a / if needed */ +char *SECU_AppendFilenameToDir(char *dir, char *filename); + +/* Returns result of getenv("SSL_DIR") or NULL */ +extern char *SECU_DefaultSSLDir(void); + +/* +** Should be called once during initialization to set the default +** directory for looking for cert.db, key.db, and cert-nameidx.db files +** Removes trailing '/' in 'base' +** If 'base' is NULL, defaults to set to .netscape in home directory. +*/ +extern char *SECU_ConfigDirectory(const char* base); + +/* +** Basic callback function for SSL_GetClientAuthDataHook +*/ +extern int +SECU_GetClientAuthData(void *arg, PRFileDesc *fd, + struct CERTDistNamesStr *caNames, + struct CERTCertificateStr **pRetCert, + struct SECKEYPrivateKeyStr **pRetKey); + +/* print out an error message */ +extern void SECU_PrintError(char *progName, char *msg, ...); + +/* print out a system error message */ +extern void SECU_PrintSystemError(char *progName, char *msg, ...); + +/* Return informative error string */ +extern const char * SECU_Strerror(PRErrorCode errNum); + +/* print information about cert verification failure */ +extern void +SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, + SECCertificateUsage certUsage, void *pinArg, PRBool verbose); + +/* Read the contents of a file into a SECItem */ +extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src); +extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src); + +/* Read in a DER from a file, may be ascii */ +extern SECStatus +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii); + +/* Indent based on "level" */ +extern void SECU_Indent(FILE *out, int level); + +/* Print integer value and hex */ +extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level); + +/* Print ObjectIdentifier symbolically */ +extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level); + +/* Print AlgorithmIdentifier symbolically */ +extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, + int level); + +/* Print SECItem as hex */ +extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level); + +/* dump a buffer in hex and ASCII */ +extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len); + +/* + * Format and print the UTC Time "t". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level); + +/* + * Format and print the Generalized Time "t". If the tag message "m" + * is not NULL, * do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, + int level); + +/* + * Format and print the UTC or Generalized Time "t". If the tag message + * "m" is not NULL, do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level); + +/* callback for listing certs through pkcs11 */ +extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data); + +/* Dump all certificate nicknames in a database */ +extern SECStatus +SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, + PRBool sortByName, PRBool sortByTrust); + +/* See if nickname already in database. Return 1 true, 0 false, -1 error */ +int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname); + +/* Dump contents of cert req */ +extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, + int level); + +/* Dump contents of certificate */ +extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level); + +/* print trust flags on a cert */ +extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level); + +/* Dump contents of public key */ +extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level); + +#ifdef HAVE_EPV_TEMPLATE +/* Dump contents of private key */ +extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level); +#endif + +/* Print the MD5 and SHA1 fingerprints of a cert */ +extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, + int level); + +/* Pretty-print any PKCS7 thing */ +extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, + int level); + +/* Init PKCS11 stuff */ +extern SECStatus SECU_PKCS11Init(PRBool readOnly); + +/* Dump contents of signed data */ +extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level, + SECU_PPFunc inner); + +extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level); + +extern void +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level); + +extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level); +extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level); + +extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level); +extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + char *msg, int level); + +extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + char *msg, int level); + +extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level); + +#ifdef SECU_GetPassword +/* Convert a High public Key to a Low public Key */ +extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey); +#endif + +extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg); + +extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw); +extern void SEC_Init(void); + +extern char *SECU_SECModDBName(void); + +extern void SECU_PrintPRandOSError(char *progName); + +extern SECStatus SECU_RegisterDynamicOids(void); + +/* Identifies hash algorithm tag by its string representation. */ +extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg); + +/* Store CRL in output file or pk11 db. Also + * encodes with base64 and exports to file if ascii flag is set + * and file is not NULL. */ +extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, + PRFileDesc *outFile, int ascii, char *url); + + +/* +** DER sign a single block of data using private key encryption and the +** MD5 hashing algorithm. This routine first computes a digital signature +** using SEC_SignData, then wraps it with an CERTSignedData and then der +** encodes the result. +** "arena" is the memory arena to use to allocate data from +** "sd" returned CERTSignedData +** "result" the final der encoded data (memory is allocated) +** "buf" the input data to sign +** "len" the amount of data to sign +** "pk" the private key to encrypt with +*/ +extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd, + unsigned char *buf, int len, + SECKEYPrivateKey *pk, SECOidTag algID); + +typedef enum { + noKeyFound = 1, + noSignatureMatch = 2, + failToEncode = 3, + failToSign = 4, + noMem = 5 +} SignAndEncodeFuncExitStat; + +extern SECStatus +SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, + SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode); + +extern SECStatus +SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl); + +/* +** Finds the crl Authority Key Id extension. Returns NULL if no such extension +** was found. +*/ +CERTAuthKeyID * +SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl); + +/* + * Find the issuer of a crl. Cert usage should be checked before signing a crl. + */ +CERTCertificate * +SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject, + CERTAuthKeyID* id, PRTime validTime); + + +/* call back function used in encoding of an extension. Called from + * SECU_EncodeAndAddExtensionValue */ +typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena, + void *value, SECItem *encodedValue); + +/* Encodes and adds extensions to the CRL or CRL entries. */ +SECStatus +SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, + void *value, PRBool criticality, int extenType, + EXTEN_EXT_VALUE_ENCODER EncodeValueFn); + + +/* + * + * Utilities for parsing security tools command lines + * + */ + +/* A single command flag */ +typedef struct { + char flag; + PRBool needsArg; + char *arg; + PRBool activated; +} secuCommandFlag; + +/* A full array of command/option flags */ +typedef struct +{ + int numCommands; + int numOptions; + + secuCommandFlag *commands; + secuCommandFlag *options; +} secuCommand; + +/* fill the "arg" and "activated" fields for each flag */ +SECStatus +SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd); +char * +SECU_GetOptionArg(secuCommand *cmd, int optionNum); + +/* + * + * Error messaging + * + */ + +/* Return informative error string */ +char *SECU_ErrorString(int16 err); + +/* Return informative error string. Does not call XP_GetString */ +char *SECU_ErrorStringRaw(int16 err); + +void printflags(char *trusts, unsigned int flags); + +#ifndef XP_UNIX +extern int ffs(unsigned int i); +#endif + +#include "secerr.h" +#include "sslerr.h" + +#endif /* _SEC_UTIL_H_ */ diff --git a/base/native-tools/src/tkstool/tkstool.c b/base/native-tools/src/tkstool/tkstool.c new file mode 100644 index 000000000..5368b2e7b --- /dev/null +++ b/base/native-tools/src/tkstool/tkstool.c @@ -0,0 +1,2660 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + + +static char *progName; + + +/* tkstool commands */ +enum { + cmd_DeleteKey = 0, + cmd_PrintHelp, + cmd_InputGenTransportKey, + cmd_DisplayKCV, + cmd_ListKeys, + cmd_GenMasterKey, + cmd_NewDBs, + cmd_ChangePassword, + cmd_RenameKey, + cmd_ListSecModules, + cmd_GenTransportKey, + cmd_UnWrapMasterKey, + cmd_Version, + cmd_WrapMasterKey +}; + + +/* tkstool options */ +enum { + opt_DBDir = 0, + opt_PasswordFile, + opt_TokenName, + opt_InFile, + opt_Keyname, + opt_OutFile, + opt_DBPrefix, + opt_NewKeyname, + opt_TransportKeyname, + opt_RW, + opt_NoiseFile +}; + + +static secuCommandFlag tkstool_commands[] = { + { /* cmd_DeleteKey */ 'D', PR_FALSE, 0, PR_FALSE }, + { /* cmd_PrintHelp */ 'H', PR_FALSE, 0, PR_FALSE }, + { /* cmd_InputGenTransportKey */ 'I', PR_FALSE, 0, PR_FALSE }, + { /* cmd_DisplayKCV */ 'K', PR_FALSE, 0, PR_FALSE }, + { /* cmd_ListKeys */ 'L', PR_FALSE, 0, PR_FALSE }, + { /* cmd_GenMasterKey */ 'M', PR_FALSE, 0, PR_FALSE }, + { /* cmd_NewDBs */ 'N', PR_FALSE, 0, PR_FALSE }, + { /* cmd_ChangePassword */ 'P', PR_FALSE, 0, PR_FALSE }, + { /* cmd_RenameKey */ 'R', PR_FALSE, 0, PR_FALSE }, + { /* cmd_ListSecModules */ 'S', PR_FALSE, 0, PR_FALSE }, + { /* cmd_GenTransportKey */ 'T', PR_FALSE, 0, PR_FALSE }, + { /* cmd_UnWrapMasterKey */ 'U', PR_FALSE, 0, PR_FALSE }, + { /* cmd_Version */ 'V', PR_FALSE, 0, PR_FALSE }, + { /* cmd_WrapMasterKey */ 'W', PR_FALSE, 0, PR_FALSE } +}; + + +static secuCommandFlag tkstool_options[] = { + { /* opt_DBDir */ 'd', PR_TRUE, 0, PR_FALSE }, + { /* opt_PasswordFile */ 'f', PR_TRUE, 0, PR_FALSE }, + { /* opt_TokenName */ 'h', PR_TRUE, 0, PR_FALSE }, + { /* opt_InFile */ 'i', PR_TRUE, 0, PR_FALSE }, + { /* opt_Keyname */ 'n', PR_TRUE, 0, PR_FALSE }, + { /* opt_OutFile */ 'o', PR_TRUE, 0, PR_FALSE }, + { /* opt_DBPrefix */ 'p', PR_TRUE, 0, PR_FALSE }, + { /* opt_NewKeyname */ 'r', PR_TRUE, 0, PR_FALSE }, + { /* opt_TransportKeyname */ 't', PR_TRUE, 0, PR_FALSE }, + { /* opt_RW */ 'x', PR_FALSE, 0, PR_FALSE }, + { /* opt_NoiseFile */ 'z', PR_TRUE, 0, PR_FALSE }, +}; + + +int +main( int argc, char **argv ) +{ + CK_KEY_DERIVATION_STRING_DATA secondDerivationData = { NULL, + 0 }; + CK_KEY_DERIVATION_STRING_DATA thirdDerivationData = { NULL, + 0 }; + PK11SlotInfo *internalSlot = NULL; + PK11SlotInfo *slot = NULL; + PK11SymKey *symmetricKey = NULL; + PK11SymKey *masterKey = NULL; + PK11SymKey *temporaryMasterKey = NULL; + PK11SymKey *firstSymmetricKey = NULL; + PK11SymKey *secondSymmetricKey = NULL; + PK11SymKey *thirdSymmetricKey = NULL; + PK11SymKey *transportKey = NULL; + PRBool readOnly = PR_FALSE; + PRIntn KCVLen = KCV_LENGTH; + PRUint8 *KCV = NULL; + SECItem firstSessionKeyShare = { siBuffer, + NULL, + 0 }; + SECItem secondSessionKeyShare = { siBuffer, + NULL, + 0 }; + SECItem thirdSessionKeyShare = { siBuffer, + NULL, + 0 }; +#if defined(PAD_DES2_KEY_LENGTH) + SECItem paddedFirstSessionKeyShare = { siBuffer, + NULL, + 0 }; + SECItem paddedSecondSessionKeyShare = { siBuffer, + NULL, + 0 }; + SECItem paddedThirdSessionKeyShare = { siBuffer, + NULL, + 0 }; +#endif + SECItem hexInternalKeyKCV = { siBuffer, + NULL, + 0 }; + SECItem wrappedMasterKey = { siBuffer, + NULL, + 0 }; + SECStatus rvKCV = SECFailure; + SECStatus rvParse = SECSuccess; + SECStatus rvNSSinit = SECSuccess; + SECStatus rvFindSymKey = SECSuccess; + SECStatus rvSeedRNG = SECSuccess; + SECStatus rvFirstSessionKeyShare = SECFailure; + SECStatus rvSecondSessionKeyShare = SECFailure; + SECStatus rvThirdSessionKeyShare = SECFailure; + SECStatus rvSaveWrappedMasterKey = SECSuccess; + SECStatus rvSymmetricKeyname = SECSuccess; + SECStatus rvWrappedMasterKey = SECSuccess; + SECStatus rvMasterKeyname = SECSuccess; + SECStatus rv = SECSuccess; + SECStatus status = PR_FALSE; + char commandToRun = '\0'; + char *DBDir = NULL; + char *DBPrefix = ""; + char *input = NULL; + char *keyname = NULL; + char *new_keyname = NULL; + char *output = NULL; + char *SeedNoise = NULL; + char *slotname = "internal"; + char *transport_keyname = NULL; + int commandsEntered = 0; + int i = 0; + int optionsEntered = 0; + secuPWData pwdata = { PW_NONE, + 0 }; + + + /**************************/ + /* Parse the command line */ + /**************************/ + + secuCommand tkstool; + tkstool.numCommands = sizeof( tkstool_commands ) / + sizeof( secuCommandFlag ); + tkstool.numOptions = sizeof( tkstool_options ) / + sizeof( secuCommandFlag ); + tkstool.commands = tkstool_commands; + tkstool.options = tkstool_options; + + /* retrieve name of command */ + progName = strrchr( argv[0], '/' ); + progName = progName ? ( progName + 1 ) : argv[0]; + + /* parse command line (command(s) and options) from command line */ + rvParse = SECU_ParseCommandLine( argc, argv, progName, &tkstool ); + if( rvParse != SECSuccess ) { + TKS_Usage( progName ); + + return 255; + } + + + /*********************************************************/ + /* Check the number of command line "command(s)" entered */ + /*********************************************************/ + + commandsEntered = 0; + for( i = 0 ; i < tkstool.numCommands ; i++ ) { + if( tkstool.commands[i].activated ) { + commandToRun = tkstool.commands[i].flag; + commandsEntered++; + } + + if( commandsEntered > 1 ) { + break; + } + } + + if( commandsEntered > 1 ) { + PR_fprintf( PR_STDERR, + "%s: only one command at a time!\n", + progName ); + + PR_fprintf( PR_STDERR, + "You entered: " ); + + for( i = 0 ; i < tkstool.numCommands ; i++ ) { + if( tkstool.commands[i].activated ) { + PR_fprintf( PR_STDERR, + " -%c", + tkstool.commands[i].flag ); + } + } + + PR_fprintf( PR_STDERR, + "\n" ); + return 255; + } + + if( commandsEntered == 0 ) { + PR_fprintf( PR_STDERR, + "%s: you must enter one of the following commands:\n\n", + progName ); + + TKS_Usage( progName ); + + return 255; + } + + + /********************************************************/ + /* Check the number of command line "option(s)" entered */ + /********************************************************/ + + optionsEntered = 0; + for( i = 0 ; i < tkstool.numOptions ; i++ ) { + if( tkstool.options[i].activated ) { + optionsEntered++; + } + + if( optionsEntered > 1 ) { + break; + } + } + + if( optionsEntered == 0 && + ! ( tkstool.commands[cmd_PrintHelp].activated || + tkstool.commands[cmd_Version].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: you must enter the following options " + "for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + + /***************************************************/ + /* Check that command line "options" correspond to */ + /* one of their specified command line "commands" */ + /***************************************************/ + + /* the "-d DBDir" command option may ONLY be used with */ + /* the "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", */ + /* "-S", "-T", "-U", and "-W" commands */ + if( tkstool.options[opt_DBDir].activated && + ! ( tkstool.commands[cmd_DeleteKey].activated || + tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_DisplayKCV].activated || + tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_GenMasterKey].activated || + tkstool.commands[cmd_NewDBs].activated || + tkstool.commands[cmd_ChangePassword].activated || + tkstool.commands[cmd_RenameKey].activated || + tkstool.commands[cmd_ListSecModules].activated || + tkstool.commands[cmd_GenTransportKey].activated || + tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-d DBDir\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-f pwfile" command option may ONLY be used with */ + /* the "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", */ + /* "-T", "-U", and "-W" commands */ + if( tkstool.options[opt_PasswordFile].activated && + ! ( tkstool.commands[cmd_DeleteKey].activated || + tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_DisplayKCV].activated || + tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_GenMasterKey].activated || + tkstool.commands[cmd_NewDBs].activated || + tkstool.commands[cmd_ChangePassword].activated || + tkstool.commands[cmd_RenameKey].activated || + tkstool.commands[cmd_GenTransportKey].activated || + tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-f pwfile\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-h token_name" command option may ONLY be used with */ + /* the "-D", "-I", "-K", "-L", "-M", "-R", "-T", "-U", and */ + /* "-W" commands */ + if( tkstool.options[opt_TokenName].activated && + ! ( tkstool.commands[cmd_DeleteKey].activated || + tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_DisplayKCV].activated || + tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_GenMasterKey].activated || + tkstool.commands[cmd_RenameKey].activated || + tkstool.commands[cmd_GenTransportKey].activated || + tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-h token_name\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-i infile" command option may ONLY be used with */ + /* the "-U" command */ + if( tkstool.options[opt_InFile].activated && + !tkstool.commands[cmd_UnWrapMasterKey].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-i infile\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-n keyname" command option may ONLY be used with the */ + /* "-D", "-I", "-K", "-L", "-M", "-R", "-T", "-U", and "-W" */ + /* commands */ + if( tkstool.options[opt_Keyname].activated && + ! ( tkstool.commands[cmd_DeleteKey].activated || + tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_DisplayKCV].activated || + tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_GenMasterKey].activated || + tkstool.commands[cmd_RenameKey].activated || + tkstool.commands[cmd_GenTransportKey].activated || + tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-n keyname\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-o outfile" command option may ONLY be used with */ + /* the "-W" command */ + if( tkstool.options[opt_OutFile].activated && + !tkstool.commands[cmd_WrapMasterKey].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-o outfile\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-p DBPrefix" command option may ONLY be used with */ + /* the "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", */ + /* "-S", "-T", "-U", and "-W" commands */ + if( tkstool.options[opt_DBPrefix].activated && + ! ( tkstool.commands[cmd_DeleteKey].activated || + tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_DisplayKCV].activated || + tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_GenMasterKey].activated || + tkstool.commands[cmd_NewDBs].activated || + tkstool.commands[cmd_ChangePassword].activated || + tkstool.commands[cmd_RenameKey].activated || + tkstool.commands[cmd_ListSecModules].activated || + tkstool.commands[cmd_GenTransportKey].activated || + tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-p DBPrefix\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-r new_keyname" command option may */ + /* ONLY be used with the "-R" command */ + if( tkstool.options[opt_NewKeyname].activated && + ! ( tkstool.commands[cmd_RenameKey].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-r new_keyname\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-t transport_keyname" command option may ONLY be used with */ + /* the "-U", and "-W" commands */ + if( tkstool.options[opt_TransportKeyname].activated && + !( tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-t transport_keyname\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-x" command option may ONLY be used with */ + /* the "-L", and "-S" commands */ + if( tkstool.options[opt_RW].activated && + ! ( tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_ListSecModules].activated ) ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-x\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* the "-z noisefile" command option may ONLY be used with */ + /* the "-T" command */ + if( tkstool.options[opt_NoiseFile].activated && + !tkstool.commands[cmd_GenTransportKey].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-z noisefile\" option may only be " + "specified with one of the following command(s):\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + + /********************************************************/ + /* Perform special processing on command line "options" */ + /********************************************************/ + + /* "-d DBDir" command option */ + if( tkstool.options[opt_DBDir].activated ) { + if( tkstool.options[opt_DBDir].arg ) { + DBDir = SECU_ConfigDirectory( tkstool.options[opt_DBDir].arg ); + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-d\" option must contain a " + "\"DBDir\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-f pwfile" command option */ + if( tkstool.options[opt_PasswordFile].activated ) { + pwdata.source = PW_FROMFILE; + if( tkstool.options[opt_PasswordFile].arg ) { + pwdata.data = tkstool.options[opt_PasswordFile].arg; + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-f\" option must contain a " + "\"pwfile\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-i infile" command option */ + if( tkstool.options[opt_InFile].activated ) { + if( tkstool.options[opt_InFile].arg ) { + input = tkstool.options[opt_InFile].arg; + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-i\" option must contain an " + "\"infile\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-h token_name" command option */ + if( tkstool.options[opt_TokenName].activated ) { + if( tkstool.options[opt_TokenName].arg ) { + if( PL_strcmp( tkstool.options[opt_TokenName].arg, "all" ) == 0 ) { + slotname = NULL; + } else { + slotname = PL_strdup( tkstool.options[opt_TokenName].arg ); + } + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-h\" option must contain a " + "\"token_name\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-n keyname" command option */ + if( tkstool.options[opt_Keyname].activated ) { + if( tkstool.options[opt_Keyname].arg ) { + keyname = SECU_GetOptionArg( &tkstool, + opt_Keyname ); + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-n\" option must contain a " + "\"keyname\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-o outfile" command option */ + if( tkstool.options[opt_OutFile].activated ) { + if( tkstool.options[opt_OutFile].arg ) { + output = tkstool.options[opt_OutFile].arg; + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-o\" option must contain an " + "\"outfile\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-p DBPrefix" command option */ + if( tkstool.options[opt_DBPrefix].activated ) { + if( tkstool.options[opt_DBPrefix].arg ) { + DBPrefix = strdup( tkstool.options[opt_DBPrefix].arg ); + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-p\" option must contain a " + "\"DBPrefix\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-r new_keyname" command option */ + if( tkstool.options[opt_NewKeyname].activated ) { + if( tkstool.options[opt_NewKeyname].arg ) { + new_keyname = SECU_GetOptionArg( &tkstool, + opt_NewKeyname ); + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-r\" option must contain a " + "\"new_keyname\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-t transport_keyname" command option */ + if( tkstool.options[opt_TransportKeyname].activated ) { + if( tkstool.options[opt_TransportKeyname].arg ) { + transport_keyname = SECU_GetOptionArg( &tkstool, + opt_TransportKeyname ); + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-t\" option must contain a " + "\"transport_keyname\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + /* "-x" command option is processed below */ + /* ONLY based upon specific commands */ + + /* "-z noisefile" command option */ + if( tkstool.options[opt_NoiseFile].activated ) { + if( tkstool.options[opt_NoiseFile].arg ) { + SeedNoise = tkstool.options[opt_NoiseFile].arg; + } else { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-z\" option must contain a " + "\"noisefile\" argument:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + } + + + /******************************************************************/ + /* Perform special processing on specific command line "commands" */ + /******************************************************************/ + + /* "-D", "-I", "-K", "-M", "-R", "-T", "-U" and "-W" */ + /* commands require the "-n keyname" command line */ + /* option to be specified */ + if( ( tkstool.commands[cmd_DeleteKey].activated || + tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_DisplayKCV].activated || + tkstool.commands[cmd_GenMasterKey].activated || + tkstool.commands[cmd_RenameKey].activated || + tkstool.commands[cmd_GenTransportKey].activated || + tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) && + !tkstool.options[opt_Keyname].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-n keyname\" option is required " + "for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", "-S", */ + /* "-T", "-U", and "-W" commands require the "-d DBDir" */ + /* command line option to be specified */ + if( ( tkstool.commands[cmd_DeleteKey].activated || + tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_DisplayKCV].activated || + tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_GenMasterKey].activated || + tkstool.commands[cmd_NewDBs].activated || + tkstool.commands[cmd_ChangePassword].activated || + tkstool.commands[cmd_RenameKey].activated || + tkstool.commands[cmd_ListSecModules].activated || + tkstool.commands[cmd_GenTransportKey].activated || + tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) && + !tkstool.options[opt_DBDir].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-d DBDir\" option is required " + "for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* "-H", "-L", "-S", and "-V" commands require the "-x" */ + /* command line option to be silently turned off */ + if( tkstool.commands[cmd_PrintHelp].activated || + tkstool.commands[cmd_ListKeys].activated || + tkstool.commands[cmd_ListSecModules].activated || + tkstool.commands[cmd_Version].activated ) { + readOnly = !tkstool.options[opt_RW].activated; + } + + /* "-L" command is the ONLY command that allows */ + /* the "-h all" command line option to be used */ + /* */ + /* NOTE: ONLY use "slotname == NULL" to */ + /* LIST keys on all slots */ + if( !tkstool.commands[cmd_ListKeys].activated && slotname == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: cannot use \"-h all\" for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* "-R" commands require the "-r new_keyname" */ + /* command line option to be specified */ + if( ( tkstool.commands[cmd_RenameKey].activated ) && + !tkstool.options[opt_NewKeyname].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-r new_keyname\" option is required " + "for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* "-U", and "-W" commands require the "-t transport_keyname" */ + /* command line option to be specified */ + if( ( tkstool.commands[cmd_UnWrapMasterKey].activated || + tkstool.commands[cmd_WrapMasterKey].activated ) && + !tkstool.options[opt_TransportKeyname].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-t transport_keyname\" option is required " + "for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* "-U" commands require the "-i infile" */ + /* command line option to be specified */ + if( tkstool.commands[cmd_UnWrapMasterKey].activated && + !tkstool.options[opt_InFile].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-i infile\" option is required " + "for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + /* "-W" commands require the "-o outfile" */ + /* command line option to be specified */ + if( tkstool.commands[cmd_WrapMasterKey].activated && + !tkstool.options[opt_OutFile].activated ) { + PR_fprintf( PR_STDERR, + "%s -%c: the \"-o outfile\" option is required " + "for this command:\n\n", + progName, + commandToRun ); + + TKS_Usage( progName ); + + return 255; + } + + + /*********************************/ + /* Execute the "-H" help command */ + /*********************************/ + + if( tkstool.commands[cmd_PrintHelp].activated ) { + TKS_PrintHelp( progName ); + + return 0; + } + + + /************************************/ + /* Execute the "-V" version command */ + /************************************/ + + /* "-V" version command */ + if( tkstool.commands[cmd_Version].activated ) { + TKS_Version( progName ); + + return 0; + } + + + /************************************************/ + /* Initialize PKCS #11 Security Module Password */ + /************************************************/ + + PK11_SetPasswordFunc( /* password callback */ SECU_GetModulePassword ); + + + /*******************/ + /* Initialize NSPR */ + /*******************/ + + PR_Init( PR_SYSTEM_THREAD, + PR_PRIORITY_NORMAL, + 1 ); + + + /******************/ + /* Initialize NSS */ + /******************/ + + rvNSSinit = NSS_Initialize( DBDir, + DBPrefix, + DBPrefix, + "secmod.db", + readOnly ? NSS_INIT_READONLY : 0 ); + if( rvNSSinit != SECSuccess ) { + char buffer[513]; + PRInt32 errLen = PR_GetErrorTextLength(); + + if( errLen > 0 && errLen < sizeof buffer ) { + PR_GetErrorText( buffer ); + } + + PR_fprintf( PR_STDERR, + "%s -%c: %s", + progName, + commandToRun, + "NSS_Initialize() failed" ); + + if( errLen > 0 && errLen < sizeof buffer ) { + PR_fprintf( PR_STDERR, "\t%s\n", buffer ); + } else { + PR_fprintf( PR_STDERR, "\n" ); + } + + rv = SECFailure; + goto shutdown; + } + + + /*****************************************************/ + /* Initialize internal PKCS #11 software crypto slot */ + /* as well as any specified PKCS #11 slot */ + /*****************************************************/ + + /* Always initialize the internal software crypto slot */ + internalSlot = PK11_GetInternalSlot(); + + /* If "slotname != NULL", initialize the slot based upon the slotname */ + if( PL_strcmp( slotname, "internal" ) == 0 ) { + slot = PK11_GetInternalKeySlot(); + } else if( slotname != NULL ) { + slot = PK11_FindSlotByName( /* slot name */ slotname ); + + /* Fixes Bugscape Bug #55178: tkstool dumps core if -h <token> */ + /* specifies a nonexistent token */ + if( slot == NULL ) { + char buffer[513]; + PRInt32 errLen = PR_GetErrorTextLength(); + + if( errLen > 0 && errLen < sizeof buffer ) { + PR_GetErrorText( buffer ); + } + + PR_fprintf( PR_STDERR, + "%s -%c: %s%s%s", + progName, + commandToRun, + "no token called \"", + slotname, + "\" exists!" ); + + if( errLen > 0 && errLen < sizeof buffer ) { + PR_fprintf( PR_STDERR, "\t%s\n", buffer ); + } else { + PR_fprintf( PR_STDERR, "\n" ); + } + + rv = SECFailure; + goto shutdown; + } + } + + + /****************************************/ + /* Execute the "-D" delete keys command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /****************************************/ + + if( tkstool.commands[cmd_DeleteKey].activated ) { + rv = TKS_DeleteKeys( progName, + slot, + keyname, + &pwdata ); + goto shutdown; + } + + + /*******************************************************************/ + /* Execute the "-I" input shares to generate transport key command */ + /* */ + /* --- OR --- */ + /* */ + /* Execute the "-T" generate transport key command */ + /* */ + /* NOTE: Each of these commands is mutually */ + /* exclusive from all others, including */ + /* each other. */ + /*******************************************************************/ + + if( tkstool.commands[cmd_InputGenTransportKey].activated || + tkstool.commands[cmd_GenTransportKey].activated ) { + + /**********************************************************/ + /* Do not allow duplicate symmetric keys to be generated */ + /* (i. e. - disallow symmetric keys specified */ + /* by the same keyname) */ + /* */ + /* NOTE: The following code snippet effectively */ + /* prohibits this tool from generating any */ + /* symmetric key with a keyname that already */ + /* resides in the specified token */ + /**********************************************************/ + + rvFindSymKey = TKS_FindSymKey( slot, + keyname, + &pwdata ); + if( rvFindSymKey == SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" keyname specified by " + "\n\t\t\"-n %s\"\n\t\talready exists in the " + "specified token.\n\t\tPlease specify a " + "different keyname.\n\n", + progName, + commandToRun, + keyname, + keyname ); + rv = SECFailure; + goto shutdown; + } + + + /**********************************************/ + /* Seed the Random Number Generator (RNG). */ + /* ("-T" generate transport key command ONLY) */ + /**********************************************/ + + if( tkstool.commands[cmd_GenTransportKey].activated ) { + rvSeedRNG = TKS_SeedRNG( SeedNoise ); + if( rvSeedRNG != SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s", + progName, + commandToRun, + "unable to seed random number generator\n" ); + rv = SECFailure; + goto shutdown; + } + } + + + /***********************************/ + /* Clear screen and wait for user. */ + /***********************************/ + + TKS_ClearScreen(); + + if( tkstool.commands[cmd_GenTransportKey].activated ) { + PR_fprintf( PR_STDOUT, + "\nThe next screen generates the " + "first session key share . . .\n" ); + } else { + /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ + PR_fprintf( PR_STDOUT, + "\nUse the next screen to input the " + "first session key share . . .\n" ); + } + + TKS_TypeProceedToContinue(); + + + /******************************************************************/ + /* Input ("-I"), or Generate ("-T"), the first session key share. */ + /******************************************************************/ + + firstSessionKeyShare.len = FIRST_SESSION_KEY_SHARE_LENGTH; + firstSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( FIRST_SESSION_KEY_SHARE_LENGTH ); + + if( tkstool.commands[cmd_GenTransportKey].activated ) { + rvFirstSessionKeyShare = TKS_GenerateSessionKeyShare( + FIRST_SESSION_KEY_SHARE, + &firstSessionKeyShare ); + + if( rvFirstSessionKeyShare != SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s", + progName, + commandToRun, + "unable to generate the ", + FIRST_SESSION_KEY_SHARE, + " session key share\n" ); + rv = SECFailure; + goto shutdown; + } + } else { + /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ + while( rvFirstSessionKeyShare != SECSuccess ) { + rvFirstSessionKeyShare = TKS_InputSessionKeyShare( + FIRST_SESSION_KEY_SHARE, + &firstSessionKeyShare ); + } + } + +#if defined(PAD_DES2_KEY_LENGTH) + /****************************************************************/ + /* Since TKS uses double-DES keys instead of triple-DES keys, */ + /* the final 8 bytes of this session key share must be padded */ + /* in order to use the standard PKCS #11 triple-DES operations! */ + /* */ + /* Therefore, in order to perform this operation, the 16 bytes */ + /* comprising the original buffer are first copied into the new */ + /* buffer, and then the first 8 bytes of the original buffer */ + /* are copied into the final 8 bytes of the new buffer. */ + /****************************************************************/ + + paddedFirstSessionKeyShare.len = PADDED_FIRST_SESSION_KEY_SHARE_LENGTH; + paddedFirstSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( PADDED_FIRST_SESSION_KEY_SHARE_LENGTH ); + + PORT_Memcpy( paddedFirstSessionKeyShare.data, + firstSessionKeyShare.data, + FIRST_SESSION_KEY_SHARE_LENGTH ); + PORT_Memcpy( ( paddedFirstSessionKeyShare.data + + FIRST_SESSION_KEY_SHARE_LENGTH ), + firstSessionKeyShare.data, + DES_LENGTH ); +#endif + + + /***********************************/ + /* Clear screen and wait for user. */ + /***********************************/ + + TKS_ClearScreen(); + + if( tkstool.commands[cmd_GenTransportKey].activated ) { + PR_fprintf( PR_STDOUT, + "\nThe next screen generates the " + "second session key share . . .\n" ); + } else { + /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ + PR_fprintf( PR_STDOUT, + "\nUse the next screen to input the " + "second session key share . . .\n" ); + } + + TKS_TypeProceedToContinue(); + + + /*******************************************************************/ + /* Input ("-I"), or Generate ("-T"), the second session key share. */ + /*******************************************************************/ + + secondSessionKeyShare.len = SECOND_SESSION_KEY_SHARE_LENGTH; + secondSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( SECOND_SESSION_KEY_SHARE_LENGTH ); + + if( tkstool.commands[cmd_GenTransportKey].activated ) { + rvSecondSessionKeyShare = TKS_GenerateSessionKeyShare( + SECOND_SESSION_KEY_SHARE, + &secondSessionKeyShare ); + + if( rvSecondSessionKeyShare != SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s", + progName, + commandToRun, + "unable to generate the ", + SECOND_SESSION_KEY_SHARE, + " session key share\n" ); + rv = SECFailure; + goto shutdown; + } + } else { + /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ + while( rvSecondSessionKeyShare != SECSuccess ) { + rvSecondSessionKeyShare = TKS_InputSessionKeyShare( + SECOND_SESSION_KEY_SHARE, + &secondSessionKeyShare ); + } + } + +#if defined(PAD_DES2_KEY_LENGTH) + /****************************************************************/ + /* Since TKS uses double-DES keys instead of triple-DES keys, */ + /* the final 8 bytes of this session key share must be padded */ + /* in order to use the standard PKCS #11 triple-DES operations! */ + /* */ + /* Therefore, in order to perform this operation, the 16 bytes */ + /* comprising the original buffer are first copied into the new */ + /* buffer, and then the first 8 bytes of the original buffer */ + /* are copied into the final 8 bytes of the new buffer. */ + /****************************************************************/ + + paddedSecondSessionKeyShare.len = PADDED_SECOND_SESSION_KEY_SHARE_LENGTH; + paddedSecondSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( PADDED_SECOND_SESSION_KEY_SHARE_LENGTH ); + + PORT_Memcpy( paddedSecondSessionKeyShare.data, + secondSessionKeyShare.data, + SECOND_SESSION_KEY_SHARE_LENGTH ); + PORT_Memcpy( ( paddedSecondSessionKeyShare.data + + SECOND_SESSION_KEY_SHARE_LENGTH ), + secondSessionKeyShare.data, + DES_LENGTH ); + + + /**********************************************/ + /* Prepare this key share to be used with the */ + /* TKS_DeriveSymmetricKey() function . . . */ + /**********************************************/ + + /* store a copy of the "original" padded second session key share */ + secondDerivationData.ulLen = paddedSecondSessionKeyShare.len; + secondDerivationData.pData = ( unsigned char * ) + PORT_ZAlloc( paddedSecondSessionKeyShare.len ); + PORT_Memcpy( secondDerivationData.pData, + paddedSecondSessionKeyShare.data, + paddedSecondSessionKeyShare.len ); + + /* destroy the "original" padded second session key share */ + if( paddedSecondSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + paddedSecondSessionKeyShare.data, + paddedSecondSessionKeyShare.len ); + paddedSecondSessionKeyShare.data = NULL; + paddedSecondSessionKeyShare.len = 0; + } + + /* create a "new" container for the padded second session key share */ + paddedSecondSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); + paddedSecondSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( paddedSecondSessionKeyShare.len ); + + /* copy the "original" padded second session key share */ + /* into the "new" container */ + PORT_Memcpy( paddedSecondSessionKeyShare.data, + &secondDerivationData, + paddedSecondSessionKeyShare.len ); +#else + /**********************************************/ + /* Prepare this key share to be used with the */ + /* TKS_DeriveSymmetricKey() function . . . */ + /**********************************************/ + + /* store a copy of the "original" second session key share */ + secondDerivationData.ulLen = secondSessionKeyShare.len; + secondDerivationData.pData = ( unsigned char * ) + PORT_ZAlloc( secondSessionKeyShare.len ); + PORT_Memcpy( secondDerivationData.pData, + secondSessionKeyShare.data, + secondSessionKeyShare.len ); + + /* destroy the "original" second session key share */ + if( secondSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + secondSessionKeyShare.data, + secondSessionKeyShare.len ); + secondSessionKeyShare.data = NULL; + secondSessionKeyShare.len = 0; + } + + /* create a "new" container for the second session key share */ + secondSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); + secondSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( secondSessionKeyShare.len ); + + /* copy the "original" second session key share */ + /* into the "new" container */ + PORT_Memcpy( secondSessionKeyShare.data, + &secondDerivationData, + secondSessionKeyShare.len ); +#endif + + + /***********************************/ + /* Clear screen and wait for user. */ + /***********************************/ + + TKS_ClearScreen(); + + if( tkstool.commands[cmd_GenTransportKey].activated ) { + PR_fprintf( PR_STDOUT, + "\nThe next screen generates the " + "third session key share . . .\n" ); + } else { + /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ + PR_fprintf( PR_STDOUT, + "\nUse the next screen to input the " + "third session key share . . .\n" ); + } + + TKS_TypeProceedToContinue(); + + + /******************************************************************/ + /* Input ("-I"), or Generate ("-T"), the third session key share. */ + /******************************************************************/ + + thirdSessionKeyShare.len = THIRD_SESSION_KEY_SHARE_LENGTH; + thirdSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( THIRD_SESSION_KEY_SHARE_LENGTH ); + + if( tkstool.commands[cmd_GenTransportKey].activated ) { + rvThirdSessionKeyShare = TKS_GenerateSessionKeyShare( + THIRD_SESSION_KEY_SHARE, + &thirdSessionKeyShare ); + + if( rvThirdSessionKeyShare != SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s", + progName, + commandToRun, + "unable to generate the ", + THIRD_SESSION_KEY_SHARE, + " session key share\n" ); + rv = SECFailure; + goto shutdown; + } + } else { + /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ + while( rvThirdSessionKeyShare != SECSuccess ) { + rvThirdSessionKeyShare = TKS_InputSessionKeyShare( + THIRD_SESSION_KEY_SHARE, + &thirdSessionKeyShare ); + } + } + +#if defined(PAD_DES2_KEY_LENGTH) + /****************************************************************/ + /* Since TKS uses double-DES keys instead of triple-DES keys, */ + /* the final 8 bytes of this session key share must be padded */ + /* in order to use the standard PKCS #11 triple-DES operations! */ + /* */ + /* Therefore, in order to perform this operation, the 16 bytes */ + /* comprising the original buffer are first copied into the new */ + /* buffer, and then the first 8 bytes of the original buffer */ + /* are copied into the final 8 bytes of the new buffer. */ + /****************************************************************/ + + paddedThirdSessionKeyShare.len = PADDED_THIRD_SESSION_KEY_SHARE_LENGTH; + paddedThirdSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( PADDED_THIRD_SESSION_KEY_SHARE_LENGTH ); + + PORT_Memcpy( paddedThirdSessionKeyShare.data, + thirdSessionKeyShare.data, + THIRD_SESSION_KEY_SHARE_LENGTH ); + PORT_Memcpy( ( paddedThirdSessionKeyShare.data + + THIRD_SESSION_KEY_SHARE_LENGTH ), + thirdSessionKeyShare.data, + DES_LENGTH ); + + + /**********************************************/ + /* Prepare this key share to be used with the */ + /* TKS_DeriveSymmetricKey() function . . . */ + /**********************************************/ + + /* store a copy of the "original" padded third session key share */ + thirdDerivationData.ulLen = paddedThirdSessionKeyShare.len; + thirdDerivationData.pData = ( unsigned char * ) + PORT_ZAlloc( paddedThirdSessionKeyShare.len ); + PORT_Memcpy( thirdDerivationData.pData, + paddedThirdSessionKeyShare.data, + paddedThirdSessionKeyShare.len ); + + /* destroy the "original" padded third session key share */ + if( paddedThirdSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + paddedThirdSessionKeyShare.data, + paddedThirdSessionKeyShare.len ); + paddedThirdSessionKeyShare.data = NULL; + paddedThirdSessionKeyShare.len = 0; + } + + /* create a "new" container for the padded third session key share */ + paddedThirdSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); + paddedThirdSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( paddedThirdSessionKeyShare.len ); + + /* copy the "original" padded third session key share */ + /* into the "new" container */ + PORT_Memcpy( paddedThirdSessionKeyShare.data, + &thirdDerivationData, + paddedThirdSessionKeyShare.len ); +#else + /**********************************************/ + /* Prepare this key share to be used with the */ + /* TKS_DeriveSymmetricKey() function . . . */ + /**********************************************/ + + /* store a copy of the "original" third session key share */ + thirdDerivationData.ulLen = thirdSessionKeyShare.len; + thirdDerivationData.pData = ( unsigned char * ) + PORT_ZAlloc( thirdSessionKeyShare.len ); + PORT_Memcpy( thirdDerivationData.pData, + thirdSessionKeyShare.data, + thirdSessionKeyShare.len ); + + /* destroy the "original" third session key share */ + if( thirdSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + thirdSessionKeyShare.data, + thirdSessionKeyShare.len ); + thirdSessionKeyShare.data = NULL; + thirdSessionKeyShare.len = 0; + } + + /* create a "new" container for the third session key share */ + thirdSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); + thirdSessionKeyShare.data = ( unsigned char * ) + PORT_ZAlloc( thirdSessionKeyShare.len ); + + /* copy the "original" third session key share */ + /* into the "new" container */ + PORT_Memcpy( thirdSessionKeyShare.data, + &thirdDerivationData, + thirdSessionKeyShare.len ); +#endif + + + /***********************************/ + /* Clear screen and wait for user. */ + /***********************************/ + + TKS_ClearScreen(); + + PR_fprintf( PR_STDOUT, + "\nThe next screen uses the session key shares to " + "generate the transport key . . .\n" ); + + TKS_TypeProceedToContinue(); + + TKS_ClearScreen(); + + + /**************************************/ + /* Generate the first symmetric key */ + /* using the first session key share. */ + /**************************************/ + + +#if defined(PAD_DES2_KEY_LENGTH) + firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY, + internalSlot, + CKM_DES3_KEY_GEN, + CKA_ENCRYPT, + &paddedFirstSessionKeyShare, + &pwdata ); +#else + firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY, + internalSlot, + CKM_DES2_KEY_GEN, + CKA_ENCRYPT, + &firstSessionKeyShare, + &pwdata ); +#endif + if( firstSymmetricKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to generate the first (or initial) " + "symmetric key", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + + + /*********************************************************/ + /* Generate the second symmetric key using the */ + /* first symmetric key and the second session key share. */ + /*********************************************************/ + +#if defined(PAD_DES2_KEY_LENGTH) + secondSymmetricKey = TKS_DeriveSymmetricKey( SECOND_SYMMETRIC_KEY, + firstSymmetricKey, + CKM_XOR_BASE_AND_DATA, + &paddedSecondSessionKeyShare, + CKM_DES3_ECB, + ( CKA_DERIVE | + CKA_ENCRYPT ), + PADDED_SECOND_SESSION_KEY_SHARE_LENGTH ); +#else + secondSymmetricKey = TKS_DeriveSymmetricKey( SECOND_SYMMETRIC_KEY, + firstSymmetricKey, + CKM_XOR_BASE_AND_DATA, + &secondSessionKeyShare, + CKM_DES3_ECB, + ( CKA_DERIVE | + CKA_ENCRYPT ), + SECOND_SESSION_KEY_SHARE_LENGTH ); +#endif + if( secondSymmetricKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to generate the second (or intermediate) " + "symmetric key", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + + + /*********************************************************/ + /* Generate the third symmetric key using the */ + /* second symmetric key and the third session key share. */ + /*********************************************************/ + +#if defined(PAD_DES2_KEY_LENGTH) + thirdSymmetricKey = TKS_DeriveSymmetricKey( THIRD_SYMMETRIC_KEY, + secondSymmetricKey, + CKM_XOR_BASE_AND_DATA, + &paddedThirdSessionKeyShare, + CKM_DES3_ECB, + ( CKA_DERIVE | + CKA_ENCRYPT ), + PADDED_THIRD_SESSION_KEY_SHARE_LENGTH ); +#else + thirdSymmetricKey = TKS_DeriveSymmetricKey( THIRD_SYMMETRIC_KEY, + secondSymmetricKey, + CKM_XOR_BASE_AND_DATA, + &thirdSessionKeyShare, + CKM_DES3_ECB, + ( CKA_DERIVE | + CKA_ENCRYPT ), + THIRD_SESSION_KEY_SHARE_LENGTH ); +#endif + if( thirdSymmetricKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to generate the third (or final) " + "symmetric key", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + + + /*******************************************************************/ + /* Finally, store the third symmetric key (the transport key) into */ + /* the specified slot, and provide a name for this transport key. */ + /*******************************************************************/ + + rvSymmetricKeyname = TKS_StoreSymmetricKeyAndNameIt( TRANSPORT_KEY, + keyname, + slot, + ( CKA_ENCRYPT | + CKA_WRAP ), + ( CKF_ENCRYPT | + CKF_UNWRAP | + CKF_WRAP ), + thirdSymmetricKey ); + if( rvSymmetricKeyname != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to save/name the transport key!\n\n" ); + rv = SECFailure; + goto shutdown; + } else { + PR_fprintf( PR_STDOUT, + "Successfully generated, stored, and named the " + "transport key!\n\n" ); + } + + + /*********************************/ + /* Cleanup and exit with success */ + /*********************************/ + + rv = SECSuccess; + goto shutdown; + } + + + /****************************************/ + /* Execute the "-K" display KCV command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /****************************************/ + + if( tkstool.commands[cmd_DisplayKCV].activated ) { + + /*****************************************************/ + /* Retrieve a handle to the specified symmetric key. */ + /* This insures that the specified symmetric key */ + /* already resides on the specified token. */ + /*****************************************************/ + + symmetricKey = TKS_RetrieveSymKey( slot, + keyname, + &pwdata ); + if( symmetricKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" symmetric keyname specified by " + "\n\t\t\"-n %s\" does NOT exist on the specified " + "token.\n\t\tPlease specify a " + "different symmetric keyname.\n\n", + progName, + commandToRun, + keyname, + keyname ); + rv = SECFailure; + goto shutdown; + } + + + /*************************************************/ + /* Compute and display this symmetric key's KCV. */ + /*************************************************/ + + PR_fprintf( PR_STDOUT, + "\nComputing and displaying KCV of the symmetric key " + "on the specified token . . .\n\n" ); + + /* Calculate this symmetric key's KCV */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, + ( PRIntn ) 0, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + symmetricKey, + keyname, + RESIDENT_KEY, + PR_TRUE, + NULL ); + if( rvKCV != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Unable to compute/display KCV of " + "this symmetric key!\n\n" ); + rv = SECFailure; + goto shutdown; + } + + + /*********************************/ + /* Cleanup and exit with success */ + /*********************************/ + + rv = SECSuccess; + goto shutdown; + } + + + /**************************************/ + /* Execute the "-L" list keys command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /**************************************/ + + if( tkstool.commands[cmd_ListKeys].activated ) { + rv = TKS_ListKeys( progName, + slot, + keyname, + 0 /*keyindex*/, + PR_FALSE /*dopriv*/, + &pwdata ); + goto shutdown; + } + + + /************************************************/ + /* Execute the "-M" generate master key command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /************************************************/ + + if( tkstool.commands[cmd_GenMasterKey].activated ) { + + /**********************************************************/ + /* Do not allow duplicate symmetric keys to be generated */ + /* (i. e. - disallow symmetric keys specified */ + /* by the same keyname) */ + /* */ + /* NOTE: The following code snippet effectively */ + /* prohibits this tool from generating any */ + /* symmetric key with a keyname that already */ + /* resides in the specified token */ + /**********************************************************/ + + rvFindSymKey = TKS_FindSymKey( slot, + keyname, + &pwdata ); + if( rvFindSymKey == SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" keyname specified by " + "\n\t\t\"-n %s\"\n\t\talready exists in the " + "specified token.\n\t\tPlease specify a " + "different keyname.\n\n", + progName, + commandToRun, + keyname, + keyname ); + rv = SECFailure; + goto shutdown; + } + + + /*****************************************************************/ + /* Generate the master key and store it on the designated token. */ + /*****************************************************************/ + + PR_fprintf( PR_STDOUT, + "\nGenerating and storing the master key " + "on the specified token . . .\n\n" ); + + if( MASTER_KEY_LENGTH == ( 2 * DES_LENGTH ) ) { + masterKey = PK11_TokenKeyGen( + /* slot */ slot, + /* mechanism */ CKM_DES2_KEY_GEN, + /* param */ 0, + /* keySize */ 0, + /* keyid */ 0, + /* isToken (i. e. - isPerm) */ PR_TRUE, + /* wincx */ &pwdata ); + if( masterKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to generate/store this DES2 master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + } else if( MASTER_KEY_LENGTH == ( 3 * DES_LENGTH ) ) { + masterKey = PK11_TokenKeyGen( + /* slot */ slot, + /* mechanism */ CKM_DES3_KEY_GEN, + /* param */ 0, + /* keySize */ 0, + /* keyid */ 0, + /* isToken (i. e. - isPerm) */ PR_TRUE, + /* wincx */ &pwdata ); + if( masterKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to generate/store this DES3 master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + } else { + /* invalid key size */ + PR_fprintf( PR_STDERR, + "%s -%c: %s\n\n\n", + progName, + commandToRun, + "MASTER_KEY_LENGTH must be DES2 or DES3 length!" ); + rv = SECFailure; + goto shutdown; + } + + + /*****************************************************************/ + /* Finally, name the master key with the specified name. */ + /*****************************************************************/ + + PR_fprintf( PR_STDOUT, + "Naming the master key \"%s\" . . .\n\n", + keyname ); + + rvMasterKeyname = PK11_SetSymKeyNickname( + /* symmetric key */ masterKey, + /* nickname */ keyname ); + if( rvMasterKeyname != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to name the master key!\n\n" ); + rv = SECFailure; + goto shutdown; + } + + + /*********************************************/ + /* Compute and display the master key's KCV. */ + /*********************************************/ + + PR_fprintf( PR_STDOUT, + "Computing and displaying KCV of the master key " + "on the specified token . . .\n\n" ); + + /* Calculate the master key's KCV */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, + ( PRIntn ) 0, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + masterKey, + keyname, + RESIDENT_KEY, + PR_TRUE, + NULL ); + if( rvKCV != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Unable to compute/display KCV of " + "the master key!\n\n" ); + rv = SECFailure; + goto shutdown; + } else { + PR_fprintf( PR_STDOUT, + "Successfully generated, stored, and named the " + "master key\nincluding computing and displaying " + "its KCV!\n\n" ); + } + + + /*********************************/ + /* Cleanup and exit with success */ + /*********************************/ + + rv = SECSuccess; + goto shutdown; + } + + + /**************************************************************/ + /* Execute the "-N" new software database creation command */ + /* */ + /* NOTE: This command is mutually exclusive from all others. */ + /* Always initialize the password when creating a new */ + /* set of software databases */ + /**************************************************************/ + + if( tkstool.commands[cmd_NewDBs].activated ) { + rv = SECU_ChangePW( slot, + 0, + pwdata.data ); + goto shutdown; + } + + + /****************************************************/ + /* Execute the "-P" change key DB password command */ + /* */ + /* NOTE: This command is mutually exclusive from */ + /* all others. (future - change pw to slot?) */ + /****************************************************/ + + if( tkstool.commands[cmd_ChangePassword].activated ) { + rv = SECU_ChangePW( slot, + 0, + pwdata.data ); + goto shutdown; + } + + + /***************************************/ + /* Execute the "-R" rename key command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /***************************************/ + + if( tkstool.commands[cmd_RenameKey].activated ) { + + /*****************************************************/ + /* Check that specified keynames are not identical. */ + /*****************************************************/ + if( PL_strcmp( keyname, new_keyname ) == 0 ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe two keynames specified by " + "\n\t\t\"-n %s\" and \"-r %s\" are identical." + "\n\t\tPlease provide two non-identical keynames.\n\n", + progName, + commandToRun, + keyname, + new_keyname ); + rv = SECFailure; + goto shutdown; + } + + /*****************************************************/ + /* Retrieve a handle to the specified symmetric key. */ + /* This insures that the specified symmetric key */ + /* already resides on the specified token. */ + /*****************************************************/ + + symmetricKey = TKS_RetrieveSymKey( slot, + keyname, + &pwdata ); + if( symmetricKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" symmetric keyname specified by " + "\n\t\t\"-n %s\" does NOT exist on the specified " + "token.\n\t\tPlease specify a " + "different symmetric keyname.\n\n", + progName, + commandToRun, + keyname, + keyname ); + rv = SECFailure; + goto shutdown; + } + + + /**********************************************************/ + /* Do not allow the renamed key to overwrite a */ + /* preexisting key of the same name */ + /* */ + /* NOTE: The following code snippet effectively */ + /* prohibits this tool from renaming any */ + /* symmetric key with a keyname that already */ + /* resides in the specified token */ + /**********************************************************/ + + rvFindSymKey = TKS_FindSymKey( slot, + new_keyname, + &pwdata ); + if( rvFindSymKey == SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" keyname specified by " + "\n\t\t\"-r %s\"\n\t\talready exists in the " + "specified token.\n\t\tPlease specify a " + "different keyname for renaming purposes.\n\n", + progName, + commandToRun, + new_keyname, + new_keyname ); + rv = SECFailure; + goto shutdown; + } + + +#if defined(DEBUG) + /*****************************************************************/ + /* For convenience, compute and display the symmetric key's KCV. */ + /*****************************************************************/ + + PR_fprintf( PR_STDOUT, + "Computing and displaying KCV of the symmetric key " + "on the specified token . . .\n\n" ); + + /* Calculate the symmetric key's KCV */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, + ( PRIntn ) 0, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + symmetricKey, + keyname, + RESIDENT_KEY, + PR_TRUE, + NULL ); + if( rvKCV != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Unable to compute/display KCV of " + "the symmetric key!\n\n" ); + rv = SECFailure; + goto shutdown; + } +#endif + + + /********************************************************************/ + /* Finally, rename the symmetric key with the newly specified name. */ + /********************************************************************/ + + PR_fprintf( PR_STDOUT, + "Renaming the symmetric key named \"%s\" to \"%s\" . . .\n\n", + keyname, + new_keyname ); + + rvSymmetricKeyname = PK11_SetSymKeyNickname( + /* symmetric key */ symmetricKey, + /* nickname */ new_keyname ); + if( rvSymmetricKeyname != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to rename the symmetric key!\n\n" ); + rv = SECFailure; + goto shutdown; + } else { + PR_fprintf( PR_STDOUT, + "Successfully renamed the symmetric key named \"%s\" " + "to \"%s\"!\n\n", + keyname, + new_keyname ); + } + + +#if defined(DEBUG) + /********************************************************/ + /* For convenience, compute and display the renamed */ + /* symmetric key's KCV. */ + /********************************************************/ + + PR_fprintf( PR_STDOUT, + "Computing and displaying KCV of the renamed symmetric key " + "on the specified token . . .\n\n" ); + + /* Calculate the renamed symmetric key's KCV */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, + ( PRIntn ) 0, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + symmetricKey, + new_keyname, + RESIDENT_KEY, + PR_TRUE, + NULL ); + if( rvKCV != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Unable to compute/display KCV of " + "the renamed symmetric key!\n\n" ); + rv = SECFailure; + goto shutdown; + } +#endif + + + /*********************************/ + /* Cleanup and exit with success */ + /*********************************/ + + rv = SECSuccess; + goto shutdown; + } + + + /**************************************************/ + /* Execute the "-S" list security modules command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /**************************************************/ + + if( tkstool.commands[cmd_ListSecModules].activated ) { + rv = TKS_ListSecModules(); + goto shutdown; + } + + + /**********************************************/ + /* Execute the "-U" unwrap master key command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /**********************************************/ + + if( tkstool.commands[cmd_UnWrapMasterKey].activated ) { + + /**********************************************************/ + /* Do not allow duplicate symmetric keys to be stored */ + /* (i. e. - disallow symmetric keys specified */ + /* by the same keyname) */ + /* */ + /* NOTE: The following code snippet effectively */ + /* prohibits this tool from storing any */ + /* symmetric key with a keyname that already */ + /* resides in the specified token */ + /**********************************************************/ + + rvFindSymKey = TKS_FindSymKey( slot, + keyname, + &pwdata ); + if( rvFindSymKey == SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" keyname specified by " + "\n\t\t\"-n %s\"\n\t\talready exists in the " + "specified token.\n\t\tPlease specify a " + "different keyname.\n\n", + progName, + commandToRun, + keyname, + keyname ); + rv = SECFailure; + goto shutdown; + } + + + /*******************************************************************/ + /* Retrieve a handle to the specified unwrapping key. This insures */ + /* that the specified unwrapping key (i. e. - transport key) */ + /* already exists on the specified token. */ + /* */ + /* NOTE: Requiring that the transport key AND the master key */ + /* reside on the same token is a FIPS 140-1 requirement! */ + /*******************************************************************/ + + TKS_ClearScreen(); + + PR_fprintf( PR_STDOUT, + "\nRetrieving the transport key from the " + "specified token (for unwrapping) . . .\n\n" ); + + transportKey = TKS_RetrieveSymKey( slot, + transport_keyname, + &pwdata ); + if( transportKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" transport keyname specified by " + "\"-t %s\"\n\t\tdoes NOT exist on the specified " + "token.\n\t\tPlease specify a " + "different transport keyname.\n\n", + progName, + commandToRun, + transport_keyname, + transport_keyname ); + rv = SECFailure; + goto shutdown; + } + + + /*****************************************************************/ + /* Read in the wrapped master key from the specified input file. */ + /*****************************************************************/ + + PR_fprintf( PR_STDOUT, + "Reading in the wrapped data (and resident master key KCV) " + "from the file called\n\"%s\" . . .\n\n", + input ); + + /* Create a clean new storage buffer for this wrapped key */ + wrappedMasterKey.len = WRAPPED_KEY_LENGTH; + wrappedMasterKey.data = ( unsigned char * ) + PORT_ZAlloc( WRAPPED_KEY_LENGTH ); + + /* Create a clean new hex storage buffer for this master key's KCV */ + hexInternalKeyKCV.type = ( SECItemType ) siBuffer; + hexInternalKeyKCV.len = ( HEX_WRAPPED_KEY_KCV_LENGTH + 1 ); + hexInternalKeyKCV.data = ( unsigned char * ) + PORT_ZAlloc( hexInternalKeyKCV.len ); + if( hexInternalKeyKCV.data == NULL ) { + rv = SECFailure; + goto shutdown; + } + + rvWrappedMasterKey = TKS_ReadInputFileIntoSECItem( input, + ( char * ) hexInternalKeyKCV.data, + hexInternalKeyKCV.len, + keyname, + &wrappedMasterKey ); + if( rvWrappedMasterKey != SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tunable to read in wrapped master key " + "from file called \"%s\".\n", + progName, + commandToRun, + input ); + rv = SECFailure; + goto shutdown; + } + + + /*************************************************************/ + /* Temporarily unwrap the master key to check its KCV value. */ + /*************************************************************/ + + PR_fprintf( PR_STDOUT, + "Using the transport key to temporarily unwrap " + "the master key to recompute\nits KCV value to " + "check against its pre-computed KCV value . . .\n\n" ); + + temporaryMasterKey = PK11_UnwrapSymKeyWithFlagsPerm( + /* wrapping key */ transportKey, + /* wraptype */ CKM_DES3_ECB, + /* param */ 0, + /* wrapped key */ &wrappedMasterKey, + /* target */ CKM_DES3_ECB, + /* operation */ CKA_ENCRYPT, + /* target key length */ WRAPPED_KEY_LENGTH, + /* flags */ 0, + /* isPerm */ PR_FALSE ); + if( temporaryMasterKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to temporarily unwrap the master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + + /* verify that the wrapped key and KCV read in from */ + /* the input file correspond to each other . . . */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, + ( PRIntn ) 0, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + temporaryMasterKey, + keyname, + UNWRAPPED_KEY, + PR_FALSE, + hexInternalKeyKCV.data ); + if( rvKCV != SECSuccess ) { + rv = SECFailure; + goto shutdown; + } + + + /***************************************************************/ + /* Unwrap the master key and store it on the designated token. */ + /***************************************************************/ + + PR_fprintf( PR_STDOUT, + "Using the transport key to unwrap and store " + "the master key\non the specified token . . .\n\n" ); + + masterKey = PK11_UnwrapSymKeyWithFlagsPerm( + /* wrapping key */ transportKey, + /* wraptype */ CKM_DES3_ECB, + /* param */ 0, + /* wrapped key */ &wrappedMasterKey, + /* target */ CKM_DES3_ECB, + /* operation */ CKA_ENCRYPT, + /* target key length */ WRAPPED_KEY_LENGTH, + /* flags */ 0, + /* isPerm */ PR_TRUE ); + if( masterKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to unwrap/store the master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + + + /*****************************************************************/ + /* Finally, name the master key with the specified name. */ + /*****************************************************************/ + + PR_fprintf( PR_STDOUT, + "Naming the master key \"%s\" . . .\n\n", + keyname ); + + rvMasterKeyname = PK11_SetSymKeyNickname( + /* symmetric key */ masterKey, + /* nickname */ keyname ); + if( rvMasterKeyname != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to name the master key!\n\n" ); + rv = SECFailure; + goto shutdown; + } else { + PR_fprintf( PR_STDOUT, + "Successfully unwrapped, stored, and named the " + "master key!\n\n" ); + } + + + /*********************************/ + /* Cleanup and exit with success */ + /*********************************/ + + rv = SECSuccess; + goto shutdown; + } + + + /******************************************************/ + /* Execute the "-W" wrap generated master key command */ + /* */ + /* NOTE: This command is mutually */ + /* exclusive from all others. */ + /******************************************************/ + + if( tkstool.commands[cmd_WrapMasterKey].activated ) { + + /**********************************************************/ + /* Do not allow duplicate symmetric keys to be stored */ + /* (i. e. - disallow symmetric keys specified */ + /* by the same keyname) */ + /* */ + /* NOTE: The following code snippet effectively */ + /* prohibits this tool from storing any */ + /* symmetric key with a keyname that already */ + /* resides in the specified token */ + /**********************************************************/ + + rvFindSymKey = TKS_FindSymKey( slot, + keyname, + &pwdata ); + if( rvFindSymKey == SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" keyname specified by " + "\n\t\t\"-n %s\"\n\t\talready exists in the " + "specified token.\n\t\tPlease specify a " + "different keyname.\n\n", + progName, + commandToRun, + keyname, + keyname ); + rv = SECFailure; + goto shutdown; + } + + + /*****************************************************************/ + /* Retrieve a handle to the specified wrapping key. This insures */ + /* that the specified wrapping key (i. e. - transport key) */ + /* already exists on the specified token. */ + /* */ + /* NOTE: Requiring that the transport key AND the master key */ + /* reside on the same token is a FIPS 140-1 requirement! */ + /*****************************************************************/ + + TKS_ClearScreen(); + + PR_fprintf( PR_STDOUT, + "\nRetrieving the transport key (for wrapping) " + "from the specified token . . .\n\n" ); + + transportKey = TKS_RetrieveSymKey( slot, + transport_keyname, + &pwdata ); + if( transportKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c:\tthe \"%s\" transport keyname specified by " + "\"-t %s\"\n\t\tdoes NOT exist on the specified " + "token.\n\t\tPlease specify a " + "different transport keyname.\n\n", + progName, + commandToRun, + transport_keyname, + transport_keyname ); + rv = SECFailure; + goto shutdown; + } + + + /*****************************************************************/ + /* Generate the master key and store it on the designated token. */ + /*****************************************************************/ + + PR_fprintf( PR_STDOUT, + "Generating and storing the master key " + "on the specified token . . .\n\n" ); + + if( WRAPPED_KEY_LENGTH == ( 2 * DES_LENGTH ) ) { + masterKey = PK11_TokenKeyGen( + /* slot */ slot, + /* mechanism */ CKM_DES2_KEY_GEN, + /* param */ 0, + /* keySize */ 0, + /* keyid */ 0, + /* isToken (i. e. - isPerm) */ PR_TRUE, + /* wincx */ &pwdata ); + if( masterKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to generate/store this DES2 master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + } else if( WRAPPED_KEY_LENGTH == ( 3 * DES_LENGTH ) ) { + masterKey = PK11_TokenKeyGen( + /* slot */ slot, + /* mechanism */ CKM_DES3_KEY_GEN, + /* param */ 0, + /* keySize */ 0, + /* keyid */ 0, + /* isToken (i. e. - isPerm) */ PR_TRUE, + /* wincx */ &pwdata ); + if( masterKey == NULL ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to generate/store this DES3 master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + } else { + /* invalid key size */ + PR_fprintf( PR_STDERR, + "%s -%c: %s\n\n\n", + progName, + commandToRun, + "WRAPPED_KEY_LENGTH must be DES2 or DES3 length!" ); + rv = SECFailure; + goto shutdown; + } + + + /************************************************/ + /* Name the master key with the specified name. */ + /************************************************/ + + PR_fprintf( PR_STDOUT, + "Naming the master key \"%s\" . . .\n\n", + keyname ); + + rvMasterKeyname = PK11_SetSymKeyNickname( + /* symmetric key */ masterKey, + /* nickname */ keyname ); + if( rvMasterKeyname != SECSuccess ) { + PR_fprintf( PR_STDERR, + "ERROR: Failed to name the master key!\n\n" ); + rv = SECFailure; + goto shutdown; + } else { + PR_fprintf( PR_STDOUT, + "Successfully generated, stored, and named the " + "master key!\n\n" ); + } + + + /**********************************/ + /* Compute this master key's KCV. */ + /**********************************/ + + /* Create a clean new hex storage buffer for this master key's KCV */ + hexInternalKeyKCV.type = ( SECItemType ) siBuffer; + hexInternalKeyKCV.len = ( HEX_WRAPPED_KEY_KCV_LENGTH + 1 ); + hexInternalKeyKCV.data = ( unsigned char * ) + PORT_ZAlloc( hexInternalKeyKCV.len ); + if( hexInternalKeyKCV.data == NULL ) { + rv = SECFailure; + goto shutdown; + } + + /* Calculate this master key's KCV */ + rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, + ( PRIntn ) 0, + ( PRUint8 * ) KCV, + ( PRIntn ) KCVLen, + masterKey, + keyname, + WRAPPED_KEY, + PR_FALSE, + hexInternalKeyKCV.data ); + if( rvKCV != SECSuccess ) { + rv = SECFailure; + goto shutdown; + } + + + /****************************************/ + /* Wrap the newly generated master key. */ + /****************************************/ + + PR_fprintf( PR_STDOUT, + "Using the transport key to wrap and store " + "the master key . . .\n\n" ); + + wrappedMasterKey.len = WRAPPED_KEY_LENGTH; + wrappedMasterKey.data = ( unsigned char * ) + PORT_ZAlloc( WRAPPED_KEY_LENGTH ); + + rvWrappedMasterKey = PK11_WrapSymKey( + /* mechanism type */ CKM_DES3_ECB, + /* param */ 0, + /* wrapping key */ transportKey, + /* key to be wrapped */ masterKey, + /* wrapped key */ &wrappedMasterKey ); + if( rvWrappedMasterKey != SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to wrap the master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + + + /**************************************************************/ + /* Write the wrapped master key to the specified output file. */ + /**************************************************************/ + + PR_fprintf( PR_STDOUT, + "Writing the wrapped data (and resident master key KCV) " + "into the file called\n\"%s\" . . .\n\n", + output ); + + rvSaveWrappedMasterKey = TKS_WriteSECItemIntoOutputFile( &wrappedMasterKey, + keyname, + ( char * ) hexInternalKeyKCV.data, + ( hexInternalKeyKCV.len - 1 ), + output ); + if( rvSaveWrappedMasterKey != SECSuccess ) { + PR_fprintf( PR_STDERR, + "%s -%c: %s:%d\n", + progName, + commandToRun, + "unable to save the wrapped master key ", + PR_GetError() ); + rv = SECFailure; + goto shutdown; + } + + + /*********************************/ + /* Cleanup and exit with success */ + /*********************************/ + + rv = SECSuccess; + goto shutdown; + } + + +shutdown: + /* free internal slot */ + if( slot ) { + PK11_FreeSlot( /* slot */ internalSlot ); + } + + + /* free slot */ + if( slot ) { + PK11_FreeSlot( /* slot */ slot ); + } + + + /* destroy the pwdata */ + if( pwdata.data != NULL ) { + pwdata.source = PW_NONE; + i = 0; + do { + if( pwdata.data[i] != 0 ) { + pwdata.data[i] = 0; + i++; + } else { + status = PR_TRUE; + } + } while( status == PR_FALSE ); + } + + + /* destroy the first session key share */ + if( firstSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + firstSessionKeyShare.data, + firstSessionKeyShare.len ); + firstSessionKeyShare.data = NULL; + firstSessionKeyShare.len = 0; + } + + +#if defined(PAD_DES2_KEY_LENGTH) + /* destroy the first padded session key share */ + if( paddedFirstSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + paddedFirstSessionKeyShare.data, + paddedFirstSessionKeyShare.len ); + paddedFirstSessionKeyShare.data = NULL; + paddedFirstSessionKeyShare.len = 0; + } +#endif + + + /* destroy the "original" second session key share */ + if( secondDerivationData.pData != NULL ) { + PORT_ZFree( ( unsigned char * ) + secondDerivationData.pData, + secondDerivationData.ulLen ); + secondDerivationData.pData = NULL; + secondDerivationData.ulLen = 0; + } + + +#if defined(PAD_DES2_KEY_LENGTH) + /* destroy the second padded session key share */ + if( paddedSecondSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + paddedSecondSessionKeyShare.data, + paddedSecondSessionKeyShare.len ); + paddedSecondSessionKeyShare.data = NULL; + paddedSecondSessionKeyShare.len = 0; + } +#endif + + + /* destroy the second session key share container */ + if( secondSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + secondSessionKeyShare.data, + secondSessionKeyShare.len ); + secondSessionKeyShare.data = NULL; + secondSessionKeyShare.len = 0; + } + + + /* destroy the "original" third session key share */ + if( thirdDerivationData.pData != NULL ) { + PORT_ZFree( ( unsigned char * ) + thirdDerivationData.pData, + thirdDerivationData.ulLen ); + thirdDerivationData.pData = NULL; + thirdDerivationData.ulLen = 0; + } + + +#if defined(PAD_DES2_KEY_LENGTH) + /* destroy the third padded session key share */ + if( paddedThirdSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + paddedThirdSessionKeyShare.data, + paddedThirdSessionKeyShare.len ); + paddedThirdSessionKeyShare.data = NULL; + paddedThirdSessionKeyShare.len = 0; + } +#endif + + + /* destroy the third session key share container */ + if( thirdSessionKeyShare.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + thirdSessionKeyShare.data, + thirdSessionKeyShare.len ); + thirdSessionKeyShare.data = NULL; + thirdSessionKeyShare.len = 0; + } + + + /* destroy the first symmetric key */ + if( firstSymmetricKey ) { + PK11_FreeSymKey( /* symmetric key */ firstSymmetricKey ); + } + + + /* destroy the second symmetric key */ + if( secondSymmetricKey ) { + PK11_FreeSymKey( /* symmetric key */ secondSymmetricKey ); + } + + + /* destroy the third symmetric key (transport key) */ + if( thirdSymmetricKey ) { + PK11_FreeSymKey( /* symmetric key */ thirdSymmetricKey ); + } + + + /* destroy the hexInternalKeyKCV */ + if( hexInternalKeyKCV.data != NULL ) { + PORT_ZFree( ( unsigned char * ) + hexInternalKeyKCV.data, + hexInternalKeyKCV.len ); + hexInternalKeyKCV.data = NULL; + hexInternalKeyKCV.len = 0; + } + + + /* destroy the KCV */ + if( KCV != NULL ) { + PORT_ZFree( ( unsigned char * ) + KCV, + KCVLen ); + KCV = NULL; + KCVLen = 0; + } + + + /* destroy the temporary master key */ + if( temporaryMasterKey ) { + PK11_FreeSymKey( /* symmetric key */ temporaryMasterKey ); + } + + + /* destroy the master key */ + if( masterKey ) { + PK11_FreeSymKey( /* symmetric key */ masterKey ); + } + + + /* destroy the transport key */ + if( transportKey ) { + PK11_FreeSymKey( /* symmetric key */ transportKey ); + } + + + /* shutdown NSS */ + if( NSS_Shutdown() != SECSuccess ) { + return 255; + } + + + /* exit with an appropriate return value */ + if( rv == SECSuccess ) { + return 0; + } else { + return 255; + } +} + diff --git a/base/native-tools/src/tkstool/tkstool.h b/base/native-tools/src/tkstool/tkstool.h new file mode 100644 index 000000000..3b0407227 --- /dev/null +++ b/base/native-tools/src/tkstool/tkstool.h @@ -0,0 +1,321 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +/************************/ +/** #include headers **/ +/************************/ + +#ifdef HAVE_CONFIG_H +#ifndef AUTOTOOLS_CONFIG_H +#define AUTOTOOLS_CONFIG_H + +/* Eliminate warnings when using Autotools */ +#undef PACKAGE_BUGREPORT +#undef PACKAGE_NAME +#undef PACKAGE_STRING +#undef PACKAGE_TARNAME +#undef PACKAGE_VERSION + +#include <config.h> +#endif /* AUTOTOOLS_CONFIG_H */ +#endif /* HAVE_CONFIG_H */ + +#include <stdio.h> +#include <string.h> + +#if defined(WIN32) +#include "fcntl.h" +#include "io.h" +#endif + +#if defined(XP_UNIX) +#include <unistd.h> +#include <sys/time.h> +#include <termios.h> +#endif + +#if defined(XP_WIN) || defined (XP_PC) +#include <time.h> +#include <conio.h> +#endif + +#include "secutil.h" +#include "nspr.h" +#include "prtypes.h" +#include "prtime.h" +#include "prlong.h" +#include "pk11func.h" +#include "secasn1.h" +#include "cert.h" +#include "cryptohi.h" +#include "secoid.h" +#include "certdb.h" +#include "nss.h" + + +/****************/ +/** #defines **/ +/****************/ + +#define TKSTOOL_MAJOR_VERSION_NUMBER 1 +#define TKSTOOL_MINOR_VERSION_NUMBER 0 +#define TKSTOOL_VERSION_SUFFIX "" + +#define DEFAULT_KEY_BITS 1024 +#define NUM_KEYSTROKES 120 +#define RAND_BUF_LENGTH 60 +#define DES_LENGTH 8 +#define KEYSTROKES_TO_PROCEED 8 +#define KCV_LENGTH 4 +#define CTRL_C 3 + +#define FIRST_SESSION_KEY_SHARE "first" +#define FIRST_SESSION_KEY_SHARE_LENGTH 16 +#define SECOND_SESSION_KEY_SHARE "second" +#define SECOND_SESSION_KEY_SHARE_LENGTH 16 +#define THIRD_SESSION_KEY_SHARE "third" +#define THIRD_SESSION_KEY_SHARE_LENGTH 16 +#define HEX_SESSION_KEY_BUF_LENGTH 32 +#define HEX_SESSION_KEY_KCV_BUF_LENGTH 8 + +#define MASTER_KEY_LENGTH 16 + +#define WRAPPED_KEY_LENGTH 16 +#define HEX_WRAPPED_KEY_LENGTH 32 +#define HEX_WRAPPED_KEY_KCV_LENGTH 8 + +#if defined(PAD_DES2_KEY_LENGTH) +#define PADDED_FIRST_SESSION_KEY_SHARE_LENGTH 24 +#define PADDED_SECOND_SESSION_KEY_SHARE_LENGTH 24 +#define PADDED_THIRD_SESSION_KEY_SHARE_LENGTH 24 +#endif + +#define FIRST_SYMMETRIC_KEY "first" +#define SECOND_SYMMETRIC_KEY "second" +#define THIRD_SYMMETRIC_KEY "third" +#define MASTER_KEY "master" +#define RESIDENT_KEY "resident" +#define SESSION_KEY "session" +#define SYMMETRIC_KEY "symmetric" +#define TRANSPORT_KEY "transport" +#define UNWRAPPED_KEY "unwrapped" +#define WRAPPED_KEY "wrapped" + +#define CONTINUATION_MESSAGE "Press enter to continue " \ + "(or ^C to break): " + +#define PROCEED_MESSAGE "Type the word \"proceed\" " \ + "and press enter to continue " \ + "(or ^C to break): " + + +/**************************************/ +/** external function declarations **/ +/**************************************/ + +#if defined(__sun) && !defined(SVR4) +extern int fclose( FILE* ); +extern int fprintf( FILE *, char *, ... ); +extern int isatty( int ); +extern char *sys_errlist[]; +#define strerror( errno ) sys_errlist[errno] +#endif + + +/***************************/ +/** function prototypes **/ +/***************************/ + +/************/ +/* delete.c */ +/************/ + +SECStatus +TKS_DeleteKeys( char *progName, + PK11SlotInfo *slot, + char *keyname, + secuPWData *pwdata ); + + +/**********/ +/* file.c */ +/**********/ + +SECStatus +TKS_ReadInputFileIntoSECItem( char *input, + char *hexInternalKeyKCV, + int hexInternalKeyKCVLength, + char *keyname, + SECItem *wrappedKey ); + +SECStatus +TKS_WriteSECItemIntoOutputFile( SECItem *wrappedKey, + char *keyname, + char *hexInternalKeyKCV, + int hexInternalKeyKCVLength, + char *output ); + + +/**********/ +/* find.c */ +/**********/ + +SECStatus +TKS_FindSymKey( PK11SlotInfo *slot, + char *keyname, + void *pwdata ); + + +/**********/ +/* help.c */ +/**********/ + +void +TKS_Usage( char *progName ); + +void +TKS_PrintHelp( char *progName ); + + +/*********/ +/* key.c */ +/*********/ + +SECStatus +TKS_ComputeAndDisplayKCV( PRUint8 *newKey, + PRIntn newKeyLen, + PRUint8 *KCV, + PRIntn KCVLen, + PK11SymKey *symKey, + char *keyName, + char *keyType, + PRBool displayKCV, + PRUint8 *expectedHexKCV ); + +SECStatus +TKS_GenerateSessionKeyShare( char *sessionKeyShareName, + SECItem *sessionKeyShare ); + +SECStatus +TKS_InputSessionKeyShare( char *sessionKeyShareName, + SECItem *sessionKeyShare ); + +PK11SymKey * +TKS_ImportSymmetricKey( char *symmetricKeyName, + PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + CK_ATTRIBUTE_TYPE operation, + SECItem *sessionKeyShare, + secuPWData *pwdata ); + +PK11SymKey * +TKS_DeriveSymmetricKey( char *symmetricKeyName, + PK11SymKey *symKey, + CK_MECHANISM_TYPE derive, + SECItem *sessionKeyShare, + CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, + int keysize ); + +SECStatus +TKS_StoreSymmetricKeyAndNameIt( char *symmetricKeyName, + char *keyname, + PK11SlotInfo *slot, + CK_ATTRIBUTE_TYPE operation, + CK_FLAGS flags, + PK11SymKey *symKey ); + + +/**********/ +/* list.c */ +/**********/ + +SECStatus +TKS_ListKeys( char *progName, + PK11SlotInfo *slot, + char *keyname, + int index, + PRBool dopriv, + secuPWData *pwdata ); + + +/*************/ +/* modules.c */ +/*************/ + +SECStatus +TKS_ListSecModules( void ); + + +/************/ +/* random.c */ +/************/ + +void +TKS_FileForRNG( char *noise ); + +SECStatus +TKS_SeedRNG( char *noise ); + + +/**************/ +/* retrieve.c */ +/**************/ + +PK11SymKey * +TKS_RetrieveSymKey( PK11SlotInfo *slot, + char *keyname, + void *pwdata ); + + +/**********/ +/* util.c */ +/**********/ + +PR_IMPLEMENT( void ) +TKS_ClearScreen(); + +PR_IMPLEMENT( void ) +TKS_WaitForUser(); + +PR_IMPLEMENT( void ) +TKS_TypeProceedToContinue(); + +PR_IMPLEMENT( void ) +TKS_AdjustOddParity( PRUint8 *key ); + +PR_IMPLEMENT( void ) +TKS_StringToHex( PRUint8 *key, + PRIntn len, + PRUint8 *hex_key, + PRIntn hex_len ); + +PR_IMPLEMENT( PRBool ) +TKS_ConvertStringOfHexCharactersIntoBitStream( char* input, + PRIntn input_bytes, + PRUint8* output ); + + +/*************/ +/* version.c */ +/*************/ + +void +TKS_Version( char *progName ); + diff --git a/base/native-tools/src/tkstool/util.c b/base/native-tools/src/tkstool/util.c new file mode 100644 index 000000000..5fda75f8e --- /dev/null +++ b/base/native-tools/src/tkstool/util.c @@ -0,0 +1,640 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +static PRBool +IsValidHexCharacter( char byte ) +{ + switch( byte ) + { + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + case 'a': + case 'A': + case 'b': + case 'B': + case 'c': + case 'C': + case 'd': + case 'D': + case 'e': + case 'E': + case 'f': + case 'F': + { + /* Character may be converted into a hexadecimal number. */ + return PR_TRUE; + } + default: + { + return PR_FALSE; + } + } +} + + +static void +InsertUpperFourBits( char* byte, char bits ) +{ + switch( bits ) + { + case '0': + { + *byte &= ~( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case '1': + { + *byte &= ~( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + case '2': + { + *byte &= ~( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case '3': + { + *byte &= ~( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + case '4': + { + *byte &= ~( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case '5': + { + *byte &= ~( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + case '6': + { + *byte &= ~( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case '7': + { + *byte &= ~( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + case '8': + { + *byte |= ( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case '9': + { + *byte |= ( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + case 'a': + case 'A': + { + *byte |= ( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case 'b': + case 'B': + { + *byte |= ( 1 << 7 ); + *byte &= ~( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + case 'c': + case 'C': + { + *byte |= ( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case 'd': + case 'D': + { + *byte |= ( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte &= ~( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + case 'e': + case 'E': + { + *byte |= ( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte &= ~( 1 << 4 ); + break; + } + case 'f': + case 'F': + { + *byte |= ( 1 << 7 ); + *byte |= ( 1 << 6 ); + *byte |= ( 1 << 5 ); + *byte |= ( 1 << 4 ); + break; + } + } +} + + +static void +InsertLowerFourBits( char* byte, char bits ) +{ + switch( bits ) + { + case '0': + { + *byte &= ~( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case '1': + { + *byte &= ~( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + case '2': + { + *byte &= ~( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case '3': + { + *byte &= ~( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + case '4': + { + *byte &= ~( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case '5': + { + *byte &= ~( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + case '6': + { + *byte &= ~( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case '7': + { + *byte &= ~( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + case '8': + { + *byte |= ( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case '9': + { + *byte |= ( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + case 'a': + case 'A': + { + *byte |= ( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case 'b': + case 'B': + { + *byte |= ( 1 << 3 ); + *byte &= ~( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + case 'c': + case 'C': + { + *byte |= ( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case 'd': + case 'D': + { + *byte |= ( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte &= ~( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + case 'e': + case 'E': + { + *byte |= ( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte &= ~( 1 << 0 ); + break; + } + case 'f': + case 'F': + { + *byte |= ( 1 << 3 ); + *byte |= ( 1 << 2 ); + *byte |= ( 1 << 1 ); + *byte |= ( 1 << 0 ); + break; + } + } +} + + +PR_IMPLEMENT( void ) +TKS_ClearScreen() +{ +#if defined(XP_UNIX) && !defined(VMS) + system( "tput clear" ); +#else + system( "cls" ); +#endif +} + + +PR_IMPLEMENT( void ) +TKS_WaitForUser() +{ + int c; + + PR_fprintf( PR_STDOUT, "\n\n" ); + PR_fprintf( PR_STDOUT, "%s", CONTINUATION_MESSAGE ); +#if defined(VMS) + while((c = GENERIC_GETCHAR_NO_ECHO()) != '\r' && c != EOF && c != CTRL_C ) + ; +#else + while ((c = getc(stdin)) != '\n' && c != EOF && c != CTRL_C ) + ; +#endif + PR_fprintf( PR_STDOUT, "\n" ); +} + + +PR_IMPLEMENT( void ) +TKS_TypeProceedToContinue() +{ + int fd; + int i; + int count; + int c; + int rv = 0; +#ifdef XP_UNIX + cc_t orig_cc_min; + cc_t orig_cc_time; + tcflag_t orig_lflag; + struct termios tio; +#endif + char keystrokes[KEYSTROKES_TO_PROCEED + 1] = "\0\0\0\0\0\0\0\0\0"; + + /* display the continuation message */ + PR_fprintf( PR_STDOUT, "\n\n" ); + PR_fprintf( PR_STDOUT, "%s", PROCEED_MESSAGE ); + + /* turn off echo on stdin & return on 1 char instead of NL */ + fd = fileno( stdin ); + +#if defined( XP_UNIX ) && !defined( VMS ) + tcgetattr( fd, &tio ); + orig_lflag = tio.c_lflag; + orig_cc_min = tio.c_cc[VMIN]; + orig_cc_time = tio.c_cc[VTIME]; + tio.c_lflag &= ~ECHO; + tio.c_lflag &= ~ICANON; + tio.c_cc[VMIN] = 1; + tio.c_cc[VTIME] = 0; + tcsetattr( fd, TCSAFLUSH, &tio ); +#endif + + /* Get user input from keyboard strokes */ + count = 0; + while( count < KEYSTROKES_TO_PROCEED ) { +#ifdef VMS + c = GENERIC_GETCHAR_NOECHO(); +#elif XP_UNIX + c = getc( stdin ); +#else + c = getch(); +#endif + /* break on EOF */ + if( c == EOF ) { + rv = -1; + break; + } + + /* break on ^C */ + if( c == CTRL_C ) { + rv = -1; + break; + } + + /* save acceptable characters; silently throw anything else away */ + switch( count ) { + case 0: + switch( c ) { + case 'P': + case 'p': + /* acceptable character; save lowercase version */ + keystrokes[count] = 'p'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + case 1: + switch( c ) { + case 'R': + case 'r': + /* acceptable character; save lowercase version */ + keystrokes[count] = 'r'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + case 2: + switch( c ) { + case 'O': + case 'o': + /* acceptable character; save lowercase version */ + keystrokes[count] = 'o'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + case 3: + switch( c ) { + case 'C': + case 'c': + /* acceptable character; save lowercase version */ + keystrokes[count] = 'c'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + case 4: + switch( c ) { + case 'E': + case 'e': + /* acceptable character; save lowercase version */ + keystrokes[count] = 'e'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + case 5: + switch( c ) { + case 'E': + case 'e': + /* acceptable character; save lowercase version */ + keystrokes[count] = 'e'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + case 6: + switch( c ) { + case 'D': + case 'd': + /* acceptable character; save lowercase version */ + keystrokes[count] = 'd'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + case 7: + switch( c ) { + case '\n': + case '\r': + /* acceptable character; save lowercase version */ + keystrokes[count] = '\n'; + break; + default: + /* unacceptable character; don't save it */ + continue; + } + break; + default: + /* unacceptable character; don't save it */ + continue; + } + + /* adjust the character count appropriately */ + count++; + + /* redisplay the message */ + PR_fprintf( PR_STDOUT, "\r%s", PROCEED_MESSAGE ); + + /* display the characters input so far */ + for( i = 0 ; i < count ; i++ ) { + PR_fprintf( PR_STDOUT, + "%c", + keystrokes[i] ); + } + } +} + + +PR_IMPLEMENT( void ) +TKS_AdjustOddParity( PRUint8 *key ) +{ + PRIntn i; + PRIntn j; + PRIntn one; + + /* this must be performed for each DES-sized (8-byte) chunk */ + for( j = 0 ; j < DES_LENGTH ; j++ ) { + for( one = 0, i = key[j] ; i ; i >>= 1 ) { + if( i & 1 ) { + one++; + } + } + + key[j] ^= !( one & 1 ); + } +} + + +PR_IMPLEMENT( void ) +TKS_StringToHex( PRUint8 *key, + PRIntn len, + PRUint8 *hex_key, + PRIntn hex_len ) +{ + PRIntn i; + + for( i = 0 ; i < len ; i++ ) { + ( void ) PR_snprintf( ( char * ) &( hex_key[ ( 2 * i ) ] ), + hex_len, + "%X", + ( key[i] >> 4 ) & 0x0F ); + ( void ) PR_snprintf( ( char * ) &( hex_key[ ( 2 * i ) + 1 ] ), + hex_len, + "%X", + key[i] & 0x0F ); + } + + hex_key[ ( hex_len - 1 ) ] = '\0'; + + return; +} + + +/* Convert a signed character string such as "de43a58f. . ." into an */ +/* unsigned character string which is one/half the size of the input */ +PR_IMPLEMENT( PRBool ) +TKS_ConvertStringOfHexCharactersIntoBitStream( char* input, + PRIntn input_bytes, + PRUint8* output ) +{ + PRIntn i; + PRIntn output_bytes; + + /* Check to be sure that the input string contains an */ + /* "even" number of bytes so that it may be converted. */ + if( input_bytes % 2 ) { + ( void ) PR_fprintf( PR_STDERR, + "ERROR: " + "ConvertStringOfHexCharactersIntoBitStream() " + "contained an illegal " + "input byte length of %d bytes!\r\n", + input_bytes ); + return PR_FALSE; + } + + output_bytes = ( input_bytes / 2 ); + + for( i = 0; i < output_bytes; i++ ) { + if( IsValidHexCharacter( input[ ( 2 * i ) ] ) && + IsValidHexCharacter( input[ ( 2 * i ) + 1 ] ) ) { + InsertUpperFourBits( ( char* ) &( output[i] ), input[ ( 2 * i ) ] ); + InsertLowerFourBits( ( char* ) &( output[i] ), input[ ( 2 * i ) + 1 ] ); + } else { + ( void ) PR_fprintf( PR_STDERR, + "ERROR: " + "ConvertStringOfHexCharactersIntoBitStream() " + "contained a " + "byte in the input string which can not be " + "converted!\r\n" ); + return PR_FALSE; + } + } + + return PR_TRUE; +} + + diff --git a/base/native-tools/src/tkstool/version.c b/base/native-tools/src/tkstool/version.c new file mode 100644 index 000000000..b8d4c5fbb --- /dev/null +++ b/base/native-tools/src/tkstool/version.c @@ -0,0 +1,49 @@ +/* --- BEGIN COPYRIGHT BLOCK --- + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Copyright (C) 2007 Red Hat, Inc. + * All rights reserved. + * --- END COPYRIGHT BLOCK --- + */ + +#include "tkstool.h" + +void +TKS_Version( char *progName ) +{ +#if defined(TKSTOOL_VERSION_SUFFIX) + if( TKSTOOL_VERSION_SUFFIX != NULL && + PL_strcmp( TKSTOOL_VERSION_SUFFIX, "" ) != 0 ) { + PR_fprintf( PR_STDOUT, + "%s: Version %d.%d %s\n", + progName, + TKSTOOL_MAJOR_VERSION_NUMBER, + TKSTOOL_MINOR_VERSION_NUMBER, + TKSTOOL_VERSION_SUFFIX ); + } else { + PR_fprintf( PR_STDOUT, + "%s: Version %d.%d\n", + progName, + TKSTOOL_MAJOR_VERSION_NUMBER, + TKSTOOL_MINOR_VERSION_NUMBER ); + } +#else + PR_fprintf( PR_STDOUT, + "%s: Version %d.%d\n", + progName, + TKSTOOL_MAJOR_VERSION_NUMBER, + TKSTOOL_MINOR_VERSION_NUMBER ); +#endif +} + |