author | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-24 02:27:47 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-26 11:43:54 -0500 |
commit | 621d9e5c413e561293d7484b93882d985b3fe15f (patch) | |
tree | 638f3d75761c121d9a8fb50b52a12a6686c5ac5c /pki/base/native-tools | |
parent | 40d3643b8d91886bf210aa27f711731c81a11e49 (diff) | |
Removed unnecessary pki folder.
Previously the source code was located inside a pki folder.
This folder was created during the svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.
Ticket #131
Diffstat (limited to 'pki/base/native-tools')
55 files changed, 0 insertions, 24309 deletions
diff --git a/pki/base/native-tools/CMakeLists.txt b/pki/base/native-tools/CMakeLists.txt
deleted file mode 100644
index 0ccebe578..000000000
--- a/pki/base/native-tools/CMakeLists.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-project(native-tools)
-
-add_subdirectory(src)
diff --git a/pki/base/native-tools/LICENSE b/pki/base/native-tools/LICENSE
deleted file mode 100644
index e281f4362..000000000
--- a/pki/base/native-tools/LICENSE
+++ /dev/null
@@ -1,291 +0,0 @@ -This Program is free software; you can redistribute it and/or modify -it under the terms of the GNU General Public License as published -by the Free Software Foundation; version 2 of the License. - -This Program is distributed in the hope that it will be useful, but -WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -for more details. - -You should have received a copy of the GNU General Public License -along with this Program; if not, write to the Free Software -Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. - - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 - - Copyright (C) 1989, 1991 Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -License is intended to guarantee your freedom to share and change free -software--to make sure the software is free for all its users. This -General Public License applies to most of the Free Software -Foundation's software and to any other program whose authors commit to -using it. (Some other Free Software Foundation software is covered by -the GNU Lesser General Public License instead.) You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -this service if you wish), that you receive source code or can get it -if you want it, that you can change the software or use pieces of it -in new free programs; and that you know you can do these things. 
- - To protect your rights, we need to make restrictions that forbid -anyone to deny you these rights or to ask you to surrender the rights. -These restrictions translate to certain responsibilities for you if you -distribute copies of the software, or if you modify it. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must give the recipients all the rights that -you have. You must make sure that they, too, receive or can get the -source code. And you must show them these terms so they know their -rights. - - We protect your rights with two steps: (1) copyright the software, and -(2) offer you this license which gives you legal permission to copy, -distribute and/or modify the software. - - Also, for each author's protection and ours, we want to make certain -that everyone understands that there is no warranty for this free -software. If the software is modified by someone else and passed on, we -want its recipients to know that what they have is not the original, so -that any problems introduced by others will not reflect on the original -authors' reputations. - - Finally, any free program is threatened constantly by software -patents. We wish to avoid the danger that redistributors of a free -program will individually obtain patent licenses, in effect making the -program proprietary. To prevent this, we have made it clear that any -patent must be licensed for everyone's free use or not licensed at all. - - The precise terms and conditions for copying, distribution and -modification follow. - - GNU GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License applies to any program or other work which contains -a notice placed by the copyright holder saying it may be distributed -under the terms of this General Public License. 
The "Program", below, -refers to any such program or work, and a "work based on the Program" -means either the Program or any derivative work under copyright law: -that is to say, a work containing the Program or a portion of it, -either verbatim or with modifications and/or translated into another -language. (Hereinafter, translation is included without limitation in -the term "modification".) Each licensee is addressed as "you". - -Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running the Program is not restricted, and the output from the Program -is covered only if its contents constitute a work based on the -Program (independent of having been made by running the Program). -Whether that is true depends on what the Program does. - - 1. You may copy and distribute verbatim copies of the Program's -source code as you receive it, in any medium, provided that you -conspicuously and appropriately publish on each copy an appropriate -copyright notice and disclaimer of warranty; keep intact all the -notices that refer to this License and to the absence of any warranty; -and give any other recipients of the Program a copy of this License -along with the Program. - -You may charge a fee for the physical act of transferring a copy, and -you may at your option offer warranty protection in exchange for a fee. - - 2. You may modify your copy or copies of the Program or any portion -of it, thus forming a work based on the Program, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) You must cause the modified files to carry prominent notices - stating that you changed the files and the date of any change. 
- - b) You must cause any work that you distribute or publish, that in - whole or in part contains or is derived from the Program or any - part thereof, to be licensed as a whole at no charge to all third - parties under the terms of this License. - - c) If the modified program normally reads commands interactively - when run, you must cause it, when started running for such - interactive use in the most ordinary way, to print or display an - announcement including an appropriate copyright notice and a - notice that there is no warranty (or else, saying that you provide - a warranty) and that users may redistribute the program under - these conditions, and telling the user how to view a copy of this - License. (Exception: if the Program itself is interactive but - does not normally print such an announcement, your work based on - the Program is not required to print an announcement.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Program, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Program, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Program. 
- -In addition, mere aggregation of another work not based on the Program -with the Program (or with a work based on the Program) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may copy and distribute the Program (or a work based on it, -under Section 2) in object code or executable form under the terms of -Sections 1 and 2 above provided that you also do one of the following: - - a) Accompany it with the complete corresponding machine-readable - source code, which must be distributed under the terms of Sections - 1 and 2 above on a medium customarily used for software interchange; or, - - b) Accompany it with a written offer, valid for at least three - years, to give any third party, for a charge no more than your - cost of physically performing source distribution, a complete - machine-readable copy of the corresponding source code, to be - distributed under the terms of Sections 1 and 2 above on a medium - customarily used for software interchange; or, - - c) Accompany it with the information you received as to the offer - to distribute corresponding source code. (This alternative is - allowed only for noncommercial distribution and only if you - received the program in object code or executable form with such - an offer, in accord with Subsection b above.) - -The source code for a work means the preferred form of the work for -making modifications to it. For an executable work, complete source -code means all the source code for all modules it contains, plus any -associated interface definition files, plus the scripts used to -control compilation and installation of the executable. 
However, as a -special exception, the source code distributed need not include -anything that is normally distributed (in either source or binary -form) with the major components (compiler, kernel, and so on) of the -operating system on which the executable runs, unless that component -itself accompanies the executable. - -If distribution of executable or object code is made by offering -access to copy from a designated place, then offering equivalent -access to copy the source code from the same place counts as -distribution of the source code, even though third parties are not -compelled to copy the source along with the object code. - - 4. You may not copy, modify, sublicense, or distribute the Program -except as expressly provided under this License. Any attempt -otherwise to copy, modify, sublicense or distribute the Program is -void, and will automatically terminate your rights under this License. -However, parties who have received copies, or rights, from you under -this License will not have their licenses terminated so long as such -parties remain in full compliance. - - 5. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Program or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Program (or any work based on the -Program), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Program or works based on it. - - 6. Each time you redistribute the Program (or any work based on the -Program), the recipient automatically receives a license from the -original licensor to copy, distribute or modify the Program subject to -these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. 
-You are not responsible for enforcing compliance by third parties to -this License. - - 7. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Program at all. For example, if a patent -license would not permit royalty-free redistribution of the Program by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Program. - -If any portion of this section is held invalid or unenforceable under -any particular circumstance, the balance of the section is intended to -apply and the section as a whole is intended to apply in other -circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system, which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 8. 
If the distribution and/or use of the Program is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Program under this License -may add an explicit geographical distribution limitation excluding -those countries, so that distribution is permitted only in or among -countries not thus excluded. In such case, this License incorporates -the limitation as if written in the body of this License. - - 9. The Free Software Foundation may publish revised and/or new versions -of the General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - -Each version is given a distinguishing version number. If the Program -specifies a version number of this License which applies to it and "any -later version", you have the option of following the terms and conditions -either of that version or of any later version published by the Free -Software Foundation. If the Program does not specify a version number of -this License, you may choose any version ever published by the Free Software -Foundation. - - 10. If you wish to incorporate parts of the Program into other free -programs whose distribution conditions are different, write to the author -to ask for permission. For software which is copyrighted by the Free -Software Foundation, write to the Free Software Foundation; we sometimes -make exceptions for this. Our decision will be guided by the two goals -of preserving the free status of all derivatives of our free software and -of promoting the sharing and reuse of software generally. - - NO WARRANTY - - 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN -OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -REPAIR OR CORRECTION. - - 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -POSSIBILITY OF SUCH DAMAGES. diff --git a/pki/base/native-tools/doc/README b/pki/base/native-tools/doc/README deleted file mode 100644 index 01b11a7a3..000000000 --- a/pki/base/native-tools/doc/README +++ /dev/null 
@@ -1,55 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2007 Red Hat, Inc.
-# All rights reserved.
-# --- END COPYRIGHT BLOCK ---
-#
- Certificate System
- Native Command Line Utilities
-
-
-Command Line Utility Purpose
-==============================================================================
-bulkissuance A command line utility utilized
- to send either a KEYGEN or CRMF
- enrollment request to the bulk
- issuance interface for the
- automatic creation of
- certificates.
-
-bulkissuance.data An example data file for use
- with the bulkissuance tool.
-
-revoker A command line tool which may be
- conveniently utilized to
- automate user management scripts
- used to revoke certificates.
-
-setpin A command line tool utilized
- to enable Certificate
- System to utilize PIN-based
- authentication.
-
-setpin.conf The configuration file utilized
- by the setpin command line
- utility.
-
-tkstool A command line tool utilized
- to construct DES 2 symmetric
- keys utilized in conjunction
- with the Certificate
- System Token Key Service
- subsystem.
-
diff --git a/pki/base/native-tools/src/CMakeLists.txt b/pki/base/native-tools/src/CMakeLists.txt
deleted file mode 100644
index c727a9a49..000000000
--- a/pki/base/native-tools/src/CMakeLists.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-add_subdirectory(p7tool)
-add_subdirectory(revoker)
-add_subdirectory(setpin)
-add_subdirectory(sslget)
-add_subdirectory(tkstool)
diff --git a/pki/base/native-tools/src/bulkissuance/CMakeLists.txt b/pki/base/native-tools/src/bulkissuance/CMakeLists.txt
deleted file mode 100644
index 31df27306..000000000
--- a/pki/base/native-tools/src/bulkissuance/CMakeLists.txt
+++ /dev/null
@@ -1,37 +0,0 @@
-project(bulkissuance C)
-
-set(BULKISSUANCE_PRIVATE_INCLUDE_DIRS
- ${CMAKE_BINARY_DIR}
- ${NSPR_INCLUDE_DIRS}
- ${NSS_INCLUDE_DIRS}
-)
-
-set(BULKISSUANCE_LINK_LIBRARIES
- ${NSPR_LIBRARIES}
- ${NSS_LIBRARIES}
-)
-
-set(bulkissuance_SRCS
- bulkissuance.c
- getopt.c
-)
-
-include_directories(${BULKISSUANCE_PRIVATE_INCLUDE_DIRS})
-
-add_executable(bulkissuance ${bulkissuance_SRCS})
-
-target_link_libraries(bulkissuance ${BULKISSUANCE_LINK_LIBRARIES})
-
-install(
- TARGETS bulkissuance
- RUNTIME DESTINATION ${BIN_INSTALL_DIR}
- LIBRARY DESTINATION ${LIB_INSTALL_DIR}
- ARCHIVE DESTINATION ${LIB_INSTALL_DIR}
-)
-
-install(
- FILES
- bulkissuance.data
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/pki/native-tools/
-)
diff --git a/pki/base/native-tools/src/bulkissuance/bulkissuance.c b/pki/base/native-tools/src/bulkissuance/bulkissuance.c
deleted file mode 100644
index ec33e8a7a..000000000
--- a/pki/base/native-tools/src/bulkissuance/bulkissuance.c
+++ /dev/null
@@ -1,807 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -/* vi: set ts=4 sw=4 : */ -#ifdef HAVE_CONFIG_H -#ifndef AUTOTOOLS_CONFIG_H -#define AUTOTOOLS_CONFIG_H - -/* Eliminate warnings when using Autotools */ -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION - -#include <config.h> -#endif /* AUTOTOOLS_CONFIG_H */ -#endif /* HAVE_CONFIG_H */ - -#include <stdio.h> -#include <string.h> -#include <time.h> - -#if defined(XP_UNIX) -#include <unistd.h> -#endif - -#include "ssl.h" - -#include "prerror.h" - -#include "pk11func.h" -#include "secitem.h" - - -#include <stdlib.h> -#include <errno.h> -#include <fcntl.h> -#include <stdarg.h> - -#include "nspr.h" -#include "prio.h" -#include "prnetdb.h" -#include "nss.h" - -/*from nss2.8.4 secopt.h*/ -#ifdef XP_PC - -/* -** This comes from the AT&T public-domain getopt published in mod.sources -** (i.e., comp.sources.unix before the great Usenet renaming). 
-*/ - -extern int opterr; -extern int optind; -extern int optopt; -extern char *optarg; - -#ifdef _WIN32 -static void do_opterr(const char *s, int c, char * const av[]); -#define ERR(s, c) do_opterr(s, c, av) -#else -#define ERR(s, c) /* Win16 doesn't do stderr */ -#endif - -/* -** Return options and their values from the command line. -*/ -int getopt(int ac, char * const av[], const char * opts); -#else -#if defined(LINUX) -#include <getopt.h> -#endif -#endif /* XP_PC */ -/*end secopt.h*/ - -#define VERSIONSTRING "$Revision$ ($Date$)" -#define MAXLEN 50000 - -#ifndef PORT_Sprintf -#define PORT_Sprintf sprintf -#endif - -#ifndef PORT_Strstr -#define PORT_Strstr strstr -#endif - -#ifndef PORT_Malloc -#define PORT_Malloc PR_Malloc -#endif - -#define RD_BUF_SIZE (60 * 1024) - -#define PRINTF if (verbose) printf -#define FPRINTF if (verbose) fprintf -#define FPUTS if (verbose) fputs - -#define MAX_SERIAL_LEN 8192 - -int MakeCertOK=1; - -int verbose; -SECItem bigBuf; - - -static char *ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) -{ - char *passwd = NULL; - - if ( (!retry) && arg ) { - passwd = PL_strdup((char *)arg); - } - - return passwd; -} - -static void -Usage(const char *progName) -{ - fprintf( stderr, - "\n" ); - fprintf( stderr, - "Description: A command-line utility used to send either a KEYGEN or a\n" - " Certificate Request Message Format (CRMF) enrollment\n" - " request to the bulk issuance interface of a\n" - " Certificate Authority (CA) for the automatic\n" - " creation of certificates.\n\n\n" ); - fprintf( stderr, - "Usage:\n\n" - " %s -n rsa_nickname [-p password | -w pwfile ]\n" - " [-d dbdir] [-v] [-V] [-f inputFile] hostname[:port]\n\n" - " where:\n\n" - " -n rsa_nickname nickname of the Agent Certificate\n" - " [-p password | -w pwfile] password OR file containing password\n" - " [-d dbdir] database directory\n" - " [-v] verbose mode\n" - " [-V] version of %s\n" - " [-f inputFile] file containing an http request\n" - " which gets sent to 
the hostname[:port]\n" - " hostname[:port] machine name with optional port address\n\n\n", - progName, progName ); - fprintf( stderr, - "Example (using the example inputFile called \"bulkissuance.data\"):\n\n" ); - fprintf( stderr, - " (1) cd <server-root>/bin/cert/tools\n" ); - fprintf( stderr, - " (2) cp <client-database>/cert8.db .\n" ); - fprintf( stderr, - " (3) cp <client-database>/key3.db .\n" ); - fprintf( stderr, - " (4) Ensure that the agent certificate is\n" - " inside these cert8.db/key3.db databases.\n" - " (for this example, call it \"CS Agent\'s CS ID\")\n" ); - fprintf( stderr, - " (5) ./bulkissuance.sh -n \"CS Agent\'s CS ID\" -p password\n" - " -d . -f bulkissuance.data example.com:8100\n\n" ); - exit( 1 ); -} - - -static void -errWarn(const char * funcString) -{ - PRErrorCode perr = PR_GetError(); - - FPRINTF(stderr, "exit after %s with error %d:\n", funcString,perr ); -} - -static void -errExit(const char * funcString) -{ - errWarn(funcString); - exit(1); -} - -/* This invokes the "default" AuthCert handler in libssl. -** The only reason to use this one is that it prints out info as it goes. -*/ -static SECStatus -mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, - PRBool isServer) -{ - SECStatus rv; - CERTCertificate * peerCert; - - peerCert = SSL_PeerCertificate(fd); - - PRINTF("Subject: %s\nIssuer : %s\n", - peerCert->subjectName, peerCert->issuerName); - /* invoke the "default" AuthCert handler. */ - rv = SSL_AuthCertificate(arg, fd, checkSig, isServer); - - if (rv == SECSuccess) { - FPUTS("-- SSL3: Server Certificate Validated.\n", stderr); - } - /* error, if any, will be displayed by the Bad Cert Handler. */ - return rv; -} - -static SECStatus -myBadCertHandler( void *arg, PRFileDesc *fd) -{ - /* int err = PR_GetError(); */ - /* fprintf(stderr, "-- SSL: Server Certificate Invalid, err %d.\n%s\n", - err, SECU_Strerror(err)); */ - return (MakeCertOK ? 
SECSuccess : SECFailure); -} - - -static SECStatus -my_GetClientAuthData(void * arg, - PRFileDesc * sock, - struct CERTDistNamesStr * caNames, - struct CERTCertificateStr ** pRetCert, - struct SECKEYPrivateKeyStr **pRetKey) -{ - CERTCertificate * cert = NULL; - SECKEYPrivateKey * privkey = NULL; - char * chosenNickName = (char *)arg; /* CONST */ - void * proto_win = NULL; - SECStatus rv = SECFailure; - - FPRINTF(stderr,"Called mygetclientauthdata - nickname = %s\n",chosenNickName); - - proto_win = SSL_RevealPinArg(sock); - - if (chosenNickName) { - cert = PK11_FindCertFromNickname(chosenNickName, proto_win); - FPRINTF(stderr," mygetclientauthdata - cert = %p\n", cert); - if ( cert ) { - privkey = PK11_FindKeyByAnyCert(cert, proto_win); - FPRINTF(stderr," mygetclientauthdata - privkey = %p\n", privkey); - if ( privkey ) { - rv = SECSuccess; - } else { - CERT_DestroyCertificate(cert); - } - } - } else { /* no name given, automatically find the right cert. */ - CERTCertNicknames * names; - int i; - - names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), - SEC_CERT_NICKNAMES_USER, proto_win); - if (names != NULL) { - for (i = 0; i < names->numnicknames; i++) { - cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win); - if ( !cert ) - continue; - /* Only check unexpired certs */ - if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != - secCertTimeValid ) { - CERT_DestroyCertificate(cert); - continue; - } - rv = NSS_CmpCertChainWCANames(cert, caNames); - if ( rv == SECSuccess ) { - privkey = PK11_FindKeyByAnyCert(cert, proto_win); - if ( privkey ) - break; - } - rv = SECFailure; - CERT_DestroyCertificate(cert); - } - CERT_FreeNicknames(names); - } - } - if (rv == SECSuccess) { - *pRetCert = cert; - *pRetKey = privkey; - } - return rv; -} - - - - -static void -printSecurityInfo(PRFileDesc *fd) -{ - char * cp; /* bulk cipher name */ - char * ip; /* cert issuer DN */ - char * sp; /* cert subject DN */ - int op; /* High, Low, Off */ - int kp0; /* total key bits 
*/ - int kp1; /* secret key bits */ - int result; - - static int only_once; - - if (! only_once++ && fd) { - result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); - if (result != SECSuccess) - return; -#if 0 - PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" - "subject DN: %s\n" - "issuer DN: %s\n", cp, kp1, kp0, op, sp, ip); -#else - PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n", - cp, kp1, kp0, op); -#endif - PR_Free(cp); - PR_Free(ip); - PR_Free(sp); - } - -} - - -PRBool useModelSocket = PR_TRUE; - -static const char outHeader[] = { - "HTTP/1.0 200 OK\r\n" - "Server: Netscape-Enterprise/2.0a\r\n" - "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n" - "Content-type: text/plain\r\n" - "\r\n" -}; - - -static PRInt32 -do_writes( - void * a -) -{ - PRFileDesc * ssl_sock = (PRFileDesc *)a; - PRUint32 sent = 0; - PRInt32 count = 0; - - while (sent < bigBuf.len) { - - count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent); - if (count < 0) { - errWarn("PR_Write bigBuf"); - exit(4); - break; - } - FPRINTF(stderr, "PR_Write wrote %d bytes from bigBuf\n", count ); - FPRINTF(stderr, "bytes: [%*s]\n",count,bigBuf.data); - - sent += (PRUint32)count; - } - if (count >= 0) { /* last write didn't fail. */ - FPRINTF(stderr, "do_writes shutting down send socket\n"); - /* PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND); */ - } - - FPRINTF(stderr, "do_writes exiting with (failure = %d)\n", - (sent < bigBuf.len) == SECFailure); - return (sent < bigBuf.len) ? SECFailure : SECSuccess; -} - - - - -static SECStatus -do_io( PRFileDesc *ssl_sock, int connection) -{ - int countRead = 0; - PRInt32 rv; - char *buf; - int first=1; - - buf = PR_Malloc(RD_BUF_SIZE); - if (!buf) exit(5); - - - /* send the http request here. 
*/ - - rv = do_writes(ssl_sock); - - if (rv == SECFailure) { - errWarn("returning from after calling do_writes"); - PR_Free(buf); - buf = 0; - exit(6); - } - printSecurityInfo(ssl_sock); - - /* read until EOF */ - while (1) { - rv = PR_Read(ssl_sock, buf, RD_BUF_SIZE); - if (rv == 0) { - break; /* EOF */ - } - if (rv < 0) { - errWarn("PR_Read"); - exit(1); - } - - countRead += rv; - FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", - connection, rv, countRead ); - FPRINTF(stderr, "these bytes read: "); - if (verbose) { - PR_Write(PR_STDERR,buf,rv); - } - - if (first) { - first=0; - if (rv < 13) { - errWarn("not enough bytes read in first read"); - exit(2); - } else { - if ( ! PL_strnstr(buf,"200",13)) { - exit(3); - } - } - } - } - PR_Free(buf); - buf = 0; - - /* Caller closes the socket. */ - - FPRINTF(stderr, - "connection %d read %d bytes total. -----------------------------\n", - connection, countRead); - - return SECSuccess; /* success */ -} - -static int -do_connect( - PRNetAddr *addr, - PRFileDesc *model_sock, - int connection) -{ - PRFileDesc * ssl_sock; - PRFileDesc * tcp_sock; - PRStatus prStatus; - SECStatus result; - int rv = SECSuccess; - PRSocketOptionData opt; - - int family = PR_NetAddrFamily( addr ); - - tcp_sock = PR_OpenTCPSocket( family ); - if (tcp_sock == NULL) { - errExit("PR_OpenTCPSocket on tcp socket"); - } - - opt.option = PR_SockOpt_Nonblocking; - opt.value.non_blocking = PR_FALSE; - prStatus = PR_SetSocketOption(tcp_sock, &opt); - if (prStatus != PR_SUCCESS) { - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - /* Don't return SECFailure? */ - return SECSuccess; - } - - prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); - if (prStatus != PR_SUCCESS) { - errWarn("PR_Connect"); - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - exit(6); - } - - ssl_sock = SSL_ImportFD(model_sock, tcp_sock); - /* XXX if this import fails, close tcp_sock and return. 
*/ - if (!ssl_sock) { - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - exit(7); - } - - rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); - if (rv != SECSuccess) { - errWarn("SSL_ResetHandshake"); - exit(8); - } - - result = do_io( ssl_sock, connection); - - if( ssl_sock != NULL ) { - PR_Close(ssl_sock); - ssl_sock = NULL; - } - return SECSuccess; -} - -#if 0 -/* Returns IP address for hostname as PRUint32 in Host Byte Order. -** Since the value returned is an integer (not a string of bytes), -** it is inherently in Host Byte Order. -*/ -static PRUint32 -getIPAddress(const char * hostName) -{ - const unsigned char *p; - PRStatus prStatus; - PRUint32 rv; - PRHostEnt prHostEnt; - char scratch[PR_NETDB_BUF_SIZE]; - - prStatus = PR_GetHostByName(hostName, scratch, sizeof scratch, &prHostEnt); - if (prStatus != PR_SUCCESS) - errExit("PR_GetHostByName"); - -#undef h_addr -#define h_addr h_addr_list[0] /* address, for backward compatibility */ - - p = (const unsigned char *)(prHostEnt.h_addr); /* in Network Byte order */ - FPRINTF(stderr, "%s -> %d.%d.%d.%d\n", hostName, p[0], p[1], p[2], p[3]); - rv = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - return rv; -} -#endif - -static void -client_main( - unsigned short port, - int connections, - SECKEYPrivateKey ** privKey, - CERTCertificate ** cert, - const char * hostName, - char * nickName) -{ - PRFileDesc *model_sock = NULL; - int rv; - PRAddrInfo *ai; - void *iter; - PRNetAddr addr; - int family = PR_AF_INET; - - - - FPRINTF(stderr, "port: %d\n", port); - - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ - NSS_SetDomesticPolicy(); - - /* all the SSL2 and SSL3 cipher suites are enabled by default. 
*/ - /* SSL_CipherPrefSetDefault(0xC005 */ - /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */ - /*, PR_TRUE); */ - - /* - * Rifle through the values for the host - */ - - ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); - if (ai) { - FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); - iter = NULL; - while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { - family = PR_NetAddrFamily(&addr); - FPRINTF( stderr, "family='%d'\n", family ); - break; - } - PR_FreeAddrInfo(ai); - } - - PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); - - model_sock = PR_OpenTCPSocket( family ); - if (model_sock == NULL) { - errExit("PR_OpenTCPSocket on tcp socket"); - } - - /* Should we really be re-using the same socket? */ - model_sock = SSL_ImportFD(NULL, model_sock); - - - /* check on success of call to SSL_ImportFD() */ - if (model_sock == NULL) { - errExit("SSL_ImportFD"); - } - - /* enable ECC cipher also */ - - /* do SSL configuration. */ - - rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); - if (rv < 0) { - if( model_sock != NULL ) { - PR_Close( model_sock ); - model_sock = NULL; - } - errExit("SSL_OptionSet SSL_SECURITY"); - } - - SSL_SetURL(model_sock, hostName); - - SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, - (void *)CERT_GetDefaultCertDB()); - - SSL_BadCertHook(model_sock, myBadCertHandler, NULL); - - SSL_GetClientAuthDataHook(model_sock, - (SSLGetClientAuthData)my_GetClientAuthData, - nickName); - - /* I'm not going to set the HandshakeCallback function. */ - - /* end of ssl configuration. 
*/ - - rv = do_connect(&addr, model_sock, 1); - - if( model_sock != NULL ) { - PR_Close( model_sock ); - model_sock = NULL; - } -} - - -static SECStatus -createRequest(char *progName, char *path) -{ - char *temp; - char * newstr; - FILE *fp; - - temp = (char *)malloc(MAXLEN); - fp = fopen(path, "r"); - if (fp == NULL) { - fputs("Input file must be provided on command line in this version" - " of bulk issuance client.\n", stderr); - Usage(progName); - } else { - temp = fgets(temp, MAXLEN, fp); - if (temp == NULL) { - fclose(fp); - fputs("File is empty\n", stderr); - exit(1); - } - - fclose(fp); - } - - newstr = PR_smprintf("%s\r\n\r\n", temp); -/* - "GET /ca/bulkissuance?csrRequestorName=++&CN=a&UID=a&E=a&OU=&O=&C=US&email=true&ssl_client=true&digital_signature=true&non_repudiation=true&key_encipherment=true&challengePassword=&confirmChallengePassword=&csrRequestorEmail=a&csrRequestorPhone=&csrRequestorComments=&CRMFRequest=MIICTDCB%2BzCB8wICJ4EwgbWAAQKlQDA%2BMQswCQYDVQQGEwJVUzERMA8GCgmSJomT%0D%0A8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0BCQEWAWGmXDANBgkqhkiG%0D%0A9w0BAQEFAANLADBIAkEA3R3vkvw3%2F4f5eDJZszB2%2B8BhWtNgwX97KV%2FydZ1kPlei%0D%0AcJwIcHfLbp6tRYs2iKAxbTuw01H1P9gdUIx1nY7R0QIDAQABqRAwDgYDVR0PAQH%2F%0D%0ABAQDAgUgMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNhdG9yADAWBgkrBgEFBQcF%0D%0AAQEMCXJlZ1Rva2VuAKIDgQEBMIIBSjCB8wICRGswgbWAAQKlQDA%2BMQswCQYDVQQG%0D%0AEwJVUzERMA8GCgmSJomT8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0B%0D%0ACQEWAWGmXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuf9KVCouLB6rKI290XpSghLe%0D%0APtYxSBdGv5gnzYVyokz9DPSSTeRBCUQDGWCVMIgMrUMABK0tkXPlVrD8lylVWQID%0D%0AAQABqRAwDgYDVR0PAQH%2FBAQDAgeAMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNh%0D%0AdG9yADAWBgkrBgEFBQcFAQEMCXJlZ1Rva2VuAKFSMA0GCSqGSIb3DQEBBQUAA0EA%0D%0Aq0tNDOzqcDI%2BwQ6gZMsCbYLh7MBBAzJo8Z67ddx%2BOS%2FZjCAtAbdabeazQnu0UOfN%0D%0A0HwLPDcNuurcvw4y604ang%3D%3D&cmmfResponse=true&certNickname=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&subject=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&requestFormat=keygen&certType=client HTTP/1.0\r\n" - 
"Content-Type: application/x-www-form-urlencoded\r\n" - "\r\n"); -*/ - - bigBuf.data = (unsigned char *)newstr; - - FPUTS((char *)bigBuf.data, stderr); - - bigBuf.len = PORT_Strlen((char *)bigBuf.data); - - free(temp); - - return SECSuccess; -} - -int -main(int argc, char **argv) -{ - const char * dir = "."; - char * hostName = NULL; - char * nickName = NULL; - char * progName = NULL; - char * tmp = NULL; - CERTCertificate * cert [kt_kea_size] = { NULL }; - SECKEYPrivateKey * privKey[kt_kea_size] = { NULL }; - int optchar; - int connections = 1; - int tmpI; - unsigned short port = 443; - SECStatus rv; - char * passwd = NULL; - char * passwdfile = NULL; - char path[1000]; - FILE *fp; - char pwbuf[256]; - int co; - char *crlf; - - /* Call the NSPR initialization routines */ - PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); - - tmp = strrchr(argv[0], '/'); - tmp = tmp ? tmp + 1 : argv[0]; - progName = strrchr(tmp, '\\'); - progName = progName ? progName + 1 : tmp; - - - while ((optchar = getopt(argc, argv, "Vd:n:p:f:v")) != -1) { - switch(optchar) { - - case 'V': - PRINTF("%s\n",VERSIONSTRING); - break; - - case 'd': - dir = optarg; - break; - - case 'n': - nickName = optarg; - break; - - case 'p': - passwd = optarg; - break; - - case 'w': - passwdfile = optarg; - break; - - case 'v': - verbose++; - break; - - case 'f': - strcpy(path, optarg); - break; - - default: - case '?': - Usage(progName); - break; - - } - } - if (optind != argc - 1) - Usage(progName); - - hostName = argv[optind]; - tmp = strchr(hostName, ':'); - if (tmp) { - *tmp++ = 0; - tmpI = atoi(tmp); - if (tmpI <= 0) - Usage(progName); - port = (unsigned short)tmpI; - } - - if (!nickName) - Usage(progName); - - createRequest(progName, path); - - if (passwdfile) { - fp = fopen(passwdfile,"r"); - if (!fp) { fprintf(stderr, "Couldn't open password file\n"); exit(7); } - co = fread(pwbuf,1,256,fp); - pwbuf[co] = '\0'; - crlf = PL_strchr(pwbuf,'\n'); - if (crlf) { - *crlf = '\0'; - } - passwd = pwbuf; - } - 
- /* set our password function */
- if (passwd == NULL) {
- PRINTF("Password must be provided on command line in this version of revoker.\n");
- Usage(progName);
- }
- PK11_SetPasswordFunc(ownPasswd);
-
- /* Call the libsec initialization routines */
- rv = NSS_Init(dir);
- if (rv != SECSuccess) {
- fputs("NSS_Init failed.\n", stderr);
- exit(1);
- }
-
- cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd);
- if (cert[kt_rsa] == NULL) {
- fprintf(stderr, "Can't find certificate %s\n", nickName);
- exit(1);
- }
-
- privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd);
- if (privKey[kt_rsa] == NULL) {
- fprintf(stderr, "Can't find Private Key for cert %s (possibly incorrect password)\n", nickName);
- exit(1);
- }
-
-
- client_main(port, connections, privKey, cert, hostName, nickName);
-
- NSS_Shutdown();
- PR_Cleanup();
- return 0;
-}
-
diff --git a/pki/base/native-tools/src/bulkissuance/bulkissuance.data b/pki/base/native-tools/src/bulkissuance/bulkissuance.data
deleted file mode 100644
index 1d68c26a1..000000000
--- a/pki/base/native-tools/src/bulkissuance/bulkissuance.data
+++ /dev/null
@@ -1 +0,0 @@
-GET /ca/agent/ca/bulkissuance?csrRequestorName=++&CN=a&UID=a&E=a&OU=&O=&C=US&email=true&ssl_client=true&digital_signature=true&non_repudiation=true&key_encipherment=true&challengePassword=&confirmChallengePassword=&csrRequestorEmail=a&csrRequestorPhone=&csrRequestorComments=&CRMFRequest=MIICTDCB%2BzCB8wICJ4EwgbWAAQKlQDA%2BMQswCQYDVQQGEwJVUzERMA8GCgmSJomT%0D%0A8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0BCQEWAWGmXDANBgkqhkiG%0D%0A9w0BAQEFAANLADBIAkEA3R3vkvw3%2F4f5eDJZszB2%2B8BhWtNgwX97KV%2FydZ1kPlei%0D%0AcJwIcHfLbp6tRYs2iKAxbTuw01H1P9gdUIx1nY7R0QIDAQABqRAwDgYDVR0PAQH%2F%0D%0ABAQDAgUgMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNhdG9yADAWBgkrBgEFBQcF%0D%0AAQEMCXJlZ1Rva2VuAKIDgQEBMIIBSjCB8wICRGswgbWAAQKlQDA%2BMQswCQYDVQQG%0D%0AEwJVUzERMA8GCgmSJomT8ixkAQETAWExCjAIBgNVBAMTAWExEDAOBgkqhkiG9w0B%0D%0ACQEWAWGmXDANBgkqhkiG9w0BAQEFAANLADBIAkEAuf9KVCouLB6rKI290XpSghLe%0D%0APtYxSBdGv5gnzYVyokz9DPSSTeRBCUQDGWCVMIgMrUMABK0tkXPlVrD8lylVWQID%0D%0AAQABqRAwDgYDVR0PAQH%2FBAQDAgeAMDUwGwYJKwYBBQUHBQECDA5hdXRoZW50aWNh%0D%0AdG9yADAWBgkrBgEFBQcFAQEMCXJlZ1Rva2VuAKFSMA0GCSqGSIb3DQEBBQUAA0EA%0D%0Aq0tNDOzqcDI%2BwQ6gZMsCbYLh7MBBAzJo8Z67ddx%2BOS%2FZjCAtAbdabeazQnu0UOfN%0D%0A0HwLPDcNuurcvw4y604ang%3D%3D&cmmfResponse=true&certNickname=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&subject=E%3Da%2C+CN%3Da%2C+UID%3Da%2C+C%3DUS&requestFormat=CRMF&certType=client HTTP/1.0
diff --git a/pki/base/native-tools/src/bulkissuance/getopt.c b/pki/base/native-tools/src/bulkissuance/getopt.c
deleted file mode 100644
index 7554e1a14..000000000
--- a/pki/base/native-tools/src/bulkissuance/getopt.c
+++ /dev/null
@@ -1,126 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * The contents of this file are subject to the Mozilla Public - * License Version 1.1 (the "License"); you may not use this file - * except in compliance with the License. You may obtain a copy of - * the License at http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS - * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - * implied. See the License for the specific language governing - * rights and limitations under the License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is Netscape - * Communications Corporation. Portions created by Netscape are - * Copyright (C) 1994-2000 Netscape Communications Corporation. All - * Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the - * terms of the GNU General Public License Version 2 or later (the - * "GPL"), in which case the provisions of the GPL are applicable - * instead of those above. If you wish to allow use of your - * version of this file only under the terms of the GPL and not to - * allow others to use your version of this file under the MPL, - * indicate your decision by deleting the provisions above and - * replace them with the notice and other provisions required by - * the GPL. If you do not delete the provisions above, a recipient - * may use your version of this file under either the MPL or the - * GPL. - * - * END COPYRIGHT BLOCK **/ -#ifdef XP_PC - -/* -** This comes from the AT&T public-domain getopt published in mod.sources -** (i.e., comp.sources.unix before the great Usenet renaming). -*/ - -#include <stdio.h> -#include <string.h> /* for str*() */ -#include <io.h> /* for write() */ - -int opterr = 1; /* boolean flag, says "report error on stderr." */ -int optind = 1; /* index to element of argv from which options are - ** being parsed. 
*/
-int optopt = 0; /* option character */
-char *optarg; /* ptr to option's parameter arg. */
-
-#ifdef _WIN32
-static void
-do_opterr(const char *s, int c, char * const av[])
-{
- if (opterr) {
- char buff[2];
- int fd = _fileno(stderr);
-
- buff[0] = (char)c;
- buff[1] = '\n';
- (void)write(fd, av[0], strlen(av[0]));
- (void)write(fd, s, strlen(s));
- (void)write(fd, buff, 2);
- }
-}
-#define ERR(s, c) do_opterr(s, c, av)
-#else
-#define ERR(s, c) /* Win16 doesn't do stderr */
-#endif
-
-/*
-** Return options and their values from the command line.
-*/
-int
-getopt(int ac, char * const av[], const char * opts)
-{
- static int i = 1; /* offset of current option char in current arg. */
- char *p; /* opt char in opts that matched. */
-
- /* Move to next value from argv? */
- if (i == 1) {
- if (optind >= ac || av[optind][0] != '-' || av[optind][1] == '\0')
- return EOF;
- if (strcmp(av[optind], "--") == 0) {
- optind++;
- return EOF;
- }
- }
-
- /* Get next option character. */
- if ((optopt = av[optind][i]) == ':' ||
- (p = strchr(opts, optopt)) == NULL) {
- ERR(": illegal option -- ", optopt);
- if (av[optind][++i] == '\0') {
- optind++;
- i = 1;
- }
- return '?';
- }
-
- /* Snarf argument? */
- if (*++p == ':') {
- if (av[optind][i + 1] != '\0')
- optarg = &av[optind++][i + 1];
- else {
- if (++optind >= ac) {
- ERR(": option requires an argument -- ", optopt);
- i = 1;
- return '?';
- }
- optarg = av[optind++];
- }
- i = 1;
- } else {
- if (av[optind][++i] == '\0') {
- i = 1;
- optind++;
- }
- optarg = NULL;
- }
-
- return optopt;
-}
-
-#endif /* XP_PC */
diff --git a/pki/base/native-tools/src/p7tool/CMakeLists.txt b/pki/base/native-tools/src/p7tool/CMakeLists.txt
deleted file mode 100644
index 6adfbedb7..000000000
--- a/pki/base/native-tools/src/p7tool/CMakeLists.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-project(p7tool C)
-
-set(P7TOOL_PRIVATE_INCLUDE_DIRS
- ${CMAKE_BINARY_DIR}
- ${NSPR_INCLUDE_DIRS}
- ${NSS_INCLUDE_DIRS}
-)
-
-set(P7TOOL_LINK_LIBRARIES
- ${NSPR_LIBRARIES}
- ${NSS_LIBRARIES}
-)
-
-set(p7tool_SRCS
- secerror.c
- secpwd.c
- secutil.c
- pppolicy.c
- p7tool.c
-)
-
-include_directories(${P7TOOL_PRIVATE_INCLUDE_DIRS})
-
-add_executable(p7tool ${p7tool_SRCS})
-
-target_link_libraries(p7tool ${P7TOOL_LINK_LIBRARIES})
-
-install(
- TARGETS p7tool
- RUNTIME DESTINATION ${BIN_INSTALL_DIR}
- LIBRARY DESTINATION ${LIB_INSTALL_DIR}
- ARCHIVE DESTINATION ${LIB_INSTALL_DIR}
-)
diff --git a/pki/base/native-tools/src/p7tool/NSPRerrs.h b/pki/base/native-tools/src/p7tool/NSPRerrs.h
deleted file mode 100644
index f0bc8b77e..000000000
--- a/pki/base/native-tools/src/p7tool/NSPRerrs.h
+++ /dev/null
@@ -1,161 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/NSPRerrs.h - */ - -/* General NSPR 2.0 errors */ -/* Caller must #include "prerror.h" */ - -ER2( PR_OUT_OF_MEMORY_ERROR, "Memory allocation attempt failed." ) -ER2( PR_BAD_DESCRIPTOR_ERROR, "Invalid file descriptor." ) -ER2( PR_WOULD_BLOCK_ERROR, "The operation would have blocked." ) -ER2( PR_ACCESS_FAULT_ERROR, "Invalid memory address argument." ) -ER2( PR_INVALID_METHOD_ERROR, "Invalid function for file type." ) -ER2( PR_ILLEGAL_ACCESS_ERROR, "Invalid memory address argument." ) -ER2( PR_UNKNOWN_ERROR, "Some unknown error has occurred." ) -ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." ) -ER2( PR_NOT_IMPLEMENTED_ERROR, "function not implemented." ) -ER2( PR_IO_ERROR, "I/O function error." ) -ER2( PR_IO_TIMEOUT_ERROR, "I/O operation timed out." ) -ER2( PR_IO_PENDING_ERROR, "I/O operation on busy file descriptor." ) -ER2( PR_DIRECTORY_OPEN_ERROR, "The directory could not be opened." ) -ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." ) -ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." ) -ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." ) -ER2( PR_IS_CONNECTED_ERROR, "Already connected." ) -ER2( PR_BAD_ADDRESS_ERROR, "Network address is invalid." ) -ER2( PR_ADDRESS_IN_USE_ERROR, "Local Network address is in use." ) -ER2( PR_CONNECT_REFUSED_ERROR, "Connection refused by peer." ) -ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." ) -ER2( PR_CONNECT_TIMEOUT_ERROR, "Connection attempt timed out." ) -ER2( PR_NOT_CONNECTED_ERROR, "Network file descriptor is not connected." ) -ER2( PR_LOAD_LIBRARY_ERROR, "Failure to load dynamic library." ) -ER2( PR_UNLOAD_LIBRARY_ERROR, "Failure to unload dynamic library." 
) -ER2( PR_FIND_SYMBOL_ERROR, -"Symbol not found in any of the loaded dynamic libraries." ) -ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." ) -ER2( PR_DIRECTORY_LOOKUP_ERROR, -"A directory lookup on a network address has failed." ) -ER2( PR_TPD_RANGE_ERROR, -"Attempt to access a TPD key that is out of range." ) -ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." ) -ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." ) -ER2( PR_NOT_SOCKET_ERROR, -"Network operation attempted on non-network file descriptor." ) -ER2( PR_NOT_TCP_SOCKET_ERROR, -"TCP-specific function attempted on a non-TCP file descriptor." ) -ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." ) -ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." ) -ER2( PR_OPERATION_NOT_SUPPORTED_ERROR, -"The requested operation is not supported by the platform." ) -ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR, -"The host operating system does not support the protocol requested." ) -ER2( PR_REMOTE_FILE_ERROR, "Access to the remote file has been severed." ) -ER2( PR_BUFFER_OVERFLOW_ERROR, -"The value requested is too large to be stored in the data buffer provided." ) -ER2( PR_CONNECT_RESET_ERROR, "TCP connection reset by peer." ) -ER2( PR_RANGE_ERROR, "Unused." ) -ER2( PR_DEADLOCK_ERROR, "The operation would have deadlocked." ) -ER2( PR_FILE_IS_LOCKED_ERROR, "The file is already locked." ) -ER2( PR_FILE_TOO_BIG_ERROR, -"Write would result in file larger than the system allows." ) -ER2( PR_NO_DEVICE_SPACE_ERROR, "The device for storing the file is full." ) -ER2( PR_PIPE_ERROR, "Unused." ) -ER2( PR_NO_SEEK_DEVICE_ERROR, "Unused." ) -ER2( PR_IS_DIRECTORY_ERROR, -"Cannot perform a normal file operation on a directory." ) -ER2( PR_LOOP_ERROR, "Symbolic link loop." ) -ER2( PR_NAME_TOO_LONG_ERROR, "File name is too long." ) -ER2( PR_FILE_NOT_FOUND_ERROR, "File not found." 
) -ER2( PR_NOT_DIRECTORY_ERROR, -"Cannot perform directory operation on a normal file." ) -ER2( PR_READ_ONLY_FILESYSTEM_ERROR, -"Cannot write to a read-only file system." ) -ER2( PR_DIRECTORY_NOT_EMPTY_ERROR, -"Cannot delete a directory that is not empty." ) -ER2( PR_FILESYSTEM_MOUNTED_ERROR, -"Cannot delete or rename a file object while the file system is busy." ) -ER2( PR_NOT_SAME_DEVICE_ERROR, -"Cannot rename a file to a file system on another device." ) -ER2( PR_DIRECTORY_CORRUPTED_ERROR, -"The directory object in the file system is corrupted." ) -ER2( PR_FILE_EXISTS_ERROR, -"Cannot create or rename a filename that already exists." ) -ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR, -"Directory is full. No additional filenames may be added." ) -ER2( PR_INVALID_DEVICE_STATE_ERROR, -"The required device was in an invalid state." ) -ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." ) -ER2( PR_NO_MORE_FILES_ERROR, "No more entries in the directory." ) -ER2( PR_END_OF_FILE_ERROR, "Encountered end of file." ) -ER2( PR_FILE_SEEK_ERROR, "Seek error." ) -ER2( PR_FILE_IS_BUSY_ERROR, "The file is busy." ) -ER2( PR_IN_PROGRESS_ERROR, -"Operation is still in progress (probably a non-blocking connect)." ) -ER2( PR_ALREADY_INITIATED_ERROR, -"Operation has already been initiated (probably a non-blocking connect)." ) - -#ifdef PR_GROUP_EMPTY_ERROR -ER2( PR_GROUP_EMPTY_ERROR, "The wait group is empty." ) -#endif - -#ifdef PR_INVALID_STATE_ERROR -ER2( PR_INVALID_STATE_ERROR, "Object state improper for request." ) -#endif - -#ifdef PR_NETWORK_DOWN_ERROR -ER2( PR_NETWORK_DOWN_ERROR, "Network is down." ) -#endif - -#ifdef PR_SOCKET_SHUTDOWN_ERROR -ER2( PR_SOCKET_SHUTDOWN_ERROR, "The socket was previously shut down." ) -#endif - -#ifdef PR_CONNECT_ABORTED_ERROR -ER2( PR_CONNECT_ABORTED_ERROR, "TCP Connection aborted." ) -#endif - -#ifdef PR_HOST_UNREACHABLE_ERROR -ER2( PR_HOST_UNREACHABLE_ERROR, "Host is unreachable." 
)
-#endif
-
-/* always last */
-ER2( PR_MAX_ERROR, "Placeholder for the end of the list" )
diff --git a/pki/base/native-tools/src/p7tool/SECerrs.h b/pki/base/native-tools/src/p7tool/SECerrs.h
deleted file mode 100644
index 55858b98f..000000000
--- a/pki/base/native-tools/src/p7tool/SECerrs.h
+++ /dev/null
@@ -1,523 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SECerrs.h - */ - -/* General security error codes */ -/* Caller must #include "secerr.h" */ - -ER3(SEC_ERROR_IO, SEC_ERROR_BASE + 0, -"An I/O error occurred during security authorization.") - -ER3(SEC_ERROR_LIBRARY_FAILURE, SEC_ERROR_BASE + 1, -"security library failure.") - -ER3(SEC_ERROR_BAD_DATA, SEC_ERROR_BASE + 2, -"security library: received bad data.") - -ER3(SEC_ERROR_OUTPUT_LEN, SEC_ERROR_BASE + 3, -"security library: output length error.") - -ER3(SEC_ERROR_INPUT_LEN, SEC_ERROR_BASE + 4, -"security library has experienced an input length error.") - -ER3(SEC_ERROR_INVALID_ARGS, SEC_ERROR_BASE + 5, -"security library: invalid arguments.") - -ER3(SEC_ERROR_INVALID_ALGORITHM, SEC_ERROR_BASE + 6, -"security library: invalid algorithm.") - -ER3(SEC_ERROR_INVALID_AVA, SEC_ERROR_BASE + 7, -"security library: invalid AVA.") - -ER3(SEC_ERROR_INVALID_TIME, SEC_ERROR_BASE + 8, -"Improperly formatted time string.") - -ER3(SEC_ERROR_BAD_DER, SEC_ERROR_BASE + 9, -"security library: improperly formatted DER-encoded message.") - -ER3(SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BASE + 10, -"Peer's certificate has an invalid signature.") - -ER3(SEC_ERROR_EXPIRED_CERTIFICATE, SEC_ERROR_BASE + 11, -"Peer's Certificate has expired.") - -ER3(SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_BASE + 12, -"Peer's Certificate has been revoked.") - -ER3(SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_BASE + 13, -"Peer's Certificate issuer is not recognized.") - -ER3(SEC_ERROR_BAD_KEY, SEC_ERROR_BASE + 14, -"Peer's public key is invalid.") - -ER3(SEC_ERROR_BAD_PASSWORD, SEC_ERROR_BASE + 15, -"The security password entered is incorrect.") - -ER3(SEC_ERROR_RETRY_PASSWORD, SEC_ERROR_BASE + 16, -"New password entered incorrectly. 
Please try again.") - -ER3(SEC_ERROR_NO_NODELOCK, SEC_ERROR_BASE + 17, -"security library: no nodelock.") - -ER3(SEC_ERROR_BAD_DATABASE, SEC_ERROR_BASE + 18, -"security library: bad database.") - -ER3(SEC_ERROR_NO_MEMORY, SEC_ERROR_BASE + 19, -"security library: memory allocation failure.") - -ER3(SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_BASE + 20, -"Peer's certificate issuer has been marked as not trusted by the user.") - -ER3(SEC_ERROR_UNTRUSTED_CERT, SEC_ERROR_BASE + 21, -"Peer's certificate has been marked as not trusted by the user.") - -ER3(SEC_ERROR_DUPLICATE_CERT, (SEC_ERROR_BASE + 22), -"Certificate already exists in your database.") - -ER3(SEC_ERROR_DUPLICATE_CERT_NAME, (SEC_ERROR_BASE + 23), -"Downloaded certificate's name duplicates one already in your database.") - -ER3(SEC_ERROR_ADDING_CERT, (SEC_ERROR_BASE + 24), -"Error adding certificate to database.") - -ER3(SEC_ERROR_FILING_KEY, (SEC_ERROR_BASE + 25), -"Error refiling the key for this certificate.") - -ER3(SEC_ERROR_NO_KEY, (SEC_ERROR_BASE + 26), -"The private key for this certificate cannot be found in key database") - -ER3(SEC_ERROR_CERT_VALID, (SEC_ERROR_BASE + 27), -"This certificate is valid.") - -ER3(SEC_ERROR_CERT_NOT_VALID, (SEC_ERROR_BASE + 28), -"This certificate is not valid.") - -ER3(SEC_ERROR_CERT_NO_RESPONSE, (SEC_ERROR_BASE + 29), -"Cert Library: No Response") - -ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, (SEC_ERROR_BASE + 30), -"The certificate issuer's certificate has expired. Check your system date and time.") - -ER3(SEC_ERROR_CRL_EXPIRED, (SEC_ERROR_BASE + 31), -"The CRL for the certificate's issuer has expired. 
Update it or check your system data and time.") - -ER3(SEC_ERROR_CRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 32), -"The CRL for the certificate's issuer has an invalid signature.") - -ER3(SEC_ERROR_CRL_INVALID, (SEC_ERROR_BASE + 33), -"New CRL has an invalid format.") - -ER3(SEC_ERROR_EXTENSION_VALUE_INVALID, (SEC_ERROR_BASE + 34), -"Certificate extension value is invalid.") - -ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35), -"Certificate extension not found.") - -ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36), -"Issuer certificate is invalid.") - -ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37), -"Certificate path length constraint is invalid.") - -ER3(SEC_ERROR_CERT_USAGES_INVALID, (SEC_ERROR_BASE + 38), -"Certificate usages field is invalid.") - -ER3(SEC_INTERNAL_ONLY, (SEC_ERROR_BASE + 39), -"**Internal ONLY module**") - -ER3(SEC_ERROR_INVALID_KEY, (SEC_ERROR_BASE + 40), -"The key does not support the requested operation.") - -ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 41), -"Certificate contains unknown critical extension.") - -ER3(SEC_ERROR_OLD_CRL, (SEC_ERROR_BASE + 42), -"New CRL is not later than the current one.") - -ER3(SEC_ERROR_NO_EMAIL_CERT, (SEC_ERROR_BASE + 43), -"Not encrypted or signed: you do not yet have an email certificate.") - -ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, (SEC_ERROR_BASE + 44), -"Not encrypted: you do not have certificates for each of the recipients.") - -ER3(SEC_ERROR_NOT_A_RECIPIENT, (SEC_ERROR_BASE + 45), -"Cannot decrypt: you are not a recipient, or matching certificate and \ -private key not found.") - -ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH, (SEC_ERROR_BASE + 46), -"Cannot decrypt: key encryption algorithm does not match your certificate.") - -ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE, (SEC_ERROR_BASE + 47), -"Signature verification failed: no signer found, too many signers found, \ -or improper or corrupted data.") - -ER3(SEC_ERROR_UNSUPPORTED_KEYALG, (SEC_ERROR_BASE + 48), -"Unsupported or 
unknown key algorithm.") - -ER3(SEC_ERROR_DECRYPTION_DISALLOWED, (SEC_ERROR_BASE + 49), -"Cannot decrypt: encrypted using a disallowed algorithm or key size.") - - -/* Fortezza Alerts */ -ER3(XP_SEC_FORTEZZA_BAD_CARD, (SEC_ERROR_BASE + 50), -"Fortezza card has not been properly initialized. \ -Please remove it and return it to your issuer.") - -ER3(XP_SEC_FORTEZZA_NO_CARD, (SEC_ERROR_BASE + 51), -"No Fortezza cards Found") - -ER3(XP_SEC_FORTEZZA_NONE_SELECTED, (SEC_ERROR_BASE + 52), -"No Fortezza card selected") - -ER3(XP_SEC_FORTEZZA_MORE_INFO, (SEC_ERROR_BASE + 53), -"Please select a personality to get more info on") - -ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND, (SEC_ERROR_BASE + 54), -"Personality not found") - -ER3(XP_SEC_FORTEZZA_NO_MORE_INFO, (SEC_ERROR_BASE + 55), -"No more information on that Personality") - -ER3(XP_SEC_FORTEZZA_BAD_PIN, (SEC_ERROR_BASE + 56), -"Invalid Pin") - -ER3(XP_SEC_FORTEZZA_PERSON_ERROR, (SEC_ERROR_BASE + 57), -"Couldn't initialize Fortezza personalities.") -/* end fortezza alerts. 
*/ - -ER3(SEC_ERROR_NO_KRL, (SEC_ERROR_BASE + 58), -"No KRL for this site's certificate has been found.") - -ER3(SEC_ERROR_KRL_EXPIRED, (SEC_ERROR_BASE + 59), -"The KRL for this site's certificate has expired.") - -ER3(SEC_ERROR_KRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 60), -"The KRL for this site's certificate has an invalid signature.") - -ER3(SEC_ERROR_REVOKED_KEY, (SEC_ERROR_BASE + 61), -"The key for this site's certificate has been revoked.") - -ER3(SEC_ERROR_KRL_INVALID, (SEC_ERROR_BASE + 62), -"New KRL has an invalid format.") - -ER3(SEC_ERROR_NEED_RANDOM, (SEC_ERROR_BASE + 63), -"security library: need random data.") - -ER3(SEC_ERROR_NO_MODULE, (SEC_ERROR_BASE + 64), -"security library: no security module can perform the requested operation.") - -ER3(SEC_ERROR_NO_TOKEN, (SEC_ERROR_BASE + 65), -"The security card or token does not exist, needs to be initialized, or has been removed.") - -ER3(SEC_ERROR_READ_ONLY, (SEC_ERROR_BASE + 66), -"security library: read-only database.") - -ER3(SEC_ERROR_NO_SLOT_SELECTED, (SEC_ERROR_BASE + 67), -"No slot or token was selected.") - -ER3(SEC_ERROR_CERT_NICKNAME_COLLISION, (SEC_ERROR_BASE + 68), -"A certificate with the same nickname already exists.") - -ER3(SEC_ERROR_KEY_NICKNAME_COLLISION, (SEC_ERROR_BASE + 69), -"A key with the same nickname already exists.") - -ER3(SEC_ERROR_SAFE_NOT_CREATED, (SEC_ERROR_BASE + 70), -"error while creating safe object") - -ER3(SEC_ERROR_BAGGAGE_NOT_CREATED, (SEC_ERROR_BASE + 71), -"error while creating baggage object") - -ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR, (SEC_ERROR_BASE + 72), -"Couldn't remove the principal") - -ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR, (SEC_ERROR_BASE + 73), -"Couldn't delete the privilege") - -ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR, (SEC_ERROR_BASE + 74), -"This principal doesn't have a certificate") - -ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM, (SEC_ERROR_BASE + 75), -"Required algorithm is not allowed.") - -ER3(SEC_ERROR_EXPORTING_CERTIFICATES, (SEC_ERROR_BASE + 76), -"Error 
attempting to export certificates.")
-
-ER3(SEC_ERROR_IMPORTING_CERTIFICATES, (SEC_ERROR_BASE + 77),
-"Error attempting to import certificates.")
-
-ER3(SEC_ERROR_PKCS12_DECODING_PFX, (SEC_ERROR_BASE + 78),
-"Unable to import. Decoding error. File not valid.")
-
-ER3(SEC_ERROR_PKCS12_INVALID_MAC, (SEC_ERROR_BASE + 79),
-"Unable to import. Invalid MAC. Incorrect password or corrupt file.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, (SEC_ERROR_BASE + 80),
-"Unable to import. MAC algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81),
-"Unable to import. Only password integrity and privacy modes supported.")
-
-ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, (SEC_ERROR_BASE + 82),
-"Unable to import. File structure is corrupt.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83),
-"Unable to import. Encryption algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, (SEC_ERROR_BASE + 84),
-"Unable to import. File version not supported.")
-
-ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85),
-"Unable to import. Incorrect privacy password.")
-
-ER3(SEC_ERROR_PKCS12_CERT_COLLISION, (SEC_ERROR_BASE + 86),
-"Unable to import.
Same nickname already exists in database.")
-
-ER3(SEC_ERROR_USER_CANCELLED, (SEC_ERROR_BASE + 87),
-"The user pressed cancel.")
-
-ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA, (SEC_ERROR_BASE + 88),
-"Not imported, already in database.")
-
-ER3(SEC_ERROR_MESSAGE_SEND_ABORTED, (SEC_ERROR_BASE + 89),
-"Message not sent.")
-
-ER3(SEC_ERROR_INADEQUATE_KEY_USAGE, (SEC_ERROR_BASE + 90),
-"Certificate key usage inadequate for attempted operation.")
-
-ER3(SEC_ERROR_INADEQUATE_CERT_TYPE, (SEC_ERROR_BASE + 91),
-"Certificate type not approved for application.")
-
-ER3(SEC_ERROR_CERT_ADDR_MISMATCH, (SEC_ERROR_BASE + 92),
-"Address in signing certificate does not match address in message headers.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, (SEC_ERROR_BASE + 93),
-"Unable to import. Error attempting to import private key.")
-
-ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, (SEC_ERROR_BASE + 94),
-"Unable to import. Error attempting to import certificate chain.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95),
-"Unable to export. Unable to locate certificate or key by nickname.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, (SEC_ERROR_BASE + 96),
-"Unable to export. Private Key could not be located and exported.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, (SEC_ERROR_BASE + 97),
-"Unable to export. Unable to write the export file.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ, (SEC_ERROR_BASE + 98),
-"Unable to import. Unable to read the import file.")
-
-ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99),
-"Unable to export. Key database corrupt or deleted.")
-
-ER3(SEC_ERROR_KEYGEN_FAIL, (SEC_ERROR_BASE + 100),
-"Unable to generate public/private key pair.")
-
-ER3(SEC_ERROR_INVALID_PASSWORD, (SEC_ERROR_BASE + 101),
-"Password entered is invalid. Please pick a different one.")
-
-ER3(SEC_ERROR_RETRY_OLD_PASSWORD, (SEC_ERROR_BASE + 102),
-"Old password entered incorrectly.
Please try again.")
-
-ER3(SEC_ERROR_BAD_NICKNAME, (SEC_ERROR_BASE + 103),
-"Certificate nickname already in use.")
-
-ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER, (SEC_ERROR_BASE + 104),
-"Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
-
-ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, (SEC_ERROR_BASE + 105),
-"A sensitive key cannot be moved to the slot where it is needed.")
-
-ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, (SEC_ERROR_BASE + 106),
-"Invalid module name.")
-
-ER3(SEC_ERROR_JS_INVALID_DLL, (SEC_ERROR_BASE + 107),
-"Invalid module path/filename")
-
-ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, (SEC_ERROR_BASE + 108),
-"Unable to add module")
-
-ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109),
-"Unable to delete module")
-
-ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110),
-"New KRL is not later than the current one.")
-
-ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111),
-"New CKL has different issuer than current CKL. Delete current CKL.")
-
-ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, (SEC_ERROR_BASE + 112),
-"The Certifying Authority for this certificate is not permitted to issue a \
-certificate with this name.")
-
-ER3(SEC_ERROR_KRL_NOT_YET_VALID, (SEC_ERROR_BASE + 113),
-"The key revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_CRL_NOT_YET_VALID, (SEC_ERROR_BASE + 114),
-"The certificate revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_UNKNOWN_CERT, (SEC_ERROR_BASE + 115),
-"The requested certificate could not be found.")
-
-ER3(SEC_ERROR_UNKNOWN_SIGNER, (SEC_ERROR_BASE + 116),
-"The signer's certificate could not be found.")
-
-ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, (SEC_ERROR_BASE + 117),
-"The location for the certificate status server has invalid format.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, (SEC_ERROR_BASE + 118),
-"The OCSP response cannot be fully decoded; it is of an unknown type.")
-
-ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, (SEC_ERROR_BASE + 119),
-"The OCSP server returned unexpected/invalid HTTP data.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST, (SEC_ERROR_BASE + 120),
-"The OCSP server found the request to be corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_SERVER_ERROR, (SEC_ERROR_BASE + 121),
-"The OCSP server experienced an internal error.")
-
-ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER, (SEC_ERROR_BASE + 122),
-"The OCSP server suggests trying again later.")
-
-ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, (SEC_ERROR_BASE + 123),
-"The OCSP server requires a signature on this request.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, (SEC_ERROR_BASE + 124),
-"The OCSP server has refused this request as unauthorized.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, (SEC_ERROR_BASE + 125),
-"The OCSP server returned an unrecognizable status.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_CERT, (SEC_ERROR_BASE + 126),
-"The OCSP server has no status for the certificate.")
-
-ER3(SEC_ERROR_OCSP_NOT_ENABLED, (SEC_ERROR_BASE + 127),
-"You must enable OCSP before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, (SEC_ERROR_BASE + 128),
-"You must set the OCSP default responder before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE, (SEC_ERROR_BASE + 129),
-"The response from the OCSP server was corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, (SEC_ERROR_BASE + 130),
-"The signer of the OCSP response is not authorized to give status for \
-this certificate.")
-
-ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE, (SEC_ERROR_BASE + 131),
-"The OCSP response is not yet valid (contains a date in the future).")
-
-ER3(SEC_ERROR_OCSP_OLD_RESPONSE, (SEC_ERROR_BASE + 132),
-"The OCSP response contains out-of-date information.")
-
-ER3(SEC_ERROR_DIGEST_NOT_FOUND, (SEC_ERROR_BASE + 133),
-"The CMS or PKCS #7 Digest was not found in signed message.")
-
-ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, (SEC_ERROR_BASE + 134),
-"The CMS or PKCS #7 Message type is unsupported.")
-
-ER3(SEC_ERROR_MODULE_STUCK, (SEC_ERROR_BASE + 135),
-"PKCS #11 module could
not be removed because it is still in use.")
-
-ER3(SEC_ERROR_BAD_TEMPLATE, (SEC_ERROR_BASE + 136),
-"Could not decode ASN.1 data. Specified template was invalid.")
-
-ER3(SEC_ERROR_CRL_NOT_FOUND, (SEC_ERROR_BASE + 137),
-"No matching CRL was found.")
-
-ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL, (SEC_ERROR_BASE + 138),
-"You are attempting to import a cert with the same issuer/serial as \
-an existing cert, but that is not the same cert.")
-
-ER3(SEC_ERROR_BUSY, (SEC_ERROR_BASE + 139),
-"NSS could not shutdown. Objects are still in use.")
-
-ER3(SEC_ERROR_EXTRA_INPUT, (SEC_ERROR_BASE + 140),
-"DER-encoded message contained extra unused data.")
-
-ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, (SEC_ERROR_BASE + 141),
-"Unsupported elliptic curve.")
-
-ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, (SEC_ERROR_BASE + 142),
-"Unsupported elliptic curve point form.")
-
-ER3(SEC_ERROR_UNRECOGNIZED_OID, (SEC_ERROR_BASE + 143),
-"Unrecognized Object IDentifier.")
-
-ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, (SEC_ERROR_BASE + 144),
-"Invalid OCSP signing certificate in OCSP response.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL, (SEC_ERROR_BASE + 145),
-"Certificate is revoked in issuer's certificate revocation list.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP, (SEC_ERROR_BASE + 146),
-"Issuer's OCSP responder reports certificate is revoked.")
-
-ER3(SEC_ERROR_CRL_INVALID_VERSION, (SEC_ERROR_BASE + 147),
-"Issuer's Certificate Revocation List has an unknown version number.")
-
-ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 148),
-"Issuer's V1 Certificate Revocation List has a critical extension.")
-
-ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 149),
-"Issuer's V2 Certificate Revocation List has an unknown critical extension.")
-
-ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE, (SEC_ERROR_BASE + 150),
-"Unknown object type specified.")
-
-ER3(SEC_ERROR_INCOMPATIBLE_PKCS11, (SEC_ERROR_BASE + 151),
-"PKCS #11 driver violates the spec in an incompatible way.")
-
-ER3(SEC_ERROR_NO_EVENT, (SEC_ERROR_BASE + 152),
-"No new slot event is available at this time.")
-
-ER3(SEC_ERROR_CRL_ALREADY_EXISTS, (SEC_ERROR_BASE + 153),
-"CRL already exists.")
-
-ER3(SEC_ERROR_NOT_INITIALIZED, (SEC_ERROR_BASE + 154),
-"NSS is not initialized.")
-
-ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN, (SEC_ERROR_BASE + 155),
-"The operation failed because the PKCS#11 token is not logged in.")
-
diff --git a/pki/base/native-tools/src/p7tool/SSLerrs.h b/pki/base/native-tools/src/p7tool/SSLerrs.h
deleted file mode 100644
index d6ec13b47..000000000
--- a/pki/base/native-tools/src/p7tool/SSLerrs.h
+++ /dev/null
@@ -1,393 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * END COPYRIGHT BLOCK **/
-
-/* Originally obtained from:
- *
- * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
- * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SSLerrs.h
- */
-
-/* SSL-specific security error codes */
-/* caller must include "sslerr.h" */
-
-ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0,
-"Unable to communicate securely. Peer does not support high-grade encryption.")
-
-ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1,
-"Unable to communicate securely. Peer requires high-grade encryption which is not supported.")
-
-ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2,
-"Cannot communicate securely with peer: no common encryption algorithm(s).")
-
-ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3,
-"Unable to find the certificate or key necessary for authentication.")
-
-ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4,
-"Unable to communicate securely with peer: peers's certificate was rejected.")
-
-/* unused (SSL_ERROR_BASE + 5),*/
-
-ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6,
-"The server has encountered bad data from the client.")
-
-ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7,
-"The client has encountered bad data from the server.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8,
-"Unsupported certificate type.")
-
-ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9,
-"Peer using unsupported version of security protocol.")
-
-/* unused (SSL_ERROR_BASE + 10),*/
-
-ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11,
-"Client authentication failed: private key in key database does not match public key in certificate database.")
-
-ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12,
-"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
-
-/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13),
- defined in sslerr.h
-*/
-
-ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14),
-"Peer only supports SSL version 2, which is locally
disabled.")
-
-
-ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15),
-"SSL received a record with an incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16),
-"SSL peer reports incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17),
-"SSL peer cannot verify your certificate.")
-
-ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18),
-"SSL peer rejected your certificate as revoked.")
-
-ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19),
-"SSL peer rejected your certificate as expired.")
-
-ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20),
-"Cannot connect: SSL is disabled.")
-
-ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21),
-"Cannot connect: SSL peer is in another FORTEZZA domain.")
-
-
-ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22),
-"An unknown SSL cipher suite has been requested.")
-
-ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23),
-"No cipher suites are present and enabled in this program.")
-
-ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24),
-"SSL received a record with bad block padding.")
-
-ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25),
-"SSL received a record that exceeded the maximum permissible length.")
-
-ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26),
-"SSL attempted to send a record that exceeded the maximum permissible length.")
-
-/*
- * Received a malformed (too long or short or invalid content) SSL handshake.
- */
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27),
-"SSL received a malformed Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28),
-"SSL received a malformed Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29),
-"SSL received a malformed Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30),
-"SSL received a malformed Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31),
-"SSL received a malformed Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32),
-"SSL received a malformed Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33),
-"SSL received a malformed Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34),
-"SSL received a malformed Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35),
-"SSL received a malformed Client Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36),
-"SSL received a malformed Finished handshake message.")
-
-/*
- * Received a malformed (too long or short) SSL record.
- */
-ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37),
-"SSL received a malformed Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38),
-"SSL received a malformed Alert record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39),
-"SSL received a malformed Handshake record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
-"SSL received a malformed Application Data record.")
-
-/*
- * Received an SSL handshake that was inappropriate for the state we're in.
- * E.g.
Server received message from server, or wrong state in state machine.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41),
-"SSL received an unexpected Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42),
-"SSL received an unexpected Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43),
-"SSL received an unexpected Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44),
-"SSL received an unexpected Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
-"SSL received an unexpected Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46),
-"SSL received an unexpected Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47),
-"SSL received an unexpected Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48),
-"SSL received an unexpected Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
-"SSL received an unexpected Cllient Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50),
-"SSL received an unexpected Finished handshake message.")
-
-/*
- * Received an SSL record that was inappropriate for the state we're in.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51),
-"SSL received an unexpected Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52),
-"SSL received an unexpected Alert record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53),
-"SSL received an unexpected Handshake record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
-"SSL received an unexpected Application Data record.")
-
-/*
- * Received record/message with unknown discriminant.
- */
-ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55),
-"SSL received a record with an unknown content type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56),
-"SSL received a handshake message with an unknown message type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57),
-"SSL received an alert record with an unknown alert description.")
-
-/*
- * Received an alert reporting what we did wrong. (more alerts above)
- */
-ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58),
-"SSL peer has closed this connection.")
-
-ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59),
-"SSL peer was not expecting a handshake message it received.")
-
-ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60),
-"SSL peer was unable to succesfully decompress an SSL record it received.")
-
-ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61),
-"SSL peer was unable to negotiate an acceptable set of security parameters.")
-
-ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62),
-"SSL peer rejected a handshake message for unacceptable content.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63),
-"SSL peer does not support certificates of the type it received.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64),
-"SSL peer had some unspecified issue with the certificate it received.")
-
-
-ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE
+ 65),
-"SSL experienced a failure of its random number generator.")
-
-ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66),
-"Unable to digitally sign data required to verify your certificate.")
-
-ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67),
-"SSL was unable to extract the public key from the peer's certificate.")
-
-ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68),
-"Unspecified failure while processing SSL Server Key Exchange handshake.")
-
-ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69),
-"Unspecified failure while processing SSL Client Key Exchange handshake.")
-
-ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70),
-"Bulk data encryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71),
-"Bulk data decryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_SOCKET_WRITE_FAILURE , (SSL_ERROR_BASE + 72),
-"Attempt to write encrypted data to underlying socket failed.")
-
-ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73),
-"MD5 digest function failed.")
-
-ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74),
-"SHA-1 digest function failed.")
-
-ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75),
-"MAC computation failed.")
-
-ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76),
-"Failure to create Symmetric Key context.")
-
-ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77),
-"Failure to unwrap the Symmetric key in Client Key Exchange message.")
-
-ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78),
-"SSL Server attempted to use domestic-grade public key with export cipher suite.")
-
-ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79),
-"PKCS11 code failed to translate an IV into a param.")
-
-ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80),
-"Failed to initialize the selected cipher suite.")
-
-ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE ,
(SSL_ERROR_BASE + 81),
-"Client failed to generate session keys for SSL session.")
-
-ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82),
-"Server has no key for the attempted key exchange algorithm.")
-
-ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83),
-"PKCS#11 token was inserted or removed while operation was in progress.")
-
-ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84),
-"No PKCS#11 token could be found to do a required operation.")
-
-ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85),
-"Cannot communicate securely with peer: no common compression algorithm(s).")
-
-ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86),
-"Cannot initiate another SSL handshake until current handshake is complete.")
-
-ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87),
-"Received incorrect handshakes hash values from peer.")
-
-ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88),
-"The certificate provided cannot be used with the selected key exchange algorithm.")
-
-ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89),
-"No certificate authority is trusted for SSL client authentication.")
-
-ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90),
-"Client's SSL session ID not found in server's session cache.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91),
-"Peer was unable to decrypt an SSL record it received.")
-
-ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92),
-"Peer received an SSL record that was longer than is permitted.")
-
-ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93),
-"Peer does not recognize and trust the CA that issued your certificate.")
-
-ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94),
-"Peer received a valid certificate, but access was denied.")
-
-ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95),
-"Peer could not decode an SSL handshake message.")
-
-ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96),
-"Peer
reports failure of signature verification or key exchange.")
-
-ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97),
-"Peer reports negotiation not in compliance with export regulations.")
-
-ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98),
-"Peer reports incompatible or unsupported protocol version.")
-
-ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
-"Server requires ciphers more secure than those supported by client.")
-
-ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100),
-"Peer reports it experienced an internal error.")
-
-ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101),
-"Peer user canceled handshake.")
-
-ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102),
-"Peer does not permit renegotiation of SSL security parameters.")
-
-ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103),
-"SSL server cache not configured and not disabled for this socket.")
-
-ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104),
-"SSL peer does not support requested TLS hello extension.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105),
-"SSL peer could not obtain your certificate from the supplied URL.")
-
-ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106),
-"SSL peer has no certificate for the requested DNS name.")
-
-ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107),
-"SSL peer was unable to get an OCSP response for its certificate.")
-
-ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108),
-"SSL peer reported bad certificate hash value.")
diff --git a/pki/base/native-tools/src/p7tool/p7tool.c b/pki/base/native-tools/src/p7tool/p7tool.c
deleted file mode 100644
index 9ab6023ff..000000000
--- a/pki/base/native-tools/src/p7tool/p7tool.c
+++ /dev/null
@@ -1,375 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
-
-/* This file is based upon the file originally obtained from:
- *
- * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
- * cvs export -r NSS_3_11_3_RTM -N
- * mozilla/security/nss/cmd/p7content/p7content.c
- */
-
-/*
- * p7tool -- A command to display/process pkcs7 content.
- *
- */
-
-#ifdef HAVE_CONFIG_H
-#ifndef AUTOTOOLS_CONFIG_H
-#define AUTOTOOLS_CONFIG_H
-
-/* Eliminate warnings when using Autotools */
-#undef PACKAGE_BUGREPORT
-#undef PACKAGE_NAME
-#undef PACKAGE_STRING
-#undef PACKAGE_TARNAME
-#undef PACKAGE_VERSION
-
-#include <config.h>
-#endif /* AUTOTOOLS_CONFIG_H */
-#endif /* HAVE_CONFIG_H */
-
-#include "nspr.h"
-#include "secutil.h"
-#include "plgetopt.h"
-#include "secpkcs7.h"
-#include "cert.h"
-#include "certdb.h"
-#include "nss.h"
-
-#if defined(XP_UNIX)
-#include <unistd.h>
-#endif
-
-#include <stdio.h>
-#include <string.h>
-
-#if (defined(XP_WIN) && !defined(WIN32)) || (defined(__sun) && !defined(SVR4))
-extern int fwrite(char *, size_t, size_t, FILE*);
-extern int fprintf(FILE *, char *, ...);
-#endif
-
-
-static void
-Usage(char *progName)
-{
- fprintf(stderr,
- "Usage: %s [-d dbdir] [-p chainFilePrefix] [-a] [-i input] [-o output]\n",
- progName);
- fprintf(stderr,
- "%-20s Key/Cert database directory (default is ~/.netscape)\n",
- "-d dbdir");
- fprintf(stderr, "%-20s Define the cert chain file name prefix(default is chaincert)\n",
- "-p chainFilePrefix");
- fprintf(stderr, "%-20s Input is in ascii encoded form (RFC1113)\n",
- "-a");
- fprintf(stderr, "%-20s Define an input file to use (default is stdin)\n",
- "-i input");
- fprintf(stderr, "%-20s Define an output file to use (default is stdout)\n",
- "-o output");
- exit(-1);
-}
-
-static PRBool saw_content;
-
-static void
-PrintBytes(void *arg, const char *buf, unsigned long len)
-{
- FILE *out;
-
- out = arg;
- fwrite (buf, len, 1, out);
-
- saw_content = PR_TRUE;
-}
-
-/*
- * XXX Someday we may want to do real policy stuff here.
This allows
- * anything to be decrypted, which is okay for a test program but does
- * not set an example of how a real client with a real policy would
- * need to do it.
- */
-static PRBool
-decryption_allowed(SECAlgorithmID *algid, PK11SymKey *key)
-{
- return PR_TRUE;
-}
-
-int
-DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName, int ascii,
- char *prefix)
-{
- SECItem derdata;
- SEC_PKCS7ContentInfo *cinfo = NULL;
- SEC_PKCS7DecoderContext *dcx;
- int rv;
-
- if (SECU_ReadDERFromFile(&derdata, in, ascii)) {
- SECU_PrintError(progName, "error converting der");
- return -1;
- }
-
- fprintf(out, "Pretty Print of PKCS#7 content:\n");
- rv = SECU_PrintPKCS7ContentInfo(out, &derdata,
- "PKCS #7 Content Info", 0);
-/*
- fprintf(out,
- "Content printed between bars (newline added before second bar):");
- fprintf(out, "\n---------------------------------------------\n");
-*/
- if (rv) {
- fprintf(stderr, "%s: problem converting data (%s)\n",
- progName, SECU_Strerror(PORT_GetError()));
- return -1;
- }
-
- saw_content = PR_FALSE;
- dcx = SEC_PKCS7DecoderStart(PrintBytes, out, NULL, NULL,
- NULL, NULL, decryption_allowed);
- if (dcx != NULL) {
-#if 0 /* Test that decoder works when data is really streaming in. */
- {
- unsigned long i;
- for (i = 0; i < derdata.len; i++)
- SEC_PKCS7DecoderUpdate(dcx, derdata.data + i, 1);
- }
-#else
- SEC_PKCS7DecoderUpdate(dcx, (char *)derdata.data, derdata.len);
-#endif
- cinfo = SEC_PKCS7DecoderFinish(dcx);
- }
-/*
- fprintf(out, "\n---------------------------------------------\n");
-*/
- if (cinfo == NULL)
- return -1;
-/*
- fprintf(out, "Content was%s encrypted.\n",
- SEC_PKCS7ContentIsEncrypted(cinfo) ?
"" : " not"); -*/ - - if (SEC_PKCS7ContentIsSigned(cinfo)) { - char *signer_cname, *signer_ename; - SECItem *signing_time; - - if (saw_content) { - fprintf(out, "Signature is "); - PORT_SetError(0); - if (SEC_PKCS7VerifySignature(cinfo, certUsageEmailSigner, PR_FALSE)) - fprintf(out, "valid.\n"); - else - fprintf(out, "invalid (Reason: %s).\n", - SECU_Strerror(PORT_GetError())); - } else { - fprintf(out, - "Content is detached; signature cannot be verified.\n"); - } - - signer_cname = SEC_PKCS7GetSignerCommonName(cinfo); - if (signer_cname != NULL) { - fprintf(out, "The signer's common name is %s\n", signer_cname); - PORT_Free(signer_cname); - } else { - fprintf(out, "No signer common name.\n"); - } - - signer_ename = SEC_PKCS7GetSignerEmailAddress(cinfo); - if (signer_ename != NULL) { - fprintf(out, "The signer's email address is %s\n", signer_ename); - PORT_Free(signer_ename); - } else { - fprintf(out, "No signer email address.\n"); - } - - signing_time = SEC_PKCS7GetSigningTime(cinfo); - if (signing_time != NULL) { - SECU_PrintTimeChoice(out, signing_time, "Signing time", 0); - } else { - fprintf(out, "No signing time included.\n"); - } - } else { -/* fprintf(out, "Content was not signed.\n");*/ - } -/* - fprintf(out, "There were%s certs or crls included.\n", - SEC_PKCS7ContainsCertsOrCrls(cinfo) ? 
"" : " no"); -*/ - - /* write out certs */ - SECItem **items = NULL; - SECOidTag kind; - - kind = SEC_PKCS7ContentType (cinfo); - if (kind == SEC_OID_PKCS7_SIGNED_DATA) { -/* fprintf(out, "content is SEC_OID_PKCS7_SIGNED_DATA\n");*/ - SEC_PKCS7SignedData *sdp; - - sdp = cinfo->content.signedData; - if (sdp != NULL) { - items = sdp->rawCerts; - } - } else { -/* fprintf(out, "content is not SEC_OID_PKCS7_SIGNED_DATA\n");*/ - - } - - int i= 0; - if (items != NULL) { - CERTCertificate *cert; - if (prefix == NULL) { - prefix = "chaincert"; - } - while ((items[i]) != NULL) { - cert = (CERTCertificate*) items[i]->data; - FILE *outFile; - char filename[256]; - int nb = 0; - - sprintf(filename, "%s%d.der", prefix, i); - - outFile = fopen(filename, "wb"); - if (outFile == NULL) { - fprintf(out, "Couldn't open '%s' file for writing\n", filename); - i = -1; - break; - } - nb = fwrite((char *) cert, 1, items[i]->len, outFile); - fclose(outFile); - - i++; - } - } else { - fprintf(out, "certs is NULL\n"); - } - - SEC_PKCS7DestroyContentInfo(cinfo); - return i; -} - - -/* - * Print the contents of a PKCS7 message, indicating signatures, etc. - */ - -int -main(int argc, char **argv) -{ - char *progName; - FILE *outFile; - PRFileDesc *inFile; - PLOptState *optstate; - PLOptStatus status; - SECStatus rv; - int ascii = 0; - char *prefix = NULL; - int exitStatus = 0; - - progName = strrchr(argv[0], '/'); - progName = progName ? 
progName+1 : argv[0]; - - inFile = NULL; - outFile = NULL; - - /* - * Parse command line arguments - */ - optstate = PL_CreateOptState(argc, argv, "ad:i:o:p:"); - while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { - switch (optstate->option) { - case 'd': - SECU_ConfigDirectory(optstate->value); - break; - - case 'a': - ascii = 1; - break; - - case 'i': - inFile = PR_Open(optstate->value, PR_RDONLY, 0); - if (!inFile) { - fprintf(stderr, "%s: unable to open \"%s\" for reading\n", - progName, optstate->value); - return -1; - } - break; - - case 'o': - outFile = fopen(optstate->value, "w"); - if (!outFile) { - fprintf(stderr, "%s: unable to open \"%s\" for writing\n", - progName, optstate->value); - return -1; - } - break; - - case 'p': - prefix = optstate->value; - break; - - default: - Usage(progName); - break; - } - } - if (status == PL_OPT_BAD) - Usage(progName); - - if (!inFile) inFile = PR_STDIN; - if (!outFile) outFile = stdout; - - /* Call the initialization routines */ - PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); - rv = NSS_Init(SECU_ConfigDirectory(NULL)); - if (rv != SECSuccess) { - SECU_PrintPRandOSError(progName); - return -1; - } - - exitStatus = DecodeAndPrintFile(outFile, inFile, progName, ascii, prefix); - if (exitStatus < 0) { - SECU_PrintError(progName, "problem decoding data"); - return -1; - } - - if (NSS_Shutdown() != SECSuccess) { - exit(1); - } - - return exitStatus; -/* return 0;*/ -} diff --git a/pki/base/native-tools/src/p7tool/pppolicy.c b/pki/base/native-tools/src/p7tool/pppolicy.c deleted file mode 100644 index 76ec6e8c6..000000000 --- a/pki/base/native-tools/src/p7tool/pppolicy.c +++ /dev/null 
@@ -1,309 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2004 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/pppolicy.c - */ - -/* - * Support for various policy related extensions - * - * $Id$ - */ - -#include "seccomon.h" -#include "secport.h" -#include "secder.h" -#include "cert.h" -#include "secoid.h" -#include "secasn1.h" -#include "secerr.h" -#include "nspr.h" -#include "secutil.h" - -/* This implementation is derived from the one in nss/lib/certdb/policyxtn.c . -** The chief difference is the addition of the OPTIONAL flag to many -** parts. The idea is to be able to parse and print as much of the -** policy extension as possible, even if some parts are invalid. -** -** If this approach still is unable to decode policy extensions that -** contain invalid parts, then the next approach will be to parse -** the PolicyInfos as a SEQUENCE of ANYs, and then parse each of them -** as PolicyInfos, with the PolicyQualifiers being ANYs, and finally -** parse each of the PolicyQualifiers. 
-*/ - -static const SEC_ASN1Template secu_PolicyQualifierTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTPolicyQualifier) }, - { SEC_ASN1_OBJECT_ID, - offsetof(CERTPolicyQualifier, qualifierID), - NULL, 0}, - { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL, - offsetof(CERTPolicyQualifier, qualifierValue), - NULL, 0}, - { 0, 0, NULL, 0 } -}; - -static const SEC_ASN1Template secu_PolicyInfoTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTPolicyInfo) }, - { SEC_ASN1_OBJECT_ID, - offsetof(CERTPolicyInfo, policyID), - NULL, 0}, - { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL, - offsetof(CERTPolicyInfo, policyQualifiers), - secu_PolicyQualifierTemplate, 0 }, - { 0, 0, NULL, 0 } -}; - -static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = { - { SEC_ASN1_SEQUENCE_OF, - offsetof(CERTCertificatePolicies, policyInfos), - secu_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) } -}; - - -static CERTCertificatePolicies * -secu_DecodeCertificatePoliciesExtension(SECItem *extnValue) -{ - PRArenaPool *arena = NULL; - SECStatus rv; - CERTCertificatePolicies *policies; - CERTPolicyInfo **policyInfos, *policyInfo; - CERTPolicyQualifier **policyQualifiers, *policyQualifier; - SECItem newExtnValue; - - /* make a new arena */ - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( !arena ) { - goto loser; - } - - /* allocate the certifiate policies structure */ - policies = PORT_ArenaZNew(arena, CERTCertificatePolicies); - if ( policies == NULL ) { - goto loser; - } - - policies->arena = arena; - - /* copy the DER into the arena, since Quick DER returns data that points - into the DER input, which may get freed by the caller */ - rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue); - if ( rv != SECSuccess ) { - goto loser; - } - - /* decode the policy info */ - rv = SEC_QuickDERDecodeItem(arena, policies, - secu_CertificatePoliciesTemplate, - &newExtnValue); - - if ( rv != SECSuccess ) { - goto loser; - } - - /* initialize the oid tags */ - policyInfos = 
policies->policyInfos; - while (policyInfos != NULL && *policyInfos != NULL ) { - policyInfo = *policyInfos; - policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID); - policyQualifiers = policyInfo->policyQualifiers; - while ( policyQualifiers && *policyQualifiers != NULL ) { - policyQualifier = *policyQualifiers; - policyQualifier->oid = - SECOID_FindOIDTag(&policyQualifier->qualifierID); - policyQualifiers++; - } - policyInfos++; - } - - return(policies); - -loser: - if ( arena != NULL ) { - PORT_FreeArena(arena, PR_FALSE); - } - - return(NULL); -} - - -static char * -itemToString(SECItem *item) -{ - char *string; - - string = PORT_ZAlloc(item->len+1); - if (string == NULL) return NULL; - PORT_Memcpy(string,item->data,item->len); - string[item->len] = 0; - return string; -} - -static SECStatus -secu_PrintUserNoticeQualifier(FILE *out, SECItem * qualifierValue, - const char *msg, int level) -{ - CERTUserNotice *userNotice = NULL; - if (qualifierValue) - userNotice = CERT_DecodeUserNotice(qualifierValue); - if (userNotice) { - if (userNotice->noticeReference.organization.len != 0) { - char *string = - itemToString(&userNotice->noticeReference.organization); - SECItem **itemList = userNotice->noticeReference.noticeNumbers; - - while (itemList && *itemList) { - SECU_PrintInteger(out,*itemList,string,level+1); - itemList++; - } - PORT_Free(string); - } - if (userNotice->displayText.len != 0) { - SECU_PrintString(out,&userNotice->displayText, - "Display Text", level+1); - } - CERT_DestroyUserNotice(userNotice); - return SECSuccess; - } - return SECFailure; /* caller will print this value */ -} - -static SECStatus -secu_PrintPolicyQualifier(FILE *out,CERTPolicyQualifier *policyQualifier, - const char *msg, int level) -{ - SECStatus rv; - SECItem * qualifierValue = &policyQualifier->qualifierValue; - - SECU_PrintObjectID(out, &policyQualifier->qualifierID , - "Policy Qualifier Name", level); - if (!qualifierValue->data) { - SECU_Indent(out, level); - 
fprintf(out,"Error: missing qualifier\n"); - } else - switch (policyQualifier->oid) { - case SEC_OID_PKIX_USER_NOTICE_QUALIFIER: - rv = secu_PrintUserNoticeQualifier(out, qualifierValue, msg, level); - if (SECSuccess == rv) - break; - /* fall through on error */ - case SEC_OID_PKIX_CPS_POINTER_QUALIFIER: - default: - SECU_PrintAny(out, qualifierValue, "Policy Qualifier Data", level); - break; - } - return SECSuccess; -} - -static SECStatus -secu_PrintPolicyInfo(FILE *out, CERTPolicyInfo *policyInfo, const char *msg, int level) -{ - CERTPolicyQualifier **policyQualifiers; - - policyQualifiers = policyInfo->policyQualifiers; - SECU_PrintObjectID(out, &policyInfo->policyID , "Policy Name", level); - - while (policyQualifiers && *policyQualifiers != NULL) { - secu_PrintPolicyQualifier(out,*policyQualifiers,"",level+1); - policyQualifiers++; - } - return SECSuccess; -} - -void -SECU_PrintPolicy(FILE *out, SECItem *value, const char *msg, int level) -{ - CERTCertificatePolicies *policies = NULL; - CERTPolicyInfo **policyInfos; - - if (msg) { - SECU_Indent(out, level); - fprintf(out,"%s: \n",msg); - level++; - } - policies = secu_DecodeCertificatePoliciesExtension(value); - if (policies == NULL) { - SECU_PrintAny(out, value, "Invalid Policy Data", level); - return; - } - - policyInfos = policies->policyInfos; - while (policyInfos && *policyInfos != NULL) { - secu_PrintPolicyInfo(out,*policyInfos,"",level); - policyInfos++; - } - - CERT_DestroyCertificatePoliciesExtension(policies); -} - - -void -SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, - const char *msg, int level) -{ - CERTPrivKeyUsagePeriod * prd; - PLArenaPool * arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( !arena ) { - goto loser; - } - prd = CERT_DecodePrivKeyUsagePeriodExtension(arena, value); - if (!prd) { - goto loser; - } - if (prd->notBefore.data) { - SECU_PrintGeneralizedTime(out, &prd->notBefore, "Not Before", level); - } - if (prd->notAfter.data) { - 
SECU_PrintGeneralizedTime(out, &prd->notAfter, "Not After ", level); - } - if (!prd->notBefore.data && !prd->notAfter.data) { - SECU_Indent(out, level); - fprintf(out, "Error: notBefore or notAfter MUST be present.\n"); -loser: - SECU_PrintAny(out, value, msg, level); - } - if (arena) { - PORT_FreeArena(arena, PR_FALSE); - } -} diff --git a/pki/base/native-tools/src/p7tool/secerror.c b/pki/base/native-tools/src/p7tool/secerror.c deleted file mode 100644 index 07e6bac8e..000000000 --- a/pki/base/native-tools/src/p7tool/secerror.c +++ /dev/null 
@@ -1,119 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secerror.c - */ - -#include "nspr.h" -#include "secerror.h" - -struct tuple_str { - PRErrorCode errNum; - const char * errString; -}; - -typedef struct tuple_str tuple_str; - -#define ER2(a,b) {a, b}, -#define ER3(a,b,c) {a, c}, - -#include "secerr.h" -#include "sslerr.h" - -const tuple_str errStrings[] = { - -/* keep this list in asceding order of error numbers */ -#include "SSLerrs.h" -#include "SECerrs.h" -#include "NSPRerrs.h" - -}; - -const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str); - -/* Returns a UTF-8 encoded constant error string for "errNum". - * Returns NULL of errNum is unknown. - */ -const char * -SECU_Strerror(PRErrorCode errNum) { - PRInt32 low = 0; - PRInt32 high = numStrings - 1; - PRInt32 i; - PRErrorCode num; - static int initDone; - - /* make sure table is in ascending order. - * binary search depends on it. - */ - if (!initDone) { - PRErrorCode lastNum = ((PRInt32)0x80000000); - for (i = low; i <= high; ++i) { - num = errStrings[i].errNum; - if (num <= lastNum) { - fprintf(stderr, -"sequence error in error strings at item %d\n" -"error %d (%s)\n" -"should come after \n" -"error %d (%s)\n", - i, lastNum, errStrings[i-1].errString, - num, errStrings[i].errString); - } - lastNum = num; - } - initDone = 1; - } - - /* Do binary search of table. */ - while (low + 1 < high) { - i = (low + high) / 2; - num = errStrings[i].errNum; - if (errNum == num) - return errStrings[i].errString; - if (errNum < num) - high = i; - else - low = i; - } - if (errNum == errStrings[low].errNum) - return errStrings[low].errString; - if (errNum == errStrings[high].errNum) - return errStrings[high].errString; - return NULL; -} 
diff --git a/pki/base/native-tools/src/p7tool/secerror.h b/pki/base/native-tools/src/p7tool/secerror.h
deleted file mode 100644
index dce63728f..000000000
--- a/pki/base/native-tools/src/p7tool/secerror.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * END COPYRIGHT BLOCK **/
-
-#ifndef _SEC_ERROR_H_
-#define _SEC_ERROR_H_
-
-const char *
-SECU_Strerror(PRErrorCode errNum);
-
-#endif /* _SEC_ERROR_H_ */
diff --git a/pki/base/native-tools/src/p7tool/secpwd.c b/pki/base/native-tools/src/p7tool/secpwd.c
deleted file mode 100644
index c0cb9b3d5..000000000
--- a/pki/base/native-tools/src/p7tool/secpwd.c
+++ /dev/null
@@ -1,213 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secpwd.c - */ - -#include "secutil.h" - -/* - * NOTE: The contents of this file are NOT used by the client. - * (They are part of the security library as a whole, but they are - * NOT USED BY THE CLIENT.) Do not change things on behalf of the - * client (like localizing strings), or add things that are only - * for the client (put them elsewhere). - */ - - -#ifdef XP_UNIX -#include <termios.h> -#endif - -#if defined(XP_UNIX) || defined(XP_BEOS) -#include <unistd.h> /* for isatty() */ -#endif - -#if( defined(_WINDOWS) && !defined(_WIN32_WCE)) || defined(XP_OS2_VACPP) -#include <conio.h> -#include <io.h> -#define QUIET_FGETS quiet_fgets -static char * quiet_fgets (char *buf, int length, FILE *input); -#else -#define QUIET_FGETS fgets -#endif - -static void echoOff(int fd) -{ -#if defined(XP_UNIX) && !defined(VMS) - if (isatty(fd)) { - struct termios tio; - tcgetattr(fd, &tio); - tio.c_lflag &= ~ECHO; - tcsetattr(fd, TCSAFLUSH, &tio); - } -#endif -} - -static void echoOn(int fd) -{ -#if defined(XP_UNIX) && !defined(VMS) - if (isatty(fd)) { - struct termios tio; - tcgetattr(fd, &tio); - tio.c_lflag |= ECHO; - tcsetattr(fd, TCSAFLUSH, &tio); - } -#endif -} - -char *SEC_GetPassword(FILE *input, FILE *output, const char *prompt, - PRBool (*ok)(char *)) -{ -#if defined(_WINDOWS) - int isTTY = (input == stdin); -#define echoOn(x) -#define echoOff(x) -#else - int infd = fileno(input); - int isTTY = isatty(infd); -#endif - char phrase[200] = {'\0'}; /* ensure EOF doesn't return junk */ - - for (;;) { - /* Prompt for password */ - if (isTTY) { - fprintf(output, "%s", prompt); - fflush (output); - echoOff(infd); - } - - QUIET_FGETS ( phrase, sizeof(phrase), input); - - if (isTTY) { - fprintf(output, "\n"); - echoOn(infd); - } - - /* stomp on newline */ - phrase[PORT_Strlen(phrase)-1] = 
0; - - /* Validate password */ - if (!(*ok)(phrase)) { - /* Not weird enough */ - if (!isTTY) return 0; - fprintf(output, "Password must be at least 8 characters long with one or more\n"); - fprintf(output, "non-alphabetic characters\n"); - continue; - } - return (char*) PORT_Strdup(phrase); - } -} - - - -PRBool SEC_CheckPassword(char *cp) -{ - int len; - char *end; - - len = PORT_Strlen(cp); - if (len < 8) { - return PR_FALSE; - } - end = cp + len; - while (cp < end) { - unsigned char ch = *cp++; - if (!((ch >= 'A') && (ch <= 'Z')) && - !((ch >= 'a') && (ch <= 'z'))) { - /* pass phrase has at least one non alphabetic in it */ - return PR_TRUE; - } - } - return PR_FALSE; -} - -PRBool SEC_BlindCheckPassword(char *cp) -{ - if (cp != NULL) { - return PR_TRUE; - } - return PR_FALSE; -} - -/* Get a password from the input terminal, without echoing */ - -#if defined(_WINDOWS) || defined(XP_OS2_VACPP) -static char * quiet_fgets (char *buf, int length, FILE *input) - { - int c; - char *end = buf; - - /* fflush (input); */ - memset (buf, 0, length); - -#ifndef XP_OS2_VACPP - if (input != stdin) { - return fgets(buf,length,input); - } -#else - if (!isatty(fileno(input))) { - return fgets(buf,length,input); - } -#endif - - while (1) - { -#if defined (_WIN32_WCE) - c = getchar(); /* gets a character from stdin */ -#else - c = getch(); /* getch gets a character from the console */ -#endif - if (c == '\b') - { - if (end > buf) - end--; - } - - else if (--length > 0) - *end++ = c; - - if (!c || c == '\n' || c == '\r') - break; - } - - return buf; - } -#endif diff --git a/pki/base/native-tools/src/p7tool/secutil.c b/pki/base/native-tools/src/p7tool/secutil.c deleted file mode 100644 index abdfd216f..000000000 --- a/pki/base/native-tools/src/p7tool/secutil.c +++ /dev/null 
@@ -1,3665 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.c - */ - -/* -** secutil.c - various functions used by security stuff -** -*/ - -#include "prtypes.h" -#include "prtime.h" -#include "prlong.h" -#include "prerror.h" -#include "prprf.h" -#include "plgetopt.h" -#include "prenv.h" -#include "prnetdb.h" - -#include "cryptohi.h" -#include "secerror.h" -#include "secutil.h" -#include "secpkcs7.h" -#include <stdarg.h> -#if !defined(_WIN32_WCE) -#include <sys/stat.h> -#include <errno.h> -#endif - -#ifdef XP_UNIX -#include <unistd.h> -#endif - -/* for SEC_TraverseNames */ -#include "cert.h" -#include "certt.h" -#include "certdb.h" - -/* #include "secmod.h" */ -#include "pk11func.h" -#include "secoid.h" - -static char consoleName[] = { -#ifdef XP_UNIX -#ifdef VMS - "TT" -#else - "/dev/tty" -#endif -#else -#ifdef XP_OS2 - "\\DEV\\CON" -#else - "CON:" -#endif -#endif -}; - - -static char * -SECU_GetString(int16 error_number) -{ - - static char errString[80]; - sprintf(errString, "Unknown error string (%d)", error_number); - return errString; -} - -static void -SECU_PrintErrMsg(FILE *out, int level, const char *progName, const char *msg, ...) -{ - va_list args; - PRErrorCode err = PORT_GetError(); - const char * errString = SECU_Strerror(err); - - va_start(args, msg); - - SECU_Indent(out, level); - fprintf(out, "%s: ", progName); - vfprintf(out, msg, args); - if (errString != NULL && PORT_Strlen(errString) > 0) - fprintf(out, ": %s\n", errString); - else - fprintf(out, ": error %d\n", (int)err); - - va_end(args); -} - -void -SECU_PrintError(const char *progName, const char *msg, ...) 
-{ - va_list args; - PRErrorCode err = PORT_GetError(); - const char * errString = SECU_Strerror(err); - - va_start(args, msg); - - fprintf(stderr, "%s: ", progName); - vfprintf(stderr, msg, args); - if (errString != NULL && PORT_Strlen(errString) > 0) - fprintf(stderr, ": %s\n", errString); - else - fprintf(stderr, ": error %d\n", (int)err); - - va_end(args); -} - -void -SECU_PrintSystemError(const char *progName, const char *msg, ...) -{ - va_list args; - - va_start(args, msg); - fprintf(stderr, "%s: ", progName); - vfprintf(stderr, msg, args); -#if defined(_WIN32_WCE) - fprintf(stderr, ": %d\n", PR_GetOSError()); -#else - fprintf(stderr, ": %s\n", strerror(errno)); -#endif - va_end(args); -} - -static void -secu_ClearPassword(char *p) -{ - if (p) { - PORT_Memset(p, 0, PORT_Strlen(p)); - PORT_Free(p); - } -} - -char * -SECU_GetPasswordString(void *arg, char *prompt) -{ -#ifndef _WINDOWS - char *p = NULL; - FILE *input, *output; - - /* open terminal */ - input = fopen(consoleName, "r"); - if (input == NULL) { - fprintf(stderr, "Error opening input terminal for read\n"); - return NULL; - } - - output = fopen(consoleName, "w"); - if (output == NULL) { - fprintf(stderr, "Error opening output terminal for write\n"); - fclose(input); - return NULL; - } - - p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword); - - - fclose(input); - fclose(output); - - return p; - -#else - /* Win32 version of above. opening the console may fail - on windows95, and certainly isn't necessary.. */ - - char *p = NULL; - - p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword); - return p; - -#endif -} - - -/* - * p a s s w o r d _ h a r d c o d e - * - * A function to use the password passed in the -f(pwfile) argument - * of the command line. - * After use once, null it out otherwise PKCS11 calls us forever.? 
- * - */ -char * -SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg) -{ - unsigned char phrase[200]; - PRFileDesc *fd; - PRInt32 nb; - char *pwFile = arg; - int i; - - if (!pwFile) - return 0; - - if (retry) { - return 0; /* no good retrying - the files contents will be the same */ - } - - fd = PR_Open(pwFile, PR_RDONLY, 0); - if (!fd) { - fprintf(stderr, "No password file \"%s\" exists.\n", pwFile); - return NULL; - } - - nb = PR_Read(fd, phrase, sizeof(phrase)); - - PR_Close(fd); - /* handle the Windows EOL case */ - i = 0; - while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++; - phrase[i] = '\0'; - if (nb == 0) { - fprintf(stderr,"password file contains no data\n"); - return NULL; - } - return (char*) PORT_Strdup((char*)phrase); -} - -char * -SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) -{ - char prompt[255]; - char external[] = "external"; - secuPWData *pwdata = (secuPWData *)arg; - secuPWData pwnull = { PW_NONE, 0 }; - secuPWData pwxtrn = { PW_EXTERNAL, external }; - char *pw; - - if (pwdata == NULL) - pwdata = &pwnull; - - if (PK11_ProtectedAuthenticationPath(slot)) { - pwdata = &pwxtrn; - } - if (retry && pwdata->source != PW_NONE) { - PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n"); - return NULL; - } - - switch (pwdata->source) { - case PW_NONE: - sprintf(prompt, "Enter Password or Pin for \"%s\":", - PK11_GetTokenName(slot)); - return SECU_GetPasswordString(NULL, prompt); - case PW_FROMFILE: - /* Instead of opening and closing the file every time, get the pw - * once, then keep it in memory (duh). 
- */ - pw = SECU_FilePasswd(slot, retry, pwdata->data); - pwdata->source = PW_PLAINTEXT; - pwdata->data = PL_strdup(pw); - /* it's already been dup'ed */ - return pw; - case PW_EXTERNAL: - sprintf(prompt, - "Press Enter, then enter PIN for \"%s\" on external device.\n", - PK11_GetTokenName(slot)); - (void) SECU_GetPasswordString(NULL, prompt); - /* Fall Through */ - case PW_PLAINTEXT: - return PL_strdup(pwdata->data); - default: - break; - } - - PR_fprintf(PR_STDERR, "Password check failed: No password found.\n"); - return NULL; -} - -static char * -secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) -{ - char *p0 = NULL; - char *p1 = NULL; - FILE *input, *output; - secuPWData *pwdata = arg; - - if (pwdata->source == PW_FROMFILE) { - return SECU_FilePasswd(slot, retry, pwdata->data); - } - if (pwdata->source == PW_PLAINTEXT) { - return PL_strdup(pwdata->data); - } - - /* PW_NONE - get it from tty */ - /* open terminal */ -#ifdef _WINDOWS - input = stdin; -#else - input = fopen(consoleName, "r"); -#endif - if (input == NULL) { - PR_fprintf(PR_STDERR, "Error opening input terminal for read\n"); - return NULL; - } - - /* we have no password, so initialize database with one */ - PR_fprintf(PR_STDERR, - "Enter a password which will be used to encrypt your keys.\n" - "The password should be at least 8 characters long,\n" - "and should contain at least one non-alphabetic character.\n\n"); - - output = fopen(consoleName, "w"); - if (output == NULL) { - PR_fprintf(PR_STDERR, "Error opening output terminal for write\n"); - fclose(input); - return NULL; - } - - - for (;;) { - if (p0) - PORT_Free(p0); - p0 = SEC_GetPassword(input, output, "Enter new password: ", - SEC_BlindCheckPassword); - - if (p1) - PORT_Free(p1); - p1 = SEC_GetPassword(input, output, "Re-enter password: ", - SEC_BlindCheckPassword); - if (p0 && p1 && !PORT_Strcmp(p0, p1)) { - break; - } - PR_fprintf(PR_STDERR, "Passwords do not match. 
Try again.\n"); - } - - /* clear out the duplicate password string */ - secu_ClearPassword(p1); - - fclose(input); - fclose(output); - - return p0; -} - -SECStatus -SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile) -{ - SECStatus rv; - secuPWData pwdata, newpwdata; - char *oldpw = NULL, *newpw = NULL; - - if (passwd) { - pwdata.source = PW_PLAINTEXT; - pwdata.data = passwd; - } else if (pwFile) { - pwdata.source = PW_FROMFILE; - pwdata.data = pwFile; - } else { - pwdata.source = PW_NONE; - pwdata.data = NULL; - } - - if (PK11_NeedUserInit(slot)) { - newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata); - rv = PK11_InitPin(slot, (char*)NULL, newpw); - goto done; - } - - for (;;) { - oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata); - - if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) { - if (pwdata.source == PW_NONE) { - PR_fprintf(PR_STDERR, "Invalid password. Try again.\n"); - } else { - PR_fprintf(PR_STDERR, "Invalid password.\n"); - PORT_Memset(oldpw, 0, PL_strlen(oldpw)); - PORT_Free(oldpw); - return SECFailure; - } - } else - break; - - PORT_Free(oldpw); - } - - newpwdata.source = PW_NONE; - newpwdata.data = NULL; - - newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata); - - if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { - PR_fprintf(PR_STDERR, "Failed to change password.\n"); - return SECFailure; - } - - PORT_Memset(oldpw, 0, PL_strlen(oldpw)); - PORT_Free(oldpw); - - PR_fprintf(PR_STDOUT, "Password changed successfully.\n"); - -done: - PORT_Memset(newpw, 0, PL_strlen(newpw)); - PORT_Free(newpw); - return SECSuccess; -} - -struct matchobj { - SECItem index; - char *nname; - PRBool found; -}; - -char * -SECU_DefaultSSLDir(void) -{ - char *dir; - static char sslDir[1000]; - - dir = PR_GetEnv("SSL_DIR"); - if (!dir) - return NULL; - - sprintf(sslDir, "%s", dir); - - if (sslDir[strlen(sslDir)-1] == '/') - sslDir[strlen(sslDir)-1] = 0; - - return sslDir; -} - -char * -SECU_AppendFilenameToDir(char *dir, char *filename) -{ - 
static char path[1000]; - - if (dir[strlen(dir)-1] == '/') - sprintf(path, "%s%s", dir, filename); - else - sprintf(path, "%s/%s", dir, filename); - return path; -} - -char * -SECU_ConfigDirectory(const char* base) -{ - static PRBool initted = PR_FALSE; - const char *dir = ".netscape"; - const char *home; - static char buf[1000]; - - if (initted) return buf; - - - if (base == NULL || *base == 0) { - home = PR_GetEnv("HOME"); - if (!home) home = ""; - - if (*home && home[strlen(home) - 1] == '/') - sprintf (buf, "%.900s%s", home, dir); - else - sprintf (buf, "%.900s/%s", home, dir); - } else { - sprintf(buf, "%.900s", base); - if (buf[strlen(buf) - 1] == '/') - buf[strlen(buf) - 1] = 0; - } - - - initted = PR_TRUE; - return buf; -} - -/*Turn off SSL for now */ -/* This gets called by SSL when server wants our cert & key */ -int -SECU_GetClientAuthData(void *arg, PRFileDesc *fd, - struct CERTDistNamesStr *caNames, - struct CERTCertificateStr **pRetCert, - struct SECKEYPrivateKeyStr **pRetKey) -{ - SECKEYPrivateKey *key; - CERTCertificate *cert; - int errsave; - - if (arg == NULL) { - fprintf(stderr, "no key/cert name specified for client auth\n"); - return -1; - } - cert = PK11_FindCertFromNickname(arg, NULL); - errsave = PORT_GetError(); - if (!cert) { - if (errsave == SEC_ERROR_BAD_PASSWORD) - fprintf(stderr, "Bad password\n"); - else if (errsave > 0) - fprintf(stderr, "Unable to read cert (error %d)\n", errsave); - else if (errsave == SEC_ERROR_BAD_DATABASE) - fprintf(stderr, "Unable to get cert from database (%d)\n", errsave); - else - fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave); - return -1; - } - - key = PK11_FindKeyByAnyCert(arg,NULL); - if (!key) { - fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError()); - return -1; - } - - - *pRetCert = cert; - *pRetKey = key; - - return 0; -} - -static SECStatus -secu_StdinToItem(SECItem *dst) -{ - unsigned char buf[1000]; - PRInt32 numBytes; - PRBool notDone = PR_TRUE; - - dst->len = 0; - 
dst->data = NULL; - - while (notDone) { - numBytes = PR_Read(PR_STDIN, buf, sizeof(buf)); - - if (numBytes < 0) { - return SECFailure; - } - - if (numBytes == 0) - break; - - if (dst->data) { - unsigned char * p = dst->data; - dst->data = (unsigned char*)PORT_Realloc(p, dst->len + numBytes); - if (!dst->data) { - PORT_Free(p); - } - } else { - dst->data = (unsigned char*)PORT_Alloc(numBytes); - } - if (!dst->data) { - return SECFailure; - } - PORT_Memcpy(dst->data + dst->len, buf, numBytes); - dst->len += numBytes; - } - - return SECSuccess; -} - -SECStatus -SECU_FileToItem(SECItem *dst, PRFileDesc *src) -{ - PRFileInfo info; - PRInt32 numBytes; - PRStatus prStatus; - - if (src == PR_STDIN) - return secu_StdinToItem(dst); - - prStatus = PR_GetOpenFileInfo(src, &info); - - if (prStatus != PR_SUCCESS) { - PORT_SetError(SEC_ERROR_IO); - return SECFailure; - } - - /* XXX workaround for 3.1, not all utils zero dst before sending */ - dst->data = 0; - if (!SECITEM_AllocItem(NULL, dst, info.size)) - goto loser; - - numBytes = PR_Read(src, dst->data, info.size); - if (numBytes != info.size) { - PORT_SetError(SEC_ERROR_IO); - goto loser; - } - - return SECSuccess; -loser: - SECITEM_FreeItem(dst, PR_FALSE); - return SECFailure; -} - -SECStatus -SECU_TextFileToItem(SECItem *dst, PRFileDesc *src) -{ - PRFileInfo info; - PRInt32 numBytes; - PRStatus prStatus; - unsigned char *buf; - - if (src == PR_STDIN) - return secu_StdinToItem(dst); - - prStatus = PR_GetOpenFileInfo(src, &info); - - if (prStatus != PR_SUCCESS) { - PORT_SetError(SEC_ERROR_IO); - return SECFailure; - } - - buf = (unsigned char*)PORT_Alloc(info.size); - if (!buf) - return SECFailure; - - numBytes = PR_Read(src, buf, info.size); - if (numBytes != info.size) { - PORT_SetError(SEC_ERROR_IO); - goto loser; - } - - if (buf[numBytes-1] == '\n') numBytes--; -#ifdef _WINDOWS - if (buf[numBytes-1] == '\r') numBytes--; -#endif - - /* XXX workaround for 3.1, not all utils zero dst before sending */ - dst->data = 0; - if 
(!SECITEM_AllocItem(NULL, dst, numBytes)) - goto loser; - - memcpy(dst->data, buf, numBytes); - - PORT_Free(buf); - return SECSuccess; -loser: - PORT_Free(buf); - return SECFailure; -} - -SECStatus -SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii) -{ - SECStatus rv; - if (ascii) { - /* First convert ascii to binary */ - SECItem filedata; - char *asc, *body; - - /* Read in ascii data */ - rv = SECU_FileToItem(&filedata, inFile); - asc = (char *)filedata.data; - if (!asc) { - fprintf(stderr, "unable to read data from input file\n"); - return SECFailure; - } - - /* check for headers and trailers and remove them */ - if ((body = strstr(asc, "-----BEGIN")) != NULL) { - char *trailer = NULL; - asc = body; - body = PORT_Strchr(body, '\n'); - if (!body) - body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */ - if (body) - trailer = strstr(++body, "-----END"); - if (trailer != NULL) { - *trailer = '\0'; - } else { - fprintf(stderr, "input has header but no trailer\n"); - PORT_Free(filedata.data); - return SECFailure; - } - } else { - body = asc; - } - - /* Convert to binary */ - rv = ATOB_ConvertAsciiToItem(der, body); - if (rv) { - fprintf(stderr, "error converting ascii to binary (%s)\n", - SECU_Strerror(PORT_GetError())); - PORT_Free(filedata.data); - return SECFailure; - } - - PORT_Free(filedata.data); - } else { - /* Read in binary der */ - rv = SECU_FileToItem(der, inFile); - if (rv) { - fprintf(stderr, "error converting der (%s)\n", - SECU_Strerror(PORT_GetError())); - return SECFailure; - } - } - return SECSuccess; -} - -#define INDENT_MULT 4 -void -SECU_Indent(FILE *out, int level) -{ - int i; - - for (i = 0; i < level; i++) { - fprintf(out, " "); - } -} - -static void secu_Newline(FILE *out) -{ - fprintf(out, "\n"); -} - -void -SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level) -{ - unsigned i; - int column; - PRBool isString = PR_TRUE; - PRBool isWhiteSpace = PR_TRUE; - PRBool printedHex = PR_FALSE; - unsigned int 
limit = 15; - - if ( m ) { - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - level++; - } - - SECU_Indent(out, level); column = level*INDENT_MULT; - if (!data->len) { - fprintf(out, "(empty)\n"); - return; - } - /* take a pass to see if it's all printable. */ - for (i = 0; i < data->len; i++) { - unsigned char val = data->data[i]; - if (!val || !isprint(val)) { - isString = PR_FALSE; - break; - } - if (isWhiteSpace && !isspace(val)) { - isWhiteSpace = PR_FALSE; - } - } - - /* Short values, such as bit strings (which are printed with this - ** function) often look like strings, but we want to see the bits. - ** so this test assures that short values will be printed in hex, - ** perhaps in addition to being printed as strings. - ** The threshold size (4 bytes) is arbitrary. - */ - if (!isString || data->len <= 4) { - for (i = 0; i < data->len; i++) { - if (i != data->len - 1) { - fprintf(out, "%02x:", data->data[i]); - column += 3; - } else { - fprintf(out, "%02x", data->data[i]); - column += 2; - break; - } - if (column > 76 || (i % 16 == limit)) { - secu_Newline(out); - SECU_Indent(out, level); - column = level*INDENT_MULT; - limit = i % 16; - } - } - printedHex = PR_TRUE; - } - if (isString && !isWhiteSpace) { - if (printedHex != PR_FALSE) { - secu_Newline(out); - SECU_Indent(out, level); column = level*INDENT_MULT; - } - for (i = 0; i < data->len; i++) { - unsigned char val = data->data[i]; - - if (val) { - fprintf(out,"%c",val); - column++; - } else { - column = 77; - } - if (column > 76) { - secu_Newline(out); - SECU_Indent(out, level); column = level*INDENT_MULT; - } - } - } - - if (column != level*INDENT_MULT) { - secu_Newline(out); - } -} - -static const char *hex = "0123456789abcdef"; - -static const char printable[257] = { - "................" /* 0x */ - "................" /* 1x */ - " !\"#$%&'()*+,-./" /* 2x */ - "0123456789:;<=>?" /* 3x */ - "@ABCDEFGHIJKLMNO" /* 4x */ - "PQRSTUVWXYZ[\\]^_" /* 5x */ - "`abcdefghijklmno" /* 6x */ - "pqrstuvwxyz{|}~." 
/* 7x */ - "................" /* 8x */ - "................" /* 9x */ - "................" /* ax */ - "................" /* bx */ - "................" /* cx */ - "................" /* dx */ - "................" /* ex */ - "................" /* fx */ -}; - -void -SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len) -{ - const unsigned char *cp = (const unsigned char *)vp; - char buf[80]; - char *bp; - char *ap; - - fprintf(out, "%s [Len: %d]\n", msg, len); - memset(buf, ' ', sizeof buf); - bp = buf; - ap = buf + 50; - while (--len >= 0) { - unsigned char ch = *cp++; - *bp++ = hex[(ch >> 4) & 0xf]; - *bp++ = hex[ch & 0xf]; - *bp++ = ' '; - *ap++ = printable[ch]; - if (ap - buf >= 66) { - *ap = 0; - fprintf(out, " %s\n", buf); - memset(buf, ' ', sizeof buf); - bp = buf; - ap = buf + 50; - } - } - if (bp > buf) { - *ap = 0; - fprintf(out, " %s\n", buf); - } -} - -static SECStatus -SECU_StripTagAndLength(SECItem *i) -{ - unsigned int start; - - if (!i || !i->data || i->len < 2) { /* must be at least tag and length */ - return SECFailure; - } - start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2); - if (i->len < start) { - return SECFailure; - } - i->data += start; - i->len -= start; - return SECSuccess; -} - - -/* This expents i->data[0] to be the MSB of the integer. 
-** if you want to print a DER-encoded integer (with the tag and length) -** call SECU_PrintEncodedInteger(); -*/ -void -SECU_PrintInteger(FILE *out, SECItem *i, const char *m, int level) -{ - int iv; - - if (!i || !i->len || !i->data) { - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: (null)\n", m); - } else { - fprintf(out, "(null)\n"); - } - } else if (i->len > 4) { - SECU_PrintAsHex(out, i, m, level); - } else { - iv = DER_GetInteger(i); - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: %d (0x%x)\n", m, iv, iv); - } else { - fprintf(out, "%d (0x%x)\n", iv, iv); - } - } -} - -static void -secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level) -{ - int column; - unsigned int i; - - if ( m ) { - SECU_Indent(out, level); fprintf(out, "%s: ", m); - column = (level * INDENT_MULT) + strlen(m) + 2; - level++; - } else { - SECU_Indent(out, level); - column = level*INDENT_MULT; - } - fprintf(out, "\""); column++; - - for (i = 0; i < si->len; i++) { - unsigned char val = si->data[i]; - if (column > 76) { - secu_Newline(out); - SECU_Indent(out, level); column = level*INDENT_MULT; - } - - fprintf(out,"%c", printable[val]); column++; - } - - fprintf(out, "\""); column++; - if (column != level*INDENT_MULT || column > 76) { - secu_Newline(out); - } -} - -void -SECU_PrintString(FILE *out, SECItem *si, const char *m, int level) -{ - SECItem my = *si; - - if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len) - return; - secu_PrintRawString(out, &my, m, level); -} - -/* print an unencoded boolean */ -static void -secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level) -{ - int val = 0; - - if ( i->data && i->len ) { - val = i->data[0]; - } - - if (!m) { - m = "Boolean"; - } - SECU_Indent(out, level); - fprintf(out, "%s: %s\n", m, (val ? "True" : "False")); -} - -/* - * Format and print "time_val". 
If the tag message "m" is not NULL, - * do indent formatting based on "level" and add a newline afterward; - * otherwise just print the formatted time string only. - */ -static void -secu_PrintTime(FILE *out, int64 time_val, const char *m, int level) -{ - PRExplodedTime printableTime; - char *timeString; - - /* Convert to local time */ - PR_ExplodeTime(time_val, PR_GMTParameters, &printableTime); - - timeString = PORT_Alloc(100); - if (timeString == NULL) - return; - - if (m != NULL) { - SECU_Indent(out, level); - fprintf(out, "%s: ", m); - } - - PR_FormatTime(timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime); - fprintf(out, "%s", timeString); - - if (m != NULL) - fprintf(out, "\n"); - - PORT_Free(timeString); -} - -/* - * Format and print the UTC Time "t". If the tag message "m" is not NULL, - * do indent formatting based on "level" and add a newline afterward; - * otherwise just print the formatted time string only. - */ -void -SECU_PrintUTCTime(FILE *out, SECItem *t, const char *m, int level) -{ - int64 time_val; - SECStatus rv; - - rv = DER_UTCTimeToTime(&time_val, t); - if (rv != SECSuccess) - return; - - secu_PrintTime(out, time_val, m, level); -} - -/* - * Format and print the Generalized Time "t". If the tag message "m" - * is not NULL, * do indent formatting based on "level" and add a newline - * afterward; otherwise just print the formatted time string only. - */ -void -SECU_PrintGeneralizedTime(FILE *out, SECItem *t, const char *m, int level) -{ - int64 time_val; - SECStatus rv; - - - rv = DER_GeneralizedTimeToTime(&time_val, t); - if (rv != SECSuccess) - return; - - secu_PrintTime(out, time_val, m, level); -} - -/* - * Format and print the UTC or Generalized Time "t". If the tag message - * "m" is not NULL, do indent formatting based on "level" and add a newline - * afterward; otherwise just print the formatted time string only. 
- */ -void -SECU_PrintTimeChoice(FILE *out, SECItem *t, const char *m, int level) -{ - switch (t->type) { - case siUTCTime: - SECU_PrintUTCTime(out, t, m, level); - break; - - case siGeneralizedTime: - SECU_PrintGeneralizedTime(out, t, m, level); - break; - - default: - PORT_Assert(0); - break; - } -} - - -/* This prints a SET or SEQUENCE */ -static void -SECU_PrintSet(FILE *out, SECItem *t, const char *m, int level) -{ - int type = t->data[0] & SEC_ASN1_TAGNUM_MASK; - int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED; - const char * label; - SECItem my = *t; - - if (!constructed) { - SECU_PrintAsHex(out, t, m, level); - return; - } - if (SECSuccess != SECU_StripTagAndLength(&my)) - return; - - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: ", m); - } - - if (type == SEC_ASN1_SET) - label = "Set "; - else if (type == SEC_ASN1_SEQUENCE) - label = "Sequence "; - else - label = ""; - fprintf(out,"%s{\n", label); /* } */ - - while (my.len >= 2) { - SECItem tmp = my; - - if (tmp.data[1] & 0x80) { - unsigned int i; - unsigned int lenlen = tmp.data[1] & 0x7f; - if (lenlen > sizeof tmp.len) - break; - tmp.len = 0; - for (i=0; i < lenlen; i++) { - tmp.len = (tmp.len << 8) | tmp.data[2+i]; - } - tmp.len += lenlen + 2; - } else { - tmp.len = tmp.data[1] + 2; - } - if (tmp.len > my.len) { - tmp.len = my.len; - } - my.data += tmp.len; - my.len -= tmp.len; - SECU_PrintAny(out, &tmp, NULL, level + 1); - } - SECU_Indent(out, level); fprintf(out, /* { */ "}\n"); -} - -static void -secu_PrintContextSpecific(FILE *out, SECItem *i, const char *m, int level) -{ - int type = i->data[0] & SEC_ASN1_TAGNUM_MASK; - int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED; - SECItem tmp; - - if (constructed) { - char * m2; - if (!m) - m2 = PR_smprintf("[%d]", type); - else - m2 = PR_smprintf("%s: [%d]", m, type); - if (m2) { - SECU_PrintSet(out, i, m2, level); - PR_smprintf_free(m2); - } - return; - } - - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: ", m); - } - 
fprintf(out,"[%d]\n", type); - - tmp = *i; - if (SECSuccess == SECU_StripTagAndLength(&tmp)) - SECU_PrintAsHex(out, &tmp, m, level+1); -} - -static void -secu_PrintOctetString(FILE *out, SECItem *i, const char *m, int level) -{ - SECItem tmp = *i; - if (SECSuccess == SECU_StripTagAndLength(&tmp)) - SECU_PrintAsHex(out, &tmp, m, level); -} - -static void -secu_PrintBitString(FILE *out, SECItem *i, const char *m, int level) -{ - int unused_bits; - SECItem tmp = *i; - - if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2) - return; - - unused_bits = *tmp.data++; - tmp.len--; - - SECU_PrintAsHex(out, &tmp, m, level); - if (unused_bits) { - SECU_Indent(out, level + 1); - fprintf(out, "(%d least significant bits unused)\n", unused_bits); - } -} - -/* in a decoded bit string, the len member is a bit length. */ -static void -secu_PrintDecodedBitString(FILE *out, SECItem *i, const char *m, int level) -{ - int unused_bits; - SECItem tmp = *i; - - - unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0; - DER_ConvertBitString(&tmp); /* convert length to byte length */ - - SECU_PrintAsHex(out, &tmp, m, level); - if (unused_bits) { - SECU_Indent(out, level + 1); - fprintf(out, "(%d least significant bits unused)\n", unused_bits); - } -} - - -/* Print a DER encoded Boolean */ -static void -SECU_PrintEncodedBoolean(FILE *out, SECItem *i, const char *m, int level) -{ - SECItem my = *i; - if (SECSuccess == SECU_StripTagAndLength(&my)) - secu_PrintBoolean(out, &my, m, level); -} - -/* Print a DER encoded integer */ -static void -SECU_PrintEncodedInteger(FILE *out, SECItem *i, const char *m, int level) -{ - SECItem my = *i; - if (SECSuccess == SECU_StripTagAndLength(&my)) - SECU_PrintInteger(out, &my, m, level); -} - -/* Print a DER encoded OID */ -static void -SECU_PrintEncodedObjectID(FILE *out, SECItem *i, const char *m, int level) -{ - SECItem my = *i; - if (SECSuccess == SECU_StripTagAndLength(&my)) - SECU_PrintObjectID(out, &my, m, level); -} - -static void 
-secu_PrintBMPString(FILE *out, SECItem *i, const char *m, int level) -{ - unsigned char * s; - unsigned char * d; - int len; - SECItem tmp = {0, 0, 0}; - SECItem my = *i; - - if (SECSuccess != SECU_StripTagAndLength(&my)) - goto loser; - if (my.len % 2) - goto loser; - len = (int)(my.len / 2); - tmp.data = (unsigned char *)PORT_Alloc(len); - if (!tmp.data) - goto loser; - tmp.len = len; - for (s = my.data, d = tmp.data ; len > 0; len--) { - PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2; - if (!isprint(bmpChar)) - goto loser; - *d++ = (unsigned char)bmpChar; - } - secu_PrintRawString(out, &tmp, m, level); - PORT_Free(tmp.data); - return; - -loser: - SECU_PrintAsHex(out, i, m, level); - if (tmp.data) - PORT_Free(tmp.data); -} - -static void -secu_PrintUniversalString(FILE *out, SECItem *i, const char *m, int level) -{ - unsigned char * s; - unsigned char * d; - int len; - SECItem tmp = {0, 0, 0}; - SECItem my = *i; - - if (SECSuccess != SECU_StripTagAndLength(&my)) - goto loser; - if (my.len % 4) - goto loser; - len = (int)(my.len / 4); - tmp.data = (unsigned char *)PORT_Alloc(len); - if (!tmp.data) - goto loser; - tmp.len = len; - for (s = my.data, d = tmp.data ; len > 0; len--) { - PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3]; - s += 4; - if (!isprint(bmpChar)) - goto loser; - *d++ = (unsigned char)bmpChar; - } - secu_PrintRawString(out, &tmp, m, level); - PORT_Free(tmp.data); - return; - -loser: - SECU_PrintAsHex(out, i, m, level); - if (tmp.data) - PORT_Free(tmp.data); -} - -static void -secu_PrintUniversal(FILE *out, SECItem *i, const char *m, int level) -{ - switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) { - case SEC_ASN1_ENUMERATED: - case SEC_ASN1_INTEGER: - SECU_PrintEncodedInteger(out, i, m, level); - break; - case SEC_ASN1_OBJECT_ID: - SECU_PrintEncodedObjectID(out, i, m, level); - break; - case SEC_ASN1_BOOLEAN: - SECU_PrintEncodedBoolean(out, i, m, level); - break; - case SEC_ASN1_UTF8_STRING: - case SEC_ASN1_PRINTABLE_STRING: - case 
SEC_ASN1_VISIBLE_STRING: - case SEC_ASN1_IA5_STRING: - case SEC_ASN1_T61_STRING: - SECU_PrintString(out, i, m, level); - break; - case SEC_ASN1_GENERALIZED_TIME: - SECU_PrintGeneralizedTime(out, i, m, level); - break; - case SEC_ASN1_UTC_TIME: - SECU_PrintUTCTime(out, i, m, level); - break; - case SEC_ASN1_NULL: - SECU_Indent(out, level); - if (m && m[0]) - fprintf(out, "%s: NULL\n", m); - else - fprintf(out, "NULL\n"); - break; - case SEC_ASN1_SET: - case SEC_ASN1_SEQUENCE: - SECU_PrintSet(out, i, m, level); - break; - case SEC_ASN1_OCTET_STRING: - secu_PrintOctetString(out, i, m, level); - break; - case SEC_ASN1_BIT_STRING: - secu_PrintBitString(out, i, m, level); - break; - case SEC_ASN1_BMP_STRING: - secu_PrintBMPString(out, i, m, level); - break; - case SEC_ASN1_UNIVERSAL_STRING: - secu_PrintUniversalString(out, i, m, level); - break; - default: - SECU_PrintAsHex(out, i, m, level); - break; - } -} - -void -SECU_PrintAny(FILE *out, SECItem *i, const char *m, int level) -{ - if ( i && i->len && i->data ) { - switch (i->data[0] & SEC_ASN1_CLASS_MASK) { - case SEC_ASN1_CONTEXT_SPECIFIC: - secu_PrintContextSpecific(out, i, m, level); - break; - case SEC_ASN1_UNIVERSAL: - secu_PrintUniversal(out, i, m, level); - break; - default: - SECU_PrintAsHex(out, i, m, level); - break; - } - } -} - -static int -secu_PrintValidity(FILE *out, CERTValidity *v, const char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1); - SECU_PrintTimeChoice(out, &v->notAfter, "Not After ", level+1); - return 0; -} - -/* This function does NOT expect a DER type and length. 
*/ -SECOidTag -SECU_PrintObjectID(FILE *out, SECItem *oid, const char *m, int level) -{ - SECOidData *oiddata; - char * oidString = NULL; - - oiddata = SECOID_FindOID(oid); - if (oiddata != NULL) { - const char *name = oiddata->desc; - SECU_Indent(out, level); - if (m != NULL) - fprintf(out, "%s: ", m); - fprintf(out, "%s\n", name); - return oiddata->offset; - } - oidString = CERT_GetOidString(oid); - if (oidString) { - SECU_Indent(out, level); - if (m != NULL) - fprintf(out, "%s: ", m); - fprintf(out, "%s\n", oidString); - PR_smprintf_free(oidString); - return SEC_OID_UNKNOWN; - } - SECU_PrintAsHex(out, oid, m, level); - return SEC_OID_UNKNOWN; -} - - -/* This function does NOT expect a DER type and length. */ -void -SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, const char *m, int level) -{ - SECU_PrintObjectID(out, &a->algorithm, m, level); - - if (a->parameters.len == 0 - || (a->parameters.len == 2 - && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { - /* No arguments or NULL argument */ - } else { - /* Print args to algorithm */ - SECU_PrintAsHex(out, &a->parameters, "Args", level+1); - } -} - -static void -secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, const char *m, int level) -{ - SECItem *value; - int i; - char om[100]; - - if (m) { - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - } - - /* - * Should make this smarter; look at the type field and then decode - * and print the value(s) appropriately! - */ - SECU_PrintObjectID(out, &(attr->type), "Type", level+1); - if (attr->values != NULL) { - i = 0; - while ((value = attr->values[i++]) != NULL) { - sprintf(om, "Value (%d)%s", i, attr->encoded ? 
" (encoded)" : ""); - if (attr->encoded || attr->typeTag == NULL) { - SECU_PrintAny(out, value, om, level+1); - } else { - switch (attr->typeTag->offset) { - default: - SECU_PrintAsHex(out, value, om, level+1); - break; - case SEC_OID_PKCS9_CONTENT_TYPE: - SECU_PrintObjectID(out, value, om, level+1); - break; - case SEC_OID_PKCS9_SIGNING_TIME: - SECU_PrintTimeChoice(out, value, om, level+1); - break; - } - } - } - } -} - -static void -secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, const char *m, int level) -{ - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1); - SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1); - if (pk->u.rsa.publicExponent.len == 1 && - pk->u.rsa.publicExponent.data[0] == 1) { - SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n"); - } -} - -static void -secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, const char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1); - SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1); - SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1); - SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1); -} - -#ifdef NSS_ENABLE_ECC -static void -secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) -{ - SECItem curveOID = { siBuffer, NULL, 0}; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1); - /* For named curves, the DEREncodedParams field contains an - * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID). 
- */ - if ((pk->u.ec.DEREncodedParams.len > 2) && - (pk->u.ec.DEREncodedParams.data[0] == 0x06)) { - curveOID.len = pk->u.ec.DEREncodedParams.data[1]; - curveOID.data = pk->u.ec.DEREncodedParams.data + 2; - SECU_PrintObjectID(out, &curveOID, "Curve", level +1); - } -} -#endif /* NSS_ENABLE_ECC */ - -static void -secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena, - CERTSubjectPublicKeyInfo *i, const char *msg, int level) -{ - SECKEYPublicKey *pk; - - SECU_Indent(out, level); fprintf(out, "%s:\n", msg); - SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1); - - pk = SECKEY_ExtractPublicKey(i); - if (pk) { - switch (pk->keyType) { - case rsaKey: - secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1); - break; - - case dsaKey: - secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1); - break; - -#ifdef NSS_ENABLE_ECC - case ecKey: - secu_PrintECPublicKey(out, pk, "EC Public Key", level +1); - break; -#endif - - case dhKey: - case fortezzaKey: - case keaKey: - SECU_Indent(out, level); - fprintf(out, "unable to format this SPKI algorithm type\n"); - goto loser; - default: - SECU_Indent(out, level); - fprintf(out, "unknown SPKI algorithm type\n"); - goto loser; - } - PORT_FreeArena(pk->arena, PR_FALSE); - } else { - SECU_PrintErrMsg(out, level, "Error", "Parsing public key"); -loser: - if (i->subjectPublicKey.data) { - SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level); - } - } -} - -static SECStatus -secu_PrintX509InvalidDate(FILE *out, SECItem *value, const char *msg, int level) -{ - SECItem decodedValue; - SECStatus rv; - int64 invalidTime; - char *formattedTime = NULL; - - decodedValue.data = NULL; - rv = SEC_ASN1DecodeItem (NULL, &decodedValue, - SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), - value); - if (rv == SECSuccess) { - rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue); - if (rv == SECSuccess) { - formattedTime = CERT_GenTime2FormattedAscii - (invalidTime, (char *) "%a %b %d %H:%M:%S %Y"); - 
SECU_Indent(out, level +1); - fprintf (out, "%s: %s\n", msg, formattedTime); - PORT_Free (formattedTime); - } - } - PORT_Free (decodedValue.data); - return (rv); -} - -static SECStatus -PrintExtKeyUsageExtension (FILE *out, SECItem *value, char *msg, int level) -{ - CERTOidSequence *os; - SECItem **op; - - os = CERT_DecodeOidSequence(value); - if( (CERTOidSequence *)NULL == os ) { - return SECFailure; - } - - for( op = os->oids; *op; op++ ) { - SECU_PrintObjectID(out, *op, msg, level + 1); - } - CERT_DestroyOidSequence(os); - return SECSuccess; -} - -static SECStatus -secu_PrintBasicConstraints(FILE *out, SECItem *value, const char *msg, int level) { - CERTBasicConstraints constraints; - SECStatus rv; - - SECU_Indent(out, level); - if (msg) { - fprintf(out,"%s: ",msg); - } - rv = CERT_DecodeBasicConstraintValue(&constraints,value); - if (rv == SECSuccess && constraints.isCA) { - if (constraints.pathLenConstraint >= 0) { - fprintf(out,"Is a CA with a maximum path length of %d.\n", - constraints.pathLenConstraint); - } else { - fprintf(out,"Is a CA with no maximum path length.\n"); - } - } else { - fprintf(out,"Is not a CA.\n"); - } - return SECSuccess; -} - -static const char * const nsTypeBits[] = { - "SSL Client", - "SSL Server", - "S/MIME", - "Object Signing", - "Reserved", - "SSL CA", - "S/MIME CA", - "ObjectSigning CA" -}; - -/* NSCertType is merely a bit string whose bits are displayed symbolically */ -static SECStatus -secu_PrintNSCertType(FILE *out, SECItem *value, const char *msg, int level) -{ - int unused; - int NS_Type; - int i; - int found = 0; - SECItem my = *value; - - if ((my.data[0] != SEC_ASN1_BIT_STRING) || - SECSuccess != SECU_StripTagAndLength(&my)) { - SECU_PrintAny(out, value, "Data", level); - return SECSuccess; - } - - unused = (my.len == 2) ? 
(my.data[0] & 0x0f) : 0; - NS_Type = my.data[1] & (0xff << unused); - - - SECU_Indent(out, level); - if (msg) { - fprintf(out,"%s: ",msg); - } else { - fprintf(out,"Netscape Certificate Type: "); - } - for (i=0; i < 8; i++) { - if ( (0x80 >> i) & NS_Type) { - fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]); - found = 1; - } - } - fprintf(out, (found ? ">\n" : "none\n")); - return SECSuccess; -} - -static const char * const usageBits[] = { - "Digital Signature", /* 0x80 */ - "Non-Repudiation", /* 0x40 */ - "Key Encipherment", /* 0x20 */ - "Data Encipherment", /* 0x10 */ - "Key Agreement", /* 0x08 */ - "Certificate Signing", /* 0x04 */ - "CRL Signing", /* 0x02 */ - "Encipher Only", /* 0x01 */ - "Decipher Only", /* 0x0080 */ - NULL -}; - -/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */ -static void -secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) -{ - int unused; - int usage; - int i; - int found = 0; - SECItem my = *value; - - if ((my.data[0] != SEC_ASN1_BIT_STRING) || - SECSuccess != SECU_StripTagAndLength(&my)) { - SECU_PrintAny(out, value, "Data", level); - return; - } - - unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0; - usage = (my.len == 2) ? 
(my.data[1] & (0xff << unused)) << 8 - : (my.data[1] << 8) | - (my.data[2] & (0xff << unused)); - - SECU_Indent(out, level); - fprintf(out, "Usages: "); - for (i=0; usageBits[i]; i++) { - if ( (0x8000 >> i) & usage) { - if (found) - SECU_Indent(out, level + 2); - fprintf(out, "%s\n", usageBits[i]); - found = 1; - } - } - if (!found) { - fprintf(out, "(none)\n"); - } -} - -static void -secu_PrintIPAddress(FILE *out, SECItem *value, const char *msg, int level) -{ - PRStatus st; - PRNetAddr addr; - char addrBuf[80]; - - memset(&addr, 0, sizeof addr); - if (value->len == 4) { - addr.inet.family = PR_AF_INET; - memcpy(&addr.inet.ip, value->data, value->len); - } else if (value->len == 16) { - addr.ipv6.family = PR_AF_INET6; - memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len); - if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) { - /* convert to IPv4. */ - addr.inet.family = PR_AF_INET; - memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4); - memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad); - } - } else { - goto loser; - } - - st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf); - if (st == PR_SUCCESS) { - SECU_Indent(out, level); - fprintf(out, "%s: %s\n", msg, addrBuf); - } else { -loser: - SECU_PrintAsHex(out, value, msg, level); - } -} - - -static void -secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, const char *msg, int level) -{ - char label[40]; - if (msg && msg[0]) { - SECU_Indent(out, level++); fprintf(out, "%s: \n", msg); - } - switch (gname->type) { - case certOtherName : - SECU_PrintAny( out, &gname->name.OthName.name, "Other Name", level); - SECU_PrintObjectID(out, &gname->name.OthName.oid, "OID", level+1); - break; - case certDirectoryName : - SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level); - break; - case certRFC822Name : - secu_PrintRawString( out, &gname->name.other, "RFC822 Name", level); - break; - case certDNSName : - secu_PrintRawString( out, &gname->name.other, "DNS name", level); - break; - case 
certURI : - secu_PrintRawString( out, &gname->name.other, "URI", level); - break; - case certIPAddress : - secu_PrintIPAddress(out, &gname->name.other, "IP Address", level); - break; - case certRegisterID : - SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level); - break; - case certX400Address : - SECU_PrintAny( out, &gname->name.other, "X400 Address", level); - break; - case certEDIPartyName : - SECU_PrintAny( out, &gname->name.other, "EDI Party", level); - break; - default: - PR_snprintf(label, sizeof label, "unknown type [%d]", - (int)gname->type - 1); - SECU_PrintAsHex(out, &gname->name.other, label, level); - break; - } -} - -static void -secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) -{ - CERTAuthKeyID *kid = NULL; - PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - kid = CERT_DecodeAuthKeyID(pool, value); - if (!kid) { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Data", level); - } else { - int keyIDPresent = (kid->keyID.data && kid->keyID.len); - int issuerPresent = kid->authCertIssuer != NULL; - int snPresent = (kid->authCertSerialNumber.data && - kid->authCertSerialNumber.len); - - if ((keyIDPresent && !issuerPresent && !snPresent) || - (!keyIDPresent && issuerPresent && snPresent)) { - /* all is well */ - } else { - SECU_Indent(out, level); - fprintf(out, - "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n"); - } - if (keyIDPresent) - SECU_PrintAsHex(out, &kid->keyID, "Key ID", level); - if (issuerPresent) - secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level); - if (snPresent) - SECU_PrintInteger(out, &kid->authCertSerialNumber, - "Serial Number", level); - } - PORT_FreeArena(pool, PR_FALSE); -} - - -static void -secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level) -{ - CERTGeneralName * nameList; - CERTGeneralName * 
current; - PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - nameList = current = CERT_DecodeAltNameExtension(pool, value); - if (!current) { - if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { - /* Decoder found empty sequence, which is invalid. */ - PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); - } - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Data", level); - } else { - do { - secu_PrintGeneralName(out, current, msg, level); - current = CERT_GetNextGeneralName(current); - } while (current != nameList); - } - PORT_FreeArena(pool, PR_FALSE); -} - -static void -secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level) -{ - CERTCrlDistributionPoints * dPoints; - PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - dPoints = CERT_DecodeCRLDistributionPoints(pool, value); - if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) { - CRLDistributionPoint ** pPoints = dPoints->distPoints; - CRLDistributionPoint * pPoint; - while (NULL != (pPoint = *pPoints++)) { - if (pPoint->distPointType == generalName && - pPoint->distPoint.fullName != NULL) { - secu_PrintGeneralName(out, pPoint->distPoint.fullName, NULL, - level); -#if defined(LATER) - } else if (pPoint->distPointType == relativeDistinguishedName) { - /* print the relative name */ -#endif - } else if (pPoint->derDistPoint.data) { - SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level); - } - if (pPoint->reasons.data) { - secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons", - level); - } - if (pPoint->crlIssuer) { - secu_PrintGeneralName(out, pPoint->crlIssuer, "Issuer", level); - } - } - } else { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Data", level); - } - PORT_FreeArena(pool, 
PR_FALSE); -} - - -static void -secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, - const char *msg, int level) -{ - CERTNameConstraint *head = value; - SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg); - level++; - do { - secu_PrintGeneralName(out, &value->name, NULL, level); - if (value->min.data) - SECU_PrintInteger(out, &value->min, "Minimum", level+1); - if (value->max.data) - SECU_PrintInteger(out, &value->max, "Maximum", level+1); - value = CERT_GetNextNameConstraint(value); - } while (value != head); -} - -static void -secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, const char *msg, int level) -{ - CERTNameConstraints * cnstrnts; - PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value); - if (!cnstrnts) { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Raw", level); - } else { - if (cnstrnts->permited) - secu_PrintNameConstraintSubtree(out, cnstrnts->permited, - "Permitted", level); - if (cnstrnts->excluded) - secu_PrintNameConstraintSubtree(out, cnstrnts->excluded, - "Excluded", level); - } - PORT_FreeArena(pool, PR_FALSE); -} - - -static void -secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level) -{ - CERTAuthInfoAccess **infos = NULL; - PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - infos = CERT_DecodeAuthInfoAccessExtension(pool, value); - if (!infos) { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Raw", level); - } else { - CERTAuthInfoAccess *info; - while (NULL != (info = *infos++)) { - if (info->method.data) { - SECU_PrintObjectID(out, &info->method, "Method", level); - } else { - SECU_Indent(out,level); - fprintf(out, "Error: missing method\n"); 
- } - if (info->location) { - secu_PrintGeneralName(out, info->location, "Location", level); - } else { - SECU_PrintAny(out, &info->derLocation, "Location", level); - } - } - } - PORT_FreeArena(pool, PR_FALSE); -} - - -void -SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, - const char *msg, int level) -{ - SECOidTag oidTag; - - if ( extensions ) { - if (msg && *msg) { - SECU_Indent(out, level++); fprintf(out, "%s:\n", msg); - } - - while ( *extensions ) { - SECItem *tmpitem; - - tmpitem = &(*extensions)->id; - SECU_PrintObjectID(out, tmpitem, "Name", level); - - tmpitem = &(*extensions)->critical; - if ( tmpitem->len ) { - secu_PrintBoolean(out, tmpitem, "Critical", level); - } - - oidTag = SECOID_FindOIDTag (&((*extensions)->id)); - tmpitem = &((*extensions)->value); - - switch (oidTag) { - case SEC_OID_X509_INVALID_DATE: - case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME: - secu_PrintX509InvalidDate(out, tmpitem, "Date", level ); - break; - case SEC_OID_X509_CERTIFICATE_POLICIES: - SECU_PrintPolicy(out, tmpitem, "Data", level ); - break; - case SEC_OID_NS_CERT_EXT_BASE_URL: - case SEC_OID_NS_CERT_EXT_REVOCATION_URL: - case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL: - case SEC_OID_NS_CERT_EXT_CA_CRL_URL: - case SEC_OID_NS_CERT_EXT_CA_CERT_URL: - case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL: - case SEC_OID_NS_CERT_EXT_CA_POLICY_URL: - case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL: - case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL: - case SEC_OID_OCSP_RESPONDER: - SECU_PrintString(out,tmpitem, "URL", level); - break; - case SEC_OID_NS_CERT_EXT_COMMENT: - SECU_PrintString(out,tmpitem, "Comment", level); - break; - case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME: - SECU_PrintString(out,tmpitem, "ServerName", level); - break; - case SEC_OID_NS_CERT_EXT_CERT_TYPE: - secu_PrintNSCertType(out,tmpitem,"Data",level); - break; - case SEC_OID_X509_BASIC_CONSTRAINTS: - secu_PrintBasicConstraints(out,tmpitem,"Data",level); - break; - case SEC_OID_X509_EXT_KEY_USAGE: - 
PrintExtKeyUsageExtension(out, tmpitem, NULL, level); - break; - case SEC_OID_X509_KEY_USAGE: - secu_PrintX509KeyUsage(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_AUTH_KEY_ID: - secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_SUBJECT_ALT_NAME: - case SEC_OID_X509_ISSUER_ALT_NAME: - secu_PrintAltNameExtension(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_CRL_DIST_POINTS: - secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD: - SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL, - level ); - break; - case SEC_OID_X509_NAME_CONSTRAINTS: - secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level); - break; - case SEC_OID_X509_AUTH_INFO_ACCESS: - secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level); - break; - - case SEC_OID_X509_CRL_NUMBER: - case SEC_OID_X509_REASON_CODE: - - /* PKIX OIDs */ - case SEC_OID_PKIX_OCSP: - case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: - case SEC_OID_PKIX_OCSP_NONCE: - case SEC_OID_PKIX_OCSP_CRL: - case SEC_OID_PKIX_OCSP_RESPONSE: - case SEC_OID_PKIX_OCSP_NO_CHECK: - case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF: - case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR: - case SEC_OID_PKIX_REGCTRL_REGTOKEN: - case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR: - case SEC_OID_PKIX_REGCTRL_PKIPUBINFO: - case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS: - case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID: - case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY: - case SEC_OID_PKIX_REGINFO_UTF8_PAIRS: - case SEC_OID_PKIX_REGINFO_CERT_REQUEST: - - /* Netscape extension OIDs. 
*/ - case SEC_OID_NS_CERT_EXT_NETSCAPE_OK: - case SEC_OID_NS_CERT_EXT_ISSUER_LOGO: - case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO: - case SEC_OID_NS_CERT_EXT_ENTITY_LOGO: - case SEC_OID_NS_CERT_EXT_USER_PICTURE: - - /* x.509 v3 Extensions */ - case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR: - case SEC_OID_X509_SUBJECT_KEY_ID: - case SEC_OID_X509_POLICY_MAPPINGS: - case SEC_OID_X509_POLICY_CONSTRAINTS: - - - default: - SECU_PrintAny(out, tmpitem, "Data", level); - break; - } - - secu_Newline(out); - extensions++; - } - } -} - - -void -SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level) -{ - char *nameStr; - const char *str; - SECItem my; - - str = nameStr = CERT_NameToAscii(name); - if (!str) { - str = "!Invalid AVA!"; - } - my.data = (unsigned char *)str; - my.len = PORT_Strlen(str); -#if 1 - secu_PrintRawString(out, &my, msg, level); -#else - SECU_Indent(out, level); fprintf(out, "%s: ", msg); - fprintf(out, str); - secu_Newline(out); -#endif - PORT_Free(nameStr); -} - -void -printflags(char *trusts, unsigned int flags) -{ - if (flags & CERTDB_VALID_CA) - if (!(flags & CERTDB_TRUSTED_CA) && - !(flags & CERTDB_TRUSTED_CLIENT_CA)) - PORT_Strcat(trusts, "c"); - if (flags & CERTDB_VALID_PEER) - if (!(flags & CERTDB_TRUSTED)) - PORT_Strcat(trusts, "p"); - if (flags & CERTDB_TRUSTED_CA) - PORT_Strcat(trusts, "C"); - if (flags & CERTDB_TRUSTED_CLIENT_CA) - PORT_Strcat(trusts, "T"); - if (flags & CERTDB_TRUSTED) - PORT_Strcat(trusts, "P"); - if (flags & CERTDB_USER) - PORT_Strcat(trusts, "u"); - if (flags & CERTDB_SEND_WARN) - PORT_Strcat(trusts, "w"); - if (flags & CERTDB_INVISIBLE_CA) - PORT_Strcat(trusts, "I"); - if (flags & CERTDB_GOVT_APPROVED_CA) - PORT_Strcat(trusts, "G"); - return; -} - -/* callback for listing certs through pkcs11 */ -SECStatus -SECU_PrintCertNickname(CERTCertListNode *node, void *data) -{ - CERTCertTrust *trust; - CERTCertificate* cert; - FILE *out; - char trusts[30]; - const char *name; - - cert = node->cert; - - PORT_Memset (trusts, 0, 
sizeof (trusts)); - out = (FILE *)data; - - name = node->appData; - if (!name || !name[0]) { - name = cert->nickname; - } - if (!name || !name[0]) { - name = cert->emailAddr; - } - if (!name || !name[0]) { - name = "(NULL)"; - } - - trust = cert->trust; - if (trust) { - printflags(trusts, trust->sslFlags); - PORT_Strcat(trusts, ","); - printflags(trusts, trust->emailFlags); - PORT_Strcat(trusts, ","); - printflags(trusts, trust->objectSigningFlags); - } else { - PORT_Memcpy(trusts,",,",3); - } - fprintf(out, "%-60s %-5s\n", name, trusts); - - return (SECSuccess); -} - -static int -SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, const char *m, int level) -{ - CERTCertExtension **extensions = NULL; - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - int rv = 0; - - if (!arena) - return SEC_ERROR_NO_MEMORY; - - rv = SEC_QuickDERDecodeItem(arena, &extensions, - SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any); - if (!rv) - SECU_PrintExtensions(out, extensions, m, level); - else - SECU_PrintAny(out, any, m, level); - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -/* print a decoded SET OF or SEQUENCE OF Extensions */ -static int -SECU_PrintSetOfExtensions(FILE *out, SECItem **any, const char *m, int level) -{ - int rv = 0; - if (m && *m) { - SECU_Indent(out, level++); fprintf(out, "%s:\n", m); - } - while (any && any[0]) { - rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level); - any++; - } - return rv; -} - -/* print a decoded SET OF or SEQUENCE OF "ANY" */ -static int -SECU_PrintSetOfAny(FILE *out, SECItem **any, const char *m, int level) -{ - int rv = 0; - if (m && *m) { - SECU_Indent(out, level++); fprintf(out, "%s:\n", m); - } - while (any && any[0]) { - SECU_PrintAny(out, any[0], "", level); - any++; - } - return rv; -} - -static int -SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, const char *m, int level) -{ - int rv = 0; - SECOidTag tag; - tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level); - if 
(tag == SEC_OID_PKCS9_EXTENSION_REQUEST) { - rv = SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level); - } else { - rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level); - } - return rv; -} - -static int -SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, const char *m, int level) -{ - int rv = 0; - while (attrs[0]) { - rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1); - attrs++; - } - return rv; -} - -int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ -SECU_PrintCertificateRequest(FILE *out, SECItem *der, const char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTCertificateRequest *cr; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - /* Decode certificate request */ - cr = PORT_ArenaZNew(arena, CERTCertificateRequest); - if (!cr) - goto loser; - cr->arena = arena; - rv = SEC_QuickDERDecodeItem(arena, cr, - SEC_ASN1_GET(CERT_CertificateRequestTemplate), der); - if (rv) - goto loser; - - /* Pretty print it out */ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &cr->version, "Version", level+1); - SECU_PrintName(out, &cr->subject, "Subject", level+1); - secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo, - "Subject Public Key Info", level+1); - if (cr->attributes) - SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1); - rv = 0; -loser: - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -int -SECU_PrintCertificate(FILE *out, SECItem *der, const char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTCertificate *c; - int rv = SEC_ERROR_NO_MEMORY; - int iv; - - if (!arena) - return rv; - - /* Decode certificate */ - c = PORT_ArenaZNew(arena, CERTCertificate); - if (!c) - goto loser; - c->arena = arena; - rv = SEC_ASN1DecodeItem(arena, c, - SEC_ASN1_GET(CERT_CertificateTemplate), der); - if (rv) { - SECU_Indent(out, level); - SECU_PrintErrMsg(out, 
level, "Error", "Parsing extension"); - SECU_PrintAny(out, der, "Raw", level); - goto loser; - } - /* Pretty print it out */ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - iv = c->version.len ? DER_GetInteger(&c->version) : 0; /* version is optional */ - SECU_Indent(out, level+1); fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); - - SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1); - SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1); - SECU_PrintName(out, &c->issuer, "Issuer", level+1); - secu_PrintValidity(out, &c->validity, "Validity", level+1); - SECU_PrintName(out, &c->subject, "Subject", level+1); - secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo, - "Subject Public Key Info", level+1); - if (c->issuerID.data) - secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level+1); - if (c->subjectID.data) - secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1); - SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1); -loser: - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -int -SECU_PrintPublicKey(FILE *out, SECItem *der, const char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - SECKEYPublicKey key; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - PORT_Memset(&key, 0, sizeof(key)); - rv = SEC_ASN1DecodeItem(arena, &key, - SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der); - if (!rv) { - /* Pretty print it out */ - secu_PrintRSAPublicKey(out, &key, m, level); - } - - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -#ifdef HAVE_EPV_TEMPLATE -int -SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - SECKEYEncryptedPrivateKeyInfo key; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - PORT_Memset(&key, 0, sizeof(key)); - rv = SEC_ASN1DecodeItem(arena, &key, - 
SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der); - if (rv) - goto loser; - - /* Pretty print it out */ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm", - level+1); - SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level+1); -loser: - PORT_FreeArena(arena, PR_TRUE); - return rv; -} -#endif - -int -SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m, int level) -{ - unsigned char fingerprint[20]; - char *fpStr = NULL; - int err = PORT_GetError(); - SECStatus rv; - SECItem fpItem; - - /* print MD5 fingerprint */ - memset(fingerprint, 0, sizeof fingerprint); - rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len); - fpItem.data = fingerprint; - fpItem.len = MD5_LENGTH; - fpStr = CERT_Hexify(&fpItem, 1); - SECU_Indent(out, level); fprintf(out, "%s (MD5):\n", m); - SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); - PORT_Free(fpStr); - fpStr = NULL; - if (rv != SECSuccess && !err) - err = PORT_GetError(); - - /* print SHA1 fingerprint */ - memset(fingerprint, 0, sizeof fingerprint); - rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len); - fpItem.data = fingerprint; - fpItem.len = SHA1_LENGTH; - fpStr = CERT_Hexify(&fpItem, 1); - SECU_Indent(out, level); fprintf(out, "%s (SHA1):\n", m); - SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); - PORT_Free(fpStr); - fprintf(out, "\n"); - - if (err) - PORT_SetError(err); - if (err || rv != SECSuccess) - return SECFailure; - - return 0; -} - -/* -** PKCS7 Support -*/ - -/* forward declaration */ -static int -secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, const char *, int); - -/* -** secu_PrintPKCS7EncContent -** Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it) -*/ -static void -secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, - const char *m, int level) -{ - if (src->contentTypeTag == NULL) - src->contentTypeTag = 
SECOID_FindOID(&(src->contentType)); - - SECU_Indent(out, level); - fprintf(out, "%s:\n", m); - SECU_Indent(out, level + 1); - fprintf(out, "Content Type: %s\n", - (src->contentTypeTag != NULL) ? src->contentTypeTag->desc - : "Unknown"); - SECU_PrintAlgorithmID(out, &(src->contentEncAlg), - "Content Encryption Algorithm", level+1); - SECU_PrintAsHex(out, &(src->encContent), - "Encrypted Content", level+1); -} - -/* -** secu_PrintRecipientInfo -** Prints a PKCS7RecipientInfo type -*/ -static void -secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, - int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(info->version), "Version", level + 1); - - SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", - level + 1); - SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), - "Serial Number", level + 1); - - /* Parse and display encrypted key */ - SECU_PrintAlgorithmID(out, &(info->keyEncAlg), - "Key Encryption Algorithm", level + 1); - SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1); -} - -/* -** secu_PrintSignerInfo -** Prints a PKCS7SingerInfo type -*/ -static void -secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level) -{ - SEC_PKCS7Attribute *attr; - int iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(info->version), "Version", level + 1); - - SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", - level + 1); - SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), - "Serial Number", level + 1); - - SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm", - level + 1); - - if (info->authAttr != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Authenticated Attributes:\n"); - iv = 0; - while ((attr = info->authAttr[iv++]) != NULL) { - sprintf(om, "Attribute (%d)", iv); - secu_PrintAttribute(out, attr, om, level + 2); - } - } - - /* Parse and display signature */ - 
SECU_PrintAlgorithmID(out, &(info->digestEncAlg), - "Digest Encryption Algorithm", level + 1); - SECU_PrintAsHex(out, &(info->encDigest), "Encrypted Digest", level + 1); - - if (info->unAuthAttr != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Unauthenticated Attributes:\n"); - iv = 0; - while ((attr = info->unAuthAttr[iv++]) != NULL) { - sprintf(om, "Attribute (%x)", iv); - secu_PrintAttribute(out, attr, om, level + 2); - } - } -} - -/* callers of this function must make sure that the CERTSignedCrl - from which they are extracting the CERTCrl has been fully-decoded. - Otherwise it will not have the entries even though the CRL may have - some */ - -void -SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, const char *m, int level) -{ - CERTCrlEntry *entry; - int iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - /* version is optional */ - iv = crl->version.len ? DER_GetInteger(&crl->version) : 0; - SECU_Indent(out, level+1); - fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); - SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm", - level + 1); - SECU_PrintName(out, &(crl->name), "Issuer", level + 1); - SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1); - if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */ - SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1); - - if (crl->entries != NULL) { - iv = 0; - while ((entry = crl->entries[iv++]) != NULL) { - sprintf(om, "Entry (%x):\n", iv); - SECU_Indent(out, level + 1); - fprintf(out, "%s", om); - SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number", - level + 2); - SECU_PrintTimeChoice(out, &(entry->revocationDate), - "Revocation Date", level + 2); - SECU_PrintExtensions(out, entry->extensions, - "Entry Extensions", level + 2); - } - } - SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1); -} - -/* -** secu_PrintPKCS7Signed -** Pretty print a PKCS7 signed data type (up to version 1). 
-*/ -static int -secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src, - const char *m, int level) -{ - SECAlgorithmID *digAlg; /* digest algorithms */ - SECItem *aCert; /* certificate */ - CERTSignedCrl *aCrl; /* certificate revocation list */ - SEC_PKCS7SignerInfo *sigInfo; /* signer information */ - int rv, iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - /* Parse and list digest algorithms (if any) */ - if (src->digestAlgorithms != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); - iv = 0; - while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { - sprintf(om, "Digest Algorithm (%x)", iv); - SECU_PrintAlgorithmID(out, digAlg, om, level + 2); - } - } - - /* Now for the content */ - rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo), - "Content Information", level + 1); - if (rv != 0) - return rv; - - /* Parse and list certificates (if any) */ - if (src->rawCerts != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); - iv = 0; - while ((aCert = src->rawCerts[iv++]) != NULL) { - sprintf(om, "Certificate (%x)", iv); - rv = SECU_PrintSignedData(out, aCert, om, level + 2, - SECU_PrintCertificate); - if (rv) - return rv; - } - } - - /* Parse and list CRL's (if any) */ - if (src->crls != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signed Revocation Lists:\n"); - iv = 0; - while ((aCrl = src->crls[iv++]) != NULL) { - sprintf(om, "Signed Revocation List (%x)", iv); - SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); - SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, - "Signature Algorithm", level+3); - DER_ConvertBitString(&aCrl->signatureWrap.signature); - SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", - level+3); - SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", - level + 3); - } - } - - /* Parse and list signatures (if any) */ - if 
(src->signerInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signer Information List:\n"); - iv = 0; - while ((sigInfo = src->signerInfos[iv++]) != NULL) { - sprintf(om, "Signer Information (%x)", iv); - secu_PrintSignerInfo(out, sigInfo, om, level + 2); - } - } - - return 0; -} - -/* -** secu_PrintPKCS7Enveloped -** Pretty print a PKCS7 enveloped data type (up to version 1). -*/ -static void -secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src, - const char *m, int level) -{ - SEC_PKCS7RecipientInfo *recInfo; /* pointer for signer information */ - int iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - /* Parse and list recipients (this is not optional) */ - if (src->recipientInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Recipient Information List:\n"); - iv = 0; - while ((recInfo = src->recipientInfos[iv++]) != NULL) { - sprintf(om, "Recipient Information (%x)", iv); - secu_PrintRecipientInfo(out, recInfo, om, level + 2); - } - } - - secu_PrintPKCS7EncContent(out, &src->encContentInfo, - "Encrypted Content Information", level + 1); -} - -/* -** secu_PrintPKCS7SignedEnveloped -** Pretty print a PKCS7 singed and enveloped data type (up to version 1). 
-*/ -static int -secu_PrintPKCS7SignedAndEnveloped(FILE *out, - SEC_PKCS7SignedAndEnvelopedData *src, - const char *m, int level) -{ - SECAlgorithmID *digAlg; /* pointer for digest algorithms */ - SECItem *aCert; /* pointer for certificate */ - CERTSignedCrl *aCrl; /* pointer for certificate revocation list */ - SEC_PKCS7SignerInfo *sigInfo; /* pointer for signer information */ - SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */ - int rv, iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - /* Parse and list recipients (this is not optional) */ - if (src->recipientInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Recipient Information List:\n"); - iv = 0; - while ((recInfo = src->recipientInfos[iv++]) != NULL) { - sprintf(om, "Recipient Information (%x)", iv); - secu_PrintRecipientInfo(out, recInfo, om, level + 2); - } - } - - /* Parse and list digest algorithms (if any) */ - if (src->digestAlgorithms != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); - iv = 0; - while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { - sprintf(om, "Digest Algorithm (%x)", iv); - SECU_PrintAlgorithmID(out, digAlg, om, level + 2); - } - } - - secu_PrintPKCS7EncContent(out, &src->encContentInfo, - "Encrypted Content Information", level + 1); - - /* Parse and list certificates (if any) */ - if (src->rawCerts != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); - iv = 0; - while ((aCert = src->rawCerts[iv++]) != NULL) { - sprintf(om, "Certificate (%x)", iv); - rv = SECU_PrintSignedData(out, aCert, om, level + 2, - SECU_PrintCertificate); - if (rv) - return rv; - } - } - - /* Parse and list CRL's (if any) */ - if (src->crls != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signed Revocation Lists:\n"); - iv = 0; - while ((aCrl = src->crls[iv++]) != NULL) { - sprintf(om, "Signed Revocation List 
(%x)", iv); - SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); - SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, - "Signature Algorithm", level+3); - DER_ConvertBitString(&aCrl->signatureWrap.signature); - SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", - level+3); - SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", - level + 3); - } - } - - /* Parse and list signatures (if any) */ - if (src->signerInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signer Information List:\n"); - iv = 0; - while ((sigInfo = src->signerInfos[iv++]) != NULL) { - sprintf(om, "Signer Information (%x)", iv); - secu_PrintSignerInfo(out, sigInfo, om, level + 2); - } - } - - return 0; -} - -int -SECU_PrintCrl(FILE *out, SECItem *der, const char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTCrl *c = NULL; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - do { - /* Decode CRL */ - c = PORT_ArenaZNew(arena, CERTCrl); - if (!c) - break; - - rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der); - if (rv != SECSuccess) - break; - SECU_PrintCRLInfo (out, c, m, level); - } while (0); - PORT_FreeArena (arena, PR_FALSE); - return rv; -} - - -/* -** secu_PrintPKCS7Encrypted -** Pretty print a PKCS7 encrypted data type (up to version 1). -*/ -static void -secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src, - const char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - secu_PrintPKCS7EncContent(out, &src->encContentInfo, - "Encrypted Content Information", level + 1); -} - -/* -** secu_PrintPKCS7Digested -** Pretty print a PKCS7 digested data type (up to version 1). 
-*/ -static void -secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src, - const char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm", - level + 1); - secu_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information", - level + 1); - SECU_PrintAsHex(out, &src->digest, "Digest", level + 1); -} - -/* -** secu_PrintPKCS7ContentInfo -** Takes a SEC_PKCS7ContentInfo type and sends the contents to the -** appropriate function -*/ -static int -secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, - const char *m, int level) -{ - const char *desc; - SECOidTag kind; - int rv; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - level++; - - if (src->contentTypeTag == NULL) - src->contentTypeTag = SECOID_FindOID(&(src->contentType)); - - if (src->contentTypeTag == NULL) { - desc = "Unknown"; - kind = SEC_OID_PKCS7_DATA; - } else { - desc = src->contentTypeTag->desc; - kind = src->contentTypeTag->offset; - } - - if (src->content.data == NULL) { - SECU_Indent(out, level); fprintf(out, "%s:\n", desc); - level++; - SECU_Indent(out, level); fprintf(out, "<no content>\n"); - return 0; - } - - rv = 0; - switch (kind) { - case SEC_OID_PKCS7_SIGNED_DATA: /* Signed Data */ - rv = secu_PrintPKCS7Signed(out, src->content.signedData, desc, level); - break; - - case SEC_OID_PKCS7_ENVELOPED_DATA: /* Enveloped Data */ - secu_PrintPKCS7Enveloped(out, src->content.envelopedData, desc, level); - break; - - case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA: /* Signed and Enveloped */ - rv = secu_PrintPKCS7SignedAndEnveloped(out, - src->content.signedAndEnvelopedData, - desc, level); - break; - - case SEC_OID_PKCS7_DIGESTED_DATA: /* Digested Data */ - secu_PrintPKCS7Digested(out, src->content.digestedData, desc, level); - break; - - case SEC_OID_PKCS7_ENCRYPTED_DATA: /* Encrypted Data */ - secu_PrintPKCS7Encrypted(out, 
src->content.encryptedData, desc, level); - break; - - default: - SECU_PrintAsHex(out, src->content.data, desc, level); - break; - } - - return rv; -} - -/* -** SECU_PrintPKCS7ContentInfo -** Decode and print any major PKCS7 data type (up to version 1). -*/ -int -SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, const char *m, int level) -{ - SEC_PKCS7ContentInfo *cinfo; - int rv; - - cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL); - if (cinfo != NULL) { - /* Send it to recursive parsing and printing module */ - rv = secu_PrintPKCS7ContentInfo(out, cinfo, m, level); - SEC_PKCS7DestroyContentInfo(cinfo); - } else { - rv = -1; - } - - return rv; -} - -/* -** End of PKCS7 functions -*/ - -static void -printFlags(FILE *out, unsigned int flags, int level) -{ - if ( flags & CERTDB_VALID_PEER ) { - SECU_Indent(out, level); fprintf(out, "Valid Peer\n"); - } - if ( flags & CERTDB_TRUSTED ) { - SECU_Indent(out, level); fprintf(out, "Trusted\n"); - } - if ( flags & CERTDB_SEND_WARN ) { - SECU_Indent(out, level); fprintf(out, "Warn When Sending\n"); - } - if ( flags & CERTDB_VALID_CA ) { - SECU_Indent(out, level); fprintf(out, "Valid CA\n"); - } - if ( flags & CERTDB_TRUSTED_CA ) { - SECU_Indent(out, level); fprintf(out, "Trusted CA\n"); - } - if ( flags & CERTDB_NS_TRUSTED_CA ) { - SECU_Indent(out, level); fprintf(out, "Netscape Trusted CA\n"); - } - if ( flags & CERTDB_USER ) { - SECU_Indent(out, level); fprintf(out, "User\n"); - } - if ( flags & CERTDB_TRUSTED_CLIENT_CA ) { - SECU_Indent(out, level); fprintf(out, "Trusted Client CA\n"); - } - if ( flags & CERTDB_GOVT_APPROVED_CA ) { - SECU_Indent(out, level); fprintf(out, "Step-up\n"); - } -} - -void -SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, const char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n"); - printFlags(out, trust->sslFlags, level+2); - SECU_Indent(out, level+1); fprintf(out, "Email 
Flags:\n"); - printFlags(out, trust->emailFlags, level+2); - SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n"); - printFlags(out, trust->objectSigningFlags, level+2); -} - -int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, - int level, SECU_PPFunc inner) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTSignedData *sd; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - /* Strip off the signature */ - sd = PORT_ArenaZNew(arena, CERTSignedData); - if (!sd) - goto loser; - - rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), - der); - if (rv) - goto loser; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - rv = (*inner)(out, &sd->data, "Data", level+1); - - SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm", - level+1); - DER_ConvertBitString(&sd->signature); - SECU_PrintAsHex(out, &sd->signature, "Signature", level+1); - SECU_PrintFingerprints(out, der, "Fingerprint", level+1); -loser: - PORT_FreeArena(arena, PR_FALSE); - return rv; - -} - -SECStatus -SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd) -{ - PRBool found; - PLOptState *optstate; - PLOptStatus status; - char *optstring; - int i, j; - - optstring = (char *)malloc(cmd->numCommands + 2*cmd->numOptions); - j = 0; - - for (i=0; i<cmd->numCommands; i++) { - optstring[j++] = cmd->commands[i].flag; - } - for (i=0; i<cmd->numOptions; i++) { - optstring[j++] = cmd->options[i].flag; - if (cmd->options[i].needsArg) - optstring[j++] = ':'; - } - optstring[j] = '\0'; - optstate = PL_CreateOptState(argc, argv, optstring); - - /* Parse command line arguments */ - while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { - - /* Wasn't really an option, just standalone arg. 
*/ - if (optstate->option == '\0') - continue; - - found = PR_FALSE; - - for (i=0; i<cmd->numCommands; i++) { - if (cmd->commands[i].flag == optstate->option) { - cmd->commands[i].activated = PR_TRUE; - if (optstate->value) { - cmd->commands[i].arg = (char *)optstate->value; - } - found = PR_TRUE; - break; - } - } - - if (found) - continue; - - for (i=0; i<cmd->numOptions; i++) { - if (cmd->options[i].flag == optstate->option) { - cmd->options[i].activated = PR_TRUE; - if (optstate->value) { - cmd->options[i].arg = (char *)optstate->value; - } else if (cmd->options[i].needsArg) { - return SECFailure; - } - found = PR_TRUE; - break; - } - } - - if (!found) - return SECFailure; - } - if (status == PL_OPT_BAD) - return SECFailure; - return SECSuccess; -} - -char * -SECU_GetOptionArg(secuCommand *cmd, int optionNum) -{ - if (optionNum < 0 || optionNum >= cmd->numOptions) - return NULL; - if (cmd->options[optionNum].activated) - return PL_strdup(cmd->options[optionNum].arg); - else - return NULL; -} - -static char SECUErrorBuf[64]; - -char * -SECU_ErrorStringRaw(int16 err) -{ - if (err == 0) - SECUErrorBuf[0] = '\0'; - else if (err == SEC_ERROR_BAD_DATA) - sprintf(SECUErrorBuf, "Bad data"); - else if (err == SEC_ERROR_BAD_DATABASE) - sprintf(SECUErrorBuf, "Problem with database"); - else if (err == SEC_ERROR_BAD_DER) - sprintf(SECUErrorBuf, "Problem with DER"); - else if (err == SEC_ERROR_BAD_KEY) - sprintf(SECUErrorBuf, "Problem with key"); - else if (err == SEC_ERROR_BAD_PASSWORD) - sprintf(SECUErrorBuf, "Incorrect password"); - else if (err == SEC_ERROR_BAD_SIGNATURE) - sprintf(SECUErrorBuf, "Bad signature"); - else if (err == SEC_ERROR_EXPIRED_CERTIFICATE) - sprintf(SECUErrorBuf, "Expired certificate"); - else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID) - sprintf(SECUErrorBuf, "Invalid extension value"); - else if (err == SEC_ERROR_INPUT_LEN) - sprintf(SECUErrorBuf, "Problem with input length"); - else if (err == SEC_ERROR_INVALID_ALGORITHM) - 
sprintf(SECUErrorBuf, "Invalid algorithm"); - else if (err == SEC_ERROR_INVALID_ARGS) - sprintf(SECUErrorBuf, "Invalid arguments"); - else if (err == SEC_ERROR_INVALID_AVA) - sprintf(SECUErrorBuf, "Invalid AVA"); - else if (err == SEC_ERROR_INVALID_TIME) - sprintf(SECUErrorBuf, "Invalid time"); - else if (err == SEC_ERROR_IO) - sprintf(SECUErrorBuf, "Security I/O error"); - else if (err == SEC_ERROR_LIBRARY_FAILURE) - sprintf(SECUErrorBuf, "Library failure"); - else if (err == SEC_ERROR_NO_MEMORY) - sprintf(SECUErrorBuf, "Out of memory"); - else if (err == SEC_ERROR_OLD_CRL) - sprintf(SECUErrorBuf, "CRL is older than the current one"); - else if (err == SEC_ERROR_OUTPUT_LEN) - sprintf(SECUErrorBuf, "Problem with output length"); - else if (err == SEC_ERROR_UNKNOWN_ISSUER) - sprintf(SECUErrorBuf, "Unknown issuer"); - else if (err == SEC_ERROR_UNTRUSTED_CERT) - sprintf(SECUErrorBuf, "Untrusted certificate"); - else if (err == SEC_ERROR_UNTRUSTED_ISSUER) - sprintf(SECUErrorBuf, "Untrusted issuer"); - else if (err == SSL_ERROR_BAD_CERTIFICATE) - sprintf(SECUErrorBuf, "Bad certificate"); - else if (err == SSL_ERROR_BAD_CLIENT) - sprintf(SECUErrorBuf, "Bad client"); - else if (err == SSL_ERROR_BAD_SERVER) - sprintf(SECUErrorBuf, "Bad server"); - else if (err == SSL_ERROR_EXPORT_ONLY_SERVER) - sprintf(SECUErrorBuf, "Export only server"); - else if (err == SSL_ERROR_NO_CERTIFICATE) - sprintf(SECUErrorBuf, "No certificate"); - else if (err == SSL_ERROR_NO_CYPHER_OVERLAP) - sprintf(SECUErrorBuf, "No cypher overlap"); - else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE) - sprintf(SECUErrorBuf, "Unsupported certificate type"); - else if (err == SSL_ERROR_UNSUPPORTED_VERSION) - sprintf(SECUErrorBuf, "Unsupported version"); - else if (err == SSL_ERROR_US_ONLY_SERVER) - sprintf(SECUErrorBuf, "U.S. 
only server"); - else if (err == PR_IO_ERROR) - sprintf(SECUErrorBuf, "I/O error"); - - else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) - sprintf (SECUErrorBuf, "Expired Issuer Certificate"); - else if (err == SEC_ERROR_REVOKED_CERTIFICATE) - sprintf (SECUErrorBuf, "Revoked certificate"); - else if (err == SEC_ERROR_NO_KEY) - sprintf (SECUErrorBuf, "No private key in database for this cert"); - else if (err == SEC_ERROR_CERT_NOT_VALID) - sprintf (SECUErrorBuf, "Certificate is not valid"); - else if (err == SEC_ERROR_EXTENSION_NOT_FOUND) - sprintf (SECUErrorBuf, "Certificate extension was not found"); - else if (err == SEC_ERROR_CA_CERT_INVALID) - sprintf (SECUErrorBuf, "Issuer certificate is invalid"); - else if (err == SEC_ERROR_CERT_USAGES_INVALID) - sprintf (SECUErrorBuf, "Certificate usages is invalid"); - else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) - sprintf (SECUErrorBuf, "Certificate has unknown critical extension"); - else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE) - sprintf (SECUErrorBuf, "Bad PKCS7 signature"); - else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE) - sprintf (SECUErrorBuf, "Certificate not approved for this operation"); - else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE) - sprintf (SECUErrorBuf, "Certificate not approved for this operation"); - - return SECUErrorBuf; -} - -char * -SECU_ErrorString(int16 err) -{ - char *error_string; - - *SECUErrorBuf = 0; - SECU_ErrorStringRaw (err); - - if (*SECUErrorBuf == 0) { - error_string = SECU_GetString(err); - if (error_string == NULL || *error_string == '\0') - sprintf(SECUErrorBuf, "No error string found for %d.", err); - else - return error_string; - } - - return SECUErrorBuf; -} - - -void -SECU_PrintPRandOSError(const char *progName) -{ - char buffer[513]; - PRInt32 errLen = PR_GetErrorTextLength(); - if ((errLen > 0) && ((size_t) errLen < sizeof(buffer))) { - PR_GetErrorText(buffer); - } - SECU_PrintError(progName, "function failed"); - if ((errLen > 0) && ((size_t) errLen < 
sizeof(buffer))) { - PR_fprintf(PR_STDERR, "\t%s\n", buffer); - } -} - - -static char * -bestCertName(CERTCertificate *cert) { - if (cert->nickname) { - return cert->nickname; - } - if (cert->emailAddr && cert->emailAddr[0]) { - return cert->emailAddr; - } - return cert->subjectName; -} - -void -SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, - CERTCertificate *cert, PRBool checksig, - SECCertificateUsage certUsage, void *pinArg, PRBool verbose) -{ - CERTVerifyLog log; - CERTVerifyLogNode *node = NULL; - unsigned int depth = (unsigned int)-1; - unsigned int flags = 0; - const char * errstr = NULL; - PRErrorCode err = PORT_GetError(); - - log.arena = PORT_NewArena(512); - log.head = log.tail = NULL; - log.count = 0; - CERT_VerifyCertificate(handle, cert, checksig, certUsage, PR_Now(), pinArg, &log, NULL); - - if (log.count > 0) { - fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n"); - for (node = log.head; node; node = node->next) { - if (depth != node->depth) { - depth = node->depth; - fprintf(outfile,"CERT %d. %s %s:\n", depth, - bestCertName(node->cert), - depth ? 
"[Certificate Authority]": ""); - if (verbose) { - const char * emailAddr; - emailAddr = CERT_GetFirstEmailAddress(node->cert); - if (emailAddr) { - fprintf(outfile,"Email Address(es): "); - do { - fprintf(outfile, "%s\n", emailAddr); - emailAddr = CERT_GetNextEmailAddress(node->cert, - emailAddr); - } while (emailAddr); - } - } - } - fprintf(outfile," ERROR %ld: %s\n", node->error, - SECU_Strerror(node->error)); - errstr = NULL; - switch (node->error) { - case SEC_ERROR_INADEQUATE_KEY_USAGE: - flags = (unsigned int)node->arg; - switch (flags) { - case KU_DIGITAL_SIGNATURE: - errstr = "Cert cannot sign."; - break; - case KU_KEY_ENCIPHERMENT: - errstr = "Cert cannot encrypt."; - break; - case KU_KEY_CERT_SIGN: - errstr = "Cert cannot sign other certs."; - break; - default: - errstr = "[unknown usage]."; - break; - } - case SEC_ERROR_INADEQUATE_CERT_TYPE: - flags = (unsigned int)node->arg; - switch (flags) { - case NS_CERT_TYPE_SSL_CLIENT: - case NS_CERT_TYPE_SSL_SERVER: - errstr = "Cert cannot be used for SSL."; - break; - case NS_CERT_TYPE_SSL_CA: - errstr = "Cert cannot be used as an SSL CA."; - break; - case NS_CERT_TYPE_EMAIL: - errstr = "Cert cannot be used for SMIME."; - break; - case NS_CERT_TYPE_EMAIL_CA: - errstr = "Cert cannot be used as an SMIME CA."; - break; - case NS_CERT_TYPE_OBJECT_SIGNING: - errstr = "Cert cannot be used for object signing."; - break; - case NS_CERT_TYPE_OBJECT_SIGNING_CA: - errstr = "Cert cannot be used as an object signing CA."; - break; - default: - errstr = "[unknown usage]."; - break; - } - case SEC_ERROR_UNKNOWN_ISSUER: - case SEC_ERROR_UNTRUSTED_ISSUER: - case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: - errstr = node->cert->issuerName; - break; - default: - break; - } - if (errstr) { - fprintf(stderr," %s\n",errstr); - } - CERT_DestroyCertificate(node->cert); - } - } - PORT_SetError(err); /* restore original error code */ -} - -SECOidTag -SECU_StringToSignatureAlgTag(const char *alg) -{ - SECOidTag hashAlgTag = SEC_OID_UNKNOWN; - 
- if (alg) { - if (!PL_strcmp(alg, "MD2")) { - hashAlgTag = SEC_OID_MD2; - } else if (!PL_strcmp(alg, "MD4")) { - hashAlgTag = SEC_OID_MD4; - } else if (!PL_strcmp(alg, "MD5")) { - hashAlgTag = SEC_OID_MD5; - } else if (!PL_strcmp(alg, "SHA1")) { - hashAlgTag = SEC_OID_SHA1; - } else if (!PL_strcmp(alg, "SHA256")) { - hashAlgTag = SEC_OID_SHA256; - } else if (!PL_strcmp(alg, "SHA384")) { - hashAlgTag = SEC_OID_SHA384; - } else if (!PL_strcmp(alg, "SHA512")) { - hashAlgTag = SEC_OID_SHA512; - } - } - return hashAlgTag; -} - - -SECStatus -SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile, - const PRBool ascii, char *url) -{ - PORT_Assert(derCrl != NULL); - if (!derCrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - if (outFile != NULL) { - if (ascii) { - PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER, - BTOA_DataToAscii(derCrl->data, derCrl->len), - NS_CRL_TRAILER); - } else { - if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) { - return SECFailure; - } - } - } - if (slot) { - CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url, - SEC_CRL_TYPE, NULL, 0, NULL, 0); - if (newCrl != NULL) { - SEC_DestroyCrl(newCrl); - return SECSuccess; - } - return SECFailure; - } - if (!outFile && !slot) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - return SECSuccess; -} - -SECStatus -SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, - SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode) -{ - SECItem der; - SECKEYPrivateKey *caPrivateKey = NULL; - SECStatus rv; - PRArenaPool *arena; - SECOidTag algID; - void *dummy; - - PORT_Assert(issuer != NULL && signCrl != NULL); - if (!issuer || !signCrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - arena = signCrl->arena; - - caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL); - if (caPrivateKey == NULL) { - *resCode = noKeyFound; - return SECFailure; - } - - algID = 
SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag); - if (algID == SEC_OID_UNKNOWN) { - *resCode = noSignatureMatch; - rv = SECFailure; - goto done; - } - - if (!signCrl->crl.signatureAlg.parameters.data) { - rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0); - if (rv != SECSuccess) { - *resCode = failToEncode; - goto done; - } - } - - der.len = 0; - der.data = NULL; - dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl, - SEC_ASN1_GET(CERT_CrlTemplate)); - if (!dummy) { - *resCode = failToEncode; - rv = SECFailure; - goto done; - } - - rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap, - der.data, der.len, caPrivateKey, algID); - if (rv != SECSuccess) { - *resCode = failToSign; - goto done; - } - - signCrl->derCrl = PORT_ArenaZNew(arena, SECItem); - if (signCrl->derCrl == NULL) { - *resCode = noMem; - PORT_SetError(SEC_ERROR_NO_MEMORY); - rv = SECFailure; - goto done; - } - - signCrl->derCrl->len = 0; - signCrl->derCrl->data = NULL; - dummy = SEC_ASN1EncodeItem (arena, signCrl->derCrl, signCrl, - SEC_ASN1_GET(CERT_SignedCrlTemplate)); - if (!dummy) { - *resCode = failToEncode; - rv = SECFailure; - goto done; - } - -done: - if (caPrivateKey) { - SECKEY_DestroyPrivateKey(caPrivateKey); - } - return rv; -} - - - -SECStatus -SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl) -{ - void *dummy; - SECStatus rv = SECSuccess; - SECItem der; - - PORT_Assert(destArena && srcCrl && destCrl); - if (!destArena || !srcCrl || !destCrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - der.len = 0; - der.data = NULL; - dummy = SEC_ASN1EncodeItem (destArena, &der, srcCrl, - SEC_ASN1_GET(CERT_CrlTemplate)); - if (!dummy) { - return SECFailure; - } - - rv = SEC_QuickDERDecodeItem(destArena, destCrl, - SEC_ASN1_GET(CERT_CrlTemplate), &der); - if (rv != SECSuccess) { - return SECFailure; - } - - destCrl->arena = destArena; - - return rv; -} - -SECStatus -SECU_DerSignDataCRL(PRArenaPool *arena, 
CERTSignedData *sd, - unsigned char *buf, int len, SECKEYPrivateKey *pk, - SECOidTag algID) -{ - SECItem it; - SECStatus rv; - - it.data = 0; - - /* XXX We should probably have some asserts here to make sure the key type - * and algID match - */ - - /* Sign input buffer */ - rv = SEC_SignData(&it, buf, len, pk, algID); - if (rv) goto loser; - - /* Fill out SignedData object */ - PORT_Memset(sd, 0, sizeof(*sd)); - sd->data.data = buf; - sd->data.len = len; - sd->signature.data = it.data; - sd->signature.len = it.len << 3; /* convert to bit string */ - rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0); - if (rv) goto loser; - - return rv; - - loser: - PORT_Free(it.data); - return rv; -} - -#if 0 - -/* we need access to the private function cert_FindExtension for this code to work */ - -CERTAuthKeyID * -SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *scrl) -{ - SECItem encodedExtenValue; - SECStatus rv; - CERTAuthKeyID *ret; - CERTCrl* crl; - - if (!scrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - - crl = &scrl->crl; - - encodedExtenValue.data = NULL; - encodedExtenValue.len = 0; - - rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID, - &encodedExtenValue); - if ( rv != SECSuccess ) { - return (NULL); - } - - ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue); - - PORT_Free(encodedExtenValue.data); - encodedExtenValue.data = NULL; - - return(ret); -} - -#endif - -/* - * Find the issuer of a Crl. Use the authorityKeyID if it exists. 
- */ -CERTCertificate * -SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject, - CERTAuthKeyID* authorityKeyID, PRTime validTime) -{ - CERTCertificate *issuerCert = NULL; - CERTCertList *certList = NULL; - - if (!subject) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - - certList = - CERT_CreateSubjectCertList(NULL, dbhandle, subject, - validTime, PR_TRUE); - if (certList) { - CERTCertListNode *node = CERT_LIST_HEAD(certList); - - /* XXX and authoritykeyid in the future */ - while ( ! CERT_LIST_END(node, certList) ) { - CERTCertificate *cert = node->cert; - /* check cert CERTCertTrust data is allocated, check cert - usage extension, check that cert has pkey in db. Select - the first (newest) user cert */ - if (cert->trust && - CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess && - CERT_IsUserCert(cert)) { - - issuerCert = CERT_DupCertificate(cert); - break; - } - node = CERT_LIST_NEXT(node); - } - CERT_DestroyCertList(certList); - } - return(issuerCert); -} - - -/* Encodes and adds extensions to the CRL or CRL entries. */ -SECStatus -SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, - void *value, PRBool criticality, int extenType, - EXTEN_EXT_VALUE_ENCODER EncodeValueFn) -{ - SECItem encodedValue; - SECStatus rv; - - encodedValue.data = NULL; - encodedValue.len = 0; - do { - rv = (*EncodeValueFn)(arena, value, &encodedValue); - if (rv != SECSuccess) - break; - - rv = CERT_AddExtension(extHandle, extenType, &encodedValue, - criticality, PR_TRUE); - if (rv != SECSuccess) - break; - } while (0); - - return (rv); -} diff --git a/pki/base/native-tools/src/p7tool/secutil.h b/pki/base/native-tools/src/p7tool/secutil.h deleted file mode 100644 index 10c8f9ae6..000000000 --- a/pki/base/native-tools/src/p7tool/secutil.h +++ /dev/null 
@@ -1,430 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * END COPYRIGHT BLOCK **/
-
-/* Originally obtained from:
- *
- * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
- * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.h
- */
-
-#ifndef _SEC_UTIL_H_
-#define _SEC_UTIL_H_
-
-#include "seccomon.h"
-#include "secitem.h"
-#include "prerror.h"
-#include "base64.h"
-#include "key.h"
-#include "secpkcs7.h"
-#include "secasn1.h"
-#include "secder.h"
-#include <stdio.h>
-
-#define SEC_CT_PRIVATE_KEY "private-key"
-#define SEC_CT_PUBLIC_KEY "public-key"
-#define SEC_CT_CERTIFICATE "certificate"
-#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
-#define SEC_CT_PKCS7 "pkcs7"
-#define SEC_CT_CRL "crl"
-
-#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
-#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
-
-#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
-#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
-
-#define NS_CRL_HEADER "-----BEGIN CRL-----"
-#define NS_CRL_TRAILER "-----END CRL-----"
-
-/* From libsec/pcertdb.c --- it's not declared in sec.h */
-extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle,
- SECItem *derCert, char *nickname, CERTCertTrust *trust);
-
-
-#ifdef SECUTIL_NEW
-typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
- const char *msg, int level);
-#else
-typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, const char *msg, int level);
-#endif
-
-typedef struct {
- enum {
- PW_NONE = 0,
- PW_FROMFILE = 1,
- PW_PLAINTEXT = 2,
- PW_EXTERNAL = 3
- } source;
- char *data;
-} secuPWData;
-
-/*
-** Change a password on a token, or initialize a token with a password
-** if it does not already have one.
-** Use passwd to send the password in plaintext, pwFile to specify a
-** file containing the password, or NULL for both to prompt the user.
-*/
-SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
-
-/* These were stolen from the old sec.h... */
-/*
-** Check a password for legitimacy. Passwords must be at least 8
-** characters long and contain one non-alphabetic. Return DSTrue if the
-** password is ok, DSFalse otherwise.
-*/
-extern PRBool SEC_CheckPassword(char *password);
-
-/*
-** Blind check of a password. Complement to SEC_CheckPassword which
-** ignores length and content type, just retuning DSTrue is the password
-** exists, DSFalse if NULL
-*/
-extern PRBool SEC_BlindCheckPassword(char *password);
-
-/*
-** Get a password.
-** First prompt with "msg" on "out", then read the password from "in".
-** The password is then checked using "chkpw".
-*/
-extern char *SEC_GetPassword(FILE *in, FILE *out, const char *msg,
- PRBool (*chkpw)(char *));
-
-char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
-
-char *SECU_GetPasswordString(void *arg, char *prompt);
-
-/*
-** Write a dongle password.
-** Uses MD5 to hash constant system data (hostname, etc.), and then
-** creates RC4 key to encrypt a password "pw" into a file "fd".
-*/
-extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
-
-/*
-** Get a dongle password.
-** Uses MD5 to hash constant system data (hostname, etc.), and then
-** creates RC4 key to decrypt and return a password from file "fd".
-*/
-extern char *SEC_ReadDongleFile(int fd);
-
-
-/* End stolen headers */
-
-/* Just sticks the two strings together with a / if needed */
-char *SECU_AppendFilenameToDir(char *dir, char *filename);
-
-/* Returns result of getenv("SSL_DIR") or NULL */
-extern char *SECU_DefaultSSLDir(void);
-
-/*
-** Should be called once during initialization to set the default
-** directory for looking for cert.db, key.db, and cert-nameidx.db files
-** Removes trailing '/' in 'base'
-** If 'base' is NULL, defaults to set to .netscape in home directory.
-*/
-extern char *SECU_ConfigDirectory(const char* base);
-
-/*
-** Basic callback function for SSL_GetClientAuthDataHook
-*/
-extern int
-SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
- struct CERTDistNamesStr *caNames,
- struct CERTCertificateStr **pRetCert,
- struct SECKEYPrivateKeyStr **pRetKey);
-
-/* print out an error message */
-extern void SECU_PrintError(const char *progName, const char *msg, ...);
-
-/* print out a system error message */
-extern void SECU_PrintSystemError(const char *progName, const char *msg, ...);
-
-/* Return informative error string */
-extern const char * SECU_Strerror(PRErrorCode errNum);
-
-/* print information about cert verification failure */
-extern void
-SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
- CERTCertificate *cert, PRBool checksig,
- SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
-
-/* Read the contents of a file into a SECItem */
-extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
-extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
-
-/* Read in a DER from a file, may be ascii */
-extern SECStatus
-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
-
-/* Indent based on "level" */
-extern void SECU_Indent(FILE *out, int level);
-
-/* Print integer value and hex */
-extern void SECU_PrintInteger(FILE *out, SECItem *i, const char *m, int level);
-
-/* Print ObjectIdentifier symbolically */
-extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, const char *m, int level);
-
-/* Print AlgorithmIdentifier symbolically */
-extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, const char *m,
- int level);
-
-/* Print SECItem as hex */
-extern void SECU_PrintAsHex(FILE *out, SECItem *i, const const char *m, int level);
-
-/* dump a buffer in hex and ASCII */
-extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
-
-/*
- * Format and print the UTC Time "t". If the tag message "m" is not NULL,
- * do indent formatting based on "level" and add a newline afterward;
- * otherwise just print the formatted time string only.
- */
-extern void SECU_PrintUTCTime(FILE *out, SECItem *t, const char *m, int level);
-
-/*
- * Format and print the Generalized Time "t". If the tag message "m"
- * is not NULL, * do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
-extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, const char *m,
- int level);
-
-/*
- * Format and print the UTC or Generalized Time "t". If the tag message
- * "m" is not NULL, do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
- */
-extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, const char *m, int level);
-
-/* callback for listing certs through pkcs11 */
-extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
-
-/* Dump all certificate nicknames in a database */
-extern SECStatus
-SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
- PRBool sortByName, PRBool sortByTrust);
-
-/* See if nickname already in database. Return 1 true, 0 false, -1 error */
-int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
-
-/* Dump contents of cert req */
-extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, const char *m,
- int level);
-
-/* Dump contents of certificate */
-extern int SECU_PrintCertificate(FILE *out, SECItem *der, const char *m, int level);
-
-/* print trust flags on a cert */
-extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, const char *m, int level);
-
-/* Dump contents of public key */
-extern int SECU_PrintPublicKey(FILE *out, SECItem *der, const char *m, int level);
-
-#ifdef HAVE_EPV_TEMPLATE
-/* Dump contents of private key */
-extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
-#endif
-
-/* Print the MD5 and SHA1 fingerprints of a cert */
-extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m,
- int level);
-
-/* Pretty-print any PKCS7 thing */
-extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, const char *m,
- int level);
-
-/* Init PKCS11 stuff */
-extern SECStatus SECU_PKCS11Init(PRBool readOnly);
-
-/* Dump contents of signed data */
-extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, int level,
- SECU_PPFunc inner);
-
-extern int SECU_PrintCrl(FILE *out, SECItem *der, const char *m, int level);
-
-extern void
-SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, const char *m, int level);
-
-extern void SECU_PrintString(FILE *out, SECItem *si, const char *m, int level);
-extern void SECU_PrintAny(FILE *out, SECItem *i, const char *m, int level);
-
-extern void SECU_PrintPolicy(FILE *out, SECItem *value, const char *msg, int level);
-extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
- const char *msg, int level);
-
-extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
- const char *msg, int level);
-
-extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level);
-
-#ifdef SECU_GetPassword
-/* Convert a High public Key to a Low public Key */
-extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
-#endif
-
-extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
-
-extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
-extern void SEC_Init(void);
-
-extern char *SECU_SECModDBName(void);
-
-extern void SECU_PrintPRandOSError(const char *progName);
-
-extern SECStatus SECU_RegisterDynamicOids(void);
-
-/* Identifies hash algorithm tag by its string representation. */
-extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
-
-/* Store CRL in output file or pk11 db. Also
- * encodes with base64 and exports to file if ascii flag is set
- * and file is not NULL. */
-extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
- PRFileDesc *outFile, int ascii, char *url);
-
-
-/*
-** DER sign a single block of data using private key encryption and the
-** MD5 hashing algorithm. This routine first computes a digital signature
-** using SEC_SignData, then wraps it with an CERTSignedData and then der
-** encodes the result.
-** "arena" is the memory arena to use to allocate data from
-** "sd" returned CERTSignedData
-** "result" the final der encoded data (memory is allocated)
-** "buf" the input data to sign
-** "len" the amount of data to sign
-** "pk" the private key to encrypt with
-*/
-extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
- unsigned char *buf, int len,
- SECKEYPrivateKey *pk, SECOidTag algID);
-
-typedef enum {
- noKeyFound = 1,
- noSignatureMatch = 2,
- failToEncode = 3,
- failToSign = 4,
- noMem = 5
-} SignAndEncodeFuncExitStat;
-
-extern SECStatus
-SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
- SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
-
-extern SECStatus
-SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
-
-/*
-** Finds the crl Authority Key Id extension. Returns NULL if no such extension
-** was found.
-*/
-CERTAuthKeyID *
-SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
-
-/*
- * Find the issuer of a crl. Cert usage should be checked before signing a crl.
- */
-CERTCertificate *
-SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
- CERTAuthKeyID* id, PRTime validTime);
-
-
-/* call back function used in encoding of an extension. Called from
- * SECU_EncodeAndAddExtensionValue */
-typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
- void *value, SECItem *encodedValue);
-
-/* Encodes and adds extensions to the CRL or CRL entries. */
-SECStatus
-SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
- void *value, PRBool criticality, int extenType,
- EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
-
-
-/*
- *
- * Utilities for parsing security tools command lines
- *
- */
-
-/* A single command flag */
-typedef struct {
- char flag;
- PRBool needsArg;
- char *arg;
- PRBool activated;
-} secuCommandFlag;
-
-/* A full array of command/option flags */
-typedef struct
-{
- int numCommands;
- int numOptions;
-
- secuCommandFlag *commands;
- secuCommandFlag *options;
-} secuCommand;
-
-/* fill the "arg" and "activated" fields for each flag */
-SECStatus
-SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd);
-char *
-SECU_GetOptionArg(secuCommand *cmd, int optionNum);
-
-/*
- *
- * Error messaging
- *
- */
-
-/* Return informative error string */
-char *SECU_ErrorString(int16 err);
-
-/* Return informative error string. Does not call XP_GetString */
-char *SECU_ErrorStringRaw(int16 err);
-
-void printflags(char *trusts, unsigned int flags);
-
-#ifndef XP_UNIX
-extern int ffs(unsigned int i);
-#endif
-
-#include "secerr.h"
-#include "sslerr.h"
-
-#endif /* _SEC_UTIL_H_ */
diff --git a/pki/base/native-tools/src/revoker/CMakeLists.txt b/pki/base/native-tools/src/revoker/CMakeLists.txt
deleted file mode 100644
index 5aa5ddff3..000000000
--- a/pki/base/native-tools/src/revoker/CMakeLists.txt
+++ /dev/null
@@ -1,30 +0,0 @@
-project(revoker C)
-
-set(REVOKER_PRIVATE_INCLUDE_DIRS
- ${CMAKE_BINARY_DIR}
- ${NSPR_INCLUDE_DIRS}
- ${NSS_INCLUDE_DIRS}
-)
-
-set(REVOKER_LINK_LIBRARIES
- ${NSPR_LIBRARIES}
- ${NSS_LIBRARIES}
-)
-
-set(revoker_SRCS
- revoker.c
- getopt.c
-)
-
-include_directories(${REVOKER_PRIVATE_INCLUDE_DIRS})
-
-add_executable(revoker ${revoker_SRCS})
-
-target_link_libraries(revoker ${REVOKER_LINK_LIBRARIES})
-
-install(
- TARGETS revoker
- RUNTIME DESTINATION ${BIN_INSTALL_DIR}
- LIBRARY DESTINATION ${LIB_INSTALL_DIR}
- ARCHIVE DESTINATION ${LIB_INSTALL_DIR}
-)
diff --git a/pki/base/native-tools/src/revoker/getopt.c b/pki/base/native-tools/src/revoker/getopt.c
deleted file mode 100644
index 7554e1a14..000000000
--- a/pki/base/native-tools/src/revoker/getopt.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- *
- * END COPYRIGHT BLOCK **/
-#ifdef XP_PC
-
-/*
-** This comes from the AT&T public-domain getopt published in mod.sources
-** (i.e., comp.sources.unix before the great Usenet renaming).
-*/
-
-#include <stdio.h>
-#include <string.h> /* for str*() */
-#include <io.h> /* for write() */
-
-int opterr = 1; /* boolean flag, says "report error on stderr." */
-int optind = 1; /* index to element of argv from which options are
- ** being parsed. */
-int optopt = 0; /* option character */
-char *optarg; /* ptr to option's parameter arg. */
-
-#ifdef _WIN32
-static void
-do_opterr(const char *s, int c, char * const av[])
-{
- if (opterr) {
- char buff[2];
- int fd = _fileno(stderr);
-
- buff[0] = (char)c;
- buff[1] = '\n';
- (void)write(fd, av[0], strlen(av[0]));
- (void)write(fd, s, strlen(s));
- (void)write(fd, buff, 2);
- }
-}
-#define ERR(s, c) do_opterr(s, c, av)
-#else
-#define ERR(s, c) /* Win16 doesn't do stderr */
-#endif
-
-/*
-** Return options and their values from the command line.
-*/
-int
-getopt(int ac, char * const av[], const char * opts)
-{
- static int i = 1; /* offset of current option char in current arg. */
- char *p; /* opt char in opts that matched. */
-
- /* Move to next value from argv? */
- if (i == 1) {
- if (optind >= ac || av[optind][0] != '-' || av[optind][1] == '\0')
- return EOF;
- if (strcmp(av[optind], "--") == 0) {
- optind++;
- return EOF;
- }
- }
-
- /* Get next option character. */
- if ((optopt = av[optind][i]) == ':' ||
- (p = strchr(opts, optopt)) == NULL) {
- ERR(": illegal option -- ", optopt);
- if (av[optind][++i] == '\0') {
- optind++;
- i = 1;
- }
- return '?';
- }
-
- /* Snarf argument? */
- if (*++p == ':') {
- if (av[optind][i + 1] != '\0')
- optarg = &av[optind++][i + 1];
- else {
- if (++optind >= ac) {
- ERR(": option requires an argument -- ", optopt);
- i = 1;
- return '?';
- }
- optarg = av[optind++];
- }
- i = 1;
- } else {
- if (av[optind][++i] == '\0') {
- i = 1;
- optind++;
- }
- optarg = NULL;
- }
-
- return optopt;
-}
-
-#endif /* XP_PC */
diff --git a/pki/base/native-tools/src/revoker/revoker.c b/pki/base/native-tools/src/revoker/revoker.c
deleted file mode 100644
index c7fc76294..000000000
--- a/pki/base/native-tools/src/revoker/revoker.c
+++ /dev/null
@@ -1,882 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -/* vi: set ts=4 sw=4 : */ -#ifdef HAVE_CONFIG_H -#ifndef AUTOTOOLS_CONFIG_H -#define AUTOTOOLS_CONFIG_H - -/* Eliminate warnings when using Autotools */ -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION - -#include <config.h> -#endif /* AUTOTOOLS_CONFIG_H */ -#endif /* HAVE_CONFIG_H */ - -#include <stdio.h> -#include <string.h> -#include <time.h> - -#if defined(XP_UNIX) -#include <unistd.h> -#endif - -#include "ssl.h" - -#include "prerror.h" - -#include "pk11func.h" -#include "secitem.h" - - -#include <stdlib.h> -#include <errno.h> -#include <fcntl.h> -#include <stdarg.h> - -#include "nspr.h" -#include "prio.h" -#include "prnetdb.h" -#include "nss.h" - - -/* set Tabs to 8 */ - - -/*from nss2.8.4 secopt.h*/ -#ifdef XP_PC - -/* -** This comes from the AT&T public-domain getopt published in mod.sources -** (i.e., comp.sources.unix before the great Usenet renaming). 
-*/ - -extern int opterr; -extern int optind; -extern int optopt; -extern char *optarg; - -#ifdef _WIN32 -static void do_opterr(const char *s, int c, char * const av[]); -#define ERR(s, c) do_opterr(s, c, av) -#else -#define ERR(s, c) /* Win16 doesn't do stderr */ -#endif - -/* -** Return options and their values from the command line. -*/ -int getopt(int ac, char * const av[], const char * opts); -#else -#if defined(LINUX) -#include <getopt.h> -#endif -#endif /* XP_PC */ -/*end secopt.h*/ - -#define VERSIONSTRING "$Revision$ ($Date$)" - -#ifndef PORT_Sprintf -#define PORT_Sprintf sprintf -#endif - -#ifndef PORT_Strstr -#define PORT_Strstr strstr -#endif - -#ifndef PORT_Malloc -#define PORT_Malloc PR_Malloc -#endif - -#define RD_BUF_SIZE (60 * 1024) - -#define PRINTF if (verbose) printf -#define FPRINTF if (verbose) fprintf -#define FPUTS if (verbose) fputs - -#define MAX_SERIAL_LEN 8192 - -int MakeCertOK=1; - -int verbose; -SECItem bigBuf; - - -char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) -{ - char *passwd = NULL; - - if ( (!retry) && arg ) { - passwd = PL_strdup((char *)arg); - } - - return passwd; -} - -static void -Usage(const char *progName) -{ - fprintf(stderr, - "Usage: %s -s serialNum -n rsa_nickname [-p password | -w pwfile ] [-d dbdir] \n" - " [-v] [-V] [-u] [-r reasoncode] [-i numberOfHours] hostname[:port]\n" - " serialNum: List of serial numbers to revoke, in hex, e.g. 
'0x31' or '0x44,0x643,0x22'\n" - " reasoncode: integer from 0 to 6, as follows\n" - " 0 = Unspecified (default)\n" - " 1 = Key compromised\n" - " 2 = CA key compromised\n" - " 3 = Affiliation changed\n" - " 4 = Certificate superseded\n" - " 5 = Cessation of operation\n" - " 6 = Certificate is on hold\n" - " -u : unrevoke (take off hold)\n" - " -v : verbose\n" - " -V : report version information\n", - progName); - exit(1); -} - - -static void -errWarn(char * funcString) -{ - PRErrorCode perr = PR_GetError(); - - FPRINTF(stderr, "exit after %s with error %d:\n", funcString,perr ); -} - -static void -errExit(char * funcString) -{ - errWarn(funcString); - exit(1); -} - -/* This invokes the "default" AuthCert handler in libssl. -** The only reason to use this one is that it prints out info as it goes. -*/ -static SECStatus -mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, - PRBool isServer) -{ - SECStatus rv; - CERTCertificate * peerCert; - - peerCert = SSL_PeerCertificate(fd); - - PRINTF("Subject: %s\nIssuer : %s\n", - peerCert->subjectName, peerCert->issuerName); - /* invoke the "default" AuthCert handler. */ - rv = SSL_AuthCertificate(arg, fd, checkSig, isServer); - - if (rv == SECSuccess) { - FPUTS("-- SSL3: Server Certificate Validated.\n", stderr); - } - /* error, if any, will be displayed by the Bad Cert Handler. */ - return rv; -} - -static SECStatus -myBadCertHandler( void *arg, PRFileDesc *fd) -{ - /* int err = PR_GetError(); */ - /* fprintf(stderr, "-- SSL: Server Certificate Invalid, err %d.\n%s\n", - err, SECU_Strerror(err)); */ - return (MakeCertOK ? 
SECSuccess : SECFailure); -} - - -SECStatus -my_GetClientAuthData(void * arg, - PRFileDesc * socket, - struct CERTDistNamesStr * caNames, - struct CERTCertificateStr ** pRetCert, - struct SECKEYPrivateKeyStr **pRetKey) -{ - CERTCertificate * cert = NULL; - SECKEYPrivateKey * privkey = NULL; - char * chosenNickName = (char *)arg; /* CONST */ - void * proto_win = NULL; - SECStatus rv = SECFailure; - - FPRINTF(stderr,"Called mygetclientauthdata - nickname = %s\n",chosenNickName); - - proto_win = SSL_RevealPinArg(socket); - - if (chosenNickName) { - cert = PK11_FindCertFromNickname(chosenNickName, proto_win); - FPRINTF(stderr," mygetclientauthdata - cert = %x\n",(unsigned int)cert); - if ( cert ) { - privkey = PK11_FindKeyByAnyCert(cert, proto_win); - FPRINTF(stderr," mygetclientauthdata - privkey = %x\n",(unsigned int)privkey); - if ( privkey ) { - rv = SECSuccess; - } else { - CERT_DestroyCertificate(cert); - } - } - } else { /* no name given, automatically find the right cert. */ - CERTCertNicknames * names; - int i; - - names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), - SEC_CERT_NICKNAMES_USER, proto_win); - if (names != NULL) { - for (i = 0; i < names->numnicknames; i++) { - cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win); - if ( !cert ) - continue; - /* Only check unexpired certs */ - if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != - secCertTimeValid ) { - CERT_DestroyCertificate(cert); - continue; - } - rv = NSS_CmpCertChainWCANames(cert, caNames); - if ( rv == SECSuccess ) { - privkey = PK11_FindKeyByAnyCert(cert, proto_win); - if ( privkey ) - break; - } - rv = SECFailure; - CERT_DestroyCertificate(cert); - } - CERT_FreeNicknames(names); - } - } - if (rv == SECSuccess) { - *pRetCert = cert; - *pRetKey = privkey; - } - return rv; -} - - - - -void -printSecurityInfo(PRFileDesc *fd) -{ - char * cp; /* bulk cipher name */ - char * ip; /* cert issuer DN */ - char * sp; /* cert subject DN */ - int op; /* High, Low, Off */ - int kp0; /* 
total key bits */ - int kp1; /* secret key bits */ - int result; - - static int only_once; - - if (! only_once++ && fd) { - result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); - if (result != SECSuccess) - return; -#if 0 - PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" - "subject DN: %s\n" - "issuer DN: %s\n", cp, kp1, kp0, op, sp, ip); -#else - PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n", - cp, kp1, kp0, op); -#endif - PR_Free(cp); - PR_Free(ip); - PR_Free(sp); - } - -} - - -PRBool useModelSocket = PR_TRUE; - -static const char outHeader[] = { - "HTTP/1.0 200 OK\r\n" - "Server: Netscape-Enterprise/2.0a\r\n" - "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n" - "Content-type: text/plain\r\n" - "\r\n" -}; - - -PRInt32 -do_writes( - void * a -) -{ - PRFileDesc * ssl_sock = (PRFileDesc *)a; - PRUint32 sent = 0; - PRInt32 count = 0; - - while (sent < bigBuf.len) { - - count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent); - if (count < 0) { - errWarn("PR_Write bigBuf"); - exit(4); - break; - } - FPRINTF(stderr, "PR_Write wrote %d bytes from bigBuf\n", count ); - FPRINTF(stderr, "bytes: [%*s]\n",count,bigBuf.data); - - sent += (PRUint32)count; - } - if (count >= 0) { /* last write didn't fail. */ - FPRINTF(stderr, "do_writes shutting down send socket\n"); - /* PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND); */ - } - - FPRINTF(stderr, "do_writes exiting with (failure = %d)\n",sent<bigBuf.len == SECFailure); - return (sent < bigBuf.len) ? SECFailure : SECSuccess; -} - - - - -SECStatus -do_io( PRFileDesc *ssl_sock, int connection) -{ - int countRead = 0; - PRInt32 rv; - char *buf; - int first=1; - - buf = PR_Malloc(RD_BUF_SIZE); - if (!buf) exit(5); - - - /* send the http request here. 
*/ - - rv = do_writes(ssl_sock); - - if (rv == SECFailure) { - errWarn("returning from after calling do_writes"); - PR_Free(buf); - buf = 0; - exit(6); - } - printSecurityInfo(ssl_sock); - - /* read until EOF */ - while (1) { - rv = PR_Read(ssl_sock, buf, RD_BUF_SIZE); - if (rv == 0) { - break; /* EOF */ - } - if (rv < 0) { - errWarn("PR_Read"); - exit(1); - } - - countRead += rv; - FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", - connection, rv, countRead ); - FPRINTF(stderr, "these bytes read:\n"); - if (verbose) { - PR_Write(PR_STDERR,buf,rv); - PR_fprintf(PR_STDERR, "\n"); - } - - if (first) { - first=0; - if (rv < 13) { - errWarn("not enough bytes read in first read"); - exit(2); - } else { - if ( ! PL_strnstr(buf,"200",13)) { - exit(3); - } - } - } - } - PR_Free(buf); - buf = 0; - - /* Caller closes the socket. */ - - FPRINTF(stderr, - "connection %d read %d bytes total. -----------------------------\n", - connection, countRead); - - return SECSuccess; /* success */ -} - -int -do_connect( - PRNetAddr *addr, - PRFileDesc *model_sock, - int connection) -{ - PRFileDesc * ssl_sock; - PRFileDesc * tcp_sock; - PRStatus prStatus; - SECStatus result; - int rv = SECSuccess; - PRSocketOptionData opt; - - int family = PR_NetAddrFamily( addr ); - - tcp_sock = PR_OpenTCPSocket( family ); - if (tcp_sock == NULL) { - errExit("PR_OpenTCPSocket on tcp socket"); - } - - opt.option = PR_SockOpt_Nonblocking; - opt.value.non_blocking = PR_FALSE; - prStatus = PR_SetSocketOption(tcp_sock, &opt); - if (prStatus != PR_SUCCESS) { - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - /* Don't return SECFailure? 
*/ - return SECSuccess; - } - - prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); - if (prStatus != PR_SUCCESS) { - errWarn("PR_Connect"); - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - exit(6); - } - - ssl_sock = SSL_ImportFD(model_sock, tcp_sock); - /* XXX if this import fails, close tcp_sock and return. */ - if (!ssl_sock) { - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - exit(7); - } - - rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); - if (rv != SECSuccess) { - errWarn("SSL_ResetHandshake"); - exit(8); - } - - result = do_io( ssl_sock, connection); - - if( ssl_sock != NULL ) { - PR_Close(ssl_sock); - ssl_sock = NULL; - } - return SECSuccess; -} - -/* Returns IP address for hostname as PRUint32 in Host Byte Order. -** Since the value returned is an integer (not a string of bytes), -** it is inherently in Host Byte Order. -*/ -PRUint32 -getIPAddress(const char * hostName) -{ - const unsigned char *p; - PRStatus prStatus; - PRUint32 rv; - PRHostEnt prHostEnt; - char scratch[PR_NETDB_BUF_SIZE]; - - prStatus = PR_GetHostByName(hostName, scratch, sizeof scratch, &prHostEnt); - if (prStatus != PR_SUCCESS) - errExit("PR_GetHostByName"); - -#undef h_addr -#define h_addr h_addr_list[0] /* address, for backward compatibility */ - - p = (const unsigned char *)(prHostEnt.h_addr); /* in Network Byte order */ - FPRINTF(stderr, "%s -> %d.%d.%d.%d\n", hostName, p[0], p[1], p[2], p[3]); - rv = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - return rv; -} - -void -client_main( - unsigned short port, - int connections, - SECKEYPrivateKey ** privKey, - CERTCertificate ** cert, - const char * hostName, - char * nickName) -{ - PRFileDesc *model_sock = NULL; - int rv; - - - FPRINTF(stderr, "port: %d\n", port); - - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ - NSS_SetDomesticPolicy(); - - /* all the SSL2 and SSL3 cipher suites are enabled by default. 
*/ - /* SSL_CipherPrefSetDefault(0xC005 */ - /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */ - /*, PR_TRUE); */ - - /* - * Rifle through the values for the host - */ - - PRAddrInfo *ai; - void *iter; - PRNetAddr addr; - int family = PR_AF_INET; - - ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); - if (ai) { - FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); - iter = NULL; - while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { - family = PR_NetAddrFamily(&addr); - FPRINTF( stderr, "family='%d'\n", family ); - break; - } - PR_FreeAddrInfo(ai); - } - - PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); - - model_sock = PR_OpenTCPSocket( family ); - if (model_sock == NULL) { - errExit("PR_OpenTCPSocket on tcp socket"); - } - - /* Should we really be re-using the same socket? */ - model_sock = SSL_ImportFD(NULL, model_sock); - - - /* check on success of call to SSL_ImportFD() */ - if (model_sock == NULL) { - errExit("SSL_ImportFD"); - } - - /* enable ECC cipher also */ - - /* do SSL configuration. */ - - rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); - if (rv < 0) { - if( model_sock != NULL ) { - PR_Close( model_sock ); - model_sock = NULL; - } - errExit("SSL_OptionSet SSL_SECURITY"); - } - - SSL_SetURL(model_sock, hostName); - - SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, - (void *)CERT_GetDefaultCertDB()); - - SSL_BadCertHook(model_sock, myBadCertHandler, NULL); - - SSL_GetClientAuthDataHook(model_sock, - (SSLGetClientAuthData)my_GetClientAuthData, - nickName); - - /* I'm not going to set the HandshakeCallback function. */ - - /* end of ssl configuration. 
*/ - - rv = do_connect(&addr, model_sock, 1); - - if( model_sock != NULL ) { - PR_Close( model_sock ); - model_sock = NULL; - } -} - - -SECStatus -createRequest(char * serials, char *reason, char *invalidity, int take_off_hold) -{ - int tmpI; - char *s; - char **strs=NULL; - char *filter = NULL; - int count = 0; - int range = 0; - int i; - char *old; - char * newstr; - char * iDate; - time_t ltime; - time_t itime; - long l; - - tmpI = strlen(serials); - if (tmpI >= MAX_SERIAL_LEN) { - fputs("Serial number length invalid.\n", stderr); - exit(1); - } - - strs = PR_Malloc((sizeof (char*)) * strlen(serials)); - if (strs == NULL) exit(1); - - /* example serials: - 23-25 - 0x34523 - 0x1010,0x10101 - 0x94,0x2202,0x10101,0202 - */ - - s = serials; - s = strchr(serials,'-'); - if (s != NULL) { - strs[count++] = serials; - *s = '\0'; - s++; - strs[count++] = s; - range = 1; - } else { - s = serials; - while (1) { - strs[count++] = s; - s = strchr(s,','); - if (s == NULL) {break;} - *s = '\0'; - s++; - } - } - - if (range == 0) { - old = ""; - for (i=0; i<count; i++) { - filter = PR_smprintf("%s(certRecordId%%3D%s)",old,strs[i]); - if (i>0) PR_smprintf_free(old); - old = filter; - } - } else { - filter = PR_smprintf("(%%26(certRecordId>%%3D%s)(certRecordId<%%3D%s))",strs[0],strs[1]); - } - - iDate = ""; - if (invalidity != NULL) { - time( <ime ); - l = atol(invalidity); - l *= 3600; - itime = (time_t)l; - ltime -= itime; - iDate = PR_smprintf("invalidityDate=%ld000&", ltime); - } - - if (take_off_hold > 0) { - newstr = PR_smprintf( - "GET /ca/doUnrevoke?serialNumber=%s HTTP/1.0\r\n\r\n", - strs[0]); - } else { - newstr = PR_smprintf( - "GET /ca/doRevoke?op=doRevoke&" - "revocationReason=%s&%s" - "revokeAll=(|%s)&totalRecordCount=1 HTTP/1.0\r\n\r\n", - reason,iDate, - filter); - } - - if (strlen(iDate) > 0) PR_smprintf_free(iDate); - if (filter != NULL) PR_smprintf_free(filter); - if (strs != NULL) PR_Free(strs); - - bigBuf.data = (unsigned char *)newstr; - - FPUTS((char 
*)bigBuf.data, stderr); - - bigBuf.len = PORT_Strlen((char *)bigBuf.data); - - return SECSuccess; -} - -int -main(int argc, char **argv) -{ - char * dir = "."; - char * hostName = NULL; - char * nickName = NULL; - char * progName = NULL; - char * serial = NULL; - char * tmp = NULL; - CERTCertificate * cert [kt_kea_size] = { NULL }; - SECKEYPrivateKey * privKey[kt_kea_size] = { NULL }; - int optchar; - int connections = 1; - int tmpI; - unsigned short port = 443; - SECStatus rv; - char * passwd = NULL; - char * passwdfile = NULL; - char * revocation_reason = NULL; - char * invalidity_date = NULL; - int take_off_hold = 0; - FILE *fp; - char pwbuf[256]; - int co; - char *crlf; - - /* Call the NSPR initialization routines */ - PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); - - tmp = strrchr(argv[0], '/'); - tmp = tmp ? tmp + 1 : argv[0]; - progName = strrchr(tmp, '\\'); - progName = progName ? progName + 1 : tmp; - - - while ((optchar = getopt(argc, argv, "Vd:n:p:s:r:i:w:uv")) != -1) { - switch(optchar) { - -/* Version */ - case 'V': - printf("%s\n",VERSIONSTRING); - PR_Cleanup(); - return 0; - -/* Directory which holds cert8.db and key3.db */ - case 'd': - dir = optarg; - break; - -/* Nickname of certificate to use */ - case 'n': - nickName = optarg; - break; - -/* password to open key3.db */ - case 'p': - passwd = optarg; - break; - -/* name of file holding password for key3.db */ - case 'w': - passwdfile = optarg; - break; - -/* revocation reason */ - case 'r': - revocation_reason = optarg; - break; - -/* invalidity date */ - case 'i': - invalidity_date = optarg; - break; - -/* unrevoke - take off hold */ - case 'u': - take_off_hold++; - break; - -/* serial number */ - case 's': - serial = optarg; - break; - - case 'v': - verbose++; - break; - - default: - case '?': - fprintf( stderr, "ERROR: Invalid option!\n" ); - Usage(progName); - break; - - } - } - - if (optind != argc - 1) { - fprintf( stderr, "ERROR: Invalid number of arguments!\n" ); - Usage(progName); - 
} - - hostName = argv[optind]; - tmp = strchr(hostName, ':'); - if (tmp) { - *tmp++ = 0; - tmpI = atoi(tmp); - if (tmpI <= 0) { - fprintf( stderr, "ERROR: Invalid port!\n" ); - Usage(progName); - } - port = (unsigned short)tmpI; - } - - if (revocation_reason == NULL) { - revocation_reason = "0"; - } - - if (!nickName || !serial) { - fprintf( stderr, "ERROR: Invalid nickname or serial number!\n" ); - Usage(progName); - } - - createRequest(serial,revocation_reason,invalidity_date,take_off_hold); - - if (passwdfile) { - fp = fopen(passwdfile,"r"); - if (!fp) { fprintf(stderr, "Couldn't open password file\n"); exit(7); } - co = fread(pwbuf,1,256,fp); - pwbuf[co] = '\0'; - crlf = PL_strchr(pwbuf,'\n'); - if (crlf) { - *crlf = '\0'; - } - passwd = pwbuf; - } - - /* set our password function */ - if (passwd == NULL) { - fprintf( stderr, "ERROR: Invalid password!\n" ); - PRINTF("Password must be provided on command line in this version of revoker.\n"); - Usage(progName); - } - PK11_SetPasswordFunc(ownPasswd); - - /* Call the libsec initialization routines */ - rv = NSS_Init(dir); - if (rv != SECSuccess) { - fputs("NSS_Init failed.\n", stderr); - exit(1); - } - - cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd); - if (cert[kt_rsa] == NULL) { - fprintf(stderr, "Can't find certificate %s\n", nickName); - exit(1); - } - - privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd); - if (privKey[kt_rsa] == NULL) { - fprintf(stderr, "Can't find Private Key for cert %s (possibly incorrect password)\n", nickName); - exit(1); - } - - - client_main(port, connections, privKey, cert, hostName, nickName); - - NSS_Shutdown(); - PR_Cleanup(); - return 0; -} - diff --git a/pki/base/native-tools/src/setpin/CMakeLists.txt b/pki/base/native-tools/src/setpin/CMakeLists.txt deleted file mode 100644 index b32e12b22..000000000 --- a/pki/base/native-tools/src/setpin/CMakeLists.txt +++ /dev/null 
@@ -1,43 +0,0 @@
-project(setpin C)
-
-find_package(Ldap REQUIRED)
-
-set(SETPIN_PRIVATE_INCLUDE_DIRS
- ${CMAKE_BINARY_DIR}
- ${NSPR_INCLUDE_DIRS}
- ${NSS_INCLUDE_DIRS}
- ${LDAP_INCLUDE_DIRS}
-)
-
-set(SETPIN_LINK_LIBRARIES
- ${NSPR_LIBRARIES}
- ${NSS_LIBRARIES}
- ${LDAP_LIBRARIES}
-)
-
-set(setpin_SRCS
- b64.c
- options.c
- setpin.c
- setpin_options.c
-)
-
-include_directories(${SETPIN_PRIVATE_INCLUDE_DIRS})
-
-add_executable(setpin ${setpin_SRCS})
-
-target_link_libraries(setpin ${SETPIN_LINK_LIBRARIES})
-
-install(
- TARGETS setpin
- RUNTIME DESTINATION ${BIN_INSTALL_DIR}
- LIBRARY DESTINATION ${LIB_INSTALL_DIR}
- ARCHIVE DESTINATION ${LIB_INSTALL_DIR}
-)
-
-install(
- FILES
- setpin.conf
- DESTINATION
- ${SHARE_INSTALL_PREFIX}/pki/native-tools/
-)
diff --git a/pki/base/native-tools/src/setpin/b64.c b/pki/base/native-tools/src/setpin/b64.c
deleted file mode 100644
index 1c20f3792..000000000
--- a/pki/base/native-tools/src/setpin/b64.c
+++ /dev/null
@@ -1,102 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - - - - - - - -static char nib2b64[0x40f] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; - - - -static int -ldif_base64_encode_internal( unsigned char *src, char *dst, int srclen, int lenused, int wraplen ) -{ - unsigned char *byte, *stop; - unsigned char buf[3]; - char *out; - unsigned long bits; - int i, pad, len; - - len = 0; - out = dst; - stop = src + srclen; - - /* convert to base 64 (3 bytes => 4 base 64 digits) */ - for ( byte = src; byte < stop - 2; byte += 3 ) { - bits = (byte[0] & 0xff) << 16; - bits |= (byte[1] & 0xff) << 8; - bits |= (byte[2] & 0xff); - - for ( i = 0; i < 4; i++, bits <<= 6 ) { - if ( wraplen != -1 && lenused >= 0 && lenused++ > wraplen ) { - *out++ = '\n'; - *out++ = ' '; - lenused = 2; - } - - /* get b64 digit from high order 6 bits */ - *out++ = nib2b64[ (bits & 0xfc0000L) >> 18 ]; - } - } - /* add padding if necessary */ - if ( byte < stop ) { - for ( i = 0; byte + i < stop; i++ ) { - buf[i] = byte[i]; - } - for ( pad = 0; i < 3; i++, pad++ ) { - buf[i] = '\0'; - } - byte = buf; - bits = (byte[0] & 0xff) << 16; - bits |= (byte[1] & 0xff) << 8; - bits |= (byte[2] & 0xff); - - for ( i = 0; i 
< 4; i++, bits <<= 6 ) { - if ( wraplen != -1 && lenused >= 0 && lenused++ > wraplen ) { - *out++ = '\n'; - *out++ = ' '; - lenused = 2; - } - - if (( i == 3 && pad > 0 ) || ( i == 2 && pad == 2 )) { - /* Pad as appropriate */ - *out++ = '='; - } else { - /* get b64 digit from low order 6 bits */ - *out++ = nib2b64[ (bits & 0xfc0000L) >> 18 ]; - } - } - } - - *out = '\0'; - - return( out - dst ); -} - - -int -ldif_base64_encode( unsigned char *src, char *dst, int srclen, int lenused ) -{ - return ldif_base64_encode_internal( src, dst, srclen, lenused, 200); -} - diff --git a/pki/base/native-tools/src/setpin/options.c b/pki/base/native-tools/src/setpin/options.c deleted file mode 100644 index 9e2dab129..000000000 --- a/pki/base/native-tools/src/setpin/options.c +++ /dev/null 
@@ -1,184 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - - - -#include "options.h" - -#include <stdio.h> -#include <string.h> -#include <assert.h> - -/* - * (C) 1998 Netscape Communications Corporation - * All rights reserved - * Intellectual property rulez! - * - */ - - - -/* this file maintains a static linked list of the - options it knows about -*/ - -static OPTION *option_list = NULL; -static OPTION *last_option = NULL; - -static char* OPT_parseArgument(char *arg,char**valid); - - -/* OPT_getValue(char *option, char** output) - - returns 1 if the specified option exists, - - value is put into 'output' - returns 0 if the specified option doesn't exist - - output is unchanged - -*/ - - -int OPT_getValue(char *option, char **output) { - OPTION *opt = option_list; - - while (opt) { - if (! 
strcmp(opt->name,option)) { - *output = opt->value; - return 1; - } - opt = opt->next; - } - return 0; -} - - -static char* OPT_parseOptFile(char *filename, char*validlist[]) -{ - FILE *fp; - char buffer[1024]; - - if (filename == NULL || filename[0] == '\0') { - return ("Bad syntax for 'optfile'\n"); - } - fp = fopen(filename,"r"); - if (fp == NULL) { - return ("Options file could not be opened for reading\n"); - } - while (fgets(buffer,1024,fp)) { - if (buffer[strlen(buffer)-1] == '\n') buffer[strlen(buffer)-1] = '\0'; - if (buffer[strlen(buffer)-1] == '\r') buffer[strlen(buffer)-1] = '\0'; - - OPT_parseArgument(strdup(buffer),validlist); - } - fclose(fp); - return NULL; -} - - - -static char *OPT_parseArgument(char *arg, char* validlist[]) { - char *error; - char *INV_ARG = "invalid argument: %s"; - char *eq; - - OPTION *new_opt; - - if (!strncmp(arg,"optfile=",8)) { - return OPT_parseOptFile(&arg[8],validlist); - } - - new_opt = (OPTION*)malloc(sizeof(OPTION)); - - new_opt->next = NULL; - new_opt->name = strdup(arg); - eq = strchr(new_opt->name,'='); - if (eq) { - *eq = 0; - } - new_opt->value = strchr(arg,'='); - - - if (new_opt->value != NULL) { - new_opt->value++; - } - - if (option_list == NULL) { - option_list = new_opt; - last_option = new_opt; - } - else { - last_option->next = new_opt; - last_option= new_opt; - } - if (!validlist) { - return NULL; - } - else { - int i=0; - while (validlist[i]) { - if (! strcmp(validlist[i],new_opt->name)) { - return NULL; - } - i+=2; - } - } - - error = (char *)malloc(strlen(INV_ARG)+strlen(new_opt->name)+5); - sprintf(error,INV_ARG,new_opt->name); - - return error; -} - - - - -/* char *OPT_parseOptions(int ac, char **av) - - constructs the linked list of options - ac: number of arguments - av: array of arguments - valid: array of valid arguments (can be null) - - returns: - NULL if no error - char* with error text if error. 
caller is responsible for - freeing this memory - -*/ - -char * OPT_parseOptions(int ac, char **av, char *valid[]) { - int i=0; - char *r=NULL; - - assert(option_list == NULL); - assert(last_option == NULL); - assert(av != NULL); - - if (ac == 1) return NULL; - - for (i=0; i<ac-1; i++) { - r = OPT_parseArgument(av[1+i],valid); - if (r) return r; - } - return r; -} - - - - diff --git a/pki/base/native-tools/src/setpin/options.h b/pki/base/native-tools/src/setpin/options.h deleted file mode 100644 index 80ccae478..000000000 --- a/pki/base/native-tools/src/setpin/options.h +++ /dev/null 
@@ -1,83 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - - - -#ifndef OPT_INCLUDE_H -#define OPT_INCLUDE_H - -#ifdef HAVE_CONFIG_H -#ifndef AUTOTOOLS_CONFIG_H -#define AUTOTOOLS_CONFIG_H - -/* Eliminate warnings when using Autotools */ -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION - -#include <config.h> -#endif /* AUTOTOOLS_CONFIG_H */ -#endif /* HAVE_CONFIG_H */ - -struct option { - struct option *next; - char *name; - char *value; -}; - -typedef struct option OPTION; - -/* OPT_getValue(char *option, char** output) - - returns 1 if the specified option exists, - - value is put into 'output' - returns 0 if the specified option doesn't exist - - output is unchanged - - 'value' will be everything after the '=' - If no '=' is present in the argument, 'output' will be - set to null. - If '=' is present, but no value is given (e.g. "file="), - output will be a pointer to a string of zero length. - -*/ - -extern int OPT_getValue(char *option, char **output); - -/* void OPT_parseOptions(int ac, char **av) - - initializes the global store with the options supplied - in av (typically used for parsing arguments passed on the - command line. 
Arguments are of the form 'arg=value'. - valid: array of valid arguments (can be null) - - returns: - NULL if no error - char* with error text if error. caller is responsible for - freeing this memory - - - -*/ - -extern char * OPT_parseOptions(int ac, char **av, char**valid); - -#endif diff --git a/pki/base/native-tools/src/setpin/setpin.c b/pki/base/native-tools/src/setpin/setpin.c deleted file mode 100644 index f1bf6a8c7..000000000 --- a/pki/base/native-tools/src/setpin/setpin.c +++ /dev/null 
@@ -1,1237 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - - -/* Set-pin tool */ - - -/* This will modify the specified attribute in the directory - You must add the pin objectclass to the schema - e.g in config/slapd.oc.conf - - attribute pin bin - objectclass pinPerson - superior organizationalPerson - allows - pin -*/ - -/* - History: - version 1.2 - upgraded to NSS 3.3.1 - */ - -#define SETPIN_VERSION "1.2" - -#include "options.h" -#include "setpin_options.h" -#include <stdio.h> -#include <string.h> -#include <assert.h> - -#include <ldap.h> - -#define USE_NSS_RANDOM - -#ifdef USE_NSS_RANDOM -/* removed #include <secrng.h> as of NSS 3.9 */ -/* removed from nss3_3_1 secrngt.h*/ -typedef struct RNGContextStr RNGContext; -#endif - -#include <sechash.h> - -#include <plhash.h> -#include <prerror.h> -#include <ctype.h> - -#include <secoidt.h> -#include <nss.h> - -extern int equals(char *s, char *t); -extern SECStatus PK11_HashBuf(SECOidTag hashAlg, - unsigned char *out, - unsigned char *in, - int32 len); -extern SECStatus PK11_GenerateRandom(unsigned char *data, - int len); - -/* use NSS's new generic hash api */ -#define USE_NSS_GEN_HASH - -void exitError(char *errstring); -void exitLDAPError(char 
*errstring); -void doLDAPBind(); -void doLDAPSearch(LDAPMessage **result); -void doLDAPUnbind(); -void processSearchResults(LDAPMessage *r); -char *newPassword(); -void initrandom(); -void testpingen(); -void do_setup(); - - -char *sha1_pw_enc( char *pwd ); - -int errcode=0; - -LDAP *ld=NULL; -char *programName = NULL; - -FILE *output; -FILE *input; - - -PLHashTable *pinHashTable=NULL; - -#ifdef USE_NSS_RANDOM -RNGContext *rngc = NULL; -#endif - -/* this tool should really be changed to use NSPR */ -#ifdef _WIN32 -#define strcasecmp stricmp -#endif - -void exitError(char *errstring) { - char *errbuf; - - errbuf = malloc(strlen(errstring)+strlen(programName)+10); - - sprintf(errbuf,"%s error : %s\n",programName,errstring); - fputs(errbuf,stderr); - exit(errcode); -} - - -void exitLDAPError(char *errstring) { - char *ldaperr; - char *newerror; - int err; - - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); - ldaperr = ldap_err2string(err); - newerror = (char*) malloc((errstring?strlen(errstring):0) + (ldaperr?strlen(ldaperr):0) +5); - sprintf(newerror,"%s (%s)",errstring?errstring:"",ldaperr?ldaperr:""); - exitError(newerror); -} - - -/* This returns an allocated string, like strdup does, except that - the duplicate string begins with the first non-whitespace character */ - -char * trim_strdup(char *s) -{ - while (*s == ' ' || *s == '\t') { - s++; - } - if (*s == '\0') return NULL; - return strdup(s); -} - -void readInputFile() { - int more_to_read=1; - char *thedn = NULL; - char *thepin = NULL; - int linenum=0; - - pinHashTable = PL_NewHashTable(256, - PL_HashString, - PL_CompareStrings, - PL_CompareValues, - NULL, /* allocOps */ - NULL); - if (pinHashTable == NULL) { - errcode=9; - exitError("Couldn't create dn->pin hashtable"); - } - - if (o_input) { - - do { - char line[4096]; - char *n; - char *checkdn; - - do { - n = fgets(line,4096,input); - linenum++; - if (! 
n) { - more_to_read = 0; - break; - } - - /* replace newline with null byte */ - - line[strlen(line)-1] = 0; - - if (! strncmp("dn:",line,3)) { - thedn = trim_strdup(&line[3]); - if (thedn == NULL) { - fprintf(stderr,"warning: empty line not allowed at line: %d\n",linenum); - } - } - - if (! strncmp("pin:",line,4)) { - thepin = trim_strdup(&line[4]); - } - - } while (strlen(line)); - - /* first check to see if that dn is already in the hashtable */ - - if (thepin == NULL) { - thepin = strdup(""); - } - - if (thedn && thepin) { - - checkdn = (char*) PL_HashTableLookup(pinHashTable, thedn); - if (checkdn) { - char msg[256]; - errcode = 10; - strcpy(msg,"Duplicate entry in input file for dn="); - strcat(msg,thedn); - exitError(msg); - } - - PL_HashTableAdd(pinHashTable, - thedn, - thepin); - fprintf(stderr, "Reading dn/pin ( %s, %s )\n", thedn, thepin); - if (o_debug) { - fprintf(stderr, "Reading dn/pin ( %s, %s )\n", thedn, thepin); - } - - } else { - if (o_debug) { - fprintf(stderr," ...ignoring\n"); - } - } - if (thedn != NULL) { - free(thedn); - thedn = NULL; - } - if (thepin != NULL) { - free(thepin); - thepin = NULL; - } - } while (more_to_read); - } -} - - -int main(int ac, char **av) { - char *error; - LDAPMessage *search_results; - - programName = av[0]; - if (strlen(av[0]) == 0) { - strcpy(programName, "setpin"); - } - else { - strcpy(programName, av[0]); - } - - if (ac == 1) { - int i=0; - fprintf(stderr,"Setpin utility. Version " SETPIN_VERSION "\n" - "(C) 2005 Fedora Project.\n\n"); - fprintf(stderr,"To set up directory for pin usage, modify setpin.conf, " - "then run:\n %s optfile=<svr_root>/bin/cert/tools/setpin.conf\n", programName); - fprintf(stderr,"\nUsage: %s option=value ... 
option=value\n\n", programName); - - for (i = 0; i < valid_args_len; i += 2) { - if (valid_args[i]) { - fprintf(stderr,"%13s : %s\n",valid_args[i],valid_args[i+1]); - } else { - errcode=0; - fprintf(stderr,"\n"); - exit(errcode); - } - } - } - - error = OPT_parseOptions(ac, av, valid_args); - if (error) { - errcode=7; - exitError(error); - } - - setDefaultOptions(); - - getOptions(); - fprintf(stderr,"\n"); - if (o_debug) { - fprintf(stderr,"about to validateOptions\n"); - } - - validateOptions(); - - /* Initialize random number generator */ - initrandom(); - - if (o_debug) { - fprintf(stderr,"about to doLDAPBind\n"); - } - - if (! o_testpingen) { - doLDAPBind(); - } - - if (o_setup) { - do_setup(); - } - - if (o_output) { - output = fopen(o_output,"w"); - if (!output) { - errcode=5; - exitError("Couldn't open output file"); - } - } else { - output = stdout; - } - - if (o_testpingen) { - testpingen(); - exit(0); - } - - if (o_input) { - input = fopen(o_input,"r"); - if (!input) { - errcode=8; - exitError("Couldn't open input file"); - } - } - - readInputFile(); - - if (o_debug) { - fprintf(stderr,"about to doLDAPSearch\n"); - } - - doLDAPSearch(&search_results); - - if (o_debug) { - fprintf(stderr,"about to processSearchResults\n"); - } - - processSearchResults(search_results); - - if (output != stdout) { - fclose(output); - } - - return 0; -} - - - -/* This function implements the 'setup' procedure, invoked when the user - specified 'setup' as one of the arguments. 
The point is that in this - mode, schema modifications are performed to add these things to the - directory schema: - if (schemachange argument is specified) - - 'pin' attribute as specified by the 'attribute' argument (default 'pin') - - 'pinPerson' objectclass as specified by the 'objectclass argument (dfl: pinperson) - if ('pinmanager' argument specified) - - pin manager user, with permission to remove the pin for the basedn specified - -*/ - -void do_setup() { - int i; - - char *x_values[]={NULL,NULL,NULL}; - char *a1_values[]={NULL,NULL}; - char *a2_values[]={NULL,NULL}; - char *a3_values[]={NULL,NULL}; - char *a4_values[]={NULL,NULL}; - LDAPMod x,a1,a2,a3,a4; - LDAPMod *mods[10]; - char* password=NULL; - int err; - - x_values[0] = malloc(1024); - - doLDAPBind(); - - if (o_schemachange) { - sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.5' SINGLE-VALUE )", - o_attribute, - o_attribute); - - fprintf(stderr,"Adding attribute: %s\n",x_values[0]); - x_values[1] = NULL; - x.mod_op = LDAP_MOD_ADD; - x.mod_type = "attributetypes"; - x.mod_values = x_values; - mods[0] = &x; - mods[1] = NULL; - - i = ldap_modify_ext_s(ld, "cn=schema", mods, NULL, NULL); - - if (i != LDAP_SUCCESS) { - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); - if (err != LDAP_TYPE_OR_VALUE_EXISTS) { - exitLDAPError("couldn't modify schema when creating pin attribute"); - } else { - fprintf(stderr," .. 
successful\n\n"); - } - } - - sprintf(x_values[0],"( %s-oid NAME '%s' DESC 'User Defined ObjectClass' SUP 'top' MUST ( objectclass ) MAY ( aci $ %s )", - o_objectclass,o_objectclass, - o_attribute); - - fprintf(stderr,"Adding objectclass: %s\n",x_values[0]); - - x_values[1] = NULL; - x.mod_op = LDAP_MOD_ADD; - x.mod_type = "objectclasses"; - x.mod_values = x_values; - mods[0] = &x; - mods[1] = NULL; - - - i = ldap_modify_ext_s(ld, "cn=schema", mods, NULL, NULL); - - if (i != LDAP_SUCCESS) { - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); - if (err != LDAP_TYPE_OR_VALUE_EXISTS) { - exitLDAPError("couldn't modify schema when creating objectclass"); - } else { - fprintf(stderr," .. successful\n\n"); - } - } - } - - if (o_pinmanager) { - - if (o_pinmanagerpwd == NULL) { - exitError("missing pinmanagerpwd argument"); - } - if (o_basedn == NULL) { - exitError("missing basedn argument"); - } - - password = sha1_pw_enc( o_pinmanagerpwd ); - - fprintf(stderr,"Adding user: %s\n",o_pinmanager); - - a1_values[0] = "pinmanager"; - a1_values[1] = NULL; - a1.mod_op = 0; - a1.mod_type = "sn"; - a1.mod_values = a1_values; - - a2_values[0] = "pinmanager"; - a2_values[1] = NULL; - a2.mod_op = 0; - a2.mod_type = "cn"; - a2.mod_values = a2_values; - - a3_values[0] = password; - a3_values[1] = NULL; - a3.mod_op = 0; - a3.mod_type = "userPassword"; - a3.mod_values = a3_values; - - a4_values[0] = "person"; - a4_values[1] = NULL; - a4.mod_op = 0; - a4.mod_type = "objectclass"; - a4.mod_values = a4_values; - - mods[0] = &a1; - mods[1] = &a2; - mods[2] = &a3; - mods[3] = &a4; - mods[4] = NULL; - - - i = ldap_add_ext_s(ld, o_pinmanager, mods, NULL, NULL); - - if (i != LDAP_SUCCESS) { - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); - if (!( err == LDAP_TYPE_OR_VALUE_EXISTS || err == LDAP_ALREADY_EXISTS)) { - exitLDAPError("couldn't create new user"); - } else { - fprintf(stderr," .. 
successful\n\n"); - } - } - - - /* modify aci on basedn to allow pinmanager to modify pin attr */ - - fprintf(stderr,"modifying ACI for: %s\n",o_basedn); - - sprintf(x_values[0],"(target=\"ldap:///%s\")" - "(targetattr=\"pin\")" - "(version 3.0; acl \"Pin attribute\"; " - "allow (all) userdn = \"ldap:///%s\"; " - "deny(proxy,selfwrite,compare,add,write,delete,search) " - "userdn = \"ldap:///self\"; ) ", - o_basedn, - o_pinmanager); - - x_values[1] = malloc(1024); - - sprintf(x_values[1],"(target=\"ldap:///%s\")" - "(targetattr=\"objectclass\")" - "(version 3.0; acl \"Pin Objectclass\"; " - "allow (all) userdn = \"ldap:///%s\"; " - " ) ", - o_basedn, - o_pinmanager); - - x_values[2] = NULL; - x.mod_op = LDAP_MOD_ADD; - x.mod_type = "aci"; - x.mod_values = x_values; - - mods[0] = &x; - mods[1] = NULL; - - i = ldap_modify_ext_s(ld, o_basedn, mods, NULL, NULL); - - if (i != LDAP_SUCCESS) { - ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, &err); - if (!( err == LDAP_TYPE_OR_VALUE_EXISTS || err == LDAP_ALREADY_EXISTS)) { - exitLDAPError("couldn't modify aci on basedn"); - } else { - fprintf(stderr," .. successful\n\n"); - } - } - } - exit(0); -} - -int ldif_base64_encode( - unsigned char *src, char *dst, int srclen, int lenused ); - -/* do password hashing */ - -/* - * Number of bytes each hash algorithm produces - */ -#define SHA1_LENGTH 20 - - -char * -sha1_pw_enc( char *pwd ) -{ - unsigned char hash[ SHA1_LENGTH ]; - char *enc; - - /* SHA1 hash the user's key */ - PK11_HashBuf(SEC_OID_SHA1,hash,pwd,strlen(pwd)); - enc = malloc(256); - - sprintf( enc, "{SHA}"); - - (void)ldif_base64_encode( hash, enc + 5, - SHA1_LENGTH, -1 ); - - return( enc ); -} - -/* check the first 8 characters to see if this is a string */ - -int isstring(char *s) { - int i=0; - - for (i=0;i<8;i++) { - if (*s == 0) return 1; - if (! 
isprint(*s)) return 0; - s++; - } - return 1; -} - - -void doLDAPBind() { - char errbuf[1024]; - char ldapuri[1024]; - int port=389; - int r; - int status; - - if (o_port == NULL) { - if (o_ssl) { - port = 636; - /* fprintf(stderr,"o_ssl = %0x, o_certdb = %0x, o_nickname= %0x\n",o_ssl,o_certdb,o_nickname); */ - } else { - port = 389; - } - } else { - port = atoi(o_port); - } - - if (o_debug) { - fprintf(stderr,"# connecting to %s:%d\n",o_host,port); - } - - if (o_ssl) { - printf("SSL not currently supported.\n"); - exit(0); - /* ld = ldapssl_init(o_host,port,LDAPSSL_AUTH_CNCHECK); */ - } else { - snprintf(ldapuri, 1024, "ldap://%s:%i", o_host, port); - status = ldap_initialize(&ld, ldapuri); - } - - if ((status != LDAP_SUCCESS) || (ld == NULL)) { - errcode=4; - exitError("could not connect to directory server"); - } - - if (o_debug) { - fprintf(stderr,"# ldap_init completed\n"); - } - - struct berval credential; - credential.bv_val = o_bindpw; - credential.bv_len= strlen(o_bindpw); - - r = ldap_sasl_bind_s(ld, o_binddn, LDAP_SASL_SIMPLE, &credential, NULL, NULL, NULL); - if (r != LDAP_SUCCESS) { - sprintf(errbuf,"could not bind to %s:%d as %s",o_host,port,o_binddn); - if (strstr(o_binddn,"=") == NULL) { - strcat(errbuf,". Perhaps you missed the 'CN=' part of the bin DN?"); - } - exitLDAPError(errbuf); - } - - if (o_debug) { - fprintf(stderr,"# ldap_simple_bind_s completed\n"); - } -} - - -void doLDAPSearch(LDAPMessage **result ) { - int r; - char errbuf[1024]; - - r = ldap_search_ext_s( ld, o_basedn, LDAP_SCOPE_SUBTREE, - o_filter, NULL, 0, NULL, NULL, NULL, 0, result ); - - if (r != LDAP_SUCCESS ) { - sprintf(errbuf,"could not complete search with that filter. 
Check filter and basedn"); - exitLDAPError(errbuf); - } - - if (o_debug) { - fprintf(stderr,"# ldap_search_s completed\n"); - } -} - -void doLDAPUnbind(){ - ldap_unbind_ext_s(ld, NULL, NULL); -} - - -void processSearchResults(LDAPMessage *r) { - LDAPMessage *e; - char *dn; - char *a; - struct berval **vals; -#ifdef USE_NSS_GEN_HASH - /* HASHContext *hcx; - HASH_HashType ht; */ -#else -#endif - int i; - BerElement *ber; - char *objectclass_values[]={NULL,NULL}; - int change=0; - int pin_objectclass_exists=0; - LDAPMod objectclass, pinattribute; - LDAPMod *mods[3]; - SECStatus status = SECFailure; - - char *saltval; - int action; - char *hashbuf_source = NULL; - char hashbuf_dest[256]; - char errbuf[1024]; - int pindatasize= 0; - char *pindata = NULL; - char *generatedPassword = NULL; - struct berval *bvals[2]; - struct berval bval; - - bvals[0] = &bval; - bvals[1] = NULL; - - /* Check whether any results were found. */ - i = ldap_count_entries( ld, r ); - - fprintf(stderr,"filter %s found %d matching results.\n", o_filter,i); - - /* for each entry print out name + all attrs and values */ - for ( e = ldap_first_entry( ld, r ); e != NULL; - e = ldap_next_entry( ld, e ) ) { - - generatedPassword = NULL; - - if ( (dn = ldap_get_dn( ld, e )) != NULL ) { - fprintf(stderr, "Processing: %s\n", dn ); - if (o_input) { - generatedPassword = (char*) PL_HashTableLookup(pinHashTable,dn); - if (generatedPassword) { - fprintf(stderr, " found user from input file\n"); - } - if (! generatedPassword) { - fprintf(stderr, " Skipping (not in input file)\n"); - continue; - } - } - } - - - /* what we do here is go through all the entries looking for - 'objectclass'. 
- */ - - pin_objectclass_exists = 0; - change = 0; - -#define ACTION_NONE 0 -#define ACTION_REPLACE 1 -#define ACTION_ADD 2 - - action = ACTION_ADD; - - saltval = NULL; - /* loop through the entries */ - for ( a = ldap_first_attribute( ld, e, &ber ); - a != NULL; a = ldap_next_attribute( ld, e, ber ) ) { - - if ((vals = ldap_get_values_len( ld, e, a)) != NULL ) { - - if (o_debug && (! strcasecmp(o_debug,"attrs"))) { - for ( i = 0; vals[i] != NULL; i++ ) { - char *bin; - bin = "<binary>"; - if (isstring(vals[i]->bv_val)) { - bin = vals[i]->bv_val; - } - - fprintf(stderr, " %s: %s\n",a,bin); - } - } - - if (o_debug) { - fprintf(stderr," examining attribute: %s\n",a); - for ( i = 0; vals[i] != NULL; i++ ) { - fprintf(stderr," val[%d]: %s\n",i,vals[i]->bv_val); - } - } - - if (o_saltattribute != NULL) { - if (!strcasecmp(a,o_saltattribute)) { - saltval = vals[0]->bv_val; - if (o_debug) { - fprintf(stderr," setting salt value to: %s\n",saltval); - } - } - } - - if (!strcasecmp(a,"objectclass")) { - /* check if we have a pin objectclass already */ - /* Cycle through all the values for this - entry, looking for the one which matches the - objectclass we specified */ - - /* if user specified objectclass= on the commandline, - without any value, then the objectclass is assumed to - exist already */ - if (strlen(o_objectclass) == 0) { - if (o_debug) { fprintf(stderr, " user objectclass assumed to already exist\n"); } - pin_objectclass_exists=1; - } else { - for ( i = 0; vals[i] != NULL; i++ ) { - if (o_debug) { - fprintf(stderr, " checking vals[%d]=%s == objectclass=%s -> %d \n", - i,vals[i]->bv_val, o_objectclass, strcasecmp(vals[i]->bv_val,o_objectclass)); - } - if (!strcasecmp(vals[i]->bv_val,o_objectclass)) { - if (o_debug) { - fprintf(stderr, " %s: %s found\n", a, vals[i]->bv_val ); - } - pin_objectclass_exists = 1; - } - } - } - } else if (!strcasecmp(a,o_attribute)) { - if (o_clobber) { - action = ACTION_REPLACE; - } else { - action = ACTION_NONE; - } - } - - /* use 
ldap_value_free_len */ - ldap_value_free_len( vals ); - } - ldap_memfree( a ); - } - - if (o_debug) { fprintf(stderr, " Did the objectclass exist? %d\n", pin_objectclass_exists); } - - /* add the objectclass attribute if it doesn't already exist */ - - if (! pin_objectclass_exists) { - if (o_debug) { - fprintf(stderr,"objectclass: %s doesn't exist, adding\n",o_objectclass); - } - objectclass_values[0] = o_objectclass; - objectclass_values[1] = NULL; - objectclass.mod_op = LDAP_MOD_ADD; - objectclass.mod_type = "objectclass"; - objectclass.mod_values = objectclass_values; - mods[0] = &objectclass; - mods[1] = NULL; - - if (o_write) { - i = ldap_modify_ext_s(ld, dn, mods, NULL, NULL); - - if (i != LDAP_SUCCESS) { - exitLDAPError("couldn't modify attribute"); - } - } - } - - pinattribute.mod_type = o_attribute; - - /* password could have been set from input file. If not, set it now */ - if (generatedPassword == NULL || (strlen(generatedPassword) == 0)) { - generatedPassword = newPassword(); - } - if (generatedPassword == NULL || (strlen(generatedPassword) == 0)) { - errcode=13; - exitError("Couldn't generate password."); - } - - /* should we hash the password? 
*/ - if (o_hash) { - - /* we hash the DN of the user and the PIN together */ - - if (o_debug) { - fprintf(stderr,"checking salt attribute...\n"); - } - if (saltval == NULL) { - if (o_saltattribute != NULL) { - errcode = 11; - exitError("specified salt attribute not found for this user"); - } - if (o_debug) { - fprintf(stderr,"setting salt attribute to dn...\n"); - } - saltval = dn; - } - - hashbuf_source = - malloc(strlen(saltval) + strlen(generatedPassword) + 10); - if (hashbuf_source == NULL) { - errcode=12; - exitError("Couldn't allocate 'hashbuf_source'."); - } - strcpy(hashbuf_source,saltval); - strcat(hashbuf_source,generatedPassword); - - if (o_debug) { - fprintf(stderr,"hashing this: %s\n",hashbuf_source); - } - - saltval = NULL; - - /* We leave one byte at the beginning of the hash - buffer, to support the hash type */ - -#define SENTINEL_SHA1 0 -#define SENTINEL_MD5 1 -#define SENTINEL_NONE '-' - - if ((!strcmp(o_hash,"SHA1")) || (!strcmp(o_hash,"sha1")) ) { - status = PK11_HashBuf(SEC_OID_SHA1, - (unsigned char *)hashbuf_dest+1, - (unsigned char *)hashbuf_source, - strlen(hashbuf_source) - ); - hashbuf_dest[0] = SENTINEL_SHA1; - pindatasize = SHA1_LENGTH + 1; - } else if ((!strcmp(o_hash,"MD5")) || (!strcmp(o_hash,"md5")) ) { - status = PK11_HashBuf(SEC_OID_MD5, - (unsigned char *)hashbuf_dest+1, - (unsigned char *)hashbuf_source, - strlen(hashbuf_source) - ); - hashbuf_dest[0] = SENTINEL_MD5; - pindatasize = MD5_LENGTH + 1; - } else if ((!strcmp(o_hash,"NONE")) || (!strcmp(o_hash,"none")) ) { - hashbuf_dest[0] = SENTINEL_NONE; - status = SECSuccess; - memcpy(hashbuf_dest+1, - hashbuf_source, - strlen(hashbuf_source) - ); - } else { - sprintf(errbuf,"Unsupported hash type '%s'. 
Must be one of 'sha1', 'md5' or 'none",o_hash); - errcode = 7; - exitError(errbuf); - } - - if (status != SECSuccess) { - sprintf(errbuf,"Error hashing pin (%d)",PR_GetError()); - errcode = 9; - exitError(errbuf); - } - - pindata = hashbuf_dest; - - if (hashbuf_source != NULL) { - free(hashbuf_source); - hashbuf_source = NULL; - } - } else { - pindata = generatedPassword; - pindatasize = strlen(generatedPassword); - } - - bval.bv_len = pindatasize; - bval.bv_val = pindata; - - fprintf(stderr," Adding new %s\n",o_attribute); - - if (! o_write) { - fprintf(stderr, " [NOTE: 'write' was not specified, so no changes will be made to the directory]\n"); - } - - pinattribute.mod_bvalues = bvals; - if (action == ACTION_REPLACE) { - pinattribute.mod_op = LDAP_MOD_REPLACE|LDAP_MOD_BVALUES; - if (o_debug) { - fprintf(stderr," %s exists, replacing\n",o_attribute); - } - } else if (action == ACTION_ADD) { - if (o_debug) { - fprintf(stderr," %s doesn't exist, adding\n",o_attribute); - } - pinattribute.mod_op = LDAP_MOD_ADD|LDAP_MOD_BVALUES; - } else if (action == ACTION_NONE) { - if (o_debug) { - fprintf(stderr," %s exists. not replacing\n",o_attribute); - } - goto skip_write; - } - mods[0] = &pinattribute; - mods[1] = NULL; - - if (o_write) { - i = ldap_modify_ext_s(ld, dn, mods, NULL, NULL); - - if (i != LDAP_SUCCESS) { - exitLDAPError("couldn't modify attribute"); - } - } - - skip_write: - - fprintf(output,"dn:%s\n",dn); - fprintf(output,"%s:%s\n",o_attribute,generatedPassword); - if (o_debug) { - fprintf(stderr,"o_write = %0x\n",(unsigned int)o_write); - } - if (! 
o_write) { - fprintf(output,"status:notwritten\n"); - } else { - if (action == ACTION_NONE) { - fprintf(output,"status:notreplaced\n"); - } else { - if (i != LDAP_SUCCESS) { - fprintf(output,"status:writefailed\n"); - } else { - if (action == ACTION_ADD) { - fprintf(output,"status:added\n"); - } else if (action == ACTION_REPLACE) { - fprintf(output,"status:replaced\n"); - } - } - } - } - - fprintf(output,"\n"); - - if (dn) { - ldap_memfree( dn ); - dn = NULL; - } - - if ( ber != NULL ) { - ber_free( ber, 0 ); - } - fprintf(stderr, "\n" ); - } - ldap_msgfree( r ); -} - - -/* this function uses i_minlength and i_maxlength to determine the - size of the password to generate */ - -static char *UCalpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; - - -static char *LCalpha = "abcdefghijklmnopqrstuvwxyz"; -static char *numbers = "0123456789"; -static char *punc = "!#$%&*+,-./:;<=>?@[]^{|}"; - -static char *charpool = NULL; /* carpool, geddit? */ -static int charpoolsize; - -static char *RNG_ALPHA = "RNG-alpha"; -static char *RNG_PRINTABLEASCII = "RNG-printableascii"; -static char *RNG_ALPHANUM = "RNG-alphanum"; - - -/* build the pool of characters we can use for the password */ - -void buildCharpool() { - char err_buf[1024]; - charpool = (char*) malloc(256); - - charpool[0] = '\0'; - - if ( o_case == NULL) { - strcat(charpool,LCalpha); /* then add the lowercase */ - } else { - if (strcmp(o_case,"upperonly")) { - errcode = 7; - exitError("Illegal value for case="); - } - } - - - if ( !strcmp(o_gen,RNG_ALPHA) || - !strcmp(o_gen,RNG_ALPHANUM) || - !strcmp(o_gen,RNG_PRINTABLEASCII) ) { - strcat(charpool,UCalpha); /* add uppercase chars */ - } else { - sprintf(err_buf,"invalid value '%s' for gen= option",o_gen); - errcode = 7; - exitError(err_buf); - } - - if ( strcmp(o_gen,"RNG-alpha")) { /* not alpha-only */ - strcat(charpool,numbers); - } - if (! 
strcmp(o_gen,"RNG-printableascii")) { - strcat(charpool, punc); - } - if (o_debug) { - fprintf(stderr,"Character pool: %s\n",charpool); - } - charpoolsize = strlen(charpool); -} - - -/* initialize random number generator */ - -void initrandom() { - char err_buf[1024]; -#ifdef USE_NSS_RANDOM - if( NSS_Initialize( "", - "", - "", - "", - NSS_INIT_NOCERTDB | - NSS_INIT_NOMODDB | - NSS_INIT_FORCEOPEN ) != SECSuccess ) { - sprintf(err_buf,"Couldn't initialize NSS (error code %d)\n",PR_GetError()); - errcode = 9; - exitError(err_buf); - } -#else - srand(time(NULL)); -#endif - -} - - -unsigned short getRandomShort() { - unsigned short r; -#ifdef USE_NSS_RANDOM - PK11_GenerateRandom( ( unsigned char * ) &r, sizeof( r ) ); - if (o_debug) { - /* fprintf(stderr,"Random: %d\n",r); */ - } - return r; -#else - return (unsigned short) rand(); -#endif -} - - -/* - * this function is important. It needs review. - * - * returns a random number in the range (0 .. max-1) - */ - -/* We have a short, rno, and we want to convert this to a number - in the required range by just using (rno % max). However, - this may result in some of the numbers at the end of 'rno's - range being selected more frequently. So, if random number - select is in this range, we will pick another. - - As an example, assume: - a short is 4 bits (0..15) - max is 6 - - 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 - a a a a a a b b b b b b X X X X - - we want to reject everything more than 11 - - we take 16 (that largest number which can be in a short+1) - divide by 'max', which is 6. This gives us 2. Multiply by - max, gives us 12. Subtract 1, which is 11, our highest - allowable range. Now we do the modulus. 
- -*/ - -unsigned short getRandomInRange(unsigned short max) { - unsigned short rno; - unsigned short result; - - unsigned short max_allowed_rno = - ((65536 / max) * max) -1; - - do { - rno = getRandomShort(); - } while (rno >max_allowed_rno); - - result = rno % max; - - assert(result < max); - - return result; -} - - -char * newPassword() { - static char *pw_buf=NULL; - unsigned short l; - unsigned short r; - int i; - - if (pw_buf == NULL) { - pw_buf = (char *) malloc(i_maxlength+5); - } - - if (charpool == NULL) { - buildCharpool(); - } - - /* decide how long the password should be */ - /* It must be between i_minlength and i_maxlength */ - - if (i_minlength == i_maxlength) { - l = i_minlength; - } else { - l = getRandomInRange((unsigned short)(1 + i_maxlength - i_minlength)); - l += i_minlength; - } - - for (i=0; i<l; i++) { - r = getRandomInRange((unsigned short)(charpoolsize)); - pw_buf[i] = charpool[r]; - } - pw_buf[l] = '\0'; - return pw_buf; -} - - -void testpingen() { - int count=25; - int i,j; - int pwlen; - char *pw; - unsigned int index[256]; - unsigned int *totals; - char c; - - if (! 
equals(o_testpingen,"")) { - count = atoi(o_testpingen); - } - - if (charpool == NULL) { - buildCharpool(); - } - - /* last spot is used to hold invalid chars */ - totals = malloc(sizeof(int)*(charpoolsize+1)); - if (totals != NULL) { - for (i=0;i<(charpoolsize);i++) { - totals[i] = 0; - } - totals[charpoolsize]=0; - for (i=0;i<256;i++) { - index[i] = 255; /* indicates->invalid */ - } - for (i=0;i<charpoolsize;i++) { - index[(int)(charpool[i])] = i; - } - - for (i=0;i<count;i++) { - pw = newPassword(); - if (pw != NULL) { - if (o_debug) { - fprintf(output,"%d:%s\n",i+1,pw); - } - pwlen = strlen(pw); - for (j=0;j<pwlen;j++) { - c = pw[j]; - if (index[(int)c] == 255) { - printf("\ninvalid char found: %02x %c\n",c,c); - totals[charpoolsize]++; - } - else { - totals[index[(int)c]]++; - } - } - free(pw); - } - } - - for (i=0;i<charpoolsize;i++) { - fprintf(output,"%c: %10d\n",charpool[i],totals[i]); - } - fprintf(output,"invalid: %10d\n",totals[charpoolsize]); - free(totals); - } -} - - - diff --git a/pki/base/native-tools/src/setpin/setpin.conf b/pki/base/native-tools/src/setpin/setpin.conf deleted file mode 100644 index 4e5851858..000000000 --- a/pki/base/native-tools/src/setpin/setpin.conf +++ /dev/null 
@@ -1,83 +0,0 @@ -# --- BEGIN COPYRIGHT BLOCK --- -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2007 Red Hat, Inc. -# All rights reserved. -# --- END COPYRIGHT BLOCK --- -# -# -# Setpin has a special setup mode which allows you to -# automate the following two tasks. -# -# * To enable setpin to operate, the directory schema must be -# changed to add the pin attribute and pinPerson objectclass. -# -# * To enable pin removal to work well, you can create a new -# pin user with an ACI which lets the user remove the pin -# -# This configuration file is used as an input for setpin. 
-# After modifying the options in this file, invoke setpin -# with this config file: -# -# setpin optfile=setpin.conf - - -########## GENERAL INFO ABOUT YOUR DIRECTORY ##### - - -#------- Enter the hostname of the LDAP server -host=localhost - -#------- Enter the port number of the LDAP server -port=389 - -#------- Enter the DN of the Directory Manager user -binddn=CN=Directory Manager - -#------- Enter the password for the Directory manager user -bindpw= - - - -################ SCHEMA MODIFICATIONS ####### -# -# Comment-out to turn off schema modification -schemachange=yes - -# Enter the pin attribute name -attribute=pin - -# Enter the pin objectclass -objectclass=pinPerson - - -############### PIN REMOVAL ########## -# -# To enable pin removal, it is advisable to create a new -# user who has the power to remove pins, and nothing else. -# -# Enter the DN and password for the new pin manager user -pinmanager=cn=pinmanager,o=mcom.com -pinmanagerpwd= - -# Enter the base over which this user has the power -# to remove pins -basedn=ou=people,o=mcom.com - - - -## This line switches setpin into setup mode. -## Please do not change it. -setup=yes - diff --git a/pki/base/native-tools/src/setpin/setpin_options.c b/pki/base/native-tools/src/setpin/setpin_options.c deleted file mode 100644 index d8ee83a8c..000000000 --- a/pki/base/native-tools/src/setpin/setpin_options.c +++ /dev/null 
@@ -1,290 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - - -/* Set-pin tool */ - -#include <string.h> -#include <stdio.h> -#include <errno.h> -#include <ctype.h> -#include <stdlib.h> - -extern int OPT_getValue(char *option, char **output); -extern void exitError(char *errstring); -extern int errcode; - -#define PW_DEFAULT_LENGTH 6 -#define ERR_BUF_LENGTH 512 - -char *valid_args[] = { - "host", "LDAP host [required]", - "port", "LDAP port (default 389)", - "binddn", "DN to bind to directory as [required]", - "bindpw", "Password associated with above DN ", - "filter", "Ldap search filter e.g. filter=(uid=*) [required]", -/* "ssl", "Use SSL LDAP connection?", */ -/* "certdb", "Path to SSL Client certificate database directory (not yet implemented)", - "nickname", "Nickname of cert to use for SSL client auth (not yet implemented)", - */ - "basedn", "Base DN used for LDAP search", - "length", "Length of generated pins (default 6)", - "minlength","Minimum length of generated pins (not to be used with 'length')", - "maxlength","Maximum length of generated pins (not to be used with 'length')", - "gen", "Permitted chars for pin. 
Type 'setpin gen' for more info", - "case", "Restrict case of pins 'case=upperonly'", - "objectclass", "Objectclass of LDAP entry to operate on (default pinPerson)", - "attribute","Which LDAP attribute to write to (default pin)", - "hash", "Hash algorithm used to store pin: 'none', 'md5' or 'sha1' (default)", - "saltattribute", "Which attribute to use for salt (default: dn)", - "input", "File to use for restricting DN's, or providing your own pins", - "output", "Redirect stdout to a file", - "write", "Turn on writing to directory (otherwise, pins will not get written)", - "clobber", "Overwrite old pins in the directory", - "testpingen", "Test pin generation mode. testpingen=count", - "debug", "Turn on debugging, or use debug=attrs for even more", - "optfile", "Read in options (one per line) from specified file", - "setup", "Switch to setup mode", - "pinmanager","Pin Manager user to create in setup mode", - "pinmanagerpwd","password of pin manager user in setup mode", - "schemachange","make schema changes in setup mode", - NULL -}; - -int valid_args_len = sizeof(valid_args)/sizeof(char *); - -int i_length, i_minlength, i_maxlength; - -char *attribute=NULL; - -char *o_certdb,*o_nickname,*o_binddn,*o_bindpw,*o_filter,*o_ssl, - *o_basedn,*o_input,*o_host,*o_port,*o_length,*o_minlength,*o_hash, - *o_maxlength,*o_gen,*o_case,*o_attribute,*o_objectclass,*o_output, - *o_retry,*o_debug, *o_write, *o_clobber, *o_saltattribute, *o_testpingen, - *o_setup,*o_pinmanager,*o_pinmanagerpwd,*o_schemachange; - -void setDefaultOptions() { - o_certdb= "."; - o_nickname= NULL; - o_binddn= NULL; - o_bindpw= NULL; - o_filter= NULL; - o_ssl= NULL; - o_basedn= NULL; - o_input= NULL; - o_host= NULL; - o_port= NULL; - o_length= NULL; /* default set later */ - o_minlength=NULL; - o_maxlength=NULL; - o_gen= "RNG-alphanum"; - o_case= NULL; - o_attribute="pin"; - o_hash= "sha1"; - o_objectclass="pinPerson"; - o_output= NULL; - o_retry= "5"; - o_debug= NULL; - o_write= NULL; - o_clobber= NULL; - 
o_saltattribute = NULL; - o_testpingen = NULL; - o_setup= NULL; - o_pinmanager= NULL; - o_pinmanagerpwd= NULL; - o_schemachange= NULL; -} - -void getOptions() { - int i; - char *c; - - i_length = 0; - i_minlength =0; - i_maxlength =0; - - OPT_getValue("certdb", &o_certdb); - OPT_getValue("nickname", &o_nickname); - OPT_getValue("binddn", &o_binddn); - OPT_getValue("bindpw", &o_bindpw); - OPT_getValue("filter", &o_filter); - i = OPT_getValue("ssl", &o_ssl); - if (i) o_ssl = "yes"; - OPT_getValue("basedn", &o_basedn); - OPT_getValue("input", &o_input); - OPT_getValue("host", &o_host); - OPT_getValue("port", &o_port); - OPT_getValue("length", &o_length); - if (o_length) i_length = atoi(o_length); - OPT_getValue("minlength",&o_minlength); - if (o_minlength) i_minlength = atoi(o_minlength); - OPT_getValue("maxlength",&o_maxlength); - if (o_maxlength) i_maxlength = atoi(o_maxlength); - OPT_getValue("gen", &o_gen); - OPT_getValue("case", &o_case); - OPT_getValue("attribute",&o_attribute); - OPT_getValue("hash", &o_hash); - if (o_hash) { - c = o_hash; - while (*c) { - if (isupper(*c)) { - *c = *c - 'A' + 'a'; - } - c++; - } - } - - OPT_getValue("objectclass",&o_objectclass); - OPT_getValue("output", &o_output); - OPT_getValue("retry", &o_retry); - i = OPT_getValue("debug", &o_debug); - if (i) { - if (! 
o_debug) { - o_debug = "yes"; - } - } - i = OPT_getValue("write", &o_write); - if (i) o_write = "yes"; - i = OPT_getValue("clobber", &o_clobber); - if (i) o_clobber = "yes"; - OPT_getValue("saltattribute", &o_saltattribute); - i = OPT_getValue("testpingen", &o_testpingen); - if (i) { - if (!o_testpingen) { - o_testpingen = "25"; - } - } - OPT_getValue("setup", &o_setup); - OPT_getValue("pinmanager", &o_pinmanager); - OPT_getValue("pinmanagerpwd", &o_pinmanagerpwd); - OPT_getValue("schemachange", &o_schemachange); - - -} - -int equals(char *s, char *t) { - return !(strcmp(s,t)); -} - -void validateOptions() { - char errbuf[ERR_BUF_LENGTH]; - - if (o_nickname && equals(o_ssl,"no")) { - snprintf(errbuf, ERR_BUF_LENGTH, "specifying nickname doesn't make sense with no SSL"); - goto loser; - } - - if (o_gen == NULL || ! - ( equals(o_gen,"RNG-printableascii") || - equals(o_gen,"RNG-alpha") || - equals(o_gen,"RNG-alphanum") || - equals(o_gen,"FIPS181-printable")) - ) { - printf("Permissible values for gen:\n" - " RNG-alpha : alpha-only characters\n" - " RNG-alphanum : alphanumeric characters\n" - " RNG-printableascii : alphanumeric and punctuation\n"); - if (o_gen) { - printf("You specified: gen=%s\n",o_gen); - } - exit(0); - } - - if (o_length && (o_minlength || o_maxlength)) { - strcpy(errbuf,"cannot use minlength or maxlength with length option"); - goto loser; - } - - if (o_minlength && !o_maxlength) { - strcpy(errbuf,"if you set minlength, you must also set maxlength"); - goto loser; - } - - if (!o_minlength && o_maxlength) { - strcpy(errbuf,"if you set maxlength, you must also set minlength"); - goto loser; - } - - if (i_minlength > i_maxlength) { - strcpy(errbuf,"cannot set minlength to be more than maxlength"); - goto loser; - } - - if (i_length > 0) { - i_minlength = i_length; - i_maxlength = i_length; - } - else { - if (i_minlength == 0 && i_maxlength == 0) { - i_minlength = PW_DEFAULT_LENGTH; - i_maxlength = PW_DEFAULT_LENGTH; - } - } - - if (o_testpingen) { - 
return; - } - - if (!o_host || equals(o_host,"")) { - strcpy(errbuf,"host missing"); - goto loser; - } - - if (!o_binddn || equals(o_binddn,"")) { - strcpy(errbuf,"binddn missing"); - goto loser; - } - - if (!o_bindpw || equals(o_bindpw,"")) { - strcpy(errbuf,"bindpw missing"); - goto loser; - } - - if (o_setup != NULL) { - return; - } - - if (!o_basedn) { - fprintf(stderr,"WARNING: basedn not set. Will search from root.\n"); - } - - if (!o_filter || equals(o_filter,"")) { - strcpy(errbuf,"filter missing. Example filters:\n filter=(uid=*) - all users with a UID attribute\n filter=(&(uid=*)(ou=Managers)) - all users with a UID and members of the managers group\n"); - goto loser; - } - - if (! - (equals(o_hash,"sha1") || - equals(o_hash,"md5") || - equals(o_hash,"none")) - ) { - snprintf(errbuf, ERR_BUF_LENGTH, "invalid hash: %s",o_hash); - goto loser; - } - if (equals(o_hash,"none")) o_hash = NULL; - - return ; - - loser: - errcode=13; - exitError(errbuf); - -} - - diff --git a/pki/base/native-tools/src/setpin/setpin_options.h b/pki/base/native-tools/src/setpin/setpin_options.h deleted file mode 100644 index 45373f356..000000000 --- a/pki/base/native-tools/src/setpin/setpin_options.h +++ /dev/null 
@@ -1,56 +0,0 @@
-/* --- BEGIN COPYRIGHT BLOCK ---
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * --- END COPYRIGHT BLOCK ---
- */
-
-
-#ifndef SETPIN_OPTIONS_H
-#define SETPIN_OPTIONS_H
-
-#ifdef HAVE_CONFIG_H
-#ifndef AUTOTOOLS_CONFIG_H
-#define AUTOTOOLS_CONFIG_H
-
-/* Eliminate warnings when using Autotools */
-#undef PACKAGE_BUGREPORT
-#undef PACKAGE_NAME
-#undef PACKAGE_STRING
-#undef PACKAGE_TARNAME
-#undef PACKAGE_VERSION
-
-#include <config.h>
-#endif /* AUTOTOOLS_CONFIG_H */
-#endif /* HAVE_CONFIG_H */
-
-extern char *o_certdb,*o_nickname,*o_binddn,*o_bindpw,*o_bindpwfile,*o_filter,*o_ssl,
- *o_input,*o_basedn,*o_dnfile,*o_host,*o_port,*o_length,*o_minlength,
- *o_maxlength,*o_gen,*o_case,*o_attribute,*o_hash,*o_objectclass,*o_output,
- *o_retry,*o_debug,*o_write,*o_clobber,*o_saltattribute,*o_testpingen,*o_setup,
- *o_pinmanager,*o_pinmanagerpwd,*o_schemachange;
-
-extern char *valid_args[];
-extern int valid_args_len;
-
-extern void setDefaultOptions();
-extern void getOptions();
-extern void validateOptions();
-
-extern int i_length, i_minlength, i_maxlength;
-
-extern char* attribute;
-
-#endif
diff --git a/pki/base/native-tools/src/sslget/CMakeLists.txt b/pki/base/native-tools/src/sslget/CMakeLists.txt
deleted file mode 100644
index ec4bd85f9..000000000
--- a/pki/base/native-tools/src/sslget/CMakeLists.txt
+++ /dev/null
@@ -1,30 +0,0 @@
-project(sslget C)
-
-set(SSLGET_PRIVATE_INCLUDE_DIRS
- ${CMAKE_BINARY_DIR}
- ${NSPR_INCLUDE_DIRS}
- ${NSS_INCLUDE_DIRS}
-)
-
-set(SSLGET_LINK_LIBRARIES
- ${NSPR_LIBRARIES}
- ${NSS_LIBRARIES}
-)
-
-set(sslget_SRCS
- sslget.c
- getopt.c
-)
-
-include_directories(${SSLGET_PRIVATE_INCLUDE_DIRS})
-
-add_executable(sslget ${sslget_SRCS})
-
-target_link_libraries(sslget ${SSLGET_LINK_LIBRARIES})
-
-install(
- TARGETS sslget
- RUNTIME DESTINATION ${BIN_INSTALL_DIR}
- LIBRARY DESTINATION ${LIB_INSTALL_DIR}
- ARCHIVE DESTINATION ${LIB_INSTALL_DIR}
-)
diff --git a/pki/base/native-tools/src/sslget/getopt.c b/pki/base/native-tools/src/sslget/getopt.c
deleted file mode 100644
index 7554e1a14..000000000
--- a/pki/base/native-tools/src/sslget/getopt.c
+++ /dev/null
@@ -1,126 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * The contents of this file are subject to the Mozilla Public - * License Version 1.1 (the "License"); you may not use this file - * except in compliance with the License. You may obtain a copy of - * the License at http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS - * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - * implied. See the License for the specific language governing - * rights and limitations under the License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is Netscape - * Communications Corporation. Portions created by Netscape are - * Copyright (C) 1994-2000 Netscape Communications Corporation. All - * Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the - * terms of the GNU General Public License Version 2 or later (the - * "GPL"), in which case the provisions of the GPL are applicable - * instead of those above. If you wish to allow use of your - * version of this file only under the terms of the GPL and not to - * allow others to use your version of this file under the MPL, - * indicate your decision by deleting the provisions above and - * replace them with the notice and other provisions required by - * the GPL. If you do not delete the provisions above, a recipient - * may use your version of this file under either the MPL or the - * GPL. - * - * END COPYRIGHT BLOCK **/ -#ifdef XP_PC - -/* -** This comes from the AT&T public-domain getopt published in mod.sources -** (i.e., comp.sources.unix before the great Usenet renaming). -*/ - -#include <stdio.h> -#include <string.h> /* for str*() */ -#include <io.h> /* for write() */ - -int opterr = 1; /* boolean flag, says "report error on stderr." */ -int optind = 1; /* index to element of argv from which options are - ** being parsed. 
*/ -int optopt = 0; /* option character */ -char *optarg; /* ptr to option's parameter arg. */ - -#ifdef _WIN32 -static void -do_opterr(const char *s, int c, char * const av[]) -{ - if (opterr) { - char buff[2]; - int fd = _fileno(stderr); - - buff[0] = (char)c; - buff[1] = '\n'; - (void)write(fd, av[0], strlen(av[0])); - (void)write(fd, s, strlen(s)); - (void)write(fd, buff, 2); - } -} -#define ERR(s, c) do_opterr(s, c, av) -#else -#define ERR(s, c) /* Win16 doesn't do stderr */ -#endif - -/* -** Return options and their values from the command line. -*/ -int -getopt(int ac, char * const av[], const char * opts) -{ - static int i = 1; /* offset of current option char in current arg. */ - char *p; /* opt char in opts that matched. */ - - /* Move to next value from argv? */ - if (i == 1) { - if (optind >= ac || av[optind][0] != '-' || av[optind][1] == '\0') - return EOF; - if (strcmp(av[optind], "--") == 0) { - optind++; - return EOF; - } - } - - /* Get next option character. */ - if ((optopt = av[optind][i]) == ':' || - (p = strchr(opts, optopt)) == NULL) { - ERR(": illegal option -- ", optopt); - if (av[optind][++i] == '\0') { - optind++; - i = 1; - } - return '?'; - } - - /* Snarf argument? */ - if (*++p == ':') { - if (av[optind][i + 1] != '\0') - optarg = &av[optind++][i + 1]; - else { - if (++optind >= ac) { - ERR(": option requires an argument -- ", optopt); - i = 1; - return '?'; - } - optarg = av[optind++]; - } - i = 1; - } else { - if (av[optind][++i] == '\0') { - i = 1; - optind++; - } - optarg = NULL; - } - - return optopt; -} - -#endif /* XP_PC */ diff --git a/pki/base/native-tools/src/sslget/sslget.c b/pki/base/native-tools/src/sslget/sslget.c deleted file mode 100644 index 7288a1c58..000000000 --- a/pki/base/native-tools/src/sslget/sslget.c +++ /dev/null 
@@ -1,836 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -/* vi: set ts=4 sw=4 : */ -#ifdef HAVE_CONFIG_H -#ifndef AUTOTOOLS_CONFIG_H -#define AUTOTOOLS_CONFIG_H - -/* Eliminate warnings when using Autotools */ -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION - -#include <config.h> -#endif /* AUTOTOOLS_CONFIG_H */ -#endif /* HAVE_CONFIG_H */ - -#include <stdio.h> -#include <string.h> -#include <time.h> - -#if defined(XP_UNIX) -#include <unistd.h> -#endif - -#include "ssl.h" - -#include "prerror.h" - -#include "pk11func.h" -#include "secitem.h" - - -#include <stdlib.h> -#include <errno.h> -#include <fcntl.h> -#include <stdarg.h> - -#include "nspr.h" -#include "prio.h" -#include "prnetdb.h" -#include "nss.h" - - -/* set Tabs to 8 */ - - -/*from nss2.8.4 secopt.h*/ -#ifdef XP_PC - -/* -** This comes from the AT&T public-domain getopt published in mod.sources -** (i.e., comp.sources.unix before the great Usenet renaming). 
-*/ - -extern int opterr; -extern int optind; -extern int optopt; -extern char *optarg; - -#ifdef _WIN32 -static void do_opterr(const char *s, int c, char * const av[]); -#define ERR(s, c) do_opterr(s, c, av) -#else -#define ERR(s, c) /* Win16 doesn't do stderr */ -#endif - -/* -** Return options and their values from the command line. -*/ -int getopt(int ac, char * const av[], const char * opts); -#else -#if defined(LINUX) -#include <getopt.h> -#endif -#endif /* XP_PC */ -/*end secopt.h*/ - -#define VERSIONSTRING "$Revision$ ($Date$)" - -#ifndef PORT_Sprintf -#define PORT_Sprintf sprintf -#endif - -#ifndef PORT_Strstr -#define PORT_Strstr strstr -#endif - -#ifndef PORT_Malloc -#define PORT_Malloc PR_Malloc -#endif - -#define RD_BUF_SIZE (60 * 1024) - -#define PRINTF if (verbose) printf -#define FPRINTF if (verbose) fprintf -#define FPUTS if (verbose) fputs - -#define MAX_SERIAL_LEN 8192 - -int MakeCertOK=1; - -int verbose; -SECItem bigBuf; - - -char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) -{ - char *passwd = NULL; - - if ( (!retry) && arg ) { - passwd = PL_strdup((char *)arg); - } - - return passwd; -} - -static void -Usage(const char *progName) -{ - fprintf(stderr, - "Usage: %s [-n nickname] [-p password | -w pwfile ] [-d dbdir] \n" - " [-e post] [-v] [-V] -r url hostname[:port]\n" - " -n : nickname or hsm:nickname\n" - " -v : verbose\n" - " -V : report version information\n", - progName); - exit(1); -} - - -static void -errWarn(char * funcString) -{ - PRErrorCode perr = PR_GetError(); - - FPRINTF(stderr, "exit after %s with error %d:\n", funcString,perr ); -} - -static void -errExit(char * funcString) -{ - errWarn(funcString); - exit(1); -} - -/* This invokes the "default" AuthCert handler in libssl. -** The only reason to use this one is that it prints out info as it goes. 
-*/ -static SECStatus -mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig, - PRBool isServer) -{ - SECStatus rv; - CERTCertificate * peerCert; - - peerCert = SSL_PeerCertificate(fd); - - PRINTF("Subject: %s\nIssuer : %s\n", - peerCert->subjectName, peerCert->issuerName); - /* invoke the "default" AuthCert handler. */ - rv = SSL_AuthCertificate(arg, fd, checkSig, isServer); - - if (rv == SECSuccess) { - FPUTS("-- SSL3: Server Certificate Validated.\n", stderr); - } - /* error, if any, will be displayed by the Bad Cert Handler. */ - return rv; -} - -static SECStatus -myBadCertHandler( void *arg, PRFileDesc *fd) -{ - /* int err = PR_GetError(); */ - /* fprintf(stderr, "-- SSL: Server Certificate Invalid, err %d.\n%s\n", - err, SECU_Strerror(err)); */ - return (MakeCertOK ? SECSuccess : SECFailure); -} - - -SECStatus -my_GetClientAuthData(void * arg, - PRFileDesc * socket, - struct CERTDistNamesStr * caNames, - struct CERTCertificateStr ** pRetCert, - struct SECKEYPrivateKeyStr **pRetKey) -{ - CERTCertificate * cert = NULL; - SECKEYPrivateKey * privkey = NULL; - char * chosenNickName = (char *)arg; /* CONST */ - void * proto_win = NULL; - SECStatus rv = SECFailure; - - FPRINTF(stderr,"Called mygetclientauthdata - nickname = %s\n",chosenNickName); - - proto_win = SSL_RevealPinArg(socket); - - if (chosenNickName) { - cert = PK11_FindCertFromNickname(chosenNickName, proto_win); - FPRINTF(stderr," mygetclientauthdata - cert = %x\n",(unsigned int)cert); - if ( cert ) { - privkey = PK11_FindKeyByAnyCert(cert, proto_win); - FPRINTF(stderr," mygetclientauthdata - privkey = %x\n",(unsigned int)privkey); - if ( privkey ) { - rv = SECSuccess; - } else { - CERT_DestroyCertificate(cert); - } - } - } else { /* no name given, automatically find the right cert. 
*/ - CERTCertNicknames * names; - int i; - - names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(), - SEC_CERT_NICKNAMES_USER, proto_win); - if (names != NULL) { - for (i = 0; i < names->numnicknames; i++) { - cert = PK11_FindCertFromNickname(names->nicknames[i],proto_win); - if ( !cert ) - continue; - /* Only check unexpired certs */ - if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_TRUE) != - secCertTimeValid ) { - CERT_DestroyCertificate(cert); - continue; - } - rv = NSS_CmpCertChainWCANames(cert, caNames); - if ( rv == SECSuccess ) { - privkey = PK11_FindKeyByAnyCert(cert, proto_win); - if ( privkey ) - break; - } - rv = SECFailure; - CERT_DestroyCertificate(cert); - } - CERT_FreeNicknames(names); - } - } - if (rv == SECSuccess) { - *pRetCert = cert; - *pRetKey = privkey; - } - return rv; -} - - - - -void -printSecurityInfo(PRFileDesc *fd) -{ - char * cp; /* bulk cipher name */ - char * ip; /* cert issuer DN */ - char * sp; /* cert subject DN */ - int op; /* High, Low, Off */ - int kp0; /* total key bits */ - int kp1; /* secret key bits */ - int result; - - static int only_once; - - if (! 
only_once++ && fd) { - result = SSL_SecurityStatus(fd, &op, &cp, &kp0, &kp1, &ip, &sp); - if (result != SECSuccess) - return; -#if 0 - PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n" - "subject DN: %s\n" - "issuer DN: %s\n", cp, kp1, kp0, op, sp, ip); -#else - PRINTF("bulk cipher %s, %d secret key bits, %d key bits, status: %d\n", - cp, kp1, kp0, op); -#endif - PR_Free(cp); - PR_Free(ip); - PR_Free(sp); - } - -} - - -PRBool useModelSocket = PR_TRUE; - -static const char outHeader[] = { - "HTTP/1.0 200 OK\r\n" - "Server: Netscape-Enterprise/2.0a\r\n" - "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n" - "Content-type: text/plain\r\n" - "\r\n" -}; - - -PRInt32 -do_writes( - void * a -) -{ - PRFileDesc * ssl_sock = (PRFileDesc *)a; - PRUint32 sent = 0; - PRInt32 count = 0; - - while (sent < bigBuf.len) { - - count = PR_Write(ssl_sock, bigBuf.data + sent, bigBuf.len - sent); - if (count < 0) { - errWarn("PR_Write bigBuf"); - exit(4); - break; - } - FPRINTF(stderr, "PR_Write wrote %d bytes from bigBuf\n", count ); - FPRINTF(stderr, "bytes: [%*s]\n",count,bigBuf.data); - - sent += (PRUint32)count; - } - if (count >= 0) { /* last write didn't fail. */ - FPRINTF(stderr, "do_writes shutting down send socket\n"); - /* PR_Shutdown(ssl_sock, PR_SHUTDOWN_SEND); */ - } - - FPRINTF(stderr, "do_writes exiting with (failure = %d)\n",sent<bigBuf.len == SECFailure); - return (sent < bigBuf.len) ? SECFailure : SECSuccess; -} - - - - -SECStatus -do_io( PRFileDesc *ssl_sock, int connection) -{ - int countRead = 0; - PRInt32 rv; - char *buf; - char *buf2; - int first=1; - - buf = PR_Malloc(RD_BUF_SIZE); - if (!buf) exit(5); - - /* send the http request here. 
*/ - - rv = do_writes(ssl_sock); - - if (rv == SECFailure) { - errWarn("returning from after calling do_writes"); - PR_Free(buf); - buf = 0; - exit(6); - } - printSecurityInfo(ssl_sock); - - /* read until EOF */ - while (1) { - rv = PR_Read(ssl_sock, buf, RD_BUF_SIZE); - if (rv == 0) { - break; /* EOF */ - } - if (rv < 0) { - errWarn("PR_Read"); - PR_Free(buf); - buf = 0; - exit(1); - } - - countRead += rv; - FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", - connection, rv, countRead ); - FPRINTF(stderr, "these bytes read:\n"); - PR_Write(PR_STDOUT,buf,rv); - - if (first) { - first=0; - if (rv < 13) { - int ret = 0; - buf2 = PR_Malloc(RD_BUF_SIZE); - if (!buf2) { - PR_Free(buf); - buf = 0; - exit(5); - } - - for (ret=0; rv < 13 ; rv += ret) { - ret = PR_Read(ssl_sock, buf2, RD_BUF_SIZE - rv); - if (ret < 0 ) { - errWarn("PR_Read"); - PR_Free(buf); - buf = 0; - PR_Free(buf2); - buf2 = 0; - exit(1); - } - if (ret == 0) { - errWarn("not enough bytes read in first read"); - PR_Free(buf); - buf = 0; - PR_Free(buf2); - buf2 = 0; - exit(2); - } - countRead += ret; - FPRINTF(stderr, "connection %d read %d bytes (%d total).\n", - connection, ret, countRead ); - FPRINTF(stderr, "these bytes read:\n"); - PR_Write(PR_STDOUT, buf2, ret); - - PR_snprintf(buf, RD_BUF_SIZE, "%s%s", buf, buf2); - } - PR_Free(buf2); - buf2 = 0; - } - - if ( ! PL_strnstr(buf,"200",13)) { - PR_Free(buf); - buf = 0; - exit(3); - } - } - } - PR_fprintf(PR_STDOUT, "\n"); - - PR_Free(buf); - buf = 0; - - /* Caller closes the socket. */ - - FPRINTF(stderr, - "connection %d read %d bytes total. 
-----------------------------\n", - connection, countRead); - - return SECSuccess; /* success */ -} - -int -do_connect( - PRNetAddr *addr, - PRFileDesc *model_sock, - int connection) -{ - PRFileDesc * ssl_sock; - PRFileDesc * tcp_sock; - PRStatus prStatus; - SECStatus result; - int rv = SECSuccess; - PRSocketOptionData opt; - - int family = PR_NetAddrFamily( addr ); - - tcp_sock = PR_OpenTCPSocket( family ); - if (tcp_sock == NULL) { - errExit("PR_OpenTCPSocket on tcp socket"); - } - - opt.option = PR_SockOpt_Nonblocking; - opt.value.non_blocking = PR_FALSE; - prStatus = PR_SetSocketOption(tcp_sock, &opt); - if (prStatus != PR_SUCCESS) { - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - /* Don't return SECFailure? */ - return SECSuccess; - } - - prStatus = PR_Connect(tcp_sock, addr, PR_SecondsToInterval(3)); - if (prStatus != PR_SUCCESS) { - errWarn("PR_Connect"); - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - exit(6); - } - - ssl_sock = SSL_ImportFD(model_sock, tcp_sock); - /* XXX if this import fails, close tcp_sock and return. */ - if (!ssl_sock) { - if( tcp_sock != NULL ) { - PR_Close(tcp_sock); - tcp_sock = NULL; - } - exit(7); - } - - rv = SSL_ResetHandshake(ssl_sock, /* asServer */ 0); - if (rv != SECSuccess) { - errWarn("SSL_ResetHandshake"); - exit(8); - } - - result = do_io( ssl_sock, connection); - - if( ssl_sock != NULL ) { - PR_Close(ssl_sock); - ssl_sock = NULL; - } - return SECSuccess; -} - -/* Returns IP address for hostname as PRUint32 in Host Byte Order. -** Since the value returned is an integer (not a string of bytes), -** it is inherently in Host Byte Order. 
-*/ -PRUint32 -getIPAddress(const char * hostName) -{ - const unsigned char *p; - PRStatus prStatus; - PRUint32 rv; - PRHostEnt prHostEnt; - char scratch[PR_NETDB_BUF_SIZE]; - - prStatus = PR_GetHostByName(hostName, scratch, sizeof scratch, &prHostEnt); - if (prStatus != PR_SUCCESS) - errExit("PR_GetHostByName"); - -#undef h_addr -#define h_addr h_addr_list[0] /* address, for backward compatibility */ - - p = (const unsigned char *)(prHostEnt.h_addr); /* in Network Byte order */ - FPRINTF(stderr, "%s -> %d.%d.%d.%d\n", hostName, p[0], p[1], p[2], p[3]); - rv = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; - return rv; -} - -void -client_main( - unsigned short port, - int connections, - SECKEYPrivateKey ** privKey, - CERTCertificate ** cert, - const char * hostName, - char * nickName) -{ - PRFileDesc *model_sock = NULL; - int rv; - - - FPRINTF(stderr, "port: %d\n", port); - - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ - NSS_SetDomesticPolicy(); - - /* all the SSL2 and SSL3 cipher suites are enabled by default. 
*/ - - /* enable FIPS ciphers */ - SSL_CipherPrefSetDefault(0xc004 /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xc003 /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xc00a /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0x2f /* TLS_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0x35 /* TLS_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xc008 /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xc009 /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xc012 /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xc013 /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0x32 /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0x38 /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0x33 /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); - SSL_CipherPrefSetDefault(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); - - /* - * Rifle through the values for the host - */ - - PRAddrInfo *ai; - void *iter; - PRNetAddr addr; - int family = PR_AF_INET; - - ai = PR_GetAddrInfoByName(hostName, PR_AF_UNSPEC, PR_AI_ADDRCONFIG); - if (ai) { - FPRINTF( stderr, "addr='%s'\n", PR_GetCanonNameFromAddrInfo( ai ) ); - iter = NULL; - while ((iter = PR_EnumerateAddrInfo(iter, ai, 0, &addr)) != NULL) { - family = PR_NetAddrFamily(&addr); - FPRINTF( stderr, "family='%d'\n", family ); - break; - } - PR_FreeAddrInfo(ai); - } - - PR_SetNetAddr( PR_IpAddrNull, family, port, &addr ); - - model_sock = PR_OpenTCPSocket( family ); - if (model_sock == NULL) { - errExit("PR_OpenTCPSocket on tcp socket"); - } - - /* Should we 
really be re-using the same socket? */ - model_sock = SSL_ImportFD(NULL, model_sock); - - - /* check on success of call to SSL_ImportFD() */ - if (model_sock == NULL) { - errExit("SSL_ImportFD"); - } - - /* enable ECC cipher also */ - - /* do SSL configuration. */ - - rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1); - if (rv < 0) { - if( model_sock != NULL ) { - PR_Close( model_sock ); - model_sock = NULL; - } - errExit("SSL_OptionSet SSL_SECURITY"); - } - - SSL_SetURL(model_sock, hostName); - - SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate, - (void *)CERT_GetDefaultCertDB()); - - SSL_BadCertHook(model_sock, myBadCertHandler, NULL); - - if( nickName) { - SSL_GetClientAuthDataHook(model_sock, - (SSLGetClientAuthData)my_GetClientAuthData, - nickName); - } - - /* I'm not going to set the HandshakeCallback function. */ - - /* end of ssl configuration. */ - - rv = do_connect(&addr, model_sock, 1); - - if( model_sock != NULL ) { - PR_Close( model_sock ); - model_sock = NULL; - } -} - - -SECStatus -createRequest(char * url, char *post) -{ - char * newstr; - - if (post == NULL) { - newstr = PR_smprintf( - "GET %s HTTP/1.0\r\n\r\n", - url); - } else { - int len = strlen(post); - newstr = PR_smprintf( - "POST %s HTTP/1.0\r\nContent-Length: %d\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n%s", url, len, post); - } - - bigBuf.data = (unsigned char *)newstr; - - FPUTS((char *)bigBuf.data, stderr); - - bigBuf.len = PORT_Strlen((char *)bigBuf.data); - - return SECSuccess; -} - -int -main(int argc, char **argv) -{ - char * dir = "."; - char * hostName = NULL; - char * nickName = NULL; - char * progName = NULL; - char * tmp = NULL; - char * post = NULL; - CERTCertificate * cert [kt_kea_size] = { NULL }; - SECKEYPrivateKey * privKey[kt_kea_size] = { NULL }; - int optchar; - int connections = 1; - int tmpI; - unsigned short port = 443; - SECStatus rv; - char * passwd = NULL; - char * passwdfile = NULL; - char * url = NULL; - FILE *fp; - char pwbuf[256]; - int 
co; - char *crlf; - - /* Call the NSPR initialization routines */ - PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); - - tmp = strrchr(argv[0], '/'); - tmp = tmp ? tmp + 1 : argv[0]; - progName = strrchr(tmp, '\\'); - progName = progName ? progName + 1 : tmp; - - - while ((optchar = getopt(argc, argv, "Vd:e:n:p:r:w:v")) != -1) { - switch(optchar) { - -/* Version */ - case 'V': - printf("%s\n",VERSIONSTRING); - PR_Cleanup(); - return 0; - -/* Directory which holds cert8.db and key3.db */ - case 'd': - dir = optarg; - break; - -/* Nickname of certificate to use */ - case 'n': - nickName = optarg; - break; - -/* password to open key3.db */ - case 'p': - passwd = optarg; - break; - -/* name of file holding password for key3.db */ - case 'w': - passwdfile = optarg; - break; - -/* url */ - case 'r': - url = optarg; - break; - -/* post parameters */ - case 'e': - post = optarg; - break; - - case 'v': - verbose++; - break; - - default: - case '?': - fprintf( stderr, "ERROR: Invalid option!\n" ); - Usage(progName); - break; - - } - } - - if (optind != argc - 1) { - fprintf( stderr, "ERROR: Invalid number of arguments!\n" ); - Usage(progName); - } - - hostName = argv[optind]; - tmp = strchr(hostName, ':'); - if (tmp) { - *tmp++ = 0; - tmpI = atoi(tmp); - if (tmpI <= 0) { - fprintf( stderr, "ERROR: Invalid port!\n" ); - Usage(progName); - } - port = (unsigned short)tmpI; - } - - if ( !url) { - fprintf( stderr, "ERROR: Invalid url!\n" ); - Usage(progName); - } - - createRequest(url, post); - - if (passwdfile) { - fp = fopen(passwdfile,"r"); - if (!fp) { fprintf(stderr, "Couldn't open password file\n"); exit(7); } - co = fread(pwbuf,1,256,fp); - pwbuf[co] = '\0'; - crlf = PL_strchr(pwbuf,'\n'); - if (crlf) { - *crlf = '\0'; - } - passwd = pwbuf; - } - - /* set our password function */ - if (passwd == NULL) { - fprintf( stderr, "ERROR: Invalid password!\n" ); - PRINTF("Password must be provided on command line in this version of revoker.\n"); - Usage(progName); - } - 
PK11_SetPasswordFunc(ownPasswd);
-
- /* Call the libsec initialization routines */
- rv = NSS_Init(dir);
- if (rv != SECSuccess) {
- fputs("NSS_Init failed.\n", stderr);
- exit(1);
- }
-
- if(nickName) {
- cert[kt_rsa] = PK11_FindCertFromNickname(nickName, passwd);
- if (cert[kt_rsa] == NULL) {
- fprintf(stderr, "Can't find certificate %s\n", nickName);
- exit(1);
- }
-
- privKey[kt_rsa] = PK11_FindKeyByAnyCert(cert[kt_rsa], passwd);
- if (privKey[kt_rsa] == NULL) {
- fprintf(stderr, "Can't find Private Key for cert %s (possibly incorrect password)\n", nickName);
- exit(1);
- }
- }
-
- client_main(port, connections, privKey, cert, hostName, nickName);
-
- NSS_Shutdown();
- PR_Cleanup();
- return 0;
-}
-
diff --git a/pki/base/native-tools/src/tkstool/CMakeLists.txt b/pki/base/native-tools/src/tkstool/CMakeLists.txt
deleted file mode 100644
index 8b07950eb..000000000
--- a/pki/base/native-tools/src/tkstool/CMakeLists.txt
+++ /dev/null
@@ -1,45 +0,0 @@
-project(tkstool C)
-
-set(TKSTOOL_PRIVATE_INCLUDE_DIRS
- ${CMAKE_CURRENT_SOURCE_DIR}
- ${CMAKE_BINARY_DIR}
- ${NSPR_INCLUDE_DIRS}
- ${NSS_INCLUDE_DIRS}
-)
-
-set(TKSTOOL_LINK_LIBRARIES
- ${NSPR_LIBRARIES}
- ${NSS_LIBRARIES}
-)
-
-set(tkstool_SRCS
- delete.c
- file.c
- find.c
- help.c
- key.c
- list.c
- modules.c
- pppolicy.c
- random.c
- retrieve.c
- secerror.c
- secpwd.c
- secutil.c
- tkstool.c
- util.c
- version.c
-)
-
-include_directories(${TKSTOOL_PRIVATE_INCLUDE_DIRS})
-
-add_executable(tkstool ${tkstool_SRCS})
-
-target_link_libraries(tkstool ${TKSTOOL_LINK_LIBRARIES})
-
-install(
- TARGETS tkstool
- RUNTIME DESTINATION ${BIN_INSTALL_DIR}
- LIBRARY DESTINATION ${LIB_INSTALL_DIR}
- ARCHIVE DESTINATION ${LIB_INSTALL_DIR}
-)
diff --git a/pki/base/native-tools/src/tkstool/NSPRerrs.h b/pki/base/native-tools/src/tkstool/NSPRerrs.h
deleted file mode 100644
index f0bc8b77e..000000000
--- a/pki/base/native-tools/src/tkstool/NSPRerrs.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * END COPYRIGHT BLOCK **/
-
-/* Originally obtained from:
- *
- * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
- * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/NSPRerrs.h
- */
-
-/* General NSPR 2.0 errors */
-/* Caller must #include "prerror.h" */
-
-ER2( PR_OUT_OF_MEMORY_ERROR, "Memory allocation attempt failed." )
-ER2( PR_BAD_DESCRIPTOR_ERROR, "Invalid file descriptor." )
-ER2( PR_WOULD_BLOCK_ERROR, "The operation would have blocked." )
-ER2( PR_ACCESS_FAULT_ERROR, "Invalid memory address argument." )
-ER2( PR_INVALID_METHOD_ERROR, "Invalid function for file type." )
-ER2( PR_ILLEGAL_ACCESS_ERROR, "Invalid memory address argument." )
-ER2( PR_UNKNOWN_ERROR, "Some unknown error has occurred." )
-ER2( PR_PENDING_INTERRUPT_ERROR,"Operation interrupted by another thread." )
-ER2( PR_NOT_IMPLEMENTED_ERROR, "function not implemented." )
-ER2( PR_IO_ERROR, "I/O function error." )
-ER2( PR_IO_TIMEOUT_ERROR, "I/O operation timed out." )
-ER2( PR_IO_PENDING_ERROR, "I/O operation on busy file descriptor." )
-ER2( PR_DIRECTORY_OPEN_ERROR, "The directory could not be opened." )
-ER2( PR_INVALID_ARGUMENT_ERROR, "Invalid function argument." )
-ER2( PR_ADDRESS_NOT_AVAILABLE_ERROR, "Network address not available (in use?)." )
-ER2( PR_ADDRESS_NOT_SUPPORTED_ERROR, "Network address type not supported." )
-ER2( PR_IS_CONNECTED_ERROR, "Already connected." )
-ER2( PR_BAD_ADDRESS_ERROR, "Network address is invalid." )
-ER2( PR_ADDRESS_IN_USE_ERROR, "Local Network address is in use." )
-ER2( PR_CONNECT_REFUSED_ERROR, "Connection refused by peer." )
-ER2( PR_NETWORK_UNREACHABLE_ERROR, "Network address is presently unreachable." )
-ER2( PR_CONNECT_TIMEOUT_ERROR, "Connection attempt timed out." )
-ER2( PR_NOT_CONNECTED_ERROR, "Network file descriptor is not connected." )
-ER2( PR_LOAD_LIBRARY_ERROR, "Failure to load dynamic library." )
-ER2( PR_UNLOAD_LIBRARY_ERROR, "Failure to unload dynamic library."
)
-ER2( PR_FIND_SYMBOL_ERROR,
-"Symbol not found in any of the loaded dynamic libraries." )
-ER2( PR_INSUFFICIENT_RESOURCES_ERROR, "Insufficient system resources." )
-ER2( PR_DIRECTORY_LOOKUP_ERROR,
-"A directory lookup on a network address has failed." )
-ER2( PR_TPD_RANGE_ERROR,
-"Attempt to access a TPD key that is out of range." )
-ER2( PR_PROC_DESC_TABLE_FULL_ERROR, "Process open FD table is full." )
-ER2( PR_SYS_DESC_TABLE_FULL_ERROR, "System open FD table is full." )
-ER2( PR_NOT_SOCKET_ERROR,
-"Network operation attempted on non-network file descriptor." )
-ER2( PR_NOT_TCP_SOCKET_ERROR,
-"TCP-specific function attempted on a non-TCP file descriptor." )
-ER2( PR_SOCKET_ADDRESS_IS_BOUND_ERROR, "TCP file descriptor is already bound." )
-ER2( PR_NO_ACCESS_RIGHTS_ERROR, "Access Denied." )
-ER2( PR_OPERATION_NOT_SUPPORTED_ERROR,
-"The requested operation is not supported by the platform." )
-ER2( PR_PROTOCOL_NOT_SUPPORTED_ERROR,
-"The host operating system does not support the protocol requested." )
-ER2( PR_REMOTE_FILE_ERROR, "Access to the remote file has been severed." )
-ER2( PR_BUFFER_OVERFLOW_ERROR,
-"The value requested is too large to be stored in the data buffer provided." )
-ER2( PR_CONNECT_RESET_ERROR, "TCP connection reset by peer." )
-ER2( PR_RANGE_ERROR, "Unused." )
-ER2( PR_DEADLOCK_ERROR, "The operation would have deadlocked." )
-ER2( PR_FILE_IS_LOCKED_ERROR, "The file is already locked." )
-ER2( PR_FILE_TOO_BIG_ERROR,
-"Write would result in file larger than the system allows." )
-ER2( PR_NO_DEVICE_SPACE_ERROR, "The device for storing the file is full." )
-ER2( PR_PIPE_ERROR, "Unused." )
-ER2( PR_NO_SEEK_DEVICE_ERROR, "Unused." )
-ER2( PR_IS_DIRECTORY_ERROR,
-"Cannot perform a normal file operation on a directory." )
-ER2( PR_LOOP_ERROR, "Symbolic link loop." )
-ER2( PR_NAME_TOO_LONG_ERROR, "File name is too long." )
-ER2( PR_FILE_NOT_FOUND_ERROR, "File not found."
)
-ER2( PR_NOT_DIRECTORY_ERROR,
-"Cannot perform directory operation on a normal file." )
-ER2( PR_READ_ONLY_FILESYSTEM_ERROR,
-"Cannot write to a read-only file system." )
-ER2( PR_DIRECTORY_NOT_EMPTY_ERROR,
-"Cannot delete a directory that is not empty." )
-ER2( PR_FILESYSTEM_MOUNTED_ERROR,
-"Cannot delete or rename a file object while the file system is busy." )
-ER2( PR_NOT_SAME_DEVICE_ERROR,
-"Cannot rename a file to a file system on another device." )
-ER2( PR_DIRECTORY_CORRUPTED_ERROR,
-"The directory object in the file system is corrupted." )
-ER2( PR_FILE_EXISTS_ERROR,
-"Cannot create or rename a filename that already exists." )
-ER2( PR_MAX_DIRECTORY_ENTRIES_ERROR,
-"Directory is full. No additional filenames may be added." )
-ER2( PR_INVALID_DEVICE_STATE_ERROR,
-"The required device was in an invalid state." )
-ER2( PR_DEVICE_IS_LOCKED_ERROR, "The device is locked." )
-ER2( PR_NO_MORE_FILES_ERROR, "No more entries in the directory." )
-ER2( PR_END_OF_FILE_ERROR, "Encountered end of file." )
-ER2( PR_FILE_SEEK_ERROR, "Seek error." )
-ER2( PR_FILE_IS_BUSY_ERROR, "The file is busy." )
-ER2( PR_IN_PROGRESS_ERROR,
-"Operation is still in progress (probably a non-blocking connect)." )
-ER2( PR_ALREADY_INITIATED_ERROR,
-"Operation has already been initiated (probably a non-blocking connect)." )
-
-#ifdef PR_GROUP_EMPTY_ERROR
-ER2( PR_GROUP_EMPTY_ERROR, "The wait group is empty." )
-#endif
-
-#ifdef PR_INVALID_STATE_ERROR
-ER2( PR_INVALID_STATE_ERROR, "Object state improper for request." )
-#endif
-
-#ifdef PR_NETWORK_DOWN_ERROR
-ER2( PR_NETWORK_DOWN_ERROR, "Network is down." )
-#endif
-
-#ifdef PR_SOCKET_SHUTDOWN_ERROR
-ER2( PR_SOCKET_SHUTDOWN_ERROR, "The socket was previously shut down." )
-#endif
-
-#ifdef PR_CONNECT_ABORTED_ERROR
-ER2( PR_CONNECT_ABORTED_ERROR, "TCP Connection aborted." )
-#endif
-
-#ifdef PR_HOST_UNREACHABLE_ERROR
-ER2( PR_HOST_UNREACHABLE_ERROR, "Host is unreachable."
)
-#endif
-
-/* always last */
-ER2( PR_MAX_ERROR, "Placeholder for the end of the list" )
diff --git a/pki/base/native-tools/src/tkstool/SECerrs.h b/pki/base/native-tools/src/tkstool/SECerrs.h
deleted file mode 100644
index 55858b98f..000000000
--- a/pki/base/native-tools/src/tkstool/SECerrs.h
+++ /dev/null
@@ -1,523 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * END COPYRIGHT BLOCK **/
-
-/* Originally obtained from:
- *
- * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
- * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SECerrs.h
- */
-
-/* General security error codes */
-/* Caller must #include "secerr.h" */
-
-ER3(SEC_ERROR_IO, SEC_ERROR_BASE + 0,
-"An I/O error occurred during security authorization.")
-
-ER3(SEC_ERROR_LIBRARY_FAILURE, SEC_ERROR_BASE + 1,
-"security library failure.")
-
-ER3(SEC_ERROR_BAD_DATA, SEC_ERROR_BASE + 2,
-"security library: received bad data.")
-
-ER3(SEC_ERROR_OUTPUT_LEN, SEC_ERROR_BASE + 3,
-"security library: output length error.")
-
-ER3(SEC_ERROR_INPUT_LEN, SEC_ERROR_BASE + 4,
-"security library has experienced an input length error.")
-
-ER3(SEC_ERROR_INVALID_ARGS, SEC_ERROR_BASE + 5,
-"security library: invalid arguments.")
-
-ER3(SEC_ERROR_INVALID_ALGORITHM, SEC_ERROR_BASE + 6,
-"security library: invalid algorithm.")
-
-ER3(SEC_ERROR_INVALID_AVA, SEC_ERROR_BASE + 7,
-"security library: invalid AVA.")
-
-ER3(SEC_ERROR_INVALID_TIME, SEC_ERROR_BASE + 8,
-"Improperly formatted time string.")
-
-ER3(SEC_ERROR_BAD_DER, SEC_ERROR_BASE + 9,
-"security library: improperly formatted DER-encoded message.")
-
-ER3(SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_BASE + 10,
-"Peer's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_EXPIRED_CERTIFICATE, SEC_ERROR_BASE + 11,
-"Peer's Certificate has expired.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_BASE + 12,
-"Peer's Certificate has been revoked.")
-
-ER3(SEC_ERROR_UNKNOWN_ISSUER, SEC_ERROR_BASE + 13,
-"Peer's Certificate issuer is not recognized.")
-
-ER3(SEC_ERROR_BAD_KEY, SEC_ERROR_BASE + 14,
-"Peer's public key is invalid.")
-
-ER3(SEC_ERROR_BAD_PASSWORD, SEC_ERROR_BASE + 15,
-"The security password entered is incorrect.")
-
-ER3(SEC_ERROR_RETRY_PASSWORD, SEC_ERROR_BASE + 16,
-"New password entered incorrectly.
Please try again.")
-
-ER3(SEC_ERROR_NO_NODELOCK, SEC_ERROR_BASE + 17,
-"security library: no nodelock.")
-
-ER3(SEC_ERROR_BAD_DATABASE, SEC_ERROR_BASE + 18,
-"security library: bad database.")
-
-ER3(SEC_ERROR_NO_MEMORY, SEC_ERROR_BASE + 19,
-"security library: memory allocation failure.")
-
-ER3(SEC_ERROR_UNTRUSTED_ISSUER, SEC_ERROR_BASE + 20,
-"Peer's certificate issuer has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_UNTRUSTED_CERT, SEC_ERROR_BASE + 21,
-"Peer's certificate has been marked as not trusted by the user.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT, (SEC_ERROR_BASE + 22),
-"Certificate already exists in your database.")
-
-ER3(SEC_ERROR_DUPLICATE_CERT_NAME, (SEC_ERROR_BASE + 23),
-"Downloaded certificate's name duplicates one already in your database.")
-
-ER3(SEC_ERROR_ADDING_CERT, (SEC_ERROR_BASE + 24),
-"Error adding certificate to database.")
-
-ER3(SEC_ERROR_FILING_KEY, (SEC_ERROR_BASE + 25),
-"Error refiling the key for this certificate.")
-
-ER3(SEC_ERROR_NO_KEY, (SEC_ERROR_BASE + 26),
-"The private key for this certificate cannot be found in key database")
-
-ER3(SEC_ERROR_CERT_VALID, (SEC_ERROR_BASE + 27),
-"This certificate is valid.")
-
-ER3(SEC_ERROR_CERT_NOT_VALID, (SEC_ERROR_BASE + 28),
-"This certificate is not valid.")
-
-ER3(SEC_ERROR_CERT_NO_RESPONSE, (SEC_ERROR_BASE + 29),
-"Cert Library: No Response")
-
-ER3(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, (SEC_ERROR_BASE + 30),
-"The certificate issuer's certificate has expired. Check your system date and time.")
-
-ER3(SEC_ERROR_CRL_EXPIRED, (SEC_ERROR_BASE + 31),
-"The CRL for the certificate's issuer has expired.
Update it or check your system data and time.")
-
-ER3(SEC_ERROR_CRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 32),
-"The CRL for the certificate's issuer has an invalid signature.")
-
-ER3(SEC_ERROR_CRL_INVALID, (SEC_ERROR_BASE + 33),
-"New CRL has an invalid format.")
-
-ER3(SEC_ERROR_EXTENSION_VALUE_INVALID, (SEC_ERROR_BASE + 34),
-"Certificate extension value is invalid.")
-
-ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35),
-"Certificate extension not found.")
-
-ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36),
-"Issuer certificate is invalid.")
-
-ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37),
-"Certificate path length constraint is invalid.")
-
-ER3(SEC_ERROR_CERT_USAGES_INVALID, (SEC_ERROR_BASE + 38),
-"Certificate usages field is invalid.")
-
-ER3(SEC_INTERNAL_ONLY, (SEC_ERROR_BASE + 39),
-"**Internal ONLY module**")
-
-ER3(SEC_ERROR_INVALID_KEY, (SEC_ERROR_BASE + 40),
-"The key does not support the requested operation.")
-
-ER3(SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 41),
-"Certificate contains unknown critical extension.")
-
-ER3(SEC_ERROR_OLD_CRL, (SEC_ERROR_BASE + 42),
-"New CRL is not later than the current one.")
-
-ER3(SEC_ERROR_NO_EMAIL_CERT, (SEC_ERROR_BASE + 43),
-"Not encrypted or signed: you do not yet have an email certificate.")
-
-ER3(SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, (SEC_ERROR_BASE + 44),
-"Not encrypted: you do not have certificates for each of the recipients.")
-
-ER3(SEC_ERROR_NOT_A_RECIPIENT, (SEC_ERROR_BASE + 45),
-"Cannot decrypt: you are not a recipient, or matching certificate and \
-private key not found.")
-
-ER3(SEC_ERROR_PKCS7_KEYALG_MISMATCH, (SEC_ERROR_BASE + 46),
-"Cannot decrypt: key encryption algorithm does not match your certificate.")
-
-ER3(SEC_ERROR_PKCS7_BAD_SIGNATURE, (SEC_ERROR_BASE + 47),
-"Signature verification failed: no signer found, too many signers found, \
-or improper or corrupted data.")
-
-ER3(SEC_ERROR_UNSUPPORTED_KEYALG, (SEC_ERROR_BASE + 48),
-"Unsupported or
unknown key algorithm.")
-
-ER3(SEC_ERROR_DECRYPTION_DISALLOWED, (SEC_ERROR_BASE + 49),
-"Cannot decrypt: encrypted using a disallowed algorithm or key size.")
-
-
-/* Fortezza Alerts */
-ER3(XP_SEC_FORTEZZA_BAD_CARD, (SEC_ERROR_BASE + 50),
-"Fortezza card has not been properly initialized. \
-Please remove it and return it to your issuer.")
-
-ER3(XP_SEC_FORTEZZA_NO_CARD, (SEC_ERROR_BASE + 51),
-"No Fortezza cards Found")
-
-ER3(XP_SEC_FORTEZZA_NONE_SELECTED, (SEC_ERROR_BASE + 52),
-"No Fortezza card selected")
-
-ER3(XP_SEC_FORTEZZA_MORE_INFO, (SEC_ERROR_BASE + 53),
-"Please select a personality to get more info on")
-
-ER3(XP_SEC_FORTEZZA_PERSON_NOT_FOUND, (SEC_ERROR_BASE + 54),
-"Personality not found")
-
-ER3(XP_SEC_FORTEZZA_NO_MORE_INFO, (SEC_ERROR_BASE + 55),
-"No more information on that Personality")
-
-ER3(XP_SEC_FORTEZZA_BAD_PIN, (SEC_ERROR_BASE + 56),
-"Invalid Pin")
-
-ER3(XP_SEC_FORTEZZA_PERSON_ERROR, (SEC_ERROR_BASE + 57),
-"Couldn't initialize Fortezza personalities.")
-/* end fortezza alerts.
*/
-
-ER3(SEC_ERROR_NO_KRL, (SEC_ERROR_BASE + 58),
-"No KRL for this site's certificate has been found.")
-
-ER3(SEC_ERROR_KRL_EXPIRED, (SEC_ERROR_BASE + 59),
-"The KRL for this site's certificate has expired.")
-
-ER3(SEC_ERROR_KRL_BAD_SIGNATURE, (SEC_ERROR_BASE + 60),
-"The KRL for this site's certificate has an invalid signature.")
-
-ER3(SEC_ERROR_REVOKED_KEY, (SEC_ERROR_BASE + 61),
-"The key for this site's certificate has been revoked.")
-
-ER3(SEC_ERROR_KRL_INVALID, (SEC_ERROR_BASE + 62),
-"New KRL has an invalid format.")
-
-ER3(SEC_ERROR_NEED_RANDOM, (SEC_ERROR_BASE + 63),
-"security library: need random data.")
-
-ER3(SEC_ERROR_NO_MODULE, (SEC_ERROR_BASE + 64),
-"security library: no security module can perform the requested operation.")
-
-ER3(SEC_ERROR_NO_TOKEN, (SEC_ERROR_BASE + 65),
-"The security card or token does not exist, needs to be initialized, or has been removed.")
-
-ER3(SEC_ERROR_READ_ONLY, (SEC_ERROR_BASE + 66),
-"security library: read-only database.")
-
-ER3(SEC_ERROR_NO_SLOT_SELECTED, (SEC_ERROR_BASE + 67),
-"No slot or token was selected.")
-
-ER3(SEC_ERROR_CERT_NICKNAME_COLLISION, (SEC_ERROR_BASE + 68),
-"A certificate with the same nickname already exists.")
-
-ER3(SEC_ERROR_KEY_NICKNAME_COLLISION, (SEC_ERROR_BASE + 69),
-"A key with the same nickname already exists.")
-
-ER3(SEC_ERROR_SAFE_NOT_CREATED, (SEC_ERROR_BASE + 70),
-"error while creating safe object")
-
-ER3(SEC_ERROR_BAGGAGE_NOT_CREATED, (SEC_ERROR_BASE + 71),
-"error while creating baggage object")
-
-ER3(XP_JAVA_REMOVE_PRINCIPAL_ERROR, (SEC_ERROR_BASE + 72),
-"Couldn't remove the principal")
-
-ER3(XP_JAVA_DELETE_PRIVILEGE_ERROR, (SEC_ERROR_BASE + 73),
-"Couldn't delete the privilege")
-
-ER3(XP_JAVA_CERT_NOT_EXISTS_ERROR, (SEC_ERROR_BASE + 74),
-"This principal doesn't have a certificate")
-
-ER3(SEC_ERROR_BAD_EXPORT_ALGORITHM, (SEC_ERROR_BASE + 75),
-"Required algorithm is not allowed.")
-
-ER3(SEC_ERROR_EXPORTING_CERTIFICATES, (SEC_ERROR_BASE + 76),
-"Error
attempting to export certificates.")
-
-ER3(SEC_ERROR_IMPORTING_CERTIFICATES, (SEC_ERROR_BASE + 77),
-"Error attempting to import certificates.")
-
-ER3(SEC_ERROR_PKCS12_DECODING_PFX, (SEC_ERROR_BASE + 78),
-"Unable to import. Decoding error. File not valid.")
-
-ER3(SEC_ERROR_PKCS12_INVALID_MAC, (SEC_ERROR_BASE + 79),
-"Unable to import. Invalid MAC. Incorrect password or corrupt file.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, (SEC_ERROR_BASE + 80),
-"Unable to import. MAC algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE,(SEC_ERROR_BASE + 81),
-"Unable to import. Only password integrity and privacy modes supported.")
-
-ER3(SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, (SEC_ERROR_BASE + 82),
-"Unable to import. File structure is corrupt.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, (SEC_ERROR_BASE + 83),
-"Unable to import. Encryption algorithm not supported.")
-
-ER3(SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, (SEC_ERROR_BASE + 84),
-"Unable to import. File version not supported.")
-
-ER3(SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT,(SEC_ERROR_BASE + 85),
-"Unable to import. Incorrect privacy password.")
-
-ER3(SEC_ERROR_PKCS12_CERT_COLLISION, (SEC_ERROR_BASE + 86),
-"Unable to import.
Same nickname already exists in database.")
-
-ER3(SEC_ERROR_USER_CANCELLED, (SEC_ERROR_BASE + 87),
-"The user pressed cancel.")
-
-ER3(SEC_ERROR_PKCS12_DUPLICATE_DATA, (SEC_ERROR_BASE + 88),
-"Not imported, already in database.")
-
-ER3(SEC_ERROR_MESSAGE_SEND_ABORTED, (SEC_ERROR_BASE + 89),
-"Message not sent.")
-
-ER3(SEC_ERROR_INADEQUATE_KEY_USAGE, (SEC_ERROR_BASE + 90),
-"Certificate key usage inadequate for attempted operation.")
-
-ER3(SEC_ERROR_INADEQUATE_CERT_TYPE, (SEC_ERROR_BASE + 91),
-"Certificate type not approved for application.")
-
-ER3(SEC_ERROR_CERT_ADDR_MISMATCH, (SEC_ERROR_BASE + 92),
-"Address in signing certificate does not match address in message headers.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, (SEC_ERROR_BASE + 93),
-"Unable to import. Error attempting to import private key.")
-
-ER3(SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, (SEC_ERROR_BASE + 94),
-"Unable to import. Error attempting to import certificate chain.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, (SEC_ERROR_BASE + 95),
-"Unable to export. Unable to locate certificate or key by nickname.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, (SEC_ERROR_BASE + 96),
-"Unable to export. Private Key could not be located and exported.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_WRITE, (SEC_ERROR_BASE + 97),
-"Unable to export. Unable to write the export file.")
-
-ER3(SEC_ERROR_PKCS12_UNABLE_TO_READ, (SEC_ERROR_BASE + 98),
-"Unable to import. Unable to read the import file.")
-
-ER3(SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, (SEC_ERROR_BASE + 99),
-"Unable to export. Key database corrupt or deleted.")
-
-ER3(SEC_ERROR_KEYGEN_FAIL, (SEC_ERROR_BASE + 100),
-"Unable to generate public/private key pair.")
-
-ER3(SEC_ERROR_INVALID_PASSWORD, (SEC_ERROR_BASE + 101),
-"Password entered is invalid. Please pick a different one.")
-
-ER3(SEC_ERROR_RETRY_OLD_PASSWORD, (SEC_ERROR_BASE + 102),
-"Old password entered incorrectly.
Please try again.")
-
-ER3(SEC_ERROR_BAD_NICKNAME, (SEC_ERROR_BASE + 103),
-"Certificate nickname already in use.")
-
-ER3(SEC_ERROR_NOT_FORTEZZA_ISSUER, (SEC_ERROR_BASE + 104),
-"Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
-
-ER3(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, (SEC_ERROR_BASE + 105),
-"A sensitive key cannot be moved to the slot where it is needed.")
-
-ER3(SEC_ERROR_JS_INVALID_MODULE_NAME, (SEC_ERROR_BASE + 106),
-"Invalid module name.")
-
-ER3(SEC_ERROR_JS_INVALID_DLL, (SEC_ERROR_BASE + 107),
-"Invalid module path/filename")
-
-ER3(SEC_ERROR_JS_ADD_MOD_FAILURE, (SEC_ERROR_BASE + 108),
-"Unable to add module")
-
-ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109),
-"Unable to delete module")
-
-ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110),
-"New KRL is not later than the current one.")
-
-ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111),
-"New CKL has different issuer than current CKL. Delete current CKL.")
-
-ER3(SEC_ERROR_CERT_NOT_IN_NAME_SPACE, (SEC_ERROR_BASE + 112),
-"The Certifying Authority for this certificate is not permitted to issue a \
-certificate with this name.")
-
-ER3(SEC_ERROR_KRL_NOT_YET_VALID, (SEC_ERROR_BASE + 113),
-"The key revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_CRL_NOT_YET_VALID, (SEC_ERROR_BASE + 114),
-"The certificate revocation list for this certificate is not yet valid.")
-
-ER3(SEC_ERROR_UNKNOWN_CERT, (SEC_ERROR_BASE + 115),
-"The requested certificate could not be found.")
-
-ER3(SEC_ERROR_UNKNOWN_SIGNER, (SEC_ERROR_BASE + 116),
-"The signer's certificate could not be found.")
-
-ER3(SEC_ERROR_CERT_BAD_ACCESS_LOCATION, (SEC_ERROR_BASE + 117),
-"The location for the certificate status server has invalid format.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, (SEC_ERROR_BASE + 118),
-"The OCSP response cannot be fully decoded; it is of an unknown type.")
-
-ER3(SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, (SEC_ERROR_BASE + 119),
-"The OCSP server returned unexpected/invalid HTTP data.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_REQUEST, (SEC_ERROR_BASE + 120),
-"The OCSP server found the request to be corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_SERVER_ERROR, (SEC_ERROR_BASE + 121),
-"The OCSP server experienced an internal error.")
-
-ER3(SEC_ERROR_OCSP_TRY_SERVER_LATER, (SEC_ERROR_BASE + 122),
-"The OCSP server suggests trying again later.")
-
-ER3(SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, (SEC_ERROR_BASE + 123),
-"The OCSP server requires a signature on this request.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, (SEC_ERROR_BASE + 124),
-"The OCSP server has refused this request as unauthorized.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, (SEC_ERROR_BASE + 125),
-"The OCSP server returned an unrecognizable status.")
-
-ER3(SEC_ERROR_OCSP_UNKNOWN_CERT, (SEC_ERROR_BASE + 126),
-"The OCSP server has no status for the certificate.")
-
-ER3(SEC_ERROR_OCSP_NOT_ENABLED, (SEC_ERROR_BASE + 127),
-"You must enable OCSP before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, (SEC_ERROR_BASE + 128),
-"You must set the OCSP default responder before performing this operation.")
-
-ER3(SEC_ERROR_OCSP_MALFORMED_RESPONSE, (SEC_ERROR_BASE + 129),
-"The response from the OCSP server was corrupted or improperly formed.")
-
-ER3(SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, (SEC_ERROR_BASE + 130),
-"The signer of the OCSP response is not authorized to give status for \
-this certificate.")
-
-ER3(SEC_ERROR_OCSP_FUTURE_RESPONSE, (SEC_ERROR_BASE + 131),
-"The OCSP response is not yet valid (contains a date in the future).")
-
-ER3(SEC_ERROR_OCSP_OLD_RESPONSE, (SEC_ERROR_BASE + 132),
-"The OCSP response contains out-of-date information.")
-
-ER3(SEC_ERROR_DIGEST_NOT_FOUND, (SEC_ERROR_BASE + 133),
-"The CMS or PKCS #7 Digest was not found in signed message.")
-
-ER3(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, (SEC_ERROR_BASE + 134),
-"The CMS or PKCS #7 Message type is unsupported.")
-
-ER3(SEC_ERROR_MODULE_STUCK, (SEC_ERROR_BASE + 135),
-"PKCS #11 module could
not be removed because it is still in use.")
-
-ER3(SEC_ERROR_BAD_TEMPLATE, (SEC_ERROR_BASE + 136),
-"Could not decode ASN.1 data. Specified template was invalid.")
-
-ER3(SEC_ERROR_CRL_NOT_FOUND, (SEC_ERROR_BASE + 137),
-"No matching CRL was found.")
-
-ER3(SEC_ERROR_REUSED_ISSUER_AND_SERIAL, (SEC_ERROR_BASE + 138),
-"You are attempting to import a cert with the same issuer/serial as \
-an existing cert, but that is not the same cert.")
-
-ER3(SEC_ERROR_BUSY, (SEC_ERROR_BASE + 139),
-"NSS could not shutdown. Objects are still in use.")
-
-ER3(SEC_ERROR_EXTRA_INPUT, (SEC_ERROR_BASE + 140),
-"DER-encoded message contained extra unused data.")
-
-ER3(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, (SEC_ERROR_BASE + 141),
-"Unsupported elliptic curve.")
-
-ER3(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, (SEC_ERROR_BASE + 142),
-"Unsupported elliptic curve point form.")
-
-ER3(SEC_ERROR_UNRECOGNIZED_OID, (SEC_ERROR_BASE + 143),
-"Unrecognized Object IDentifier.")
-
-ER3(SEC_ERROR_OCSP_INVALID_SIGNING_CERT, (SEC_ERROR_BASE + 144),
-"Invalid OCSP signing certificate in OCSP response.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_CRL, (SEC_ERROR_BASE + 145),
-"Certificate is revoked in issuer's certificate revocation list.")
-
-ER3(SEC_ERROR_REVOKED_CERTIFICATE_OCSP, (SEC_ERROR_BASE + 146),
-"Issuer's OCSP responder reports certificate is revoked.")
-
-ER3(SEC_ERROR_CRL_INVALID_VERSION, (SEC_ERROR_BASE + 147),
-"Issuer's Certificate Revocation List has an unknown version number.")
-
-ER3(SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 148),
-"Issuer's V1 Certificate Revocation List has a critical extension.")
-
-ER3(SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, (SEC_ERROR_BASE + 149),
-"Issuer's V2 Certificate Revocation List has an unknown critical extension.")
-
-ER3(SEC_ERROR_UNKNOWN_OBJECT_TYPE, (SEC_ERROR_BASE + 150),
-"Unknown object type specified.")
-
-ER3(SEC_ERROR_INCOMPATIBLE_PKCS11, (SEC_ERROR_BASE + 151),
-"PKCS #11 driver violates the spec in an incompatible way.")
-
-ER3(SEC_ERROR_NO_EVENT, (SEC_ERROR_BASE + 152),
-"No new slot event is available at this time.")
-
-ER3(SEC_ERROR_CRL_ALREADY_EXISTS, (SEC_ERROR_BASE + 153),
-"CRL already exists.")
-
-ER3(SEC_ERROR_NOT_INITIALIZED, (SEC_ERROR_BASE + 154),
-"NSS is not initialized.")
-
-ER3(SEC_ERROR_TOKEN_NOT_LOGGED_IN, (SEC_ERROR_BASE + 155),
-"The operation failed because the PKCS#11 token is not logged in.")
-
diff --git a/pki/base/native-tools/src/tkstool/SSLerrs.h b/pki/base/native-tools/src/tkstool/SSLerrs.h
deleted file mode 100644
index d6ec13b47..000000000
--- a/pki/base/native-tools/src/tkstool/SSLerrs.h
+++ /dev/null
@@ -1,393 +0,0 @@
-/** BEGIN COPYRIGHT BLOCK
- *
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * END COPYRIGHT BLOCK **/
-
-/* Originally obtained from:
- *
- * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot
- * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/SSLerrs.h
- */
-
-/* SSL-specific security error codes */
-/* caller must include "sslerr.h" */
-
-ER3(SSL_ERROR_EXPORT_ONLY_SERVER, SSL_ERROR_BASE + 0,
-"Unable to communicate securely. Peer does not support high-grade encryption.")
-
-ER3(SSL_ERROR_US_ONLY_SERVER, SSL_ERROR_BASE + 1,
-"Unable to communicate securely. Peer requires high-grade encryption which is not supported.")
-
-ER3(SSL_ERROR_NO_CYPHER_OVERLAP, SSL_ERROR_BASE + 2,
-"Cannot communicate securely with peer: no common encryption algorithm(s).")
-
-ER3(SSL_ERROR_NO_CERTIFICATE, SSL_ERROR_BASE + 3,
-"Unable to find the certificate or key necessary for authentication.")
-
-ER3(SSL_ERROR_BAD_CERTIFICATE, SSL_ERROR_BASE + 4,
-"Unable to communicate securely with peer: peers's certificate was rejected.")
-
-/* unused (SSL_ERROR_BASE + 5),*/
-
-ER3(SSL_ERROR_BAD_CLIENT, SSL_ERROR_BASE + 6,
-"The server has encountered bad data from the client.")
-
-ER3(SSL_ERROR_BAD_SERVER, SSL_ERROR_BASE + 7,
-"The client has encountered bad data from the server.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE, SSL_ERROR_BASE + 8,
-"Unsupported certificate type.")
-
-ER3(SSL_ERROR_UNSUPPORTED_VERSION, SSL_ERROR_BASE + 9,
-"Peer using unsupported version of security protocol.")
-
-/* unused (SSL_ERROR_BASE + 10),*/
-
-ER3(SSL_ERROR_WRONG_CERTIFICATE, SSL_ERROR_BASE + 11,
-"Client authentication failed: private key in key database does not match public key in certificate database.")
-
-ER3(SSL_ERROR_BAD_CERT_DOMAIN, SSL_ERROR_BASE + 12,
-"Unable to communicate securely with peer: requested domain name does not match the server's certificate.")
-
-/* SSL_ERROR_POST_WARNING (SSL_ERROR_BASE + 13),
- defined in sslerr.h
-*/
-
-ER3(SSL_ERROR_SSL2_DISABLED, (SSL_ERROR_BASE + 14),
-"Peer only supports SSL version 2, which is locally disabled.")
-
-
-ER3(SSL_ERROR_BAD_MAC_READ, (SSL_ERROR_BASE + 15),
-"SSL received a record with an incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_MAC_ALERT, (SSL_ERROR_BASE + 16),
-"SSL peer reports incorrect Message Authentication Code.")
-
-ER3(SSL_ERROR_BAD_CERT_ALERT, (SSL_ERROR_BASE + 17),
-"SSL peer cannot verify your certificate.")
-
-ER3(SSL_ERROR_REVOKED_CERT_ALERT, (SSL_ERROR_BASE + 18),
-"SSL peer rejected your certificate as revoked.")
-
-ER3(SSL_ERROR_EXPIRED_CERT_ALERT, (SSL_ERROR_BASE + 19),
-"SSL peer rejected your certificate as expired.")
-
-ER3(SSL_ERROR_SSL_DISABLED, (SSL_ERROR_BASE + 20),
-"Cannot connect: SSL is disabled.")
-
-ER3(SSL_ERROR_FORTEZZA_PQG, (SSL_ERROR_BASE + 21),
-"Cannot connect: SSL peer is in another FORTEZZA domain.")
-
-
-ER3(SSL_ERROR_UNKNOWN_CIPHER_SUITE , (SSL_ERROR_BASE + 22),
-"An unknown SSL cipher suite has been requested.")
-
-ER3(SSL_ERROR_NO_CIPHERS_SUPPORTED , (SSL_ERROR_BASE + 23),
-"No cipher suites are present and enabled in this program.")
-
-ER3(SSL_ERROR_BAD_BLOCK_PADDING , (SSL_ERROR_BASE + 24),
-"SSL received a record with bad block padding.")
-
-ER3(SSL_ERROR_RX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 25),
-"SSL received a record that exceeded the maximum permissible length.")
-
-ER3(SSL_ERROR_TX_RECORD_TOO_LONG , (SSL_ERROR_BASE + 26),
-"SSL attempted to send a record that exceeded the maximum permissible length.")
-
-/*
- * Received a malformed (too long or short or invalid content) SSL handshake.
- */
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST , (SSL_ERROR_BASE + 27),
-"SSL received a malformed Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_HELLO , (SSL_ERROR_BASE + 28),
-"SSL received a malformed Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_HELLO , (SSL_ERROR_BASE + 29),
-"SSL received a malformed Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERTIFICATE , (SSL_ERROR_BASE + 30),
-"SSL received a malformed Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 31),
-"SSL received a malformed Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_REQUEST , (SSL_ERROR_BASE + 32),
-"SSL received a malformed Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HELLO_DONE , (SSL_ERROR_BASE + 33),
-"SSL received a malformed Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CERT_VERIFY , (SSL_ERROR_BASE + 34),
-"SSL received a malformed Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 35),
-"SSL received a malformed Client Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_MALFORMED_FINISHED , (SSL_ERROR_BASE + 36),
-"SSL received a malformed Finished handshake message.")
-
-/*
- * Received a malformed (too long or short) SSL record.
- */
-ER3(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER , (SSL_ERROR_BASE + 37),
-"SSL received a malformed Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_ALERT , (SSL_ERROR_BASE + 38),
-"SSL received a malformed Alert record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_HANDSHAKE , (SSL_ERROR_BASE + 39),
-"SSL received a malformed Handshake record.")
-
-ER3(SSL_ERROR_RX_MALFORMED_APPLICATION_DATA , (SSL_ERROR_BASE + 40),
-"SSL received a malformed Application Data record.")
-
-/*
- * Received an SSL handshake that was inappropriate for the state we're in.
- * E.g. Server received message from server, or wrong state in state machine.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST , (SSL_ERROR_BASE + 41),
-"SSL received an unexpected Hello Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO , (SSL_ERROR_BASE + 42),
-"SSL received an unexpected Client Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO , (SSL_ERROR_BASE + 43),
-"SSL received an unexpected Server Hello handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE , (SSL_ERROR_BASE + 44),
-"SSL received an unexpected Certificate handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH , (SSL_ERROR_BASE + 45),
-"SSL received an unexpected Server Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST , (SSL_ERROR_BASE + 46),
-"SSL received an unexpected Certificate Request handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE , (SSL_ERROR_BASE + 47),
-"SSL received an unexpected Server Hello Done handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY , (SSL_ERROR_BASE + 48),
-"SSL received an unexpected Certificate Verify handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH , (SSL_ERROR_BASE + 49),
-"SSL received an unexpected Cllient Key Exchange handshake message.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_FINISHED , (SSL_ERROR_BASE + 50),
-"SSL received an unexpected Finished handshake message.")
-
-/*
- * Received an SSL record that was inappropriate for the state we're in.
- */
-ER3(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER , (SSL_ERROR_BASE + 51),
-"SSL received an unexpected Change Cipher Spec record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 52),
-"SSL received an unexpected Alert record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE , (SSL_ERROR_BASE + 53),
-"SSL received an unexpected Handshake record.")
-
-ER3(SSL_ERROR_RX_UNEXPECTED_APPLICATION_DATA, (SSL_ERROR_BASE + 54),
-"SSL received an unexpected Application Data record.")
-
-/*
- * Received record/message with unknown discriminant.
- */
-ER3(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE , (SSL_ERROR_BASE + 55),
-"SSL received a record with an unknown content type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_HANDSHAKE , (SSL_ERROR_BASE + 56),
-"SSL received a handshake message with an unknown message type.")
-
-ER3(SSL_ERROR_RX_UNKNOWN_ALERT , (SSL_ERROR_BASE + 57),
-"SSL received an alert record with an unknown alert description.")
-
-/*
- * Received an alert reporting what we did wrong. (more alerts above)
- */
-ER3(SSL_ERROR_CLOSE_NOTIFY_ALERT , (SSL_ERROR_BASE + 58),
-"SSL peer has closed this connection.")
-
-ER3(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT , (SSL_ERROR_BASE + 59),
-"SSL peer was not expecting a handshake message it received.")
-
-ER3(SSL_ERROR_DECOMPRESSION_FAILURE_ALERT , (SSL_ERROR_BASE + 60),
-"SSL peer was unable to succesfully decompress an SSL record it received.")
-
-ER3(SSL_ERROR_HANDSHAKE_FAILURE_ALERT , (SSL_ERROR_BASE + 61),
-"SSL peer was unable to negotiate an acceptable set of security parameters.")
-
-ER3(SSL_ERROR_ILLEGAL_PARAMETER_ALERT , (SSL_ERROR_BASE + 62),
-"SSL peer rejected a handshake message for unacceptable content.")
-
-ER3(SSL_ERROR_UNSUPPORTED_CERT_ALERT , (SSL_ERROR_BASE + 63),
-"SSL peer does not support certificates of the type it received.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT , (SSL_ERROR_BASE + 64),
-"SSL peer had some unspecified issue with the certificate it received.")
-
-
-ER3(SSL_ERROR_GENERATE_RANDOM_FAILURE , (SSL_ERROR_BASE + 65),
-"SSL experienced a failure of its random number generator.")
-
-ER3(SSL_ERROR_SIGN_HASHES_FAILURE , (SSL_ERROR_BASE + 66),
-"Unable to digitally sign data required to verify your certificate.")
-
-ER3(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE , (SSL_ERROR_BASE + 67),
-"SSL was unable to extract the public key from the peer's certificate.")
-
-ER3(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 68),
-"Unspecified failure while processing SSL Server Key Exchange handshake.")
-
-ER3(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE , (SSL_ERROR_BASE + 69),
-"Unspecified failure while processing SSL Client Key Exchange handshake.")
-
-ER3(SSL_ERROR_ENCRYPTION_FAILURE , (SSL_ERROR_BASE + 70),
-"Bulk data encryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILURE , (SSL_ERROR_BASE + 71),
-"Bulk data decryption algorithm failed in selected cipher suite.")
-
-ER3(SSL_ERROR_SOCKET_WRITE_FAILURE , (SSL_ERROR_BASE + 72),
-"Attempt to write encrypted data to underlying socket failed.")
-
-ER3(SSL_ERROR_MD5_DIGEST_FAILURE , (SSL_ERROR_BASE + 73),
-"MD5 digest function failed.")
-
-ER3(SSL_ERROR_SHA_DIGEST_FAILURE , (SSL_ERROR_BASE + 74),
-"SHA-1 digest function failed.")
-
-ER3(SSL_ERROR_MAC_COMPUTATION_FAILURE , (SSL_ERROR_BASE + 75),
-"MAC computation failed.")
-
-ER3(SSL_ERROR_SYM_KEY_CONTEXT_FAILURE , (SSL_ERROR_BASE + 76),
-"Failure to create Symmetric Key context.")
-
-ER3(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE , (SSL_ERROR_BASE + 77),
-"Failure to unwrap the Symmetric key in Client Key Exchange message.")
-
-ER3(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED , (SSL_ERROR_BASE + 78),
-"SSL Server attempted to use domestic-grade public key with export cipher suite.")
-
-ER3(SSL_ERROR_IV_PARAM_FAILURE , (SSL_ERROR_BASE + 79),
-"PKCS11 code failed to translate an IV into a param.")
-
-ER3(SSL_ERROR_INIT_CIPHER_SUITE_FAILURE , (SSL_ERROR_BASE + 80),
-"Failed to initialize the selected cipher suite.")
-
-ER3(SSL_ERROR_SESSION_KEY_GEN_FAILURE , (SSL_ERROR_BASE + 81),
-"Client failed to generate session keys for SSL session.")
-
-ER3(SSL_ERROR_NO_SERVER_KEY_FOR_ALG , (SSL_ERROR_BASE + 82),
-"Server has no key for the attempted key exchange algorithm.")
-
-ER3(SSL_ERROR_TOKEN_INSERTION_REMOVAL , (SSL_ERROR_BASE + 83),
-"PKCS#11 token was inserted or removed while operation was in progress.")
-
-ER3(SSL_ERROR_TOKEN_SLOT_NOT_FOUND , (SSL_ERROR_BASE + 84),
-"No PKCS#11 token could be found to do a required operation.")
-
-ER3(SSL_ERROR_NO_COMPRESSION_OVERLAP , (SSL_ERROR_BASE + 85),
-"Cannot communicate securely with peer: no common compression algorithm(s).")
-
-ER3(SSL_ERROR_HANDSHAKE_NOT_COMPLETED , (SSL_ERROR_BASE + 86),
-"Cannot initiate another SSL handshake until current handshake is complete.")
-
-ER3(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE , (SSL_ERROR_BASE + 87),
-"Received incorrect handshakes hash values from peer.")
-
-ER3(SSL_ERROR_CERT_KEA_MISMATCH , (SSL_ERROR_BASE + 88),
-"The certificate provided cannot be used with the selected key exchange algorithm.")
-
-ER3(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA , (SSL_ERROR_BASE + 89),
-"No certificate authority is trusted for SSL client authentication.")
-
-ER3(SSL_ERROR_SESSION_NOT_FOUND , (SSL_ERROR_BASE + 90),
-"Client's SSL session ID not found in server's session cache.")
-
-ER3(SSL_ERROR_DECRYPTION_FAILED_ALERT , (SSL_ERROR_BASE + 91),
-"Peer was unable to decrypt an SSL record it received.")
-
-ER3(SSL_ERROR_RECORD_OVERFLOW_ALERT , (SSL_ERROR_BASE + 92),
-"Peer received an SSL record that was longer than is permitted.")
-
-ER3(SSL_ERROR_UNKNOWN_CA_ALERT , (SSL_ERROR_BASE + 93),
-"Peer does not recognize and trust the CA that issued your certificate.")
-
-ER3(SSL_ERROR_ACCESS_DENIED_ALERT , (SSL_ERROR_BASE + 94),
-"Peer received a valid certificate, but access was denied.")
-
-ER3(SSL_ERROR_DECODE_ERROR_ALERT , (SSL_ERROR_BASE + 95),
-"Peer could not decode an SSL handshake message.")
-
-ER3(SSL_ERROR_DECRYPT_ERROR_ALERT , (SSL_ERROR_BASE + 96),
-"Peer reports failure of signature verification or key exchange.")
-
-ER3(SSL_ERROR_EXPORT_RESTRICTION_ALERT , (SSL_ERROR_BASE + 97),
-"Peer reports negotiation not in compliance with export regulations.")
-
-ER3(SSL_ERROR_PROTOCOL_VERSION_ALERT , (SSL_ERROR_BASE + 98),
-"Peer reports incompatible or unsupported protocol version.")
-
-ER3(SSL_ERROR_INSUFFICIENT_SECURITY_ALERT , (SSL_ERROR_BASE + 99),
-"Server requires ciphers more secure than those supported by client.")
-
-ER3(SSL_ERROR_INTERNAL_ERROR_ALERT , (SSL_ERROR_BASE + 100),
-"Peer reports it experienced an internal error.")
-
-ER3(SSL_ERROR_USER_CANCELED_ALERT , (SSL_ERROR_BASE + 101),
-"Peer user canceled handshake.")
-
-ER3(SSL_ERROR_NO_RENEGOTIATION_ALERT , (SSL_ERROR_BASE + 102),
-"Peer does not permit renegotiation of SSL security parameters.")
-
-ER3(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED , (SSL_ERROR_BASE + 103),
-"SSL server cache not configured and not disabled for this socket.")
-
-ER3(SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT , (SSL_ERROR_BASE + 104),
-"SSL peer does not support requested TLS hello extension.")
-
-ER3(SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT , (SSL_ERROR_BASE + 105),
-"SSL peer could not obtain your certificate from the supplied URL.")
-
-ER3(SSL_ERROR_UNRECOGNIZED_NAME_ALERT , (SSL_ERROR_BASE + 106),
-"SSL peer has no certificate for the requested DNS name.")
-
-ER3(SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT , (SSL_ERROR_BASE + 107),
-"SSL peer was unable to get an OCSP response for its certificate.")
-
-ER3(SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT , (SSL_ERROR_BASE + 108),
-"SSL peer reported bad certificate hash value.")
diff --git a/pki/base/native-tools/src/tkstool/delete.c b/pki/base/native-tools/src/tkstool/delete.c
deleted file mode 100644
index f40e66d16..000000000
--- a/pki/base/native-tools/src/tkstool/delete.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/* --- BEGIN COPYRIGHT BLOCK ---
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * --- END COPYRIGHT BLOCK ---
- */
-
-#include "tkstool.h"
-
-static SECStatus
-DeleteKey( char *keyname,
- PK11SymKey *key )
-{
- char *name = NULL;
- SECStatus rv = SECFailure;
-
- name = PK11_GetSymKeyNickname( /* symmetric key */ key );
- if( name == NULL ) {
- name = PORT_Strdup( "< orphaned >" );
- }
-
- /* Delete this key ONLY if its name is the specified keyname */
- /* */
- /* NOTE: If duplicate keys are allowed to be added to an */
- /* individual token, this function will delete */
- /* EVERY key named by the specified keyname; */
- /* therefore, MORE than ONE key may be DELETED from */
- /* the specified token!!! */
- if( PL_strcmp( keyname, name ) == 0 ) {
- rv = PK11_DeleteTokenSymKey( /* symmetric key */ key );
- }
-
- PORT_Free( name );
-
- return rv;
-}
-
-
-SECStatus
-TKS_DeleteKeys( char *progName,
- PK11SlotInfo *slot,
- char *keyname,
- secuPWData *pwdata )
-{
- int count = 0;
- int keys_deleted = 0;
- PK11SymKey *symKey = NULL;
- PK11SymKey *nextSymKey = NULL;
- SECStatus rvDelete = SECFailure;
- SECStatus rv;
-
- if( PK11_NeedLogin( /* slot */ slot ) ) {
- PK11_Authenticate(
- /* slot */ slot,
- /* load certs */ PR_TRUE,
- /* wincx */ pwdata );
- }
-
- /* Initialize the symmetric key list. */
- symKey = PK11_ListFixedKeysInSlot(
- /* slot */ slot,
- /* nickname */ NULL,
- /* wincx */ ( void *) pwdata );
-
- /* Iterate through the symmetric key list. */
- while( symKey != NULL ) {
- rvDelete = DeleteKey( keyname,
- symKey );
- if( rvDelete != SECFailure ) {
- keys_deleted++;
- }
-
- nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey );
- PK11_FreeSymKey( /* symmetric key */ symKey );
- symKey = nextSymKey;
-
- count++;
- }
-
- if( keys_deleted == 0 ) {
- PR_fprintf( PR_STDOUT,
- "\t%s: no key(s) called \"%s\" could be deleted\n",
- progName,
- keyname );
-
- rv = SECFailure;
- } else {
- PR_fprintf( PR_STDOUT,
- "%s: %d key(s) called \"%s\" were deleted\n",
- progName,
- keys_deleted,
- keyname );
-
- rv = SECSuccess;
- }
-
- return rv;
-}
-
diff --git a/pki/base/native-tools/src/tkstool/file.c b/pki/base/native-tools/src/tkstool/file.c
deleted file mode 100644
index d757225fc..000000000
--- a/pki/base/native-tools/src/tkstool/file.c
+++ /dev/null
@@ -1,518 +0,0 @@
-/* --- BEGIN COPYRIGHT BLOCK ---
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * --- END COPYRIGHT BLOCK ---
- */
-
-#include "tkstool.h"
-
-SECStatus
-TKS_ReadInputFileIntoSECItem( char *input,
- char *hexInternalKeyKCV,
- int hexInternalKeyKCVLength,
- char *wrappedKeyName,
- SECItem *wrappedKey )
-{
- char buf[1];
- PRFileDesc *fd = NULL;
- PRInt32 c = 0;
- PRInt32 k = 0;
- PRInt32 count = 0;
- PRIntn firstCount = 0;
- PRIntn secondCount = 0;
- PRIntn thirdCount = 0;
- PRIntn i = 0;
- SECItem hexWrappedKey = { siBuffer,
- NULL,
- 0 };
- SECStatus status = SECFailure;
-
- /* Create a clean new hex display buffer for this wrapped key */
- hexWrappedKey.type = ( SECItemType ) siBuffer;
- hexWrappedKey.len = ( ( wrappedKey->len * 2 ) + 1 );
- hexWrappedKey.data = ( unsigned char * )
- PORT_ZAlloc( hexWrappedKey.len );
- if( hexWrappedKey.data == NULL ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* open the input file read-only */
- fd = PR_OpenFile( input, PR_RDONLY, 0666 );
- if( !fd ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* read in the wrapped key */
- while( c < HEX_WRAPPED_KEY_LENGTH ) {
- /* read in the next byte */
- count = PR_Read( fd, buf, 1 );
-
- /* check for EOF */
- if( count > 0 ) {
- /* save acceptable hex characters */
- /* silently throw anything else away */
- switch( *buf ) {
- case '0':
- case '1':
- case '2':
- case '3':
- case '4':
- case '5':
- case '6':
- case '7':
- case '8':
- case '9':
- /* acceptable character; save it as typed */
- hexWrappedKey.data[c] = buf[0];
- break;
- case 'A':
- case 'a':
- /* acceptable character; save uppercase version */
- hexWrappedKey.data[c] = 'A';
- break;
- case 'B':
- case 'b':
- /* acceptable character; save uppercase version */
- hexWrappedKey.data[c] = 'B';
- break;
- case 'C':
- case 'c':
- /* acceptable character; save uppercase version */
- hexWrappedKey.data[c] = 'C';
- break;
- case 'D':
- case 'd':
- /* acceptable character; save uppercase version */
- hexWrappedKey.data[c] = 'D';
- break;
- case 'E':
- case 'e':
- /* acceptable character; save uppercase version */
- hexWrappedKey.data[c] = 'E';
- break;
- case 'F':
- case 'f':
- /* acceptable character; save uppercase version */
- hexWrappedKey.data[c] = 'F';
- break;
- default:
- /* unacceptable character; don't save it */
- continue;
- }
-
- /* increment the number of wrapped key bytes read */
- c++;
- }
- }
-
- /* insure that the wrapped key was completely obtained */
- if( c != HEX_WRAPPED_KEY_LENGTH ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* Convert these wrapped key hex digits */
- /* into the data portion of a SECItem */
- TKS_ConvertStringOfHexCharactersIntoBitStream( ( char * ) hexWrappedKey.data,
- ( hexWrappedKey.len - 1 ),
- wrappedKey->data );
-
- /* read in the wrapped key KCV */
- while( k < HEX_WRAPPED_KEY_KCV_LENGTH ) {
- count = PR_Read( fd, buf, 1 );
-
- if( count > 0 ) {
- /* save acceptable hex characters; silently */
- /* throw anything else away */
- switch( *buf ) {
- case '0':
- case '1':
- case '2':
- case '3':
- case '4':
- case '5':
- case '6':
- case '7':
- case '8':
- case '9':
- /* acceptable character; save it as typed */
- hexInternalKeyKCV[k] = buf[0];
- break;
- case 'A':
- case 'a':
- /* acceptable character; save uppercase version */
- hexInternalKeyKCV[k] = 'A';
- break;
- case 'B':
- case 'b':
- /* acceptable character; save uppercase version */
- hexInternalKeyKCV[k] = 'B';
- break;
- case 'C':
- case 'c':
- /* acceptable character; save uppercase version */
- hexInternalKeyKCV[k] = 'C';
- break;
- case 'D':
- case 'd':
- /* acceptable character; save uppercase version */
- hexInternalKeyKCV[k] = 'D';
- break;
- case 'E':
- case 'e':
- /* acceptable character; save uppercase version */
- hexInternalKeyKCV[k] = 'E';
- break;
- case 'F':
- case 'f':
- /* acceptable character; save uppercase version */
- hexInternalKeyKCV[k] = 'F';
- break;
- default:
- /* unacceptable character; don't save it */
- continue;
- }
-
- /* increment the number of key KCV bytes read */
- k++;
- }
- }
-
- /* insure that the wrapped key KCV was completely obtained */
- if( k != HEX_WRAPPED_KEY_KCV_LENGTH ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* For convenience, display the read-in wrapped key */
- /* and its associated KCV to the user. */
- if( hexWrappedKey.data != NULL ) {
- /* Display this final wrapped key */
- if( ( hexWrappedKey.len - 1 ) !=
- HEX_WRAPPED_KEY_LENGTH ) {
- /* invalid key length */
- PR_fprintf( PR_STDERR,
- "ERROR: Invalid data length of %d bytes!\n\n\n",
- hexWrappedKey.len );
- status = SECFailure;
- goto destroyHexWrappedKey;
- } else {
- /* Print wrapped data blob */
- PR_fprintf( PR_STDOUT,
- "\n wrapped data: " );
-
- /* Print first DES_LENGTH bytes */
- if( wrappedKey->len == ( 3 * DES_LENGTH ) ) {
- firstCount = ( ( hexWrappedKey.len - 1 ) / 3 );
- } else {
- firstCount = ( ( hexWrappedKey.len - 1 ) / 2 );
- }
- for( i = 0; i < firstCount; i += 4 ) {
- PR_fprintf( PR_STDOUT,
- "%c%c%c%c ",
- hexWrappedKey.data[i],
- hexWrappedKey.data[i + 1],
- hexWrappedKey.data[i + 2],
- hexWrappedKey.data[i + 3] );
- }
-
- /* Print appropriate padding length */
- PR_fprintf( PR_STDOUT, "\n " );
-
- /* Print second DES_LENGTH bytes */
- secondCount = firstCount * 2;
- for( i = firstCount; i < secondCount; i += 4 ) {
- PR_fprintf( PR_STDOUT,
- "%c%c%c%c ",
- hexWrappedKey.data[i],
- hexWrappedKey.data[i + 1],
- hexWrappedKey.data[i + 2],
- hexWrappedKey.data[i + 3] );
- }
-
- /* print out last 8 bytes of triple-DES keys */
- if( wrappedKey->len == ( 3 * DES_LENGTH ) ) {
- /* Print appropriate padding length */
- PR_fprintf( PR_STDOUT, "\n " );
-
- /* Print third DES_LENGTH bytes */
- thirdCount = hexWrappedKey.len;
- for( i = secondCount; i < thirdCount; i += 4 ) {
- PR_fprintf( PR_STDOUT,
- "%c%c%c%c ",
- hexWrappedKey.data[i],
- hexWrappedKey.data[i + 1],
- hexWrappedKey.data[i + 2],
- hexWrappedKey.data[i + 3] );
- }
- }
-
- /* Print appropriate vertical spacing */
- PR_fprintf( PR_STDOUT, "\n\n\n" );
- }
- }
-
- if( hexInternalKeyKCV != NULL ) {
- /* Display this final wrapped key's KCV */
- if( ( hexInternalKeyKCVLength - 1 ) !=
- HEX_WRAPPED_KEY_KCV_LENGTH ) {
- /* invalid key length */
- PR_fprintf( PR_STDERR,
- "ERROR: Invalid key KCV length "
- "of %d bytes!\n\n\n",
- hexInternalKeyKCVLength );
- status = SECFailure;
- goto destroyHexWrappedKey;
- } else {
- PR_fprintf( PR_STDOUT,
- " master key KCV: "
- "%c%c%c%c %c%c%c%c\n (pre-computed KCV of the "
- "master key residing inside the wrapped data)\n\n\n",
- hexInternalKeyKCV[0],
- hexInternalKeyKCV[1],
- hexInternalKeyKCV[2],
- hexInternalKeyKCV[3],
- hexInternalKeyKCV[4],
- hexInternalKeyKCV[5],
- hexInternalKeyKCV[6],
- hexInternalKeyKCV[7] );
- }
- }
-
- /* close the input file */
- PR_Close( fd );
-
- status = SECSuccess;
-
-destroyHexWrappedKey:
- /* Destroy the hex wrapped key */
- if( hexWrappedKey.data != NULL ) {
- PORT_ZFree( ( unsigned char * )
- hexWrappedKey.data,
- hexWrappedKey.len );
- hexWrappedKey.data = NULL;
- hexWrappedKey.len = 0;
- }
-
- return status;
-}
-
-
-SECStatus
-TKS_WriteSECItemIntoOutputFile( SECItem *wrappedKey,
- char *wrappedKeyName,
- char *hexInternalKeyKCV,
- int hexInternalKeyKCVLength,
- char *output )
-{
- PRFileDesc *fd = NULL;
- PRInt32 count = 0;
- PRInt32 r = 0;
- PRIntn firstCount = 0;
- PRIntn secondCount = 0;
- PRIntn thirdCount = 0;
- PRIntn i = 0;
- SECItem hexWrappedKey = { siBuffer,
- NULL,
- 0 };
- SECStatus status = SECFailure;
-
- /* Create a clean new hex display buffer for this wrapped key */
- hexWrappedKey.type = ( SECItemType ) siBuffer;
- hexWrappedKey.len = ( ( wrappedKey->len * 2 ) + 1 );
- hexWrappedKey.data = ( unsigned char * )
- PORT_ZAlloc( hexWrappedKey.len );
- if( hexWrappedKey.data == NULL ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* Convert this wrapped key into hex digits */
- TKS_StringToHex( ( PRUint8 * ) wrappedKey->data,
- ( PRIntn ) wrappedKey->len,
- ( PRUint8 * ) hexWrappedKey.data,
- ( PRIntn ) hexWrappedKey.len );
-
- /* For convenience, display this wrapped key to the user. */
- if( hexWrappedKey.data != NULL ) {
- /* Display this final wrapped key */
- if( ( hexWrappedKey.len - 1 ) !=
- HEX_WRAPPED_KEY_LENGTH ) {
- /* invalid key length */
- PR_fprintf( PR_STDERR,
- "ERROR: Invalid data length of %d bytes!\n\n\n",
- hexWrappedKey.len );
- status = SECFailure;
- goto destroyHexWrappedKey;
- } else {
- /* Print wrapped data blob */
- PR_fprintf( PR_STDOUT,
- " wrapped data: " );
-
- /* Print first DES_LENGTH bytes */
- if( wrappedKey->len == ( 3 * DES_LENGTH ) ) {
- firstCount = ( ( hexWrappedKey.len - 1 ) / 3 );
- } else {
- firstCount = ( ( hexWrappedKey.len - 1 ) / 2 );
- }
- for( i = 0; i < firstCount; i += 4 ) {
- PR_fprintf( PR_STDOUT,
- "%c%c%c%c ",
- hexWrappedKey.data[i],
- hexWrappedKey.data[i + 1],
- hexWrappedKey.data[i + 2],
- hexWrappedKey.data[i + 3] );
- }
-
- /* Print appropriate padding length */
- PR_fprintf( PR_STDOUT, "\n " );
-
- /* Print second DES_LENGTH bytes */
- secondCount = firstCount * 2;
- for( i = firstCount; i < secondCount; i += 4 ) {
- PR_fprintf( PR_STDOUT,
- "%c%c%c%c ",
- hexWrappedKey.data[i],
- hexWrappedKey.data[i + 1],
- hexWrappedKey.data[i + 2],
- hexWrappedKey.data[i + 3] );
- }
-
- /* print out last 8 bytes of triple-DES keys */
- if( wrappedKey->len == ( 3 * DES_LENGTH ) ) {
- /* Print appropriate padding length */
- PR_fprintf( PR_STDOUT, "\n " );
-
- /* Print third DES_LENGTH bytes */
- thirdCount = hexWrappedKey.len;
- for( i = secondCount; i < thirdCount; i += 4 ) {
- PR_fprintf( PR_STDOUT,
- "%c%c%c%c ",
- hexWrappedKey.data[i],
- hexWrappedKey.data[i + 1],
- hexWrappedKey.data[i + 2],
- hexWrappedKey.data[i + 3] );
- }
- }
-
- /* Print appropriate vertical spacing */
- PR_fprintf( PR_STDOUT, "\n\n\n" );
- }
- }
-
- /* For convenience, display this wrapped key's */
- /* master key KCV to the user. */
- if( ( hexInternalKeyKCV != NULL ) &&
- ( hexInternalKeyKCVLength == HEX_WRAPPED_KEY_KCV_LENGTH ) ) {
- /* display this wrapped key's computed KCV value (in hex) */
- PR_fprintf( PR_STDOUT,
- " master key KCV: "
- "%c%c%c%c %c%c%c%c\n (computed KCV of the "
- "master key residing inside the wrapped data)\n\n\n",
- hexInternalKeyKCV[0],
- hexInternalKeyKCV[1],
- hexInternalKeyKCV[2],
- hexInternalKeyKCV[3],
- hexInternalKeyKCV[4],
- hexInternalKeyKCV[5],
- hexInternalKeyKCV[6],
- hexInternalKeyKCV[7] );
- }
-
- /* open the output file read-write */
- fd = PR_OpenFile( output, ( PR_RDWR | PR_CREATE_FILE ), 0666 );
- if( !fd ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* write out the wrapped key (in hex) to the output file */
- while( count < HEX_WRAPPED_KEY_LENGTH ) {
- /* write out 4 bytes */
- r = PR_Write( fd, &( hexWrappedKey.data[count] ), 4 );
- if( r != 4 ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* increment the byte count by 4 */
- count += 4;
-
- if( count >= HEX_WRAPPED_KEY_LENGTH ) {
- r = PR_Write( fd, "\n", 1 );
- if( r != 1 ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
- } else {
- r = PR_Write( fd, " ", 1 );
- if( r != 1 ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
- }
- }
-
- /* reinitialize count */
- count = 0;
-
- /* write out the master key KCV (in hex) to the output file */
- while( count < HEX_WRAPPED_KEY_KCV_LENGTH ) {
- /* write out 4 bytes */
- r = PR_Write( fd, &( hexInternalKeyKCV[count] ), 4 );
- if( r != 4 ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
-
- /* increment the byte count by 4 */
- count += 4;
-
- if( count >= HEX_WRAPPED_KEY_KCV_LENGTH ) {
- r = PR_Write( fd, "\n", 1 );
- if( r != 1 ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
- } else {
- r = PR_Write( fd, " ", 1 );
- if( r != 1 ) {
- status = SECFailure;
- goto destroyHexWrappedKey;
- }
- }
- }
-
- /* close the output file */
- PR_Close( fd );
-
- status = SECSuccess;
-
-destroyHexWrappedKey:
- /* Destroy the hex wrapped key */
- if( hexWrappedKey.data != NULL ) {
- PORT_ZFree( ( unsigned char * )
- hexWrappedKey.data,
- hexWrappedKey.len );
- hexWrappedKey.data = NULL;
- hexWrappedKey.len = 0;
- }
-
- return status;
-}
-
diff --git a/pki/base/native-tools/src/tkstool/find.c b/pki/base/native-tools/src/tkstool/find.c
deleted file mode 100644
index 8926d5cbb..000000000
--- a/pki/base/native-tools/src/tkstool/find.c
+++ /dev/null
@@ -1,81 +0,0 @@
-/* --- BEGIN COPYRIGHT BLOCK ---
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * --- END COPYRIGHT BLOCK ---
- */
-
-#include "tkstool.h"
-
-SECStatus
-TKS_FindSymKey( PK11SlotInfo *slot,
- char *keyname,
- void *pwdata )
-{
- char *name = NULL;
- int count = 0;
- int keys_found = 0;
- PK11SymKey *symKey = NULL;
- PK11SymKey *nextSymKey = NULL;
- SECStatus rv = SECFailure;
-
- if( PK11_NeedLogin( /* slot */ slot ) ) {
- PK11_Authenticate(
- /* slot */ slot,
- /* load certs */ PR_TRUE,
- /* wincx */ pwdata );
- }
-
- /* Initialize the symmetric key list. */
- symKey = PK11_ListFixedKeysInSlot(
- /* slot */ slot,
- /* nickname */ NULL,
- /* wincx */ ( void *) pwdata );
-
- /* Iterate through the symmetric key list.
*/
- while( symKey != NULL ) {
- name = PK11_GetSymKeyNickname( /* symmetric key */ symKey );
- if( name != NULL ) {
- if( keyname != NULL ) {
- if( PL_strcmp( keyname, name ) == 0 ) {
- keys_found++;
- rv = SECSuccess;
- }
- }
- }
-
- nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey );
- PK11_FreeSymKey( /* symmetric key */ symKey );
- symKey = nextSymKey;
-
- count++;
- }
-
- /* case 1: the token is empty */
- if( count == 0 ) {
- /* the specified token is empty */
- rv = SECFailure;
- }
-
- /* case 2: the specified key is not on this token */
- if( ( keyname != NULL ) &&
- ( keys_found == 0 ) ) {
- /* the key called "keyname" could not be found */
- rv = SECFailure;
- }
-
- return rv;
-}
-
diff --git a/pki/base/native-tools/src/tkstool/help.c b/pki/base/native-tools/src/tkstool/help.c
deleted file mode 100644
index 97c724459..000000000
--- a/pki/base/native-tools/src/tkstool/help.c
+++ /dev/null
@@ -1,499 +0,0 @@
-/* --- BEGIN COPYRIGHT BLOCK ---
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * --- END COPYRIGHT BLOCK ---
- */
-
-#include "tkstool.h"
-
-void
-TKS_Usage( char *progName )
-{
- PR_fprintf( PR_STDERR,
- "Usage: %s -D -n keyname -d DBDir [-h token_name]\n"
- "\t\t[-p DBPrefix] [-f pwfile]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -H\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -I -n keyname -d DBDir [-h token_name]\n"
- "\t\t[-p DBPrefix] [-f pwfile]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -K -n keyname -d DBDir [-h token_name]\n"
- "\t\t[-p DBPrefix] [-f pwfile]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -L -d DBDir [-h all | -h token_name]\n"
- "\t\t[-p DBPrefix] [-n keyname] [-f pwfile] [-x]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -M -n keyname -d DBDir [-h token_name]\n"
- "\t\t[-p DBPrefix] [-f pwfile]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -N -d DBDir\n"
- "\t\t[-p DBPrefix] [-f pwfile]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -P -d DBDir\n"
- "\t\t[-p DBPrefix] [-f pwfile]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -R -n keyname -r new_keyname -d DBDir [-h token_name]\n"
- "\t\t[-p DBPrefix] [-f pwfile]\n\n",
- progName );
- PR_fprintf( PR_STDERR,
- "\t%s -S -d 
DBDir\n" - "\t\t[-p DBPrefix] [-x]\n\n", - progName ); - PR_fprintf( PR_STDERR, - "\t%s -T -n keyname -d DBDir [-h token_name]\n" - "\t\t[-p DBPrefix] [-f pwfile] [-z noisefile]\n\n", - progName ); - PR_fprintf( PR_STDERR, - "\t%s -U -n keyname -d DBDir -t transport_keyname -i infile\n" - "\t\t[-h token_name] [-p DBPrefix] [-f pwfile]\n\n", - progName ); - PR_fprintf( PR_STDERR, - "\t%s -V\n\n", - progName ); - PR_fprintf( PR_STDERR, - "\t%s -W -n keyname -d DBDir -t transport_keyname -o outfile\n" - "\t\t[-h token_name] [-p DBPrefix] [-f pwfile]\n\n", - progName ); - PR_fprintf( PR_STDERR, - "Type \"%s -H\" for more detailed descriptions\n\n", - progName ); -} - - -void -TKS_PrintHelp( char *progName ) -{ - /**********************/ - /* -D command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Delete a key from the token\n", - "-D" ); - PR_fprintf( PR_STDERR, - "%-24s The name of the key to delete\n" - "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token from which to remove key\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -H command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Display this extended help for Usage\n", - "-H" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -I command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Input shares to generate a new transport key\n", - "-I" ); - PR_fprintf( PR_STDERR, - "%-24s The name to assign to the generated transport key\n" 
- "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token in which to generate transport key\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -K command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Display the KCV of the specified key\n", - "-K" ); - PR_fprintf( PR_STDERR, - "%-24s The name of the key to perform a KCV on\n" - "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token on which the named key resides\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -L command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s List out a specified key, or all keys\n", - "-L" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Look on all tokens OR\n" - "%-24s Name of token in which to look for keys\n" - "\t\t [optional]\n", - " -h all |", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module 
database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s The name of the key to list\n" - "\t\t [optional]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "%-24s force the database to open R/W (software only)\n" - "\t\t [optional]\n", - " -x" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -M command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Generate a new master key\n", - "-M" ); - PR_fprintf( PR_STDERR, - "%-24s The name to assign to the generated master key\n" - "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token in which to generate master key\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -N command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Create a new key database (software only)\n", - "-N" ); - PR_fprintf( PR_STDERR, - "%-24s Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Key database prefix (software only)\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -P command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Change the key database password (software only)\n", - "-P" ); - 
PR_fprintf( PR_STDERR, - "%-24s Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Key database prefix (software only)\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -R command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Rename a symmetric key\n", - "-R" ); - PR_fprintf( PR_STDERR, - "%-24s The original name assigned to a pre-existing\n" - "\t\t symmetric key\n" - "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s The new name assigned to the original pre-existing\n" - "\t\t symmetric key\n" - "\t\t [required]\n", - " -r new_keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token in which to generate master key\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -S command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s List all security modules\n", - /*, or print out a single named module\n",*/ - "-S" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s force the database to open R/W (software only)\n" - "\t\t [optional]\n", - " -x" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ 
- /* -T command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Generate a new transport key\n", - "-T" ); - PR_fprintf( PR_STDERR, - "%-24s The name to assign to the generated transport key\n" - "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token in which to generate transport key\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the noise file to be used\n" - "\t\t [optional]\n", - " -z noisefile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -U command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Unwrap the wrapped master key\n", - "-U" ); - PR_fprintf( PR_STDERR, - "%-24s The name to assign to the unwrapped master key\n" - "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s The name of the transport key (e. g. 
- unwrapping key)\n" - "\t\t [required]\n", - " -t transport_keyname" ); - PR_fprintf( PR_STDERR, - "%-24s The filename from which to input the wrapped master key\n" - "\t\t [required]\n", - " -i infile" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token in which to store wrapped master key\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -V command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Display the version number of this tool\n", - "-V" ); - PR_fprintf( PR_STDERR, - "\n" ); - - - /**********************/ - /* -W command options */ - /**********************/ - - PR_fprintf( PR_STDERR, - "%-15s Wrap a newly generated master key\n", - "-W" ); - PR_fprintf( PR_STDERR, - "%-24s The name to assign to the generated master key\n" - "\t\t [required]\n", - " -n keyname" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database directory (HSM);\n" - "\t\t Key database directory (software only)\n" - "\t\t [required]\n", - " -d DBDir" ); - PR_fprintf( PR_STDERR, - "%-24s The name of the transport key (e. g. - wrapping key)\n" - "\t\t [required]\n", - " -t transport_keyname" ); - PR_fprintf( PR_STDERR, - "%-24s The filename in which to output the wrapped master key\n" - "\t\t [required]\n", - " -o outfile" ); - PR_fprintf( PR_STDERR, - "%-24s Name of token in which to generate master key\n" - "\t\t [optional]\n", - " -h token_name" ); - PR_fprintf( PR_STDERR, - "%-24s Security module database prefix\n" - "\t\t [optional]\n", - " -p DBPrefix" ); - PR_fprintf( PR_STDERR, - "%-24s Specify the password file\n" - "\t\t [optional]\n", - " -f pwfile" ); - PR_fprintf( PR_STDERR, - "\n" ); -} - 
diff --git a/pki/base/native-tools/src/tkstool/key.c b/pki/base/native-tools/src/tkstool/key.c
deleted file mode 100644
index 4fd37963b..000000000
--- a/pki/base/native-tools/src/tkstool/key.c
+++ /dev/null
@@ -1,1350 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -#include "tkstool.h" - -/*******************************/ -/** local private functions **/ -/*******************************/ - -/* returns 0 for success, -1 for failure (EOF encountered) */ -static int -InputHexSessionKey( char *sessionKeyShareName, - SECItem *hexSessionKeyShare ) -{ - int fd; - int i; - int count; - int c; - int rv = 0; -#ifdef XP_UNIX - cc_t orig_cc_min; - cc_t orig_cc_time; - tcflag_t orig_lflag; - struct termios tio; -#endif - - PR_fprintf( PR_STDOUT, - "Type in the %s session key share (or ^C to break):\n\n", - sessionKeyShareName ); - PR_fprintf( PR_STDOUT, - "[ ] [ ] [ ] [ ] " - "[ ] [ ] [ ] [ ]\r" ); - - /* turn off echo on stdin & return on 1 char instead of NL */ - fd = fileno( stdin ); - -#if defined( XP_UNIX ) && !defined( VMS ) - tcgetattr( fd, &tio ); - orig_lflag = tio.c_lflag; - orig_cc_min = tio.c_cc[VMIN]; - orig_cc_time = tio.c_cc[VTIME]; - tio.c_lflag &= ~ECHO; - tio.c_lflag &= ~ICANON; - tio.c_cc[VMIN] = 1; - tio.c_cc[VTIME] = 0; - tcsetattr( fd, TCSAFLUSH, &tio ); -#endif - - /* Get user input from keyboard strokes */ - count = 0; - while( count < HEX_SESSION_KEY_BUF_LENGTH ) { -#ifdef VMS - c = 
GENERIC_GETCHAR_NOECHO(); -#elif XP_UNIX - c = getc( stdin ); -#else - c = getch(); -#endif - /* break on EOF */ - if( c == EOF ) { - rv = -1; - break; - } - - /* break on ^C */ - if( c == CTRL_C ) { - rv = -1; - break; - } - - /* save acceptable hex characters; silently throw anything else away */ - switch( c ) { - case '\010': /* backspace */ - /* acceptable character; save it as a NULL value */ - hexSessionKeyShare->data[count] = '\0'; - break; - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - /* acceptable character; save it as typed */ - hexSessionKeyShare->data[count] = c; - break; - case 'A': - case 'a': - /* acceptable character; save uppercase version */ - hexSessionKeyShare->data[count] = 'A'; - break; - case 'B': - case 'b': - /* acceptable character; save uppercase version */ - hexSessionKeyShare->data[count] = 'B'; - break; - case 'C': - case 'c': - /* acceptable character; save uppercase version */ - hexSessionKeyShare->data[count] = 'C'; - break; - case 'D': - case 'd': - /* acceptable character; save uppercase version */ - hexSessionKeyShare->data[count] = 'D'; - break; - case 'E': - case 'e': - /* acceptable character; save uppercase version */ - hexSessionKeyShare->data[count] = 'E'; - break; - case 'F': - case 'f': - /* acceptable character; save uppercase version */ - hexSessionKeyShare->data[count] = 'F'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - - /* adjust the character count appropriately */ - if( c != '\010' ) { - /* only increment the character count if everything is OK */ - count++; - } else { - /* only decrement the character count if a backspace was entered */ - if( count > 0 ) { - count--; - } - } - - /* redisplay the left bracket */ - PR_fprintf( PR_STDOUT, - "\r[" ); - - /* display the characters input so far */ - for( i = 0 ; i < count ; i++ ) { - PR_fprintf( PR_STDOUT, - "%c", - hexSessionKeyShare->data[i] ); - if( ( i 
> 0 ) && - ( ( ( i + 1 ) % 4 ) == 0 ) ) { - PR_fprintf( PR_STDOUT, "] [" ); - } - } - - /* display a "cursor" pointing to the next character */ - PR_fprintf( PR_STDOUT, - "/" ); - - /* display spaces to pad the remainder */ - for( i = ( count + 1 ); - i < HEX_SESSION_KEY_BUF_LENGTH; - i++ ) { - if( ( i % 4 ) != 0 ) { - PR_fprintf( PR_STDOUT, " " ); - } else { - if( ( i > 0 ) && - ( ( i + 1 ) < HEX_SESSION_KEY_BUF_LENGTH ) ) { - PR_fprintf( PR_STDOUT, "] [" ); - PR_fprintf( PR_STDOUT, " " ); - } - } - } - - /* redisplay the right bracket */ - PR_fprintf( PR_STDOUT, - "]" ); - } - - /* Null terminate the entered character sequence */ - hexSessionKeyShare->data[count] = '\0'; - - - /**************************************/ - /* Print the final character sequence */ - /**************************************/ - - /* Clear input line by outputting 78 blank */ - /* spaces from the beginning of this line */ - PR_fprintf( PR_STDOUT, - "\r" - " " - " " ); - - /* Print appropriate key share name */ - PR_fprintf( PR_STDOUT, - "\r %s session key share: ", - sessionKeyShareName ); - - /* Print first DES_LENGTH bytes */ - count = ( ( hexSessionKeyShare->len - 1 ) / 2 ); - for( i = 0; i < count; i += 4 ) { - PR_fprintf( PR_STDOUT, - "%c%c%c%c ", - hexSessionKeyShare->data[i], - hexSessionKeyShare->data[i + 1], - hexSessionKeyShare->data[i + 2], - hexSessionKeyShare->data[i + 3] ); - } - - /* Print appropriate key share padding length */ - PR_fprintf( PR_STDOUT, "\n " ); - for( i = 0; i < PL_strlen( sessionKeyShareName ); i++ ) { - PR_fprintf( PR_STDOUT, " " ); - } - - /* Print second DES_LENGTH bytes */ - for( i = count; i < hexSessionKeyShare->len; i += 4 ) { - PR_fprintf( PR_STDOUT, - "%c%c%c%c ", - hexSessionKeyShare->data[i], - hexSessionKeyShare->data[i + 1], - hexSessionKeyShare->data[i + 2], - hexSessionKeyShare->data[i + 3] ); - } - - /* Print appropriate vertical spacing */ - PR_fprintf( PR_STDOUT, "\n\n\n" ); - -#if defined( XP_UNIX ) && !defined( VMS ) - /* set back 
termio the way it was */ - tio.c_lflag = orig_lflag; - tio.c_cc[VMIN] = orig_cc_min; - tio.c_cc[VTIME] = orig_cc_time; - tcsetattr( fd, TCSAFLUSH, &tio ); -#endif - - return rv; -} - - -/* returns 0 for success, -1 for failure (EOF encountered) */ -static int -InputHexKCV( char *sessionKeyShareName, - PRUint8 *hexKCV ) -{ - int fd; - int i; - int count; - int c; - int rv = 0; -#ifdef XP_UNIX - cc_t orig_cc_min; - cc_t orig_cc_time; - tcflag_t orig_lflag; - struct termios tio; -#endif - - PR_fprintf( PR_STDOUT, - "Type in the corresponding KCV for the " - "%s session key share (or ^C to break):\n\n", - sessionKeyShareName ); - PR_fprintf( PR_STDOUT, - "[ ] [ ]\r" ); - - /* turn off echo on stdin & return on 1 char instead of NL */ - fd = fileno( stdin ); - -#if defined( XP_UNIX ) && !defined( VMS ) - tcgetattr( fd, &tio ); - orig_lflag = tio.c_lflag; - orig_cc_min = tio.c_cc[VMIN]; - orig_cc_time = tio.c_cc[VTIME]; - tio.c_lflag &= ~ECHO; - tio.c_lflag &= ~ICANON; - tio.c_cc[VMIN] = 1; - tio.c_cc[VTIME] = 0; - tcsetattr( fd, TCSAFLUSH, &tio ); -#endif - - /* Get user input from keyboard strokes */ - count = 0; - while( count < HEX_SESSION_KEY_KCV_BUF_LENGTH ) { -#ifdef VMS - c = GENERIC_GETCHAR_NOECHO(); -#elif XP_UNIX - c = getc( stdin ); -#else - c = getch(); -#endif - /* break on EOF */ - if( c == EOF ) { - rv = -1; - break; - } - - /* break on ^C */ - if( c == CTRL_C ) { - rv = -1; - break; - } - - /* save acceptable hex characters; silently throw anything else away */ - switch( c ) { - case '\010': /* backspace */ - /* acceptable character; save it as a NULL value */ - hexKCV[count] = '\0'; - break; - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - /* acceptable character; save it as typed */ - hexKCV[count] = c; - break; - case 'A': - case 'a': - /* acceptable character; save uppercase version */ - hexKCV[count] = 'A'; - break; - case 'B': - case 'b': - /* acceptable character; save 
uppercase version */ - hexKCV[count] = 'B'; - break; - case 'C': - case 'c': - /* acceptable character; save uppercase version */ - hexKCV[count] = 'C'; - break; - case 'D': - case 'd': - /* acceptable character; save uppercase version */ - hexKCV[count] = 'D'; - break; - case 'E': - case 'e': - /* acceptable character; save uppercase version */ - hexKCV[count] = 'E'; - break; - case 'F': - case 'f': - /* acceptable character; save uppercase version */ - hexKCV[count] = 'F'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - - /* adjust the character count appropriately */ - if( c != '\010' ) { - /* only increment the character count if everything is OK */ - count++; - } else { - /* only decrement the character count if a backspace was entered */ - if( count > 0 ) { - count--; - } - } - - /* redisplay the left bracket */ - PR_fprintf( PR_STDOUT, - "\r[" ); - - /* display the characters input so far */ - for( i = 0 ; i < count ; i++ ) { - PR_fprintf( PR_STDOUT, - "%c", - hexKCV[i] ); - if( ( i > 0 ) && - ( ( ( i + 1 ) % 4 ) == 0 ) ) { - PR_fprintf( PR_STDOUT, "] [" ); - } - } - - /* display a "cursor" pointing to the next character */ - PR_fprintf( PR_STDOUT, - "/" ); - - /* display spaces to pad the remainder */ - for( i = ( count + 1 ); - i < HEX_SESSION_KEY_KCV_BUF_LENGTH; - i++ ) { - if( ( i % 4 ) != 0 ) { - PR_fprintf( PR_STDOUT, " " ); - } else { - if( ( i > 0 ) && - ( ( i + 1 ) < HEX_SESSION_KEY_KCV_BUF_LENGTH ) ) { - PR_fprintf( PR_STDOUT, "] [" ); - PR_fprintf( PR_STDOUT, " " ); - } - } - } - - /* redisplay the right bracket */ - PR_fprintf( PR_STDOUT, - "]" ); - } - - /* Null terminate the entered character sequence */ - hexKCV[count] = '\0'; - - - /**************************************/ - /* Print the final character sequence */ - /**************************************/ - - /* Clear input line by outputting 78 blank */ - /* spaces from the beginning of this line */ - PR_fprintf( PR_STDOUT, - "\r" - " " - " " ); - - /* 
display this session key share's entered KCV value (in hex) */ - PR_fprintf( PR_STDOUT, - "\r %s session key share KCV: " - "%c%c%c%c %c%c%c%c\n\n\n", - sessionKeyShareName, - hexKCV[0], - hexKCV[1], - hexKCV[2], - hexKCV[3], - hexKCV[4], - hexKCV[5], - hexKCV[6], - hexKCV[7] ); - -#if defined( XP_UNIX ) && !defined( VMS ) - /* set back termio the way it was */ - tio.c_lflag = orig_lflag; - tio.c_cc[VMIN] = orig_cc_min; - tio.c_cc[VTIME] = orig_cc_time; - tcsetattr( fd, TCSAFLUSH, &tio ); -#endif - - return rv; -} - - -/************************************/ -/** public session key functions **/ -/************************************/ - -SECStatus -TKS_ComputeAndDisplayKCV( PRUint8 *newKey, - PRIntn newKeyLen, - PRUint8 *KCV, - PRIntn KCVLen, - PK11SymKey *symKey, - char *keyName, - char *keyType, - PRBool displayKCV, - PRUint8 *expectedHexKCV ) -{ - int len; - unsigned char value[8]; - PK11SymKey *key = NULL; - PK11SlotInfo *slot = NULL; - PK11Context *context = NULL; - PRIntn hexKCVLen = ( 2 * KCVLen ) + 1; - PRUint8 *hexKCV = NULL; - PRUint8 *keyData = NULL; - SECItem keyItem = { siBuffer, - NULL, - 0 }; - SECItem noParams = { siBuffer, - NULL, - 0 }; - SECStatus s = SECFailure; - SECStatus status = SECFailure; - - /* for all keys except keys that are resident/wrapped/unwrapped . . . 
*/ - if( ( PL_strcmp( keyType, RESIDENT_KEY ) != 0 ) && - ( PL_strcmp( keyType, UNWRAPPED_KEY ) != 0 ) && - ( PL_strcmp( keyType, WRAPPED_KEY ) != 0 ) ) { - slot = PK11_GetInternalKeySlot(); - - if( newKeyLen == ( 2 * DES_LENGTH ) ) { -#if defined(PAD_DES2_KEY_LENGTH) - /* double-DES key */ - keyData = ( PRUint8 * ) PORT_ZAlloc( newKeyLen + DES_LENGTH ); - - keyItem.type = ( SECItemType ) siBuffer; - keyItem.data = ( unsigned char * ) keyData; - keyItem.len = ( unsigned int ) ( newKeyLen + DES_LENGTH ); - - /* convert 16-byte double-DES key to 24-byte triple-DES key */ - PORT_Memcpy( keyData, newKey, newKeyLen ); - PORT_Memcpy( ( keyData + ( 2 * DES_LENGTH ) ), - newKey, DES_LENGTH ); -#else - /* double-DES key */ - keyData = ( PRUint8 * ) PORT_ZAlloc( newKeyLen ); - - keyItem.type = ( SECItemType ) siBuffer; - keyItem.data = ( unsigned char * ) keyData; - keyItem.len = ( unsigned int ) newKeyLen; - - PORT_Memcpy( keyData, newKey, newKeyLen ); -#endif - } else if( newKeyLen == ( 3 * DES_LENGTH ) ) { - /* triple-DES key */ - keyData = ( PRUint8 * ) PORT_ZAlloc( newKeyLen ); - - keyItem.type = ( SECItemType ) siBuffer; - keyItem.data = ( unsigned char * ) keyData; - keyItem.len = ( unsigned int ) newKeyLen; - - PORT_Memcpy( keyData, newKey, newKeyLen ); - } else { - /* invalid key size */ - PR_fprintf( PR_STDOUT, - "Attempting to perform KCV on invalid key length!\n\n\n" ); - status = SECFailure; - goto done; - } - - key = PK11_ImportSymKeyWithFlags( - /* slot */ slot, - /* mechanism type */ CKM_DES3_ECB, - /* origin */ PK11_OriginGenerated, - /* operation */ CKA_ENCRYPT, - /* key */ &keyItem, - /* flags */ CKF_ENCRYPT, - /* isPerm */ PR_FALSE, - /* wincx */ 0 ); - - if( ! key ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to import %s key!\n\n\n", - keyType ); - status = SECFailure; - goto done; - } - } else { - /* since resident/wrapped/unwrapped keys are already present . . . 
*/ - key = symKey; - } - - PORT_Memset( value, 0, sizeof( value ) ); - - context = PK11_CreateContextBySymKey( - /* mechanism type */ CKM_DES3_ECB, - /* operation */ CKA_ENCRYPT, - /* symmetric key */ key, - /* param */ &noParams ); - - if( ! context ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to create crypto context!\n\n\n" ); - status = SECFailure; - goto done; - } - - s = PK11_CipherOp( - /* context */ context, - /* output */ &value[0], - /* output length */ &len, - /* maximum output length */ DES_LENGTH, - /* input */ &value[0], - /* input length */ DES_LENGTH ); - if( s != SECSuccess) { - PR_fprintf( PR_STDERR, - "ERROR: CipherOp Failed!\n\n\n" ); - status = SECFailure; - goto done; - } - - KCV = ( PRUint8 * ) PORT_ZAlloc( KCVLen ); - - PORT_Memcpy( KCV, value, KCVLen ); - - /* Create a clean new display buffer for this */ - /* symmetric key/session key share KCV */ - hexKCV = ( PRUint8 * ) PORT_ZAlloc( hexKCVLen ); - if( hexKCV == NULL ) { - status = SECFailure; - goto done; - } - - /* Display the symmetric key/session key share KCV (in hex digits) */ - TKS_StringToHex( ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - ( PRUint8 * ) hexKCV, - ( PRIntn ) hexKCVLen ); - - if( displayKCV != PR_FALSE ) { - /********************************************/ - /* The following code is ONLY relevant to: */ - /* */ - /* (1) resident, */ - /* (2) session, */ - /* (3) symmetric, and */ - /* (4) transport keys. 
*/ - /* */ - /********************************************/ - - if( PL_strcmp( keyType, RESIDENT_KEY ) == 0 ) { - /* display this resident key's computed KCV value (in hex) */ - PR_fprintf( PR_STDOUT, - " %s key KCV: " - "%c%c%c%c %c%c%c%c\n\n\n", - keyName, - hexKCV[0], - hexKCV[1], - hexKCV[2], - hexKCV[3], - hexKCV[4], - hexKCV[5], - hexKCV[6], - hexKCV[7] ); - } else if( PL_strcmp( keyType, SESSION_KEY ) == 0 ) { - /* display this session key share's computed KCV value (in hex) */ - PR_fprintf( PR_STDOUT, - " %s session key share KCV: " - "%c%c%c%c %c%c%c%c\n\n\n", - keyName, - hexKCV[0], - hexKCV[1], - hexKCV[2], - hexKCV[3], - hexKCV[4], - hexKCV[5], - hexKCV[6], - hexKCV[7] ); - } else if( PL_strcmp( keyType, SYMMETRIC_KEY ) == 0 ) { - /* display this symmetric key's computed KCV value (in hex) */ - PR_fprintf( PR_STDOUT, - " %s key KCV: " - "%c%c%c%c %c%c%c%c\n\n\n", - keyName, - hexKCV[0], - hexKCV[1], - hexKCV[2], - hexKCV[3], - hexKCV[4], - hexKCV[5], - hexKCV[6], - hexKCV[7] ); - } else if( PL_strcmp( keyType, TRANSPORT_KEY ) == 0 ) { - /* display this transport key's computed KCV value (in hex) */ - PR_fprintf( PR_STDOUT, - " %s key KCV: " - "%c%c%c%c %c%c%c%c\n\n\n", - keyName, - hexKCV[0], - hexKCV[1], - hexKCV[2], - hexKCV[3], - hexKCV[4], - hexKCV[5], - hexKCV[6], - hexKCV[7] ); - } - } else { - /**********************************************/ - /* The following code is ONLY relevant to: */ - /* */ - /* (1) session keys, */ - /* (2) keys that have been unwrapped, and */ - /* (3) keys that will be wrapped. 
*/ - /* */ - /**********************************************/ - - if( PL_strcmp( keyType, SESSION_KEY ) == 0 ) { - /* compare this session key share's computed KCV value (in hex) */ - /* with the expected KCV value (in hex) */ - if( PL_strcmp( ( const char * ) hexKCV, - ( const char * ) expectedHexKCV ) == 0 ) { - PR_fprintf( PR_STDOUT, - "Congratulations, the %s session key share KCV " - "value entered CORRESPONDS\nto the %s session key " - "share value entered!\n", - keyName, - keyName ); - - /* Wait for the user to type "proceed" to continue */ - TKS_TypeProceedToContinue(); - } else { - PR_fprintf( PR_STDOUT, - "Unfortunately, a MISMATCH exists between the %s " - "session key share entered\nand the %s session key " - "share KCV entered. Please try again . . .\n", - keyName, - keyName ); - - /* Wait for the user to type "proceed" to continue */ - TKS_TypeProceedToContinue(); - - status = SECFailure; - goto done; - } - } else if( PL_strcmp( keyType, UNWRAPPED_KEY ) == 0 ) { - PR_fprintf( PR_STDOUT, - " master key KCV: " - "%c%c%c%c %c%c%c%c\n (computed KCV of the " - "master key residing inside the wrapped data)\n\n\n", - hexKCV[0], - hexKCV[1], - hexKCV[2], - hexKCV[3], - hexKCV[4], - hexKCV[5], - hexKCV[6], - hexKCV[7] ); - - PR_fprintf( PR_STDOUT, - " master key KCV: " - "%c%c%c%c %c%c%c%c\n (pre-computed KCV of the " - "master key residing inside the wrapped data)\n\n\n", - expectedHexKCV[0], - expectedHexKCV[1], - expectedHexKCV[2], - expectedHexKCV[3], - expectedHexKCV[4], - expectedHexKCV[5], - expectedHexKCV[6], - expectedHexKCV[7] ); - - /* compare this wrapped key's computed KCV value (in hex) */ - /* with the expected KCV value (in hex) -- silently */ - if( PL_strcmp( ( const char * ) hexKCV, - ( const char * ) expectedHexKCV ) != 0 ) { - PR_fprintf( PR_STDOUT, - "Unfortunately, a MISMATCH exists between the " - "wrapped data read in\nfrom the input file " - "and the master key KCV that was recomputed.\n\n", - keyName, - keyName ); - status = 
SECFailure; - goto done; - } - } else if( PL_strcmp( keyType, WRAPPED_KEY ) == 0 ) { - /* store this master key's computed KCV value (in hex) */ - expectedHexKCV[0] = hexKCV[0]; - expectedHexKCV[1] = hexKCV[1]; - expectedHexKCV[2] = hexKCV[2]; - expectedHexKCV[3] = hexKCV[3]; - expectedHexKCV[4] = hexKCV[4]; - expectedHexKCV[5] = hexKCV[5]; - expectedHexKCV[6] = hexKCV[6]; - expectedHexKCV[7] = hexKCV[7]; - } - } - - status = SECSuccess; - -done: - if( keyItem.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - keyItem.data, - keyItem.len ); - keyItem.data = NULL; - keyItem.len = 0; - } - - if( hexKCV != NULL ) { - PORT_ZFree( ( PRUint8 * ) - hexKCV, - hexKCVLen ); - } - - if( context ) { - PK11_DestroyContext( - /* context */ context, - /* free it */ PR_TRUE ); - } - - if( slot ) { - PK11_FreeSlot( /* slot */ slot ); - } - - /* for all keys except keys that are resident/wrapped/unwrapped . . . */ - if( ( PL_strcmp( keyType, RESIDENT_KEY ) != 0 ) && - ( PL_strcmp( keyType, UNWRAPPED_KEY ) != 0 ) && - ( PL_strcmp( keyType, WRAPPED_KEY ) != 0 ) ) { - if( key ) { - PK11_FreeSymKey( /* symmetric key */ key ); - } - } - - return status; -} - - -SECStatus -TKS_GenerateSessionKeyShare( char *sessionKeyShareName, - SECItem *sessionKeyShare ) -{ - PRIntn count = 0; - PRIntn i = 0; - PRIntn KCVLen = KCV_LENGTH; - PRUint8 *KCV = NULL; - SECItem hexSessionKeyShare = { siBuffer, - NULL, - 0 }; - SECStatus rvKCV = SECFailure; - SECStatus sessionKeyShareStatus = SECFailure; - SECStatus status = SECFailure; - - /* Clear the screen */ - TKS_ClearScreen(); - - /* Generate a new session key share */ - PR_fprintf( PR_STDOUT, - "\nGenerating the %s session key share . . 
.\n\n\n", - sessionKeyShareName ); - - sessionKeyShareStatus = PK11_GenerateRandom( ( unsigned char * ) - /* data */ sessionKeyShare->data, - /* length */ sessionKeyShare->len ); - if( sessionKeyShareStatus != SECSuccess ) { - goto destroyHexSessionKeyShare; - } - - /* Create a clean new display buffer for this session key share */ - hexSessionKeyShare.type = ( SECItemType ) siBuffer; - hexSessionKeyShare.len = ( ( sessionKeyShare->len * 2 ) + 1 ); - hexSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( hexSessionKeyShare.len ); - if( hexSessionKeyShare.data == NULL ) { - goto destroyHexSessionKeyShare; - } - - /* Convert this session key share into hex digits */ - TKS_StringToHex( ( PRUint8 * ) sessionKeyShare->data, - ( PRIntn ) sessionKeyShare->len, - ( PRUint8 * ) hexSessionKeyShare.data, - ( PRIntn ) hexSessionKeyShare.len ); - - /* Adjust the first DES-sized (8-byte) chunk */ - TKS_AdjustOddParity( ( PRUint8 * ) sessionKeyShare->data ); - - /* Adjust the second DES-sized (8-byte) chunk */ - TKS_AdjustOddParity( ( PRUint8 * ) ( sessionKeyShare->data + DES_LENGTH ) ); - - /* Finally, display this session key share */ - /* (adjusted for odd parity in hex digits) */ - TKS_StringToHex( ( PRUint8 * ) sessionKeyShare->data, - ( PRIntn ) sessionKeyShare->len, - ( PRUint8 * ) hexSessionKeyShare.data, - ( PRIntn ) hexSessionKeyShare.len ); - - if( ( ( hexSessionKeyShare.len - 1 ) % 4 ) != 0 ) { - /* invalid key length */ - PR_fprintf( PR_STDERR, - "ERROR: Invalid session key share length " - "of %d bytes!\n\n\n", - hexSessionKeyShare.len ); - goto destroyHexSessionKeyShare; - } else { - /* Print appropriate key share name */ - PR_fprintf( PR_STDOUT, - " %s session key share: ", - sessionKeyShareName ); - - /* Print first DES_LENGTH bytes */ - count = ( ( hexSessionKeyShare.len - 1 ) / 2 ); - for( i = 0; i < count; i += 4 ) { - PR_fprintf( PR_STDOUT, - "%c%c%c%c ", - hexSessionKeyShare.data[i], - hexSessionKeyShare.data[i + 1], - hexSessionKeyShare.data[i + 2], - 
hexSessionKeyShare.data[i + 3] ); - } - - /* Print appropriate key share padding length */ - PR_fprintf( PR_STDOUT, "\n " ); - for( i = 0; i < PL_strlen( sessionKeyShareName ); i++ ) { - PR_fprintf( PR_STDOUT, " " ); - } - - /* Print second DES_LENGTH bytes */ - for( i = count; i < hexSessionKeyShare.len; i += 4 ) { - PR_fprintf( PR_STDOUT, - "%c%c%c%c ", - hexSessionKeyShare.data[i], - hexSessionKeyShare.data[i + 1], - hexSessionKeyShare.data[i + 2], - hexSessionKeyShare.data[i + 3] ); - } - - /* Print appropriate vertical spacing */ - PR_fprintf( PR_STDOUT, "\n\n\n" ); - } - - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) sessionKeyShare->data, - ( PRIntn ) sessionKeyShare->len, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - NULL, - sessionKeyShareName, - SESSION_KEY, - PR_TRUE, - NULL ); - if( rvKCV != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to compute KCV of " - "this %s session key share!\n\n", - sessionKeyShareName ); - goto destroyHexSessionKeyShare; - } - - PR_fprintf( PR_STDOUT, - "(1) Write down and save the value " - "for this %s session key share.\n\n", - sessionKeyShareName ); - - PR_fprintf( PR_STDOUT, - "(2) Write down and save the KCV value " - "for this %s session key share.\n", - sessionKeyShareName ); - - /* Wait for the user to type "proceed" to continue */ - TKS_TypeProceedToContinue(); - - /* Clear the screen */ - TKS_ClearScreen(); - - /* Report success */ - status = SECSuccess; - -destroyHexSessionKeyShare: - /* Destroy the hex session key share */ - if( hexSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - hexSessionKeyShare.data, - hexSessionKeyShare.len ); - hexSessionKeyShare.data = NULL; - hexSessionKeyShare.len = 0; - } - - return status; -} - -SECStatus -TKS_InputSessionKeyShare( char *sessionKeyShareName, - SECItem *sessionKeyShare ) -{ - int rv = 0; - PRIntn KCVLen = KCV_LENGTH; - PRUint8 *KCV = NULL; - SECItem hexSessionKeyShare; - PRIntn hexKCVLen = ( 2 * KCVLen ) + 1; - PRUint8 *hexKCV = NULL; - 
SECStatus rvKCV = SECFailure; - SECStatus status = SECFailure; - - /* Clear the screen */ - TKS_ClearScreen(); - - /* Enter a new session key share */ - PR_fprintf( PR_STDOUT, - "\nEnter the %s session key share . . .\n\n\n", - sessionKeyShareName ); - - /* Create a clean new display buffer for this session key share */ - hexSessionKeyShare.type = ( SECItemType ) siBuffer; - hexSessionKeyShare.len = ( ( sessionKeyShare->len * 2 ) + 1 ); - hexSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( hexSessionKeyShare.len ); - if( hexSessionKeyShare.data == NULL ) { - goto destroyHexSessionKeyShare; - } - - rv = InputHexSessionKey( sessionKeyShareName, - &hexSessionKeyShare ); - if( rv ) { - PORT_SetError( PR_END_OF_FILE_ERROR ); - return SECFailure; - } - - /* Convert these hex digits into a session key share */ - TKS_ConvertStringOfHexCharactersIntoBitStream( ( char * ) hexSessionKeyShare.data, - ( hexSessionKeyShare.len - 1 ), - sessionKeyShare->data ); - - /* Create a clean new display buffer for this session key share KCV */ - hexKCV = ( PRUint8 * ) PORT_ZAlloc( hexKCVLen ); - if( hexKCV == NULL ) { - goto destroyHexSessionKeyShare; - } - - rv = InputHexKCV( sessionKeyShareName, - hexKCV ); - if( rv ) { - PORT_SetError( PR_END_OF_FILE_ERROR ); - return SECFailure; - } - - /* Enter the corresponding KCV */ - PR_fprintf( PR_STDOUT, - "Verifying that this session key share and KCV " - "correspond to each other . . 
.\n\n\n" ); - - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) sessionKeyShare->data, - ( PRIntn ) sessionKeyShare->len, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - NULL, - sessionKeyShareName, - SESSION_KEY, - PR_FALSE, - hexKCV ); - if( rvKCV != SECSuccess ) { - goto destroyHexSessionKeyShare; - } - - /* Clear the screen */ - TKS_ClearScreen(); - - /* Report success */ - status = SECSuccess; - -destroyHexSessionKeyShare: - /* Destroy the hex session key share */ - if( hexSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - hexSessionKeyShare.data, - hexSessionKeyShare.len ); - hexSessionKeyShare.data = NULL; - hexSessionKeyShare.len = 0; - } - - if( hexKCV != NULL ) { - PORT_ZFree( ( PRUint8 * ) - hexKCV, - hexKCVLen ); - } - - return status; -} - - -/**************************************/ -/** public symmetric key functions **/ -/**************************************/ - -PK11SymKey * -TKS_ImportSymmetricKey( char *symmetricKeyName, - PK11SlotInfo *slot, - CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, - SECItem *sessionKeyShare, - secuPWData *pwdata ) -{ - PK11Origin origin = PK11_OriginGenerated; - PK11SymKey *symKey = NULL; - - if( slot == NULL ) { - return NULL; - } - - PR_fprintf( PR_STDOUT, - "\n" ); - PR_fprintf( PR_STDOUT, - "Generating %s symmetric key . . 
.\n\n", - symmetricKeyName ); - - symKey = PK11_ImportSymKeyWithFlags( - /* slot */ slot, - /* mechanism type */ mechanism, - /* origin */ origin, - /* operation */ operation, - /* key */ sessionKeyShare, - /* flags */ 0, - /* isPerm */ PR_FALSE, - /* wincx */ pwdata ); - return symKey; -} - - -PK11SymKey * -TKS_DeriveSymmetricKey( char *symmetricKeyName, - PK11SymKey *symKey, - CK_MECHANISM_TYPE derive, - SECItem *sessionKeyShare, - CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, - int keysize ) -{ - PK11SymKey *newSymKey = NULL; - - if( symKey == NULL ) { - return NULL; - } - - if( keysize <= 0 ) { - return NULL; - } - - PR_fprintf( PR_STDOUT, - "Generating %s symmetric key . . .\n\n", - symmetricKeyName ); - - newSymKey = PK11_Derive( - /* base symmetric key */ symKey, - /* mechanism derive type */ derive, - /* param */ sessionKeyShare, - /* target */ target, - /* operation */ operation, - /* key size */ keysize ); - return newSymKey; -} - - -SECStatus -TKS_StoreSymmetricKeyAndNameIt( char *symmetricKeyName, - char *keyname, - PK11SlotInfo *slot, - CK_ATTRIBUTE_TYPE operation, - CK_FLAGS flags, - PK11SymKey *symKey ) -{ - PK11SymKey *newSymKey = NULL; - PRIntn KCVLen = KCV_LENGTH; - PRUint8 *KCV = NULL; - SECItem *symmetricKey = NULL; - SECStatus rvExtractSymmetricKey = SECFailure; - SECStatus rvKCV = SECFailure; - SECStatus rvSymmetricKeyname = SECFailure; - SECStatus status = SECFailure; -#if defined(DEBUG) - PRIntn firstCount = 0; - PRIntn secondCount = 0; - PRIntn thirdCount = 0; - PRIntn i = 0; - SECItem hexSymmetricKey; -#endif - - PR_fprintf( PR_STDOUT, - "Extracting %s key from operational token . . 
.\n\n", - symmetricKeyName ); - - rvExtractSymmetricKey = PK11_ExtractKeyValue( /* symmetric key */ symKey ); - if( rvExtractSymmetricKey != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to extract the %s key!\n\n", - symmetricKeyName ); - goto destroyHexSymmetricKey; - } - - /* If present, retrieve the raw key data */ - symmetricKey = PK11_GetKeyData( /* symmetric key */ symKey ); - -#if defined(DEBUG) - /* For convenience, display the final symmetric key and */ - /* its associated KCV to the user in DEBUG mode ONLY!!! */ - if( symmetricKey != NULL ) { - - /* Create a clean new display buffer for this symmetric key */ - hexSymmetricKey.type = ( SECItemType ) siBuffer; - hexSymmetricKey.len = ( ( symmetricKey->len * 2 ) + 1 ); - hexSymmetricKey.data = ( unsigned char * ) - PORT_ZAlloc( hexSymmetricKey.len ); - if( hexSymmetricKey.data == NULL ) { - goto destroyHexSymmetricKey; - } - - /* Convert this symmetric key into hex digits */ - TKS_StringToHex( ( PRUint8 * ) symmetricKey->data, - ( PRIntn ) symmetricKey->len, - ( PRUint8 * ) hexSymmetricKey.data, - ( PRIntn ) hexSymmetricKey.len ); - - /* Display this final symmetric key */ - if( ( ( hexSymmetricKey.len - 1 ) % 4 ) != 0 ) { - /* invalid key length */ - PR_fprintf( PR_STDERR, - "ERROR: Invalid symmetric key length " - "of %d bytes!\n\n\n", - hexSymmetricKey.len ); - goto destroyHexSymmetricKey; - } else { - /* Print appropriate key name */ - PR_fprintf( PR_STDOUT, - "\n %s key: ", - symmetricKeyName ); - - /* Print first DES_LENGTH bytes */ - if( symmetricKey->len == ( 3 * DES_LENGTH ) ) { - firstCount = ( ( hexSymmetricKey.len - 1 ) / 3 ); - } else { - firstCount = ( ( hexSymmetricKey.len - 1 ) / 2 ); - } - for( i = 0; i < firstCount; i += 4 ) { - PR_fprintf( PR_STDOUT, - "%c%c%c%c ", - hexSymmetricKey.data[i], - hexSymmetricKey.data[i + 1], - hexSymmetricKey.data[i + 2], - hexSymmetricKey.data[i + 3] ); - } - - /* Print appropriate key padding length */ - PR_fprintf( PR_STDOUT, "\n " ); - for( i 
= 0; i < PL_strlen( symmetricKeyName ); i++ ) { - PR_fprintf( PR_STDOUT, " " ); - } - - /* Print second DES_LENGTH bytes */ - secondCount = firstCount * 2; - for( i = firstCount; i < secondCount; i += 4 ) { - PR_fprintf( PR_STDOUT, - "%c%c%c%c ", - hexSymmetricKey.data[i], - hexSymmetricKey.data[i + 1], - hexSymmetricKey.data[i + 2], - hexSymmetricKey.data[i + 3] ); - } - - /* print out last 8 bytes of triple-DES keys */ - if( symmetricKey->len == ( 3 * DES_LENGTH ) ) { - /* Print appropriate key padding length */ - PR_fprintf( PR_STDOUT, "\n " ); - for( i = 0; i < PL_strlen( symmetricKeyName ); i++ ) { - PR_fprintf( PR_STDOUT, " " ); - } - - /* Print third DES_LENGTH bytes */ - thirdCount = hexSymmetricKey.len; - for( i = secondCount; i < thirdCount; i += 4 ) { - PR_fprintf( PR_STDOUT, - "%c%c%c%c ", - hexSymmetricKey.data[i], - hexSymmetricKey.data[i + 1], - hexSymmetricKey.data[i + 2], - hexSymmetricKey.data[i + 3] ); - } - } - - /* Print appropriate vertical spacing */ - PR_fprintf( PR_STDOUT, "\n\n\n" ); - } - - /* Compute and display this final symmetric key's KCV */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) symmetricKey->data, - ( PRIntn ) symmetricKey->len, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - NULL, - symmetricKeyName, - SYMMETRIC_KEY, - PR_TRUE, - NULL ); - if( rvKCV != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to compute KCV of this %s key!\n\n", - symmetricKeyName ); - goto destroyHexSymmetricKey; - } - } -#else - /* Display the final symmetric key's associated KCV to the user . . . */ - if( symmetricKey != NULL ) { - /* . . . if and only if this is the transport key!!! 
*/ - if( PL_strcmp( symmetricKeyName, TRANSPORT_KEY ) == 0 ) { - /* Compute and display this transport key's KCV */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) symmetricKey->data, - ( PRIntn ) symmetricKey->len, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - NULL, - symmetricKeyName, - TRANSPORT_KEY, - PR_TRUE, - NULL ); - if( rvKCV != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to compute KCV of this %s key!\n\n", - symmetricKeyName ); - goto destroyHexSymmetricKey; - } - } - } -#endif - - PR_fprintf( PR_STDOUT, - "Storing %s key on final specified token . . .\n\n", - symmetricKeyName ); - - newSymKey = PK11_MoveSymKey( - /* slot */ slot, - /* operation */ operation, - /* flags */ flags, - /* permanence */ PR_TRUE, - /* symmetric key */ symKey ); - if( newSymKey == NULL ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to store the %s key: %d!\n\n", - symmetricKeyName, - PR_GetError() ); - goto destroyHexSymmetricKey; - } - - - PR_fprintf( PR_STDOUT, - "Naming %s key \"%s\" . . .\n\n", - symmetricKeyName, - keyname ); - - rvSymmetricKeyname = PK11_SetSymKeyNickname( - /* symmetric key */ newSymKey, - /* nickname */ keyname ); - if( rvSymmetricKeyname != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to name the %s key!\n\n", - symmetricKeyName ); - goto destroyHexSymmetricKey; - } - - status = SECSuccess; - - -destroyHexSymmetricKey: - -#if defined(DEBUG) - /* Destroy the hex symmetric key */ - if( hexSymmetricKey.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - hexSymmetricKey.data, - hexSymmetricKey.len ); - hexSymmetricKey.data = NULL; - hexSymmetricKey.len = 0; - } -#endif - - return status; -} - diff --git a/pki/base/native-tools/src/tkstool/list.c b/pki/base/native-tools/src/tkstool/list.c deleted file mode 100644 index 44173fa36..000000000 --- a/pki/base/native-tools/src/tkstool/list.c +++ /dev/null 
@@ -1,181 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -#include "tkstool.h" - -/* callback for listing keys through pkcs11 */ -static SECStatus -PrintSymKey( struct PRFileDesc *out, - int count, - char *keyname, - PK11SymKey *key ) -{ - char *name = NULL; - SECStatus rv = SECFailure; - - name = PK11_GetSymKeyNickname( /* symmetric key */ key ); - if( name == NULL ) { - name = PORT_Strdup( "\t< orphaned >" ); - } - - if( keyname != NULL ) { - /* ONLY print this name if it is the requested key */ - if( PL_strcmp( keyname, name ) == 0 ) { - PR_fprintf( out, - "\t<%d> %s\n", - count, - name ); - - rv = SECSuccess; - } - } else { - PR_fprintf( out, - "\t<%d> %s\n", - count, - name ); - - rv = SECSuccess; - } - - PORT_Free( name ); - - return rv; -} - - -static SECStatus -listKeys( char *progName, - PK11SlotInfo *slot, - char *keyname, - void *pwdata ) -{ - int count = 0; - int keys_found = 0; - PK11SymKey *symKey = NULL; - PK11SymKey *nextSymKey = NULL; - SECStatus rvPrint = SECFailure; - - if( PK11_NeedLogin( /* slot */ slot ) ) { - PK11_Authenticate( - /* slot */ slot, - /* load certs */ PR_TRUE, - /* wincx */ pwdata ); - } - - /* Initialize the symmetric key list. 
*/ - symKey = PK11_ListFixedKeysInSlot( - /* slot */ slot, - /* nickname */ NULL, - /* wincx */ ( void *) pwdata ); - - /* Iterate through the symmetric key list. */ - while( symKey != NULL ) { - rvPrint = PrintSymKey( PR_STDOUT, - count, - keyname, - symKey ); - if( rvPrint != SECFailure ) { - keys_found++; - } - - nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); - PK11_FreeSymKey( /* symmetric key */ symKey ); - symKey = nextSymKey; - - count++; - } - - /* case 1: the token is empty */ - if( count == 0 ) { - PR_fprintf( PR_STDOUT, - "\t%s: the specified token is empty\n", - progName ); - - return SECFailure; - } - - /* case 2: the specified key is not on this token */ - if( ( keyname != NULL ) && - ( keys_found == 0 ) ) { - PR_fprintf( PR_STDOUT, - "\t%s: the key called \"%s\" could not be found\n", - progName, - keyname ); - - return SECFailure; - } - - return SECSuccess; -} - - -SECStatus -TKS_ListKeys( char *progName, - PK11SlotInfo *slot, - char *keyname, - int index, - PRBool dopriv, - secuPWData *pwdata ) -{ - SECStatus rv = SECSuccess; - - if( slot == NULL ) { - PK11SlotList *list; - PK11SlotListElement *le; - - list = PK11_GetAllTokens( - /* mechanism type */ CKM_INVALID_MECHANISM, - /* need R/W */ PR_FALSE, - /* load certs */ PR_FALSE, - /* wincx */ pwdata ); - - if( list ) { - for( le = list->head ; le ; le = le->next ) { - PR_fprintf( PR_STDOUT, - "\n slot: %s\n", - PK11_GetSlotName( /* slot */ le->slot ) ); - - PR_fprintf( PR_STDOUT, - "token: %s\n\n", - PK11_GetTokenName( /* slot */ le->slot ) ); - - rv = listKeys( progName, - le->slot, - keyname, - pwdata ); - } - } - } else { - PR_fprintf( PR_STDOUT, - "\n slot: %s\n", - PK11_GetSlotName( /* slot */ slot ) ); - - PR_fprintf( PR_STDOUT, - "token: %s\n\n", - PK11_GetTokenName( /* slot */ slot ) ); - - rv = listKeys( progName, - slot, - keyname, - pwdata ); - } - - return rv; -} - 
diff --git a/pki/base/native-tools/src/tkstool/modules.c b/pki/base/native-tools/src/tkstool/modules.c
deleted file mode 100644
index 0c4297251..000000000
--- a/pki/base/native-tools/src/tkstool/modules.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* --- BEGIN COPYRIGHT BLOCK ---
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * --- END COPYRIGHT BLOCK ---
- */
-
-#include "tkstool.h"
-
-/*
- * L i s t S e c M o d u l e s
- *
- * Print a list of the PKCS11 security modules that are
- * available. This is useful for smartcard people to
- * make sure they have the drivers loaded.
- *
- */
-SECStatus
-TKS_ListSecModules( void )
-{
- PK11SlotList *list;
- PK11SlotListElement *le;
-
- /* get them all! */
- list = PK11_GetAllTokens(
- /* mechanism type */ CKM_INVALID_MECHANISM,
- /* need R/W */ PR_FALSE,
- /* load certs */ PR_FALSE,
- /* wincx */ NULL );
-
- if( list == NULL ) {
- return SECFailure;
- }
-
- /* look at each slot */
- for( le = list->head ; le ; le = le->next ) {
- PR_fprintf ( PR_STDOUT,
- "\n" );
- PR_fprintf ( PR_STDOUT,
- " slot: %s\n",
- PK11_GetSlotName( /* slot */ le->slot ) );
- PR_fprintf ( PR_STDOUT,
- " token: %s\n",
- PK11_GetTokenName( /* slot */ le->slot ) );
- }
-
- PK11_FreeSlotList( /* slot list */ list );
-
- return SECSuccess;
-}
-
diff --git a/pki/base/native-tools/src/tkstool/pppolicy.c b/pki/base/native-tools/src/tkstool/pppolicy.c
deleted file mode 100644
index 8b198ca52..000000000
--- a/pki/base/native-tools/src/tkstool/pppolicy.c
+++ /dev/null
@@ -1,306 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 2004 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/pppolicy.c - */ - -/* - * Support for various policy related extensions - * - * $Id$ - */ - -#include "seccomon.h" -#include "secport.h" -#include "secder.h" -#include "cert.h" -#include "secoid.h" -#include "secasn1.h" -#include "secerr.h" -#include "nspr.h" -#include "secutil.h" - -/* This implementation is derived from the one in nss/lib/certdb/policyxtn.c . -** The chief difference is the addition of the OPTIONAL flag to many -** parts. The idea is to be able to parse and print as much of the -** policy extension as possible, even if some parts are invalid. -** -** If this approach still is unable to decode policy extensions that -** contain invalid parts, then the next approach will be to parse -** the PolicyInfos as a SEQUENCE of ANYs, and then parse each of them -** as PolicyInfos, with the PolicyQualifiers being ANYs, and finally -** parse each of the PolicyQualifiers. 
-*/ - -static const SEC_ASN1Template secu_PolicyQualifierTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTPolicyQualifier) }, - { SEC_ASN1_OBJECT_ID, - offsetof(CERTPolicyQualifier, qualifierID) }, - { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL, - offsetof(CERTPolicyQualifier, qualifierValue) }, - { 0 } -}; - -static const SEC_ASN1Template secu_PolicyInfoTemplate[] = { - { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(CERTPolicyInfo) }, - { SEC_ASN1_OBJECT_ID, - offsetof(CERTPolicyInfo, policyID) }, - { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL, - offsetof(CERTPolicyInfo, policyQualifiers), - secu_PolicyQualifierTemplate }, - { 0 } -}; - -static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = { - { SEC_ASN1_SEQUENCE_OF, - offsetof(CERTCertificatePolicies, policyInfos), - secu_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) } -}; - - -static CERTCertificatePolicies * -secu_DecodeCertificatePoliciesExtension(SECItem *extnValue) -{ - PRArenaPool *arena = NULL; - SECStatus rv; - CERTCertificatePolicies *policies; - CERTPolicyInfo **policyInfos, *policyInfo; - CERTPolicyQualifier **policyQualifiers, *policyQualifier; - SECItem newExtnValue; - - /* make a new arena */ - arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( !arena ) { - goto loser; - } - - /* allocate the certifiate policies structure */ - policies = PORT_ArenaZNew(arena, CERTCertificatePolicies); - if ( policies == NULL ) { - goto loser; - } - - policies->arena = arena; - - /* copy the DER into the arena, since Quick DER returns data that points - into the DER input, which may get freed by the caller */ - rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue); - if ( rv != SECSuccess ) { - goto loser; - } - - /* decode the policy info */ - rv = SEC_QuickDERDecodeItem(arena, policies, - secu_CertificatePoliciesTemplate, - &newExtnValue); - - if ( rv != SECSuccess ) { - goto loser; - } - - /* initialize the oid tags */ - policyInfos = policies->policyInfos; - while (policyInfos != NULL && 
*policyInfos != NULL ) { - policyInfo = *policyInfos; - policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID); - policyQualifiers = policyInfo->policyQualifiers; - while ( policyQualifiers && *policyQualifiers != NULL ) { - policyQualifier = *policyQualifiers; - policyQualifier->oid = - SECOID_FindOIDTag(&policyQualifier->qualifierID); - policyQualifiers++; - } - policyInfos++; - } - - return(policies); - -loser: - if ( arena != NULL ) { - PORT_FreeArena(arena, PR_FALSE); - } - - return(NULL); -} - - -static char * -itemToString(SECItem *item) -{ - char *string; - - string = PORT_ZAlloc(item->len+1); - if (string == NULL) return NULL; - PORT_Memcpy(string,item->data,item->len); - string[item->len] = 0; - return string; -} - -static SECStatus -secu_PrintUserNoticeQualifier(FILE *out, SECItem * qualifierValue, - char *msg, int level) -{ - CERTUserNotice *userNotice = NULL; - if (qualifierValue) - userNotice = CERT_DecodeUserNotice(qualifierValue); - if (userNotice) { - if (userNotice->noticeReference.organization.len != 0) { - char *string = - itemToString(&userNotice->noticeReference.organization); - SECItem **itemList = userNotice->noticeReference.noticeNumbers; - - while (itemList && *itemList) { - SECU_PrintInteger(out,*itemList,string,level+1); - itemList++; - } - PORT_Free(string); - } - if (userNotice->displayText.len != 0) { - SECU_PrintString(out,&userNotice->displayText, - "Display Text", level+1); - } - CERT_DestroyUserNotice(userNotice); - return SECSuccess; - } - return SECFailure; /* caller will print this value */ -} - -static SECStatus -secu_PrintPolicyQualifier(FILE *out,CERTPolicyQualifier *policyQualifier, - char *msg,int level) -{ - SECStatus rv; - SECItem * qualifierValue = &policyQualifier->qualifierValue; - - SECU_PrintObjectID(out, &policyQualifier->qualifierID , - "Policy Qualifier Name", level); - if (!qualifierValue->data) { - SECU_Indent(out, level); - fprintf(out,"Error: missing qualifier\n"); - } else - switch (policyQualifier->oid) 
{ - case SEC_OID_PKIX_USER_NOTICE_QUALIFIER: - rv = secu_PrintUserNoticeQualifier(out, qualifierValue, msg, level); - if (SECSuccess == rv) - break; - /* fall through on error */ - case SEC_OID_PKIX_CPS_POINTER_QUALIFIER: - default: - SECU_PrintAny(out, qualifierValue, "Policy Qualifier Data", level); - break; - } - return SECSuccess; -} - -static SECStatus -secu_PrintPolicyInfo(FILE *out,CERTPolicyInfo *policyInfo,char *msg,int level) -{ - CERTPolicyQualifier **policyQualifiers; - - policyQualifiers = policyInfo->policyQualifiers; - SECU_PrintObjectID(out, &policyInfo->policyID , "Policy Name", level); - - while (policyQualifiers && *policyQualifiers != NULL) { - secu_PrintPolicyQualifier(out,*policyQualifiers,"",level+1); - policyQualifiers++; - } - return SECSuccess; -} - -void -SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level) -{ - CERTCertificatePolicies *policies = NULL; - CERTPolicyInfo **policyInfos; - - if (msg) { - SECU_Indent(out, level); - fprintf(out,"%s: \n",msg); - level++; - } - policies = secu_DecodeCertificatePoliciesExtension(value); - if (policies == NULL) { - SECU_PrintAny(out, value, "Invalid Policy Data", level); - return; - } - - policyInfos = policies->policyInfos; - while (policyInfos && *policyInfos != NULL) { - secu_PrintPolicyInfo(out,*policyInfos,"",level); - policyInfos++; - } - - CERT_DestroyCertificatePoliciesExtension(policies); -} - - -void -SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, - char *msg, int level) -{ - CERTPrivKeyUsagePeriod * prd; - PLArenaPool * arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if ( !arena ) { - goto loser; - } - prd = CERT_DecodePrivKeyUsagePeriodExtension(arena, value); - if (!prd) { - goto loser; - } - if (prd->notBefore.data) { - SECU_PrintGeneralizedTime(out, &prd->notBefore, "Not Before", level); - } - if (prd->notAfter.data) { - SECU_PrintGeneralizedTime(out, &prd->notAfter, "Not After ", level); - } - if (!prd->notBefore.data && !prd->notAfter.data) { - 
SECU_Indent(out, level);
- fprintf(out, "Error: notBefore or notAfter MUST be present.\n");
-loser:
- SECU_PrintAny(out, value, msg, level);
- }
- if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-}
diff --git a/pki/base/native-tools/src/tkstool/random.c b/pki/base/native-tools/src/tkstool/random.c
deleted file mode 100644
index 49dfb525e..000000000
--- a/pki/base/native-tools/src/tkstool/random.c
+++ /dev/null
@@ -1,173 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -#include "tkstool.h" - -/* returns 0 for success, -1 for failure (EOF encountered) */ -static int -UpdateRNG( void ) -{ - char *randbuf; - int fd; - int i; - int count; - int c; - int rv = 0; -#ifdef XP_UNIX - cc_t orig_cc_min; - cc_t orig_cc_time; - tcflag_t orig_lflag; - struct termios tio; -#endif - -#define FPS PR_fprintf( PR_STDOUT, - FPS "\n"); - FPS "A random seed must be generated that will be used in the\n"); - FPS "creation of your key. One of the easiest ways to create a\n"); - FPS "random seed is to use the timing of keystrokes on a keyboard.\n"); - FPS "\n"); - FPS "To begin, type keys on the keyboard until this progress meter\n"); - FPS "is full. 
DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!\n"); - FPS "\n"); - FPS "\n"); - FPS "Continue typing until the progress meter is full:\n\n"); - FPS "| |\r|"); - - /* turn off echo on stdin & return on 1 char instead of NL */ - fd = fileno( stdin ); - -#if defined( XP_UNIX ) && !defined( VMS ) - tcgetattr( fd, &tio ); - orig_lflag = tio.c_lflag; - orig_cc_min = tio.c_cc[VMIN]; - orig_cc_time = tio.c_cc[VTIME]; - tio.c_lflag &= ~ECHO; - tio.c_lflag &= ~ICANON; - tio.c_cc[VMIN] = 1; - tio.c_cc[VTIME] = 0; - tcsetattr( fd, TCSAFLUSH, &tio ); -#endif - - /* Get random noise from keyboard strokes */ - randbuf = ( char * ) PORT_Alloc( RAND_BUF_LENGTH ); - count = 0; - while( randbuf != NULL && count < NUM_KEYSTROKES+1 ) { -#ifdef VMS - c = GENERIC_GETCHAR_NOECHO(); -#elif XP_UNIX - c = getc( stdin ); -#else - c = getch(); -#endif - if( c == EOF ) { - rv = -1; - break; - } - - PK11_RandomUpdate( - /* data */ randbuf, - /* length in bytes */ RAND_BUF_LENGTH ); - - if( c != randbuf[0] ) { - randbuf[0] = c; - - FPS "\r|"); - - for( i = 0 ; - i < count / ( NUM_KEYSTROKES / RAND_BUF_LENGTH ) ; - i++ ) { - FPS "*"); - } - - if( count % ( NUM_KEYSTROKES / RAND_BUF_LENGTH ) == 1 ) { - FPS "/"); - } - - count++; - } - } - - if (randbuf != NULL) free (randbuf); - - FPS "\n\n"); - FPS "Finished.\n"); - - TKS_TypeProceedToContinue(); - - FPS "\n"); - -#undef FPS - -#if defined( XP_UNIX ) && !defined( VMS ) - /* set back termio the way it was */ - tio.c_lflag = orig_lflag; - tio.c_cc[VMIN] = orig_cc_min; - tio.c_cc[VTIME] = orig_cc_time; - tcsetattr( fd, TCSAFLUSH, &tio ); -#endif - - return rv; -} - - -void -TKS_FileForRNG( char *noise ) -{ - char buf[2048]; - PRFileDesc *fd; - PRInt32 count; - - fd = PR_OpenFile( noise, PR_RDONLY, 0666 ); - if( !fd ) { - return; - } - - do { - count = PR_Read( fd, buf, sizeof( buf ) ); - if (count > 0) { - PK11_RandomUpdate( - /* data */ buf, - /* length in bytes */ count ); - } - } while( count > 0 ); - - PR_Close( fd ); -} - - -SECStatus 
-TKS_SeedRNG( char *noise )
-{
- /* Clear the screen */
- TKS_ClearScreen();
-
- /* Seed the RNG */
- if( noise ) {
- TKS_FileForRNG( noise );
- } else {
- int rv = UpdateRNG();
- if( rv ) {
- PORT_SetError( PR_END_OF_FILE_ERROR );
- return SECFailure;
- }
- }
-
- return SECSuccess;
-}
-
diff --git a/pki/base/native-tools/src/tkstool/retrieve.c b/pki/base/native-tools/src/tkstool/retrieve.c deleted file mode 100644
index 44cf3c069..000000000
--- a/pki/base/native-tools/src/tkstool/retrieve.c
+++ /dev/null
@@ -1,114 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -#include "tkstool.h" - -PK11SymKey * -TKS_RetrieveSymKey( PK11SlotInfo *slot, - char *keyname, - void *pwdata ) -{ - char *name = NULL; - int count = 0; - int keys_found = 0; - PK11SymKey *symKey = NULL; - PK11SymKey *nextSymKey = NULL; - PK11SymKey *rvSymKey = NULL; - - if( PK11_NeedLogin( /* slot */ slot ) ) { - PK11_Authenticate( - /* slot */ slot, - /* load certs */ PR_TRUE, - /* wincx */ pwdata ); - } - - /* Initialize the symmetric key list. */ - symKey = PK11_ListFixedKeysInSlot( - /* slot */ slot, - /* nickname */ NULL, - /* wincx */ ( void *) pwdata ); - - /* Iterate through the symmetric key list. 
*/ - while( symKey != NULL ) { - name = PK11_GetSymKeyNickname( /* symmetric key */ symKey ); - if( name != NULL ) { - if( keyname != NULL ) { - if( PL_strcmp( keyname, name ) == 0 ) { - keys_found++; - } - } - } - - nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); - PK11_FreeSymKey( /* symmetric key */ symKey ); - symKey = nextSymKey; - - count++; - } - - /* case 1: the token is empty */ - if( count == 0 ) { - /* the specified token is empty */ - rvSymKey = NULL; - goto retrievedSymKey; - } - - /* case 2: the specified key is not on this token */ - if( ( keyname != NULL ) && - ( keys_found == 0 ) ) { - /* the key called "keyname" could not be found */ - rvSymKey = NULL; - goto retrievedSymKey; - } - - /* case 3: the specified key exists more than once on this token */ - if( keys_found != 1 ) { - /* more than one key called "keyname" was found on this token */ - rvSymKey = NULL; - goto retrievedSymKey; - } else { - /* Re-initialize the symmetric key list. */ - symKey = PK11_ListFixedKeysInSlot( - /* slot */ slot, - /* nickname */ NULL, - /* wincx */ ( void *) pwdata ); - - /* Reiterate through the symmetric key list once more, */ - /* this time returning an actual reference to the key. */ - while( symKey != NULL ) { - name = PK11_GetSymKeyNickname( /* symmetric key */ symKey ); - if( name != NULL ) { - if( keyname != NULL ) { - if( PL_strcmp( keyname, name ) == 0 ) { - rvSymKey = symKey; - goto retrievedSymKey; - } - } - } - - nextSymKey = PK11_GetNextSymKey( /* symmetric key */ symKey ); - PK11_FreeSymKey( /* symmetric key */ symKey ); - symKey = nextSymKey; - } - } - -retrievedSymKey: - return rvSymKey; -} - diff --git a/pki/base/native-tools/src/tkstool/secerror.c b/pki/base/native-tools/src/tkstool/secerror.c deleted file mode 100644 index 6b0f40d70..000000000 --- a/pki/base/native-tools/src/tkstool/secerror.c +++ /dev/null 
@@ -1,118 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secerror.c - */ - -#include "nspr.h" - -struct tuple_str { - PRErrorCode errNum; - const char * errString; -}; - -typedef struct tuple_str tuple_str; - -#define ER2(a,b) {a, b}, -#define ER3(a,b,c) {a, c}, - -#include "secerr.h" -#include "sslerr.h" - -const tuple_str errStrings[] = { - -/* keep this list in asceding order of error numbers */ -#include "SSLerrs.h" -#include "SECerrs.h" -#include "NSPRerrs.h" - -}; - -const PRInt32 numStrings = sizeof(errStrings) / sizeof(tuple_str); - -/* Returns a UTF-8 encoded constant error string for "errNum". - * Returns NULL of errNum is unknown. - */ -const char * -SECU_Strerror(PRErrorCode errNum) { - PRInt32 low = 0; - PRInt32 high = numStrings - 1; - PRInt32 i; - PRErrorCode num; - static int initDone; - - /* make sure table is in ascending order. - * binary search depends on it. - */ - if (!initDone) { - PRErrorCode lastNum = ((PRInt32)0x80000000); - for (i = low; i <= high; ++i) { - num = errStrings[i].errNum; - if (num <= lastNum) { - fprintf(stderr, -"sequence error in error strings at item %d\n" -"error %d (%s)\n" -"should come after \n" -"error %d (%s)\n", - i, lastNum, errStrings[i-1].errString, - num, errStrings[i].errString); - } - lastNum = num; - } - initDone = 1; - } - - /* Do binary search of table. */ - while (low + 1 < high) { - i = (low + high) / 2; - num = errStrings[i].errNum; - if (errNum == num) - return errStrings[i].errString; - if (errNum < num) - high = i; - else - low = i; - } - if (errNum == errStrings[low].errNum) - return errStrings[low].errString; - if (errNum == errStrings[high].errNum) - return errStrings[high].errString; - return NULL; -} diff --git a/pki/base/native-tools/src/tkstool/secpwd.c b/pki/base/native-tools/src/tkstool/secpwd.c deleted file mode 100644 index 542885858..000000000 
--- a/pki/base/native-tools/src/tkstool/secpwd.c
+++ /dev/null
@@ -1,213 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secpwd.c - */ - -#include "secutil.h" - -/* - * NOTE: The contents of this file are NOT used by the client. - * (They are part of the security library as a whole, but they are - * NOT USED BY THE CLIENT.) Do not change things on behalf of the - * client (like localizing strings), or add things that are only - * for the client (put them elsewhere). - */ - - -#ifdef XP_UNIX -#include <termios.h> -#endif - -#if defined(XP_UNIX) || defined(XP_BEOS) -#include <unistd.h> /* for isatty() */ -#endif - -#if( defined(_WINDOWS) && !defined(_WIN32_WCE)) || defined(XP_OS2_VACPP) -#include <conio.h> -#include <io.h> -#define QUIET_FGETS quiet_fgets -static char * quiet_fgets (char *buf, int length, FILE *input); -#else -#define QUIET_FGETS fgets -#endif - -static void echoOff(int fd) -{ -#if defined(XP_UNIX) && !defined(VMS) - if (isatty(fd)) { - struct termios tio; - tcgetattr(fd, &tio); - tio.c_lflag &= ~ECHO; - tcsetattr(fd, TCSAFLUSH, &tio); - } -#endif -} - -static void echoOn(int fd) -{ -#if defined(XP_UNIX) && !defined(VMS) - if (isatty(fd)) { - struct termios tio; - tcgetattr(fd, &tio); - tio.c_lflag |= ECHO; - tcsetattr(fd, TCSAFLUSH, &tio); - } -#endif -} - -char *SEC_GetPassword(FILE *input, FILE *output, char *prompt, - PRBool (*ok)(char *)) -{ -#if defined(_WINDOWS) - int isTTY = (input == stdin); -#define echoOn(x) -#define echoOff(x) -#else - int infd = fileno(input); - int isTTY = isatty(infd); -#endif - char phrase[200] = {'\0'}; /* ensure EOF doesn't return junk */ - - for (;;) { - /* Prompt for password */ - if (isTTY) { - fprintf(output, "%s", prompt); - fflush (output); - echoOff(infd); - } - - QUIET_FGETS ( phrase, sizeof(phrase), input); - - if (isTTY) { - fprintf(output, "\n"); - echoOn(infd); - } - - /* stomp on newline */ - phrase[PORT_Strlen(phrase)-1] = 0; - 
- /* Validate password */ - if (!(*ok)(phrase)) { - /* Not weird enough */ - if (!isTTY) return 0; - fprintf(output, "Password must be at least 8 characters long with one or more\n"); - fprintf(output, "non-alphabetic characters\n"); - continue; - } - return (char*) PORT_Strdup(phrase); - } -} - - - -PRBool SEC_CheckPassword(char *cp) -{ - int len; - char *end; - - len = PORT_Strlen(cp); - if (len < 8) { - return PR_FALSE; - } - end = cp + len; - while (cp < end) { - unsigned char ch = *cp++; - if (!((ch >= 'A') && (ch <= 'Z')) && - !((ch >= 'a') && (ch <= 'z'))) { - /* pass phrase has at least one non alphabetic in it */ - return PR_TRUE; - } - } - return PR_FALSE; -} - -PRBool SEC_BlindCheckPassword(char *cp) -{ - if (cp != NULL) { - return PR_TRUE; - } - return PR_FALSE; -} - -/* Get a password from the input terminal, without echoing */ - -#if defined(_WINDOWS) || defined(XP_OS2_VACPP) -static char * quiet_fgets (char *buf, int length, FILE *input) - { - int c; - char *end = buf; - - /* fflush (input); */ - memset (buf, 0, length); - -#ifndef XP_OS2_VACPP - if (input != stdin) { - return fgets(buf,length,input); - } -#else - if (!isatty(fileno(input))) { - return fgets(buf,length,input); - } -#endif - - while (1) - { -#if defined (_WIN32_WCE) - c = getchar(); /* gets a character from stdin */ -#else - c = getch(); /* getch gets a character from the console */ -#endif - if (c == '\b') - { - if (end > buf) - end--; - } - - else if (--length > 0) - *end++ = c; - - if (!c || c == '\n' || c == '\r') - break; - } - - return buf; - } -#endif diff --git a/pki/base/native-tools/src/tkstool/secutil.c b/pki/base/native-tools/src/tkstool/secutil.c deleted file mode 100644 index 9ece007fa..000000000 --- a/pki/base/native-tools/src/tkstool/secutil.c +++ /dev/null 
@@ -1,3662 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.c - */ - -/* -** secutil.c - various functions used by security stuff -** -*/ - -#include "prtypes.h" -#include "prtime.h" -#include "prlong.h" -#include "prerror.h" -#include "prprf.h" -#include "plgetopt.h" -#include "prenv.h" -#include "prnetdb.h" - -#include "cryptohi.h" -#include "secutil.h" -#include "secpkcs7.h" -#include <stdarg.h> -#if !defined(_WIN32_WCE) -#include <sys/stat.h> -#include <errno.h> -#endif - -#ifdef XP_UNIX -#include <unistd.h> -#endif - -/* for SEC_TraverseNames */ -#include "cert.h" -#include "certt.h" -#include "certdb.h" - -/* #include "secmod.h" */ -#include "pk11func.h" -#include "secoid.h" - -static char consoleName[] = { -#ifdef XP_UNIX -#ifdef VMS - "TT" -#else - "/dev/tty" -#endif -#else -#ifdef XP_OS2 - "\\DEV\\CON" -#else - "CON:" -#endif -#endif -}; - - -char * -SECU_GetString(int16 error_number) -{ - - static char errString[80]; - sprintf(errString, "Unknown error string (%d)", error_number); - return errString; -} - -void -SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...) -{ - va_list args; - PRErrorCode err = PORT_GetError(); - const char * errString = SECU_Strerror(err); - - va_start(args, msg); - - SECU_Indent(out, level); - fprintf(out, "%s: ", progName); - vfprintf(out, msg, args); - if (errString != NULL && PORT_Strlen(errString) > 0) - fprintf(out, ": %s\n", errString); - else - fprintf(out, ": error %d\n", (int)err); - - va_end(args); -} - -void -SECU_PrintError(char *progName, char *msg, ...) 
-{ - va_list args; - PRErrorCode err = PORT_GetError(); - const char * errString = SECU_Strerror(err); - - va_start(args, msg); - - fprintf(stderr, "%s: ", progName); - vfprintf(stderr, msg, args); - if (errString != NULL && PORT_Strlen(errString) > 0) - fprintf(stderr, ": %s\n", errString); - else - fprintf(stderr, ": error %d\n", (int)err); - - va_end(args); -} - -void -SECU_PrintSystemError(char *progName, char *msg, ...) -{ - va_list args; - - va_start(args, msg); - fprintf(stderr, "%s: ", progName); - vfprintf(stderr, msg, args); -#if defined(_WIN32_WCE) - fprintf(stderr, ": %d\n", PR_GetOSError()); -#else - fprintf(stderr, ": %s\n", strerror(errno)); -#endif - va_end(args); -} - -static void -secu_ClearPassword(char *p) -{ - if (p) { - PORT_Memset(p, 0, PORT_Strlen(p)); - PORT_Free(p); - } -} - -char * -SECU_GetPasswordString(void *arg, char *prompt) -{ -#ifndef _WINDOWS - char *p = NULL; - FILE *input, *output; - - /* open terminal */ - input = fopen(consoleName, "r"); - if (input == NULL) { - fprintf(stderr, "Error opening input terminal for read\n"); - return NULL; - } - - output = fopen(consoleName, "w"); - if (output == NULL) { - fprintf(stderr, "Error opening output terminal for write\n"); - fclose(input); - return NULL; - } - - p = SEC_GetPassword (input, output, prompt, SEC_BlindCheckPassword); - - - fclose(input); - fclose(output); - - return p; - -#else - /* Win32 version of above. opening the console may fail - on windows95, and certainly isn't necessary.. */ - - char *p = NULL; - - p = SEC_GetPassword (stdin, stdout, prompt, SEC_BlindCheckPassword); - return p; - -#endif -} - - -/* - * p a s s w o r d _ h a r d c o d e - * - * A function to use the password passed in the -f(pwfile) argument - * of the command line. - * After use once, null it out otherwise PKCS11 calls us forever.? 
- * - */ -char * -SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg) -{ - unsigned char phrase[200]; - PRFileDesc *fd; - PRInt32 nb; - char *pwFile = arg; - int i; - - if (!pwFile) - return 0; - - if (retry) { - return 0; /* no good retrying - the files contents will be the same */ - } - - fd = PR_Open(pwFile, PR_RDONLY, 0); - if (!fd) { - fprintf(stderr, "No password file \"%s\" exists.\n", pwFile); - return NULL; - } - - nb = PR_Read(fd, phrase, sizeof(phrase)); - - PR_Close(fd); - /* handle the Windows EOL case */ - i = 0; - while (phrase[i] != '\r' && phrase[i] != '\n' && i < nb) i++; - phrase[i] = '\0'; - if (nb == 0) { - fprintf(stderr,"password file contains no data\n"); - return NULL; - } - return (char*) PORT_Strdup((char*)phrase); -} - -char * -SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) -{ - char prompt[255]; - secuPWData *pwdata = (secuPWData *)arg; - secuPWData pwnull = { PW_NONE, 0 }; - secuPWData pwxtrn = { PW_EXTERNAL, "external" }; - char *pw; - - if (pwdata == NULL) - pwdata = &pwnull; - - if (PK11_ProtectedAuthenticationPath(slot)) { - pwdata = &pwxtrn; - } - if (retry && pwdata->source != PW_NONE) { - PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n"); - return NULL; - } - - switch (pwdata->source) { - case PW_NONE: - sprintf(prompt, "Enter Password or Pin for \"%s\":", - PK11_GetTokenName(slot)); - return SECU_GetPasswordString(NULL, prompt); - case PW_FROMFILE: - /* Instead of opening and closing the file every time, get the pw - * once, then keep it in memory (duh). 
- */ - pw = SECU_FilePasswd(slot, retry, pwdata->data); - pwdata->source = PW_PLAINTEXT; - pwdata->data = PL_strdup(pw); - /* it's already been dup'ed */ - return pw; - case PW_EXTERNAL: - sprintf(prompt, - "Press Enter, then enter PIN for \"%s\" on external device.\n", - PK11_GetTokenName(slot)); - (void) SECU_GetPasswordString(NULL, prompt); - /* Fall Through */ - case PW_PLAINTEXT: - return PL_strdup(pwdata->data); - default: - break; - } - - PR_fprintf(PR_STDERR, "Password check failed: No password found.\n"); - return NULL; -} - -char * -secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) -{ - char *p0 = NULL; - char *p1 = NULL; - FILE *input, *output; - secuPWData *pwdata = arg; - - if (pwdata->source == PW_FROMFILE) { - return SECU_FilePasswd(slot, retry, pwdata->data); - } - if (pwdata->source == PW_PLAINTEXT) { - return PL_strdup(pwdata->data); - } - - /* PW_NONE - get it from tty */ - /* open terminal */ -#ifdef _WINDOWS - input = stdin; -#else - input = fopen(consoleName, "r"); -#endif - if (input == NULL) { - PR_fprintf(PR_STDERR, "Error opening input terminal for read\n"); - return NULL; - } - - /* we have no password, so initialize database with one */ - PR_fprintf(PR_STDERR, - "Enter a password which will be used to encrypt your keys.\n" - "The password should be at least 8 characters long,\n" - "and should contain at least one non-alphabetic character.\n\n"); - - output = fopen(consoleName, "w"); - if (output == NULL) { - PR_fprintf(PR_STDERR, "Error opening output terminal for write\n"); - fclose(input); - return NULL; - } - - - for (;;) { - if (p0) - PORT_Free(p0); - p0 = SEC_GetPassword(input, output, "Enter new password: ", - SEC_BlindCheckPassword); - - if (p1) - PORT_Free(p1); - p1 = SEC_GetPassword(input, output, "Re-enter password: ", - SEC_BlindCheckPassword); - if (p0 && p1 && !PORT_Strcmp(p0, p1)) { - break; - } - PR_fprintf(PR_STDERR, "Passwords do not match. 
Try again.\n"); - } - - /* clear out the duplicate password string */ - secu_ClearPassword(p1); - - fclose(input); - fclose(output); - - return p0; -} - -SECStatus -SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile) -{ - SECStatus rv; - secuPWData pwdata, newpwdata; - char *oldpw = NULL, *newpw = NULL; - - if (passwd) { - pwdata.source = PW_PLAINTEXT; - pwdata.data = passwd; - } else if (pwFile) { - pwdata.source = PW_FROMFILE; - pwdata.data = pwFile; - } else { - pwdata.source = PW_NONE; - pwdata.data = NULL; - } - - if (PK11_NeedUserInit(slot)) { - newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata); - rv = PK11_InitPin(slot, (char*)NULL, newpw); - goto done; - } - - for (;;) { - oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata); - - if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) { - if (pwdata.source == PW_NONE) { - PR_fprintf(PR_STDERR, "Invalid password. Try again.\n"); - } else { - PR_fprintf(PR_STDERR, "Invalid password.\n"); - PORT_Memset(oldpw, 0, PL_strlen(oldpw)); - PORT_Free(oldpw); - return SECFailure; - } - } else - break; - - PORT_Free(oldpw); - } - - newpwdata.source = PW_NONE; - newpwdata.data = NULL; - - newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata); - - if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { - PR_fprintf(PR_STDERR, "Failed to change password.\n"); - return SECFailure; - } - - PORT_Memset(oldpw, 0, PL_strlen(oldpw)); - PORT_Free(oldpw); - - PR_fprintf(PR_STDOUT, "Password changed successfully.\n"); - -done: - PORT_Memset(newpw, 0, PL_strlen(newpw)); - PORT_Free(newpw); - return SECSuccess; -} - -struct matchobj { - SECItem index; - char *nname; - PRBool found; -}; - -char * -SECU_DefaultSSLDir(void) -{ - char *dir; - static char sslDir[1000]; - - dir = PR_GetEnv("SSL_DIR"); - if (!dir) - return NULL; - - sprintf(sslDir, "%s", dir); - - if (sslDir[strlen(sslDir)-1] == '/') - sslDir[strlen(sslDir)-1] = 0; - - return sslDir; -} - -char * -SECU_AppendFilenameToDir(char *dir, char *filename) -{ - 
static char path[1000]; - - if (dir[strlen(dir)-1] == '/') - sprintf(path, "%s%s", dir, filename); - else - sprintf(path, "%s/%s", dir, filename); - return path; -} - -char * -SECU_ConfigDirectory(const char* base) -{ - static PRBool initted = PR_FALSE; - const char *dir = ".netscape"; - char *home; - static char buf[1000]; - - if (initted) return buf; - - - if (base == NULL || *base == 0) { - home = PR_GetEnv("HOME"); - if (!home) home = ""; - - if (*home && home[strlen(home) - 1] == '/') - sprintf (buf, "%.900s%s", home, dir); - else - sprintf (buf, "%.900s/%s", home, dir); - } else { - sprintf(buf, "%.900s", base); - if (buf[strlen(buf) - 1] == '/') - buf[strlen(buf) - 1] = 0; - } - - - initted = PR_TRUE; - return buf; -} - -/*Turn off SSL for now */ -/* This gets called by SSL when server wants our cert & key */ -int -SECU_GetClientAuthData(void *arg, PRFileDesc *fd, - struct CERTDistNamesStr *caNames, - struct CERTCertificateStr **pRetCert, - struct SECKEYPrivateKeyStr **pRetKey) -{ - SECKEYPrivateKey *key; - CERTCertificate *cert; - int errsave; - - if (arg == NULL) { - fprintf(stderr, "no key/cert name specified for client auth\n"); - return -1; - } - cert = PK11_FindCertFromNickname(arg, NULL); - errsave = PORT_GetError(); - if (!cert) { - if (errsave == SEC_ERROR_BAD_PASSWORD) - fprintf(stderr, "Bad password\n"); - else if (errsave > 0) - fprintf(stderr, "Unable to read cert (error %d)\n", errsave); - else if (errsave == SEC_ERROR_BAD_DATABASE) - fprintf(stderr, "Unable to get cert from database (%d)\n", errsave); - else - fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave); - return -1; - } - - key = PK11_FindKeyByAnyCert(arg,NULL); - if (!key) { - fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError()); - return -1; - } - - - *pRetCert = cert; - *pRetKey = key; - - return 0; -} - -SECStatus -secu_StdinToItem(SECItem *dst) -{ - unsigned char buf[1000]; - PRInt32 numBytes; - PRBool notDone = PR_TRUE; - - dst->len = 0; - dst->data = 
NULL; - - while (notDone) { - numBytes = PR_Read(PR_STDIN, buf, sizeof(buf)); - - if (numBytes < 0) { - return SECFailure; - } - - if (numBytes == 0) - break; - - if (dst->data) { - unsigned char * p = dst->data; - dst->data = (unsigned char*)PORT_Realloc(p, dst->len + numBytes); - if (!dst->data) { - PORT_Free(p); - } - } else { - dst->data = (unsigned char*)PORT_Alloc(numBytes); - } - if (!dst->data) { - return SECFailure; - } - PORT_Memcpy(dst->data + dst->len, buf, numBytes); - dst->len += numBytes; - } - - return SECSuccess; -} - -SECStatus -SECU_FileToItem(SECItem *dst, PRFileDesc *src) -{ - PRFileInfo info; - PRInt32 numBytes; - PRStatus prStatus; - - if (src == PR_STDIN) - return secu_StdinToItem(dst); - - prStatus = PR_GetOpenFileInfo(src, &info); - - if (prStatus != PR_SUCCESS) { - PORT_SetError(SEC_ERROR_IO); - return SECFailure; - } - - /* XXX workaround for 3.1, not all utils zero dst before sending */ - dst->data = 0; - if (!SECITEM_AllocItem(NULL, dst, info.size)) - goto loser; - - numBytes = PR_Read(src, dst->data, info.size); - if (numBytes != info.size) { - PORT_SetError(SEC_ERROR_IO); - goto loser; - } - - return SECSuccess; -loser: - SECITEM_FreeItem(dst, PR_FALSE); - return SECFailure; -} - -SECStatus -SECU_TextFileToItem(SECItem *dst, PRFileDesc *src) -{ - PRFileInfo info; - PRInt32 numBytes; - PRStatus prStatus; - unsigned char *buf; - - if (src == PR_STDIN) - return secu_StdinToItem(dst); - - prStatus = PR_GetOpenFileInfo(src, &info); - - if (prStatus != PR_SUCCESS) { - PORT_SetError(SEC_ERROR_IO); - return SECFailure; - } - - buf = (unsigned char*)PORT_Alloc(info.size); - if (!buf) - return SECFailure; - - numBytes = PR_Read(src, buf, info.size); - if (numBytes != info.size) { - PORT_SetError(SEC_ERROR_IO); - goto loser; - } - - if (buf[numBytes-1] == '\n') numBytes--; -#ifdef _WINDOWS - if (buf[numBytes-1] == '\r') numBytes--; -#endif - - /* XXX workaround for 3.1, not all utils zero dst before sending */ - dst->data = 0; - if 
(!SECITEM_AllocItem(NULL, dst, numBytes)) - goto loser; - - memcpy(dst->data, buf, numBytes); - - PORT_Free(buf); - return SECSuccess; -loser: - PORT_Free(buf); - return SECFailure; -} - -SECStatus -SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii) -{ - SECStatus rv; - if (ascii) { - /* First convert ascii to binary */ - SECItem filedata; - char *asc, *body; - - /* Read in ascii data */ - rv = SECU_FileToItem(&filedata, inFile); - asc = (char *)filedata.data; - if (!asc) { - fprintf(stderr, "unable to read data from input file\n"); - return SECFailure; - } - - /* check for headers and trailers and remove them */ - if ((body = strstr(asc, "-----BEGIN")) != NULL) { - char *trailer = NULL; - asc = body; - body = PORT_Strchr(body, '\n'); - if (!body) - body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */ - if (body) - trailer = strstr(++body, "-----END"); - if (trailer != NULL) { - *trailer = '\0'; - } else { - fprintf(stderr, "input has header but no trailer\n"); - PORT_Free(filedata.data); - return SECFailure; - } - } else { - body = asc; - } - - /* Convert to binary */ - rv = ATOB_ConvertAsciiToItem(der, body); - if (rv) { - fprintf(stderr, "error converting ascii to binary (%s)\n", - SECU_Strerror(PORT_GetError())); - PORT_Free(filedata.data); - return SECFailure; - } - - PORT_Free(filedata.data); - } else { - /* Read in binary der */ - rv = SECU_FileToItem(der, inFile); - if (rv) { - fprintf(stderr, "error converting der (%s)\n", - SECU_Strerror(PORT_GetError())); - return SECFailure; - } - } - return SECSuccess; -} - -#define INDENT_MULT 4 -void -SECU_Indent(FILE *out, int level) -{ - int i; - - for (i = 0; i < level; i++) { - fprintf(out, " "); - } -} - -static void secu_Newline(FILE *out) -{ - fprintf(out, "\n"); -} - -void -SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level) -{ - unsigned i; - int column; - PRBool isString = PR_TRUE; - PRBool isWhiteSpace = PR_TRUE; - PRBool printedHex = PR_FALSE; - unsigned int 
limit = 15; - - if ( m ) { - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - level++; - } - - SECU_Indent(out, level); column = level*INDENT_MULT; - if (!data->len) { - fprintf(out, "(empty)\n"); - return; - } - /* take a pass to see if it's all printable. */ - for (i = 0; i < data->len; i++) { - unsigned char val = data->data[i]; - if (!val || !isprint(val)) { - isString = PR_FALSE; - break; - } - if (isWhiteSpace && !isspace(val)) { - isWhiteSpace = PR_FALSE; - } - } - - /* Short values, such as bit strings (which are printed with this - ** function) often look like strings, but we want to see the bits. - ** so this test assures that short values will be printed in hex, - ** perhaps in addition to being printed as strings. - ** The threshold size (4 bytes) is arbitrary. - */ - if (!isString || data->len <= 4) { - for (i = 0; i < data->len; i++) { - if (i != data->len - 1) { - fprintf(out, "%02x:", data->data[i]); - column += 3; - } else { - fprintf(out, "%02x", data->data[i]); - column += 2; - break; - } - if (column > 76 || (i % 16 == limit)) { - secu_Newline(out); - SECU_Indent(out, level); - column = level*INDENT_MULT; - limit = i % 16; - } - } - printedHex = PR_TRUE; - } - if (isString && !isWhiteSpace) { - if (printedHex != PR_FALSE) { - secu_Newline(out); - SECU_Indent(out, level); column = level*INDENT_MULT; - } - for (i = 0; i < data->len; i++) { - unsigned char val = data->data[i]; - - if (val) { - fprintf(out,"%c",val); - column++; - } else { - column = 77; - } - if (column > 76) { - secu_Newline(out); - SECU_Indent(out, level); column = level*INDENT_MULT; - } - } - } - - if (column != level*INDENT_MULT) { - secu_Newline(out); - } -} - -static const char *hex = "0123456789abcdef"; - -static const char printable[257] = { - "................" /* 0x */ - "................" /* 1x */ - " !\"#$%&'()*+,-./" /* 2x */ - "0123456789:;<=>?" /* 3x */ - "@ABCDEFGHIJKLMNO" /* 4x */ - "PQRSTUVWXYZ[\\]^_" /* 5x */ - "`abcdefghijklmno" /* 6x */ - "pqrstuvwxyz{|}~." 
/* 7x */ - "................" /* 8x */ - "................" /* 9x */ - "................" /* ax */ - "................" /* bx */ - "................" /* cx */ - "................" /* dx */ - "................" /* ex */ - "................" /* fx */ -}; - -void -SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len) -{ - const unsigned char *cp = (const unsigned char *)vp; - char buf[80]; - char *bp; - char *ap; - - fprintf(out, "%s [Len: %d]\n", msg, len); - memset(buf, ' ', sizeof buf); - bp = buf; - ap = buf + 50; - while (--len >= 0) { - unsigned char ch = *cp++; - *bp++ = hex[(ch >> 4) & 0xf]; - *bp++ = hex[ch & 0xf]; - *bp++ = ' '; - *ap++ = printable[ch]; - if (ap - buf >= 66) { - *ap = 0; - fprintf(out, " %s\n", buf); - memset(buf, ' ', sizeof buf); - bp = buf; - ap = buf + 50; - } - } - if (bp > buf) { - *ap = 0; - fprintf(out, " %s\n", buf); - } -} - -SECStatus -SECU_StripTagAndLength(SECItem *i) -{ - unsigned int start; - - if (!i || !i->data || i->len < 2) { /* must be at least tag and length */ - return SECFailure; - } - start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2); - if (i->len < start) { - return SECFailure; - } - i->data += start; - i->len -= start; - return SECSuccess; -} - - -/* This expents i->data[0] to be the MSB of the integer. 
-** if you want to print a DER-encoded integer (with the tag and length) -** call SECU_PrintEncodedInteger(); -*/ -void -SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level) -{ - int iv; - - if (!i || !i->len || !i->data) { - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: (null)\n", m); - } else { - fprintf(out, "(null)\n"); - } - } else if (i->len > 4) { - SECU_PrintAsHex(out, i, m, level); - } else { - iv = DER_GetInteger(i); - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: %d (0x%x)\n", m, iv, iv); - } else { - fprintf(out, "%d (0x%x)\n", iv, iv); - } - } -} - -static void -secu_PrintRawString(FILE *out, SECItem *si, char *m, int level) -{ - int column; - unsigned int i; - - if ( m ) { - SECU_Indent(out, level); fprintf(out, "%s: ", m); - column = (level * INDENT_MULT) + strlen(m) + 2; - level++; - } else { - SECU_Indent(out, level); - column = level*INDENT_MULT; - } - fprintf(out, "\""); column++; - - for (i = 0; i < si->len; i++) { - unsigned char val = si->data[i]; - if (column > 76) { - secu_Newline(out); - SECU_Indent(out, level); column = level*INDENT_MULT; - } - - fprintf(out,"%c", printable[val]); column++; - } - - fprintf(out, "\""); column++; - if (column != level*INDENT_MULT || column > 76) { - secu_Newline(out); - } -} - -void -SECU_PrintString(FILE *out, SECItem *si, char *m, int level) -{ - SECItem my = *si; - - if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len) - return; - secu_PrintRawString(out, &my, m, level); -} - -/* print an unencoded boolean */ -static void -secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level) -{ - int val = 0; - - if ( i->data && i->len ) { - val = i->data[0]; - } - - if (!m) { - m = "Boolean"; - } - SECU_Indent(out, level); - fprintf(out, "%s: %s\n", m, (val ? "True" : "False")); -} - -/* - * Format and print "time". 
If the tag message "m" is not NULL, - * do indent formatting based on "level" and add a newline afterward; - * otherwise just print the formatted time string only. - */ -static void -secu_PrintTime(FILE *out, int64 time, char *m, int level) -{ - PRExplodedTime printableTime; - char *timeString; - - /* Convert to local time */ - PR_ExplodeTime(time, PR_GMTParameters, &printableTime); - - timeString = PORT_Alloc(100); - if (timeString == NULL) - return; - - if (m != NULL) { - SECU_Indent(out, level); - fprintf(out, "%s: ", m); - } - - PR_FormatTime(timeString, 100, "%a %b %d %H:%M:%S %Y", &printableTime); - fprintf(out, timeString); - - if (m != NULL) - fprintf(out, "\n"); - - PORT_Free(timeString); -} - -/* - * Format and print the UTC Time "t". If the tag message "m" is not NULL, - * do indent formatting based on "level" and add a newline afterward; - * otherwise just print the formatted time string only. - */ -void -SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level) -{ - int64 time; - SECStatus rv; - - rv = DER_UTCTimeToTime(&time, t); - if (rv != SECSuccess) - return; - - secu_PrintTime(out, time, m, level); -} - -/* - * Format and print the Generalized Time "t". If the tag message "m" - * is not NULL, * do indent formatting based on "level" and add a newline - * afterward; otherwise just print the formatted time string only. - */ -void -SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level) -{ - int64 time; - SECStatus rv; - - - rv = DER_GeneralizedTimeToTime(&time, t); - if (rv != SECSuccess) - return; - - secu_PrintTime(out, time, m, level); -} - -/* - * Format and print the UTC or Generalized Time "t". If the tag message - * "m" is not NULL, do indent formatting based on "level" and add a newline - * afterward; otherwise just print the formatted time string only. 
- */ -void -SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level) -{ - switch (t->type) { - case siUTCTime: - SECU_PrintUTCTime(out, t, m, level); - break; - - case siGeneralizedTime: - SECU_PrintGeneralizedTime(out, t, m, level); - break; - - default: - PORT_Assert(0); - break; - } -} - - -/* This prints a SET or SEQUENCE */ -void -SECU_PrintSet(FILE *out, SECItem *t, char *m, int level) -{ - int type = t->data[0] & SEC_ASN1_TAGNUM_MASK; - int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED; - const char * label; - SECItem my = *t; - - if (!constructed) { - SECU_PrintAsHex(out, t, m, level); - return; - } - if (SECSuccess != SECU_StripTagAndLength(&my)) - return; - - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: ", m); - } - - if (type == SEC_ASN1_SET) - label = "Set "; - else if (type == SEC_ASN1_SEQUENCE) - label = "Sequence "; - else - label = ""; - fprintf(out,"%s{\n", label); /* } */ - - while (my.len >= 2) { - SECItem tmp = my; - - if (tmp.data[1] & 0x80) { - unsigned int i; - unsigned int lenlen = tmp.data[1] & 0x7f; - if (lenlen > sizeof tmp.len) - break; - tmp.len = 0; - for (i=0; i < lenlen; i++) { - tmp.len = (tmp.len << 8) | tmp.data[2+i]; - } - tmp.len += lenlen + 2; - } else { - tmp.len = tmp.data[1] + 2; - } - if (tmp.len > my.len) { - tmp.len = my.len; - } - my.data += tmp.len; - my.len -= tmp.len; - SECU_PrintAny(out, &tmp, NULL, level + 1); - } - SECU_Indent(out, level); fprintf(out, /* { */ "}\n"); -} - -static void -secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level) -{ - int type = i->data[0] & SEC_ASN1_TAGNUM_MASK; - int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED; - SECItem tmp; - - if (constructed) { - char * m2; - if (!m) - m2 = PR_smprintf("[%d]", type); - else - m2 = PR_smprintf("%s: [%d]", m, type); - if (m2) { - SECU_PrintSet(out, i, m2, level); - PR_smprintf_free(m2); - } - return; - } - - SECU_Indent(out, level); - if (m) { - fprintf(out, "%s: ", m); - } - fprintf(out,"[%d]\n", type); - - tmp 
= *i; - if (SECSuccess == SECU_StripTagAndLength(&tmp)) - SECU_PrintAsHex(out, &tmp, m, level+1); -} - -static void -secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level) -{ - SECItem tmp = *i; - if (SECSuccess == SECU_StripTagAndLength(&tmp)) - SECU_PrintAsHex(out, &tmp, m, level); -} - -static void -secu_PrintBitString(FILE *out, SECItem *i, char *m, int level) -{ - int unused_bits; - SECItem tmp = *i; - - if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2) - return; - - unused_bits = *tmp.data++; - tmp.len--; - - SECU_PrintAsHex(out, &tmp, m, level); - if (unused_bits) { - SECU_Indent(out, level + 1); - fprintf(out, "(%d least significant bits unused)\n", unused_bits); - } -} - -/* in a decoded bit string, the len member is a bit length. */ -static void -secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level) -{ - int unused_bits; - SECItem tmp = *i; - - - unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0; - DER_ConvertBitString(&tmp); /* convert length to byte length */ - - SECU_PrintAsHex(out, &tmp, m, level); - if (unused_bits) { - SECU_Indent(out, level + 1); - fprintf(out, "(%d least significant bits unused)\n", unused_bits); - } -} - - -/* Print a DER encoded Boolean */ -void -SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level) -{ - SECItem my = *i; - if (SECSuccess == SECU_StripTagAndLength(&my)) - secu_PrintBoolean(out, &my, m, level); -} - -/* Print a DER encoded integer */ -void -SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level) -{ - SECItem my = *i; - if (SECSuccess == SECU_StripTagAndLength(&my)) - SECU_PrintInteger(out, &my, m, level); -} - -/* Print a DER encoded OID */ -void -SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level) -{ - SECItem my = *i; - if (SECSuccess == SECU_StripTagAndLength(&my)) - SECU_PrintObjectID(out, &my, m, level); -} - -static void -secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level) -{ - unsigned char * s; - unsigned char 
* d; - int len; - SECItem tmp = {0, 0, 0}; - SECItem my = *i; - - if (SECSuccess != SECU_StripTagAndLength(&my)) - goto loser; - if (my.len % 2) - goto loser; - len = (int)(my.len / 2); - tmp.data = (unsigned char *)PORT_Alloc(len); - if (!tmp.data) - goto loser; - tmp.len = len; - for (s = my.data, d = tmp.data ; len > 0; len--) { - PRUint32 bmpChar = (s[0] << 8) | s[1]; s += 2; - if (!isprint(bmpChar)) - goto loser; - *d++ = (unsigned char)bmpChar; - } - secu_PrintRawString(out, &tmp, m, level); - PORT_Free(tmp.data); - return; - -loser: - SECU_PrintAsHex(out, i, m, level); - if (tmp.data) - PORT_Free(tmp.data); -} - -static void -secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level) -{ - unsigned char * s; - unsigned char * d; - int len; - SECItem tmp = {0, 0, 0}; - SECItem my = *i; - - if (SECSuccess != SECU_StripTagAndLength(&my)) - goto loser; - if (my.len % 4) - goto loser; - len = (int)(my.len / 4); - tmp.data = (unsigned char *)PORT_Alloc(len); - if (!tmp.data) - goto loser; - tmp.len = len; - for (s = my.data, d = tmp.data ; len > 0; len--) { - PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3]; - s += 4; - if (!isprint(bmpChar)) - goto loser; - *d++ = (unsigned char)bmpChar; - } - secu_PrintRawString(out, &tmp, m, level); - PORT_Free(tmp.data); - return; - -loser: - SECU_PrintAsHex(out, i, m, level); - if (tmp.data) - PORT_Free(tmp.data); -} - -static void -secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level) -{ - switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) { - case SEC_ASN1_ENUMERATED: - case SEC_ASN1_INTEGER: - SECU_PrintEncodedInteger(out, i, m, level); - break; - case SEC_ASN1_OBJECT_ID: - SECU_PrintEncodedObjectID(out, i, m, level); - break; - case SEC_ASN1_BOOLEAN: - SECU_PrintEncodedBoolean(out, i, m, level); - break; - case SEC_ASN1_UTF8_STRING: - case SEC_ASN1_PRINTABLE_STRING: - case SEC_ASN1_VISIBLE_STRING: - case SEC_ASN1_IA5_STRING: - case SEC_ASN1_T61_STRING: - SECU_PrintString(out, i, m, level); - 
break; - case SEC_ASN1_GENERALIZED_TIME: - SECU_PrintGeneralizedTime(out, i, m, level); - break; - case SEC_ASN1_UTC_TIME: - SECU_PrintUTCTime(out, i, m, level); - break; - case SEC_ASN1_NULL: - SECU_Indent(out, level); - if (m && m[0]) - fprintf(out, "%s: NULL\n", m); - else - fprintf(out, "NULL\n"); - break; - case SEC_ASN1_SET: - case SEC_ASN1_SEQUENCE: - SECU_PrintSet(out, i, m, level); - break; - case SEC_ASN1_OCTET_STRING: - secu_PrintOctetString(out, i, m, level); - break; - case SEC_ASN1_BIT_STRING: - secu_PrintBitString(out, i, m, level); - break; - case SEC_ASN1_BMP_STRING: - secu_PrintBMPString(out, i, m, level); - break; - case SEC_ASN1_UNIVERSAL_STRING: - secu_PrintUniversalString(out, i, m, level); - break; - default: - SECU_PrintAsHex(out, i, m, level); - break; - } -} - -void -SECU_PrintAny(FILE *out, SECItem *i, char *m, int level) -{ - if ( i && i->len && i->data ) { - switch (i->data[0] & SEC_ASN1_CLASS_MASK) { - case SEC_ASN1_CONTEXT_SPECIFIC: - secu_PrintContextSpecific(out, i, m, level); - break; - case SEC_ASN1_UNIVERSAL: - secu_PrintUniversal(out, i, m, level); - break; - default: - SECU_PrintAsHex(out, i, m, level); - break; - } - } -} - -static int -secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1); - SECU_PrintTimeChoice(out, &v->notAfter, "Not After ", level+1); - return 0; -} - -/* This function does NOT expect a DER type and length. 
*/ -SECOidTag -SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level) -{ - SECOidData *oiddata; - char * oidString = NULL; - - oiddata = SECOID_FindOID(oid); - if (oiddata != NULL) { - const char *name = oiddata->desc; - SECU_Indent(out, level); - if (m != NULL) - fprintf(out, "%s: ", m); - fprintf(out, "%s\n", name); - return oiddata->offset; - } - oidString = CERT_GetOidString(oid); - if (oidString) { - SECU_Indent(out, level); - if (m != NULL) - fprintf(out, "%s: ", m); - fprintf(out, "%s\n", oidString); - PR_smprintf_free(oidString); - return SEC_OID_UNKNOWN; - } - SECU_PrintAsHex(out, oid, m, level); - return SEC_OID_UNKNOWN; -} - - -/* This function does NOT expect a DER type and length. */ -void -SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) -{ - SECU_PrintObjectID(out, &a->algorithm, m, level); - - if (a->parameters.len == 0 - || (a->parameters.len == 2 - && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { - /* No arguments or NULL argument */ - } else { - /* Print args to algorithm */ - SECU_PrintAsHex(out, &a->parameters, "Args", level+1); - } -} - -static void -secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level) -{ - SECItem *value; - int i; - char om[100]; - - if (m) { - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - } - - /* - * Should make this smarter; look at the type field and then decode - * and print the value(s) appropriately! - */ - SECU_PrintObjectID(out, &(attr->type), "Type", level+1); - if (attr->values != NULL) { - i = 0; - while ((value = attr->values[i++]) != NULL) { - sprintf(om, "Value (%d)%s", i, attr->encoded ? 
" (encoded)" : ""); - if (attr->encoded || attr->typeTag == NULL) { - SECU_PrintAny(out, value, om, level+1); - } else { - switch (attr->typeTag->offset) { - default: - SECU_PrintAsHex(out, value, om, level+1); - break; - case SEC_OID_PKCS9_CONTENT_TYPE: - SECU_PrintObjectID(out, value, om, level+1); - break; - case SEC_OID_PKCS9_SIGNING_TIME: - SECU_PrintTimeChoice(out, value, om, level+1); - break; - } - } - } - } -} - -static void -secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) -{ - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1); - SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1); - if (pk->u.rsa.publicExponent.len == 1 && - pk->u.rsa.publicExponent.data[0] == 1) { - SECU_Indent(out, level +1); fprintf(out, "Error: INVALID RSA KEY!\n"); - } -} - -static void -secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1); - SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level+1); - SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level+1); - SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level+1); -} - -#ifdef NSS_ENABLE_ECC -static void -secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) -{ - SECItem curveOID = { siBuffer, NULL, 0}; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1); - /* For named curves, the DEREncodedParams field contains an - * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID). 
- */ - if ((pk->u.ec.DEREncodedParams.len > 2) && - (pk->u.ec.DEREncodedParams.data[0] == 0x06)) { - curveOID.len = pk->u.ec.DEREncodedParams.data[1]; - curveOID.data = pk->u.ec.DEREncodedParams.data + 2; - SECU_PrintObjectID(out, &curveOID, "Curve", level +1); - } -} -#endif /* NSS_ENABLE_ECC */ - -static void -secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena, - CERTSubjectPublicKeyInfo *i, char *msg, int level) -{ - SECKEYPublicKey *pk; - - SECU_Indent(out, level); fprintf(out, "%s:\n", msg); - SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level+1); - - pk = SECKEY_ExtractPublicKey(i); - if (pk) { - switch (pk->keyType) { - case rsaKey: - secu_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1); - break; - - case dsaKey: - secu_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1); - break; - -#ifdef NSS_ENABLE_ECC - case ecKey: - secu_PrintECPublicKey(out, pk, "EC Public Key", level +1); - break; -#endif - - case dhKey: - case fortezzaKey: - case keaKey: - SECU_Indent(out, level); - fprintf(out, "unable to format this SPKI algorithm type\n"); - goto loser; - default: - SECU_Indent(out, level); - fprintf(out, "unknown SPKI algorithm type\n"); - goto loser; - } - PORT_FreeArena(pk->arena, PR_FALSE); - } else { - SECU_PrintErrMsg(out, level, "Error", "Parsing public key"); -loser: - if (i->subjectPublicKey.data) { - SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level); - } - } -} - -static SECStatus -secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level) -{ - SECItem decodedValue; - SECStatus rv; - int64 invalidTime; - char *formattedTime = NULL; - - decodedValue.data = NULL; - rv = SEC_ASN1DecodeItem (NULL, &decodedValue, - SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), - value); - if (rv == SECSuccess) { - rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue); - if (rv == SECSuccess) { - formattedTime = CERT_GenTime2FormattedAscii - (invalidTime, "%a %b %d %H:%M:%S %Y"); - SECU_Indent(out, level +1); - 
fprintf (out, "%s: %s\n", msg, formattedTime); - PORT_Free (formattedTime); - } - } - PORT_Free (decodedValue.data); - return (rv); -} - -static SECStatus -PrintExtKeyUsageExtension (FILE *out, SECItem *value, char *msg, int level) -{ - CERTOidSequence *os; - SECItem **op; - - os = CERT_DecodeOidSequence(value); - if( (CERTOidSequence *)NULL == os ) { - return SECFailure; - } - - for( op = os->oids; *op; op++ ) { - SECU_PrintObjectID(out, *op, msg, level + 1); - } - CERT_DestroyOidSequence(os); - return SECSuccess; -} - -static SECStatus -secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) { - CERTBasicConstraints constraints; - SECStatus rv; - - SECU_Indent(out, level); - if (msg) { - fprintf(out,"%s: ",msg); - } - rv = CERT_DecodeBasicConstraintValue(&constraints,value); - if (rv == SECSuccess && constraints.isCA) { - if (constraints.pathLenConstraint >= 0) { - fprintf(out,"Is a CA with a maximum path length of %d.\n", - constraints.pathLenConstraint); - } else { - fprintf(out,"Is a CA with no maximum path length.\n"); - } - } else { - fprintf(out,"Is not a CA.\n"); - } - return SECSuccess; -} - -static const char * const nsTypeBits[] = { - "SSL Client", - "SSL Server", - "S/MIME", - "Object Signing", - "Reserved", - "SSL CA", - "S/MIME CA", - "ObjectSigning CA" -}; - -/* NSCertType is merely a bit string whose bits are displayed symbolically */ -static SECStatus -secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level) -{ - int unused; - int NS_Type; - int i; - int found = 0; - SECItem my = *value; - - if ((my.data[0] != SEC_ASN1_BIT_STRING) || - SECSuccess != SECU_StripTagAndLength(&my)) { - SECU_PrintAny(out, value, "Data", level); - return SECSuccess; - } - - unused = (my.len == 2) ? 
(my.data[0] & 0x0f) : 0; - NS_Type = my.data[1] & (0xff << unused); - - - SECU_Indent(out, level); - if (msg) { - fprintf(out,"%s: ",msg); - } else { - fprintf(out,"Netscape Certificate Type: "); - } - for (i=0; i < 8; i++) { - if ( (0x80 >> i) & NS_Type) { - fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]); - found = 1; - } - } - fprintf(out, (found ? ">\n" : "none\n")); - return SECSuccess; -} - -static const char * const usageBits[] = { - "Digital Signature", /* 0x80 */ - "Non-Repudiation", /* 0x40 */ - "Key Encipherment", /* 0x20 */ - "Data Encipherment", /* 0x10 */ - "Key Agreement", /* 0x08 */ - "Certificate Signing", /* 0x04 */ - "CRL Signing", /* 0x02 */ - "Encipher Only", /* 0x01 */ - "Decipher Only", /* 0x0080 */ - NULL -}; - -/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */ -static void -secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) -{ - int unused; - int usage; - int i; - int found = 0; - SECItem my = *value; - - if ((my.data[0] != SEC_ASN1_BIT_STRING) || - SECSuccess != SECU_StripTagAndLength(&my)) { - SECU_PrintAny(out, value, "Data", level); - return; - } - - unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0; - usage = (my.len == 2) ? 
(my.data[1] & (0xff << unused)) << 8 - : (my.data[1] << 8) | - (my.data[2] & (0xff << unused)); - - SECU_Indent(out, level); - fprintf(out, "Usages: "); - for (i=0; usageBits[i]; i++) { - if ( (0x8000 >> i) & usage) { - if (found) - SECU_Indent(out, level + 2); - fprintf(out, "%s\n", usageBits[i]); - found = 1; - } - } - if (!found) { - fprintf(out, "(none)\n"); - } -} - -static void -secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level) -{ - PRStatus st; - PRNetAddr addr; - char addrBuf[80]; - - memset(&addr, 0, sizeof addr); - if (value->len == 4) { - addr.inet.family = PR_AF_INET; - memcpy(&addr.inet.ip, value->data, value->len); - } else if (value->len == 16) { - addr.ipv6.family = PR_AF_INET6; - memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len); - if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) { - /* convert to IPv4. */ - addr.inet.family = PR_AF_INET; - memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4); - memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad); - } - } else { - goto loser; - } - - st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf); - if (st == PR_SUCCESS) { - SECU_Indent(out, level); - fprintf(out, "%s: %s\n", msg, addrBuf); - } else { -loser: - SECU_PrintAsHex(out, value, msg, level); - } -} - - -static void -secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level) -{ - char label[40]; - if (msg && msg[0]) { - SECU_Indent(out, level++); fprintf(out, "%s: \n", msg); - } - switch (gname->type) { - case certOtherName : - SECU_PrintAny( out, &gname->name.OthName.name, "Other Name", level); - SECU_PrintObjectID(out, &gname->name.OthName.oid, "OID", level+1); - break; - case certDirectoryName : - SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level); - break; - case certRFC822Name : - secu_PrintRawString( out, &gname->name.other, "RFC822 Name", level); - break; - case certDNSName : - secu_PrintRawString( out, &gname->name.other, "DNS name", level); - break; - case certURI : - 
secu_PrintRawString( out, &gname->name.other, "URI", level); - break; - case certIPAddress : - secu_PrintIPAddress(out, &gname->name.other, "IP Address", level); - break; - case certRegisterID : - SECU_PrintObjectID( out, &gname->name.other, "Registered ID", level); - break; - case certX400Address : - SECU_PrintAny( out, &gname->name.other, "X400 Address", level); - break; - case certEDIPartyName : - SECU_PrintAny( out, &gname->name.other, "EDI Party", level); - break; - default: - PR_snprintf(label, sizeof label, "unknown type [%d]", - (int)gname->type - 1); - SECU_PrintAsHex(out, &gname->name.other, label, level); - break; - } -} - -static void -secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) -{ - CERTAuthKeyID *kid = NULL; - PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - kid = CERT_DecodeAuthKeyID(pool, value); - if (!kid) { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Data", level); - } else { - int keyIDPresent = (kid->keyID.data && kid->keyID.len); - int issuerPresent = kid->authCertIssuer != NULL; - int snPresent = (kid->authCertSerialNumber.data && - kid->authCertSerialNumber.len); - - if ((keyIDPresent && !issuerPresent && !snPresent) || - (!keyIDPresent && issuerPresent && snPresent)) { - /* all is well */ - } else { - SECU_Indent(out, level); - fprintf(out, - "Error: KeyID OR (Issuer AND Serial) must be present, not both.\n"); - } - if (keyIDPresent) - SECU_PrintAsHex(out, &kid->keyID, "Key ID", level); - if (issuerPresent) - secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level); - if (snPresent) - SECU_PrintInteger(out, &kid->authCertSerialNumber, - "Serial Number", level); - } - PORT_FreeArena(pool, PR_FALSE); -} - - -static void -secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level) -{ - CERTGeneralName * nameList; - CERTGeneralName * current; - 
PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - nameList = current = CERT_DecodeAltNameExtension(pool, value); - if (!current) { - if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { - /* Decoder found empty sequence, which is invalid. */ - PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); - } - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Data", level); - } else { - do { - secu_PrintGeneralName(out, current, msg, level); - current = CERT_GetNextGeneralName(current); - } while (current != nameList); - } - PORT_FreeArena(pool, PR_FALSE); -} - -static void -secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level) -{ - CERTCrlDistributionPoints * dPoints; - PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - dPoints = CERT_DecodeCRLDistributionPoints(pool, value); - if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) { - CRLDistributionPoint ** pPoints = dPoints->distPoints; - CRLDistributionPoint * pPoint; - while (NULL != (pPoint = *pPoints++)) { - if (pPoint->distPointType == generalName && - pPoint->distPoint.fullName != NULL) { - secu_PrintGeneralName(out, pPoint->distPoint.fullName, NULL, - level); -#if defined(LATER) - } else if (pPoint->distPointType == relativeDistinguishedName) { - /* print the relative name */ -#endif - } else if (pPoint->derDistPoint.data) { - SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level); - } - if (pPoint->reasons.data) { - secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons", - level); - } - if (pPoint->crlIssuer) { - secu_PrintGeneralName(out, pPoint->crlIssuer, "Issuer", level); - } - } - } else { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Data", level); - } - PORT_FreeArena(pool, PR_FALSE); -} - - 
-static void -secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, - char *msg, int level) -{ - CERTNameConstraint *head = value; - SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg); - level++; - do { - secu_PrintGeneralName(out, &value->name, NULL, level); - if (value->min.data) - SECU_PrintInteger(out, &value->min, "Minimum", level+1); - if (value->max.data) - SECU_PrintInteger(out, &value->max, "Maximum", level+1); - value = CERT_GetNextNameConstraint(value); - } while (value != head); -} - -static void -secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, char *msg, int level) -{ - CERTNameConstraints * cnstrnts; - PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value); - if (!cnstrnts) { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Raw", level); - } else { - if (cnstrnts->permited) - secu_PrintNameConstraintSubtree(out, cnstrnts->permited, - "Permitted", level); - if (cnstrnts->excluded) - secu_PrintNameConstraintSubtree(out, cnstrnts->excluded, - "Excluded", level); - } - PORT_FreeArena(pool, PR_FALSE); -} - - -static void -secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level) -{ - CERTAuthInfoAccess **infos = NULL; - PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - - if (!pool) { - SECU_PrintError("Error", "Allocating new ArenaPool"); - return; - } - infos = CERT_DecodeAuthInfoAccessExtension(pool, value); - if (!infos) { - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, value, "Raw", level); - } else { - CERTAuthInfoAccess *info; - while (NULL != (info = *infos++)) { - if (info->method.data) { - SECU_PrintObjectID(out, &info->method, "Method", level); - } else { - SECU_Indent(out,level); - fprintf(out, "Error: missing method\n"); - } - if (info->location) { - 
secu_PrintGeneralName(out, info->location, "Location", level); - } else { - SECU_PrintAny(out, &info->derLocation, "Location", level); - } - } - } - PORT_FreeArena(pool, PR_FALSE); -} - - -void -SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, - char *msg, int level) -{ - SECOidTag oidTag; - - if ( extensions ) { - if (msg && *msg) { - SECU_Indent(out, level++); fprintf(out, "%s:\n", msg); - } - - while ( *extensions ) { - SECItem *tmpitem; - - tmpitem = &(*extensions)->id; - SECU_PrintObjectID(out, tmpitem, "Name", level); - - tmpitem = &(*extensions)->critical; - if ( tmpitem->len ) { - secu_PrintBoolean(out, tmpitem, "Critical", level); - } - - oidTag = SECOID_FindOIDTag (&((*extensions)->id)); - tmpitem = &((*extensions)->value); - - switch (oidTag) { - case SEC_OID_X509_INVALID_DATE: - case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME: - secu_PrintX509InvalidDate(out, tmpitem, "Date", level ); - break; - case SEC_OID_X509_CERTIFICATE_POLICIES: - SECU_PrintPolicy(out, tmpitem, "Data", level ); - break; - case SEC_OID_NS_CERT_EXT_BASE_URL: - case SEC_OID_NS_CERT_EXT_REVOCATION_URL: - case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL: - case SEC_OID_NS_CERT_EXT_CA_CRL_URL: - case SEC_OID_NS_CERT_EXT_CA_CERT_URL: - case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL: - case SEC_OID_NS_CERT_EXT_CA_POLICY_URL: - case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL: - case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL: - case SEC_OID_OCSP_RESPONDER: - SECU_PrintString(out,tmpitem, "URL", level); - break; - case SEC_OID_NS_CERT_EXT_COMMENT: - SECU_PrintString(out,tmpitem, "Comment", level); - break; - case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME: - SECU_PrintString(out,tmpitem, "ServerName", level); - break; - case SEC_OID_NS_CERT_EXT_CERT_TYPE: - secu_PrintNSCertType(out,tmpitem,"Data",level); - break; - case SEC_OID_X509_BASIC_CONSTRAINTS: - secu_PrintBasicConstraints(out,tmpitem,"Data",level); - break; - case SEC_OID_X509_EXT_KEY_USAGE: - PrintExtKeyUsageExtension(out, tmpitem, NULL, level); - break; 
- case SEC_OID_X509_KEY_USAGE: - secu_PrintX509KeyUsage(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_AUTH_KEY_ID: - secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_SUBJECT_ALT_NAME: - case SEC_OID_X509_ISSUER_ALT_NAME: - secu_PrintAltNameExtension(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_CRL_DIST_POINTS: - secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level ); - break; - case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD: - SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL, - level ); - break; - case SEC_OID_X509_NAME_CONSTRAINTS: - secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level); - break; - case SEC_OID_X509_AUTH_INFO_ACCESS: - secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level); - break; - - case SEC_OID_X509_CRL_NUMBER: - case SEC_OID_X509_REASON_CODE: - - /* PKIX OIDs */ - case SEC_OID_PKIX_OCSP: - case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: - case SEC_OID_PKIX_OCSP_NONCE: - case SEC_OID_PKIX_OCSP_CRL: - case SEC_OID_PKIX_OCSP_RESPONSE: - case SEC_OID_PKIX_OCSP_NO_CHECK: - case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF: - case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR: - case SEC_OID_PKIX_REGCTRL_REGTOKEN: - case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR: - case SEC_OID_PKIX_REGCTRL_PKIPUBINFO: - case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS: - case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID: - case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY: - case SEC_OID_PKIX_REGINFO_UTF8_PAIRS: - case SEC_OID_PKIX_REGINFO_CERT_REQUEST: - - /* Netscape extension OIDs. 
*/ - case SEC_OID_NS_CERT_EXT_NETSCAPE_OK: - case SEC_OID_NS_CERT_EXT_ISSUER_LOGO: - case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO: - case SEC_OID_NS_CERT_EXT_ENTITY_LOGO: - case SEC_OID_NS_CERT_EXT_USER_PICTURE: - - /* x.509 v3 Extensions */ - case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR: - case SEC_OID_X509_SUBJECT_KEY_ID: - case SEC_OID_X509_POLICY_MAPPINGS: - case SEC_OID_X509_POLICY_CONSTRAINTS: - - - default: - SECU_PrintAny(out, tmpitem, "Data", level); - break; - } - - secu_Newline(out); - extensions++; - } - } -} - - -void -SECU_PrintName(FILE *out, CERTName *name, char *msg, int level) -{ - char *nameStr; - char *str; - SECItem my; - - str = nameStr = CERT_NameToAscii(name); - if (!str) { - str = "!Invalid AVA!"; - } - my.data = (unsigned char *)str; - my.len = PORT_Strlen(str); -#if 1 - secu_PrintRawString(out, &my, msg, level); -#else - SECU_Indent(out, level); fprintf(out, "%s: ", msg); - fprintf(out, str); - secu_Newline(out); -#endif - PORT_Free(nameStr); -} - -void -printflags(char *trusts, unsigned int flags) -{ - if (flags & CERTDB_VALID_CA) - if (!(flags & CERTDB_TRUSTED_CA) && - !(flags & CERTDB_TRUSTED_CLIENT_CA)) - PORT_Strcat(trusts, "c"); - if (flags & CERTDB_VALID_PEER) - if (!(flags & CERTDB_TRUSTED)) - PORT_Strcat(trusts, "p"); - if (flags & CERTDB_TRUSTED_CA) - PORT_Strcat(trusts, "C"); - if (flags & CERTDB_TRUSTED_CLIENT_CA) - PORT_Strcat(trusts, "T"); - if (flags & CERTDB_TRUSTED) - PORT_Strcat(trusts, "P"); - if (flags & CERTDB_USER) - PORT_Strcat(trusts, "u"); - if (flags & CERTDB_SEND_WARN) - PORT_Strcat(trusts, "w"); - if (flags & CERTDB_INVISIBLE_CA) - PORT_Strcat(trusts, "I"); - if (flags & CERTDB_GOVT_APPROVED_CA) - PORT_Strcat(trusts, "G"); - return; -} - -/* callback for listing certs through pkcs11 */ -SECStatus -SECU_PrintCertNickname(CERTCertListNode *node, void *data) -{ - CERTCertTrust *trust; - CERTCertificate* cert; - FILE *out; - char trusts[30]; - char *name; - - cert = node->cert; - - PORT_Memset (trusts, 0, sizeof (trusts)); - 
out = (FILE *)data; - - name = node->appData; - if (!name || !name[0]) { - name = cert->nickname; - } - if (!name || !name[0]) { - name = cert->emailAddr; - } - if (!name || !name[0]) { - name = "(NULL)"; - } - - trust = cert->trust; - if (trust) { - printflags(trusts, trust->sslFlags); - PORT_Strcat(trusts, ","); - printflags(trusts, trust->emailFlags); - PORT_Strcat(trusts, ","); - printflags(trusts, trust->objectSigningFlags); - } else { - PORT_Memcpy(trusts,",,",3); - } - fprintf(out, "%-60s %-5s\n", name, trusts); - - return (SECSuccess); -} - -int -SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, char *m, int level) -{ - CERTCertExtension **extensions = NULL; - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - int rv = 0; - - if (!arena) - return SEC_ERROR_NO_MEMORY; - - rv = SEC_QuickDERDecodeItem(arena, &extensions, - SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any); - if (!rv) - SECU_PrintExtensions(out, extensions, m, level); - else - SECU_PrintAny(out, any, m, level); - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -/* print a decoded SET OF or SEQUENCE OF Extensions */ -int -SECU_PrintSetOfExtensions(FILE *out, SECItem **any, char *m, int level) -{ - int rv = 0; - if (m && *m) { - SECU_Indent(out, level++); fprintf(out, "%s:\n", m); - } - while (any && any[0]) { - rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level); - any++; - } - return rv; -} - -/* print a decoded SET OF or SEQUENCE OF "ANY" */ -int -SECU_PrintSetOfAny(FILE *out, SECItem **any, char *m, int level) -{ - int rv = 0; - if (m && *m) { - SECU_Indent(out, level++); fprintf(out, "%s:\n", m); - } - while (any && any[0]) { - SECU_PrintAny(out, any[0], "", level); - any++; - } - return rv; -} - -int -SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, char *m, int level) -{ - int rv = 0; - SECOidTag tag; - tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level); - if (tag == SEC_OID_PKCS9_EXTENSION_REQUEST) { - rv = 
SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level); - } else { - rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level); - } - return rv; -} - -int -SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level) -{ - int rv = 0; - while (attrs[0]) { - rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1); - attrs++; - } - return rv; -} - -int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ -SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTCertificateRequest *cr; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - /* Decode certificate request */ - cr = PORT_ArenaZNew(arena, CERTCertificateRequest); - if (!cr) - goto loser; - cr->arena = arena; - rv = SEC_QuickDERDecodeItem(arena, cr, - SEC_ASN1_GET(CERT_CertificateRequestTemplate), der); - if (rv) - goto loser; - - /* Pretty print it out */ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &cr->version, "Version", level+1); - SECU_PrintName(out, &cr->subject, "Subject", level+1); - secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo, - "Subject Public Key Info", level+1); - if (cr->attributes) - SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1); - rv = 0; -loser: - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -int -SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTCertificate *c; - int rv = SEC_ERROR_NO_MEMORY; - int iv; - - if (!arena) - return rv; - - /* Decode certificate */ - c = PORT_ArenaZNew(arena, CERTCertificate); - if (!c) - goto loser; - c->arena = arena; - rv = SEC_ASN1DecodeItem(arena, c, - SEC_ASN1_GET(CERT_CertificateTemplate), der); - if (rv) { - SECU_Indent(out, level); - SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); - SECU_PrintAny(out, der, "Raw", level); 
- goto loser; - } - /* Pretty print it out */ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - iv = c->version.len ? DER_GetInteger(&c->version) : 0; /* version is optional */ - SECU_Indent(out, level+1); fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); - - SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level+1); - SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level+1); - SECU_PrintName(out, &c->issuer, "Issuer", level+1); - secu_PrintValidity(out, &c->validity, "Validity", level+1); - SECU_PrintName(out, &c->subject, "Subject", level+1); - secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo, - "Subject Public Key Info", level+1); - if (c->issuerID.data) - secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level+1); - if (c->subjectID.data) - secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level+1); - SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level+1); -loser: - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -int -SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - SECKEYPublicKey key; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - PORT_Memset(&key, 0, sizeof(key)); - rv = SEC_ASN1DecodeItem(arena, &key, - SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate), der); - if (!rv) { - /* Pretty print it out */ - secu_PrintRSAPublicKey(out, &key, m, level); - } - - PORT_FreeArena(arena, PR_FALSE); - return rv; -} - -#ifdef HAVE_EPV_TEMPLATE -int -SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - SECKEYEncryptedPrivateKeyInfo key; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - PORT_Memset(&key, 0, sizeof(key)); - rv = SEC_ASN1DecodeItem(arena, &key, - SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der); - if (rv) - goto loser; - - /* Pretty print it out */ - 
SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm", - level+1); - SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level+1); -loser: - PORT_FreeArena(arena, PR_TRUE); - return rv; -} -#endif - -int -SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level) -{ - unsigned char fingerprint[20]; - char *fpStr = NULL; - int err = PORT_GetError(); - SECStatus rv; - SECItem fpItem; - - /* print MD5 fingerprint */ - memset(fingerprint, 0, sizeof fingerprint); - rv = PK11_HashBuf(SEC_OID_MD5,fingerprint, derCert->data, derCert->len); - fpItem.data = fingerprint; - fpItem.len = MD5_LENGTH; - fpStr = CERT_Hexify(&fpItem, 1); - SECU_Indent(out, level); fprintf(out, "%s (MD5):\n", m); - SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); - PORT_Free(fpStr); - fpStr = NULL; - if (rv != SECSuccess && !err) - err = PORT_GetError(); - - /* print SHA1 fingerprint */ - memset(fingerprint, 0, sizeof fingerprint); - rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len); - fpItem.data = fingerprint; - fpItem.len = SHA1_LENGTH; - fpStr = CERT_Hexify(&fpItem, 1); - SECU_Indent(out, level); fprintf(out, "%s (SHA1):\n", m); - SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr); - PORT_Free(fpStr); - fprintf(out, "\n"); - - if (err) - PORT_SetError(err); - if (err || rv != SECSuccess) - return SECFailure; - - return 0; -} - -/* -** PKCS7 Support -*/ - -/* forward declaration */ -static int -secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *, int); - -/* -** secu_PrintPKCS7EncContent -** Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it) -*/ -static void -secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, - char *m, int level) -{ - if (src->contentTypeTag == NULL) - src->contentTypeTag = SECOID_FindOID(&(src->contentType)); - - SECU_Indent(out, level); - fprintf(out, "%s:\n", m); - SECU_Indent(out, level + 1); - fprintf(out, 
"Content Type: %s\n", - (src->contentTypeTag != NULL) ? src->contentTypeTag->desc - : "Unknown"); - SECU_PrintAlgorithmID(out, &(src->contentEncAlg), - "Content Encryption Algorithm", level+1); - SECU_PrintAsHex(out, &(src->encContent), - "Encrypted Content", level+1); -} - -/* -** secu_PrintRecipientInfo -** Prints a PKCS7RecipientInfo type -*/ -static void -secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, - int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(info->version), "Version", level + 1); - - SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", - level + 1); - SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), - "Serial Number", level + 1); - - /* Parse and display encrypted key */ - SECU_PrintAlgorithmID(out, &(info->keyEncAlg), - "Key Encryption Algorithm", level + 1); - SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1); -} - -/* -** secu_PrintSignerInfo -** Prints a PKCS7SingerInfo type -*/ -static void -secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level) -{ - SEC_PKCS7Attribute *attr; - int iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(info->version), "Version", level + 1); - - SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", - level + 1); - SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), - "Serial Number", level + 1); - - SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm", - level + 1); - - if (info->authAttr != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Authenticated Attributes:\n"); - iv = 0; - while ((attr = info->authAttr[iv++]) != NULL) { - sprintf(om, "Attribute (%d)", iv); - secu_PrintAttribute(out, attr, om, level + 2); - } - } - - /* Parse and display signature */ - SECU_PrintAlgorithmID(out, &(info->digestEncAlg), - "Digest Encryption Algorithm", level + 1); - SECU_PrintAsHex(out, &(info->encDigest), "Encrypted 
Digest", level + 1); - - if (info->unAuthAttr != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Unauthenticated Attributes:\n"); - iv = 0; - while ((attr = info->unAuthAttr[iv++]) != NULL) { - sprintf(om, "Attribute (%x)", iv); - secu_PrintAttribute(out, attr, om, level + 2); - } - } -} - -/* callers of this function must make sure that the CERTSignedCrl - from which they are extracting the CERTCrl has been fully-decoded. - Otherwise it will not have the entries even though the CRL may have - some */ - -void -SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level) -{ - CERTCrlEntry *entry; - int iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - /* version is optional */ - iv = crl->version.len ? DER_GetInteger(&crl->version) : 0; - SECU_Indent(out, level+1); - fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); - SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm", - level + 1); - SECU_PrintName(out, &(crl->name), "Issuer", level + 1); - SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1); - if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */ - SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1); - - if (crl->entries != NULL) { - iv = 0; - while ((entry = crl->entries[iv++]) != NULL) { - sprintf(om, "Entry (%x):\n", iv); - SECU_Indent(out, level + 1); fprintf(out, om); - SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number", - level + 2); - SECU_PrintTimeChoice(out, &(entry->revocationDate), - "Revocation Date", level + 2); - SECU_PrintExtensions(out, entry->extensions, - "Entry Extensions", level + 2); - } - } - SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1); -} - -/* -** secu_PrintPKCS7Signed -** Pretty print a PKCS7 signed data type (up to version 1). 
-*/ -static int -secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src, - const char *m, int level) -{ - SECAlgorithmID *digAlg; /* digest algorithms */ - SECItem *aCert; /* certificate */ - CERTSignedCrl *aCrl; /* certificate revocation list */ - SEC_PKCS7SignerInfo *sigInfo; /* signer information */ - int rv, iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - /* Parse and list digest algorithms (if any) */ - if (src->digestAlgorithms != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); - iv = 0; - while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { - sprintf(om, "Digest Algorithm (%x)", iv); - SECU_PrintAlgorithmID(out, digAlg, om, level + 2); - } - } - - /* Now for the content */ - rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo), - "Content Information", level + 1); - if (rv != 0) - return rv; - - /* Parse and list certificates (if any) */ - if (src->rawCerts != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); - iv = 0; - while ((aCert = src->rawCerts[iv++]) != NULL) { - sprintf(om, "Certificate (%x)", iv); - rv = SECU_PrintSignedData(out, aCert, om, level + 2, - SECU_PrintCertificate); - if (rv) - return rv; - } - } - - /* Parse and list CRL's (if any) */ - if (src->crls != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signed Revocation Lists:\n"); - iv = 0; - while ((aCrl = src->crls[iv++]) != NULL) { - sprintf(om, "Signed Revocation List (%x)", iv); - SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); - SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, - "Signature Algorithm", level+3); - DER_ConvertBitString(&aCrl->signatureWrap.signature); - SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", - level+3); - SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", - level + 3); - } - } - - /* Parse and list signatures (if any) */ - if 
(src->signerInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signer Information List:\n"); - iv = 0; - while ((sigInfo = src->signerInfos[iv++]) != NULL) { - sprintf(om, "Signer Information (%x)", iv); - secu_PrintSignerInfo(out, sigInfo, om, level + 2); - } - } - - return 0; -} - -/* -** secu_PrintPKCS7Enveloped -** Pretty print a PKCS7 enveloped data type (up to version 1). -*/ -static void -secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src, - const char *m, int level) -{ - SEC_PKCS7RecipientInfo *recInfo; /* pointer for signer information */ - int iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - /* Parse and list recipients (this is not optional) */ - if (src->recipientInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Recipient Information List:\n"); - iv = 0; - while ((recInfo = src->recipientInfos[iv++]) != NULL) { - sprintf(om, "Recipient Information (%x)", iv); - secu_PrintRecipientInfo(out, recInfo, om, level + 2); - } - } - - secu_PrintPKCS7EncContent(out, &src->encContentInfo, - "Encrypted Content Information", level + 1); -} - -/* -** secu_PrintPKCS7SignedEnveloped -** Pretty print a PKCS7 singed and enveloped data type (up to version 1). 
-*/ -static int -secu_PrintPKCS7SignedAndEnveloped(FILE *out, - SEC_PKCS7SignedAndEnvelopedData *src, - const char *m, int level) -{ - SECAlgorithmID *digAlg; /* pointer for digest algorithms */ - SECItem *aCert; /* pointer for certificate */ - CERTSignedCrl *aCrl; /* pointer for certificate revocation list */ - SEC_PKCS7SignerInfo *sigInfo; /* pointer for signer information */ - SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */ - int rv, iv; - char om[100]; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - /* Parse and list recipients (this is not optional) */ - if (src->recipientInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Recipient Information List:\n"); - iv = 0; - while ((recInfo = src->recipientInfos[iv++]) != NULL) { - sprintf(om, "Recipient Information (%x)", iv); - secu_PrintRecipientInfo(out, recInfo, om, level + 2); - } - } - - /* Parse and list digest algorithms (if any) */ - if (src->digestAlgorithms != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Digest Algorithm List:\n"); - iv = 0; - while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { - sprintf(om, "Digest Algorithm (%x)", iv); - SECU_PrintAlgorithmID(out, digAlg, om, level + 2); - } - } - - secu_PrintPKCS7EncContent(out, &src->encContentInfo, - "Encrypted Content Information", level + 1); - - /* Parse and list certificates (if any) */ - if (src->rawCerts != NULL) { - SECU_Indent(out, level + 1); fprintf(out, "Certificate List:\n"); - iv = 0; - while ((aCert = src->rawCerts[iv++]) != NULL) { - sprintf(om, "Certificate (%x)", iv); - rv = SECU_PrintSignedData(out, aCert, om, level + 2, - SECU_PrintCertificate); - if (rv) - return rv; - } - } - - /* Parse and list CRL's (if any) */ - if (src->crls != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signed Revocation Lists:\n"); - iv = 0; - while ((aCrl = src->crls[iv++]) != NULL) { - sprintf(om, "Signed Revocation List 
(%x)", iv); - SECU_Indent(out, level + 2); fprintf(out, "%s:\n", om); - SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, - "Signature Algorithm", level+3); - DER_ConvertBitString(&aCrl->signatureWrap.signature); - SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", - level+3); - SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", - level + 3); - } - } - - /* Parse and list signatures (if any) */ - if (src->signerInfos != NULL) { - SECU_Indent(out, level + 1); - fprintf(out, "Signer Information List:\n"); - iv = 0; - while ((sigInfo = src->signerInfos[iv++]) != NULL) { - sprintf(om, "Signer Information (%x)", iv); - secu_PrintSignerInfo(out, sigInfo, om, level + 2); - } - } - - return 0; -} - -int -SECU_PrintCrl (FILE *out, SECItem *der, char *m, int level) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTCrl *c = NULL; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - do { - /* Decode CRL */ - c = PORT_ArenaZNew(arena, CERTCrl); - if (!c) - break; - - rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der); - if (rv != SECSuccess) - break; - SECU_PrintCRLInfo (out, c, m, level); - } while (0); - PORT_FreeArena (arena, PR_FALSE); - return rv; -} - - -/* -** secu_PrintPKCS7Encrypted -** Pretty print a PKCS7 encrypted data type (up to version 1). -*/ -static void -secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src, - const char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - secu_PrintPKCS7EncContent(out, &src->encContentInfo, - "Encrypted Content Information", level + 1); -} - -/* -** secu_PrintPKCS7Digested -** Pretty print a PKCS7 digested data type (up to version 1). 
-*/ -static void -secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src, - const char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_PrintInteger(out, &(src->version), "Version", level + 1); - - SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm", - level + 1); - secu_PrintPKCS7ContentInfo(out, &src->contentInfo, "Content Information", - level + 1); - SECU_PrintAsHex(out, &src->digest, "Digest", level + 1); -} - -/* -** secu_PrintPKCS7ContentInfo -** Takes a SEC_PKCS7ContentInfo type and sends the contents to the -** appropriate function -*/ -static int -secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, - char *m, int level) -{ - const char *desc; - SECOidTag kind; - int rv; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - level++; - - if (src->contentTypeTag == NULL) - src->contentTypeTag = SECOID_FindOID(&(src->contentType)); - - if (src->contentTypeTag == NULL) { - desc = "Unknown"; - kind = SEC_OID_PKCS7_DATA; - } else { - desc = src->contentTypeTag->desc; - kind = src->contentTypeTag->offset; - } - - if (src->content.data == NULL) { - SECU_Indent(out, level); fprintf(out, "%s:\n", desc); - level++; - SECU_Indent(out, level); fprintf(out, "<no content>\n"); - return 0; - } - - rv = 0; - switch (kind) { - case SEC_OID_PKCS7_SIGNED_DATA: /* Signed Data */ - rv = secu_PrintPKCS7Signed(out, src->content.signedData, desc, level); - break; - - case SEC_OID_PKCS7_ENVELOPED_DATA: /* Enveloped Data */ - secu_PrintPKCS7Enveloped(out, src->content.envelopedData, desc, level); - break; - - case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA: /* Signed and Enveloped */ - rv = secu_PrintPKCS7SignedAndEnveloped(out, - src->content.signedAndEnvelopedData, - desc, level); - break; - - case SEC_OID_PKCS7_DIGESTED_DATA: /* Digested Data */ - secu_PrintPKCS7Digested(out, src->content.digestedData, desc, level); - break; - - case SEC_OID_PKCS7_ENCRYPTED_DATA: /* Encrypted Data */ - secu_PrintPKCS7Encrypted(out, 
src->content.encryptedData, desc, level); - break; - - default: - SECU_PrintAsHex(out, src->content.data, desc, level); - break; - } - - return rv; -} - -/* -** SECU_PrintPKCS7ContentInfo -** Decode and print any major PKCS7 data type (up to version 1). -*/ -int -SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level) -{ - SEC_PKCS7ContentInfo *cinfo; - int rv; - - cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL); - if (cinfo != NULL) { - /* Send it to recursive parsing and printing module */ - rv = secu_PrintPKCS7ContentInfo(out, cinfo, m, level); - SEC_PKCS7DestroyContentInfo(cinfo); - } else { - rv = -1; - } - - return rv; -} - -/* -** End of PKCS7 functions -*/ - -void -printFlags(FILE *out, unsigned int flags, int level) -{ - if ( flags & CERTDB_VALID_PEER ) { - SECU_Indent(out, level); fprintf(out, "Valid Peer\n"); - } - if ( flags & CERTDB_TRUSTED ) { - SECU_Indent(out, level); fprintf(out, "Trusted\n"); - } - if ( flags & CERTDB_SEND_WARN ) { - SECU_Indent(out, level); fprintf(out, "Warn When Sending\n"); - } - if ( flags & CERTDB_VALID_CA ) { - SECU_Indent(out, level); fprintf(out, "Valid CA\n"); - } - if ( flags & CERTDB_TRUSTED_CA ) { - SECU_Indent(out, level); fprintf(out, "Trusted CA\n"); - } - if ( flags & CERTDB_NS_TRUSTED_CA ) { - SECU_Indent(out, level); fprintf(out, "Netscape Trusted CA\n"); - } - if ( flags & CERTDB_USER ) { - SECU_Indent(out, level); fprintf(out, "User\n"); - } - if ( flags & CERTDB_TRUSTED_CLIENT_CA ) { - SECU_Indent(out, level); fprintf(out, "Trusted Client CA\n"); - } - if ( flags & CERTDB_GOVT_APPROVED_CA ) { - SECU_Indent(out, level); fprintf(out, "Step-up\n"); - } -} - -void -SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level) -{ - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n"); - printFlags(out, trust->sslFlags, level+2); - SECU_Indent(out, level+1); fprintf(out, "Email Flags:\n"); - 
printFlags(out, trust->emailFlags, level+2); - SECU_Indent(out, level+1); fprintf(out, "Object Signing Flags:\n"); - printFlags(out, trust->objectSigningFlags, level+2); -} - -int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, - int level, SECU_PPFunc inner) -{ - PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERTSignedData *sd; - int rv = SEC_ERROR_NO_MEMORY; - - if (!arena) - return rv; - - /* Strip off the signature */ - sd = PORT_ArenaZNew(arena, CERTSignedData); - if (!sd) - goto loser; - - rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), - der); - if (rv) - goto loser; - - SECU_Indent(out, level); fprintf(out, "%s:\n", m); - rv = (*inner)(out, &sd->data, "Data", level+1); - - SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm", - level+1); - DER_ConvertBitString(&sd->signature); - SECU_PrintAsHex(out, &sd->signature, "Signature", level+1); - SECU_PrintFingerprints(out, der, "Fingerprint", level+1); -loser: - PORT_FreeArena(arena, PR_FALSE); - return rv; - -} - -SECStatus -SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd) -{ - PRBool found; - PLOptState *optstate; - PLOptStatus status; - char *optstring; - int i, j; - - optstring = (char *)malloc(cmd->numCommands + 2*cmd->numOptions); - j = 0; - - for (i=0; i<cmd->numCommands; i++) { - optstring[j++] = cmd->commands[i].flag; - } - for (i=0; i<cmd->numOptions; i++) { - optstring[j++] = cmd->options[i].flag; - if (cmd->options[i].needsArg) - optstring[j++] = ':'; - } - optstring[j] = '\0'; - optstate = PL_CreateOptState(argc, argv, optstring); - - /* Parse command line arguments */ - while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { - - /* Wasn't really an option, just standalone arg. 
*/ - if (optstate->option == '\0') - continue; - - found = PR_FALSE; - - for (i=0; i<cmd->numCommands; i++) { - if (cmd->commands[i].flag == optstate->option) { - cmd->commands[i].activated = PR_TRUE; - if (optstate->value) { - cmd->commands[i].arg = (char *)optstate->value; - } - found = PR_TRUE; - break; - } - } - - if (found) - continue; - - for (i=0; i<cmd->numOptions; i++) { - if (cmd->options[i].flag == optstate->option) { - cmd->options[i].activated = PR_TRUE; - if (optstate->value) { - cmd->options[i].arg = (char *)optstate->value; - } else if (cmd->options[i].needsArg) { - return SECFailure; - } - found = PR_TRUE; - break; - } - } - - if (!found) - return SECFailure; - } - if (status == PL_OPT_BAD) - return SECFailure; - return SECSuccess; -} - -char * -SECU_GetOptionArg(secuCommand *cmd, int optionNum) -{ - if (optionNum < 0 || optionNum >= cmd->numOptions) - return NULL; - if (cmd->options[optionNum].activated) - return PL_strdup(cmd->options[optionNum].arg); - else - return NULL; -} - -static char SECUErrorBuf[64]; - -char * -SECU_ErrorStringRaw(int16 err) -{ - if (err == 0) - SECUErrorBuf[0] = '\0'; - else if (err == SEC_ERROR_BAD_DATA) - sprintf(SECUErrorBuf, "Bad data"); - else if (err == SEC_ERROR_BAD_DATABASE) - sprintf(SECUErrorBuf, "Problem with database"); - else if (err == SEC_ERROR_BAD_DER) - sprintf(SECUErrorBuf, "Problem with DER"); - else if (err == SEC_ERROR_BAD_KEY) - sprintf(SECUErrorBuf, "Problem with key"); - else if (err == SEC_ERROR_BAD_PASSWORD) - sprintf(SECUErrorBuf, "Incorrect password"); - else if (err == SEC_ERROR_BAD_SIGNATURE) - sprintf(SECUErrorBuf, "Bad signature"); - else if (err == SEC_ERROR_EXPIRED_CERTIFICATE) - sprintf(SECUErrorBuf, "Expired certificate"); - else if (err == SEC_ERROR_EXTENSION_VALUE_INVALID) - sprintf(SECUErrorBuf, "Invalid extension value"); - else if (err == SEC_ERROR_INPUT_LEN) - sprintf(SECUErrorBuf, "Problem with input length"); - else if (err == SEC_ERROR_INVALID_ALGORITHM) - 
sprintf(SECUErrorBuf, "Invalid algorithm"); - else if (err == SEC_ERROR_INVALID_ARGS) - sprintf(SECUErrorBuf, "Invalid arguments"); - else if (err == SEC_ERROR_INVALID_AVA) - sprintf(SECUErrorBuf, "Invalid AVA"); - else if (err == SEC_ERROR_INVALID_TIME) - sprintf(SECUErrorBuf, "Invalid time"); - else if (err == SEC_ERROR_IO) - sprintf(SECUErrorBuf, "Security I/O error"); - else if (err == SEC_ERROR_LIBRARY_FAILURE) - sprintf(SECUErrorBuf, "Library failure"); - else if (err == SEC_ERROR_NO_MEMORY) - sprintf(SECUErrorBuf, "Out of memory"); - else if (err == SEC_ERROR_OLD_CRL) - sprintf(SECUErrorBuf, "CRL is older than the current one"); - else if (err == SEC_ERROR_OUTPUT_LEN) - sprintf(SECUErrorBuf, "Problem with output length"); - else if (err == SEC_ERROR_UNKNOWN_ISSUER) - sprintf(SECUErrorBuf, "Unknown issuer"); - else if (err == SEC_ERROR_UNTRUSTED_CERT) - sprintf(SECUErrorBuf, "Untrusted certificate"); - else if (err == SEC_ERROR_UNTRUSTED_ISSUER) - sprintf(SECUErrorBuf, "Untrusted issuer"); - else if (err == SSL_ERROR_BAD_CERTIFICATE) - sprintf(SECUErrorBuf, "Bad certificate"); - else if (err == SSL_ERROR_BAD_CLIENT) - sprintf(SECUErrorBuf, "Bad client"); - else if (err == SSL_ERROR_BAD_SERVER) - sprintf(SECUErrorBuf, "Bad server"); - else if (err == SSL_ERROR_EXPORT_ONLY_SERVER) - sprintf(SECUErrorBuf, "Export only server"); - else if (err == SSL_ERROR_NO_CERTIFICATE) - sprintf(SECUErrorBuf, "No certificate"); - else if (err == SSL_ERROR_NO_CYPHER_OVERLAP) - sprintf(SECUErrorBuf, "No cypher overlap"); - else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE) - sprintf(SECUErrorBuf, "Unsupported certificate type"); - else if (err == SSL_ERROR_UNSUPPORTED_VERSION) - sprintf(SECUErrorBuf, "Unsupported version"); - else if (err == SSL_ERROR_US_ONLY_SERVER) - sprintf(SECUErrorBuf, "U.S. 
only server"); - else if (err == PR_IO_ERROR) - sprintf(SECUErrorBuf, "I/O error"); - - else if (err == SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE) - sprintf (SECUErrorBuf, "Expired Issuer Certificate"); - else if (err == SEC_ERROR_REVOKED_CERTIFICATE) - sprintf (SECUErrorBuf, "Revoked certificate"); - else if (err == SEC_ERROR_NO_KEY) - sprintf (SECUErrorBuf, "No private key in database for this cert"); - else if (err == SEC_ERROR_CERT_NOT_VALID) - sprintf (SECUErrorBuf, "Certificate is not valid"); - else if (err == SEC_ERROR_EXTENSION_NOT_FOUND) - sprintf (SECUErrorBuf, "Certificate extension was not found"); - else if (err == SEC_ERROR_CA_CERT_INVALID) - sprintf (SECUErrorBuf, "Issuer certificate is invalid"); - else if (err == SEC_ERROR_CERT_USAGES_INVALID) - sprintf (SECUErrorBuf, "Certificate usages is invalid"); - else if (err == SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION) - sprintf (SECUErrorBuf, "Certificate has unknown critical extension"); - else if (err == SEC_ERROR_PKCS7_BAD_SIGNATURE) - sprintf (SECUErrorBuf, "Bad PKCS7 signature"); - else if (err == SEC_ERROR_INADEQUATE_KEY_USAGE) - sprintf (SECUErrorBuf, "Certificate not approved for this operation"); - else if (err == SEC_ERROR_INADEQUATE_CERT_TYPE) - sprintf (SECUErrorBuf, "Certificate not approved for this operation"); - - return SECUErrorBuf; -} - -char * -SECU_ErrorString(int16 err) -{ - char *error_string; - - *SECUErrorBuf = 0; - SECU_ErrorStringRaw (err); - - if (*SECUErrorBuf == 0) { - error_string = SECU_GetString(err); - if (error_string == NULL || *error_string == '\0') - sprintf(SECUErrorBuf, "No error string found for %d.", err); - else - return error_string; - } - - return SECUErrorBuf; -} - - -void -SECU_PrintPRandOSError(char *progName) -{ - char buffer[513]; - PRInt32 errLen = PR_GetErrorTextLength(); - if (errLen > 0 && errLen < sizeof buffer) { - PR_GetErrorText(buffer); - } - SECU_PrintError(progName, "function failed"); - if (errLen > 0 && errLen < sizeof buffer) { - PR_fprintf(PR_STDERR, 
"\t%s\n", buffer); - } -} - - -static char * -bestCertName(CERTCertificate *cert) { - if (cert->nickname) { - return cert->nickname; - } - if (cert->emailAddr && cert->emailAddr[0]) { - return cert->emailAddr; - } - return cert->subjectName; -} - -void -SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, - CERTCertificate *cert, PRBool checksig, - SECCertificateUsage certUsage, void *pinArg, PRBool verbose) -{ - CERTVerifyLog log; - CERTVerifyLogNode *node = NULL; - unsigned int depth = (unsigned int)-1; - unsigned int flags = 0; - char * errstr = NULL; - PRErrorCode err = PORT_GetError(); - - log.arena = PORT_NewArena(512); - log.head = log.tail = NULL; - log.count = 0; - CERT_VerifyCertificate(handle, cert, checksig, certUsage, PR_Now(), pinArg, &log, NULL); - - if (log.count > 0) { - fprintf(outfile,"PROBLEM WITH THE CERT CHAIN:\n"); - for (node = log.head; node; node = node->next) { - if (depth != node->depth) { - depth = node->depth; - fprintf(outfile,"CERT %d. %s %s:\n", depth, - bestCertName(node->cert), - depth ? 
"[Certificate Authority]": ""); - if (verbose) { - const char * emailAddr; - emailAddr = CERT_GetFirstEmailAddress(node->cert); - if (emailAddr) { - fprintf(outfile,"Email Address(es): "); - do { - fprintf(outfile, "%s\n", emailAddr); - emailAddr = CERT_GetNextEmailAddress(node->cert, - emailAddr); - } while (emailAddr); - } - } - } - fprintf(outfile," ERROR %ld: %s\n", node->error, - SECU_Strerror(node->error)); - errstr = NULL; - switch (node->error) { - case SEC_ERROR_INADEQUATE_KEY_USAGE: - flags = (unsigned int)node->arg; - switch (flags) { - case KU_DIGITAL_SIGNATURE: - errstr = "Cert cannot sign."; - break; - case KU_KEY_ENCIPHERMENT: - errstr = "Cert cannot encrypt."; - break; - case KU_KEY_CERT_SIGN: - errstr = "Cert cannot sign other certs."; - break; - default: - errstr = "[unknown usage]."; - break; - } - case SEC_ERROR_INADEQUATE_CERT_TYPE: - flags = (unsigned int)node->arg; - switch (flags) { - case NS_CERT_TYPE_SSL_CLIENT: - case NS_CERT_TYPE_SSL_SERVER: - errstr = "Cert cannot be used for SSL."; - break; - case NS_CERT_TYPE_SSL_CA: - errstr = "Cert cannot be used as an SSL CA."; - break; - case NS_CERT_TYPE_EMAIL: - errstr = "Cert cannot be used for SMIME."; - break; - case NS_CERT_TYPE_EMAIL_CA: - errstr = "Cert cannot be used as an SMIME CA."; - break; - case NS_CERT_TYPE_OBJECT_SIGNING: - errstr = "Cert cannot be used for object signing."; - break; - case NS_CERT_TYPE_OBJECT_SIGNING_CA: - errstr = "Cert cannot be used as an object signing CA."; - break; - default: - errstr = "[unknown usage]."; - break; - } - case SEC_ERROR_UNKNOWN_ISSUER: - case SEC_ERROR_UNTRUSTED_ISSUER: - case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: - errstr = node->cert->issuerName; - break; - default: - break; - } - if (errstr) { - fprintf(stderr," %s\n",errstr); - } - CERT_DestroyCertificate(node->cert); - } - } - PORT_SetError(err); /* restore original error code */ -} - -SECOidTag -SECU_StringToSignatureAlgTag(const char *alg) -{ - SECOidTag hashAlgTag = SEC_OID_UNKNOWN; - 
- if (alg) { - if (!PL_strcmp(alg, "MD2")) { - hashAlgTag = SEC_OID_MD2; - } else if (!PL_strcmp(alg, "MD4")) { - hashAlgTag = SEC_OID_MD4; - } else if (!PL_strcmp(alg, "MD5")) { - hashAlgTag = SEC_OID_MD5; - } else if (!PL_strcmp(alg, "SHA1")) { - hashAlgTag = SEC_OID_SHA1; - } else if (!PL_strcmp(alg, "SHA256")) { - hashAlgTag = SEC_OID_SHA256; - } else if (!PL_strcmp(alg, "SHA384")) { - hashAlgTag = SEC_OID_SHA384; - } else if (!PL_strcmp(alg, "SHA512")) { - hashAlgTag = SEC_OID_SHA512; - } - } - return hashAlgTag; -} - - -SECStatus -SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile, - const PRBool ascii, char *url) -{ - PORT_Assert(derCrl != NULL); - if (!derCrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - if (outFile != NULL) { - if (ascii) { - PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER, - BTOA_DataToAscii(derCrl->data, derCrl->len), - NS_CRL_TRAILER); - } else { - if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) { - return SECFailure; - } - } - } - if (slot) { - CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url, - SEC_CRL_TYPE, NULL, 0, NULL, 0); - if (newCrl != NULL) { - SEC_DestroyCrl(newCrl); - return SECSuccess; - } - return SECFailure; - } - if (!outFile && !slot) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - return SECSuccess; -} - -SECStatus -SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, - SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode) -{ - SECItem der; - SECKEYPrivateKey *caPrivateKey = NULL; - SECStatus rv; - PRArenaPool *arena; - SECOidTag algID; - void *dummy; - - PORT_Assert(issuer != NULL && signCrl != NULL); - if (!issuer || !signCrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - arena = signCrl->arena; - - caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL); - if (caPrivateKey == NULL) { - *resCode = noKeyFound; - return SECFailure; - } - - algID = 
SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag); - if (algID == SEC_OID_UNKNOWN) { - *resCode = noSignatureMatch; - rv = SECFailure; - goto done; - } - - if (!signCrl->crl.signatureAlg.parameters.data) { - rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0); - if (rv != SECSuccess) { - *resCode = failToEncode; - goto done; - } - } - - der.len = 0; - der.data = NULL; - dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl, - SEC_ASN1_GET(CERT_CrlTemplate)); - if (!dummy) { - *resCode = failToEncode; - rv = SECFailure; - goto done; - } - - rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap, - der.data, der.len, caPrivateKey, algID); - if (rv != SECSuccess) { - *resCode = failToSign; - goto done; - } - - signCrl->derCrl = PORT_ArenaZNew(arena, SECItem); - if (signCrl->derCrl == NULL) { - *resCode = noMem; - PORT_SetError(SEC_ERROR_NO_MEMORY); - rv = SECFailure; - goto done; - } - - signCrl->derCrl->len = 0; - signCrl->derCrl->data = NULL; - dummy = SEC_ASN1EncodeItem (arena, signCrl->derCrl, signCrl, - SEC_ASN1_GET(CERT_SignedCrlTemplate)); - if (!dummy) { - *resCode = failToEncode; - rv = SECFailure; - goto done; - } - -done: - if (caPrivateKey) { - SECKEY_DestroyPrivateKey(caPrivateKey); - } - return rv; -} - - - -SECStatus -SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl) -{ - void *dummy; - SECStatus rv = SECSuccess; - SECItem der; - - PORT_Assert(destArena && srcCrl && destCrl); - if (!destArena || !srcCrl || !destCrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - - der.len = 0; - der.data = NULL; - dummy = SEC_ASN1EncodeItem (destArena, &der, srcCrl, - SEC_ASN1_GET(CERT_CrlTemplate)); - if (!dummy) { - return SECFailure; - } - - rv = SEC_QuickDERDecodeItem(destArena, destCrl, - SEC_ASN1_GET(CERT_CrlTemplate), &der); - if (rv != SECSuccess) { - return SECFailure; - } - - destCrl->arena = destArena; - - return rv; -} - -SECStatus -SECU_DerSignDataCRL(PRArenaPool *arena, 
CERTSignedData *sd, - unsigned char *buf, int len, SECKEYPrivateKey *pk, - SECOidTag algID) -{ - SECItem it; - SECStatus rv; - - it.data = 0; - - /* XXX We should probably have some asserts here to make sure the key type - * and algID match - */ - - /* Sign input buffer */ - rv = SEC_SignData(&it, buf, len, pk, algID); - if (rv) goto loser; - - /* Fill out SignedData object */ - PORT_Memset(sd, 0, sizeof(*sd)); - sd->data.data = buf; - sd->data.len = len; - sd->signature.data = it.data; - sd->signature.len = it.len << 3; /* convert to bit string */ - rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0); - if (rv) goto loser; - - return rv; - - loser: - PORT_Free(it.data); - return rv; -} - -#if 0 - -/* we need access to the private function cert_FindExtension for this code to work */ - -CERTAuthKeyID * -SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *scrl) -{ - SECItem encodedExtenValue; - SECStatus rv; - CERTAuthKeyID *ret; - CERTCrl* crl; - - if (!scrl) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - - crl = &scrl->crl; - - encodedExtenValue.data = NULL; - encodedExtenValue.len = 0; - - rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID, - &encodedExtenValue); - if ( rv != SECSuccess ) { - return (NULL); - } - - ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue); - - PORT_Free(encodedExtenValue.data); - encodedExtenValue.data = NULL; - - return(ret); -} - -#endif - -/* - * Find the issuer of a Crl. Use the authorityKeyID if it exists. 
- */ -CERTCertificate * -SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem* subject, - CERTAuthKeyID* authorityKeyID, PRTime validTime) -{ - CERTCertificate *issuerCert = NULL; - CERTCertList *certList = NULL; - - if (!subject) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } - - certList = - CERT_CreateSubjectCertList(NULL, dbhandle, subject, - validTime, PR_TRUE); - if (certList) { - CERTCertListNode *node = CERT_LIST_HEAD(certList); - - /* XXX and authoritykeyid in the future */ - while ( ! CERT_LIST_END(node, certList) ) { - CERTCertificate *cert = node->cert; - /* check cert CERTCertTrust data is allocated, check cert - usage extension, check that cert has pkey in db. Select - the first (newest) user cert */ - if (cert->trust && - CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess && - CERT_IsUserCert(cert)) { - - issuerCert = CERT_DupCertificate(cert); - break; - } - node = CERT_LIST_NEXT(node); - } - CERT_DestroyCertList(certList); - } - return(issuerCert); -} - - -/* Encodes and adds extensions to the CRL or CRL entries. */ -SECStatus -SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, - void *value, PRBool criticality, int extenType, - EXTEN_EXT_VALUE_ENCODER EncodeValueFn) -{ - SECItem encodedValue; - SECStatus rv; - - encodedValue.data = NULL; - encodedValue.len = 0; - do { - rv = (*EncodeValueFn)(arena, value, &encodedValue); - if (rv != SECSuccess) - break; - - rv = CERT_AddExtension(extHandle, extenType, &encodedValue, - criticality, PR_TRUE); - if (rv != SECSuccess) - break; - } while (0); - - return (rv); -} diff --git a/pki/base/native-tools/src/tkstool/secutil.h b/pki/base/native-tools/src/tkstool/secutil.h deleted file mode 100644 index a2f065067..000000000 --- a/pki/base/native-tools/src/tkstool/secutil.h +++ /dev/null 
@@ -1,430 +0,0 @@ -/** BEGIN COPYRIGHT BLOCK - * - * Version: MPL 1.1/GPL 2.0/LGPL 2.1 - * - * The contents of this file are subject to the Mozilla Public License Version - * 1.1 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS IS" basis, - * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License - * for the specific language governing rights and limitations under the - * License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is - * Netscape Communications Corporation. - * Portions created by the Initial Developer are Copyright (C) 1994-2000 - * the Initial Developer. All Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the terms of - * either the GNU General Public License Version 2 or later (the "GPL"), or - * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), - * in which case the provisions of the GPL or the LGPL are applicable instead - * of those above. If you wish to allow use of your version of this file only - * under the terms of either the GPL or the LGPL, and not to allow others to - * use your version of this file under the terms of the MPL, indicate your - * decision by deleting the provisions above and replace them with the notice - * and other provisions required by the GPL or the LGPL. If you do not delete - * the provisions above, a recipient may use your version of this file under - * the terms of any one of the MPL, the GPL or the LGPL. 
- * - * END COPYRIGHT BLOCK **/ - -/* Originally obtained from: - * - * CVSROOT=:pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot - * cvs export -r NSS_3_11_3_RTM -N mozilla/security/nss/cmd/lib/secutil.h - */ - -#ifndef _SEC_UTIL_H_ -#define _SEC_UTIL_H_ - -#include "seccomon.h" -#include "secitem.h" -#include "prerror.h" -#include "base64.h" -#include "key.h" -#include "secpkcs7.h" -#include "secasn1.h" -#include "secder.h" -#include <stdio.h> - -#define SEC_CT_PRIVATE_KEY "private-key" -#define SEC_CT_PUBLIC_KEY "public-key" -#define SEC_CT_CERTIFICATE "certificate" -#define SEC_CT_CERTIFICATE_REQUEST "certificate-request" -#define SEC_CT_PKCS7 "pkcs7" -#define SEC_CT_CRL "crl" - -#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----" -#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----" - -#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----" -#define NS_CERT_TRAILER "-----END CERTIFICATE-----" - -#define NS_CRL_HEADER "-----BEGIN CRL-----" -#define NS_CRL_TRAILER "-----END CRL-----" - -/* From libsec/pcertdb.c --- it's not declared in sec.h */ -extern SECStatus SEC_AddPermCertificate(CERTCertDBHandle *handle, - SECItem *derCert, char *nickname, CERTCertTrust *trust); - - -#ifdef SECUTIL_NEW -typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, - char *msg, int level); -#else -typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level); -#endif - -typedef struct { - enum { - PW_NONE = 0, - PW_FROMFILE = 1, - PW_PLAINTEXT = 2, - PW_EXTERNAL = 3 - } source; - char *data; -} secuPWData; - -/* -** Change a password on a token, or initialize a token with a password -** if it does not already have one. -** Use passwd to send the password in plaintext, pwFile to specify a -** file containing the password, or NULL for both to prompt the user. -*/ -SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile); - -/* These were stolen from the old sec.h... */ -/* -** Check a password for legitimacy. 
Passwords must be at least 8 -** characters long and contain one non-alphabetic. Return DSTrue if the -** password is ok, DSFalse otherwise. -*/ -extern PRBool SEC_CheckPassword(char *password); - -/* -** Blind check of a password. Complement to SEC_CheckPassword which -** ignores length and content type, just retuning DSTrue is the password -** exists, DSFalse if NULL -*/ -extern PRBool SEC_BlindCheckPassword(char *password); - -/* -** Get a password. -** First prompt with "msg" on "out", then read the password from "in". -** The password is then checked using "chkpw". -*/ -extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg, - PRBool (*chkpw)(char *)); - -char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg); - -char *SECU_GetPasswordString(void *arg, char *prompt); - -/* -** Write a dongle password. -** Uses MD5 to hash constant system data (hostname, etc.), and then -** creates RC4 key to encrypt a password "pw" into a file "fd". -*/ -extern SECStatus SEC_WriteDongleFile(int fd, char *pw); - -/* -** Get a dongle password. -** Uses MD5 to hash constant system data (hostname, etc.), and then -** creates RC4 key to decrypt and return a password from file "fd". -*/ -extern char *SEC_ReadDongleFile(int fd); - - -/* End stolen headers */ - -/* Just sticks the two strings together with a / if needed */ -char *SECU_AppendFilenameToDir(char *dir, char *filename); - -/* Returns result of getenv("SSL_DIR") or NULL */ -extern char *SECU_DefaultSSLDir(void); - -/* -** Should be called once during initialization to set the default -** directory for looking for cert.db, key.db, and cert-nameidx.db files -** Removes trailing '/' in 'base' -** If 'base' is NULL, defaults to set to .netscape in home directory. 
-*/ -extern char *SECU_ConfigDirectory(const char* base); - -/* -** Basic callback function for SSL_GetClientAuthDataHook -*/ -extern int -SECU_GetClientAuthData(void *arg, PRFileDesc *fd, - struct CERTDistNamesStr *caNames, - struct CERTCertificateStr **pRetCert, - struct SECKEYPrivateKeyStr **pRetKey); - -/* print out an error message */ -extern void SECU_PrintError(char *progName, char *msg, ...); - -/* print out a system error message */ -extern void SECU_PrintSystemError(char *progName, char *msg, ...); - -/* Return informative error string */ -extern const char * SECU_Strerror(PRErrorCode errNum); - -/* print information about cert verification failure */ -extern void -SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, - CERTCertificate *cert, PRBool checksig, - SECCertificateUsage certUsage, void *pinArg, PRBool verbose); - -/* Read the contents of a file into a SECItem */ -extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src); -extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src); - -/* Read in a DER from a file, may be ascii */ -extern SECStatus -SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii); - -/* Indent based on "level" */ -extern void SECU_Indent(FILE *out, int level); - -/* Print integer value and hex */ -extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level); - -/* Print ObjectIdentifier symbolically */ -extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level); - -/* Print AlgorithmIdentifier symbolically */ -extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, - int level); - -/* Print SECItem as hex */ -extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level); - -/* dump a buffer in hex and ASCII */ -extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len); - -/* - * Format and print the UTC Time "t". 
If the tag message "m" is not NULL, - * do indent formatting based on "level" and add a newline afterward; - * otherwise just print the formatted time string only. - */ -extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level); - -/* - * Format and print the Generalized Time "t". If the tag message "m" - * is not NULL, * do indent formatting based on "level" and add a newline - * afterward; otherwise just print the formatted time string only. - */ -extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, - int level); - -/* - * Format and print the UTC or Generalized Time "t". If the tag message - * "m" is not NULL, do indent formatting based on "level" and add a newline - * afterward; otherwise just print the formatted time string only. - */ -extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level); - -/* callback for listing certs through pkcs11 */ -extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data); - -/* Dump all certificate nicknames in a database */ -extern SECStatus -SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, - PRBool sortByName, PRBool sortByTrust); - -/* See if nickname already in database. 
Return 1 true, 0 false, -1 error */ -int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname); - -/* Dump contents of cert req */ -extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, - int level); - -/* Dump contents of certificate */ -extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level); - -/* print trust flags on a cert */ -extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level); - -/* Dump contents of public key */ -extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level); - -#ifdef HAVE_EPV_TEMPLATE -/* Dump contents of private key */ -extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level); -#endif - -/* Print the MD5 and SHA1 fingerprints of a cert */ -extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, - int level); - -/* Pretty-print any PKCS7 thing */ -extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, - int level); - -/* Init PKCS11 stuff */ -extern SECStatus SECU_PKCS11Init(PRBool readOnly); - -/* Dump contents of signed data */ -extern int SECU_PrintSignedData(FILE *out, SECItem *der, char *m, int level, - SECU_PPFunc inner); - -extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level); - -extern void -SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level); - -extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level); -extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level); - -extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level); -extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, - char *msg, int level); - -extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, - char *msg, int level); - -extern void SECU_PrintName(FILE *out, CERTName *name, char *msg, int level); - -#ifdef SECU_GetPassword -/* Convert a High public Key to a Low public Key */ -extern 
SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey); -#endif - -extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg); - -extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw); -extern void SEC_Init(void); - -extern char *SECU_SECModDBName(void); - -extern void SECU_PrintPRandOSError(char *progName); - -extern SECStatus SECU_RegisterDynamicOids(void); - -/* Identifies hash algorithm tag by its string representation. */ -extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg); - -/* Store CRL in output file or pk11 db. Also - * encodes with base64 and exports to file if ascii flag is set - * and file is not NULL. */ -extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, - PRFileDesc *outFile, int ascii, char *url); - - -/* -** DER sign a single block of data using private key encryption and the -** MD5 hashing algorithm. This routine first computes a digital signature -** using SEC_SignData, then wraps it with an CERTSignedData and then der -** encodes the result. -** "arena" is the memory arena to use to allocate data from -** "sd" returned CERTSignedData -** "result" the final der encoded data (memory is allocated) -** "buf" the input data to sign -** "len" the amount of data to sign -** "pk" the private key to encrypt with -*/ -extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd, - unsigned char *buf, int len, - SECKEYPrivateKey *pk, SECOidTag algID); - -typedef enum { - noKeyFound = 1, - noSignatureMatch = 2, - failToEncode = 3, - failToSign = 4, - noMem = 5 -} SignAndEncodeFuncExitStat; - -extern SECStatus -SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, - SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode); - -extern SECStatus -SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl); - -/* -** Finds the crl Authority Key Id extension. Returns NULL if no such extension -** was found. 
-*/ -CERTAuthKeyID * -SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl); - -/* - * Find the issuer of a crl. Cert usage should be checked before signing a crl. - */ -CERTCertificate * -SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject, - CERTAuthKeyID* id, PRTime validTime); - - -/* call back function used in encoding of an extension. Called from - * SECU_EncodeAndAddExtensionValue */ -typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena, - void *value, SECItem *encodedValue); - -/* Encodes and adds extensions to the CRL or CRL entries. */ -SECStatus -SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle, - void *value, PRBool criticality, int extenType, - EXTEN_EXT_VALUE_ENCODER EncodeValueFn); - - -/* - * - * Utilities for parsing security tools command lines - * - */ - -/* A single command flag */ -typedef struct { - char flag; - PRBool needsArg; - char *arg; - PRBool activated; -} secuCommandFlag; - -/* A full array of command/option flags */ -typedef struct -{ - int numCommands; - int numOptions; - - secuCommandFlag *commands; - secuCommandFlag *options; -} secuCommand; - -/* fill the "arg" and "activated" fields for each flag */ -SECStatus -SECU_ParseCommandLine(int argc, char **argv, char *progName, secuCommand *cmd); -char * -SECU_GetOptionArg(secuCommand *cmd, int optionNum); - -/* - * - * Error messaging - * - */ - -/* Return informative error string */ -char *SECU_ErrorString(int16 err); - -/* Return informative error string. Does not call XP_GetString */ -char *SECU_ErrorStringRaw(int16 err); - -void printflags(char *trusts, unsigned int flags); - -#ifndef XP_UNIX -extern int ffs(unsigned int i); -#endif - -#include "secerr.h" -#include "sslerr.h" - -#endif /* _SEC_UTIL_H_ */ diff --git a/pki/base/native-tools/src/tkstool/tkstool.c b/pki/base/native-tools/src/tkstool/tkstool.c deleted file mode 100644 index 5368b2e7b..000000000 
--- a/pki/base/native-tools/src/tkstool/tkstool.c
+++ /dev/null
@@ -1,2660 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -#include "tkstool.h" - - -static char *progName; - - -/* tkstool commands */ -enum { - cmd_DeleteKey = 0, - cmd_PrintHelp, - cmd_InputGenTransportKey, - cmd_DisplayKCV, - cmd_ListKeys, - cmd_GenMasterKey, - cmd_NewDBs, - cmd_ChangePassword, - cmd_RenameKey, - cmd_ListSecModules, - cmd_GenTransportKey, - cmd_UnWrapMasterKey, - cmd_Version, - cmd_WrapMasterKey -}; - - -/* tkstool options */ -enum { - opt_DBDir = 0, - opt_PasswordFile, - opt_TokenName, - opt_InFile, - opt_Keyname, - opt_OutFile, - opt_DBPrefix, - opt_NewKeyname, - opt_TransportKeyname, - opt_RW, - opt_NoiseFile -}; - - -static secuCommandFlag tkstool_commands[] = { - { /* cmd_DeleteKey */ 'D', PR_FALSE, 0, PR_FALSE }, - { /* cmd_PrintHelp */ 'H', PR_FALSE, 0, PR_FALSE }, - { /* cmd_InputGenTransportKey */ 'I', PR_FALSE, 0, PR_FALSE }, - { /* cmd_DisplayKCV */ 'K', PR_FALSE, 0, PR_FALSE }, - { /* cmd_ListKeys */ 'L', PR_FALSE, 0, PR_FALSE }, - { /* cmd_GenMasterKey */ 'M', PR_FALSE, 0, PR_FALSE }, - { /* cmd_NewDBs */ 'N', PR_FALSE, 0, PR_FALSE }, - { /* cmd_ChangePassword */ 'P', PR_FALSE, 0, PR_FALSE }, - { /* cmd_RenameKey */ 'R', PR_FALSE, 0, PR_FALSE }, - { /* 
cmd_ListSecModules */ 'S', PR_FALSE, 0, PR_FALSE }, - { /* cmd_GenTransportKey */ 'T', PR_FALSE, 0, PR_FALSE }, - { /* cmd_UnWrapMasterKey */ 'U', PR_FALSE, 0, PR_FALSE }, - { /* cmd_Version */ 'V', PR_FALSE, 0, PR_FALSE }, - { /* cmd_WrapMasterKey */ 'W', PR_FALSE, 0, PR_FALSE } -}; - - -static secuCommandFlag tkstool_options[] = { - { /* opt_DBDir */ 'd', PR_TRUE, 0, PR_FALSE }, - { /* opt_PasswordFile */ 'f', PR_TRUE, 0, PR_FALSE }, - { /* opt_TokenName */ 'h', PR_TRUE, 0, PR_FALSE }, - { /* opt_InFile */ 'i', PR_TRUE, 0, PR_FALSE }, - { /* opt_Keyname */ 'n', PR_TRUE, 0, PR_FALSE }, - { /* opt_OutFile */ 'o', PR_TRUE, 0, PR_FALSE }, - { /* opt_DBPrefix */ 'p', PR_TRUE, 0, PR_FALSE }, - { /* opt_NewKeyname */ 'r', PR_TRUE, 0, PR_FALSE }, - { /* opt_TransportKeyname */ 't', PR_TRUE, 0, PR_FALSE }, - { /* opt_RW */ 'x', PR_FALSE, 0, PR_FALSE }, - { /* opt_NoiseFile */ 'z', PR_TRUE, 0, PR_FALSE }, -}; - - -int -main( int argc, char **argv ) -{ - CK_KEY_DERIVATION_STRING_DATA secondDerivationData = { NULL, - 0 }; - CK_KEY_DERIVATION_STRING_DATA thirdDerivationData = { NULL, - 0 }; - PK11SlotInfo *internalSlot = NULL; - PK11SlotInfo *slot = NULL; - PK11SymKey *symmetricKey = NULL; - PK11SymKey *masterKey = NULL; - PK11SymKey *temporaryMasterKey = NULL; - PK11SymKey *firstSymmetricKey = NULL; - PK11SymKey *secondSymmetricKey = NULL; - PK11SymKey *thirdSymmetricKey = NULL; - PK11SymKey *transportKey = NULL; - PRBool readOnly = PR_FALSE; - PRIntn KCVLen = KCV_LENGTH; - PRUint8 *KCV = NULL; - SECItem firstSessionKeyShare = { siBuffer, - NULL, - 0 }; - SECItem secondSessionKeyShare = { siBuffer, - NULL, - 0 }; - SECItem thirdSessionKeyShare = { siBuffer, - NULL, - 0 }; -#if defined(PAD_DES2_KEY_LENGTH) - SECItem paddedFirstSessionKeyShare = { siBuffer, - NULL, - 0 }; - SECItem paddedSecondSessionKeyShare = { siBuffer, - NULL, - 0 }; - SECItem paddedThirdSessionKeyShare = { siBuffer, - NULL, - 0 }; -#endif - SECItem hexInternalKeyKCV = { siBuffer, - NULL, - 0 }; - SECItem 
wrappedMasterKey = { siBuffer, - NULL, - 0 }; - SECStatus rvKCV = SECFailure; - SECStatus rvParse = SECSuccess; - SECStatus rvNSSinit = SECSuccess; - SECStatus rvFindSymKey = SECSuccess; - SECStatus rvSeedRNG = SECSuccess; - SECStatus rvFirstSessionKeyShare = SECFailure; - SECStatus rvSecondSessionKeyShare = SECFailure; - SECStatus rvThirdSessionKeyShare = SECFailure; - SECStatus rvSaveWrappedMasterKey = SECSuccess; - SECStatus rvSymmetricKeyname = SECSuccess; - SECStatus rvWrappedMasterKey = SECSuccess; - SECStatus rvMasterKeyname = SECSuccess; - SECStatus rv = SECSuccess; - SECStatus status = PR_FALSE; - char commandToRun = '\0'; - char *DBDir = NULL; - char *DBPrefix = ""; - char *input = NULL; - char *keyname = NULL; - char *new_keyname = NULL; - char *output = NULL; - char *SeedNoise = NULL; - char *slotname = "internal"; - char *transport_keyname = NULL; - int commandsEntered = 0; - int i = 0; - int optionsEntered = 0; - secuPWData pwdata = { PW_NONE, - 0 }; - - - /**************************/ - /* Parse the command line */ - /**************************/ - - secuCommand tkstool; - tkstool.numCommands = sizeof( tkstool_commands ) / - sizeof( secuCommandFlag ); - tkstool.numOptions = sizeof( tkstool_options ) / - sizeof( secuCommandFlag ); - tkstool.commands = tkstool_commands; - tkstool.options = tkstool_options; - - /* retrieve name of command */ - progName = strrchr( argv[0], '/' ); - progName = progName ? 
( progName + 1 ) : argv[0]; - - /* parse command line (command(s) and options) from command line */ - rvParse = SECU_ParseCommandLine( argc, argv, progName, &tkstool ); - if( rvParse != SECSuccess ) { - TKS_Usage( progName ); - - return 255; - } - - - /*********************************************************/ - /* Check the number of command line "command(s)" entered */ - /*********************************************************/ - - commandsEntered = 0; - for( i = 0 ; i < tkstool.numCommands ; i++ ) { - if( tkstool.commands[i].activated ) { - commandToRun = tkstool.commands[i].flag; - commandsEntered++; - } - - if( commandsEntered > 1 ) { - break; - } - } - - if( commandsEntered > 1 ) { - PR_fprintf( PR_STDERR, - "%s: only one command at a time!\n", - progName ); - - PR_fprintf( PR_STDERR, - "You entered: " ); - - for( i = 0 ; i < tkstool.numCommands ; i++ ) { - if( tkstool.commands[i].activated ) { - PR_fprintf( PR_STDERR, - " -%c", - tkstool.commands[i].flag ); - } - } - - PR_fprintf( PR_STDERR, - "\n" ); - return 255; - } - - if( commandsEntered == 0 ) { - PR_fprintf( PR_STDERR, - "%s: you must enter one of the following commands:\n\n", - progName ); - - TKS_Usage( progName ); - - return 255; - } - - - /********************************************************/ - /* Check the number of command line "option(s)" entered */ - /********************************************************/ - - optionsEntered = 0; - for( i = 0 ; i < tkstool.numOptions ; i++ ) { - if( tkstool.options[i].activated ) { - optionsEntered++; - } - - if( optionsEntered > 1 ) { - break; - } - } - - if( optionsEntered == 0 && - ! 
( tkstool.commands[cmd_PrintHelp].activated || - tkstool.commands[cmd_Version].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: you must enter the following options " - "for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - - /***************************************************/ - /* Check that command line "options" correspond to */ - /* one of their specified command line "commands" */ - /***************************************************/ - - /* the "-d DBDir" command option may ONLY be used with */ - /* the "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", */ - /* "-S", "-T", "-U", and "-W" commands */ - if( tkstool.options[opt_DBDir].activated && - ! ( tkstool.commands[cmd_DeleteKey].activated || - tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_DisplayKCV].activated || - tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_GenMasterKey].activated || - tkstool.commands[cmd_NewDBs].activated || - tkstool.commands[cmd_ChangePassword].activated || - tkstool.commands[cmd_RenameKey].activated || - tkstool.commands[cmd_ListSecModules].activated || - tkstool.commands[cmd_GenTransportKey].activated || - tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-d DBDir\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-f pwfile" command option may ONLY be used with */ - /* the "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", */ - /* "-T", "-U", and "-W" commands */ - if( tkstool.options[opt_PasswordFile].activated && - ! 
( tkstool.commands[cmd_DeleteKey].activated || - tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_DisplayKCV].activated || - tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_GenMasterKey].activated || - tkstool.commands[cmd_NewDBs].activated || - tkstool.commands[cmd_ChangePassword].activated || - tkstool.commands[cmd_RenameKey].activated || - tkstool.commands[cmd_GenTransportKey].activated || - tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-f pwfile\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-h token_name" command option may ONLY be used with */ - /* the "-D", "-I", "-K", "-L", "-M", "-R", "-T", "-U", and */ - /* "-W" commands */ - if( tkstool.options[opt_TokenName].activated && - ! ( tkstool.commands[cmd_DeleteKey].activated || - tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_DisplayKCV].activated || - tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_GenMasterKey].activated || - tkstool.commands[cmd_RenameKey].activated || - tkstool.commands[cmd_GenTransportKey].activated || - tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-h token_name\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-i infile" command option may ONLY be used with */ - /* the "-U" command */ - if( tkstool.options[opt_InFile].activated && - !tkstool.commands[cmd_UnWrapMasterKey].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-i infile\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - 
TKS_Usage( progName ); - - return 255; - } - - /* the "-n keyname" command option may ONLY be used with the */ - /* "-D", "-I", "-K", "-L", "-M", "-R", "-T", "-U", and "-W" */ - /* commands */ - if( tkstool.options[opt_Keyname].activated && - ! ( tkstool.commands[cmd_DeleteKey].activated || - tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_DisplayKCV].activated || - tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_GenMasterKey].activated || - tkstool.commands[cmd_RenameKey].activated || - tkstool.commands[cmd_GenTransportKey].activated || - tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-n keyname\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-o outfile" command option may ONLY be used with */ - /* the "-W" command */ - if( tkstool.options[opt_OutFile].activated && - !tkstool.commands[cmd_WrapMasterKey].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-o outfile\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-p DBPrefix" command option may ONLY be used with */ - /* the "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", */ - /* "-S", "-T", "-U", and "-W" commands */ - if( tkstool.options[opt_DBPrefix].activated && - ! 
( tkstool.commands[cmd_DeleteKey].activated || - tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_DisplayKCV].activated || - tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_GenMasterKey].activated || - tkstool.commands[cmd_NewDBs].activated || - tkstool.commands[cmd_ChangePassword].activated || - tkstool.commands[cmd_RenameKey].activated || - tkstool.commands[cmd_ListSecModules].activated || - tkstool.commands[cmd_GenTransportKey].activated || - tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-p DBPrefix\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-r new_keyname" command option may */ - /* ONLY be used with the "-R" command */ - if( tkstool.options[opt_NewKeyname].activated && - ! ( tkstool.commands[cmd_RenameKey].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-r new_keyname\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-t transport_keyname" command option may ONLY be used with */ - /* the "-U", and "-W" commands */ - if( tkstool.options[opt_TransportKeyname].activated && - !( tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-t transport_keyname\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-x" command option may ONLY be used with */ - /* the "-L", and "-S" commands */ - if( tkstool.options[opt_RW].activated && - ! 
( tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_ListSecModules].activated ) ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-x\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* the "-z noisefile" command option may ONLY be used with */ - /* the "-T" command */ - if( tkstool.options[opt_NoiseFile].activated && - !tkstool.commands[cmd_GenTransportKey].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-z noisefile\" option may only be " - "specified with one of the following command(s):\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - - /********************************************************/ - /* Perform special processing on command line "options" */ - /********************************************************/ - - /* "-d DBDir" command option */ - if( tkstool.options[opt_DBDir].activated ) { - if( tkstool.options[opt_DBDir].arg ) { - DBDir = SECU_ConfigDirectory( tkstool.options[opt_DBDir].arg ); - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-d\" option must contain a " - "\"DBDir\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-f pwfile" command option */ - if( tkstool.options[opt_PasswordFile].activated ) { - pwdata.source = PW_FROMFILE; - if( tkstool.options[opt_PasswordFile].arg ) { - pwdata.data = tkstool.options[opt_PasswordFile].arg; - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-f\" option must contain a " - "\"pwfile\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-i infile" command option */ - if( tkstool.options[opt_InFile].activated ) { - if( tkstool.options[opt_InFile].arg ) { - input = tkstool.options[opt_InFile].arg; - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-i\" option must contain an " - "\"infile\" argument:\n\n", - progName, - 
commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-h token_name" command option */ - if( tkstool.options[opt_TokenName].activated ) { - if( tkstool.options[opt_TokenName].arg ) { - if( PL_strcmp( tkstool.options[opt_TokenName].arg, "all" ) == 0 ) { - slotname = NULL; - } else { - slotname = PL_strdup( tkstool.options[opt_TokenName].arg ); - } - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-h\" option must contain a " - "\"token_name\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-n keyname" command option */ - if( tkstool.options[opt_Keyname].activated ) { - if( tkstool.options[opt_Keyname].arg ) { - keyname = SECU_GetOptionArg( &tkstool, - opt_Keyname ); - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-n\" option must contain a " - "\"keyname\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-o outfile" command option */ - if( tkstool.options[opt_OutFile].activated ) { - if( tkstool.options[opt_OutFile].arg ) { - output = tkstool.options[opt_OutFile].arg; - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-o\" option must contain an " - "\"outfile\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-p DBPrefix" command option */ - if( tkstool.options[opt_DBPrefix].activated ) { - if( tkstool.options[opt_DBPrefix].arg ) { - DBPrefix = strdup( tkstool.options[opt_DBPrefix].arg ); - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-p\" option must contain a " - "\"DBPrefix\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-r new_keyname" command option */ - if( tkstool.options[opt_NewKeyname].activated ) { - if( tkstool.options[opt_NewKeyname].arg ) { - new_keyname = SECU_GetOptionArg( &tkstool, - opt_NewKeyname ); - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-r\" option must contain a " - 
"\"new_keyname\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-t transport_keyname" command option */ - if( tkstool.options[opt_TransportKeyname].activated ) { - if( tkstool.options[opt_TransportKeyname].arg ) { - transport_keyname = SECU_GetOptionArg( &tkstool, - opt_TransportKeyname ); - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-t\" option must contain a " - "\"transport_keyname\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - /* "-x" command option is processed below */ - /* ONLY based upon specific commands */ - - /* "-z noisefile" command option */ - if( tkstool.options[opt_NoiseFile].activated ) { - if( tkstool.options[opt_NoiseFile].arg ) { - SeedNoise = tkstool.options[opt_NoiseFile].arg; - } else { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-z\" option must contain a " - "\"noisefile\" argument:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - } - - - /******************************************************************/ - /* Perform special processing on specific command line "commands" */ - /******************************************************************/ - - /* "-D", "-I", "-K", "-M", "-R", "-T", "-U" and "-W" */ - /* commands require the "-n keyname" command line */ - /* option to be specified */ - if( ( tkstool.commands[cmd_DeleteKey].activated || - tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_DisplayKCV].activated || - tkstool.commands[cmd_GenMasterKey].activated || - tkstool.commands[cmd_RenameKey].activated || - tkstool.commands[cmd_GenTransportKey].activated || - tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) && - !tkstool.options[opt_Keyname].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-n keyname\" option is required " - "for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( 
progName ); - - return 255; - } - - /* "-D", "-I", "-K", "-L", "-M", "-N", "-P", "-R", "-S", */ - /* "-T", "-U", and "-W" commands require the "-d DBDir" */ - /* command line option to be specified */ - if( ( tkstool.commands[cmd_DeleteKey].activated || - tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_DisplayKCV].activated || - tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_GenMasterKey].activated || - tkstool.commands[cmd_NewDBs].activated || - tkstool.commands[cmd_ChangePassword].activated || - tkstool.commands[cmd_RenameKey].activated || - tkstool.commands[cmd_ListSecModules].activated || - tkstool.commands[cmd_GenTransportKey].activated || - tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) && - !tkstool.options[opt_DBDir].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-d DBDir\" option is required " - "for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* "-H", "-L", "-S", and "-V" commands require the "-x" */ - /* command line option to be silently turned off */ - if( tkstool.commands[cmd_PrintHelp].activated || - tkstool.commands[cmd_ListKeys].activated || - tkstool.commands[cmd_ListSecModules].activated || - tkstool.commands[cmd_Version].activated ) { - readOnly = !tkstool.options[opt_RW].activated; - } - - /* "-L" command is the ONLY command that allows */ - /* the "-h all" command line option to be used */ - /* */ - /* NOTE: ONLY use "slotname == NULL" to */ - /* LIST keys on all slots */ - if( !tkstool.commands[cmd_ListKeys].activated && slotname == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: cannot use \"-h all\" for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* "-R" commands require the "-r new_keyname" */ - /* command line option to be specified */ - if( ( tkstool.commands[cmd_RenameKey].activated ) && - 
!tkstool.options[opt_NewKeyname].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-r new_keyname\" option is required " - "for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* "-U", and "-W" commands require the "-t transport_keyname" */ - /* command line option to be specified */ - if( ( tkstool.commands[cmd_UnWrapMasterKey].activated || - tkstool.commands[cmd_WrapMasterKey].activated ) && - !tkstool.options[opt_TransportKeyname].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-t transport_keyname\" option is required " - "for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* "-U" commands require the "-i infile" */ - /* command line option to be specified */ - if( tkstool.commands[cmd_UnWrapMasterKey].activated && - !tkstool.options[opt_InFile].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-i infile\" option is required " - "for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - /* "-W" commands require the "-o outfile" */ - /* command line option to be specified */ - if( tkstool.commands[cmd_WrapMasterKey].activated && - !tkstool.options[opt_OutFile].activated ) { - PR_fprintf( PR_STDERR, - "%s -%c: the \"-o outfile\" option is required " - "for this command:\n\n", - progName, - commandToRun ); - - TKS_Usage( progName ); - - return 255; - } - - - /*********************************/ - /* Execute the "-H" help command */ - /*********************************/ - - if( tkstool.commands[cmd_PrintHelp].activated ) { - TKS_PrintHelp( progName ); - - return 0; - } - - - /************************************/ - /* Execute the "-V" version command */ - /************************************/ - - /* "-V" version command */ - if( tkstool.commands[cmd_Version].activated ) { - TKS_Version( progName ); - - return 0; - } - - - /************************************************/ - /* Initialize PKCS 
#11 Security Module Password */ - /************************************************/ - - PK11_SetPasswordFunc( /* password callback */ SECU_GetModulePassword ); - - - /*******************/ - /* Initialize NSPR */ - /*******************/ - - PR_Init( PR_SYSTEM_THREAD, - PR_PRIORITY_NORMAL, - 1 ); - - - /******************/ - /* Initialize NSS */ - /******************/ - - rvNSSinit = NSS_Initialize( DBDir, - DBPrefix, - DBPrefix, - "secmod.db", - readOnly ? NSS_INIT_READONLY : 0 ); - if( rvNSSinit != SECSuccess ) { - char buffer[513]; - PRInt32 errLen = PR_GetErrorTextLength(); - - if( errLen > 0 && errLen < sizeof buffer ) { - PR_GetErrorText( buffer ); - } - - PR_fprintf( PR_STDERR, - "%s -%c: %s", - progName, - commandToRun, - "NSS_Initialize() failed" ); - - if( errLen > 0 && errLen < sizeof buffer ) { - PR_fprintf( PR_STDERR, "\t%s\n", buffer ); - } else { - PR_fprintf( PR_STDERR, "\n" ); - } - - rv = SECFailure; - goto shutdown; - } - - - /*****************************************************/ - /* Initialize internal PKCS #11 software crypto slot */ - /* as well as any specified PKCS #11 slot */ - /*****************************************************/ - - /* Always initialize the internal software crypto slot */ - internalSlot = PK11_GetInternalSlot(); - - /* If "slotname != NULL", initialize the slot based upon the slotname */ - if( PL_strcmp( slotname, "internal" ) == 0 ) { - slot = PK11_GetInternalKeySlot(); - } else if( slotname != NULL ) { - slot = PK11_FindSlotByName( /* slot name */ slotname ); - - /* Fixes Bugscape Bug #55178: tkstool dumps core if -h <token> */ - /* specifies a nonexistent token */ - if( slot == NULL ) { - char buffer[513]; - PRInt32 errLen = PR_GetErrorTextLength(); - - if( errLen > 0 && errLen < sizeof buffer ) { - PR_GetErrorText( buffer ); - } - - PR_fprintf( PR_STDERR, - "%s -%c: %s%s%s", - progName, - commandToRun, - "no token called \"", - slotname, - "\" exists!" 
); - - if( errLen > 0 && errLen < sizeof buffer ) { - PR_fprintf( PR_STDERR, "\t%s\n", buffer ); - } else { - PR_fprintf( PR_STDERR, "\n" ); - } - - rv = SECFailure; - goto shutdown; - } - } - - - /****************************************/ - /* Execute the "-D" delete keys command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. */ - /****************************************/ - - if( tkstool.commands[cmd_DeleteKey].activated ) { - rv = TKS_DeleteKeys( progName, - slot, - keyname, - &pwdata ); - goto shutdown; - } - - - /*******************************************************************/ - /* Execute the "-I" input shares to generate transport key command */ - /* */ - /* --- OR --- */ - /* */ - /* Execute the "-T" generate transport key command */ - /* */ - /* NOTE: Each of these commands is mutually */ - /* exclusive from all others, including */ - /* each other. */ - /*******************************************************************/ - - if( tkstool.commands[cmd_InputGenTransportKey].activated || - tkstool.commands[cmd_GenTransportKey].activated ) { - - /**********************************************************/ - /* Do not allow duplicate symmetric keys to be generated */ - /* (i. e. 
- disallow symmetric keys specified */ - /* by the same keyname) */ - /* */ - /* NOTE: The following code snippet effectively */ - /* prohibits this tool from generating any */ - /* symmetric key with a keyname that already */ - /* resides in the specified token */ - /**********************************************************/ - - rvFindSymKey = TKS_FindSymKey( slot, - keyname, - &pwdata ); - if( rvFindSymKey == SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" keyname specified by " - "\n\t\t\"-n %s\"\n\t\talready exists in the " - "specified token.\n\t\tPlease specify a " - "different keyname.\n\n", - progName, - commandToRun, - keyname, - keyname ); - rv = SECFailure; - goto shutdown; - } - - - /**********************************************/ - /* Seed the Random Number Generator (RNG). */ - /* ("-T" generate transport key command ONLY) */ - /**********************************************/ - - if( tkstool.commands[cmd_GenTransportKey].activated ) { - rvSeedRNG = TKS_SeedRNG( SeedNoise ); - if( rvSeedRNG != SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s", - progName, - commandToRun, - "unable to seed random number generator\n" ); - rv = SECFailure; - goto shutdown; - } - } - - - /***********************************/ - /* Clear screen and wait for user. */ - /***********************************/ - - TKS_ClearScreen(); - - if( tkstool.commands[cmd_GenTransportKey].activated ) { - PR_fprintf( PR_STDOUT, - "\nThe next screen generates the " - "first session key share . . .\n" ); - } else { - /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ - PR_fprintf( PR_STDOUT, - "\nUse the next screen to input the " - "first session key share . . .\n" ); - } - - TKS_TypeProceedToContinue(); - - - /******************************************************************/ - /* Input ("-I"), or Generate ("-T"), the first session key share. 
*/ - /******************************************************************/ - - firstSessionKeyShare.len = FIRST_SESSION_KEY_SHARE_LENGTH; - firstSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( FIRST_SESSION_KEY_SHARE_LENGTH ); - - if( tkstool.commands[cmd_GenTransportKey].activated ) { - rvFirstSessionKeyShare = TKS_GenerateSessionKeyShare( - FIRST_SESSION_KEY_SHARE, - &firstSessionKeyShare ); - - if( rvFirstSessionKeyShare != SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s", - progName, - commandToRun, - "unable to generate the ", - FIRST_SESSION_KEY_SHARE, - " session key share\n" ); - rv = SECFailure; - goto shutdown; - } - } else { - /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ - while( rvFirstSessionKeyShare != SECSuccess ) { - rvFirstSessionKeyShare = TKS_InputSessionKeyShare( - FIRST_SESSION_KEY_SHARE, - &firstSessionKeyShare ); - } - } - -#if defined(PAD_DES2_KEY_LENGTH) - /****************************************************************/ - /* Since TKS uses double-DES keys instead of triple-DES keys, */ - /* the final 8 bytes of this session key share must be padded */ - /* in order to use the standard PKCS #11 triple-DES operations! */ - /* */ - /* Therefore, in order to perform this operation, the 16 bytes */ - /* comprising the original buffer are first copied into the new */ - /* buffer, and then the first 8 bytes of the original buffer */ - /* are copied into the final 8 bytes of the new buffer. 
*/ - /****************************************************************/ - - paddedFirstSessionKeyShare.len = PADDED_FIRST_SESSION_KEY_SHARE_LENGTH; - paddedFirstSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( PADDED_FIRST_SESSION_KEY_SHARE_LENGTH ); - - PORT_Memcpy( paddedFirstSessionKeyShare.data, - firstSessionKeyShare.data, - FIRST_SESSION_KEY_SHARE_LENGTH ); - PORT_Memcpy( ( paddedFirstSessionKeyShare.data + - FIRST_SESSION_KEY_SHARE_LENGTH ), - firstSessionKeyShare.data, - DES_LENGTH ); -#endif - - - /***********************************/ - /* Clear screen and wait for user. */ - /***********************************/ - - TKS_ClearScreen(); - - if( tkstool.commands[cmd_GenTransportKey].activated ) { - PR_fprintf( PR_STDOUT, - "\nThe next screen generates the " - "second session key share . . .\n" ); - } else { - /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ - PR_fprintf( PR_STDOUT, - "\nUse the next screen to input the " - "second session key share . . .\n" ); - } - - TKS_TypeProceedToContinue(); - - - /*******************************************************************/ - /* Input ("-I"), or Generate ("-T"), the second session key share. 
*/ - /*******************************************************************/ - - secondSessionKeyShare.len = SECOND_SESSION_KEY_SHARE_LENGTH; - secondSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( SECOND_SESSION_KEY_SHARE_LENGTH ); - - if( tkstool.commands[cmd_GenTransportKey].activated ) { - rvSecondSessionKeyShare = TKS_GenerateSessionKeyShare( - SECOND_SESSION_KEY_SHARE, - &secondSessionKeyShare ); - - if( rvSecondSessionKeyShare != SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s", - progName, - commandToRun, - "unable to generate the ", - SECOND_SESSION_KEY_SHARE, - " session key share\n" ); - rv = SECFailure; - goto shutdown; - } - } else { - /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ - while( rvSecondSessionKeyShare != SECSuccess ) { - rvSecondSessionKeyShare = TKS_InputSessionKeyShare( - SECOND_SESSION_KEY_SHARE, - &secondSessionKeyShare ); - } - } - -#if defined(PAD_DES2_KEY_LENGTH) - /****************************************************************/ - /* Since TKS uses double-DES keys instead of triple-DES keys, */ - /* the final 8 bytes of this session key share must be padded */ - /* in order to use the standard PKCS #11 triple-DES operations! */ - /* */ - /* Therefore, in order to perform this operation, the 16 bytes */ - /* comprising the original buffer are first copied into the new */ - /* buffer, and then the first 8 bytes of the original buffer */ - /* are copied into the final 8 bytes of the new buffer. 
*/ - /****************************************************************/ - - paddedSecondSessionKeyShare.len = PADDED_SECOND_SESSION_KEY_SHARE_LENGTH; - paddedSecondSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( PADDED_SECOND_SESSION_KEY_SHARE_LENGTH ); - - PORT_Memcpy( paddedSecondSessionKeyShare.data, - secondSessionKeyShare.data, - SECOND_SESSION_KEY_SHARE_LENGTH ); - PORT_Memcpy( ( paddedSecondSessionKeyShare.data + - SECOND_SESSION_KEY_SHARE_LENGTH ), - secondSessionKeyShare.data, - DES_LENGTH ); - - - /**********************************************/ - /* Prepare this key share to be used with the */ - /* TKS_DeriveSymmetricKey() function . . . */ - /**********************************************/ - - /* store a copy of the "original" padded second session key share */ - secondDerivationData.ulLen = paddedSecondSessionKeyShare.len; - secondDerivationData.pData = ( unsigned char * ) - PORT_ZAlloc( paddedSecondSessionKeyShare.len ); - PORT_Memcpy( secondDerivationData.pData, - paddedSecondSessionKeyShare.data, - paddedSecondSessionKeyShare.len ); - - /* destroy the "original" padded second session key share */ - if( paddedSecondSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - paddedSecondSessionKeyShare.data, - paddedSecondSessionKeyShare.len ); - paddedSecondSessionKeyShare.data = NULL; - paddedSecondSessionKeyShare.len = 0; - } - - /* create a "new" container for the padded second session key share */ - paddedSecondSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); - paddedSecondSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( paddedSecondSessionKeyShare.len ); - - /* copy the "original" padded second session key share */ - /* into the "new" container */ - PORT_Memcpy( paddedSecondSessionKeyShare.data, - &secondDerivationData, - paddedSecondSessionKeyShare.len ); -#else - /**********************************************/ - /* Prepare this key share to be used with the */ - /* TKS_DeriveSymmetricKey() function . 
. . */ - /**********************************************/ - - /* store a copy of the "original" second session key share */ - secondDerivationData.ulLen = secondSessionKeyShare.len; - secondDerivationData.pData = ( unsigned char * ) - PORT_ZAlloc( secondSessionKeyShare.len ); - PORT_Memcpy( secondDerivationData.pData, - secondSessionKeyShare.data, - secondSessionKeyShare.len ); - - /* destroy the "original" second session key share */ - if( secondSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - secondSessionKeyShare.data, - secondSessionKeyShare.len ); - secondSessionKeyShare.data = NULL; - secondSessionKeyShare.len = 0; - } - - /* create a "new" container for the second session key share */ - secondSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); - secondSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( secondSessionKeyShare.len ); - - /* copy the "original" second session key share */ - /* into the "new" container */ - PORT_Memcpy( secondSessionKeyShare.data, - &secondDerivationData, - secondSessionKeyShare.len ); -#endif - - - /***********************************/ - /* Clear screen and wait for user. */ - /***********************************/ - - TKS_ClearScreen(); - - if( tkstool.commands[cmd_GenTransportKey].activated ) { - PR_fprintf( PR_STDOUT, - "\nThe next screen generates the " - "third session key share . . .\n" ); - } else { - /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ - PR_fprintf( PR_STDOUT, - "\nUse the next screen to input the " - "third session key share . . .\n" ); - } - - TKS_TypeProceedToContinue(); - - - /******************************************************************/ - /* Input ("-I"), or Generate ("-T"), the third session key share. 
*/ - /******************************************************************/ - - thirdSessionKeyShare.len = THIRD_SESSION_KEY_SHARE_LENGTH; - thirdSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( THIRD_SESSION_KEY_SHARE_LENGTH ); - - if( tkstool.commands[cmd_GenTransportKey].activated ) { - rvThirdSessionKeyShare = TKS_GenerateSessionKeyShare( - THIRD_SESSION_KEY_SHARE, - &thirdSessionKeyShare ); - - if( rvThirdSessionKeyShare != SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s", - progName, - commandToRun, - "unable to generate the ", - THIRD_SESSION_KEY_SHARE, - " session key share\n" ); - rv = SECFailure; - goto shutdown; - } - } else { - /* ( tkstool.commands[cmd_InputGenTransportKey].activated ) */ - while( rvThirdSessionKeyShare != SECSuccess ) { - rvThirdSessionKeyShare = TKS_InputSessionKeyShare( - THIRD_SESSION_KEY_SHARE, - &thirdSessionKeyShare ); - } - } - -#if defined(PAD_DES2_KEY_LENGTH) - /****************************************************************/ - /* Since TKS uses double-DES keys instead of triple-DES keys, */ - /* the final 8 bytes of this session key share must be padded */ - /* in order to use the standard PKCS #11 triple-DES operations! */ - /* */ - /* Therefore, in order to perform this operation, the 16 bytes */ - /* comprising the original buffer are first copied into the new */ - /* buffer, and then the first 8 bytes of the original buffer */ - /* are copied into the final 8 bytes of the new buffer. 
*/ - /****************************************************************/ - - paddedThirdSessionKeyShare.len = PADDED_THIRD_SESSION_KEY_SHARE_LENGTH; - paddedThirdSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( PADDED_THIRD_SESSION_KEY_SHARE_LENGTH ); - - PORT_Memcpy( paddedThirdSessionKeyShare.data, - thirdSessionKeyShare.data, - THIRD_SESSION_KEY_SHARE_LENGTH ); - PORT_Memcpy( ( paddedThirdSessionKeyShare.data + - THIRD_SESSION_KEY_SHARE_LENGTH ), - thirdSessionKeyShare.data, - DES_LENGTH ); - - - /**********************************************/ - /* Prepare this key share to be used with the */ - /* TKS_DeriveSymmetricKey() function . . . */ - /**********************************************/ - - /* store a copy of the "original" padded third session key share */ - thirdDerivationData.ulLen = paddedThirdSessionKeyShare.len; - thirdDerivationData.pData = ( unsigned char * ) - PORT_ZAlloc( paddedThirdSessionKeyShare.len ); - PORT_Memcpy( thirdDerivationData.pData, - paddedThirdSessionKeyShare.data, - paddedThirdSessionKeyShare.len ); - - /* destroy the "original" padded third session key share */ - if( paddedThirdSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - paddedThirdSessionKeyShare.data, - paddedThirdSessionKeyShare.len ); - paddedThirdSessionKeyShare.data = NULL; - paddedThirdSessionKeyShare.len = 0; - } - - /* create a "new" container for the padded third session key share */ - paddedThirdSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); - paddedThirdSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( paddedThirdSessionKeyShare.len ); - - /* copy the "original" padded third session key share */ - /* into the "new" container */ - PORT_Memcpy( paddedThirdSessionKeyShare.data, - &thirdDerivationData, - paddedThirdSessionKeyShare.len ); -#else - /**********************************************/ - /* Prepare this key share to be used with the */ - /* TKS_DeriveSymmetricKey() function . . . 
*/ - /**********************************************/ - - /* store a copy of the "original" third session key share */ - thirdDerivationData.ulLen = thirdSessionKeyShare.len; - thirdDerivationData.pData = ( unsigned char * ) - PORT_ZAlloc( thirdSessionKeyShare.len ); - PORT_Memcpy( thirdDerivationData.pData, - thirdSessionKeyShare.data, - thirdSessionKeyShare.len ); - - /* destroy the "original" third session key share */ - if( thirdSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - thirdSessionKeyShare.data, - thirdSessionKeyShare.len ); - thirdSessionKeyShare.data = NULL; - thirdSessionKeyShare.len = 0; - } - - /* create a "new" container for the third session key share */ - thirdSessionKeyShare.len = sizeof( CK_KEY_DERIVATION_STRING_DATA ); - thirdSessionKeyShare.data = ( unsigned char * ) - PORT_ZAlloc( thirdSessionKeyShare.len ); - - /* copy the "original" third session key share */ - /* into the "new" container */ - PORT_Memcpy( thirdSessionKeyShare.data, - &thirdDerivationData, - thirdSessionKeyShare.len ); -#endif - - - /***********************************/ - /* Clear screen and wait for user. */ - /***********************************/ - - TKS_ClearScreen(); - - PR_fprintf( PR_STDOUT, - "\nThe next screen uses the session key shares to " - "generate the transport key . . .\n" ); - - TKS_TypeProceedToContinue(); - - TKS_ClearScreen(); - - - /**************************************/ - /* Generate the first symmetric key */ - /* using the first session key share. 
*/ - /**************************************/ - - -#if defined(PAD_DES2_KEY_LENGTH) - firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY, - internalSlot, - CKM_DES3_KEY_GEN, - CKA_ENCRYPT, - &paddedFirstSessionKeyShare, - &pwdata ); -#else - firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY, - internalSlot, - CKM_DES2_KEY_GEN, - CKA_ENCRYPT, - &firstSessionKeyShare, - &pwdata ); -#endif - if( firstSymmetricKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to generate the first (or initial) " - "symmetric key", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - - - /*********************************************************/ - /* Generate the second symmetric key using the */ - /* first symmetric key and the second session key share. */ - /*********************************************************/ - -#if defined(PAD_DES2_KEY_LENGTH) - secondSymmetricKey = TKS_DeriveSymmetricKey( SECOND_SYMMETRIC_KEY, - firstSymmetricKey, - CKM_XOR_BASE_AND_DATA, - &paddedSecondSessionKeyShare, - CKM_DES3_ECB, - ( CKA_DERIVE | - CKA_ENCRYPT ), - PADDED_SECOND_SESSION_KEY_SHARE_LENGTH ); -#else - secondSymmetricKey = TKS_DeriveSymmetricKey( SECOND_SYMMETRIC_KEY, - firstSymmetricKey, - CKM_XOR_BASE_AND_DATA, - &secondSessionKeyShare, - CKM_DES3_ECB, - ( CKA_DERIVE | - CKA_ENCRYPT ), - SECOND_SESSION_KEY_SHARE_LENGTH ); -#endif - if( secondSymmetricKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to generate the second (or intermediate) " - "symmetric key", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - - - /*********************************************************/ - /* Generate the third symmetric key using the */ - /* second symmetric key and the third session key share. 
*/ - /*********************************************************/ - -#if defined(PAD_DES2_KEY_LENGTH) - thirdSymmetricKey = TKS_DeriveSymmetricKey( THIRD_SYMMETRIC_KEY, - secondSymmetricKey, - CKM_XOR_BASE_AND_DATA, - &paddedThirdSessionKeyShare, - CKM_DES3_ECB, - ( CKA_DERIVE | - CKA_ENCRYPT ), - PADDED_THIRD_SESSION_KEY_SHARE_LENGTH ); -#else - thirdSymmetricKey = TKS_DeriveSymmetricKey( THIRD_SYMMETRIC_KEY, - secondSymmetricKey, - CKM_XOR_BASE_AND_DATA, - &thirdSessionKeyShare, - CKM_DES3_ECB, - ( CKA_DERIVE | - CKA_ENCRYPT ), - THIRD_SESSION_KEY_SHARE_LENGTH ); -#endif - if( thirdSymmetricKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to generate the third (or final) " - "symmetric key", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - - - /*******************************************************************/ - /* Finally, store the third symmetric key (the transport key) into */ - /* the specified slot, and provide a name for this transport key. */ - /*******************************************************************/ - - rvSymmetricKeyname = TKS_StoreSymmetricKeyAndNameIt( TRANSPORT_KEY, - keyname, - slot, - ( CKA_ENCRYPT | - CKA_WRAP ), - ( CKF_ENCRYPT | - CKF_UNWRAP | - CKF_WRAP ), - thirdSymmetricKey ); - if( rvSymmetricKeyname != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to save/name the transport key!\n\n" ); - rv = SECFailure; - goto shutdown; - } else { - PR_fprintf( PR_STDOUT, - "Successfully generated, stored, and named the " - "transport key!\n\n" ); - } - - - /*********************************/ - /* Cleanup and exit with success */ - /*********************************/ - - rv = SECSuccess; - goto shutdown; - } - - - /****************************************/ - /* Execute the "-K" display KCV command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. 
*/ - /****************************************/ - - if( tkstool.commands[cmd_DisplayKCV].activated ) { - - /*****************************************************/ - /* Retrieve a handle to the specified symmetric key. */ - /* This insures that the specified symmetric key */ - /* already resides on the specified token. */ - /*****************************************************/ - - symmetricKey = TKS_RetrieveSymKey( slot, - keyname, - &pwdata ); - if( symmetricKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" symmetric keyname specified by " - "\n\t\t\"-n %s\" does NOT exist on the specified " - "token.\n\t\tPlease specify a " - "different symmetric keyname.\n\n", - progName, - commandToRun, - keyname, - keyname ); - rv = SECFailure; - goto shutdown; - } - - - /*************************************************/ - /* Compute and display this symmetric key's KCV. */ - /*************************************************/ - - PR_fprintf( PR_STDOUT, - "\nComputing and displaying KCV of the symmetric key " - "on the specified token . . .\n\n" ); - - /* Calculate this symmetric key's KCV */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, - ( PRIntn ) 0, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - symmetricKey, - keyname, - RESIDENT_KEY, - PR_TRUE, - NULL ); - if( rvKCV != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Unable to compute/display KCV of " - "this symmetric key!\n\n" ); - rv = SECFailure; - goto shutdown; - } - - - /*********************************/ - /* Cleanup and exit with success */ - /*********************************/ - - rv = SECSuccess; - goto shutdown; - } - - - /**************************************/ - /* Execute the "-L" list keys command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. 
*/ - /**************************************/ - - if( tkstool.commands[cmd_ListKeys].activated ) { - rv = TKS_ListKeys( progName, - slot, - keyname, - 0 /*keyindex*/, - PR_FALSE /*dopriv*/, - &pwdata ); - goto shutdown; - } - - - /************************************************/ - /* Execute the "-M" generate master key command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. */ - /************************************************/ - - if( tkstool.commands[cmd_GenMasterKey].activated ) { - - /**********************************************************/ - /* Do not allow duplicate symmetric keys to be generated */ - /* (i. e. - disallow symmetric keys specified */ - /* by the same keyname) */ - /* */ - /* NOTE: The following code snippet effectively */ - /* prohibits this tool from generating any */ - /* symmetric key with a keyname that already */ - /* resides in the specified token */ - /**********************************************************/ - - rvFindSymKey = TKS_FindSymKey( slot, - keyname, - &pwdata ); - if( rvFindSymKey == SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" keyname specified by " - "\n\t\t\"-n %s\"\n\t\talready exists in the " - "specified token.\n\t\tPlease specify a " - "different keyname.\n\n", - progName, - commandToRun, - keyname, - keyname ); - rv = SECFailure; - goto shutdown; - } - - - /*****************************************************************/ - /* Generate the master key and store it on the designated token. */ - /*****************************************************************/ - - PR_fprintf( PR_STDOUT, - "\nGenerating and storing the master key " - "on the specified token . . .\n\n" ); - - if( MASTER_KEY_LENGTH == ( 2 * DES_LENGTH ) ) { - masterKey = PK11_TokenKeyGen( - /* slot */ slot, - /* mechanism */ CKM_DES2_KEY_GEN, - /* param */ 0, - /* keySize */ 0, - /* keyid */ 0, - /* isToken (i. e. 
- isPerm) */ PR_TRUE, - /* wincx */ &pwdata ); - if( masterKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to generate/store this DES2 master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - } else if( MASTER_KEY_LENGTH == ( 3 * DES_LENGTH ) ) { - masterKey = PK11_TokenKeyGen( - /* slot */ slot, - /* mechanism */ CKM_DES3_KEY_GEN, - /* param */ 0, - /* keySize */ 0, - /* keyid */ 0, - /* isToken (i. e. - isPerm) */ PR_TRUE, - /* wincx */ &pwdata ); - if( masterKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to generate/store this DES3 master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - } else { - /* invalid key size */ - PR_fprintf( PR_STDERR, - "%s -%c: %s\n\n\n", - progName, - commandToRun, - "MASTER_KEY_LENGTH must be DES2 or DES3 length!" ); - rv = SECFailure; - goto shutdown; - } - - - /*****************************************************************/ - /* Finally, name the master key with the specified name. */ - /*****************************************************************/ - - PR_fprintf( PR_STDOUT, - "Naming the master key \"%s\" . . .\n\n", - keyname ); - - rvMasterKeyname = PK11_SetSymKeyNickname( - /* symmetric key */ masterKey, - /* nickname */ keyname ); - if( rvMasterKeyname != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to name the master key!\n\n" ); - rv = SECFailure; - goto shutdown; - } - - - /*********************************************/ - /* Compute and display the master key's KCV. */ - /*********************************************/ - - PR_fprintf( PR_STDOUT, - "Computing and displaying KCV of the master key " - "on the specified token . . 
.\n\n" ); - - /* Calculate the master key's KCV */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, - ( PRIntn ) 0, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - masterKey, - keyname, - RESIDENT_KEY, - PR_TRUE, - NULL ); - if( rvKCV != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Unable to compute/display KCV of " - "the master key!\n\n" ); - rv = SECFailure; - goto shutdown; - } else { - PR_fprintf( PR_STDOUT, - "Successfully generated, stored, and named the " - "master key\nincluding computing and displaying " - "its KCV!\n\n" ); - } - - - /*********************************/ - /* Cleanup and exit with success */ - /*********************************/ - - rv = SECSuccess; - goto shutdown; - } - - - /**************************************************************/ - /* Execute the "-N" new software database creation command */ - /* */ - /* NOTE: This command is mutually exclusive from all others. */ - /* Always initialize the password when creating a new */ - /* set of software databases */ - /**************************************************************/ - - if( tkstool.commands[cmd_NewDBs].activated ) { - rv = SECU_ChangePW( slot, - 0, - pwdata.data ); - goto shutdown; - } - - - /****************************************************/ - /* Execute the "-P" change key DB password command */ - /* */ - /* NOTE: This command is mutually exclusive from */ - /* all others. (future - change pw to slot?) */ - /****************************************************/ - - if( tkstool.commands[cmd_ChangePassword].activated ) { - rv = SECU_ChangePW( slot, - 0, - pwdata.data ); - goto shutdown; - } - - - /***************************************/ - /* Execute the "-R" rename key command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. 
*/ - /***************************************/ - - if( tkstool.commands[cmd_RenameKey].activated ) { - - /*****************************************************/ - /* Check that specified keynames are not identical. */ - /*****************************************************/ - if( PL_strcmp( keyname, new_keyname ) == 0 ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe two keynames specified by " - "\n\t\t\"-n %s\" and \"-r %s\" are identical." - "\n\t\tPlease provide two non-identical keynames.\n\n", - progName, - commandToRun, - keyname, - new_keyname ); - rv = SECFailure; - goto shutdown; - } - - /*****************************************************/ - /* Retrieve a handle to the specified symmetric key. */ - /* This insures that the specified symmetric key */ - /* already resides on the specified token. */ - /*****************************************************/ - - symmetricKey = TKS_RetrieveSymKey( slot, - keyname, - &pwdata ); - if( symmetricKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" symmetric keyname specified by " - "\n\t\t\"-n %s\" does NOT exist on the specified " - "token.\n\t\tPlease specify a " - "different symmetric keyname.\n\n", - progName, - commandToRun, - keyname, - keyname ); - rv = SECFailure; - goto shutdown; - } - - - /**********************************************************/ - /* Do not allow the renamed key to overwrite a */ - /* preexisting key of the same name */ - /* */ - /* NOTE: The following code snippet effectively */ - /* prohibits this tool from renaming any */ - /* symmetric key with a keyname that already */ - /* resides in the specified token */ - /**********************************************************/ - - rvFindSymKey = TKS_FindSymKey( slot, - new_keyname, - &pwdata ); - if( rvFindSymKey == SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" keyname specified by " - "\n\t\t\"-r %s\"\n\t\talready exists in the " - "specified token.\n\t\tPlease specify a " - "different keyname for renaming 
purposes.\n\n", - progName, - commandToRun, - new_keyname, - new_keyname ); - rv = SECFailure; - goto shutdown; - } - - -#if defined(DEBUG) - /*****************************************************************/ - /* For convenience, compute and display the symmetric key's KCV. */ - /*****************************************************************/ - - PR_fprintf( PR_STDOUT, - "Computing and displaying KCV of the symmetric key " - "on the specified token . . .\n\n" ); - - /* Calculate the symmetric key's KCV */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, - ( PRIntn ) 0, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - symmetricKey, - keyname, - RESIDENT_KEY, - PR_TRUE, - NULL ); - if( rvKCV != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Unable to compute/display KCV of " - "the symmetric key!\n\n" ); - rv = SECFailure; - goto shutdown; - } -#endif - - - /********************************************************************/ - /* Finally, rename the symmetric key with the newly specified name. */ - /********************************************************************/ - - PR_fprintf( PR_STDOUT, - "Renaming the symmetric key named \"%s\" to \"%s\" . . .\n\n", - keyname, - new_keyname ); - - rvSymmetricKeyname = PK11_SetSymKeyNickname( - /* symmetric key */ symmetricKey, - /* nickname */ new_keyname ); - if( rvSymmetricKeyname != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to rename the symmetric key!\n\n" ); - rv = SECFailure; - goto shutdown; - } else { - PR_fprintf( PR_STDOUT, - "Successfully renamed the symmetric key named \"%s\" " - "to \"%s\"!\n\n", - keyname, - new_keyname ); - } - - -#if defined(DEBUG) - /********************************************************/ - /* For convenience, compute and display the renamed */ - /* symmetric key's KCV. */ - /********************************************************/ - - PR_fprintf( PR_STDOUT, - "Computing and displaying KCV of the renamed symmetric key " - "on the specified token . . 
.\n\n" ); - - /* Calculate the renamed symmetric key's KCV */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, - ( PRIntn ) 0, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - symmetricKey, - new_keyname, - RESIDENT_KEY, - PR_TRUE, - NULL ); - if( rvKCV != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Unable to compute/display KCV of " - "the renamed symmetric key!\n\n" ); - rv = SECFailure; - goto shutdown; - } -#endif - - - /*********************************/ - /* Cleanup and exit with success */ - /*********************************/ - - rv = SECSuccess; - goto shutdown; - } - - - /**************************************************/ - /* Execute the "-S" list security modules command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. */ - /**************************************************/ - - if( tkstool.commands[cmd_ListSecModules].activated ) { - rv = TKS_ListSecModules(); - goto shutdown; - } - - - /**********************************************/ - /* Execute the "-U" unwrap master key command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. */ - /**********************************************/ - - if( tkstool.commands[cmd_UnWrapMasterKey].activated ) { - - /**********************************************************/ - /* Do not allow duplicate symmetric keys to be stored */ - /* (i. e. 
- disallow symmetric keys specified */ - /* by the same keyname) */ - /* */ - /* NOTE: The following code snippet effectively */ - /* prohibits this tool from storing any */ - /* symmetric key with a keyname that already */ - /* resides in the specified token */ - /**********************************************************/ - - rvFindSymKey = TKS_FindSymKey( slot, - keyname, - &pwdata ); - if( rvFindSymKey == SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" keyname specified by " - "\n\t\t\"-n %s\"\n\t\talready exists in the " - "specified token.\n\t\tPlease specify a " - "different keyname.\n\n", - progName, - commandToRun, - keyname, - keyname ); - rv = SECFailure; - goto shutdown; - } - - - /*******************************************************************/ - /* Retrieve a handle to the specified unwrapping key. This insures */ - /* that the specified unwrapping key (i. e. - transport key) */ - /* already exists on the specified token. */ - /* */ - /* NOTE: Requiring that the transport key AND the master key */ - /* reside on the same token is a FIPS 140-1 requirement! */ - /*******************************************************************/ - - TKS_ClearScreen(); - - PR_fprintf( PR_STDOUT, - "\nRetrieving the transport key from the " - "specified token (for unwrapping) . . .\n\n" ); - - transportKey = TKS_RetrieveSymKey( slot, - transport_keyname, - &pwdata ); - if( transportKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" transport keyname specified by " - "\"-t %s\"\n\t\tdoes NOT exist on the specified " - "token.\n\t\tPlease specify a " - "different transport keyname.\n\n", - progName, - commandToRun, - transport_keyname, - transport_keyname ); - rv = SECFailure; - goto shutdown; - } - - - /*****************************************************************/ - /* Read in the wrapped master key from the specified input file. 
*/ - /*****************************************************************/ - - PR_fprintf( PR_STDOUT, - "Reading in the wrapped data (and resident master key KCV) " - "from the file called\n\"%s\" . . .\n\n", - input ); - - /* Create a clean new storage buffer for this wrapped key */ - wrappedMasterKey.len = WRAPPED_KEY_LENGTH; - wrappedMasterKey.data = ( unsigned char * ) - PORT_ZAlloc( WRAPPED_KEY_LENGTH ); - - /* Create a clean new hex storage buffer for this master key's KCV */ - hexInternalKeyKCV.type = ( SECItemType ) siBuffer; - hexInternalKeyKCV.len = ( HEX_WRAPPED_KEY_KCV_LENGTH + 1 ); - hexInternalKeyKCV.data = ( unsigned char * ) - PORT_ZAlloc( hexInternalKeyKCV.len ); - if( hexInternalKeyKCV.data == NULL ) { - rv = SECFailure; - goto shutdown; - } - - rvWrappedMasterKey = TKS_ReadInputFileIntoSECItem( input, - ( char * ) hexInternalKeyKCV.data, - hexInternalKeyKCV.len, - keyname, - &wrappedMasterKey ); - if( rvWrappedMasterKey != SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tunable to read in wrapped master key " - "from file called \"%s\".\n", - progName, - commandToRun, - input ); - rv = SECFailure; - goto shutdown; - } - - - /*************************************************************/ - /* Temporarily unwrap the master key to check its KCV value. */ - /*************************************************************/ - - PR_fprintf( PR_STDOUT, - "Using the transport key to temporarily unwrap " - "the master key to recompute\nits KCV value to " - "check against its pre-computed KCV value . . 
.\n\n" ); - - temporaryMasterKey = PK11_UnwrapSymKeyWithFlagsPerm( - /* wrapping key */ transportKey, - /* wraptype */ CKM_DES3_ECB, - /* param */ 0, - /* wrapped key */ &wrappedMasterKey, - /* target */ CKM_DES3_ECB, - /* operation */ CKA_ENCRYPT, - /* target key length */ WRAPPED_KEY_LENGTH, - /* flags */ 0, - /* isPerm */ PR_FALSE ); - if( temporaryMasterKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to temporarily unwrap the master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - - /* verify that the wrapped key and KCV read in from */ - /* the input file correspond to each other . . . */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, - ( PRIntn ) 0, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - temporaryMasterKey, - keyname, - UNWRAPPED_KEY, - PR_FALSE, - hexInternalKeyKCV.data ); - if( rvKCV != SECSuccess ) { - rv = SECFailure; - goto shutdown; - } - - - /***************************************************************/ - /* Unwrap the master key and store it on the designated token. */ - /***************************************************************/ - - PR_fprintf( PR_STDOUT, - "Using the transport key to unwrap and store " - "the master key\non the specified token . . .\n\n" ); - - masterKey = PK11_UnwrapSymKeyWithFlagsPerm( - /* wrapping key */ transportKey, - /* wraptype */ CKM_DES3_ECB, - /* param */ 0, - /* wrapped key */ &wrappedMasterKey, - /* target */ CKM_DES3_ECB, - /* operation */ CKA_ENCRYPT, - /* target key length */ WRAPPED_KEY_LENGTH, - /* flags */ 0, - /* isPerm */ PR_TRUE ); - if( masterKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to unwrap/store the master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - - - /*****************************************************************/ - /* Finally, name the master key with the specified name. 
*/ - /*****************************************************************/ - - PR_fprintf( PR_STDOUT, - "Naming the master key \"%s\" . . .\n\n", - keyname ); - - rvMasterKeyname = PK11_SetSymKeyNickname( - /* symmetric key */ masterKey, - /* nickname */ keyname ); - if( rvMasterKeyname != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to name the master key!\n\n" ); - rv = SECFailure; - goto shutdown; - } else { - PR_fprintf( PR_STDOUT, - "Successfully unwrapped, stored, and named the " - "master key!\n\n" ); - } - - - /*********************************/ - /* Cleanup and exit with success */ - /*********************************/ - - rv = SECSuccess; - goto shutdown; - } - - - /******************************************************/ - /* Execute the "-W" wrap generated master key command */ - /* */ - /* NOTE: This command is mutually */ - /* exclusive from all others. */ - /******************************************************/ - - if( tkstool.commands[cmd_WrapMasterKey].activated ) { - - /**********************************************************/ - /* Do not allow duplicate symmetric keys to be stored */ - /* (i. e. - disallow symmetric keys specified */ - /* by the same keyname) */ - /* */ - /* NOTE: The following code snippet effectively */ - /* prohibits this tool from storing any */ - /* symmetric key with a keyname that already */ - /* resides in the specified token */ - /**********************************************************/ - - rvFindSymKey = TKS_FindSymKey( slot, - keyname, - &pwdata ); - if( rvFindSymKey == SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" keyname specified by " - "\n\t\t\"-n %s\"\n\t\talready exists in the " - "specified token.\n\t\tPlease specify a " - "different keyname.\n\n", - progName, - commandToRun, - keyname, - keyname ); - rv = SECFailure; - goto shutdown; - } - - - /*****************************************************************/ - /* Retrieve a handle to the specified wrapping key. 
This insures */ - /* that the specified wrapping key (i. e. - transport key) */ - /* already exists on the specified token. */ - /* */ - /* NOTE: Requiring that the transport key AND the master key */ - /* reside on the same token is a FIPS 140-1 requirement! */ - /*****************************************************************/ - - TKS_ClearScreen(); - - PR_fprintf( PR_STDOUT, - "\nRetrieving the transport key (for wrapping) " - "from the specified token . . .\n\n" ); - - transportKey = TKS_RetrieveSymKey( slot, - transport_keyname, - &pwdata ); - if( transportKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c:\tthe \"%s\" transport keyname specified by " - "\"-t %s\"\n\t\tdoes NOT exist on the specified " - "token.\n\t\tPlease specify a " - "different transport keyname.\n\n", - progName, - commandToRun, - transport_keyname, - transport_keyname ); - rv = SECFailure; - goto shutdown; - } - - - /*****************************************************************/ - /* Generate the master key and store it on the designated token. */ - /*****************************************************************/ - - PR_fprintf( PR_STDOUT, - "Generating and storing the master key " - "on the specified token . . .\n\n" ); - - if( WRAPPED_KEY_LENGTH == ( 2 * DES_LENGTH ) ) { - masterKey = PK11_TokenKeyGen( - /* slot */ slot, - /* mechanism */ CKM_DES2_KEY_GEN, - /* param */ 0, - /* keySize */ 0, - /* keyid */ 0, - /* isToken (i. e. - isPerm) */ PR_TRUE, - /* wincx */ &pwdata ); - if( masterKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to generate/store this DES2 master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - } else if( WRAPPED_KEY_LENGTH == ( 3 * DES_LENGTH ) ) { - masterKey = PK11_TokenKeyGen( - /* slot */ slot, - /* mechanism */ CKM_DES3_KEY_GEN, - /* param */ 0, - /* keySize */ 0, - /* keyid */ 0, - /* isToken (i. e. 
- isPerm) */ PR_TRUE, - /* wincx */ &pwdata ); - if( masterKey == NULL ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to generate/store this DES3 master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - } else { - /* invalid key size */ - PR_fprintf( PR_STDERR, - "%s -%c: %s\n\n\n", - progName, - commandToRun, - "WRAPPED_KEY_LENGTH must be DES2 or DES3 length!" ); - rv = SECFailure; - goto shutdown; - } - - - /************************************************/ - /* Name the master key with the specified name. */ - /************************************************/ - - PR_fprintf( PR_STDOUT, - "Naming the master key \"%s\" . . .\n\n", - keyname ); - - rvMasterKeyname = PK11_SetSymKeyNickname( - /* symmetric key */ masterKey, - /* nickname */ keyname ); - if( rvMasterKeyname != SECSuccess ) { - PR_fprintf( PR_STDERR, - "ERROR: Failed to name the master key!\n\n" ); - rv = SECFailure; - goto shutdown; - } else { - PR_fprintf( PR_STDOUT, - "Successfully generated, stored, and named the " - "master key!\n\n" ); - } - - - /**********************************/ - /* Compute this master key's KCV. */ - /**********************************/ - - /* Create a clean new hex storage buffer for this master key's KCV */ - hexInternalKeyKCV.type = ( SECItemType ) siBuffer; - hexInternalKeyKCV.len = ( HEX_WRAPPED_KEY_KCV_LENGTH + 1 ); - hexInternalKeyKCV.data = ( unsigned char * ) - PORT_ZAlloc( hexInternalKeyKCV.len ); - if( hexInternalKeyKCV.data == NULL ) { - rv = SECFailure; - goto shutdown; - } - - /* Calculate this master key's KCV */ - rvKCV = TKS_ComputeAndDisplayKCV( ( PRUint8 * ) NULL, - ( PRIntn ) 0, - ( PRUint8 * ) KCV, - ( PRIntn ) KCVLen, - masterKey, - keyname, - WRAPPED_KEY, - PR_FALSE, - hexInternalKeyKCV.data ); - if( rvKCV != SECSuccess ) { - rv = SECFailure; - goto shutdown; - } - - - /****************************************/ - /* Wrap the newly generated master key. 
*/ - /****************************************/ - - PR_fprintf( PR_STDOUT, - "Using the transport key to wrap and store " - "the master key . . .\n\n" ); - - wrappedMasterKey.len = WRAPPED_KEY_LENGTH; - wrappedMasterKey.data = ( unsigned char * ) - PORT_ZAlloc( WRAPPED_KEY_LENGTH ); - - rvWrappedMasterKey = PK11_WrapSymKey( - /* mechanism type */ CKM_DES3_ECB, - /* param */ 0, - /* wrapping key */ transportKey, - /* key to be wrapped */ masterKey, - /* wrapped key */ &wrappedMasterKey ); - if( rvWrappedMasterKey != SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to wrap the master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - - - /**************************************************************/ - /* Write the wrapped master key to the specified output file. */ - /**************************************************************/ - - PR_fprintf( PR_STDOUT, - "Writing the wrapped data (and resident master key KCV) " - "into the file called\n\"%s\" . . 
.\n\n", - output ); - - rvSaveWrappedMasterKey = TKS_WriteSECItemIntoOutputFile( &wrappedMasterKey, - keyname, - ( char * ) hexInternalKeyKCV.data, - ( hexInternalKeyKCV.len - 1 ), - output ); - if( rvSaveWrappedMasterKey != SECSuccess ) { - PR_fprintf( PR_STDERR, - "%s -%c: %s:%d\n", - progName, - commandToRun, - "unable to save the wrapped master key ", - PR_GetError() ); - rv = SECFailure; - goto shutdown; - } - - - /*********************************/ - /* Cleanup and exit with success */ - /*********************************/ - - rv = SECSuccess; - goto shutdown; - } - - -shutdown: - /* free internal slot */ - if( slot ) { - PK11_FreeSlot( /* slot */ internalSlot ); - } - - - /* free slot */ - if( slot ) { - PK11_FreeSlot( /* slot */ slot ); - } - - - /* destroy the pwdata */ - if( pwdata.data != NULL ) { - pwdata.source = PW_NONE; - i = 0; - do { - if( pwdata.data[i] != 0 ) { - pwdata.data[i] = 0; - i++; - } else { - status = PR_TRUE; - } - } while( status == PR_FALSE ); - } - - - /* destroy the first session key share */ - if( firstSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - firstSessionKeyShare.data, - firstSessionKeyShare.len ); - firstSessionKeyShare.data = NULL; - firstSessionKeyShare.len = 0; - } - - -#if defined(PAD_DES2_KEY_LENGTH) - /* destroy the first padded session key share */ - if( paddedFirstSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - paddedFirstSessionKeyShare.data, - paddedFirstSessionKeyShare.len ); - paddedFirstSessionKeyShare.data = NULL; - paddedFirstSessionKeyShare.len = 0; - } -#endif - - - /* destroy the "original" second session key share */ - if( secondDerivationData.pData != NULL ) { - PORT_ZFree( ( unsigned char * ) - secondDerivationData.pData, - secondDerivationData.ulLen ); - secondDerivationData.pData = NULL; - secondDerivationData.ulLen = 0; - } - - -#if defined(PAD_DES2_KEY_LENGTH) - /* destroy the second padded session key share */ - if( paddedSecondSessionKeyShare.data != NULL 
) { - PORT_ZFree( ( unsigned char * ) - paddedSecondSessionKeyShare.data, - paddedSecondSessionKeyShare.len ); - paddedSecondSessionKeyShare.data = NULL; - paddedSecondSessionKeyShare.len = 0; - } -#endif - - - /* destroy the second session key share container */ - if( secondSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - secondSessionKeyShare.data, - secondSessionKeyShare.len ); - secondSessionKeyShare.data = NULL; - secondSessionKeyShare.len = 0; - } - - - /* destroy the "original" third session key share */ - if( thirdDerivationData.pData != NULL ) { - PORT_ZFree( ( unsigned char * ) - thirdDerivationData.pData, - thirdDerivationData.ulLen ); - thirdDerivationData.pData = NULL; - thirdDerivationData.ulLen = 0; - } - - -#if defined(PAD_DES2_KEY_LENGTH) - /* destroy the third padded session key share */ - if( paddedThirdSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - paddedThirdSessionKeyShare.data, - paddedThirdSessionKeyShare.len ); - paddedThirdSessionKeyShare.data = NULL; - paddedThirdSessionKeyShare.len = 0; - } -#endif - - - /* destroy the third session key share container */ - if( thirdSessionKeyShare.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - thirdSessionKeyShare.data, - thirdSessionKeyShare.len ); - thirdSessionKeyShare.data = NULL; - thirdSessionKeyShare.len = 0; - } - - - /* destroy the first symmetric key */ - if( firstSymmetricKey ) { - PK11_FreeSymKey( /* symmetric key */ firstSymmetricKey ); - } - - - /* destroy the second symmetric key */ - if( secondSymmetricKey ) { - PK11_FreeSymKey( /* symmetric key */ secondSymmetricKey ); - } - - - /* destroy the third symmetric key (transport key) */ - if( thirdSymmetricKey ) { - PK11_FreeSymKey( /* symmetric key */ thirdSymmetricKey ); - } - - - /* destroy the hexInternalKeyKCV */ - if( hexInternalKeyKCV.data != NULL ) { - PORT_ZFree( ( unsigned char * ) - hexInternalKeyKCV.data, - hexInternalKeyKCV.len ); - hexInternalKeyKCV.data = NULL; - 
hexInternalKeyKCV.len = 0; - } - - - /* destroy the KCV */ - if( KCV != NULL ) { - PORT_ZFree( ( unsigned char * ) - KCV, - KCVLen ); - KCV = NULL; - KCVLen = 0; - } - - - /* destroy the temporary master key */ - if( temporaryMasterKey ) { - PK11_FreeSymKey( /* symmetric key */ temporaryMasterKey ); - } - - - /* destroy the master key */ - if( masterKey ) { - PK11_FreeSymKey( /* symmetric key */ masterKey ); - } - - - /* destroy the transport key */ - if( transportKey ) { - PK11_FreeSymKey( /* symmetric key */ transportKey ); - } - - - /* shutdown NSS */ - if( NSS_Shutdown() != SECSuccess ) { - return 255; - } - - - /* exit with an appropriate return value */ - if( rv == SECSuccess ) { - return 0; - } else { - return 255; - } -} - diff --git a/pki/base/native-tools/src/tkstool/tkstool.h b/pki/base/native-tools/src/tkstool/tkstool.h deleted file mode 100644 index 3b0407227..000000000 --- a/pki/base/native-tools/src/tkstool/tkstool.h +++ /dev/null 
@@ -1,321 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -/************************/ -/** #include headers **/ -/************************/ - -#ifdef HAVE_CONFIG_H -#ifndef AUTOTOOLS_CONFIG_H -#define AUTOTOOLS_CONFIG_H - -/* Eliminate warnings when using Autotools */ -#undef PACKAGE_BUGREPORT -#undef PACKAGE_NAME -#undef PACKAGE_STRING -#undef PACKAGE_TARNAME -#undef PACKAGE_VERSION - -#include <config.h> -#endif /* AUTOTOOLS_CONFIG_H */ -#endif /* HAVE_CONFIG_H */ - -#include <stdio.h> -#include <string.h> - -#if defined(WIN32) -#include "fcntl.h" -#include "io.h" -#endif - -#if defined(XP_UNIX) -#include <unistd.h> -#include <sys/time.h> -#include <termios.h> -#endif - -#if defined(XP_WIN) || defined (XP_PC) -#include <time.h> -#include <conio.h> -#endif - -#include "secutil.h" -#include "nspr.h" -#include "prtypes.h" -#include "prtime.h" -#include "prlong.h" -#include "pk11func.h" -#include "secasn1.h" -#include "cert.h" -#include "cryptohi.h" -#include "secoid.h" -#include "certdb.h" -#include "nss.h" - - -/****************/ -/** #defines **/ -/****************/ - -#define TKSTOOL_MAJOR_VERSION_NUMBER 1 -#define TKSTOOL_MINOR_VERSION_NUMBER 0 -#define TKSTOOL_VERSION_SUFFIX "" - -#define 
DEFAULT_KEY_BITS 1024 -#define NUM_KEYSTROKES 120 -#define RAND_BUF_LENGTH 60 -#define DES_LENGTH 8 -#define KEYSTROKES_TO_PROCEED 8 -#define KCV_LENGTH 4 -#define CTRL_C 3 - -#define FIRST_SESSION_KEY_SHARE "first" -#define FIRST_SESSION_KEY_SHARE_LENGTH 16 -#define SECOND_SESSION_KEY_SHARE "second" -#define SECOND_SESSION_KEY_SHARE_LENGTH 16 -#define THIRD_SESSION_KEY_SHARE "third" -#define THIRD_SESSION_KEY_SHARE_LENGTH 16 -#define HEX_SESSION_KEY_BUF_LENGTH 32 -#define HEX_SESSION_KEY_KCV_BUF_LENGTH 8 - -#define MASTER_KEY_LENGTH 16 - -#define WRAPPED_KEY_LENGTH 16 -#define HEX_WRAPPED_KEY_LENGTH 32 -#define HEX_WRAPPED_KEY_KCV_LENGTH 8 - -#if defined(PAD_DES2_KEY_LENGTH) -#define PADDED_FIRST_SESSION_KEY_SHARE_LENGTH 24 -#define PADDED_SECOND_SESSION_KEY_SHARE_LENGTH 24 -#define PADDED_THIRD_SESSION_KEY_SHARE_LENGTH 24 -#endif - -#define FIRST_SYMMETRIC_KEY "first" -#define SECOND_SYMMETRIC_KEY "second" -#define THIRD_SYMMETRIC_KEY "third" -#define MASTER_KEY "master" -#define RESIDENT_KEY "resident" -#define SESSION_KEY "session" -#define SYMMETRIC_KEY "symmetric" -#define TRANSPORT_KEY "transport" -#define UNWRAPPED_KEY "unwrapped" -#define WRAPPED_KEY "wrapped" - -#define CONTINUATION_MESSAGE "Press enter to continue " \ - "(or ^C to break): " - -#define PROCEED_MESSAGE "Type the word \"proceed\" " \ - "and press enter to continue " \ - "(or ^C to break): " - - -/**************************************/ -/** external function declarations **/ -/**************************************/ - -#if defined(__sun) && !defined(SVR4) -extern int fclose( FILE* ); -extern int fprintf( FILE *, char *, ... 
); -extern int isatty( int ); -extern char *sys_errlist[]; -#define strerror( errno ) sys_errlist[errno] -#endif - - -/***************************/ -/** function prototypes **/ -/***************************/ - -/************/ -/* delete.c */ -/************/ - -SECStatus -TKS_DeleteKeys( char *progName, - PK11SlotInfo *slot, - char *keyname, - secuPWData *pwdata ); - - -/**********/ -/* file.c */ -/**********/ - -SECStatus -TKS_ReadInputFileIntoSECItem( char *input, - char *hexInternalKeyKCV, - int hexInternalKeyKCVLength, - char *keyname, - SECItem *wrappedKey ); - -SECStatus -TKS_WriteSECItemIntoOutputFile( SECItem *wrappedKey, - char *keyname, - char *hexInternalKeyKCV, - int hexInternalKeyKCVLength, - char *output ); - - -/**********/ -/* find.c */ -/**********/ - -SECStatus -TKS_FindSymKey( PK11SlotInfo *slot, - char *keyname, - void *pwdata ); - - -/**********/ -/* help.c */ -/**********/ - -void -TKS_Usage( char *progName ); - -void -TKS_PrintHelp( char *progName ); - - -/*********/ -/* key.c */ -/*********/ - -SECStatus -TKS_ComputeAndDisplayKCV( PRUint8 *newKey, - PRIntn newKeyLen, - PRUint8 *KCV, - PRIntn KCVLen, - PK11SymKey *symKey, - char *keyName, - char *keyType, - PRBool displayKCV, - PRUint8 *expectedHexKCV ); - -SECStatus -TKS_GenerateSessionKeyShare( char *sessionKeyShareName, - SECItem *sessionKeyShare ); - -SECStatus -TKS_InputSessionKeyShare( char *sessionKeyShareName, - SECItem *sessionKeyShare ); - -PK11SymKey * -TKS_ImportSymmetricKey( char *symmetricKeyName, - PK11SlotInfo *slot, - CK_MECHANISM_TYPE mechanism, - CK_ATTRIBUTE_TYPE operation, - SECItem *sessionKeyShare, - secuPWData *pwdata ); - -PK11SymKey * -TKS_DeriveSymmetricKey( char *symmetricKeyName, - PK11SymKey *symKey, - CK_MECHANISM_TYPE derive, - SECItem *sessionKeyShare, - CK_MECHANISM_TYPE target, - CK_ATTRIBUTE_TYPE operation, - int keysize ); - -SECStatus -TKS_StoreSymmetricKeyAndNameIt( char *symmetricKeyName, - char *keyname, - PK11SlotInfo *slot, - CK_ATTRIBUTE_TYPE 
operation, - CK_FLAGS flags, - PK11SymKey *symKey ); - - -/**********/ -/* list.c */ -/**********/ - -SECStatus -TKS_ListKeys( char *progName, - PK11SlotInfo *slot, - char *keyname, - int index, - PRBool dopriv, - secuPWData *pwdata ); - - -/*************/ -/* modules.c */ -/*************/ - -SECStatus -TKS_ListSecModules( void ); - - -/************/ -/* random.c */ -/************/ - -void -TKS_FileForRNG( char *noise ); - -SECStatus -TKS_SeedRNG( char *noise ); - - -/**************/ -/* retrieve.c */ -/**************/ - -PK11SymKey * -TKS_RetrieveSymKey( PK11SlotInfo *slot, - char *keyname, - void *pwdata ); - - -/**********/ -/* util.c */ -/**********/ - -PR_IMPLEMENT( void ) -TKS_ClearScreen(); - -PR_IMPLEMENT( void ) -TKS_WaitForUser(); - -PR_IMPLEMENT( void ) -TKS_TypeProceedToContinue(); - -PR_IMPLEMENT( void ) -TKS_AdjustOddParity( PRUint8 *key ); - -PR_IMPLEMENT( void ) -TKS_StringToHex( PRUint8 *key, - PRIntn len, - PRUint8 *hex_key, - PRIntn hex_len ); - -PR_IMPLEMENT( PRBool ) -TKS_ConvertStringOfHexCharactersIntoBitStream( char* input, - PRIntn input_bytes, - PRUint8* output ); - - -/*************/ -/* version.c */ -/*************/ - -void -TKS_Version( char *progName ); - diff --git a/pki/base/native-tools/src/tkstool/util.c b/pki/base/native-tools/src/tkstool/util.c deleted file mode 100644 index 5fda75f8e..000000000 --- a/pki/base/native-tools/src/tkstool/util.c +++ /dev/null 
@@ -1,640 +0,0 @@ -/* --- BEGIN COPYRIGHT BLOCK --- - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; version 2 of the License. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Copyright (C) 2007 Red Hat, Inc. - * All rights reserved. - * --- END COPYRIGHT BLOCK --- - */ - -#include "tkstool.h" - -static PRBool -IsValidHexCharacter( char byte ) -{ - switch( byte ) - { - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': - case 'a': - case 'A': - case 'b': - case 'B': - case 'c': - case 'C': - case 'd': - case 'D': - case 'e': - case 'E': - case 'f': - case 'F': - { - /* Character may be converted into a hexadecimal number. 
*/ - return PR_TRUE; - } - default: - { - return PR_FALSE; - } - } -} - - -static void -InsertUpperFourBits( char* byte, char bits ) -{ - switch( bits ) - { - case '0': - { - *byte &= ~( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case '1': - { - *byte &= ~( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - case '2': - { - *byte &= ~( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte |= ( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case '3': - { - *byte &= ~( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte |= ( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - case '4': - { - *byte &= ~( 1 << 7 ); - *byte |= ( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case '5': - { - *byte &= ~( 1 << 7 ); - *byte |= ( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - case '6': - { - *byte &= ~( 1 << 7 ); - *byte |= ( 1 << 6 ); - *byte |= ( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case '7': - { - *byte &= ~( 1 << 7 ); - *byte |= ( 1 << 6 ); - *byte |= ( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - case '8': - { - *byte |= ( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case '9': - { - *byte |= ( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - case 'a': - case 'A': - { - *byte |= ( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte |= ( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case 'b': - case 'B': - { - *byte |= ( 1 << 7 ); - *byte &= ~( 1 << 6 ); - *byte |= ( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - case 'c': - case 'C': - { - *byte |= ( 1 << 7 ); - *byte |= ( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case 'd': - case 'D': - { - *byte |= ( 1 << 7 ); - *byte |= ( 1 << 6 ); - *byte &= ~( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - case 'e': - case 'E': - { - *byte |= ( 1 << 7 ); - *byte |= ( 1 << 
6 ); - *byte |= ( 1 << 5 ); - *byte &= ~( 1 << 4 ); - break; - } - case 'f': - case 'F': - { - *byte |= ( 1 << 7 ); - *byte |= ( 1 << 6 ); - *byte |= ( 1 << 5 ); - *byte |= ( 1 << 4 ); - break; - } - } -} - - -static void -InsertLowerFourBits( char* byte, char bits ) -{ - switch( bits ) - { - case '0': - { - *byte &= ~( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte &= ~( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case '1': - { - *byte &= ~( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte &= ~( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - case '2': - { - *byte &= ~( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case '3': - { - *byte &= ~( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - case '4': - { - *byte &= ~( 1 << 3 ); - *byte |= ( 1 << 2 ); - *byte &= ~( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case '5': - { - *byte &= ~( 1 << 3 ); - *byte |= ( 1 << 2 ); - *byte &= ~( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - case '6': - { - *byte &= ~( 1 << 3 ); - *byte |= ( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case '7': - { - *byte &= ~( 1 << 3 ); - *byte |= ( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - case '8': - { - *byte |= ( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte &= ~( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case '9': - { - *byte |= ( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte &= ~( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - case 'a': - case 'A': - { - *byte |= ( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case 'b': - case 'B': - { - *byte |= ( 1 << 3 ); - *byte &= ~( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - case 'c': - case 'C': - { - *byte |= ( 1 << 3 ); - *byte |= ( 1 << 2 ); - *byte &= ~( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case 'd': - case 'D': - { - *byte |= ( 1 << 3 ); - *byte |= ( 1 << 
2 ); - *byte &= ~( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - case 'e': - case 'E': - { - *byte |= ( 1 << 3 ); - *byte |= ( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte &= ~( 1 << 0 ); - break; - } - case 'f': - case 'F': - { - *byte |= ( 1 << 3 ); - *byte |= ( 1 << 2 ); - *byte |= ( 1 << 1 ); - *byte |= ( 1 << 0 ); - break; - } - } -} - - -PR_IMPLEMENT( void ) -TKS_ClearScreen() -{ -#if defined(XP_UNIX) && !defined(VMS) - system( "tput clear" ); -#else - system( "cls" ); -#endif -} - - -PR_IMPLEMENT( void ) -TKS_WaitForUser() -{ - int c; - - PR_fprintf( PR_STDOUT, "\n\n" ); - PR_fprintf( PR_STDOUT, "%s", CONTINUATION_MESSAGE ); -#if defined(VMS) - while((c = GENERIC_GETCHAR_NO_ECHO()) != '\r' && c != EOF && c != CTRL_C ) - ; -#else - while ((c = getc(stdin)) != '\n' && c != EOF && c != CTRL_C ) - ; -#endif - PR_fprintf( PR_STDOUT, "\n" ); -} - - -PR_IMPLEMENT( void ) -TKS_TypeProceedToContinue() -{ - int fd; - int i; - int count; - int c; - int rv = 0; -#ifdef XP_UNIX - cc_t orig_cc_min; - cc_t orig_cc_time; - tcflag_t orig_lflag; - struct termios tio; -#endif - char keystrokes[KEYSTROKES_TO_PROCEED + 1] = "\0\0\0\0\0\0\0\0\0"; - - /* display the continuation message */ - PR_fprintf( PR_STDOUT, "\n\n" ); - PR_fprintf( PR_STDOUT, "%s", PROCEED_MESSAGE ); - - /* turn off echo on stdin & return on 1 char instead of NL */ - fd = fileno( stdin ); - -#if defined( XP_UNIX ) && !defined( VMS ) - tcgetattr( fd, &tio ); - orig_lflag = tio.c_lflag; - orig_cc_min = tio.c_cc[VMIN]; - orig_cc_time = tio.c_cc[VTIME]; - tio.c_lflag &= ~ECHO; - tio.c_lflag &= ~ICANON; - tio.c_cc[VMIN] = 1; - tio.c_cc[VTIME] = 0; - tcsetattr( fd, TCSAFLUSH, &tio ); -#endif - - /* Get user input from keyboard strokes */ - count = 0; - while( count < KEYSTROKES_TO_PROCEED ) { -#ifdef VMS - c = GENERIC_GETCHAR_NOECHO(); -#elif XP_UNIX - c = getc( stdin ); -#else - c = getch(); -#endif - /* break on EOF */ - if( c == EOF ) { - rv = -1; - break; - } - - /* break on ^C */ - if( c == CTRL_C ) { - rv = 
-1; - break; - } - - /* save acceptable characters; silently throw anything else away */ - switch( count ) { - case 0: - switch( c ) { - case 'P': - case 'p': - /* acceptable character; save lowercase version */ - keystrokes[count] = 'p'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - case 1: - switch( c ) { - case 'R': - case 'r': - /* acceptable character; save lowercase version */ - keystrokes[count] = 'r'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - case 2: - switch( c ) { - case 'O': - case 'o': - /* acceptable character; save lowercase version */ - keystrokes[count] = 'o'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - case 3: - switch( c ) { - case 'C': - case 'c': - /* acceptable character; save lowercase version */ - keystrokes[count] = 'c'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - case 4: - switch( c ) { - case 'E': - case 'e': - /* acceptable character; save lowercase version */ - keystrokes[count] = 'e'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - case 5: - switch( c ) { - case 'E': - case 'e': - /* acceptable character; save lowercase version */ - keystrokes[count] = 'e'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - case 6: - switch( c ) { - case 'D': - case 'd': - /* acceptable character; save lowercase version */ - keystrokes[count] = 'd'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - case 7: - switch( c ) { - case '\n': - case '\r': - /* acceptable character; save lowercase version */ - keystrokes[count] = '\n'; - break; - default: - /* unacceptable character; don't save it */ - continue; - } - break; - default: - /* unacceptable character; don't save it */ - continue; - } - - /* adjust the character count 
appropriately */ - count++; - - /* redisplay the message */ - PR_fprintf( PR_STDOUT, "\r%s", PROCEED_MESSAGE ); - - /* display the characters input so far */ - for( i = 0 ; i < count ; i++ ) { - PR_fprintf( PR_STDOUT, - "%c", - keystrokes[i] ); - } - } -} - - -PR_IMPLEMENT( void ) -TKS_AdjustOddParity( PRUint8 *key ) -{ - PRIntn i; - PRIntn j; - PRIntn one; - - /* this must be performed for each DES-sized (8-byte) chunk */ - for( j = 0 ; j < DES_LENGTH ; j++ ) { - for( one = 0, i = key[j] ; i ; i >>= 1 ) { - if( i & 1 ) { - one++; - } - } - - key[j] ^= !( one & 1 ); - } -} - - -PR_IMPLEMENT( void ) -TKS_StringToHex( PRUint8 *key, - PRIntn len, - PRUint8 *hex_key, - PRIntn hex_len ) -{ - PRIntn i; - - for( i = 0 ; i < len ; i++ ) { - ( void ) PR_snprintf( ( char * ) &( hex_key[ ( 2 * i ) ] ), - hex_len, - "%X", - ( key[i] >> 4 ) & 0x0F ); - ( void ) PR_snprintf( ( char * ) &( hex_key[ ( 2 * i ) + 1 ] ), - hex_len, - "%X", - key[i] & 0x0F ); - } - - hex_key[ ( hex_len - 1 ) ] = '\0'; - - return; -} - - -/* Convert a signed character string such as "de43a58f. . ." into an */ -/* unsigned character string which is one/half the size of the input */ -PR_IMPLEMENT( PRBool ) -TKS_ConvertStringOfHexCharactersIntoBitStream( char* input, - PRIntn input_bytes, - PRUint8* output ) -{ - PRIntn i; - PRIntn output_bytes; - - /* Check to be sure that the input string contains an */ - /* "even" number of bytes so that it may be converted. 
*/ - if( input_bytes % 2 ) { - ( void ) PR_fprintf( PR_STDERR, - "ERROR: " - "ConvertStringOfHexCharactersIntoBitStream() " - "contained an illegal " - "input byte length of %d bytes!\r\n", - input_bytes ); - return PR_FALSE; - } - - output_bytes = ( input_bytes / 2 ); - - for( i = 0; i < output_bytes; i++ ) { - if( IsValidHexCharacter( input[ ( 2 * i ) ] ) && - IsValidHexCharacter( input[ ( 2 * i ) + 1 ] ) ) { - InsertUpperFourBits( ( char* ) &( output[i] ), input[ ( 2 * i ) ] ); - InsertLowerFourBits( ( char* ) &( output[i] ), input[ ( 2 * i ) + 1 ] ); - } else { - ( void ) PR_fprintf( PR_STDERR, - "ERROR: " - "ConvertStringOfHexCharactersIntoBitStream() " - "contained a " - "byte in the input string which can not be " - "converted!\r\n" ); - return PR_FALSE; - } - } - - return PR_TRUE; -} - - diff --git a/pki/base/native-tools/src/tkstool/version.c b/pki/base/native-tools/src/tkstool/version.c deleted file mode 100644 index b8d4c5fbb..000000000 --- a/pki/base/native-tools/src/tkstool/version.c +++ /dev/null 
@@ -1,49 +0,0 @@
-/* --- BEGIN COPYRIGHT BLOCK ---
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 of the License.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Copyright (C) 2007 Red Hat, Inc.
- * All rights reserved.
- * --- END COPYRIGHT BLOCK ---
- */
-
-#include "tkstool.h"
-
-void
-TKS_Version( char *progName )
-{
-#if defined(TKSTOOL_VERSION_SUFFIX)
- if( TKSTOOL_VERSION_SUFFIX != NULL &&
- PL_strcmp( TKSTOOL_VERSION_SUFFIX, "" ) != 0 ) {
- PR_fprintf( PR_STDOUT,
- "%s: Version %d.%d %s\n",
- progName,
- TKSTOOL_MAJOR_VERSION_NUMBER,
- TKSTOOL_MINOR_VERSION_NUMBER,
- TKSTOOL_VERSION_SUFFIX );
- } else {
- PR_fprintf( PR_STDOUT,
- "%s: Version %d.%d\n",
- progName,
- TKSTOOL_MAJOR_VERSION_NUMBER,
- TKSTOOL_MINOR_VERSION_NUMBER );
- }
-#else
- PR_fprintf( PR_STDOUT,
- "%s: Version %d.%d\n",
- progName,
- TKSTOOL_MAJOR_VERSION_NUMBER,
- TKSTOOL_MINOR_VERSION_NUMBER );
-#endif
-}
-
|