From dfd7066272fe0fcfeb981c62b4ce447f394b00b2 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 15 Mar 2024 19:37:31 -0500 Subject: [PATCH] Add p12tool The p12tool command has been moved from pki-tools to jss-tools. --- .github/workflows/build-tests.yml | 18 +- CMakeLists.txt | 5 +- azure-pipelines.yml | 17 +- build.sh | 1 + docs/changes/v5.6.0/Packaging-Changes.adoc | 1 + jss.spec | 3 +- tools/CMakeLists.txt | 1 + tools/src/main/native/p12tool/CMakeLists.txt | 29 + tools/src/main/native/p12tool/basicutil.c | 869 ++++ tools/src/main/native/p12tool/basicutil.h | 139 + tools/src/main/native/p12tool/berparse.c | 388 ++ tools/src/main/native/p12tool/derprint.c | 596 +++ tools/src/main/native/p12tool/ffs.c | 21 + tools/src/main/native/p12tool/moreoids.c | 83 + tools/src/main/native/p12tool/p12tool.c | 1230 +++++ tools/src/main/native/p12tool/p12tool.h | 40 + tools/src/main/native/p12tool/pk11table.c | 1517 ++++++ tools/src/main/native/p12tool/pk11table.h | 178 + tools/src/main/native/p12tool/pppolicy.c | 263 + tools/src/main/native/p12tool/secpwd.c | 168 + tools/src/main/native/p12tool/secutil.c | 4736 ++++++++++++++++++ tools/src/main/native/p12tool/secutil.h | 456 ++ tools/src/main/native/sslget/CMakeLists.txt | 2 +- 23 files changed, 10749 insertions(+), 12 deletions(-) create mode 100755 tools/src/main/native/p12tool/CMakeLists.txt create mode 100644 tools/src/main/native/p12tool/basicutil.c create mode 100644 tools/src/main/native/p12tool/basicutil.h create mode 100644 tools/src/main/native/p12tool/berparse.c create mode 100644 tools/src/main/native/p12tool/derprint.c create mode 100644 tools/src/main/native/p12tool/ffs.c create mode 100644 tools/src/main/native/p12tool/moreoids.c create mode 100755 tools/src/main/native/p12tool/p12tool.c create mode 100755 tools/src/main/native/p12tool/p12tool.h create mode 100644 tools/src/main/native/p12tool/pk11table.c create mode 100644 tools/src/main/native/p12tool/pk11table.h create mode 100644 tools/src/main/native/p12tool/pppolicy.c create mode 100644 tools/src/main/native/p12tool/secpwd.c create mode 100644 tools/src/main/native/p12tool/secutil.c create mode 100755 tools/src/main/native/p12tool/secutil.h diff --git a/.github/workflows/build-tests.yml b/.github/workflows/build-tests.yml index ed7b58f11..5f50ec8e9 100644 --- a/.github/workflows/build-tests.yml +++ b/.github/workflows/build-tests.yml @@ -47,11 +47,21 @@ jobs: - name: Install build dependencies run: | apt-get update + + # https://salsa.debian.org/freeipa-team/jss/-/blob/master/debian/control apt-get install -y \ - cmake zip unzip \ - g++ libnss3-dev libnss3-tools \ - openjdk-17-jdk libcommons-lang3-java libslf4j-java \ - junit5 libopentest4j-java maven + cmake \ + g++ \ + junit5 \ + libcommons-lang3-java \ + libnss3-dev \ + libnss3-tools \ + libopentest4j-java \ + libslf4j-java \ + maven \ + openjdk-17-jdk \ + unzip \ + zip - name: Build JSS with CMake run: ./build.sh diff --git a/CMakeLists.txt b/CMakeLists.txt index a5ad09e1b..a90e1bbe3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -89,7 +89,6 @@ if(WITH_TESTS) endif(WITH_TESTS) add_subdirectory(symkey) -add_subdirectory(tools) if(WITH_TESTS) add_subdirectory(tests) @@ -106,9 +105,11 @@ endif(WITH_TESTS) add_custom_target( native ALL - DEPENDS generate_c generate_so symkey_library sslget + DEPENDS generate_c generate_so symkey_library ) +add_subdirectory(tools) + if(WITH_TESTS) add_dependencies(native generate_test_so) endif(WITH_TESTS) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index cd9937404..b4bc55b04 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -75,11 +75,20 @@ jobs: steps: - script: | docker exec -u 0 runner apt-get update + + # https://salsa.debian.org/freeipa-team/jss/-/blob/master/debian/control docker exec -u 0 runner apt-get install -y \ - cmake zip unzip \ - g++ libnss3-dev libnss3-tools \ - openjdk-17-jdk libcommons-lang3-java libslf4j-java \ - junit5 libopentest4j-java + cmake \ + g++ \ + junit5 \ + libcommons-lang3-java \ + libnss3-dev \ + libnss3-tools \ + libopentest4j-java \ + libslf4j-java \ + openjdk-17-jdk \ + unzip \ + zip displayName: Install build dependencies - script: ./build.sh diff --git a/build.sh b/build.sh index 318cf4dcb..b48390c29 100755 --- a/build.sh +++ b/build.sh @@ -459,6 +459,7 @@ if [ "$BUILD_TARGET" = "dist" ] ; then echo "- native binaries:" echo " $WORK_DIR/libjss.so" echo " $WORK_DIR/symkey/libjss-symkey.so" + echo " $WORK_DIR/tools/src/main/native/p12tool/p12tool" echo " $WORK_DIR/tools/src/main/native/sslget/sslget" fi diff --git a/docs/changes/v5.6.0/Packaging-Changes.adoc b/docs/changes/v5.6.0/Packaging-Changes.adoc index 7b9ca2c6d..ab3157265 100644 --- a/docs/changes/v5.6.0/Packaging-Changes.adoc +++ b/docs/changes/v5.6.0/Packaging-Changes.adoc @@ -4,4 +4,5 @@ A new `jss-tools` RPM package has been added to provide tools such as: +* `p12tool` * `sslget` diff --git a/jss.spec b/jss.spec index 62bc55ca1..c257b26c4 100644 --- a/jss.spec +++ b/jss.spec @@ -185,7 +185,7 @@ Provides: jss-tools = %{version}-%{release} Provides: jss-tools = %{major_version}.%{minor_version} Provides: %{product_id}-tools = %{major_version}.%{minor_version} -# The sslget command has been moved from pki-tools into jss-tools. +# Some PKI tools have been moved into jss-tools. Conflicts: pki-tools < 11.6 Conflicts: dogtag-pki-tools < 11.6 @@ -369,6 +369,7 @@ cp base/target/jss-tests.jar %{buildroot}%{_datadir}/jss/tests/lib %files -n %{product_id}-tools ################################################################################ +%{_bindir}/p12tool %{_bindir}/sslget %if %{with javadoc} diff --git a/tools/CMakeLists.txt b/tools/CMakeLists.txt index c138b4fee..cd60f5efc 100644 --- a/tools/CMakeLists.txt +++ b/tools/CMakeLists.txt @@ -1,5 +1,6 @@ project(tools) if(WITH_NATIVE) + add_subdirectory(src/main/native/p12tool) add_subdirectory(src/main/native/sslget) endif(WITH_NATIVE) diff --git a/tools/src/main/native/p12tool/CMakeLists.txt b/tools/src/main/native/p12tool/CMakeLists.txt new file mode 100755 index 000000000..0064d35bf --- /dev/null +++ b/tools/src/main/native/p12tool/CMakeLists.txt @@ -0,0 +1,29 @@ +project(p12tool) + +set(P12TOOL_PRIVATE_INCLUDE_DIRS + ${CMAKE_BINARY_DIR} + ${NSPR_INCLUDE_DIRS} + ${NSS_INCLUDE_DIRS} +) + +set(p12tool_SRCS + basicutil.c + pppolicy.c + secutil.c + secpwd.c + moreoids.c + p12tool.c +) + +include_directories(${P12TOOL_PRIVATE_INCLUDE_DIRS}) + +add_executable(p12tool ${p12tool_SRCS}) +add_dependencies(native p12tool) +target_link_libraries(p12tool smime3 ssl3 nss3 nssutil3 plc4 plds4 nspr4) + +install( + TARGETS p12tool + RUNTIME DESTINATION ${BIN_INSTALL_DIR} + LIBRARY DESTINATION ${LIB_INSTALL_DIR} + ARCHIVE DESTINATION ${LIB_INSTALL_DIR} +) diff --git a/tools/src/main/native/p12tool/basicutil.c b/tools/src/main/native/p12tool/basicutil.c new file mode 100644 index 000000000..476475d90 --- /dev/null +++ b/tools/src/main/native/p12tool/basicutil.c @@ -0,0 +1,869 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* +** secutil.c - various functions used by security stuff +** +*/ + +#include "prtypes.h" +#include "prtime.h" +#include "prlong.h" +#include "prerror.h" +#include "prprf.h" +#include "plgetopt.h" +#include "prenv.h" +#include "prnetdb.h" + +#include "basicutil.h" +#include +#include +#include +#include + +#ifdef XP_UNIX +#include +#endif + +#include "secoid.h" + +extern long DER_GetInteger(const SECItem *src); + +static PRBool wrapEnabled = PR_TRUE; + +void +SECU_EnableWrap(PRBool enable) +{ + wrapEnabled = enable; +} + +PRBool +SECU_GetWrapEnabled(void) +{ + return wrapEnabled; +} + +void +SECU_PrintErrMsg(FILE *out, int level, const char *progName, const char *msg, + ...) +{ + va_list args; + PRErrorCode err = PORT_GetError(); + const char *errString = PORT_ErrorToString(err); + + va_start(args, msg); + + SECU_Indent(out, level); + fprintf(out, "%s: ", progName); + vfprintf(out, msg, args); + if (errString != NULL && PORT_Strlen(errString) > 0) + fprintf(out, ": %s\n", errString); + else + fprintf(out, ": error %d\n", (int)err); + + va_end(args); +} + +void +SECU_PrintError(const char *progName, const char *msg, ...) +{ + va_list args; + PRErrorCode err = PORT_GetError(); + const char *errName = PR_ErrorToName(err); + const char *errString = PR_ErrorToString(err, 0); + + va_start(args, msg); + + fprintf(stderr, "%s: ", progName); + vfprintf(stderr, msg, args); + + if (errName != NULL) { + fprintf(stderr, ": %s", errName); + } else { + fprintf(stderr, ": error %d", (int)err); + } + + if (errString != NULL && PORT_Strlen(errString) > 0) + fprintf(stderr, ": %s\n", errString); + + va_end(args); +} + +void +SECU_PrintSystemError(const char *progName, const char *msg, ...) +{ + va_list args; + + va_start(args, msg); + fprintf(stderr, "%s: ", progName); + vfprintf(stderr, msg, args); + fprintf(stderr, ": %s\n", strerror(errno)); + va_end(args); +} + +SECStatus +secu_StdinToItem(SECItem *dst) +{ + unsigned char buf[1000]; + PRInt32 numBytes; + PRBool notDone = PR_TRUE; + + dst->len = 0; + dst->data = NULL; + + while (notDone) { + numBytes = PR_Read(PR_STDIN, buf, sizeof(buf)); + + if (numBytes < 0) { + return SECFailure; + } + + if (numBytes == 0) + break; + + if (dst->data) { + unsigned char *p = dst->data; + dst->data = (unsigned char *)PORT_Realloc(p, dst->len + numBytes); + if (!dst->data) { + PORT_Free(p); + } + } else { + dst->data = (unsigned char *)PORT_Alloc(numBytes); + } + if (!dst->data) { + return SECFailure; + } + PORT_Memcpy(dst->data + dst->len, buf, numBytes); + dst->len += numBytes; + } + + return SECSuccess; +} + +SECStatus +SECU_FileToItem(SECItem *dst, PRFileDesc *src) +{ + PRFileInfo info; + PRInt32 numBytes; + PRStatus prStatus; + + if (src == PR_STDIN) + return secu_StdinToItem(dst); + + prStatus = PR_GetOpenFileInfo(src, &info); + + if (prStatus != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + + /* XXX workaround for 3.1, not all utils zero dst before sending */ + dst->data = 0; + if (!SECITEM_AllocItem(NULL, dst, info.size)) + goto loser; + + numBytes = PR_Read(src, dst->data, info.size); + if (numBytes != info.size) { + PORT_SetError(SEC_ERROR_IO); + goto loser; + } + + return SECSuccess; +loser: + SECITEM_FreeItem(dst, PR_FALSE); + dst->data = NULL; + return SECFailure; +} + +SECStatus +SECU_TextFileToItem(SECItem *dst, PRFileDesc *src) +{ + PRFileInfo info; + PRInt32 numBytes; + PRStatus prStatus; + unsigned char *buf; + + if (src == PR_STDIN) + return secu_StdinToItem(dst); + + prStatus = PR_GetOpenFileInfo(src, &info); + + if (prStatus != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + + buf = (unsigned char *)PORT_Alloc(info.size); + if (!buf) + return SECFailure; + + numBytes = PR_Read(src, buf, info.size); + if (numBytes != info.size) { + PORT_SetError(SEC_ERROR_IO); + goto loser; + } + + if (buf[numBytes - 1] == '\n') + numBytes--; +#ifdef _WINDOWS + if (buf[numBytes - 1] == '\r') + numBytes--; +#endif + + /* XXX workaround for 3.1, not all utils zero dst before sending */ + dst->data = 0; + if (!SECITEM_AllocItem(NULL, dst, numBytes)) + goto loser; + + memcpy(dst->data, buf, numBytes); + + PORT_Free(buf); + return SECSuccess; +loser: + PORT_Free(buf); + return SECFailure; +} + +#define INDENT_MULT 4 +void +SECU_Indent(FILE *out, int level) +{ + int i; + + for (i = 0; i < level; i++) { + fprintf(out, " "); + } +} + +void +SECU_Newline(FILE *out) +{ + fprintf(out, "\n"); +} + +void +SECU_PrintAsHex(FILE *out, const SECItem *data, const char *m, int level) +{ + unsigned i; + int column = 0; + PRBool isString = PR_TRUE; + PRBool isWhiteSpace = PR_TRUE; + PRBool printedHex = PR_FALSE; + unsigned int limit = 15; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s:", m); + level++; + if (wrapEnabled) + fprintf(out, "\n"); + } + + if (wrapEnabled) { + SECU_Indent(out, level); + column = level * INDENT_MULT; + } + if (!data->len) { + fprintf(out, "(empty)\n"); + return; + } + /* take a pass to see if it's all printable. */ + for (i = 0; i < data->len; i++) { + unsigned char val = data->data[i]; + if (!val || !isprint(val)) { + isString = PR_FALSE; + break; + } + if (isWhiteSpace && !isspace(val)) { + isWhiteSpace = PR_FALSE; + } + } + + /* Short values, such as bit strings (which are printed with this + ** function) often look like strings, but we want to see the bits. + ** so this test assures that short values will be printed in hex, + ** perhaps in addition to being printed as strings. + ** The threshold size (4 bytes) is arbitrary. + */ + if (!isString || data->len <= 4) { + for (i = 0; i < data->len; i++) { + if (i != data->len - 1) { + fprintf(out, "%02x:", data->data[i]); + column += 3; + } else { + fprintf(out, "%02x", data->data[i]); + column += 2; + break; + } + if (wrapEnabled && + (column > 76 || (i % 16 == limit))) { + SECU_Newline(out); + SECU_Indent(out, level); + column = level * INDENT_MULT; + limit = i % 16; + } + } + printedHex = PR_TRUE; + } + if (isString && !isWhiteSpace) { + if (printedHex != PR_FALSE) { + SECU_Newline(out); + SECU_Indent(out, level); + column = level * INDENT_MULT; + } + for (i = 0; i < data->len; i++) { + unsigned char val = data->data[i]; + + if (val) { + fprintf(out, "%c", val); + column++; + } else { + column = 77; + } + if (wrapEnabled && column > 76) { + SECU_Newline(out); + SECU_Indent(out, level); + column = level * INDENT_MULT; + } + } + } + + if (column != level * INDENT_MULT) { + SECU_Newline(out); + } +} + +const char *hex = "0123456789abcdef"; + +const char printable[257] = { + "................" /* 0x */ + "................" /* 1x */ + " !\"#$%&'()*+,-./" /* 2x */ + "0123456789:;<=>?" /* 3x */ + "@ABCDEFGHIJKLMNO" /* 4x */ + "PQRSTUVWXYZ[\\]^_" /* 5x */ + "`abcdefghijklmno" /* 6x */ + "pqrstuvwxyz{|}~." /* 7x */ + "................" /* 8x */ + "................" /* 9x */ + "................" /* ax */ + "................" /* bx */ + "................" /* cx */ + "................" /* dx */ + "................" /* ex */ + "................" /* fx */ +}; + +void +SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len) +{ + const unsigned char *cp = (const unsigned char *)vp; + char buf[80]; + char *bp; + char *ap; + + fprintf(out, "%s [Len: %d]\n", msg, len); + memset(buf, ' ', sizeof buf); + bp = buf; + ap = buf + 50; + while (--len >= 0) { + unsigned char ch = *cp++; + *bp++ = hex[(ch >> 4) & 0xf]; + *bp++ = hex[ch & 0xf]; + *bp++ = ' '; + *ap++ = printable[ch]; + if (ap - buf >= 66) { + *ap = 0; + fprintf(out, " %s\n", buf); + memset(buf, ' ', sizeof buf); + bp = buf; + ap = buf + 50; + } + } + if (bp > buf) { + *ap = 0; + fprintf(out, " %s\n", buf); + } +} + +/* This expents i->data[0] to be the MSB of the integer. +** if you want to print a DER-encoded integer (with the tag and length) +** call SECU_PrintEncodedInteger(); +*/ +void +SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, int level) +{ + int iv; + + if (!i || !i->len || !i->data) { + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: (null)\n", m); + } else { + fprintf(out, "(null)\n"); + } + } else if (i->len > 4) { + SECU_PrintAsHex(out, i, m, level); + } else { + if (i->type == siUnsignedInteger && *i->data & 0x80) { + /* Make sure i->data has zero in the highest bite + * if i->data is an unsigned integer */ + SECItem tmpI; + char data[] = { 0, 0, 0, 0, 0 }; + + PORT_Memcpy(data + 1, i->data, i->len); + tmpI.len = i->len + 1; + tmpI.data = (void *)data; + + iv = DER_GetInteger(&tmpI); + } else { + iv = DER_GetInteger(i); + } + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: %d (0x%x)\n", m, iv, iv); + } else { + fprintf(out, "%d (0x%x)\n", iv, iv); + } + } +} + +#if defined(DEBUG) || defined(FORCE_PR_ASSERT) +/* Returns true iff a[i].flag has a duplicate in a[i+1 : count-1] */ +static PRBool +HasShortDuplicate(int i, secuCommandFlag *a, int count) +{ + char target = a[i].flag; + int j; + + /* duplicate '\0' flags are okay, they are used with long forms */ + for (j = i + 1; j < count; j++) { + if (a[j].flag && a[j].flag == target) { + return PR_TRUE; + } + } + return PR_FALSE; +} + +/* Returns true iff a[i].longform has a duplicate in a[i+1 : count-1] */ +static PRBool +HasLongDuplicate(int i, secuCommandFlag *a, int count) +{ + int j; + char *target = a[i].longform; + + if (!target) + return PR_FALSE; + + for (j = i + 1; j < count; j++) { + if (a[j].longform && strcmp(a[j].longform, target) == 0) { + return PR_TRUE; + } + } + return PR_FALSE; +} + +/* Returns true iff a has no short or long form duplicates + */ +PRBool +HasNoDuplicates(secuCommandFlag *a, int count) +{ + int i; + + for (i = 0; i < count; i++) { + if (a[i].flag && HasShortDuplicate(i, a, count)) { + return PR_FALSE; + } + if (a[i].longform && HasLongDuplicate(i, a, count)) { + return PR_FALSE; + } + } + return PR_TRUE; +} +#endif + +SECStatus +SECU_ParseCommandLine(int argc, char **argv, char *progName, + const secuCommand *cmd) +{ + PRBool found; + PLOptState *optstate; + PLOptStatus status; + char *optstring; + PLLongOpt *longopts = NULL; + int i, j; + int lcmd = 0, lopt = 0; + + PR_ASSERT(HasNoDuplicates(cmd->commands, cmd->numCommands)); + PR_ASSERT(HasNoDuplicates(cmd->options, cmd->numOptions)); + + optstring = (char *)PORT_Alloc(cmd->numCommands + 2 * cmd->numOptions + 1); + if (optstring == NULL) + return SECFailure; + + j = 0; + for (i = 0; i < cmd->numCommands; i++) { + if (cmd->commands[i].flag) /* single character option ? */ + optstring[j++] = cmd->commands[i].flag; + if (cmd->commands[i].longform) + lcmd++; + } + for (i = 0; i < cmd->numOptions; i++) { + if (cmd->options[i].flag) { + optstring[j++] = cmd->options[i].flag; + if (cmd->options[i].needsArg) + optstring[j++] = ':'; + } + if (cmd->options[i].longform) + lopt++; + } + + optstring[j] = '\0'; + + if (lcmd + lopt > 0) { + longopts = PORT_NewArray(PLLongOpt, lcmd + lopt + 1); + if (!longopts) { + PORT_Free(optstring); + return SECFailure; + } + + j = 0; + for (i = 0; j < lcmd && i < cmd->numCommands; i++) { + if (cmd->commands[i].longform) { + longopts[j].longOptName = cmd->commands[i].longform; + longopts[j].longOption = 0; + longopts[j++].valueRequired = cmd->commands[i].needsArg; + } + } + lopt += lcmd; + for (i = 0; j < lopt && i < cmd->numOptions; i++) { + if (cmd->options[i].longform) { + longopts[j].longOptName = cmd->options[i].longform; + longopts[j].longOption = 0; + longopts[j++].valueRequired = cmd->options[i].needsArg; + } + } + longopts[j].longOptName = NULL; + } + + optstate = PL_CreateLongOptState(argc, argv, optstring, longopts); + if (!optstate) { + PORT_Free(optstring); + PORT_Free(longopts); + return SECFailure; + } + /* Parse command line arguments */ + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + const char *optstatelong; + char option = optstate->option; + + /* positional parameter, single-char option or long opt? */ + if (optstate->longOptIndex == -1) { + /* not a long opt */ + if (option == '\0') + continue; /* it's a positional parameter */ + optstatelong = ""; + } else { + /* long opt */ + if (option == '\0') + option = '\377'; /* force unequal with all flags */ + optstatelong = longopts[optstate->longOptIndex].longOptName; + } + + found = PR_FALSE; + + for (i = 0; i < cmd->numCommands; i++) { + if (cmd->commands[i].flag == option || + cmd->commands[i].longform == optstatelong) { + cmd->commands[i].activated = PR_TRUE; + if (optstate->value) { + cmd->commands[i].arg = (char *)optstate->value; + } + found = PR_TRUE; + break; + } + } + + if (found) + continue; + + for (i = 0; i < cmd->numOptions; i++) { + if (cmd->options[i].flag == option || + cmd->options[i].longform == optstatelong) { + cmd->options[i].activated = PR_TRUE; + if (optstate->value) { + cmd->options[i].arg = (char *)optstate->value; + } else if (cmd->options[i].needsArg) { + status = PL_OPT_BAD; + goto loser; + } + found = PR_TRUE; + break; + } + } + + if (!found) { + status = PL_OPT_BAD; + break; + } + } + +loser: + PL_DestroyOptState(optstate); + PORT_Free(optstring); + if (longopts) + PORT_Free(longopts); + if (status == PL_OPT_BAD) + return SECFailure; + return SECSuccess; +} + +char * +SECU_GetOptionArg(const secuCommand *cmd, int optionNum) +{ + if (optionNum < 0 || optionNum >= cmd->numOptions) + return NULL; + if (cmd->options[optionNum].activated) + return PL_strdup(cmd->options[optionNum].arg); + else + return NULL; +} + +void +SECU_PrintPRandOSError(const char *progName) +{ + char buffer[513]; + PRInt32 errLenInt = PR_GetErrorTextLength(); + size_t errLen = errLenInt < 0 ? 0 : (size_t)errLenInt; + if (errLen > 0 && errLen < sizeof buffer) { + PR_GetErrorText(buffer); + } + SECU_PrintError(progName, "function failed"); + if (errLen > 0 && errLen < sizeof buffer) { + PR_fprintf(PR_STDERR, "\t%s\n", buffer); + } +} + +SECOidTag +SECU_StringToSignatureAlgTag(const char *alg) +{ + SECOidTag hashAlgTag = SEC_OID_UNKNOWN; + + if (alg) { + if (!PL_strcmp(alg, "MD2")) { + hashAlgTag = SEC_OID_MD2; + } else if (!PL_strcmp(alg, "MD4")) { + hashAlgTag = SEC_OID_MD4; + } else if (!PL_strcmp(alg, "MD5")) { + hashAlgTag = SEC_OID_MD5; + } else if (!PL_strcmp(alg, "SHA1")) { + hashAlgTag = SEC_OID_SHA1; + } else if (!PL_strcmp(alg, "SHA224")) { + hashAlgTag = SEC_OID_SHA224; + } else if (!PL_strcmp(alg, "SHA256")) { + hashAlgTag = SEC_OID_SHA256; + } else if (!PL_strcmp(alg, "SHA384")) { + hashAlgTag = SEC_OID_SHA384; + } else if (!PL_strcmp(alg, "SHA512")) { + hashAlgTag = SEC_OID_SHA512; + } + } + return hashAlgTag; +} + +/* Caller ensures that dst is at least item->len*2+1 bytes long */ +void +SECU_SECItemToHex(const SECItem *item, char *dst) +{ + if (dst && item && item->data) { + unsigned char *src = item->data; + unsigned int len = item->len; + for (; len > 0; --len, dst += 2) { + sprintf(dst, "%02x", *src++); + } + *dst = '\0'; + } +} + +static unsigned char +nibble(char c) +{ + c = PORT_Tolower(c); + return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1; +} + +SECStatus +SECU_SECItemHexStringToBinary(SECItem *srcdest) +{ + unsigned int i; + + if (!srcdest) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + if (srcdest->len < 4 || (srcdest->len % 2)) { + /* too short to convert, or even number of characters */ + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + if (PORT_Strncasecmp((const char *)srcdest->data, "0x", 2)) { + /* wrong prefix */ + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + /* 1st pass to check for hex characters */ + for (i = 2; i < srcdest->len; i++) { + char c = PORT_Tolower(srcdest->data[i]); + if (!((c >= '0' && c <= '9') || + (c >= 'a' && c <= 'f'))) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + } + + /* 2nd pass to convert */ + for (i = 2; i < srcdest->len; i += 2) { + srcdest->data[(i - 2) / 2] = (nibble(srcdest->data[i]) << 4) + + nibble(srcdest->data[i + 1]); + } + + /* adjust length */ + srcdest->len -= 2; + srcdest->len /= 2; + return SECSuccess; +} + +SECItem * +SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str) +{ + int i = 0; + int byteval = 0; + int tmp = PORT_Strlen(str); + + PORT_Assert(item); + + if ((tmp % 2) != 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + item = SECITEM_AllocItem(arena, item, tmp / 2); + if (item == NULL) { + return NULL; + } + + while (str[i]) { + if ((str[i] >= '0') && (str[i] <= '9')) { + tmp = str[i] - '0'; + } else if ((str[i] >= 'a') && (str[i] <= 'f')) { + tmp = str[i] - 'a' + 10; + } else if ((str[i] >= 'A') && (str[i] <= 'F')) { + tmp = str[i] - 'A' + 10; + } else { + if (!arena) { + SECITEM_FreeItem(item, PR_FALSE); + } + return NULL; + } + + byteval = byteval * 16 + tmp; + if ((i % 2) != 0) { + item->data[i / 2] = byteval; + byteval = 0; + } + i++; + } + + return item; +} + +/* mapping between ECCurveName enum and SECOidTags */ +static SECOidTag ecCurve_oid_map[] = { + SEC_OID_UNKNOWN, /* ECCurve_noName */ + SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */ + SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */ + SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */ + SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */ + SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */ + SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */ + SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */ + SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */ + SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */ + SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */ + SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */ + SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */ + SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */ + SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */ + SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */ + SEC_OID_ANSIX962_EC_PRIME192V2, + SEC_OID_ANSIX962_EC_PRIME192V3, + SEC_OID_ANSIX962_EC_PRIME239V1, + SEC_OID_ANSIX962_EC_PRIME239V2, + SEC_OID_ANSIX962_EC_PRIME239V3, + SEC_OID_ANSIX962_EC_C2PNB163V1, + SEC_OID_ANSIX962_EC_C2PNB163V2, + SEC_OID_ANSIX962_EC_C2PNB163V3, + SEC_OID_ANSIX962_EC_C2PNB176V1, + SEC_OID_ANSIX962_EC_C2TNB191V1, + SEC_OID_ANSIX962_EC_C2TNB191V2, + SEC_OID_ANSIX962_EC_C2TNB191V3, + SEC_OID_ANSIX962_EC_C2PNB208W1, + SEC_OID_ANSIX962_EC_C2TNB239V1, + SEC_OID_ANSIX962_EC_C2TNB239V2, + SEC_OID_ANSIX962_EC_C2TNB239V3, + SEC_OID_ANSIX962_EC_C2PNB272W1, + SEC_OID_ANSIX962_EC_C2PNB304W1, + SEC_OID_ANSIX962_EC_C2TNB359V1, + SEC_OID_ANSIX962_EC_C2PNB368W1, + SEC_OID_ANSIX962_EC_C2TNB431R1, + SEC_OID_SECG_EC_SECP112R1, + SEC_OID_SECG_EC_SECP112R2, + SEC_OID_SECG_EC_SECP128R1, + SEC_OID_SECG_EC_SECP128R2, + SEC_OID_SECG_EC_SECP160K1, + SEC_OID_SECG_EC_SECP160R1, + SEC_OID_SECG_EC_SECP160R2, + SEC_OID_SECG_EC_SECP192K1, + SEC_OID_SECG_EC_SECP224K1, + SEC_OID_SECG_EC_SECP256K1, + SEC_OID_SECG_EC_SECT113R1, + SEC_OID_SECG_EC_SECT113R2, + SEC_OID_SECG_EC_SECT131R1, + SEC_OID_SECG_EC_SECT131R2, + SEC_OID_SECG_EC_SECT163R1, + SEC_OID_SECG_EC_SECT193R1, + SEC_OID_SECG_EC_SECT193R2, + SEC_OID_SECG_EC_SECT239K1, + SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */ + SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */ + SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */ + SEC_OID_CURVE25519, + SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */ +}; + +SECStatus +SECU_ecName2params(ECCurveName curve, SECItem *params) +{ + SECOidData *oidData = NULL; + + if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) || + ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); + return SECFailure; + } + + if (SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len)) == NULL) { + return SECFailure; + } + /* + * params->data needs to contain the ASN encoding of an object ID (OID) + * representing the named curve. The actual OID is in + * oidData->oid.data so we simply prepend 0x06 and OID length + */ + params->data[0] = SEC_ASN1_OBJECT_ID; + params->data[1] = oidData->oid.len; + memcpy(params->data + 2, oidData->oid.data, oidData->oid.len); + + return SECSuccess; +} diff --git a/tools/src/main/native/p12tool/basicutil.h b/tools/src/main/native/p12tool/basicutil.h new file mode 100644 index 000000000..ba76b1798 --- /dev/null +++ b/tools/src/main/native/p12tool/basicutil.h @@ -0,0 +1,139 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _BASIC_UTILS_H_ +#define _BASIC_UTILS_H_ + +#include "seccomon.h" +#include "secitem.h" +#include "secoid.h" +#include "secoidt.h" +#include "secport.h" +#include "prerror.h" +#include "base64.h" +#include "secasn1.h" +#include "secder.h" +#include "ecl-exp.h" +#include + +#ifdef SECUTIL_NEW +typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, + char *msg, int level); +#else +typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level); +#endif + +/* print out an error message */ +extern void SECU_PrintError(const char *progName, const char *msg, ...); + +/* print out a system error message */ +extern void SECU_PrintSystemError(const char *progName, const char *msg, ...); + +/* print a formatted error message */ +extern void SECU_PrintErrMsg(FILE *out, int level, const char *progName, + const char *msg, ...); + +/* Read the contents of a file into a SECItem */ +extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src); +extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src); + +/* Indent based on "level" */ +extern void SECU_Indent(FILE *out, int level); + +/* Print a newline to out */ +extern void SECU_Newline(FILE *out); + +/* Print integer value and hex */ +extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, + int level); + +/* Print SECItem as hex */ +extern void SECU_PrintAsHex(FILE *out, const SECItem *i, const char *m, + int level); + +/* dump a buffer in hex and ASCII */ +extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len); + +/* Dump contents of private key */ +extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level); + +/* Init PKCS11 stuff */ +extern SECStatus SECU_PKCS11Init(PRBool readOnly); + +/* Dump contents of signed data */ +extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, + int level, SECU_PPFunc inner); + +extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m, + int level); +extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level); + +extern void SECU_PrintPRandOSError(const char *progName); + +/* Caller ensures that dst is at least item->len*2+1 bytes long */ +void +SECU_SECItemToHex(const SECItem *item, char *dst); + +/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if + * successful */ +SECStatus +SECU_SECItemHexStringToBinary(SECItem *srcdest); + +/* +** Read a hex string into a SecItem. +*/ +extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, + const char *str); + +extern SECStatus SECU_ecName2params(ECCurveName curve, SECItem *params); + +/* + * + * Utilities for parsing security tools command lines + * + */ + +/* A single command flag */ +typedef struct { + char flag; + PRBool needsArg; + char *arg; + PRBool activated; + char *longform; +} secuCommandFlag; + +/* A full array of command/option flags */ +typedef struct +{ + int numCommands; + int numOptions; + + secuCommandFlag *commands; + secuCommandFlag *options; +} secuCommand; + +/* fill the "arg" and "activated" fields for each flag */ +SECStatus +SECU_ParseCommandLine(int argc, char **argv, char *progName, + const secuCommand *cmd); +char * +SECU_GetOptionArg(const secuCommand *cmd, int optionNum); + +/* + * + * Error messaging + * + */ + +void printflags(char *trusts, unsigned int flags); + +#if !defined(XP_UNIX) && !defined(XP_OS2) +extern int ffs(unsigned int i); +#endif + +#include "secerr.h" + +extern const char *hex; +extern const char printable[]; + +#endif /* _BASIC_UTILS_H_ */ diff --git a/tools/src/main/native/p12tool/berparse.c b/tools/src/main/native/p12tool/berparse.c new file mode 100644 index 000000000..8cd1ebae0 --- /dev/null +++ b/tools/src/main/native/p12tool/berparse.c @@ -0,0 +1,388 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "secutil.h" + +typedef enum { + tagDone, + lengthDone, + leafDone, + compositeDone, + notDone, + parseError, + parseComplete +} ParseState; + +typedef unsigned char Byte; +typedef void (*ParseProc)(BERParse *h, unsigned char **buf, int *len); +typedef struct { + SECArb arb; + int pos; /* length from global start to item start */ + SECArb *parent; +} ParseStackElem; + +struct BERParseStr { + PLArenaPool *his; + PLArenaPool *mine; + ParseProc proc; + int stackDepth; + ParseStackElem *stackPtr; + ParseStackElem *stack; + int pending; /* bytes remaining to complete this part */ + int pos; /* running length of consumed characters */ + ParseState state; + PRBool keepLeaves; + PRBool derOnly; + BERFilterProc filter; + void *filterArg; + BERNotifyProc before; + void *beforeArg; + BERNotifyProc after; + void *afterArg; +}; + +#define UNKNOWN -1 + +static unsigned char +NextChar(BERParse *h, unsigned char **buf, int *len) +{ + unsigned char c = *(*buf)++; + (*len)--; + h->pos++; + if (h->filter) + (*h->filter)(h->filterArg, &c, 1); + return c; +} + +static void +ParseTag(BERParse *h, unsigned char **buf, int *len) +{ + SECArb *arb = &(h->stackPtr->arb); + arb->tag = NextChar(h, buf, len); + + PORT_Assert(h->state == notDone); + + /* + * NOTE: This does not handle the high-tag-number form + */ + if ((arb->tag & DER_HIGH_TAG_NUMBER) == DER_HIGH_TAG_NUMBER) { + PORT_SetError(SEC_ERROR_BAD_DER); + h->state = parseError; + return; + } + + h->pending = UNKNOWN; + arb->length = UNKNOWN; + if (arb->tag & DER_CONSTRUCTED) { + arb->body.cons.numSubs = 0; + arb->body.cons.subs = NULL; + } else { + arb->body.item.len = UNKNOWN; + arb->body.item.data = NULL; + } + + h->state = tagDone; +} + +static void +ParseLength(BERParse *h, unsigned char **buf, int *len) +{ + Byte b; + SECArb *arb = &(h->stackPtr->arb); + + PORT_Assert(h->state == notDone); + + if (h->pending == UNKNOWN) { + b = NextChar(h, buf, len); + if ((b & 0x80) == 0) { /* short form */ + arb->length = b; + /* + * if the tag and the length are both zero bytes, then this + * should be the marker showing end of list for the + * indefinite length composite + */ + if (arb->length == 0 && arb->tag == 0) + h->state = compositeDone; + else + h->state = lengthDone; + return; + } + + h->pending = b & 0x7f; + /* 0 implies this is an indefinite length */ + if (h->pending > 4) { + PORT_SetError(SEC_ERROR_BAD_DER); + h->state = parseError; + return; + } + arb->length = 0; + } + + while ((*len > 0) && (h->pending > 0)) { + b = NextChar(h, buf, len); + arb->length = (arb->length << 8) + b; + h->pending--; + } + if (h->pending == 0) { + if (h->derOnly && (arb->length == 0)) + h->state = parseError; + else + h->state = lengthDone; + } + return; +} + +static void +ParseLeaf(BERParse *h, unsigned char **buf, int *len) +{ + int count; + SECArb *arb = &(h->stackPtr->arb); + + PORT_Assert(h->state == notDone); + PORT_Assert(h->pending >= 0); + + if (*len < h->pending) + count = *len; + else + count = h->pending; + + if (h->keepLeaves) + memcpy(arb->body.item.data + arb->body.item.len, *buf, count); + if (h->filter) + (*h->filter)(h->filterArg, *buf, count); + *buf += count; + *len -= count; + arb->body.item.len += count; + h->pending -= count; + h->pos += count; + if (h->pending == 0) { + h->state = leafDone; + } + return; +} + +static void +CreateArbNode(BERParse *h) +{ + SECArb *arb = PORT_ArenaAlloc(h->his, sizeof(SECArb)); + + *arb = h->stackPtr->arb; + + /* + * Special case closing the root + */ + if (h->stackPtr == h->stack) { + PORT_Assert(arb->tag & DER_CONSTRUCTED); + h->state = parseComplete; + } else { + SECArb *parent = h->stackPtr->parent; + parent->body.cons.subs = DS_ArenaGrow( + h->his, parent->body.cons.subs, + (parent->body.cons.numSubs) * sizeof(SECArb *), + (parent->body.cons.numSubs + 1) * sizeof(SECArb *)); + parent->body.cons.subs[parent->body.cons.numSubs] = arb; + parent->body.cons.numSubs++; + h->proc = ParseTag; + h->state = notDone; + h->pending = UNKNOWN; + } + if (h->after) + (*h->after)(h->afterArg, arb, h->stackPtr - h->stack, PR_FALSE); +} + +SECStatus +BER_ParseSome(BERParse *h, unsigned char *buf, int len) +{ + if (h->state == parseError) + return PR_TRUE; + + while (len) { + (*h->proc)(h, &buf, &len); + if (h->state == parseComplete) { + PORT_SetError(SEC_ERROR_BAD_DER); + h->state = parseError; + return PR_TRUE; + } + if (h->state == parseError) + return PR_TRUE; + PORT_Assert(h->state != parseComplete); + + if (h->state <= compositeDone) { + if (h->proc == ParseTag) { + PORT_Assert(h->state == tagDone); + h->proc = ParseLength; + h->state = notDone; + } else if (h->proc == ParseLength) { + SECArb *arb = &(h->stackPtr->arb); + PORT_Assert(h->state == lengthDone || h->state == compositeDone); + + if (h->before) + (*h->before)(h->beforeArg, arb, + h->stackPtr - h->stack, PR_TRUE); + + /* + * Check to see if this is the end of an indefinite + * length composite + */ + if (h->state == compositeDone) { + SECArb *parent = h->stackPtr->parent; + PORT_Assert(parent); + PORT_Assert(parent->tag & DER_CONSTRUCTED); + if (parent->length != 0) { + PORT_SetError(SEC_ERROR_BAD_DER); + h->state = parseError; + return PR_TRUE; + } + /* + * NOTE: This does not check for an indefinite length + * composite being contained inside a definite length + * composite. It is not clear that is legal. + */ + h->stackPtr--; + CreateArbNode(h); + } else { + h->stackPtr->pos = h->pos; + + if (arb->tag & DER_CONSTRUCTED) { + SECArb *parent; + /* + * Make sure there is room on the stack before we + * stick anything else there. + */ + PORT_Assert(h->stackPtr - h->stack < h->stackDepth); + if (h->stackPtr - h->stack == h->stackDepth - 1) { + int newDepth = h->stackDepth * 2; + h->stack = DS_ArenaGrow(h->mine, h->stack, + sizeof(ParseStackElem) * + h->stackDepth, + sizeof(ParseStackElem) * + newDepth); + h->stackPtr = h->stack + h->stackDepth + 1; + h->stackDepth = newDepth; + } + parent = &(h->stackPtr->arb); + h->stackPtr++; + h->stackPtr->parent = parent; + h->proc = ParseTag; + h->state = notDone; + h->pending = UNKNOWN; + } else { + if (arb->length < 0) { + PORT_SetError(SEC_ERROR_BAD_DER); + h->state = parseError; + return PR_TRUE; + } + arb->body.item.len = 0; + if (arb->length > 0 && h->keepLeaves) { + arb->body.item.data = + PORT_ArenaAlloc(h->his, arb->length); + } else { + arb->body.item.data = NULL; + } + h->proc = ParseLeaf; + h->state = notDone; + h->pending = arb->length; + } + } + } else { + ParseStackElem *parent; + PORT_Assert(h->state = leafDone); + PORT_Assert(h->proc == ParseLeaf); + + for (;;) { + CreateArbNode(h); + if (h->stackPtr == h->stack) + break; + parent = (h->stackPtr - 1); + PORT_Assert(parent->arb.tag & DER_CONSTRUCTED); + if (parent->arb.length == 0) /* need explicit end */ + break; + if (parent->pos + parent->arb.length > h->pos) + break; + if (parent->pos + parent->arb.length < h->pos) { + PORT_SetError(SEC_ERROR_BAD_DER); + h->state = parseError; + return PR_TRUE; + } + h->stackPtr = parent; + } + } + } + } + return PR_FALSE; +} +BERParse * +BER_ParseInit(PLArenaPool *arena, PRBool derOnly) +{ + BERParse *h; + PLArenaPool *temp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (temp == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + h = PORT_ArenaAlloc(temp, sizeof(BERParse)); + if (h == NULL) { + PORT_FreeArena(temp, PR_FALSE); + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + h->his = arena; + h->mine = temp; + h->proc = ParseTag; + h->stackDepth = 20; + h->stack = PORT_ArenaZAlloc(h->mine, + sizeof(ParseStackElem) * h->stackDepth); + h->stackPtr = h->stack; + h->state = notDone; + h->pos = 0; + h->keepLeaves = PR_TRUE; + h->before = NULL; + h->after = NULL; + h->filter = NULL; + h->derOnly = derOnly; + return h; +} + +SECArb * +BER_ParseFini(BERParse *h) +{ + PLArenaPool *myArena = h->mine; + SECArb *arb; + + if (h->state != parseComplete) { + arb = NULL; + } else { + arb = PORT_ArenaAlloc(h->his, sizeof(SECArb)); + *arb = h->stackPtr->arb; + } + + PORT_FreeArena(myArena, PR_FALSE); + + return arb; +} + +void +BER_SetFilter(BERParse *h, BERFilterProc proc, void *instance) +{ + h->filter = proc; + h->filterArg = instance; +} + +void +BER_SetLeafStorage(BERParse *h, PRBool keep) +{ + h->keepLeaves = keep; +} + +void +BER_SetNotifyProc(BERParse *h, BERNotifyProc proc, void *instance, + PRBool beforeData) +{ + if (beforeData) { + h->before = proc; + h->beforeArg = instance; + } else { + h->after = proc; + h->afterArg = instance; + } +} diff --git a/tools/src/main/native/p12tool/derprint.c b/tools/src/main/native/p12tool/derprint.c new file mode 100644 index 000000000..b86179e30 --- /dev/null +++ b/tools/src/main/native/p12tool/derprint.c @@ -0,0 +1,596 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "secutil.h" +#include "secoid.h" + +#include + +#ifdef __sun +extern int fprintf(FILE *strm, const char *format, ... /* args */); +extern int fflush(FILE *stream); +#endif + +#define RIGHT_MARGIN 24 +/*#define RAW_BYTES 1 */ + +static int prettyColumn = 0; + +static int +getInteger256(const unsigned char *data, unsigned int nb) +{ + int val; + + switch (nb) { + case 1: + val = data[0]; + break; + case 2: + val = (data[0] << 8) | data[1]; + break; + case 3: + val = (data[0] << 16) | (data[1] << 8) | data[2]; + break; + case 4: + /* If the most significant bit of data[0] is 1, val would be negative. + * Treat it as an error. + */ + if (data[0] & 0x80) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + val = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + break; + default: + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + + return val; +} + +static int +prettyNewline(FILE *out) +{ + int rv; + + if (prettyColumn != -1) { + rv = fprintf(out, "\n"); + prettyColumn = -1; + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + } + return 0; +} + +static int +prettyIndent(FILE *out, unsigned level) +{ + unsigned int i; + int rv; + + if (prettyColumn == -1) { + prettyColumn = level; + for (i = 0; i < level; i++) { + rv = fprintf(out, " "); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + } + } + + return 0; +} + +static int +prettyPrintByte(FILE *out, unsigned char item, unsigned int level) +{ + int rv; + + rv = prettyIndent(out, level); + if (rv < 0) + return rv; + + rv = fprintf(out, "%02x ", item); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + prettyColumn++; + if (prettyColumn >= RIGHT_MARGIN) { + return prettyNewline(out); + } + + return 0; +} + +static int +prettyPrintLeaf(FILE *out, const unsigned char *data, + unsigned int len, unsigned int lv) +{ + unsigned int i; + int rv; + + for (i = 0; i < len; i++) { + rv = prettyPrintByte(out, *data++, lv); + if (rv < 0) + return rv; + } + return prettyNewline(out); +} + +static int +prettyPrintStringStart(FILE *out, const unsigned char *str, + unsigned int len, unsigned int level) +{ +#define BUF_SIZE 100 + unsigned char buf[BUF_SIZE]; + int rv; + + if (len >= BUF_SIZE) + len = BUF_SIZE - 1; + + rv = prettyNewline(out); + if (rv < 0) + return rv; + + rv = prettyIndent(out, level); + if (rv < 0) + return rv; + + memcpy(buf, str, len); + buf[len] = '\000'; + + rv = fprintf(out, "\"%s\"", buf); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + return 0; +#undef BUF_SIZE +} + +static int +prettyPrintString(FILE *out, const unsigned char *str, + unsigned int len, unsigned int level, PRBool raw) +{ + int rv; + + rv = prettyPrintStringStart(out, str, len, level); + if (rv < 0) + return rv; + + rv = prettyNewline(out); + if (rv < 0) + return rv; + + if (raw) { + rv = prettyPrintLeaf(out, str, len, level); + if (rv < 0) + return rv; + } + + return 0; +} + +static int +prettyPrintTime(FILE *out, const unsigned char *str, + unsigned int len, unsigned int level, PRBool raw, PRBool utc) +{ + SECItem time_item; + int rv; + + rv = prettyPrintStringStart(out, str, len, level); + if (rv < 0) + return rv; + + time_item.data = (unsigned char *)str; + time_item.len = len; + + rv = fprintf(out, " ("); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + if (utc) + SECU_PrintUTCTime(out, &time_item, NULL, 0); + else + SECU_PrintGeneralizedTime(out, &time_item, NULL, 0); + + rv = fprintf(out, ")"); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + rv = prettyNewline(out); + if (rv < 0) + return rv; + + if (raw) { + rv = prettyPrintLeaf(out, str, len, level); + if (rv < 0) + return rv; + } + + return 0; +} + +static int +prettyPrintObjectID(FILE *out, const unsigned char *data, + unsigned int len, unsigned int level, PRBool raw) +{ + SECOidData *oiddata; + SECItem oiditem; + unsigned int i; + unsigned long val; + int rv; + + /* + * First print the Object Id in numeric format + */ + + rv = prettyIndent(out, level); + if (rv < 0) + return rv; + + if (len == 0) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + val = data[0]; + i = val % 40; + val = val / 40; + rv = fprintf(out, "%lu %u ", val, i); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + val = 0; + for (i = 1; i < len; ++i) { + unsigned long j; + + j = data[i]; + val = (val << 7) | (j & 0x7f); + if (j & 0x80) + continue; + rv = fprintf(out, "%lu ", val); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + val = 0; + } + + /* + * Now try to look it up and print a symbolic version. + */ + oiditem.data = (unsigned char *)data; + oiditem.len = len; + oiddata = SECOID_FindOID(&oiditem); + if (oiddata != NULL) { + i = PORT_Strlen(oiddata->desc); + if ((prettyColumn + 1 + (i / 3)) > RIGHT_MARGIN) { + rv = prettyNewline(out); + if (rv < 0) + return rv; + } + + rv = prettyIndent(out, level); + if (rv < 0) + return rv; + + rv = fprintf(out, "(%s)", oiddata->desc); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + } + + rv = prettyNewline(out); + if (rv < 0) + return rv; + + if (raw) { + rv = prettyPrintLeaf(out, data, len, level); + if (rv < 0) + return rv; + } + + return 0; +} + +static char *prettyTagType[32] = { + "End of Contents", + "Boolean", + "Integer", + "Bit String", + "Octet String", + "NULL", + "Object Identifier", + "0x07", + "0x08", + "0x09", + "Enumerated", + "0x0B", + "UTF8 String", + "0x0D", + "0x0E", + "0x0F", + "Sequence", + "Set", + "0x12", + "Printable String", + "T61 String", + "0x15", + "IA5 String", + "UTC Time", + "Generalized Time", + "0x19", + "Visible String", + "0x1B", + "Universal String", + "0x1D", + "BMP String", + "High-Tag-Number" +}; + +static int +prettyPrintTag(FILE *out, const unsigned char *src, const unsigned char *end, + unsigned char *codep, unsigned int level, PRBool raw) +{ + int rv; + unsigned char code, tagnum; + + if (src >= end) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + + code = *src; + tagnum = code & SEC_ASN1_TAGNUM_MASK; + + /* + * NOTE: This code does not (yet) handle the high-tag-number form! + */ + if (tagnum == SEC_ASN1_HIGH_TAG_NUMBER) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + + if (raw) + rv = prettyPrintByte(out, code, level); + else + rv = prettyIndent(out, level); + + if (rv < 0) + return rv; + + if (code & SEC_ASN1_CONSTRUCTED) { + rv = fprintf(out, "C-"); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + } + + switch (code & SEC_ASN1_CLASS_MASK) { + case SEC_ASN1_UNIVERSAL: + rv = fprintf(out, "%s ", prettyTagType[tagnum]); + break; + case SEC_ASN1_APPLICATION: + rv = fprintf(out, "Application: %d ", tagnum); + break; + case SEC_ASN1_CONTEXT_SPECIFIC: + rv = fprintf(out, "[%d] ", tagnum); + break; + case SEC_ASN1_PRIVATE: + rv = fprintf(out, "Private: %d ", tagnum); + break; + } + + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + *codep = code; + + return 1; +} + +static int +prettyPrintLength(FILE *out, const unsigned char *data, const unsigned char *end, + int *lenp, PRBool *indefinitep, unsigned int lv, PRBool raw) +{ + unsigned char lbyte; + int lenLen; + int rv; + + if (data >= end) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + + rv = fprintf(out, " "); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + *indefinitep = PR_FALSE; + + lbyte = *data++; + lenLen = 1; + if (lbyte >= 0x80) { + /* Multibyte length */ + unsigned nb = (unsigned)(lbyte & 0x7f); + if (nb > 4) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + if (nb > 0) { + int il; + + if ((data + nb) > end) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + il = getInteger256(data, nb); + if (il < 0) + return -1; + *lenp = (unsigned)il; + } else { + *lenp = 0; + *indefinitep = PR_TRUE; + } + lenLen += nb; + if (raw) { + unsigned int i; + + rv = prettyPrintByte(out, lbyte, lv); + if (rv < 0) + return rv; + for (i = 0; i < nb; i++) { + rv = prettyPrintByte(out, data[i], lv); + if (rv < 0) + return rv; + } + } + } else { + *lenp = lbyte; + if (raw) { + rv = prettyPrintByte(out, lbyte, lv); + if (rv < 0) + return rv; + } + } + if (*indefinitep) + rv = fprintf(out, "(indefinite)\n"); + else + rv = fprintf(out, "(%d)\n", *lenp); + if (rv < 0) { + PORT_SetError(SEC_ERROR_IO); + return rv; + } + + prettyColumn = -1; + return lenLen; +} + +static int +prettyPrintItem(FILE *out, const unsigned char *data, const unsigned char *end, + unsigned int lv, PRBool raw) +{ + int slen; + int lenLen; + const unsigned char *orig = data; + int rv; + + while (data < end) { + unsigned char code; + PRBool indefinite; + + slen = prettyPrintTag(out, data, end, &code, lv, raw); + if (slen < 0) + return slen; + data += slen; + + lenLen = prettyPrintLength(out, data, end, &slen, &indefinite, lv, raw); + if (lenLen < 0) + return lenLen; + data += lenLen; + + /* + * Just quit now if slen more bytes puts us off the end. + */ + if (data > end || slen > (end - data)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + + if (code & SEC_ASN1_CONSTRUCTED) { + if (slen > 0 || indefinite) { + slen = prettyPrintItem(out, data, + slen == 0 ? end : data + slen, + lv + 1, raw); + if (slen < 0) + return slen; + data += slen; + } + } else if (code == 0) { + if (slen != 0 || lenLen != 1) { + PORT_SetError(SEC_ERROR_BAD_DER); + return -1; + } + break; + } else { + switch (code) { + case SEC_ASN1_PRINTABLE_STRING: + case SEC_ASN1_IA5_STRING: + case SEC_ASN1_VISIBLE_STRING: + rv = prettyPrintString(out, data, slen, lv + 1, raw); + if (rv < 0) + return rv; + break; + case SEC_ASN1_UTC_TIME: + rv = prettyPrintTime(out, data, slen, lv + 1, raw, PR_TRUE); + if (rv < 0) + return rv; + break; + case SEC_ASN1_GENERALIZED_TIME: + rv = prettyPrintTime(out, data, slen, lv + 1, raw, PR_FALSE); + if (rv < 0) + return rv; + break; + case SEC_ASN1_OBJECT_ID: + rv = prettyPrintObjectID(out, data, slen, lv + 1, raw); + if (rv < 0) + return rv; + break; + case SEC_ASN1_BOOLEAN: /* could do nicer job */ + case SEC_ASN1_INTEGER: /* could do nicer job */ + case SEC_ASN1_BIT_STRING: /* could do nicer job */ + case SEC_ASN1_OCTET_STRING: + case SEC_ASN1_NULL: + case SEC_ASN1_ENUMERATED: /* could do nicer job, as INTEGER */ + case SEC_ASN1_UTF8_STRING: + case SEC_ASN1_T61_STRING: /* print as printable string? */ + case SEC_ASN1_UNIVERSAL_STRING: + case SEC_ASN1_BMP_STRING: + default: + rv = prettyPrintLeaf(out, data, slen, lv + 1); + if (rv < 0) + return rv; + break; + } + data += slen; + } + } + + rv = prettyNewline(out); + if (rv < 0) + return rv; + + return data - orig; +} + +SECStatus +DER_PrettyPrint(FILE *out, const SECItem *it, PRBool raw) +{ + int rv; + + prettyColumn = -1; + + rv = prettyPrintItem(out, it->data, it->data + it->len, 0, raw); + if (rv < 0) + return SECFailure; + return SECSuccess; +} diff --git a/tools/src/main/native/p12tool/ffs.c b/tools/src/main/native/p12tool/ffs.c new file mode 100644 index 000000000..d1cbf67e2 --- /dev/null +++ b/tools/src/main/native/p12tool/ffs.c @@ -0,0 +1,21 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#if !defined(XP_UNIX) && !defined(XP_OS2) + +int +ffs(unsigned int i) +{ + int rv = 1; + + if (!i) + return 0; + + while (!(i & 1)) { + i >>= 1; + ++rv; + } + + return rv; +} +#endif diff --git a/tools/src/main/native/p12tool/moreoids.c b/tools/src/main/native/p12tool/moreoids.c new file mode 100644 index 000000000..f21a00b61 --- /dev/null +++ b/tools/src/main/native/p12tool/moreoids.c @@ -0,0 +1,83 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "secoid.h" +#include "secmodt.h" /* for CKM_INVALID_MECHANISM */ + +#define OI(x) \ + { \ + siDEROID, (unsigned char *)x, sizeof x \ + } +#define OD(oid, tag, desc, mech, ext) \ + { \ + OI(oid) \ + , tag, desc, mech, ext \ + } +#define ODN(oid, desc) \ + { \ + OI(oid) \ + , 0, desc, CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION \ + } + +#define OIDT static const unsigned char + + +/* USGov algorithm OID space: { 2 16 840 1 101 } */ +#define USGOV 0x60, 0x86, 0x48, 0x01, 0x65 +#define NISTALGS USGOV, 3, 4 +#define AES NISTALGS, 1 + +/* AES_KEY_WRAP_KWP oids */ + +OIDT aes128_KEY_WRAP_KWP[] = { AES, 8 }; +OIDT aes192_KEY_WRAP_KWP[] = { AES, 28 }; +OIDT aes256_KEY_WRAP_KWP[] = { AES, 48 }; + +/* ------------------------------------------------------------------- */ +static const SECOidData oids[] = { + /* AES_KEY_WRAP_KWP oids */ + + OD(aes128_KEY_WRAP_KWP,0,"AES-128 Key Wrap Kwp", CKM_AES_KEY_WRAP_KWP, INVALID_CERT_EXTENSION), + OD(aes192_KEY_WRAP_KWP,0,"AES-192 Key Wrap Kwp", CKM_AES_KEY_WRAP_KWP, INVALID_CERT_EXTENSION), + OD(aes256_KEY_WRAP_KWP,0,"AES-256 Key Wrap Kwp", CKM_AES_KEY_WRAP_KWP, INVALID_CERT_EXTENSION), + +}; + +static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]); + +static SECOidTag newOIDTags[3]; +/* Fetch and register an oid if it hasn't been done already */ +void +SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src) +{ + if (*data == SEC_OID_UNKNOWN) { + /* AddEntry does the right thing if someone else has already + * added the oid. (that is return that oid tag) */ + *data = SECOID_AddEntry(src); + } +} + +SECOidTag SECU_GetNewTagFromOffset(unsigned int offset) { + if(offset >= numOids) { + return SEC_OID_UNKNOWN; + } + return newOIDTags[offset]; +} + +SECStatus +SECU_RegisterDynamicOids(void) +{ + unsigned int i; + SECStatus rv = SECSuccess; + + for (i = 0; i < numOids; ++i) { + SECOidTag tag = SECOID_AddEntry(&oids[i]); + if (tag == SEC_OID_UNKNOWN) { + rv = SECFailure; + } else { + newOIDTags[i] = tag; + } + } + return rv; +} diff --git a/tools/src/main/native/p12tool/p12tool.c b/tools/src/main/native/p12tool/p12tool.c new file mode 100755 index 000000000..72a326163 --- /dev/null +++ b/tools/src/main/native/p12tool/p12tool.c @@ -0,0 +1,1230 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This file and the rest of this tool is heavily based on the nss + * tool "pk12util". This file is from: cmd/pk12util/pk12util.c, in + * the nss source tree. + * + * The new file: moreoids.c was added to support new. AES_KEY_WRAP_KWP oids. + * This file p12tools.c has been modifed to call SECU_RegisterDynamicOids() provided in moreoids.c, + * which actually registers these new OIDS dynamically into nss. + */ + +#ifdef _CRTDBG_MAP_ALLOC +#include +#include +#endif + +#include "nspr.h" +#include "secutil.h" +#include "pk11func.h" +#include "pkcs12.h" +#include "p12plcy.h" +#include "p12tool.h" +#include "nss.h" +#include "secport.h" +#include "secpkcs5.h" +#include "sechash.h" +#include "certdb.h" + +#define PKCS12_IN_BUFFER_SIZE 200 + +#define MAX_WRAPPED_KEY_LEN 4096 + + +static char *progName; +PRBool pk12_debugging = PR_FALSE; +PRBool dumpRawFile; +static PRBool pk12uForceUnicode; + +PRIntn pk12uErrno = 0; + +static void +Usage() +{ +#define FPS PR_fprintf(PR_STDERR, + FPS "Usage: %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n", + progName); + FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); + FPS "\t\t [-v]\n"); + + FPS "Usage: %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n", + progName); + FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); + FPS "\t\t [-v]\n"); + + FPS "Usage: %s -o exportfile -n certname [-d certdir] [-P dbprefix]\n", + progName); + FPS "\t\t [-c key_cipher] [-C cert_cipher] [-M mac_alg]\n" + "\t\t [-m | --key_len keyLen] [--cert_key_len certKeyLen] [-v]\n"); + FPS "\t\t [-k slotpwfile | -K slotpw]\n" + "\t\t [-w p12filepwfile | -W p12filepw]\n"); + + exit(PK12UERR_USAGE); +} + +static PRBool +p12u_OpenFile(p12uContext *p12cxt, PRBool fileRead) +{ + if (!p12cxt || !p12cxt->filename) { + return PR_FALSE; + } + + if (fileRead) { + p12cxt->file = PR_Open(p12cxt->filename, + PR_RDONLY, 0400); + } else { + p12cxt->file = PR_Open(p12cxt->filename, + PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, + 0600); + } + + if (!p12cxt->file) { + p12cxt->error = PR_TRUE; + return PR_FALSE; + } + + return PR_TRUE; +} + +static void +p12u_DestroyContext(p12uContext **ppCtx, PRBool removeFile) +{ + if (!ppCtx || !(*ppCtx)) { + return; + } + + if ((*ppCtx)->file != NULL) { + PR_Close((*ppCtx)->file); + } + + if ((*ppCtx)->filename != NULL) { + if (removeFile) { + PR_Delete((*ppCtx)->filename); + } + PL_strfree((*ppCtx)->filename); + (*ppCtx)->filename = NULL; + } + + PR_Free(*ppCtx); + *ppCtx = NULL; +} + +static p12uContext * +p12u_InitContext(PRBool fileImport, char *filename) +{ + p12uContext *p12cxt; + + p12cxt = PORT_ZNew(p12uContext); + if (!p12cxt) { + return NULL; + } + + p12cxt->error = PR_FALSE; + p12cxt->errorValue = 0; + p12cxt->filename = PL_strdup(filename); + + if (!p12u_OpenFile(p12cxt, fileImport)) { + p12u_DestroyContext(&p12cxt, PR_FALSE); + return NULL; + } + + return p12cxt; +} + +SECItem * +P12U_NicknameCollisionCallback(SECItem *old_nick, PRBool *cancel, void *wincx) +{ + char *nick = NULL; + SECItem *ret_nick = NULL; + CERTCertificate *cert = (CERTCertificate *)wincx; + + if (!cancel || !cert) { + pk12uErrno = PK12UERR_USER_CANCELLED; + return NULL; + } + + if (!old_nick) + fprintf(stdout, "pk12util: no nickname for cert in PKCS12 file.\n"); + +#if 0 + /* XXX not handled yet */ + *cancel = PR_TRUE; + return NULL; + +#else + + nick = CERT_MakeCANickname(cert); + if (!nick) { + return NULL; + } + + if (old_nick && old_nick->data && old_nick->len && + PORT_Strlen(nick) == old_nick->len && + !PORT_Strncmp((char *)old_nick->data, nick, old_nick->len)) { + PORT_Free(nick); + PORT_SetError(SEC_ERROR_IO); + return NULL; + } + + fprintf(stdout, "pk12util: using nickname: %s\n", nick); + ret_nick = PORT_ZNew(SECItem); + if (ret_nick == NULL) { + PORT_Free(nick); + return NULL; + } + + ret_nick->data = (unsigned char *)nick; + ret_nick->len = PORT_Strlen(nick); + + return ret_nick; +#endif +} + +static SECStatus +p12u_SwapUnicodeBytes(SECItem *uniItem) +{ + unsigned int i; + unsigned char a; + if ((uniItem == NULL) || (uniItem->len % 2)) { + return SECFailure; + } + for (i = 0; i < uniItem->len; i += 2) { + a = uniItem->data[i]; + uniItem->data[i] = uniItem->data[i + 1]; + uniItem->data[i + 1] = a; + } + return SECSuccess; +} + +static PRBool +p12u_ucs2_ascii_conversion_function(PRBool toUnicode, + unsigned char *inBuf, + unsigned int inBufLen, + unsigned char *outBuf, + unsigned int maxOutBufLen, + unsigned int *outBufLen, + PRBool swapBytes) +{ + SECItem it = { 0 }; + SECItem *dup = NULL; + PRBool ret; + +#ifdef DEBUG_CONVERSION + if (pk12_debugging) { + int i; + printf("Converted from:\n"); + for (i = 0; i < inBufLen; i++) { + printf("%2x ", inBuf[i]); + /*if (i%60 == 0) printf("\n");*/ + } + printf("\n"); + } +#endif + it.data = inBuf; + it.len = inBufLen; + dup = SECITEM_DupItem(&it); + if (!dup) { + return PR_FALSE; + } + /* If converting Unicode to ASCII, swap bytes before conversion + * as neccessary. + */ + if (!toUnicode && swapBytes) { + if (p12u_SwapUnicodeBytes(dup) != SECSuccess) { + SECITEM_ZfreeItem(dup, PR_TRUE); + return PR_FALSE; + } + } + /* Perform the conversion. */ + ret = PORT_UCS2_UTF8Conversion(toUnicode, dup->data, dup->len, + outBuf, maxOutBufLen, outBufLen); + SECITEM_ZfreeItem(dup, PR_TRUE); + +#ifdef DEBUG_CONVERSION + if (pk12_debugging) { + int i; + printf("Converted to:\n"); + for (i = 0; i < *outBufLen; i++) { + printf("%2x ", outBuf[i]); + /*if (i%60 == 0) printf("\n");*/ + } + printf("\n"); + } +#endif + return ret; +} + +SECStatus +P12U_UnicodeConversion(PLArenaPool *arena, SECItem *dest, SECItem *src, + PRBool toUnicode, PRBool swapBytes) +{ + unsigned int allocLen; + if (!dest || !src) { + return SECFailure; + } + allocLen = ((toUnicode) ? (src->len << 2) : src->len); + if (arena) { + dest->data = PORT_ArenaZAlloc(arena, allocLen); + } else { + dest->data = PORT_ZAlloc(allocLen); + } + if (PORT_UCS2_ASCIIConversion(toUnicode, src->data, src->len, + dest->data, allocLen, &dest->len, + swapBytes) == PR_FALSE) { + if (!arena) { + PORT_Free(dest->data); + } + dest->data = NULL; + return SECFailure; + } + return SECSuccess; +} + +/* + * + */ +SECItem * +P12U_GetP12FilePassword(PRBool confirmPw, secuPWData *p12FilePw) +{ + char *p0 = NULL; + SECItem *pwItem = NULL; + + if (p12FilePw == NULL || p12FilePw->source == PW_NONE) { + char *p1 = NULL; + int rc; + for (;;) { + p0 = SECU_GetPasswordString(NULL, + "Enter password for PKCS12 file: "); + if (!confirmPw || p0 == NULL) + break; + p1 = SECU_GetPasswordString(NULL, "Re-enter password: "); + if (p1 == NULL) { + PORT_ZFree(p0, PL_strlen(p0)); + p0 = NULL; + break; + } + rc = PL_strcmp(p0, p1); + PORT_ZFree(p1, PL_strlen(p1)); + if (rc == 0) + break; + PORT_ZFree(p0, PL_strlen(p0)); + } + } else if (p12FilePw->source == PW_FROMFILE) { + p0 = SECU_FilePasswd(NULL, PR_FALSE, p12FilePw->data); + } else { /* Plaintext */ + p0 = PORT_Strdup(p12FilePw->data); + } + + if (p0 == NULL) { + return NULL; + } + pwItem = SECITEM_AllocItem(NULL, NULL, PL_strlen(p0) + 1); + memcpy(pwItem->data, p0, pwItem->len); + + PORT_ZFree(p0, PL_strlen(p0)); + + return pwItem; +} + +SECStatus +P12U_InitSlot(PK11SlotInfo *slot, secuPWData *slotPw) +{ + SECStatus rv; + + /* New databases, initialize keydb password. */ + if (PK11_NeedUserInit(slot)) { + rv = SECU_ChangePW(slot, + (slotPw->source == PW_PLAINTEXT) ? slotPw->data : 0, + (slotPw->source == PW_FROMFILE) ? slotPw->data : 0); + if (rv != SECSuccess) { + SECU_PrintError(progName, "Failed to initialize slot \"%s\"", + PK11_GetSlotName(slot)); + return SECFailure; + } + } + + if (PK11_Authenticate(slot, PR_TRUE, slotPw) != SECSuccess) { + SECU_PrintError(progName, + "Failed to authenticate to PKCS11 slot"); + PORT_SetError(SEC_ERROR_USER_CANCELLED); + pk12uErrno = PK12UERR_USER_CANCELLED; + return SECFailure; + } + + return SECSuccess; +} + +/* This routine takes care of getting the PKCS12 file password, then reading and + * verifying the file. It returns the decoder context and a filled in password. + * (The password is needed by P12U_ImportPKCS12Object() to import the private + * key.) + */ +SEC_PKCS12DecoderContext * +p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, + secuPWData *slotPw, secuPWData *p12FilePw) +{ + SEC_PKCS12DecoderContext *p12dcx = NULL; + p12uContext *p12cxt = NULL; + SECItem *pwitem = NULL; + SECItem p12file = { 0 }; + SECStatus rv = SECFailure; + PRBool swapUnicode = PR_FALSE; + PRBool forceUnicode = pk12uForceUnicode; + PRBool trypw; + int error; + +#ifdef IS_LITTLE_ENDIAN + swapUnicode = PR_TRUE; +#endif + + p12cxt = p12u_InitContext(PR_TRUE, in_file); + if (!p12cxt) { + SECU_PrintError(progName, "File Open failed: %s", in_file); + pk12uErrno = PK12UERR_INIT_FILE; + return NULL; + } + + /* get the password */ + pwitem = P12U_GetP12FilePassword(PR_FALSE, p12FilePw); + if (!pwitem) { + pk12uErrno = PK12UERR_USER_CANCELLED; + goto done; + } + + if (P12U_UnicodeConversion(NULL, uniPwp, pwitem, PR_TRUE, + swapUnicode) != SECSuccess) { + SECU_PrintError(progName, "Unicode conversion failed"); + pk12uErrno = PK12UERR_UNICODECONV; + goto done; + } + rv = SECU_FileToItem(&p12file, p12cxt->file); + if (rv != SECSuccess) { + SECU_PrintError(progName, "Failed to read from import file"); + goto done; + } + + do { + trypw = PR_FALSE; /* normally we do this once */ + rv = SECFailure; + /* init the decoder context */ + p12dcx = SEC_PKCS12DecoderStart(uniPwp, slot, slotPw, + NULL, NULL, NULL, NULL, NULL); + if (!p12dcx) { + SECU_PrintError(progName, "PKCS12 decoder start failed"); + pk12uErrno = PK12UERR_PK12DECODESTART; + break; + } + + /* decode the item */ + rv = SEC_PKCS12DecoderUpdate(p12dcx, p12file.data, p12file.len); + + if (rv != SECSuccess) { + error = PR_GetError(); + if (error == SEC_ERROR_DECRYPTION_DISALLOWED) { + PR_SetError(error, 0); + break; + } + SECU_PrintError(progName, "PKCS12 decoding failed"); + pk12uErrno = PK12UERR_DECODE; + } + + /* does the blob authenticate properly? */ + rv = SEC_PKCS12DecoderVerify(p12dcx); + if (rv != SECSuccess) { + if (uniPwp->len == 2) { + /* this is a null PW, try once more with a zero-length PW + instead of a null string */ + SEC_PKCS12DecoderFinish(p12dcx); + uniPwp->len = 0; + trypw = PR_TRUE; + } else if (forceUnicode == pk12uForceUnicode) { + /* try again with a different password encoding */ + forceUnicode = !pk12uForceUnicode; + rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, + forceUnicode); + if (rv != SECSuccess) { + SECU_PrintError(progName, "PKCS12 decoding failed to set option"); + pk12uErrno = PK12UERR_DECODEVERIFY; + break; + } + SEC_PKCS12DecoderFinish(p12dcx); + trypw = PR_TRUE; + } else { + SECU_PrintError(progName, "PKCS12 decode not verified"); + pk12uErrno = PK12UERR_DECODEVERIFY; + break; + } + } + } while (trypw == PR_TRUE); + + /* revert the option setting */ + if (forceUnicode != pk12uForceUnicode) { + rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); + if (rv != SECSuccess) { + SECU_PrintError(progName, "PKCS12 decoding failed to set option"); + pk12uErrno = PK12UERR_DECODEVERIFY; + } + } +/* rv has been set at this point */ + +done: + if (rv != SECSuccess) { + if (p12dcx != NULL) { + SEC_PKCS12DecoderFinish(p12dcx); + p12dcx = NULL; + } + if (uniPwp->data) { + SECITEM_ZfreeItem(uniPwp, PR_FALSE); + uniPwp->data = NULL; + } + } + PR_Close(p12cxt->file); + p12cxt->file = NULL; + /* PK11_FreeSlot(slot); */ + p12u_DestroyContext(&p12cxt, PR_FALSE); + + if (pwitem) { + SECITEM_ZfreeItem(pwitem, PR_TRUE); + } + SECITEM_ZfreeItem(&p12file, PR_FALSE); + return p12dcx; +} + +/* + * given a filename for pkcs12 file, imports certs and keys + * + * Change: altitude + * I've changed this function so that it takes the keydb and pkcs12 file + * passwords from files. The "pwdKeyDB" and "pwdP12File" + * variables have been added for this purpose. + */ +PRIntn +P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot, + secuPWData *slotPw, secuPWData *p12FilePw) +{ + SEC_PKCS12DecoderContext *p12dcx = NULL; + SECItem uniPwitem = { 0 }; + PRBool forceUnicode = pk12uForceUnicode; + PRBool trypw; + SECStatus rv = SECFailure; + + rv = P12U_InitSlot(slot, slotPw); + if (rv != SECSuccess) { + SECU_PrintError(progName, "Failed to authenticate to \"%s\"", + PK11_GetSlotName(slot)); + pk12uErrno = PK12UERR_PK11GETSLOT; + return rv; + } + + do { + trypw = PR_FALSE; /* normally we do this once */ + rv = SECFailure; + p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); + + if (p12dcx == NULL) { + goto loser; + } + + /* make sure the bags are okey dokey -- nicknames correct, etc. */ + rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback); + if (rv != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) { + pk12uErrno = PK12UERR_CERTALREADYEXISTS; + } else { + pk12uErrno = PK12UERR_DECODEVALIBAGS; + } + SECU_PrintError(progName, "PKCS12 decode validate bags failed"); + goto loser; + } + + /* stuff 'em in */ + if (forceUnicode != pk12uForceUnicode) { + rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, + forceUnicode); + if (rv != SECSuccess) { + SECU_PrintError(progName, "PKCS12 decode set option failed"); + pk12uErrno = PK12UERR_DECODEIMPTBAGS; + goto loser; + } + } + rv = SEC_PKCS12DecoderImportBags(p12dcx); + if (rv != SECSuccess) { + if (PR_GetError() == SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY && + forceUnicode == pk12uForceUnicode) { + /* try again with a different password encoding */ + forceUnicode = !pk12uForceUnicode; + SEC_PKCS12DecoderFinish(p12dcx); + SECITEM_ZfreeItem(&uniPwitem, PR_FALSE); + trypw = PR_TRUE; + } else { + SECU_PrintError(progName, "PKCS12 decode import bags failed"); + pk12uErrno = PK12UERR_DECODEIMPTBAGS; + goto loser; + } + } + } while (trypw); + + /* revert the option setting */ + if (forceUnicode != pk12uForceUnicode) { + rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); + if (rv != SECSuccess) { + SECU_PrintError(progName, "PKCS12 decode set option failed"); + pk12uErrno = PK12UERR_DECODEIMPTBAGS; + goto loser; + } + } + + fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName); + rv = SECSuccess; + +loser: + if (p12dcx) { + SEC_PKCS12DecoderFinish(p12dcx); + } + + if (uniPwitem.data) { + SECITEM_ZfreeItem(&uniPwitem, PR_FALSE); + } + + return rv; +} + +static void +p12u_DoPKCS12ExportErrors() +{ + PRErrorCode error_value; + + error_value = PORT_GetError(); + if ((error_value == SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY) || + (error_value == SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME) || + (error_value == SEC_ERROR_PKCS12_UNABLE_TO_WRITE)) { + fputs(SECU_Strerror(error_value), stderr); + } else if (error_value == SEC_ERROR_USER_CANCELLED) { + ; + } else { + fputs(SECU_Strerror(SEC_ERROR_EXPORTING_CERTIFICATES), stderr); + } +} + +static void +p12u_WriteToExportFile(void *arg, const char *buf, unsigned long len) +{ + p12uContext *p12cxt = arg; + int writeLen; + + if (!p12cxt || (p12cxt->error == PR_TRUE)) { + return; + } + + if (p12cxt->file == NULL) { + p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE; + p12cxt->error = PR_TRUE; + return; + } + + writeLen = PR_Write(p12cxt->file, (unsigned char *)buf, (PRInt32)len); + + if (writeLen != (int)len) { + PR_Close(p12cxt->file); + PL_strfree(p12cxt->filename); + p12cxt->filename = NULL; + p12cxt->file = NULL; + p12cxt->errorValue = SEC_ERROR_PKCS12_UNABLE_TO_WRITE; + p12cxt->error = PR_TRUE; + } +} + +void +P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot, + SECOidTag cipher, SECOidTag certCipher, SECOidTag hash, + secuPWData *slotPw, secuPWData *p12FilePw) +{ + SEC_PKCS12ExportContext *p12ecx = NULL; + SEC_PKCS12SafeInfo *keySafe = NULL, *certSafe = NULL; + SECItem *pwitem = NULL; + p12uContext *p12cxt = NULL; + CERTCertList *certlist = NULL; + CERTCertListNode *node = NULL; + PK11SlotInfo *slot = NULL; + + if (P12U_InitSlot(inSlot, slotPw) != SECSuccess) { + SECU_PrintError(progName, "Failed to authenticate to \"%s\"", + PK11_GetSlotName(inSlot)); + pk12uErrno = PK12UERR_PK11GETSLOT; + goto loser; + } + certlist = PK11_FindCertsFromNickname(nn, slotPw); + if (!certlist) { + PORT_SetError(SEC_ERROR_UNKNOWN_CERT); + SECU_PrintError(progName, "find user certs from nickname failed"); + pk12uErrno = PK12UERR_FINDCERTBYNN; + return; + } + + if ((SECSuccess != CERT_FilterCertListForUserCerts(certlist)) || + CERT_LIST_EMPTY(certlist)) { + PR_fprintf(PR_STDERR, "%s: no user certs from given nickname\n", + progName); + pk12uErrno = PK12UERR_FINDCERTBYNN; + goto loser; + } + + /* Password to use for PKCS12 file. */ + pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw); + if (!pwitem) { + goto loser; + } + + p12cxt = p12u_InitContext(PR_FALSE, outfile); + if (!p12cxt) { + SECU_PrintError(progName, "Initialization failed: %s", outfile); + pk12uErrno = PK12UERR_INIT_FILE; + goto loser; + } + + if (certlist) { + CERTCertificate *cert = CERT_LIST_HEAD(certlist)->cert; + if (cert) { + slot = cert->slot; /* use the slot from the first matching + certificate to create the context . This is for keygen */ + } + } + if (!slot) { + SECU_PrintError(progName, "cert does not have a slot"); + pk12uErrno = PK12UERR_FINDCERTBYNN; + goto loser; + } + p12ecx = SEC_PKCS12CreateExportContext(NULL, NULL, slot, slotPw); + if (!p12ecx) { + SECU_PrintError(progName, "export context creation failed"); + pk12uErrno = PK12UERR_EXPORTCXCREATE; + goto loser; + } + + if (SEC_PKCS12AddPasswordIntegrity(p12ecx, pwitem, hash) != + SECSuccess) { + SECU_PrintError(progName, "PKCS12 add password integrity failed"); + pk12uErrno = PK12UERR_PK12ADDPWDINTEG; + goto loser; + } + + for (node = CERT_LIST_HEAD(certlist); + !CERT_LIST_END(node, certlist); + node = CERT_LIST_NEXT(node)) { + CERTCertificate *cert = node->cert; + if (!cert->slot) { + SECU_PrintError(progName, "cert does not have a slot"); + pk12uErrno = PK12UERR_FINDCERTBYNN; + goto loser; + } + + keySafe = SEC_PKCS12CreateUnencryptedSafe(p12ecx); + if (certCipher == SEC_OID_UNKNOWN) { + certSafe = keySafe; + } else { + certSafe = + SEC_PKCS12CreatePasswordPrivSafe(p12ecx, pwitem, certCipher); + } + + if (!certSafe || !keySafe) { + SECU_PrintError(progName, "key or cert safe creation failed"); + pk12uErrno = PK12UERR_CERTKEYSAFE; + goto loser; + } + + if (SEC_PKCS12AddCertAndKey(p12ecx, certSafe, NULL, cert, + CERT_GetDefaultCertDB(), keySafe, NULL, + PR_TRUE, pwitem, cipher) != SECSuccess) { + SECU_PrintError(progName, "add cert and key failed"); + pk12uErrno = PK12UERR_ADDCERTKEY; + goto loser; + } + } + + CERT_DestroyCertList(certlist); + certlist = NULL; + + if (SEC_PKCS12Encode(p12ecx, p12u_WriteToExportFile, p12cxt) != + SECSuccess) { + SECU_PrintError(progName, "PKCS12 encode failed"); + pk12uErrno = PK12UERR_ENCODE; + goto loser; + } + + p12u_DestroyContext(&p12cxt, PR_FALSE); + SECITEM_ZfreeItem(pwitem, PR_TRUE); + fprintf(stdout, "%s: PKCS12 EXPORT SUCCESSFUL\n", progName); + SEC_PKCS12DestroyExportContext(p12ecx); + + return; + +loser: + SEC_PKCS12DestroyExportContext(p12ecx); + + if (certlist) { + CERT_DestroyCertList(certlist); + certlist = NULL; + } + + p12u_DestroyContext(&p12cxt, PR_TRUE); + if (pwitem) { + SECITEM_ZfreeItem(pwitem, PR_TRUE); + } + p12u_DoPKCS12ExportErrors(); + return; +} + +PRIntn +P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot, + secuPWData *slotPw, secuPWData *p12FilePw) +{ + SEC_PKCS12DecoderContext *p12dcx = NULL; + SECItem uniPwitem = { 0 }; + SECStatus rv = SECFailure; + const SEC_PKCS12DecoderItem *dip; + + p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); + /* did the blob authenticate properly? */ + if (p12dcx == NULL) { + SECU_PrintError(progName, "PKCS12 decode not verified"); + pk12uErrno = PK12UERR_DECODEVERIFY; + goto loser; + } + rv = SEC_PKCS12DecoderIterateInit(p12dcx); + if (rv != SECSuccess) { + SECU_PrintError(progName, "PKCS12 decode iterate bags failed"); + pk12uErrno = PK12UERR_DECODEIMPTBAGS; + rv = SECFailure; + } else { + int fileCounter = 0; + while (SEC_PKCS12DecoderIterateNext(p12dcx, &dip) == SECSuccess) { + switch (dip->type) { + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + printf("Certificate"); + if (dumpRawFile) { + PRFileDesc *fd; + char fileName[20]; + sprintf(fileName, "file%04d.der", ++fileCounter); + fd = PR_Open(fileName, + PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, + 0600); + if (!fd) { + SECU_PrintError(progName, + "Cannot create output file"); + } else { + PR_Write(fd, dip->der->data, dip->der->len); + PR_Close(fd); + } + } else if (SECU_PrintSignedData(stdout, dip->der, + (dip->hasKey) ? "(has private key)" + : "", + 0, (SECU_PPFunc)SECU_PrintCertificate) != + 0) { + SECU_PrintError(progName, "PKCS12 print cert bag failed"); + } + if (dip->friendlyName != NULL) { + printf(" Friendly Name: %s\n\n", + dip->friendlyName->data); + } + if (dip->shroudAlg) { + SECU_PrintAlgorithmID(stdout, dip->shroudAlg, + "Encryption algorithm", 1); + } + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: + printf("Key"); + if (dip->type == SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID) + printf("(shrouded)"); + printf(":\n"); + if (dip->friendlyName != NULL) { + printf(" Friendly Name: %s\n\n", + dip->friendlyName->data); + } + if (dip->shroudAlg) { + SECU_PrintAlgorithmID(stdout, dip->shroudAlg, + "Encryption algorithm", 1); + } + break; + default: + printf("unknown bag type(%d): %s\n\n", dip->type, + SECOID_FindOIDTagDescription(dip->type)); + break; + } + } + rv = SECSuccess; + } + +loser: + + if (p12dcx) { + SEC_PKCS12DecoderFinish(p12dcx); + } + + if (uniPwitem.data) { + SECITEM_ZfreeItem(&uniPwitem, PR_FALSE); + } + + return rv; +} + +SECOidTag +PKCS12U_FindTagFromString(char *cipherString) +{ + SECOidTag tag; + SECOidData *oid; + + /* future enhancement: accept dotted oid spec? */ + + for (tag = 1; (oid = SECOID_FindOIDByTag(tag)) != NULL; tag++) { + /* only interested in oids that we actually understand */ + if (oid->mechanism == CKM_INVALID_MECHANISM) { + continue; + } + if (PORT_Strcasecmp(oid->desc, cipherString) != 0) { + continue; + } + return tag; + } + return SEC_OID_UNKNOWN; +} + +/* + * use the oid table description to map a user input string to a particular + * oid. + */ +SECOidTag +PKCS12U_MapCipherFromString(char *cipherString, int keyLen) +{ + SECOidTag tag; + SECOidTag cipher; + + /* future enhancement: provide 'friendlier' typed in names for + * pbe mechanisms. + */ + + /* look for the oid tag by Description */ + tag = PKCS12U_FindTagFromString(cipherString); + if (tag == SEC_OID_UNKNOWN) { + return tag; + } + + cipher = SEC_OID_UNKNOWN; + /* we found a match... get the PBE version of this + * cipher... */ + if (!SEC_PKCS5IsAlgorithmPBEAlgTag(tag)) { + cipher = SEC_PKCS5GetPBEAlgorithm(tag, keyLen); + /* no eqivalent PKCS5/PKCS12 cipher, use the raw + * encryption tag we got and pass it directly in, + * pkcs12 will use the pkcsv5 mechanism */ + if (cipher == SEC_OID_PKCS5_PBES2) { + cipher = tag; + } else if (cipher == SEC_OID_PKCS5_PBMAC1) { + /* make sure we have not macing ciphers here */ + cipher = SEC_OID_UNKNOWN; + } + } else { + cipher = tag; + } + return cipher; +} + +SECOidTag +PKCS12U_MapHashFromString(char *hashString) +{ + SECOidTag hashAlg; + + /* look for the oid tag by Description */ + hashAlg = PKCS12U_FindTagFromString(hashString); + if (hashAlg == SEC_OID_UNKNOWN) { + return hashAlg; + } + /* make sure it's a hashing oid */ + if (HASH_GetHashTypeByOidTag(hashAlg) == HASH_AlgNULL) { + return SEC_OID_UNKNOWN; + } + return hashAlg; +} + +static void +p12u_EnableAllCiphers() +{ + SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); + SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); + SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); + SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_128, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_192, 1); + SEC_PKCS12EnableCipher(PKCS12_AES_CBC_256, 1); + SEC_PKCS12SetPreferredCipher(PKCS12_AES_CBC_256, 1); +} + +static PRUintn +P12U_Init(char *dir, char *dbprefix, PRBool listonly) +{ + SECStatus rv; + PK11_SetPasswordFunc(SECU_GetModulePassword); + + PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + if (listonly && NSS_NoDB_Init("") == SECSuccess) { + rv = SECSuccess; + } else { + rv = NSS_Initialize(dir, dbprefix, dbprefix, "secmod.db", 0); + } + if (rv != SECSuccess) { + SECU_PrintPRandOSError(progName); + exit(-1); + } + + /* setup unicode callback functions */ + PORT_SetUCS2_ASCIIConversionFunction(p12u_ucs2_ascii_conversion_function); + /* use the defaults for UCS4-UTF8 and UCS2-UTF8 */ + + p12u_EnableAllCiphers(); + SECU_RegisterDynamicOids(); + return 0; +} + +enum { + opt_CertDir = 0, + opt_TokenName, + opt_Import, + opt_SlotPWFile, + opt_SlotPW, + opt_List, + opt_Nickname, + opt_Export, + opt_Raw, + opt_P12FilePWFile, + opt_P12FilePW, + opt_DBPrefix, + opt_Debug, + opt_Cipher, + opt_CertCipher, + opt_KeyLength, + opt_CertKeyLength, + opt_Mac +}; + +static secuCommandFlag pk12util_options[] = + { + { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE }, + { /* opt_TokenName */ 'h', PR_TRUE, 0, PR_FALSE }, + { /* opt_Import */ 'i', PR_TRUE, 0, PR_FALSE }, + { /* opt_SlotPWFile */ 'k', PR_TRUE, 0, PR_FALSE }, + { /* opt_SlotPW */ 'K', PR_TRUE, 0, PR_FALSE }, + { /* opt_List */ 'l', PR_TRUE, 0, PR_FALSE }, + { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE }, + { /* opt_Export */ 'o', PR_TRUE, 0, PR_FALSE }, + { /* opt_Raw */ 'r', PR_FALSE, 0, PR_FALSE }, + { /* opt_P12FilePWFile */ 'w', PR_TRUE, 0, PR_FALSE }, + { /* opt_P12FilePW */ 'W', PR_TRUE, 0, PR_FALSE }, + { /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE }, + { /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE }, + { /* opt_Cipher */ 'c', PR_TRUE, 0, PR_FALSE }, + { /* opt_CertCipher */ 'C', PR_TRUE, 0, PR_FALSE }, + { /* opt_KeyLength */ 'm', PR_TRUE, 0, PR_FALSE, "key_len" }, + { /* opt_CertKeyLength */ 0, PR_TRUE, 0, PR_FALSE, "cert_key_len" }, + { /* opt_Mac */ 'M', PR_TRUE, 0, PR_FALSE, PR_FALSE } + }; + +int +main(int argc, char **argv) +{ + secuPWData slotPw = { PW_NONE, NULL }; + secuPWData p12FilePw = { PW_NONE, NULL }; + PK11SlotInfo *slot; + char *slotname = NULL; + char *import_file = NULL; + char *export_file = NULL; + char *dbprefix = ""; + SECStatus rv; + SECOidTag cipher = + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC; + SECOidTag hash = SEC_OID_SHA1; + SECOidTag certCipher = + SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC; + int keyLen = 0; + int certKeyLen = 0; + secuCommand pk12util; + PRInt32 forceUnicode; + +#ifdef _CRTDBG_MAP_ALLOC + _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF); +#endif + + pk12util.numCommands = 0; + pk12util.commands = 0; + pk12util.numOptions = sizeof(pk12util_options) / sizeof(secuCommandFlag); + pk12util.options = pk12util_options; + + progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + rv = SECU_ParseCommandLine(argc, argv, progName, &pk12util); + + if (rv != SECSuccess) + Usage(); + + pk12_debugging = pk12util.options[opt_Debug].activated; + + if ((pk12util.options[opt_Import].activated + + pk12util.options[opt_Export].activated + + pk12util.options[opt_List].activated) != 1) { + Usage(); + } + + if (pk12util.options[opt_Export].activated && + !pk12util.options[opt_Nickname].activated) { + Usage(); + } + + rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode); + if (rv != SECSuccess) { + SECU_PrintError(progName, + "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option"); + Usage(); + } + pk12uForceUnicode = forceUnicode; + + slotname = SECU_GetOptionArg(&pk12util, opt_TokenName); + + import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List) + : SECU_GetOptionArg(&pk12util, opt_Import); + export_file = SECU_GetOptionArg(&pk12util, opt_Export); + + if (pk12util.options[opt_P12FilePWFile].activated) { + p12FilePw.source = PW_FROMFILE; + p12FilePw.data = PORT_Strdup(pk12util.options[opt_P12FilePWFile].arg); + } + + if (pk12util.options[opt_P12FilePW].activated) { + p12FilePw.source = PW_PLAINTEXT; + p12FilePw.data = PORT_Strdup(pk12util.options[opt_P12FilePW].arg); + } + + if (pk12util.options[opt_SlotPWFile].activated) { + slotPw.source = PW_FROMFILE; + slotPw.data = PORT_Strdup(pk12util.options[opt_SlotPWFile].arg); + } + + if (pk12util.options[opt_SlotPW].activated) { + slotPw.source = PW_PLAINTEXT; + slotPw.data = PORT_Strdup(pk12util.options[opt_SlotPW].arg); + } + + if (pk12util.options[opt_CertDir].activated) { + SECU_ConfigDirectory(pk12util.options[opt_CertDir].arg); + } + if (pk12util.options[opt_DBPrefix].activated) { + dbprefix = pk12util.options[opt_DBPrefix].arg; + } + if (pk12util.options[opt_Raw].activated) { + dumpRawFile = PR_TRUE; + } + if (pk12util.options[opt_KeyLength].activated) { + keyLen = atoi(pk12util.options[opt_KeyLength].arg); + } + if (pk12util.options[opt_CertKeyLength].activated) { + certKeyLen = atoi(pk12util.options[opt_CertKeyLength].arg); + } + + P12U_Init(SECU_ConfigDirectory(NULL), dbprefix, + pk12util.options[opt_List].activated); + + if (!slotname || PL_strcmp(slotname, "internal") == 0) + slot = PK11_GetInternalKeySlot(); + else + slot = PK11_FindSlotByName(slotname); + + if (!slot) { + SECU_PrintError(progName, "Invalid slot \"%s\"", slotname); + pk12uErrno = PK12UERR_PK11GETSLOT; + goto done; + } + + if (pk12util.options[opt_Cipher].activated) { + char *cipherString = pk12util.options[opt_Cipher].arg; + + cipher = PKCS12U_MapCipherFromString(cipherString, keyLen); + /* We only want encryption PBE's. make sure we don't have + * any MAC pbes */ + if (cipher == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString); + pk12uErrno = PK12UERR_INVALIDALGORITHM; + goto done; + } + } + + if (PK11_IsFIPS()) { + certCipher = SEC_OID_UNKNOWN; + } + if (pk12util.options[opt_CertCipher].activated) { + char *cipherString = pk12util.options[opt_CertCipher].arg; + + if (PORT_Strcasecmp(cipherString, "none") == 0) { + certCipher = SEC_OID_UNKNOWN; + } else { + certCipher = PKCS12U_MapCipherFromString(cipherString, certKeyLen); + /* If the user requested a cipher and we didn't find it, then + * don't just silently not encrypt. */ + if (certCipher == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString); + pk12uErrno = PK12UERR_INVALIDALGORITHM; + goto done; + } + } + } + if (pk12util.options[opt_Mac].activated) { + char *hashString = pk12util.options[opt_Mac].arg; + + hash = PKCS12U_MapHashFromString(hashString); + /* We don't support creating Mac-less pkcs 12 files */ + if (hash == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + SECU_PrintError(progName, "Algorithm: \"%s\"", hashString); + pk12uErrno = PK12UERR_INVALIDALGORITHM; + goto done; + } + } + + if (pk12util.options[opt_Import].activated) { + P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw); + + } else if (pk12util.options[opt_Export].activated) { + P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg, + export_file, slot, cipher, certCipher, + hash, &slotPw, &p12FilePw); + + } else if (pk12util.options[opt_List].activated) { + P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw); + + } else { + Usage(); + pk12uErrno = PK12UERR_USAGE; + } + +done: + if (import_file != NULL) + PORT_ZFree(import_file, PL_strlen(import_file)); + if (export_file != NULL) + PORT_ZFree(export_file, PL_strlen(export_file)); + if (slotPw.data != NULL) + PORT_ZFree(slotPw.data, PL_strlen(slotPw.data)); + if (p12FilePw.data != NULL) + PORT_ZFree(p12FilePw.data, PL_strlen(p12FilePw.data)); + if (slot) + PK11_FreeSlot(slot); + if (NSS_Shutdown() != SECSuccess) { + pk12uErrno = 1; + } + PL_ArenaFinish(); + PR_Cleanup(); + return pk12uErrno; +} diff --git a/tools/src/main/native/p12tool/p12tool.h b/tools/src/main/native/p12tool/p12tool.h new file mode 100755 index 000000000..d1588814e --- /dev/null +++ b/tools/src/main/native/p12tool/p12tool.h @@ -0,0 +1,40 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * ERROR codes in pk12util + * - should be organized better later + */ +#define PK12UERR_USER_CANCELLED 1 +#define PK12UERR_USAGE 2 +#define PK12UERR_CERTDB_OPEN 8 +#define PK12UERR_KEYDB_OPEN 9 +#define PK12UERR_INIT_FILE 10 +#define PK12UERR_UNICODECONV 11 +#define PK12UERR_TMPDIGCREATE 12 +#define PK12UERR_PK11GETSLOT 13 +#define PK12UERR_PK12DECODESTART 14 +#define PK12UERR_IMPORTFILEREAD 15 +#define PK12UERR_DECODE 16 +#define PK12UERR_DECODEVERIFY 17 +#define PK12UERR_DECODEVALIBAGS 18 +#define PK12UERR_DECODEIMPTBAGS 19 +#define PK12UERR_CERTALREADYEXISTS 20 +#define PK12UERR_PATCHDB 22 +#define PK12UERR_GETDEFCERTDB 23 +#define PK12UERR_FINDCERTBYNN 24 +#define PK12UERR_EXPORTCXCREATE 25 +#define PK12UERR_PK12ADDPWDINTEG 26 +#define PK12UERR_CERTKEYSAFE 27 +#define PK12UERR_ADDCERTKEY 28 +#define PK12UERR_ENCODE 29 +#define PK12UERR_INVALIDALGORITHM 30 + +/* additions for importing and exporting PKCS 12 files */ +typedef struct p12uContextStr { + char *filename; /* name of file */ + PRFileDesc *file; /* pointer to file */ + PRBool error; /* error occurred? */ + int errorValue; /* which error occurred? */ +} p12uContext; diff --git a/tools/src/main/native/p12tool/pk11table.c b/tools/src/main/native/p12tool/pk11table.c new file mode 100644 index 000000000..f7a45fa84 --- /dev/null +++ b/tools/src/main/native/p12tool/pk11table.c @@ -0,0 +1,1517 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "pk11table.h" + +const char *_valueString[] = { + "None", + "Variable", + "CK_ULONG", + "Data", + "UTF8", + "CK_INFO", + "CK_SLOT_INFO", + "CK_TOKEN_INFO", + "CK_SESSION_INFO", + "CK_ATTRIBUTE", + "CK_MECHANISM", + "CK_MECHANISM_INFO", + "CK_C_INITIALIZE_ARGS", + "CK_FUNCTION_LIST" +}; + +const char **valueString = &_valueString[0]; +const int valueCount = sizeof(_valueString) / sizeof(_valueString[0]); + +const char *_constTypeString[] = { + "None", + "Bool", + "InfoFlags", + "SlotFlags", + "TokenFlags", + "SessionFlags", + "MechanismFlags", + "InitializeFlags", + "Users", + "SessionState", + "Object", + "Hardware", + "KeyType", + "CertificateType", + "Attribute", + "Mechanism", + "Result", + "Trust", + "AvailableSizes", + "CurrentSize" +}; + +const char **constTypeString = &_constTypeString[0]; +const int constTypeCount = sizeof(_constTypeString) / sizeof(_constTypeString[0]); + +#define mkEntry(x, t) \ + { \ + #x, x, Const##t, ConstNone \ + } +#define mkEntry2(x, t, t2) \ + { \ + #x, x, Const##t, Const##t2 \ + } + +const Constant _consts[] = { + mkEntry(CK_FALSE, Bool), + mkEntry(CK_TRUE, Bool), + + mkEntry(CKF_TOKEN_PRESENT, SlotFlags), + mkEntry(CKF_REMOVABLE_DEVICE, SlotFlags), + mkEntry(CKF_HW_SLOT, SlotFlags), + + mkEntry(CKF_RNG, TokenFlags), + mkEntry(CKF_WRITE_PROTECTED, TokenFlags), + mkEntry(CKF_LOGIN_REQUIRED, TokenFlags), + mkEntry(CKF_USER_PIN_INITIALIZED, TokenFlags), + mkEntry(CKF_RESTORE_KEY_NOT_NEEDED, TokenFlags), + mkEntry(CKF_CLOCK_ON_TOKEN, TokenFlags), + mkEntry(CKF_PROTECTED_AUTHENTICATION_PATH, TokenFlags), + mkEntry(CKF_DUAL_CRYPTO_OPERATIONS, TokenFlags), + mkEntry(CKF_TOKEN_INITIALIZED, TokenFlags), + mkEntry(CKF_SECONDARY_AUTHENTICATION, TokenFlags), + mkEntry(CKF_USER_PIN_COUNT_LOW, TokenFlags), + mkEntry(CKF_USER_PIN_FINAL_TRY, TokenFlags), + mkEntry(CKF_USER_PIN_LOCKED, TokenFlags), + mkEntry(CKF_USER_PIN_TO_BE_CHANGED, TokenFlags), + mkEntry(CKF_SO_PIN_COUNT_LOW, TokenFlags), + mkEntry(CKF_SO_PIN_FINAL_TRY, TokenFlags), + mkEntry(CKF_SO_PIN_LOCKED, TokenFlags), + mkEntry(CKF_SO_PIN_TO_BE_CHANGED, TokenFlags), + + mkEntry(CKF_RW_SESSION, SessionFlags), + mkEntry(CKF_SERIAL_SESSION, SessionFlags), + + mkEntry(CKF_HW, MechanismFlags), + mkEntry(CKF_ENCRYPT, MechanismFlags), + mkEntry(CKF_DECRYPT, MechanismFlags), + mkEntry(CKF_DIGEST, MechanismFlags), + mkEntry(CKF_SIGN, MechanismFlags), + mkEntry(CKF_SIGN_RECOVER, MechanismFlags), + mkEntry(CKF_VERIFY, MechanismFlags), + mkEntry(CKF_VERIFY_RECOVER, MechanismFlags), + mkEntry(CKF_GENERATE, MechanismFlags), + mkEntry(CKF_GENERATE_KEY_PAIR, MechanismFlags), + mkEntry(CKF_WRAP, MechanismFlags), + mkEntry(CKF_UNWRAP, MechanismFlags), + mkEntry(CKF_DERIVE, MechanismFlags), + mkEntry(CKF_EC_F_P, MechanismFlags), + mkEntry(CKF_EC_F_2M, MechanismFlags), + mkEntry(CKF_EC_ECPARAMETERS, MechanismFlags), + mkEntry(CKF_EC_NAMEDCURVE, MechanismFlags), + mkEntry(CKF_EC_UNCOMPRESS, MechanismFlags), + mkEntry(CKF_EC_COMPRESS, MechanismFlags), + + mkEntry(CKF_LIBRARY_CANT_CREATE_OS_THREADS, InitializeFlags), + mkEntry(CKF_OS_LOCKING_OK, InitializeFlags), + + mkEntry(CKU_SO, Users), + mkEntry(CKU_USER, Users), + + mkEntry(CKS_RO_PUBLIC_SESSION, SessionState), + mkEntry(CKS_RO_USER_FUNCTIONS, SessionState), + mkEntry(CKS_RW_PUBLIC_SESSION, SessionState), + mkEntry(CKS_RW_USER_FUNCTIONS, SessionState), + mkEntry(CKS_RW_SO_FUNCTIONS, SessionState), + + mkEntry(CKO_DATA, Object), + mkEntry(CKO_CERTIFICATE, Object), + mkEntry(CKO_PUBLIC_KEY, Object), + mkEntry(CKO_PRIVATE_KEY, Object), + mkEntry(CKO_SECRET_KEY, Object), + mkEntry(CKO_HW_FEATURE, Object), + mkEntry(CKO_DOMAIN_PARAMETERS, Object), + mkEntry(CKO_NSS_CRL, Object), + mkEntry(CKO_NSS_SMIME, Object), + mkEntry(CKO_NSS_TRUST, Object), + mkEntry(CKO_NSS_BUILTIN_ROOT_LIST, Object), + + mkEntry(CKH_MONOTONIC_COUNTER, Hardware), + mkEntry(CKH_CLOCK, Hardware), + + mkEntry(CKK_RSA, KeyType), + mkEntry(CKK_DSA, KeyType), + mkEntry(CKK_DH, KeyType), + mkEntry(CKK_ECDSA, KeyType), + mkEntry(CKK_EC, KeyType), + mkEntry(CKK_X9_42_DH, KeyType), + mkEntry(CKK_KEA, KeyType), + mkEntry(CKK_GENERIC_SECRET, KeyType), + mkEntry(CKK_RC2, KeyType), + mkEntry(CKK_RC4, KeyType), + mkEntry(CKK_DES, KeyType), + mkEntry(CKK_DES2, KeyType), + mkEntry(CKK_DES3, KeyType), + mkEntry(CKK_CAST, KeyType), + mkEntry(CKK_CAST3, KeyType), + mkEntry(CKK_CAST5, KeyType), + mkEntry(CKK_CAST128, KeyType), + mkEntry(CKK_RC5, KeyType), + mkEntry(CKK_IDEA, KeyType), + mkEntry(CKK_SKIPJACK, KeyType), + mkEntry(CKK_BATON, KeyType), + mkEntry(CKK_JUNIPER, KeyType), + mkEntry(CKK_CDMF, KeyType), + mkEntry(CKK_AES, KeyType), + mkEntry(CKK_CAMELLIA, KeyType), + mkEntry(CKK_NSS_PKCS8, KeyType), + + mkEntry(CKC_X_509, CertType), + mkEntry(CKC_X_509_ATTR_CERT, CertType), + + mkEntry2(CKA_CLASS, Attribute, Object), + mkEntry2(CKA_TOKEN, Attribute, Bool), + mkEntry2(CKA_PRIVATE, Attribute, Bool), + mkEntry2(CKA_LABEL, Attribute, None), + mkEntry2(CKA_APPLICATION, Attribute, None), + mkEntry2(CKA_VALUE, Attribute, None), + mkEntry2(CKA_OBJECT_ID, Attribute, None), + mkEntry2(CKA_CERTIFICATE_TYPE, Attribute, CertType), + mkEntry2(CKA_ISSUER, Attribute, None), + mkEntry2(CKA_SERIAL_NUMBER, Attribute, None), + mkEntry2(CKA_AC_ISSUER, Attribute, None), + mkEntry2(CKA_OWNER, Attribute, None), + mkEntry2(CKA_ATTR_TYPES, Attribute, None), + mkEntry2(CKA_TRUSTED, Attribute, Bool), + mkEntry2(CKA_KEY_TYPE, Attribute, KeyType), + mkEntry2(CKA_SUBJECT, Attribute, None), + mkEntry2(CKA_ID, Attribute, None), + mkEntry2(CKA_SENSITIVE, Attribute, Bool), + mkEntry2(CKA_ENCRYPT, Attribute, Bool), + mkEntry2(CKA_DECRYPT, Attribute, Bool), + mkEntry2(CKA_WRAP, Attribute, Bool), + mkEntry2(CKA_UNWRAP, Attribute, Bool), + mkEntry2(CKA_SIGN, Attribute, Bool), + mkEntry2(CKA_SIGN_RECOVER, Attribute, Bool), + mkEntry2(CKA_VERIFY, Attribute, Bool), + mkEntry2(CKA_VERIFY_RECOVER, Attribute, Bool), + mkEntry2(CKA_DERIVE, Attribute, Bool), + mkEntry2(CKA_START_DATE, Attribute, None), + mkEntry2(CKA_END_DATE, Attribute, None), + mkEntry2(CKA_MODULUS, Attribute, None), + mkEntry2(CKA_MODULUS_BITS, Attribute, None), + mkEntry2(CKA_PUBLIC_EXPONENT, Attribute, None), + mkEntry2(CKA_PRIVATE_EXPONENT, Attribute, None), + mkEntry2(CKA_PRIME_1, Attribute, None), + mkEntry2(CKA_PRIME_2, Attribute, None), + mkEntry2(CKA_EXPONENT_1, Attribute, None), + mkEntry2(CKA_EXPONENT_2, Attribute, None), + mkEntry2(CKA_COEFFICIENT, Attribute, None), + mkEntry2(CKA_PRIME, Attribute, None), + mkEntry2(CKA_SUBPRIME, Attribute, None), + mkEntry2(CKA_BASE, Attribute, None), + mkEntry2(CKA_PRIME_BITS, Attribute, None), + mkEntry2(CKA_SUB_PRIME_BITS, Attribute, None), + mkEntry2(CKA_VALUE_BITS, Attribute, None), + mkEntry2(CKA_VALUE_LEN, Attribute, None), + mkEntry2(CKA_EXTRACTABLE, Attribute, Bool), + mkEntry2(CKA_LOCAL, Attribute, Bool), + mkEntry2(CKA_NEVER_EXTRACTABLE, Attribute, Bool), + mkEntry2(CKA_ALWAYS_SENSITIVE, Attribute, Bool), + mkEntry2(CKA_KEY_GEN_MECHANISM, Attribute, Mechanism), + mkEntry2(CKA_MODIFIABLE, Attribute, Bool), + mkEntry2(CKA_ECDSA_PARAMS, Attribute, None), + mkEntry2(CKA_EC_PARAMS, Attribute, None), + mkEntry2(CKA_EC_POINT, Attribute, None), + mkEntry2(CKA_SECONDARY_AUTH, Attribute, None), + mkEntry2(CKA_AUTH_PIN_FLAGS, Attribute, None), + mkEntry2(CKA_HW_FEATURE_TYPE, Attribute, Hardware), + mkEntry2(CKA_RESET_ON_INIT, Attribute, Bool), + mkEntry2(CKA_HAS_RESET, Attribute, Bool), + mkEntry2(CKA_NSS_URL, Attribute, None), + mkEntry2(CKA_NSS_EMAIL, Attribute, None), + mkEntry2(CKA_NSS_SMIME_INFO, Attribute, None), + mkEntry2(CKA_NSS_SMIME_TIMESTAMP, Attribute, None), + mkEntry2(CKA_NSS_PKCS8_SALT, Attribute, None), + mkEntry2(CKA_NSS_PASSWORD_CHECK, Attribute, None), + mkEntry2(CKA_NSS_EXPIRES, Attribute, None), + mkEntry2(CKA_NSS_KRL, Attribute, None), + mkEntry2(CKA_NSS_PQG_COUNTER, Attribute, None), + mkEntry2(CKA_NSS_PQG_SEED, Attribute, None), + mkEntry2(CKA_NSS_PQG_H, Attribute, None), + mkEntry2(CKA_NSS_PQG_SEED_BITS, Attribute, None), + mkEntry2(CKA_TRUST_DIGITAL_SIGNATURE, Attribute, Trust), + mkEntry2(CKA_TRUST_NON_REPUDIATION, Attribute, Trust), + mkEntry2(CKA_TRUST_KEY_ENCIPHERMENT, Attribute, Trust), + mkEntry2(CKA_TRUST_DATA_ENCIPHERMENT, Attribute, Trust), + mkEntry2(CKA_TRUST_KEY_AGREEMENT, Attribute, Trust), + mkEntry2(CKA_TRUST_KEY_CERT_SIGN, Attribute, Trust), + mkEntry2(CKA_TRUST_CRL_SIGN, Attribute, Trust), + mkEntry2(CKA_TRUST_SERVER_AUTH, Attribute, Trust), + mkEntry2(CKA_TRUST_CLIENT_AUTH, Attribute, Trust), + mkEntry2(CKA_TRUST_CODE_SIGNING, Attribute, Trust), + mkEntry2(CKA_TRUST_EMAIL_PROTECTION, Attribute, Trust), + mkEntry2(CKA_TRUST_IPSEC_END_SYSTEM, Attribute, Trust), + mkEntry2(CKA_TRUST_IPSEC_TUNNEL, Attribute, Trust), + mkEntry2(CKA_TRUST_IPSEC_USER, Attribute, Trust), + mkEntry2(CKA_TRUST_TIME_STAMPING, Attribute, Trust), + mkEntry2(CKA_CERT_SHA1_HASH, Attribute, None), + mkEntry2(CKA_CERT_MD5_HASH, Attribute, None), + mkEntry2(CKA_NSS_DB, Attribute, None), + mkEntry2(CKA_NSS_TRUST, Attribute, Trust), + + mkEntry(CKM_RSA_PKCS, Mechanism), + mkEntry(CKM_RSA_9796, Mechanism), + mkEntry(CKM_RSA_X_509, Mechanism), + mkEntry(CKM_RSA_PKCS_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_MD2_RSA_PKCS, Mechanism), + mkEntry(CKM_MD5_RSA_PKCS, Mechanism), + mkEntry(CKM_SHA1_RSA_PKCS, Mechanism), + mkEntry(CKM_RIPEMD128_RSA_PKCS, Mechanism), + mkEntry(CKM_RIPEMD160_RSA_PKCS, Mechanism), + mkEntry(CKM_RSA_PKCS_OAEP, Mechanism), + mkEntry(CKM_RSA_X9_31_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_RSA_X9_31, Mechanism), + mkEntry(CKM_SHA1_RSA_X9_31, Mechanism), + mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_DSA, Mechanism), + mkEntry(CKM_DSA_SHA1, Mechanism), + mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_DH_PKCS_DERIVE, Mechanism), + mkEntry(CKM_X9_42_DH_DERIVE, Mechanism), + mkEntry(CKM_X9_42_DH_HYBRID_DERIVE, Mechanism), + mkEntry(CKM_X9_42_MQV_DERIVE, Mechanism), + mkEntry(CKM_SHA256_RSA_PKCS, Mechanism), + mkEntry(CKM_SHA384_RSA_PKCS, Mechanism), + mkEntry(CKM_SHA512_RSA_PKCS, Mechanism), + mkEntry(CKM_RC2_KEY_GEN, Mechanism), + mkEntry(CKM_RC2_ECB, Mechanism), + mkEntry(CKM_RC2_CBC, Mechanism), + mkEntry(CKM_RC2_MAC, Mechanism), + mkEntry(CKM_RC2_MAC_GENERAL, Mechanism), + mkEntry(CKM_RC2_CBC_PAD, Mechanism), + mkEntry(CKM_RC4_KEY_GEN, Mechanism), + mkEntry(CKM_RC4, Mechanism), + mkEntry(CKM_DES_KEY_GEN, Mechanism), + mkEntry(CKM_DES_ECB, Mechanism), + mkEntry(CKM_DES_CBC, Mechanism), + mkEntry(CKM_DES_MAC, Mechanism), + mkEntry(CKM_DES_MAC_GENERAL, Mechanism), + mkEntry(CKM_DES_CBC_PAD, Mechanism), + mkEntry(CKM_DES2_KEY_GEN, Mechanism), + mkEntry(CKM_DES3_KEY_GEN, Mechanism), + mkEntry(CKM_DES3_ECB, Mechanism), + mkEntry(CKM_DES3_CBC, Mechanism), + mkEntry(CKM_DES3_MAC, Mechanism), + mkEntry(CKM_DES3_MAC_GENERAL, Mechanism), + mkEntry(CKM_DES3_CBC_PAD, Mechanism), + mkEntry(CKM_CDMF_KEY_GEN, Mechanism), + mkEntry(CKM_CDMF_ECB, Mechanism), + mkEntry(CKM_CDMF_CBC, Mechanism), + mkEntry(CKM_CDMF_MAC, Mechanism), + mkEntry(CKM_CDMF_MAC_GENERAL, Mechanism), + mkEntry(CKM_CDMF_CBC_PAD, Mechanism), + mkEntry(CKM_MD2, Mechanism), + mkEntry(CKM_MD2_HMAC, Mechanism), + mkEntry(CKM_MD2_HMAC_GENERAL, Mechanism), + mkEntry(CKM_MD5, Mechanism), + mkEntry(CKM_MD5_HMAC, Mechanism), + mkEntry(CKM_MD5_HMAC_GENERAL, Mechanism), + mkEntry(CKM_SHA_1, Mechanism), + mkEntry(CKM_SHA_1_HMAC, Mechanism), + mkEntry(CKM_SHA_1_HMAC_GENERAL, Mechanism), + mkEntry(CKM_RIPEMD128, Mechanism), + mkEntry(CKM_RIPEMD128_HMAC, Mechanism), + mkEntry(CKM_RIPEMD128_HMAC_GENERAL, Mechanism), + mkEntry(CKM_RIPEMD160, Mechanism), + mkEntry(CKM_RIPEMD160_HMAC, Mechanism), + mkEntry(CKM_RIPEMD160_HMAC_GENERAL, Mechanism), + mkEntry(CKM_SHA256, Mechanism), + mkEntry(CKM_SHA256_HMAC_GENERAL, Mechanism), + mkEntry(CKM_SHA256_HMAC, Mechanism), + mkEntry(CKM_SHA384, Mechanism), + mkEntry(CKM_SHA384_HMAC_GENERAL, Mechanism), + mkEntry(CKM_SHA384_HMAC, Mechanism), + mkEntry(CKM_SHA512, Mechanism), + mkEntry(CKM_SHA512_HMAC_GENERAL, Mechanism), + mkEntry(CKM_SHA512_HMAC, Mechanism), + mkEntry(CKM_AES_CMAC, Mechanism), + mkEntry(CKM_AES_CMAC_GENERAL, Mechanism), + mkEntry(CKM_CAST_KEY_GEN, Mechanism), + mkEntry(CKM_CAST_ECB, Mechanism), + mkEntry(CKM_CAST_CBC, Mechanism), + mkEntry(CKM_CAST_MAC, Mechanism), + mkEntry(CKM_CAST_MAC_GENERAL, Mechanism), + mkEntry(CKM_CAST_CBC_PAD, Mechanism), + mkEntry(CKM_CAST3_KEY_GEN, Mechanism), + mkEntry(CKM_CAST3_ECB, Mechanism), + mkEntry(CKM_CAST3_CBC, Mechanism), + mkEntry(CKM_CAST3_MAC, Mechanism), + mkEntry(CKM_CAST3_MAC_GENERAL, Mechanism), + mkEntry(CKM_CAST3_CBC_PAD, Mechanism), + mkEntry(CKM_CAST5_KEY_GEN, Mechanism), + mkEntry(CKM_CAST128_KEY_GEN, Mechanism), + mkEntry(CKM_CAST5_ECB, Mechanism), + mkEntry(CKM_CAST128_ECB, Mechanism), + mkEntry(CKM_CAST5_CBC, Mechanism), + mkEntry(CKM_CAST128_CBC, Mechanism), + mkEntry(CKM_CAST5_MAC, Mechanism), + mkEntry(CKM_CAST128_MAC, Mechanism), + mkEntry(CKM_CAST5_MAC_GENERAL, Mechanism), + mkEntry(CKM_CAST128_MAC_GENERAL, Mechanism), + mkEntry(CKM_CAST5_CBC_PAD, Mechanism), + mkEntry(CKM_CAST128_CBC_PAD, Mechanism), + mkEntry(CKM_RC5_KEY_GEN, Mechanism), + mkEntry(CKM_RC5_ECB, Mechanism), + mkEntry(CKM_RC5_CBC, Mechanism), + mkEntry(CKM_RC5_MAC, Mechanism), + mkEntry(CKM_RC5_MAC_GENERAL, Mechanism), + mkEntry(CKM_RC5_CBC_PAD, Mechanism), + mkEntry(CKM_IDEA_KEY_GEN, Mechanism), + mkEntry(CKM_IDEA_ECB, Mechanism), + mkEntry(CKM_IDEA_CBC, Mechanism), + mkEntry(CKM_IDEA_MAC, Mechanism), + mkEntry(CKM_IDEA_MAC_GENERAL, Mechanism), + mkEntry(CKM_IDEA_CBC_PAD, Mechanism), + mkEntry(CKM_GENERIC_SECRET_KEY_GEN, Mechanism), + mkEntry(CKM_CONCATENATE_BASE_AND_KEY, Mechanism), + mkEntry(CKM_CONCATENATE_BASE_AND_DATA, Mechanism), + mkEntry(CKM_CONCATENATE_DATA_AND_BASE, Mechanism), + mkEntry(CKM_XOR_BASE_AND_DATA, Mechanism), + mkEntry(CKM_EXTRACT_KEY_FROM_KEY, Mechanism), + mkEntry(CKM_SSL3_PRE_MASTER_KEY_GEN, Mechanism), + mkEntry(CKM_SSL3_MASTER_KEY_DERIVE, Mechanism), + mkEntry(CKM_SSL3_KEY_AND_MAC_DERIVE, Mechanism), + mkEntry(CKM_SSL3_MASTER_KEY_DERIVE_DH, Mechanism), + mkEntry(CKM_TLS_PRE_MASTER_KEY_GEN, Mechanism), + mkEntry(CKM_TLS_MASTER_KEY_DERIVE, Mechanism), + mkEntry(CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, Mechanism), + mkEntry(CKM_TLS_KEY_AND_MAC_DERIVE, Mechanism), + mkEntry(CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, Mechanism), + mkEntry(CKM_TLS_MASTER_KEY_DERIVE_DH, Mechanism), + mkEntry(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, Mechanism), + mkEntry(CKM_SSL3_MD5_MAC, Mechanism), + mkEntry(CKM_SSL3_SHA1_MAC, Mechanism), + mkEntry(CKM_MD5_KEY_DERIVATION, Mechanism), + mkEntry(CKM_MD2_KEY_DERIVATION, Mechanism), + mkEntry(CKM_SHA1_KEY_DERIVATION, Mechanism), + mkEntry(CKM_SHA256_KEY_DERIVATION, Mechanism), + mkEntry(CKM_SHA384_KEY_DERIVATION, Mechanism), + mkEntry(CKM_SHA512_KEY_DERIVATION, Mechanism), + mkEntry(CKM_PBE_MD2_DES_CBC, Mechanism), + mkEntry(CKM_PBE_MD5_DES_CBC, Mechanism), + mkEntry(CKM_PBE_MD5_CAST_CBC, Mechanism), + mkEntry(CKM_PBE_MD5_CAST3_CBC, Mechanism), + mkEntry(CKM_PBE_MD5_CAST5_CBC, Mechanism), + mkEntry(CKM_PBE_MD5_CAST128_CBC, Mechanism), + mkEntry(CKM_PBE_SHA1_CAST5_CBC, Mechanism), + mkEntry(CKM_PBE_SHA1_CAST128_CBC, Mechanism), + mkEntry(CKM_PBE_SHA1_RC4_128, Mechanism), + mkEntry(CKM_PBE_SHA1_RC4_40, Mechanism), + mkEntry(CKM_PBE_SHA1_DES3_EDE_CBC, Mechanism), + mkEntry(CKM_PBE_SHA1_DES2_EDE_CBC, Mechanism), + mkEntry(CKM_PBE_SHA1_RC2_128_CBC, Mechanism), + mkEntry(CKM_PBE_SHA1_RC2_40_CBC, Mechanism), + mkEntry(CKM_PKCS5_PBKD2, Mechanism), + mkEntry(CKM_PBA_SHA1_WITH_SHA1_HMAC, Mechanism), + mkEntry(CKM_KEY_WRAP_LYNKS, Mechanism), + mkEntry(CKM_KEY_WRAP_SET_OAEP, Mechanism), + mkEntry(CKM_SKIPJACK_KEY_GEN, Mechanism), + mkEntry(CKM_SKIPJACK_ECB64, Mechanism), + mkEntry(CKM_SKIPJACK_CBC64, Mechanism), + mkEntry(CKM_SKIPJACK_OFB64, Mechanism), + mkEntry(CKM_SKIPJACK_CFB64, Mechanism), + mkEntry(CKM_SKIPJACK_CFB32, Mechanism), + mkEntry(CKM_SKIPJACK_CFB16, Mechanism), + mkEntry(CKM_SKIPJACK_CFB8, Mechanism), + mkEntry(CKM_SKIPJACK_WRAP, Mechanism), + mkEntry(CKM_SKIPJACK_PRIVATE_WRAP, Mechanism), + mkEntry(CKM_SKIPJACK_RELAYX, Mechanism), + mkEntry(CKM_KEA_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_KEA_KEY_DERIVE, Mechanism), + mkEntry(CKM_FORTEZZA_TIMESTAMP, Mechanism), + mkEntry(CKM_BATON_KEY_GEN, Mechanism), + mkEntry(CKM_BATON_ECB128, Mechanism), + mkEntry(CKM_BATON_ECB96, Mechanism), + mkEntry(CKM_BATON_CBC128, Mechanism), + mkEntry(CKM_BATON_COUNTER, Mechanism), + mkEntry(CKM_BATON_SHUFFLE, Mechanism), + mkEntry(CKM_BATON_WRAP, Mechanism), + mkEntry(CKM_ECDSA_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_ECDSA, Mechanism), + mkEntry(CKM_ECDSA_SHA1, Mechanism), + mkEntry(CKM_ECDH1_DERIVE, Mechanism), + mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism), + mkEntry(CKM_ECMQV_DERIVE, Mechanism), + mkEntry(CKM_JUNIPER_KEY_GEN, Mechanism), + mkEntry(CKM_JUNIPER_ECB128, Mechanism), + mkEntry(CKM_JUNIPER_CBC128, Mechanism), + mkEntry(CKM_JUNIPER_COUNTER, Mechanism), + mkEntry(CKM_JUNIPER_SHUFFLE, Mechanism), + mkEntry(CKM_JUNIPER_WRAP, Mechanism), + mkEntry(CKM_FASTHASH, Mechanism), + mkEntry(CKM_AES_KEY_GEN, Mechanism), + mkEntry(CKM_AES_ECB, Mechanism), + mkEntry(CKM_AES_CBC, Mechanism), + mkEntry(CKM_AES_MAC, Mechanism), + mkEntry(CKM_AES_MAC_GENERAL, Mechanism), + mkEntry(CKM_AES_CBC_PAD, Mechanism), + mkEntry(CKM_CAMELLIA_KEY_GEN, Mechanism), + mkEntry(CKM_CAMELLIA_ECB, Mechanism), + mkEntry(CKM_CAMELLIA_CBC, Mechanism), + mkEntry(CKM_CAMELLIA_MAC, Mechanism), + mkEntry(CKM_CAMELLIA_MAC_GENERAL, Mechanism), + mkEntry(CKM_CAMELLIA_CBC_PAD, Mechanism), + mkEntry(CKM_SEED_KEY_GEN, Mechanism), + mkEntry(CKM_SEED_ECB, Mechanism), + mkEntry(CKM_SEED_CBC, Mechanism), + mkEntry(CKM_SEED_MAC, Mechanism), + mkEntry(CKM_SEED_MAC_GENERAL, Mechanism), + mkEntry(CKM_SEED_CBC_PAD, Mechanism), + mkEntry(CKM_SEED_ECB_ENCRYPT_DATA, Mechanism), + mkEntry(CKM_SEED_CBC_ENCRYPT_DATA, Mechanism), + mkEntry(CKM_DSA_PARAMETER_GEN, Mechanism), + mkEntry(CKM_DH_PKCS_PARAMETER_GEN, Mechanism), + mkEntry(CKM_NSS_AES_KEY_WRAP, Mechanism), + mkEntry(CKM_NSS_AES_KEY_WRAP_PAD, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_DES_CBC, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_40_BIT_RC4, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_128_BIT_RC4, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC, Mechanism), + mkEntry(CKM_NSS_PBE_SHA1_HMAC_KEY_GEN, Mechanism), + mkEntry(CKM_NSS_PBE_MD5_HMAC_KEY_GEN, Mechanism), + mkEntry(CKM_NSS_PBE_MD2_HMAC_KEY_GEN, Mechanism), + mkEntry(CKM_TLS_PRF_GENERAL, Mechanism), + mkEntry(CKM_NSS_TLS_PRF_GENERAL_SHA256, Mechanism), + + mkEntry(CKR_OK, Result), + mkEntry(CKR_CANCEL, Result), + mkEntry(CKR_HOST_MEMORY, Result), + mkEntry(CKR_SLOT_ID_INVALID, Result), + mkEntry(CKR_GENERAL_ERROR, Result), + mkEntry(CKR_FUNCTION_FAILED, Result), + mkEntry(CKR_ARGUMENTS_BAD, Result), + mkEntry(CKR_NO_EVENT, Result), + mkEntry(CKR_NEED_TO_CREATE_THREADS, Result), + mkEntry(CKR_CANT_LOCK, Result), + mkEntry(CKR_ATTRIBUTE_READ_ONLY, Result), + mkEntry(CKR_ATTRIBUTE_SENSITIVE, Result), + mkEntry(CKR_ATTRIBUTE_TYPE_INVALID, Result), + mkEntry(CKR_ATTRIBUTE_VALUE_INVALID, Result), + mkEntry(CKR_DATA_INVALID, Result), + mkEntry(CKR_DATA_LEN_RANGE, Result), + mkEntry(CKR_DEVICE_ERROR, Result), + mkEntry(CKR_DEVICE_MEMORY, Result), + mkEntry(CKR_DEVICE_REMOVED, Result), + mkEntry(CKR_ENCRYPTED_DATA_INVALID, Result), + mkEntry(CKR_ENCRYPTED_DATA_LEN_RANGE, Result), + mkEntry(CKR_FUNCTION_CANCELED, Result), + mkEntry(CKR_FUNCTION_NOT_PARALLEL, Result), + mkEntry(CKR_FUNCTION_NOT_SUPPORTED, Result), + mkEntry(CKR_KEY_HANDLE_INVALID, Result), + mkEntry(CKR_KEY_SIZE_RANGE, Result), + mkEntry(CKR_KEY_TYPE_INCONSISTENT, Result), + mkEntry(CKR_KEY_NOT_NEEDED, Result), + mkEntry(CKR_KEY_CHANGED, Result), + mkEntry(CKR_KEY_NEEDED, Result), + mkEntry(CKR_KEY_INDIGESTIBLE, Result), + mkEntry(CKR_KEY_FUNCTION_NOT_PERMITTED, Result), + mkEntry(CKR_KEY_NOT_WRAPPABLE, Result), + mkEntry(CKR_KEY_UNEXTRACTABLE, Result), + mkEntry(CKR_MECHANISM_INVALID, Result), + mkEntry(CKR_MECHANISM_PARAM_INVALID, Result), + mkEntry(CKR_OBJECT_HANDLE_INVALID, Result), + mkEntry(CKR_OPERATION_ACTIVE, Result), + mkEntry(CKR_OPERATION_NOT_INITIALIZED, Result), + mkEntry(CKR_PIN_INCORRECT, Result), + mkEntry(CKR_PIN_INVALID, Result), + mkEntry(CKR_PIN_LEN_RANGE, Result), + mkEntry(CKR_PIN_EXPIRED, Result), + mkEntry(CKR_PIN_LOCKED, Result), + mkEntry(CKR_SESSION_CLOSED, Result), + mkEntry(CKR_SESSION_COUNT, Result), + mkEntry(CKR_SESSION_HANDLE_INVALID, Result), + mkEntry(CKR_SESSION_PARALLEL_NOT_SUPPORTED, Result), + mkEntry(CKR_SESSION_READ_ONLY, Result), + mkEntry(CKR_SESSION_EXISTS, Result), + mkEntry(CKR_SESSION_READ_ONLY_EXISTS, Result), + mkEntry(CKR_SESSION_READ_WRITE_SO_EXISTS, Result), + mkEntry(CKR_SIGNATURE_INVALID, Result), + mkEntry(CKR_SIGNATURE_LEN_RANGE, Result), + mkEntry(CKR_TEMPLATE_INCOMPLETE, Result), + mkEntry(CKR_TEMPLATE_INCONSISTENT, Result), + mkEntry(CKR_TOKEN_NOT_PRESENT, Result), + mkEntry(CKR_TOKEN_NOT_RECOGNIZED, Result), + mkEntry(CKR_TOKEN_WRITE_PROTECTED, Result), + mkEntry(CKR_UNWRAPPING_KEY_HANDLE_INVALID, Result), + mkEntry(CKR_UNWRAPPING_KEY_SIZE_RANGE, Result), + mkEntry(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT, Result), + mkEntry(CKR_USER_ALREADY_LOGGED_IN, Result), + mkEntry(CKR_USER_NOT_LOGGED_IN, Result), + mkEntry(CKR_USER_PIN_NOT_INITIALIZED, Result), + mkEntry(CKR_USER_TYPE_INVALID, Result), + mkEntry(CKR_USER_ANOTHER_ALREADY_LOGGED_IN, Result), + mkEntry(CKR_USER_TOO_MANY_TYPES, Result), + mkEntry(CKR_WRAPPED_KEY_INVALID, Result), + mkEntry(CKR_WRAPPED_KEY_LEN_RANGE, Result), + mkEntry(CKR_WRAPPING_KEY_HANDLE_INVALID, Result), + mkEntry(CKR_WRAPPING_KEY_SIZE_RANGE, Result), + mkEntry(CKR_WRAPPING_KEY_TYPE_INCONSISTENT, Result), + mkEntry(CKR_RANDOM_SEED_NOT_SUPPORTED, Result), + mkEntry(CKR_RANDOM_NO_RNG, Result), + mkEntry(CKR_DOMAIN_PARAMS_INVALID, Result), + mkEntry(CKR_BUFFER_TOO_SMALL, Result), + mkEntry(CKR_SAVED_STATE_INVALID, Result), + mkEntry(CKR_INFORMATION_SENSITIVE, Result), + mkEntry(CKR_STATE_UNSAVEABLE, Result), + mkEntry(CKR_CRYPTOKI_NOT_INITIALIZED, Result), + mkEntry(CKR_CRYPTOKI_ALREADY_INITIALIZED, Result), + mkEntry(CKR_MUTEX_BAD, Result), + mkEntry(CKR_MUTEX_NOT_LOCKED, Result), + mkEntry(CKR_VENDOR_DEFINED, Result), + + mkEntry(CKT_NSS_TRUSTED, Trust), + mkEntry(CKT_NSS_TRUSTED_DELEGATOR, Trust), + mkEntry(CKT_NSS_NOT_TRUSTED, Trust), + mkEntry(CKT_NSS_MUST_VERIFY_TRUST, Trust), + mkEntry(CKT_NSS_TRUST_UNKNOWN, Trust), + mkEntry(CKT_NSS_VALID_DELEGATOR, Trust), + + mkEntry(CK_EFFECTIVELY_INFINITE, AvailableSizes), + mkEntry(CK_UNAVAILABLE_INFORMATION, CurrentSize), +}; + +const Constant *consts = &_consts[0]; +const unsigned int constCount = sizeof(_consts) / sizeof(_consts[0]); + +const Commands _commands[] = { + { "C_Initialize", + F_C_Initialize, + "C_Initialize pInitArgs\n\n" + "C_Initialize initializes the PKCS #11 library.\n" + " pInitArgs if this is not NULL_PTR it gets cast to and dereferenced\n", + { ArgInitializeArgs, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_Finalize", + F_C_Finalize, + "C_Finalize pReserved\n\n" + "C_Finalize indicates that an application is done with the PKCS #11 library.\n" + " pReserved reserved. Should be NULL_PTR\n", + { ArgInitializeArgs, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_GetInfo", + F_C_GetInfo, + "C_GetInfo pInfo\n\n" + "C_GetInfo returns general information about PKCS #11.\n" + " pInfo location that receives information\n", + { ArgInfo | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_GetFunctionList", + F_C_GetFunctionList, + "C_GetFunctionList ppFunctionList\n\n" + "C_GetFunctionList returns the function list.\n" + " ppFunctionList receives pointer to function list\n", + { ArgFunctionList | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_GetSlotList", + F_C_GetSlotList, + "C_GetSlotList tokenPresent pSlotList pulCount\n\n" + "C_GetSlotList obtains a list of slots in the system.\n" + " tokenPresent only slots with tokens?\n" + " pSlotList receives array of slot IDs\n" + " pulCount receives number of slots\n", + { ArgULong, ArgULong | ArgArray | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_GetSlotInfo", + F_C_GetSlotInfo, + "C_GetSlotInfo slotID pInfo\n\n" + "C_GetSlotInfo obtains information about a particular slot in the system.\n" + " slotID the ID of the slot\n" + " pInfo receives the slot information\n", + { ArgULong, ArgSlotInfo | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_GetTokenInfo", + F_C_GetTokenInfo, + "C_GetTokenInfo slotID pInfo\n\n" + "C_GetTokenInfo obtains information about a particular token in the system.\n" + " slotID ID of the token's slot\n" + " pInfo receives the token information\n", + { ArgULong, ArgTokenInfo | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_GetMechanismList", + F_C_GetMechanismList, + "C_GetMechanismList slotID pMechanismList pulCount\n\n" + "C_GetMechanismList obtains a list of mechanism types supported by a token.\n" + " slotID ID of token's slot\n" + " pMechanismList gets mech. array\n" + " pulCount gets # of mechs.\n", + { ArgULong, ArgULong | ArgArray | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_GetMechanismInfo", + F_C_GetMechanismInfo, + "C_GetMechanismInfo slotID type pInfo\n\n" + "C_GetMechanismInfo obtains information about a particular mechanism possibly\n" + "supported by a token.\n" + " slotID ID of the token's slot\n" + " type type of mechanism\n" + " pInfo receives mechanism info\n", + { ArgULong, ArgULong, ArgMechanismInfo | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_InitToken", + F_C_InitToken, + "C_InitToken slotID pPin ulPinLen pLabel\n\n" + "C_InitToken initializes a token.\n" + " slotID ID of the token's slot\n" + " pPin the SO's initial PIN\n" + " ulPinLen length in bytes of the PIN\n" + " pLabel 32-byte token label (blank padded)\n", + { ArgULong, ArgUTF8, ArgULong, ArgUTF8, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_InitPIN", + F_C_InitPIN, + "C_InitPIN hSession pPin ulPinLen\n\n" + "C_InitPIN initializes the normal user's PIN.\n" + " hSession the session's handle\n" + " pPin the normal user's PIN\n" + " ulPinLen length in bytes of the PIN\n", + { ArgULong, ArgUTF8, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_SetPIN", + F_C_SetPIN, + "C_SetPIN hSession pOldPin ulOldLen pNewPin ulNewLen\n\n" + "C_SetPIN modifies the PIN of the user who is logged in.\n" + " hSession the session's handle\n" + " pOldPin the old PIN\n" + " ulOldLen length of the old PIN\n" + " pNewPin the new PIN\n" + " ulNewLen length of the new PIN\n", + { ArgULong, ArgUTF8, ArgULong, ArgUTF8, ArgULong, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_OpenSession", + F_C_OpenSession, + "C_OpenSession slotID flags phSession\n\n" + "C_OpenSession opens a session between an application and a token.\n" + " slotID the slot's ID\n" + " flags from\n" + " phSession gets session handle\n", + { ArgULong, ArgULong, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_CloseSession", + F_C_CloseSession, + "C_CloseSession hSession\n\n" + "C_CloseSession closes a session between an application and a token.\n" + " hSession the session's handle\n", + { ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_CloseAllSessions", + F_C_CloseAllSessions, + "C_CloseAllSessions slotID\n\n" + "C_CloseAllSessions closes all sessions with a token.\n" + " slotID the token's slot\n", + { ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_GetSessionInfo", + F_C_GetSessionInfo, + "C_GetSessionInfo hSession pInfo\n\n" + "C_GetSessionInfo obtains information about the session.\n" + " hSession the session's handle\n" + " pInfo receives session info\n", + { ArgULong, ArgSessionInfo | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_GetOperationState", + F_C_GetOperationState, + "C_GetOperationState hSession pOpState pulOpStateLen\n\n" + "C_GetOperationState obtains the state of the cryptographic operation in a\n" + "session.\n" + " hSession session's handle\n" + " pOpState gets state\n" + " pulOpStateLen gets state length\n", + { ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_SetOperationState", + F_C_SetOperationState, + "C_SetOperationState hSession pOpState ulOpStateLen hEncKey hAuthKey\n\n" + "C_SetOperationState restores the state of the cryptographic operation in a\n" + "session.\n" + " hSession session's handle\n" + " pOpState holds state\n" + " ulOpStateLen holds state length\n" + " hEncKey en/decryption key\n" + " hAuthnKey sign/verify key\n", + { ArgULong, ArgChar | ArgOut, ArgULong, ArgULong, ArgULong, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_Login", + F_C_Login, + "C_Login hSession userType pPin ulPinLen\n\n" + "C_Login logs a user into a token.\n" + " hSession the session's handle\n" + " userType the user type\n" + " pPin the user's PIN\n" + " ulPinLen the length of the PIN\n", + { ArgULong, ArgULong, ArgVar, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_Logout", + F_C_Logout, + "C_Logout hSession\n\n" + "C_Logout logs a user out from a token.\n" + " hSession the session's handle\n", + { ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_CreateObject", + F_C_CreateObject, + "C_CreateObject hSession pTemplate ulCount phObject\n\n" + "C_CreateObject creates a new object.\n" + " hSession the session's handle\n" + " pTemplate the object's template\n" + " ulCount attributes in template\n" + " phObject gets new object's handle.\n", + { ArgULong, ArgAttribute | ArgArray, ArgULong, ArgULong | ArgOut, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_CopyObject", + F_C_CopyObject, + "C_CopyObject hSession hObject pTemplate ulCount phNewObject\n\n" + "C_CopyObject copies an object creating a new object for the copy.\n" + " hSession the session's handle\n" + " hObject the object's handle\n" + " pTemplate template for new object\n" + " ulCount attributes in template\n" + " phNewObject receives handle of copy\n", + { ArgULong, ArgULong, ArgAttribute | ArgArray, ArgULong, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DestroyObject", + F_C_DestroyObject, + "C_DestroyObject hSession hObject\n\n" + "C_DestroyObject destroys an object.\n" + " hSession the session's handle\n" + " hObject the object's handle\n", + { ArgULong, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_GetObjectSize", + F_C_GetObjectSize, + "C_GetObjectSize hSession hObject pulSize\n\n" + "C_GetObjectSize gets the size of an object in bytes.\n" + " hSession the session's handle\n" + " hObject the object's handle\n" + " pulSize receives size of object\n", + { ArgULong, ArgULong, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_GetAttributeValue", + F_C_GetAttributeValue, + "C_GetAttributeValue hSession hObject pTemplate ulCount\n\n" + "C_GetAttributeValue obtains the value of one or more object attributes.\n" + " hSession the session's handle\n" + " hObject the object's handle\n" + " pTemplate specifies attrs; gets vals\n" + " ulCount attributes in template\n", + { ArgULong, ArgULong, ArgAttribute | ArgArray, ArgULong, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_SetAttributeValue", + F_C_SetAttributeValue, + "C_SetAttributeValue hSession hObject pTemplate ulCount\n\n" + "C_SetAttributeValue modifies the value of one or more object attributes\n" + " hSession the session's handle\n" + " hObject the object's handle\n" + " pTemplate specifies attrs and values\n" + " ulCount attributes in template\n", + { ArgULong, ArgULong, ArgAttribute | ArgArray, ArgULong, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_FindObjectsInit", + F_C_FindObjectsInit, + "C_FindObjectsInit hSession pTemplate ulCount\n\n" + "C_FindObjectsInit initializes a search for token and session objects that\n" + "match a template.\n" + " hSession the session's handle\n" + " pTemplate attribute values to match\n" + " ulCount attrs in search template\n", + { ArgULong, ArgAttribute | ArgArray, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_FindObjectsFinal", + F_C_FindObjectsFinal, + "C_FindObjectsFinal hSession\n\n" + "C_FindObjectsFinal finishes a search for token and session objects.\n" + " hSession the session's handle\n", + { ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_FindObjects", + F_C_FindObjects, + "C_FindObjects hSession phObject ulMaxObjectCount pulObjectCount\n\n" + "C_FindObjects continues a search for token and session objects that match\n" + "a template obtaining additional object handles.\n" + " hSession session's handle\n" + " phObject gets obj. handles\n" + " ulMaxObjectCount max handles to get\n" + " pulObjectCount actual # returned\n", + { ArgULong, ArgULong | ArgOut, ArgULong, ArgULong | ArgOut, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_EncryptInit", + F_C_EncryptInit, + "C_EncryptInit hSession pMechanism hKey\n\n" + "C_EncryptInit initializes an encryption operation.\n" + " hSession the session's handle\n" + " pMechanism the encryption mechanism\n" + " hKey handle of encryption key\n", + { ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_EncryptUpdate", + F_C_EncryptUpdate, + "C_EncryptUpdate hSession pPart ulPartLen pEncryptedPart pulEncryptedPartLen\n" + "\n" + "C_EncryptUpdate continues a multiple-part encryption operation.\n" + " hSession session's handle\n" + " pPart the plaintext data\n" + " ulPartLen plaintext data len\n" + " pEncryptedPart gets ciphertext\n" + " pulEncryptedPartLen gets c-text size\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_EncryptFinal", + F_C_EncryptFinal, + "C_EncryptFinal hSession pLastEncryptedPart pulLastEncryptedPartLen\n\n" + "C_EncryptFinal finishes a multiple-part encryption operation.\n" + " hSession session handle\n" + " pLastEncryptedPart last c-text\n" + " pulLastEncryptedPartLen gets last size\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_Encrypt", + F_C_Encrypt, + "C_Encrypt hSession pData ulDataLen pEncryptedData pulEncryptedDataLen\n\n" + "C_Encrypt encrypts single-part data.\n" + " hSession session's handle\n" + " pData the plaintext data\n" + " ulDataLen bytes of plaintext\n" + " pEncryptedData gets ciphertext\n" + " pulEncryptedDataLen gets c-text size\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DecryptInit", + F_C_DecryptInit, + "C_DecryptInit hSession pMechanism hKey\n\n" + "C_DecryptInit initializes a decryption operation.\n" + " hSession the session's handle\n" + " pMechanism the decryption mechanism\n" + " hKey handle of decryption key\n", + { ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_DecryptUpdate", + F_C_DecryptUpdate, + "C_DecryptUpdate hSession pEncryptedPart ulEncryptedPartLen pPart pulPartLen\n" + "\n" + "C_DecryptUpdate continues a multiple-part decryption operation.\n" + " hSession session's handle\n" + " pEncryptedPart encrypted data\n" + " ulEncryptedPartLen input length\n" + " pPart gets plaintext\n" + " pulPartLen p-text size\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DecryptFinal", + F_C_DecryptFinal, + "C_DecryptFinal hSession pLastPart pulLastPartLen\n\n" + "C_DecryptFinal finishes a multiple-part decryption operation.\n" + " hSession the session's handle\n" + " pLastPart gets plaintext\n" + " pulLastPartLen p-text size\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_Decrypt", + F_C_Decrypt, + "C_Decrypt hSession pEncryptedData ulEncryptedDataLen pData pulDataLen\n\n" + "C_Decrypt decrypts encrypted data in a single part.\n" + " hSession session's handle\n" + " pEncryptedData ciphertext\n" + " ulEncryptedDataLen ciphertext length\n" + " pData gets plaintext\n" + " pulDataLen gets p-text size\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DigestInit", + F_C_DigestInit, + "C_DigestInit hSession pMechanism\n\n" + "C_DigestInit initializes a message-digesting operation.\n" + " hSession the session's handle\n" + " pMechanism the digesting mechanism\n", + { ArgULong, ArgMechanism, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_DigestUpdate", + F_C_DigestUpdate, + "C_DigestUpdate hSession pPart ulPartLen\n\n" + "C_DigestUpdate continues a multiple-part message-digesting operation.\n" + " hSession the session's handle\n" + " pPart data to be digested\n" + " ulPartLen bytes of data to be digested\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DigestKey", + F_C_DigestKey, + "C_DigestKey hSession hKey\n\n" + "C_DigestKey continues a multi-part message-digesting operation by digesting\n" + "the value of a secret key as part of the data already digested.\n" + " hSession the session's handle\n" + " hKey secret key to digest\n", + { ArgULong, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_DigestFinal", + F_C_DigestFinal, + "C_DigestFinal hSession pDigest pulDigestLen\n\n" + "C_DigestFinal finishes a multiple-part message-digesting operation.\n" + " hSession the session's handle\n" + " pDigest gets the message digest\n" + " pulDigestLen gets byte count of digest\n", + { ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_Digest", + F_C_Digest, + "C_Digest hSession pData ulDataLen pDigest pulDigestLen\n\n" + "C_Digest digests data in a single part.\n" + " hSession the session's handle\n" + " pData data to be digested\n" + " ulDataLen bytes of data to digest\n" + " pDigest gets the message digest\n" + " pulDigestLen gets digest length\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_SignInit", + F_C_SignInit, + "C_SignInit hSession pMechanism hKey\n\n" + "C_SignInit initializes a signature (private key encryption operation where\n" + "the signature is (will be) an appendix to the data and plaintext cannot be\n" + "recovered from the signature.\n" + " hSession the session's handle\n" + " pMechanism the signature mechanism\n" + " hKey handle of signature key\n", + { ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_SignUpdate", + F_C_SignUpdate, + "C_SignUpdate hSession pPart ulPartLen\n\n" + "C_SignUpdate continues a multiple-part signature operation where the\n" + "signature is (will be) an appendix to the data and plaintext cannot be\n" + "recovered from the signature.\n" + " hSession the session's handle\n" + " pPart the data to sign\n" + " ulPartLen count of bytes to sign\n", + { ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_SignFinal", + F_C_SignFinal, + "C_SignFinal hSession pSignature pulSignatureLen\n\n" + "C_SignFinal finishes a multiple-part signature operation returning the\n" + "signature.\n" + " hSession the session's handle\n" + " pSignature gets the signature\n" + " pulSignatureLen gets signature length\n", + { ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_SignRecoverInit", + F_C_SignRecoverInit, + "C_SignRecoverInit hSession pMechanism hKey\n\n" + "C_SignRecoverInit initializes a signature operation where the data can be\n" + "recovered from the signature.\n" + " hSession the session's handle\n" + " pMechanism the signature mechanism\n" + " hKey handle of the signature key\n", + { ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_SignRecover", + F_C_SignRecover, + "C_SignRecover hSession pData ulDataLen pSignature pulSignatureLen\n\n" + "C_SignRecover signs data in a single operation where the data can be\n" + "recovered from the signature.\n" + " hSession the session's handle\n" + " pData the data to sign\n" + " ulDataLen count of bytes to sign\n" + " pSignature gets the signature\n" + " pulSignatureLen gets signature length\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_Sign", + F_C_Sign, + "C_Sign hSession pData ulDataLen pSignature pulSignatureLen\n\n" + "C_Sign signs (encrypts with private key) data in a single part where the\n" + "signature is (will be) an appendix to the data and plaintext cannot be\n" + "recovered from the signature.\n" + " hSession the session's handle\n" + " pData the data to sign\n" + " ulDataLen count of bytes to sign\n" + " pSignature gets the signature\n" + " pulSignatureLen gets signature length\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_VerifyInit", + F_C_VerifyInit, + "C_VerifyInit hSession pMechanism hKey\n\n" + "C_VerifyInit initializes a verification operation where the signature is an\n" + "appendix to the data and plaintext cannot cannot be recovered from the\n" + "signature (e.g. DSA).\n" + " hSession the session's handle\n" + " pMechanism the verification mechanism\n" + " hKey verification key\n", + { ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_VerifyUpdate", + F_C_VerifyUpdate, + "C_VerifyUpdate hSession pPart ulPartLen\n\n" + "C_VerifyUpdate continues a multiple-part verification operation where the\n" + "signature is an appendix to the data and plaintext cannot be recovered from\n" + "the signature.\n" + " hSession the session's handle\n" + " pPart signed data\n" + " ulPartLen length of signed data\n", + { ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_VerifyFinal", + F_C_VerifyFinal, + "C_VerifyFinal hSession pSignature ulSignatureLen\n\n" + "C_VerifyFinal finishes a multiple-part verification operation checking the\n" + "signature.\n" + " hSession the session's handle\n" + " pSignature signature to verify\n" + " ulSignatureLen signature length\n", + { ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "C_VerifyRecoverInit", + F_C_VerifyRecoverInit, + "C_VerifyRecoverInit hSession pMechanism hKey\n\n" + "C_VerifyRecoverInit initializes a signature verification operation where the\n" + "data is recovered from the signature.\n" + " hSession the session's handle\n" + " pMechanism the verification mechanism\n" + " hKey verification key\n", + { ArgULong, ArgMechanism, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "C_VerifyRecover", + F_C_VerifyRecover, + "C_VerifyRecover hSession pSignature ulSignatureLen pData pulDataLen\n\n" + "C_VerifyRecover verifies a signature in a single-part operation where the\n" + "data is recovered from the signature.\n" + " hSession the session's handle\n" + " pSignature signature to verify\n" + " ulSignatureLen signature length\n" + " pData gets signed data\n" + " pulDataLen gets signed data len\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_Verify", + F_C_Verify, + "C_Verify hSession pData ulDataLen pSignature ulSignatureLen\n\n" + "C_Verify verifies a signature in a single-part operation where the signature\n" + "is an appendix to the data and plaintext cannot be recovered from the\n" + "signature.\n" + " hSession the session's handle\n" + " pData signed data\n" + " ulDataLen length of signed data\n" + " pSignature signature\n" + " ulSignatureLen signature length*/\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DigestEncryptUpdate", + F_C_DigestEncryptUpdate, + "C_DigestEncryptUpdate hSession pPart ulPartLen pEncryptedPart \\\n" + " pulEncryptedPartLen\n\n" + "C_DigestEncryptUpdate continues a multiple-part digesting and encryption\n" + "operation.\n" + " hSession session's handle\n" + " pPart the plaintext data\n" + " ulPartLen plaintext length\n" + " pEncryptedPart gets ciphertext\n" + " pulEncryptedPartLen gets c-text length\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DecryptDigestUpdate", + F_C_DecryptDigestUpdate, + "C_DecryptDigestUpdate hSession pEncryptedPart ulEncryptedPartLen pPart \\\n" + " pulPartLen\n\n" + "C_DecryptDigestUpdate continues a multiple-part decryption and digesting\n" + "operation.\n" + " hSession session's handle\n" + " pEncryptedPart ciphertext\n" + " ulEncryptedPartLen ciphertext length\n" + " pPart gets plaintext\n" + " pulPartLen gets plaintext len\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_SignEncryptUpdate", + F_C_SignEncryptUpdate, + "C_SignEncryptUpdate hSession pPart ulPartLen pEncryptedPart \\\n" + " pulEncryptedPartLen\n\n" + "C_SignEncryptUpdate continues a multiple-part signing and encryption\n" + "operation.\n" + " hSession session's handle\n" + " pPart the plaintext data\n" + " ulPartLen plaintext length\n" + " pEncryptedPart gets ciphertext\n" + " pulEncryptedPartLen gets c-text length\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_DecryptVerifyUpdate", + F_C_DecryptVerifyUpdate, + "C_DecryptVerifyUpdate hSession pEncryptedPart ulEncryptedPartLen pPart \\\n" + " pulPartLen\n\n" + "C_DecryptVerifyUpdate continues a multiple-part decryption and verify\n" + "operation.\n" + " hSession session's handle\n" + " pEncryptedPart ciphertext\n" + " ulEncryptedPartLen ciphertext length\n" + " pPart gets plaintext\n" + " pulPartLen gets p-text length\n", + { ArgULong, ArgChar, ArgULong, ArgChar | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_GenerateKeyPair", + F_C_GenerateKeyPair, + "C_GenerateKeyPair hSession pMechanism pPublicKeyTemplate \\\n" + " ulPublicKeyAttributeCount pPrivateKeyTemplate ulPrivateKeyAttributeCount \\\n" + " phPublicKey phPrivateKey\n\n" + "C_GenerateKeyPair generates a public-key/private-key pair creating new key\n" + "objects.\n" + " hSession sessionhandle\n" + " pMechanism key-genmech.\n" + " pPublicKeyTemplate templatefor pub. key\n" + " ulPublicKeyAttributeCount # pub. attrs.\n" + " pPrivateKeyTemplate templatefor priv. key\n" + " ulPrivateKeyAttributeCount # priv. attrs.\n" + " phPublicKey gets pub. keyhandle\n" + " phPrivateKey getspriv. keyhandle\n", + { ArgULong, ArgMechanism, ArgAttribute | ArgArray, ArgULong, + ArgAttribute | ArgArray, ArgULong, ArgULong | ArgOut, ArgULong | ArgOut, ArgNone, + ArgNone } }, + { "C_GenerateKey", + F_C_GenerateKey, + "C_GenerateKey hSession pMechanism pTemplate ulCount phKey\n\n" + "C_GenerateKey generates a secret key creating a new key object.\n" + " hSession the session's handle\n" + " pMechanism key generation mech.\n" + " pTemplate template for new key\n" + " ulCount # of attrs in template\n" + " phKey gets handle of new key\n", + { ArgULong, ArgMechanism, ArgAttribute | ArgArray, ArgULong, ArgULong | ArgOut, + ArgNone, ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_WrapKey", + F_C_WrapKey, + "C_WrapKey hSession pMechanism hWrappingKey hKey pWrappedKey pulWrappedKeyLen\n\n" + "C_WrapKey wraps (i.e. encrypts) a key.\n" + " hSession the session's handle\n" + " pMechanism the wrapping mechanism\n" + " hWrappingKey wrapping key\n" + " hKey key to be wrapped\n" + " pWrappedKey gets wrapped key\n" + " pulWrappedKeyLen gets wrapped key size\n", + { ArgULong, ArgMechanism, ArgULong, ArgULong, ArgULong, ArgChar | ArgOut, + ArgULong | ArgOut, ArgNone, ArgNone, ArgNone } }, + { "C_UnwrapKey", + F_C_UnwrapKey, + "C_UnwrapKey hSession pMechanism hUnwrappingKey pWrappedKey ulWrappedKeyLen \\\n" + " pTemplate ulAttributeCount phKey\n\n" + "C_UnwrapKey unwraps (decrypts) a wrapped key creating a new key object.\n" + " hSession session's handle\n" + " pMechanism unwrapping mech.\n" + " hUnwrappingKey unwrapping key\n" + " pWrappedKey the wrapped key\n" + " ulWrappedKeyLen wrapped key len\n" + " pTemplate new key template\n" + " ulAttributeCount template length\n" + " phKey gets new handle\n", + { ArgULong, ArgMechanism, ArgULong, ArgChar, ArgULong, ArgAttribute | ArgArray, + ArgULong, ArgULong | ArgOut, ArgNone, ArgNone } }, + { "C_DeriveKey", + F_C_DeriveKey, + "C_DeriveKey hSession pMechanism hBaseKey pTemplate ulAttributeCount phKey\n\n" + "C_DeriveKey derives a key from a base key creating a new key object.\n" + " hSession session's handle\n" + " pMechanism key deriv. mech.\n" + " hBaseKey base key\n" + " pTemplate new key template\n" + " ulAttributeCount template length\n" + " phKey gets new handle\n", + { ArgULong, ArgMechanism, ArgULong, ArgAttribute | ArgArray, ArgULong, + ArgULong | ArgOut, ArgNone, ArgNone, ArgNone, ArgNone } }, + { "C_SeedRandom", + F_C_SeedRandom, + "C_SeedRandom hSession pSeed ulSeedLen\n\n" + "C_SeedRandom mixes additional seed material into the token's random number\n" + "generator.\n" + " hSession the session's handle\n" + " pSeed the seed material\n" + " ulSeedLen length of seed material\n", + { ArgULong, ArgChar, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_GenerateRandom", + F_C_GenerateRandom, + "C_GenerateRandom hSession RandomData ulRandomLen\n\n" + "C_GenerateRandom generates random data.\n" + " hSession the session's handle\n" + " RandomData receives the random data\n" + " ulRandomLen # of bytes to generate\n", + { ArgULong, ArgChar, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_GetFunctionStatus", + F_C_GetFunctionStatus, + "C_GetFunctionStatus hSession\n\n" + "C_GetFunctionStatus is a legacy function; it obtains an updated status of\n" + "a function running in parallel with an application.\n" + " hSession the session's handle\n", + { ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_CancelFunction", + F_C_CancelFunction, + "C_CancelFunction hSession\n\n" + "C_CancelFunction is a legacy function; it cancels a function running in\n" + "parallel.\n" + " hSession the session's handle\n", + { ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "C_WaitForSlotEvent", + F_C_WaitForSlotEvent, + "C_WaitForSlotEvent flags pSlot pRserved\n\n" + "C_WaitForSlotEvent waits for a slot event (token insertion removal etc.)\n" + "to occur.\n" + " flags blocking/nonblocking flag\n" + " pSlot location that receives the slot ID\n" + " pRserved reserved. Should be NULL_PTR\n", + { ArgULong, ArgULong | ArgArray, ArgVar, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "NewArray", + F_NewArray, + "NewArray varName varType array size\n\n" + "Creates a new array variable.\n" + " varName variable name of the new array\n" + " varType data type of the new array\n" + " size number of elements in the array\n", + { ArgVar | ArgNew, ArgVar, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "NewInitArg", + F_NewInitializeArgs, + "NewInitArg varName flags string\n\n" + "Creates a new init variable.\n" + " varName variable name of the new initArg\n" + " flags value to set the flags field\n" + " string string parameter for init arg\n", + { ArgVar | ArgNew, ArgULong, ArgVar | ArgNew, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "NewTemplate", + F_NewTemplate, + "NewTemplate varName attributeList\n\n" + "Create a new empty template and populate the attribute list\n" + " varName variable name of the new template\n" + " attributeList comma separated list of CKA_ATTRIBUTE types\n", + { ArgVar | ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "NewMechanism", + F_NewMechanism, + "NewMechanism varName mechanismType\n\n" + "Create a new CK_MECHANISM object with type NULL parameters and specified type\n" + " varName variable name of the new mechansim\n" + " mechanismType CKM_ mechanism type value to set int the type field\n", + { ArgVar | ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "BuildTemplate", + F_BuildTemplate, + "BuildTemplate template\n\n" + "Allocates space for the value in a template which has the sizes filled in,\n" + "but no values allocated yet.\n" + " template variable name of the template\n", + { ArgAttribute, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "SetTemplate", + F_SetTemplate, + "SetTemplate template index value\n\n" + "Sets a particular element of a template to a CK_ULONG\n" + " template variable name of the template\n" + " index index into the template to the element to change\n" + " value 32 bit value to set in the template\n", + { ArgAttribute, ArgULong, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "SetString", + F_SetStringVar, + "SetString varName string\n\n" + "Sets a particular variable to a string value\n" + " variable variable name of new string\n" + " string String to set the variable to\n", + { ArgVar | ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "Set", + F_SetVar, + "Set varName value\n\n" + "Sets a particular variable to CK_ULONG\n" + " variable name of the new variable\n" + " value 32 bit value to set variable to\n", + { ArgVar | ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "Print", + F_Print, + "Print varName\n\n" + "prints a variable\n" + " variable name of the variable to print\n", + { ArgVar, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "Delete", + F_Delete, + "Delete varName\n\n" + "delete a variable\n" + " variable name of the variable to delete\n", + { ArgVar | ArgNew, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "Load", + F_Load, + "load libraryName\n\n" + "load a pkcs #11 module\n" + " libraryName Name of a shared library\n", + { ArgVar, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "Save", + F_SaveVar, + "Save filename variable\n\n" + "Saves the binary value of 'variable' in file 'filename'\n" + " fileName target file to save the variable in\n" + " variable variable to save\n", + { ArgVar | ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "Restore", + F_RestoreVar, + "Restore filename variable\n\n" + "Restores a variable from a file\n" + " fileName target file to restore the variable from\n" + " variable variable to restore\n", + { ArgVar | ArgNew, ArgVar, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "Increment", + F_Increment, + "Increment variable value\n\n" + "Increment a variable by value\n", + { ArgVar, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "Decrement", + F_Decrement, + "Decrement variable value\n\n" + "Decrement a variable by value\n", + { ArgVar, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "List", + F_List, + "List all the variables\n", + { ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "Unload", + F_Unload, + "Unload the currrently loaded PKCS #11 library\n", + { ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "Run", + F_Run, + "Run filename\n\n" + "reads filename as script of commands to execute\n", + { ArgVar | ArgNew, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "Time", + F_Time, + "Time pkcs11 command\n\n" + "Execute a pkcs #11 command and time the results\n", + { ArgVar | ArgFull, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "System", + F_System, + "Set System Flag", + { ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, + { "LoopRun", + F_Loop, + "LoopRun filename var start end step\n\n" + "Run in a loop. Loop exit if scrip does and explicit quit (Quit QuitIf etc.)", + { ArgVar | ArgNew, ArgVar | ArgNew, ArgULong, ArgULong, ArgULong, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone } }, + { "Help", + F_Help, + "Help [command]\n\n" + "print general help, or help for a specific command\n", + { ArgVar | ArgOpt, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "QuitIf", + F_QuitIf, + "QuitIf arg1 comparator arg2\n\n" + "Exit from this program if Condition is valid, valid comparators:\n" + " < > <= >= = !=\n", + { ArgULong, ArgVar | ArgNew, ArgULong, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone } }, + { "QuitIfString", + F_QuitIfString, + "QuitIfString arg1 comparator arg2\n\n" + "Exit from this program if Condition is valid, valid comparators:\n" + " = !=\n", + { ArgVar | ArgNew, ArgVar | ArgNew, ArgVar | ArgNew, ArgNone, ArgNone, ArgNone, + ArgNone, ArgNone, ArgNone, ArgNone } }, + { "Quit", + F_Quit, + "Exit from this program", + { ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, ArgNone, + ArgNone } }, +}; + +const Commands *commands = &_commands[0]; +const int commandCount = sizeof(_commands) / sizeof(_commands[0]); + +const Topics _topics[] = { + { "variables", + "Variables are random strings of characters. These should begin with alpha\n" + " characters, and should not contain any spaces, nor should they match any\n" + " built-in constants. There is some checking in the code for these things,\n" + " but it's not 100% and using invalid variable names can cause problems.\n" + " Variables are created by any 'OUT' parameter. If the variable does not\n" + " exist, it will be created. For in parameters variables must already exist.\n" }, + { "constants", + "pk11util recognizes *lots* of constants. All CKA_, CKF_, CKO_, CKU_, CKS_,\n" + " CKC_, CKK_, CKH_, CKM_, CKT_ values from the PKCS #11 spec are recognized.\n" + " Constants can be specified with their fully qualified CK?_ value, or the\n" + " prefix can be dropped. Constants are matched case insensitve.\n" }, + { "arrays", + "Arrays are special variables which represent 'C' arrays. Each array \n" + " variable can be referenced as a group (using just the name), or as \n" + " individual elements (with the [int] operator). Example:\n" + " print myArray # prints the full array.\n" + " print myArray[3] # prints the 3rd elemement of the array \n" }, + { "sizes", + "Size operaters returns the size in bytes of a variable, or the number of\n" + " elements in an array.\n" + " size(var) and sizeof(var) return the size of var in bytes.\n" + " sizea(var) and sizeofarray(var) return the number of elements in var.\n" + " If var is not an array, sizea(var) returns 1.\n" }, +}; + +const Topics *topics = &_topics[0]; +const int topicCount = sizeof(_topics) / sizeof(_topics[0]); + +const char * +getName(CK_ULONG value, ConstType type) +{ + unsigned int i; + + for (i = 0; i < constCount; i++) { + if (consts[i].type == type && consts[i].value == value) { + return consts[i].name; + } + if (type == ConstNone && consts[i].value == value) { + return consts[i].name; + } + } + + return NULL; +} + +const char * +getNameFromAttribute(CK_ATTRIBUTE_TYPE type) +{ + return getName(type, ConstAttribute); +} + +unsigned int +totalKnownType(ConstType type) +{ + unsigned int count = 0; + unsigned int i; + + for (i = 0; i < constCount; i++) { + if (consts[i].type == type) + count++; + } + return count; +} diff --git a/tools/src/main/native/p12tool/pk11table.h b/tools/src/main/native/p12tool/pk11table.h new file mode 100644 index 000000000..3dea8204d --- /dev/null +++ b/tools/src/main/native/p12tool/pk11table.h @@ -0,0 +1,178 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _PK11_TABLE_H_ +#define _PK11_TABLE_H_ + +/* + * Supported functions.. + */ +#include +#include "nspr.h" +#include "prtypes.h" + +typedef enum { + F_No_Function, +#undef CK_NEED_ARG_LIST +#define CK_PKCS11_FUNCTION_INFO(func) F_##func, +#include "pkcs11f.h" +#undef CK_NEED_ARG_LISt +#undef CK_PKCS11_FUNCTION_INFO + F_SetVar, + F_SetStringVar, + F_NewArray, + F_NewInitializeArgs, + F_NewTemplate, + F_NewMechanism, + F_BuildTemplate, + F_SetTemplate, + F_Print, + F_SaveVar, + F_RestoreVar, + F_Increment, + F_Decrement, + F_Delete, + F_List, + F_Run, + F_Load, + F_Unload, + F_System, + F_Loop, + F_Time, + F_Help, + F_Quit, + F_QuitIf, + F_QuitIfString +} FunctionType; + +/* + * Supported Argument Types + */ +typedef enum { + ArgNone, + ArgVar, + ArgULong, + ArgChar, + ArgUTF8, + ArgInfo, + ArgSlotInfo, + ArgTokenInfo, + ArgSessionInfo, + ArgAttribute, + ArgMechanism, + ArgMechanismInfo, + ArgInitializeArgs, + ArgFunctionList, + /* Modifier Flags */ + ArgMask = 0xff, + ArgOut = 0x100, + ArgArray = 0x200, + ArgNew = 0x400, + ArgFile = 0x800, + ArgStatic = 0x1000, + ArgOpt = 0x2000, + ArgFull = 0x4000 +} ArgType; + +typedef enum _constType { + ConstNone, + ConstBool, + ConstInfoFlags, + ConstSlotFlags, + ConstTokenFlags, + ConstSessionFlags, + ConstMechanismFlags, + ConstInitializeFlags, + ConstUsers, + ConstSessionState, + ConstObject, + ConstHardware, + ConstKeyType, + ConstCertType, + ConstAttribute, + ConstMechanism, + ConstResult, + ConstTrust, + ConstAvailableSizes, + ConstCurrentSize +} ConstType; + +typedef struct _constant { + const char *name; + CK_ULONG value; + ConstType type; + ConstType attrType; +} Constant; + +/* + * Values structures. + */ +typedef struct _values { + ArgType type; + ConstType constType; + int size; + char *filename; + void *data; + int reference; + int arraySize; +} Value; + +/* + * Variables + */ +typedef struct _variable Variable; +struct _variable { + Variable *next; + char *vname; + Value *value; +}; + +/* NOTE: if you change MAX_ARGS, you need to change the commands array + * below as well. + */ + +#define MAX_ARGS 10 +/* + * structure for master command array + */ +typedef struct _commands { + char *fname; + FunctionType fType; + char *helpString; + ArgType args[MAX_ARGS]; +} Commands; + +typedef struct _module { + PRLibrary *library; + CK_FUNCTION_LIST *functionList; +} Module; + +typedef struct _topics { + char *name; + char *helpString; +} Topics; + +/* + * the command array itself. Make name to function and it's arguments + */ + +extern const char **valueString; +extern const int valueCount; +extern const char **constTypeString; +extern const int constTypeCount; +extern const Constant *consts; +extern const unsigned int constCount; +extern const Commands *commands; +extern const int commandCount; +extern const Topics *topics; +extern const int topicCount; + +extern const char * +getName(CK_ULONG value, ConstType type); + +extern const char * +getNameFromAttribute(CK_ATTRIBUTE_TYPE type); + +extern unsigned int totalKnownType(ConstType type); + +#endif /* _PK11_TABLE_H_ */ diff --git a/tools/src/main/native/p12tool/pppolicy.c b/tools/src/main/native/p12tool/pppolicy.c new file mode 100644 index 000000000..aaf45599d --- /dev/null +++ b/tools/src/main/native/p12tool/pppolicy.c @@ -0,0 +1,263 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Support for various policy related extensions + */ + +#include "seccomon.h" +#include "secport.h" +#include "secder.h" +#include "cert.h" +#include "secoid.h" +#include "secasn1.h" +#include "secerr.h" +#include "nspr.h" +#include "secutil.h" + +/* This implementation is derived from the one in nss/lib/certdb/policyxtn.c . +** The chief difference is the addition of the OPTIONAL flag to many +** parts. The idea is to be able to parse and print as much of the +** policy extension as possible, even if some parts are invalid. +** +** If this approach still is unable to decode policy extensions that +** contain invalid parts, then the next approach will be to parse +** the PolicyInfos as a SEQUENCE of ANYs, and then parse each of them +** as PolicyInfos, with the PolicyQualifiers being ANYs, and finally +** parse each of the PolicyQualifiers. +*/ + +static const SEC_ASN1Template secu_PolicyQualifierTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTPolicyQualifier) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CERTPolicyQualifier, qualifierID) }, + { SEC_ASN1_ANY | SEC_ASN1_OPTIONAL, + offsetof(CERTPolicyQualifier, qualifierValue) }, + { 0 } +}; + +static const SEC_ASN1Template secu_PolicyInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CERTPolicyInfo) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CERTPolicyInfo, policyID) }, + { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_OPTIONAL, + offsetof(CERTPolicyInfo, policyQualifiers), + secu_PolicyQualifierTemplate }, + { 0 } +}; + +static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = { + { SEC_ASN1_SEQUENCE_OF, + offsetof(CERTCertificatePolicies, policyInfos), + secu_PolicyInfoTemplate, sizeof(CERTCertificatePolicies) } +}; + +static CERTCertificatePolicies * +secu_DecodeCertificatePoliciesExtension(SECItem *extnValue) +{ + PLArenaPool *arena = NULL; + SECStatus rv; + CERTCertificatePolicies *policies; + CERTPolicyInfo **policyInfos, *policyInfo; + CERTPolicyQualifier **policyQualifiers, *policyQualifier; + SECItem newExtnValue; + + /* make a new arena */ + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!arena) { + goto loser; + } + + /* allocate the certifiate policies structure */ + policies = PORT_ArenaZNew(arena, CERTCertificatePolicies); + if (policies == NULL) { + goto loser; + } + + policies->arena = arena; + + /* copy the DER into the arena, since Quick DER returns data that points + into the DER input, which may get freed by the caller */ + rv = SECITEM_CopyItem(arena, &newExtnValue, extnValue); + if (rv != SECSuccess) { + goto loser; + } + + /* decode the policy info */ + rv = SEC_QuickDERDecodeItem(arena, policies, + secu_CertificatePoliciesTemplate, + &newExtnValue); + + if (rv != SECSuccess) { + goto loser; + } + + /* initialize the oid tags */ + policyInfos = policies->policyInfos; + while (policyInfos != NULL && *policyInfos != NULL) { + policyInfo = *policyInfos; + policyInfo->oid = SECOID_FindOIDTag(&policyInfo->policyID); + policyQualifiers = policyInfo->policyQualifiers; + while (policyQualifiers && *policyQualifiers != NULL) { + policyQualifier = *policyQualifiers; + policyQualifier->oid = + SECOID_FindOIDTag(&policyQualifier->qualifierID); + policyQualifiers++; + } + policyInfos++; + } + + return (policies); + +loser: + if (arena != NULL) { + PORT_FreeArena(arena, PR_FALSE); + } + + return (NULL); +} + +static char * +itemToString(SECItem *item) +{ + char *string; + + string = PORT_ZAlloc(item->len + 1); + if (string == NULL) + return NULL; + PORT_Memcpy(string, item->data, item->len); + string[item->len] = 0; + return string; +} + +static SECStatus +secu_PrintUserNoticeQualifier(FILE *out, SECItem *qualifierValue, + char *msg, int level) +{ + CERTUserNotice *userNotice = NULL; + if (qualifierValue) + userNotice = CERT_DecodeUserNotice(qualifierValue); + if (userNotice) { + if (userNotice->noticeReference.organization.len != 0) { + char *string = + itemToString(&userNotice->noticeReference.organization); + SECItem **itemList = userNotice->noticeReference.noticeNumbers; + + while (itemList && *itemList) { + SECU_PrintInteger(out, *itemList, string, level + 1); + itemList++; + } + PORT_Free(string); + } + if (userNotice->displayText.len != 0) { + SECU_PrintString(out, &userNotice->displayText, + "Display Text", level + 1); + } + CERT_DestroyUserNotice(userNotice); + return SECSuccess; + } + return SECFailure; /* caller will print this value */ +} + +static SECStatus +secu_PrintPolicyQualifier(FILE *out, CERTPolicyQualifier *policyQualifier, + char *msg, int level) +{ + SECStatus rv; + SECItem *qualifierValue = &policyQualifier->qualifierValue; + + SECU_PrintObjectID(out, &policyQualifier->qualifierID, + "Policy Qualifier Name", level); + if (!qualifierValue->data) { + SECU_Indent(out, level); + fprintf(out, "Error: missing qualifier\n"); + } else + switch (policyQualifier->oid) { + case SEC_OID_PKIX_USER_NOTICE_QUALIFIER: + rv = secu_PrintUserNoticeQualifier(out, qualifierValue, msg, level); + if (SECSuccess == rv) + break; + /* fall through on error */ + case SEC_OID_PKIX_CPS_POINTER_QUALIFIER: + default: + SECU_PrintAny(out, qualifierValue, "Policy Qualifier Data", level); + break; + } + return SECSuccess; +} + +static SECStatus +secu_PrintPolicyInfo(FILE *out, CERTPolicyInfo *policyInfo, char *msg, int level) +{ + CERTPolicyQualifier **policyQualifiers; + + policyQualifiers = policyInfo->policyQualifiers; + SECU_PrintObjectID(out, &policyInfo->policyID, "Policy Name", level); + + while (policyQualifiers && *policyQualifiers != NULL) { + secu_PrintPolicyQualifier(out, *policyQualifiers, "", level + 1); + policyQualifiers++; + } + return SECSuccess; +} + +void +SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level) +{ + CERTCertificatePolicies *policies = NULL; + CERTPolicyInfo **policyInfos; + + if (msg) { + SECU_Indent(out, level); + fprintf(out, "%s: \n", msg); + level++; + } + policies = secu_DecodeCertificatePoliciesExtension(value); + if (policies == NULL) { + SECU_PrintAny(out, value, "Invalid Policy Data", level); + return; + } + + policyInfos = policies->policyInfos; + while (policyInfos && *policyInfos != NULL) { + secu_PrintPolicyInfo(out, *policyInfos, "", level); + policyInfos++; + } + + CERT_DestroyCertificatePoliciesExtension(policies); +} + +void +SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + char *msg, int level) +{ + CERTPrivKeyUsagePeriod *prd; + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!arena) { + goto loser; + } + prd = CERT_DecodePrivKeyUsagePeriodExtension(arena, value); + if (!prd) { + goto loser; + } + if (prd->notBefore.data) { + SECU_PrintGeneralizedTime(out, &prd->notBefore, "Not Before", level); + } + if (prd->notAfter.data) { + SECU_PrintGeneralizedTime(out, &prd->notAfter, "Not After ", level); + } + if (!prd->notBefore.data && !prd->notAfter.data) { + SECU_Indent(out, level); + fprintf(out, "Error: notBefore or notAfter MUST be present.\n"); + loser: + SECU_PrintAny(out, value, msg, level); + } + if (arena) { + PORT_FreeArena(arena, PR_FALSE); + } +} diff --git a/tools/src/main/native/p12tool/secpwd.c b/tools/src/main/native/p12tool/secpwd.c new file mode 100644 index 000000000..e8ca792e8 --- /dev/null +++ b/tools/src/main/native/p12tool/secpwd.c @@ -0,0 +1,168 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "secutil.h" + +/* + * NOTE: The contents of this file are NOT used by the client. + * (They are part of the security library as a whole, but they are + * NOT USED BY THE CLIENT.) Do not change things on behalf of the + * client (like localizing strings), or add things that are only + * for the client (put them elsewhere). + */ + +#ifdef XP_UNIX +#include +#endif + +#if defined(XP_UNIX) || defined(XP_BEOS) +#include /* for isatty() */ +#endif + +#if defined(_WINDOWS) +#include +#include +#define QUIET_FGETS quiet_fgets +static char *quiet_fgets(char *buf, int length, FILE *input); +#else +#define QUIET_FGETS fgets +#endif + +static void +echoOff(int fd) +{ +#if defined(XP_UNIX) + if (isatty(fd)) { + struct termios tio; + tcgetattr(fd, &tio); + tio.c_lflag &= ~ECHO; + tcsetattr(fd, TCSAFLUSH, &tio); + } +#endif +} + +static void +echoOn(int fd) +{ +#if defined(XP_UNIX) + if (isatty(fd)) { + struct termios tio; + tcgetattr(fd, &tio); + tio.c_lflag |= ECHO; + tcsetattr(fd, TCSAFLUSH, &tio); + } +#endif +} + +char * +SEC_GetPassword(FILE *input, FILE *output, char *prompt, + PRBool (*ok)(char *)) +{ +#if defined(_WINDOWS) + int isTTY = (input == stdin); +#define echoOn(x) +#define echoOff(x) +#else + int infd = fileno(input); + int isTTY = isatty(infd); +#endif + char phrase[500] = { '\0' }; /* ensure EOF doesn't return junk */ + + for (;;) { + /* Prompt for password */ + if (isTTY) { + fprintf(output, "%s", prompt); + fflush(output); + echoOff(infd); + } + + if (QUIET_FGETS(phrase, sizeof(phrase), input) == NULL) { + return NULL; + } + + if (isTTY) { + fprintf(output, "\n"); + echoOn(infd); + } + + /* stomp on newline */ + phrase[PORT_Strlen(phrase) - 1] = 0; + + /* Validate password */ + if (!(*ok)(phrase)) { + /* Not weird enough */ + if (!isTTY) + return NULL; + fprintf(output, "Password must be at least 8 characters long with one or more\n"); + fprintf(output, "non-alphabetic characters\n"); + continue; + } + return (char *)PORT_Strdup(phrase); + } +} + +PRBool +SEC_CheckPassword(char *cp) +{ + int len; + char *end; + + len = PORT_Strlen(cp); + if (len < 8) { + return PR_FALSE; + } + end = cp + len; + while (cp < end) { + unsigned char ch = *cp++; + if (!((ch >= 'A') && (ch <= 'Z')) && + !((ch >= 'a') && (ch <= 'z'))) { + /* pass phrase has at least one non alphabetic in it */ + return PR_TRUE; + } + } + return PR_FALSE; +} + +PRBool +SEC_BlindCheckPassword(char *cp) +{ + if (cp != NULL) { + return PR_TRUE; + } + return PR_FALSE; +} + +/* Get a password from the input terminal, without echoing */ + +#if defined(_WINDOWS) +static char * +quiet_fgets(char *buf, int length, FILE *input) +{ + int c; + char *end = buf; + + /* fflush (input); */ + memset(buf, 0, length); + + if (!isatty(fileno(input))) { + return fgets(buf, length, input); + } + + while (1) { + c = getch(); /* getch gets a character from the console */ + + if (c == '\b') { + if (end > buf) + end--; + } + + else if (--length > 0) + *end++ = c; + + if (!c || c == '\n' || c == '\r') + break; + } + + return buf; +} +#endif diff --git a/tools/src/main/native/p12tool/secutil.c b/tools/src/main/native/p12tool/secutil.c new file mode 100644 index 000000000..2fa76207a --- /dev/null +++ b/tools/src/main/native/p12tool/secutil.c @@ -0,0 +1,4736 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +/* +** secutil.c - various functions used by security stuff +** +*/ + +#include "prtypes.h" +#include "prtime.h" +#include "prlong.h" +#include "prerror.h" +#include "prprf.h" +#include "plgetopt.h" +#include "prenv.h" +#include "prnetdb.h" + +#include "cryptohi.h" +#include "secutil.h" +#include "secpkcs7.h" +#include "secpkcs5.h" +#include +#include +#include +#include + +#ifdef XP_UNIX +#include +#endif + +/* for SEC_TraverseNames */ +#include "cert.h" +#include "certt.h" +#include "certdb.h" + +#include "secmod.h" +#include "pk11func.h" +#include "secoid.h" +#include "pk11pub.h" + + +static char consoleName[] = { +#ifdef XP_UNIX + "/dev/tty" +#else +#ifdef XP_OS2 + "\\DEV\\CON" +#else + "CON:" +#endif +#endif +}; + +#include "nssutil.h" +#include "ssl.h" +#include "sslproto.h" + +static PRBool utf8DisplayEnabled = PR_FALSE; + +/* The minimum password/pin length (in Unicode characters) in FIPS mode, + * defined in lib/softoken/pkcs11i.h. */ +#define FIPS_MIN_PIN 7 + +void +SECU_EnableUtf8Display(PRBool enable) +{ + utf8DisplayEnabled = enable; +} + +PRBool +SECU_GetUtf8DisplayEnabled(void) +{ + return utf8DisplayEnabled; +} + +static void +secu_ClearPassword(char *p) +{ + if (p) { + PORT_Memset(p, 0, PORT_Strlen(p)); + PORT_Free(p); + } +} + +char * +SECU_GetPasswordString(void *arg, char *prompt) +{ +#ifndef _WINDOWS + char *p = NULL; + FILE *input, *output; + + /* open terminal */ + input = fopen(consoleName, "r"); + if (input == NULL) { + fprintf(stderr, "Error opening input terminal for read\n"); + return NULL; + } + + output = fopen(consoleName, "w"); + if (output == NULL) { + fprintf(stderr, "Error opening output terminal for write\n"); + fclose(input); + return NULL; + } + + p = SEC_GetPassword(input, output, prompt, SEC_BlindCheckPassword); + + fclose(input); + fclose(output); + + return p; + +#else + /* Win32 version of above. opening the console may fail + on windows95, and certainly isn't necessary.. */ + + char *p = NULL; + + p = SEC_GetPassword(stdin, stdout, prompt, SEC_BlindCheckPassword); + return p; + +#endif +} + +/* + * p a s s w o r d _ h a r d c o d e + * + * A function to use the password passed in the -f(pwfile) argument + * of the command line. + * After use once, null it out otherwise PKCS11 calls us forever.? + * + */ +char * +SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char *phrases, *phrase; + PRFileDesc *fd; + PRInt32 nb; + char *pwFile = arg; + int i; + const long maxPwdFileSize = 4096; + char *tokenName = NULL; + int tokenLen = 0; + + if (!pwFile) + return 0; + + if (retry) { + return 0; /* no good retrying - the files contents will be the same */ + } + + phrases = PORT_ZAlloc(maxPwdFileSize); + + if (!phrases) { + return 0; /* out of memory */ + } + + fd = PR_Open(pwFile, PR_RDONLY, 0); + if (!fd) { + fprintf(stderr, "No password file \"%s\" exists.\n", pwFile); + PORT_Free(phrases); + return NULL; + } + + nb = PR_Read(fd, phrases, maxPwdFileSize); + + PR_Close(fd); + + if (nb == 0) { + fprintf(stderr, "password file contains no data\n"); + PORT_Free(phrases); + return NULL; + } + + if (slot) { + tokenName = PK11_GetTokenName(slot); + if (tokenName) { + tokenLen = PORT_Strlen(tokenName); + } + } + i = 0; + do { + int startphrase = i; + int phraseLen; + + /* handle the Windows EOL case */ + while (phrases[i] != '\r' && phrases[i] != '\n' && i < nb) + i++; + /* terminate passphrase */ + phrases[i++] = '\0'; + /* clean up any EOL before the start of the next passphrase */ + while ((i < nb) && (phrases[i] == '\r' || phrases[i] == '\n')) { + phrases[i++] = '\0'; + } + /* now analyze the current passphrase */ + phrase = &phrases[startphrase]; + if (!tokenName) + break; + if (PORT_Strncmp(phrase, tokenName, tokenLen)) + continue; + phraseLen = PORT_Strlen(phrase); + if (phraseLen < (tokenLen + 1)) + continue; + if (phrase[tokenLen] != ':') + continue; + phrase = &phrase[tokenLen + 1]; + break; + + } while (i < nb); + + phrase = PORT_Strdup((char *)phrase); + PORT_Free(phrases); + return phrase; +} + +char * +SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char prompt[255]; + secuPWData *pwdata = (secuPWData *)arg; + secuPWData pwnull = { PW_NONE, 0 }; + secuPWData pwxtrn = { PW_EXTERNAL, "external" }; + + if (pwdata == NULL) + pwdata = &pwnull; + + if (PK11_ProtectedAuthenticationPath(slot)) { + pwdata = &pwxtrn; + } + if (retry && pwdata->source != PW_NONE) { + PR_fprintf(PR_STDERR, "Incorrect password/PIN entered.\n"); + return NULL; + } + + switch (pwdata->source) { + case PW_NONE: + sprintf(prompt, "Enter Password or Pin for \"%s\":", + PK11_GetTokenName(slot)); + return SECU_GetPasswordString(NULL, prompt); + case PW_FROMFILE: + return SECU_FilePasswd(slot, retry, pwdata->data); + case PW_EXTERNAL: + sprintf(prompt, + "Press Enter, then enter PIN for \"%s\" on external device.\n", + PK11_GetTokenName(slot)); + char *pw = SECU_GetPasswordString(NULL, prompt); + PORT_Free(pw); + /* Fall Through */ + case PW_PLAINTEXT: + return PL_strdup(pwdata->data); + default: + break; + } + + PR_fprintf(PR_STDERR, "Password check failed: No password found.\n"); + return NULL; +} + +char * +secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + char *p0 = NULL; + char *p1 = NULL; + FILE *input, *output; + secuPWData *pwdata = arg; + + if (pwdata->source == PW_FROMFILE) { + return SECU_FilePasswd(slot, retry, pwdata->data); + } + if (pwdata->source == PW_PLAINTEXT) { + return PL_strdup(pwdata->data); + } + +/* PW_NONE - get it from tty */ +/* open terminal */ +#ifdef _WINDOWS + input = stdin; +#else + input = fopen(consoleName, "r"); +#endif + if (input == NULL) { + PR_fprintf(PR_STDERR, "Error opening input terminal for read\n"); + return NULL; + } + + /* we have no password, so initialize database with one */ + if (PK11_IsFIPS()) { + PR_fprintf(PR_STDERR, + "Enter a password which will be used to encrypt your keys.\n" + "The password should be at least %d characters long,\n" + "and should consist of at least three character classes.\n" + "The available character classes are: digits (0-9), ASCII\n" + "lowercase letters, ASCII uppercase letters, ASCII\n" + "non-alphanumeric characters, and non-ASCII characters.\n\n" + "If an ASCII uppercase letter appears at the beginning of\n" + "the password, it is not counted toward its character class.\n" + "Similarly, if a digit appears at the end of the password,\n" + "it is not counted toward its character class.\n\n", + FIPS_MIN_PIN); + } else { + PR_fprintf(PR_STDERR, + "Enter a password which will be used to encrypt your keys.\n" + "The password should be at least 8 characters long,\n" + "and should contain at least one non-alphabetic character.\n\n"); + } + + output = fopen(consoleName, "w"); + if (output == NULL) { + PR_fprintf(PR_STDERR, "Error opening output terminal for write\n"); +#ifndef _WINDOWS + fclose(input); +#endif + return NULL; + } + + for (;;) { + if (p0) + PORT_Free(p0); + p0 = SEC_GetPassword(input, output, "Enter new password: ", + SEC_BlindCheckPassword); + + if (p1) + PORT_Free(p1); + p1 = SEC_GetPassword(input, output, "Re-enter password: ", + SEC_BlindCheckPassword); + if (p0 && p1 && !PORT_Strcmp(p0, p1)) { + break; + } + PR_fprintf(PR_STDERR, "Passwords do not match. Try again.\n"); + } + + /* clear out the duplicate password string */ + secu_ClearPassword(p1); + + fclose(input); + fclose(output); + + return p0; +} + +SECStatus +SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile) +{ + return SECU_ChangePW2(slot, passwd, 0, pwFile, 0); +} + +SECStatus +SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass, + char *oldPwFile, char *newPwFile) +{ + SECStatus rv; + secuPWData pwdata, newpwdata; + char *oldpw = NULL, *newpw = NULL; + + if (oldPass) { + pwdata.source = PW_PLAINTEXT; + pwdata.data = oldPass; + } else if (oldPwFile) { + pwdata.source = PW_FROMFILE; + pwdata.data = oldPwFile; + } else { + pwdata.source = PW_NONE; + pwdata.data = NULL; + } + + if (newPass) { + newpwdata.source = PW_PLAINTEXT; + newpwdata.data = newPass; + } else if (newPwFile) { + newpwdata.source = PW_FROMFILE; + newpwdata.data = newPwFile; + } else { + newpwdata.source = PW_NONE; + newpwdata.data = NULL; + } + + if (PK11_NeedUserInit(slot)) { + newpw = secu_InitSlotPassword(slot, PR_FALSE, &pwdata); + rv = PK11_InitPin(slot, (char *)NULL, newpw); + goto done; + } + + for (;;) { + oldpw = SECU_GetModulePassword(slot, PR_FALSE, &pwdata); + + if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) { + if (pwdata.source == PW_NONE) { + PR_fprintf(PR_STDERR, "Invalid password. Try again.\n"); + } else { + PR_fprintf(PR_STDERR, "Invalid password.\n"); + PORT_Memset(oldpw, 0, PL_strlen(oldpw)); + PORT_Free(oldpw); + rv = SECFailure; + goto done; + } + } else + break; + + PORT_Free(oldpw); + } + + newpw = secu_InitSlotPassword(slot, PR_FALSE, &newpwdata); + + rv = PK11_ChangePW(slot, oldpw, newpw); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed to change password.\n"); + } else { + PR_fprintf(PR_STDOUT, "Password changed successfully.\n"); + } + + PORT_Memset(oldpw, 0, PL_strlen(oldpw)); + PORT_Free(oldpw); + +done: + if (newpw) { + PORT_Memset(newpw, 0, PL_strlen(newpw)); + PORT_Free(newpw); + } + return rv; +} + +struct matchobj { + SECItem index; + char *nname; + PRBool found; +}; + +char * +SECU_DefaultSSLDir(void) +{ + char *dir; + static char sslDir[1000]; + + dir = PR_GetEnvSecure("SSL_DIR"); + if (!dir) + return NULL; + + if (strlen(dir) >= PR_ARRAY_SIZE(sslDir)) { + return NULL; + } + sprintf(sslDir, "%s", dir); + + if (sslDir[strlen(sslDir) - 1] == '/') + sslDir[strlen(sslDir) - 1] = 0; + + return sslDir; +} + +char * +SECU_AppendFilenameToDir(char *dir, char *filename) +{ + static char path[1000]; + + if (dir[strlen(dir) - 1] == '/') + sprintf(path, "%s%s", dir, filename); + else + sprintf(path, "%s/%s", dir, filename); + return path; +} + +char * +SECU_ConfigDirectory(const char *base) +{ + static PRBool initted = PR_FALSE; + const char *dir = ".netscape"; + char *home; + static char buf[1000]; + + if (initted) + return buf; + + if (base == NULL || *base == 0) { + home = PR_GetEnvSecure("HOME"); + if (!home) + home = ""; + + if (*home && home[strlen(home) - 1] == '/') + sprintf(buf, "%.900s%s", home, dir); + else + sprintf(buf, "%.900s/%s", home, dir); + } else { + sprintf(buf, "%.900s", base); + if (buf[strlen(buf) - 1] == '/') + buf[strlen(buf) - 1] = 0; + } + + initted = PR_TRUE; + return buf; +} + +SECStatus +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii, + PRBool warnOnPrivateKeyInAsciiFile) +{ + SECStatus rv; + if (ascii) { + /* First convert ascii to binary */ + SECItem filedata; + + /* Read in ascii data */ + rv = SECU_FileToItem(&filedata, inFile); + if (rv != SECSuccess) + return rv; + if (!filedata.data) { + fprintf(stderr, "unable to read data from input file\n"); + return SECFailure; + } + /* need one additional byte for zero terminator */ + rv = SECITEM_ReallocItemV2(NULL, &filedata, filedata.len + 1); + if (rv != SECSuccess) { + PORT_Free(filedata.data); + return rv; + } + char *asc = (char *)filedata.data; + asc[filedata.len - 1] = '\0'; + + if (warnOnPrivateKeyInAsciiFile && strstr(asc, "PRIVATE KEY")) { + fprintf(stderr, "Warning: ignoring private key. Consider to use " + "pk12util.\n"); + } + + char *body; + /* check for headers and trailers and remove them */ + if ((body = strstr(asc, "-----BEGIN")) != NULL) { + char *trailer = NULL; + asc = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */ + if (body) + trailer = strstr(++body, "-----END"); + if (trailer != NULL) { + *trailer = '\0'; + } else { + fprintf(stderr, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = asc; + } + + /* Convert to binary */ + rv = ATOB_ConvertAsciiToItem(der, body); + if (rv != SECSuccess) { + fprintf(stderr, "error converting ascii to binary (%s)\n", + SECU_Strerror(PORT_GetError())); + PORT_Free(filedata.data); + return SECFailure; + } + + PORT_Free(filedata.data); + } else { + /* Read in binary der */ + rv = SECU_FileToItem(der, inFile); + if (rv != SECSuccess) { + fprintf(stderr, "error converting der (%s)\n", + SECU_Strerror(PORT_GetError())); + return SECFailure; + } + } + return SECSuccess; +} + +#define INDENT_MULT 4 + +/* + * remove the tag and length and just leave the bare BER data + */ +SECStatus +SECU_StripTagAndLength(SECItem *i) +{ + unsigned int start; + PRBool isIndefinite; + + if (!i || !i->data || i->len < 2) { /* must be at least tag and length */ + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + isIndefinite = (i->data[1] == 0x80); + start = ((i->data[1] & 0x80) ? (i->data[1] & 0x7f) + 2 : 2); + if (i->len < start) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + i->data += start; + i->len -= start; + /* we are using indefinite encoding, drop the trailing zero */ + if (isIndefinite) { + if (i->len <= 1) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + /* verify tags are zero */ + if ((i->data[i->len - 1] != 0) || (i->data[i->len - 2] != 0)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + i->len -= 2; + } + + return SECSuccess; +} + +/* + * Create a new SECItem which points to the current BER tag and length with + * all it's data. For indefinite encoding, this will also include the trailing + * indefinite markers + * The 'in' item is advanced to point to the next BER tag. + * You don't want to use this in an actual BER/DER parser as NSS already + * has 3 to choose from) + */ +SECStatus +SECU_ExtractBERAndStep(SECItem *in, SECItem *out) +{ + if (!in || !in->data || in->len < 2) { /* must be at least tag and length */ + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + + *out = *in; + + /* first handle indefinite encoding */ + if (out->data[1] == 0x80) { + SECItem this = *out; + SECItem next; + this.data += 2; + this.len -= 2; + out->len = 2; + /* walk through all the entries until we find the '0' */ + while ((this.len >= 2) && (this.data[0] != 0)) { + SECStatus rv = SECU_ExtractBERAndStep(&this, &next); + if (rv != SECSuccess) { + return rv; + } + out->len += next.len; + } + if ((this.len < 2) || ((this.data[0] != 0) && (this.data[1] != 0))) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + out->len += 2; /* include the trailing zeros */ + in->data += out->len; + in->len -= out->len; + return SECSuccess; + } + + /* now handle normal DER encoding */ + if (out->data[1] & 0x80) { + unsigned int i; + unsigned int lenlen = out->data[1] & 0x7f; + unsigned int len = 0; + if (lenlen > sizeof out->len) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + for (i = 0; i < lenlen; i++) { + len = (len << 8) | out->data[2 + i]; + } + out->len = len + lenlen + 2; + } else { + out->len = out->data[1] + 2; + } + if (out->len > in->len) { + /* we've ran into a truncated file */ + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + in->data += out->len; + in->len -= out->len; + return SECSuccess; +} + +static void +secu_PrintRawStringQuotesOptional(FILE *out, SECItem *si, const char *m, + int level, PRBool quotes) +{ + int column; + unsigned int i; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s: ", m); + column = (level * INDENT_MULT) + strlen(m) + 2; + level++; + } else { + SECU_Indent(out, level); + column = level * INDENT_MULT; + } + if (quotes) { + fprintf(out, "\""); + column++; + } + + for (i = 0; i < si->len; i++) { + unsigned char val = si->data[i]; + unsigned char c; + if (SECU_GetWrapEnabled() && column > 76) { + SECU_Newline(out); + SECU_Indent(out, level); + column = level * INDENT_MULT; + } + + if (utf8DisplayEnabled) { + if (val < 32) + c = '.'; + else + c = val; + } else { + c = printable[val]; + } + fprintf(out, "%c", c); + column++; + } + + if (quotes) { + fprintf(out, "\""); + column++; + } + if (SECU_GetWrapEnabled() && + (column != level * INDENT_MULT || column > 76)) { + SECU_Newline(out); + } +} + +static void +secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level) +{ + secu_PrintRawStringQuotesOptional(out, si, m, level, PR_TRUE); +} + +void +SECU_PrintString(FILE *out, const SECItem *si, const char *m, int level) +{ + SECItem my = *si; + + if (SECSuccess != SECU_StripTagAndLength(&my) || !my.len) + return; + secu_PrintRawString(out, &my, m, level); +} + +/* print an unencoded boolean */ +static void +secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level) +{ + int val = 0; + + if (i->data && i->len) { + val = i->data[0]; + } + + if (!m) { + m = "Boolean"; + } + SECU_Indent(out, level); + fprintf(out, "%s: %s\n", m, (val ? "True" : "False")); +} + +/* + * Format and print "time". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +static void +secu_PrintTime(FILE *out, const PRTime time, const char *m, int level) +{ + PRExplodedTime printableTime; + char *timeString; + + /* Convert to local time */ + PR_ExplodeTime(time, PR_GMTParameters, &printableTime); + + timeString = PORT_Alloc(256); + if (timeString == NULL) + return; + + if (m != NULL) { + SECU_Indent(out, level); + fprintf(out, "%s: ", m); + } + + if (PR_FormatTime(timeString, 256, "%a %b %d %H:%M:%S %Y", &printableTime)) { + fputs(timeString, out); + } + + if (m != NULL) + fprintf(out, "\n"); + + PORT_Free(timeString); +} + +/* + * Format and print the UTC Time "t". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +void +SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m, int level) +{ + PRTime time; + SECStatus rv; + + rv = DER_UTCTimeToTime(&time, t); + if (rv != SECSuccess) + return; + + secu_PrintTime(out, time, m, level); +} + +/* + * Format and print the Generalized Time "t". If the tag message "m" + * is not NULL, * do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +void +SECU_PrintGeneralizedTime(FILE *out, const SECItem *t, const char *m, int level) +{ + PRTime time; + SECStatus rv; + + rv = DER_GeneralizedTimeToTime(&time, t); + if (rv != SECSuccess) + return; + + secu_PrintTime(out, time, m, level); +} + +/* + * Format and print the UTC or Generalized Time "t". If the tag message + * "m" is not NULL, do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +void +SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m, int level) +{ + switch (t->type) { + case siUTCTime: + SECU_PrintUTCTime(out, t, m, level); + break; + + case siGeneralizedTime: + SECU_PrintGeneralizedTime(out, t, m, level); + break; + + default: + PORT_Assert(0); + break; + } +} + +/* This prints a SET or SEQUENCE */ +static void +SECU_PrintSet(FILE *out, const SECItem *t, const char *m, int level) +{ + int type = t->data[0] & SEC_ASN1_TAGNUM_MASK; + int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED; + const char *label; + SECItem my = *t; + + if (!constructed) { + SECU_PrintAsHex(out, t, m, level); + return; + } + if (SECSuccess != SECU_StripTagAndLength(&my)) + return; + + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: ", m); + } + + if (type == SEC_ASN1_SET) + label = "Set "; + else if (type == SEC_ASN1_SEQUENCE) + label = "Sequence "; + else + label = ""; + fprintf(out, "%s{\n", label); /* } */ + + while (my.len >= 2) { + SECItem tmp; + if (SECSuccess != SECU_ExtractBERAndStep(&my, &tmp)) { + break; + } + SECU_PrintAny(out, &tmp, NULL, level + 1); + } + SECU_Indent(out, level); + fprintf(out, /* { */ "}\n"); +} + +static void +secu_PrintContextSpecific(FILE *out, const SECItem *i, const char *m, int level) +{ + int type = i->data[0] & SEC_ASN1_TAGNUM_MASK; + int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED; + SECItem tmp; + + if (constructed) { + char *m2; + if (!m) + m2 = PR_smprintf("[%d]", type); + else + m2 = PR_smprintf("%s: [%d]", m, type); + if (m2) { + SECU_PrintSet(out, i, m2, level); + PR_smprintf_free(m2); + } + return; + } + + SECU_Indent(out, level); + if (m) { + fprintf(out, "%s: ", m); + } + fprintf(out, "[%d]\n", type); + + tmp = *i; + if (SECSuccess == SECU_StripTagAndLength(&tmp)) + SECU_PrintAsHex(out, &tmp, m, level + 1); +} + +static void +secu_PrintOctetString(FILE *out, const SECItem *i, const char *m, int level) +{ + SECItem tmp = *i; + if (SECSuccess == SECU_StripTagAndLength(&tmp)) + SECU_PrintAsHex(out, &tmp, m, level); +} + +static void +secu_PrintBitString(FILE *out, const SECItem *i, const char *m, int level) +{ + int unused_bits; + SECItem tmp = *i; + + if (SECSuccess != SECU_StripTagAndLength(&tmp) || tmp.len < 2) + return; + + unused_bits = *tmp.data++; + tmp.len--; + + SECU_PrintAsHex(out, &tmp, m, level); + if (unused_bits) { + SECU_Indent(out, level + 1); + fprintf(out, "(%d least significant bits unused)\n", unused_bits); + } +} + +/* in a decoded bit string, the len member is a bit length. */ +static void +secu_PrintDecodedBitString(FILE *out, const SECItem *i, const char *m, int level) +{ + int unused_bits; + SECItem tmp = *i; + + unused_bits = (tmp.len & 0x7) ? 8 - (tmp.len & 7) : 0; + DER_ConvertBitString(&tmp); /* convert length to byte length */ + + SECU_PrintAsHex(out, &tmp, m, level); + if (unused_bits) { + SECU_Indent(out, level + 1); + fprintf(out, "(%d least significant bits unused)\n", unused_bits); + } +} + +/* Print a DER encoded Boolean */ +void +SECU_PrintEncodedBoolean(FILE *out, const SECItem *i, const char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + secu_PrintBoolean(out, &my, m, level); +} + +/* Print a DER encoded integer */ +void +SECU_PrintEncodedInteger(FILE *out, const SECItem *i, const char *m, int level) +{ + SECItem my = *i; + if (SECSuccess == SECU_StripTagAndLength(&my)) + SECU_PrintInteger(out, &my, m, level); +} + +/* Print a DER encoded OID */ +SECOidTag +SECU_PrintEncodedObjectID(FILE *out, const SECItem *i, const char *m, int level) +{ + SECItem my = *i; + SECOidTag tag = SEC_OID_UNKNOWN; + if (SECSuccess == SECU_StripTagAndLength(&my)) + tag = SECU_PrintObjectID(out, &my, m, level); + return tag; +} + +static void +secu_PrintBMPString(FILE *out, const SECItem *i, const char *m, int level) +{ + unsigned char *s; + unsigned char *d; + int len; + SECItem tmp = { 0, 0, 0 }; + SECItem my = *i; + + if (SECSuccess != SECU_StripTagAndLength(&my)) + goto loser; + if (my.len % 2) + goto loser; + len = (int)(my.len / 2); + tmp.data = (unsigned char *)PORT_Alloc(len); + if (!tmp.data) + goto loser; + tmp.len = len; + for (s = my.data, d = tmp.data; len > 0; len--) { + PRUint32 bmpChar = (s[0] << 8) | s[1]; + s += 2; + if (!isprint(bmpChar)) + goto loser; + *d++ = (unsigned char)bmpChar; + } + secu_PrintRawString(out, &tmp, m, level); + PORT_Free(tmp.data); + return; + +loser: + SECU_PrintAsHex(out, i, m, level); + if (tmp.data) + PORT_Free(tmp.data); +} + +static void +secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level) +{ + unsigned char *s; + unsigned char *d; + int len; + SECItem tmp = { 0, 0, 0 }; + SECItem my = *i; + + if (SECSuccess != SECU_StripTagAndLength(&my)) + goto loser; + if (my.len % 4) + goto loser; + len = (int)(my.len / 4); + tmp.data = (unsigned char *)PORT_Alloc(len); + if (!tmp.data) + goto loser; + tmp.len = len; + for (s = my.data, d = tmp.data; len > 0; len--) { + PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3]; + s += 4; + if (!isprint(bmpChar & 0xFF)) + goto loser; + *d++ = (unsigned char)bmpChar; + } + secu_PrintRawString(out, &tmp, m, level); + PORT_Free(tmp.data); + return; + +loser: + SECU_PrintAsHex(out, i, m, level); + if (tmp.data) + PORT_Free(tmp.data); +} + +static void +secu_PrintUniversal(FILE *out, const SECItem *i, const char *m, int level) +{ + switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) { + case SEC_ASN1_ENUMERATED: + case SEC_ASN1_INTEGER: + SECU_PrintEncodedInteger(out, i, m, level); + break; + case SEC_ASN1_OBJECT_ID: + SECU_PrintEncodedObjectID(out, i, m, level); + break; + case SEC_ASN1_BOOLEAN: + SECU_PrintEncodedBoolean(out, i, m, level); + break; + case SEC_ASN1_UTF8_STRING: + case SEC_ASN1_PRINTABLE_STRING: + case SEC_ASN1_VISIBLE_STRING: + case SEC_ASN1_IA5_STRING: + case SEC_ASN1_T61_STRING: + SECU_PrintString(out, i, m, level); + break; + case SEC_ASN1_GENERALIZED_TIME: + SECU_PrintGeneralizedTime(out, i, m, level); + break; + case SEC_ASN1_UTC_TIME: + SECU_PrintUTCTime(out, i, m, level); + break; + case SEC_ASN1_NULL: + SECU_Indent(out, level); + if (m && m[0]) + fprintf(out, "%s: NULL\n", m); + else + fprintf(out, "NULL\n"); + break; + case SEC_ASN1_SET: + case SEC_ASN1_SEQUENCE: + SECU_PrintSet(out, i, m, level); + break; + case SEC_ASN1_OCTET_STRING: + secu_PrintOctetString(out, i, m, level); + break; + case SEC_ASN1_BIT_STRING: + secu_PrintBitString(out, i, m, level); + break; + case SEC_ASN1_BMP_STRING: + secu_PrintBMPString(out, i, m, level); + break; + case SEC_ASN1_UNIVERSAL_STRING: + secu_PrintUniversalString(out, i, m, level); + break; + default: + SECU_PrintAsHex(out, i, m, level); + break; + } +} + +void +SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level) +{ + if (i && i->len && i->data) { + switch (i->data[0] & SEC_ASN1_CLASS_MASK) { + case SEC_ASN1_CONTEXT_SPECIFIC: + secu_PrintContextSpecific(out, i, m, level); + break; + case SEC_ASN1_UNIVERSAL: + secu_PrintUniversal(out, i, m, level); + break; + default: + SECU_PrintAsHex(out, i, m, level); + break; + } + } +} + +static int +secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level) +{ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level + 1); + SECU_PrintTimeChoice(out, &v->notAfter, "Not After ", level + 1); + return 0; +} + +/* This function does NOT expect a DER type and length. */ +SECOidTag +SECU_PrintObjectID(FILE *out, const SECItem *oid, const char *m, int level) +{ + SECOidData *oiddata; + char *oidString = NULL; + + oiddata = SECOID_FindOID(oid); + if (oiddata != NULL) { + const char *name = oiddata->desc; + SECU_Indent(out, level); + if (m != NULL) + fprintf(out, "%s: ", m); + fprintf(out, "%s\n", name); + return oiddata->offset; + } + oidString = CERT_GetOidString(oid); + if (oidString) { + SECU_Indent(out, level); + if (m != NULL) + fprintf(out, "%s: ", m); + fprintf(out, "%s\n", oidString); + PR_smprintf_free(oidString); + return SEC_OID_UNKNOWN; + } + SECU_PrintAsHex(out, oid, m, level); + return SEC_OID_UNKNOWN; +} + +typedef struct secuPBEParamsStr { + SECItem salt; + SECItem iterationCount; + SECItem keyLength; + SECAlgorithmID cipherAlg; + SECAlgorithmID kdfAlg; +} secuPBEParams; + +SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) + +/* SECOID_PKCS5_PBKDF2 */ +const SEC_ASN1Template secuKDF2Params[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; + +/* PKCS5v1 & PKCS12 */ +const SEC_ASN1Template secuPBEParamsTemp[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) }, + { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) }, + { 0 } +}; + +/* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */ +const SEC_ASN1Template secuPBEV2Params[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { 0 } +}; + +void +secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) +{ + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + SECKEYRSAPSSParams param; + SECAlgorithmID maskHashAlg; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof param); + + rv = SEC_QuickDERDecodeItem(pool, ¶m, + SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate), + value); + if (rv == SECSuccess) { + if (!param.hashAlg) { + SECU_Indent(out, level + 1); + fprintf(out, "Hash algorithm: default, SHA-1\n"); + } else { + SECU_PrintObjectID(out, ¶m.hashAlg->algorithm, + "Hash algorithm", level + 1); + } + if (!param.maskAlg) { + SECU_Indent(out, level + 1); + fprintf(out, "Mask algorithm: default, MGF1\n"); + SECU_Indent(out, level + 1); + fprintf(out, "Mask hash algorithm: default, SHA-1\n"); + } else { + SECU_PrintObjectID(out, ¶m.maskAlg->algorithm, + "Mask algorithm", level + 1); + rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), + ¶m.maskAlg->parameters); + if (rv == SECSuccess) { + SECU_PrintObjectID(out, &maskHashAlg.algorithm, + "Mask hash algorithm", level + 1); + } else { + SECU_Indent(out, level + 1); + fprintf(out, "Invalid mask generation algorithm parameters\n"); + } + } + if (!param.saltLength.data) { + SECU_Indent(out, level + 1); + fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); + } else { + SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1); + } + } else { + SECU_Indent(out, level + 1); + fprintf(out, "Invalid RSA-PSS parameters\n"); + } + PORT_FreeArena(pool, PR_FALSE); +} + +void +secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) +{ + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + secuPBEParams param; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof param); + rv = SEC_QuickDERDecodeItem(pool, ¶m, secuKDF2Params, value); + if (rv == SECSuccess) { + SECU_PrintAsHex(out, ¶m.salt, "Salt", level + 1); + SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count", + level + 1); + SECU_PrintInteger(out, ¶m.keyLength, "Key Length", level + 1); + SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF algorithm", level + 1); + } + PORT_FreeArena(pool, PR_FALSE); +} + +void +secu_PrintPKCS5V2Params(FILE *out, SECItem *value, char *m, int level) +{ + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + secuPBEParams param; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof param); + rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEV2Params, value); + if (rv == SECSuccess) { + SECU_PrintAlgorithmID(out, ¶m.kdfAlg, "KDF", level + 1); + SECU_PrintAlgorithmID(out, ¶m.cipherAlg, "Cipher", level + 1); + } + PORT_FreeArena(pool, PR_FALSE); +} + +void +secu_PrintPBEParams(FILE *out, SECItem *value, char *m, int level) +{ + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECStatus rv; + secuPBEParams param; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + } + + if (!pool) { + SECU_Indent(out, level); + fprintf(out, "Out of memory\n"); + return; + } + + PORT_Memset(¶m, 0, sizeof(secuPBEParams)); + rv = SEC_QuickDERDecodeItem(pool, ¶m, secuPBEParamsTemp, value); + if (rv == SECSuccess) { + SECU_PrintAsHex(out, ¶m.salt, "Salt", level + 1); + SECU_PrintInteger(out, ¶m.iterationCount, "Iteration Count", + level + 1); + } + PORT_FreeArena(pool, PR_FALSE); +} + +/* This function does NOT expect a DER type and length. */ +void +SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) +{ + SECOidTag algtag; + SECU_PrintObjectID(out, &a->algorithm, m, level); + + algtag = SECOID_GetAlgorithmTag(a); + if (SEC_PKCS5IsAlgorithmPBEAlgTag(algtag)) { + switch (algtag) { + case SEC_OID_PKCS5_PBKDF2: + secu_PrintKDF2Params(out, &a->parameters, "Parameters", level + 1); + break; + case SEC_OID_PKCS5_PBES2: + secu_PrintPKCS5V2Params(out, &a->parameters, "Encryption", level + 1); + break; + case SEC_OID_PKCS5_PBMAC1: + secu_PrintPKCS5V2Params(out, &a->parameters, "MAC", level + 1); + break; + default: + secu_PrintPBEParams(out, &a->parameters, "Parameters", level + 1); + break; + } + return; + } + + if (a->parameters.len == 0 || + (a->parameters.len == 2 && + PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { + /* No arguments or NULL argument */ + } else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1); + } else { + /* Print args to algorithm */ + SECU_PrintAsHex(out, &a->parameters, "Args", level + 1); + } +} + +static void +secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level) +{ + SECItem *value; + int i; + char om[100]; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + } + + /* + * Should make this smarter; look at the type field and then decode + * and print the value(s) appropriately! + */ + SECU_PrintObjectID(out, &(attr->type), "Type", level + 1); + if (attr->values != NULL) { + i = 0; + while ((value = attr->values[i++]) != NULL) { + sprintf(om, "Value (%d)%s", i, attr->encoded ? " (encoded)" : ""); + if (attr->encoded || attr->typeTag == NULL) { + SECU_PrintAny(out, value, om, level + 1); + } else { + switch (attr->typeTag->offset) { + default: + SECU_PrintAsHex(out, value, om, level + 1); + break; + case SEC_OID_PKCS9_CONTENT_TYPE: + SECU_PrintObjectID(out, value, om, level + 1); + break; + case SEC_OID_PKCS9_SIGNING_TIME: + SECU_PrintTimeChoice(out, value, om, level + 1); + break; + } + } + } + } +} + +static void +secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) +{ + SECItem curveOID = { siBuffer, NULL, 0 }; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level + 1); + /* For named curves, the DEREncodedParams field contains an + * ASN Object ID (0x06 is SEC_ASN1_OBJECT_ID). + */ + if ((pk->u.ec.DEREncodedParams.len > 2) && + (pk->u.ec.DEREncodedParams.data[0] == 0x06)) { + curveOID.len = pk->u.ec.DEREncodedParams.data[1]; + curveOID.data = pk->u.ec.DEREncodedParams.data + 2; + curveOID.len = PR_MIN(curveOID.len, pk->u.ec.DEREncodedParams.len - 2); + SECU_PrintObjectID(out, &curveOID, "Curve", level + 1); + } +} + +void +SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) +{ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level + 1); + SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level + 1); + if (pk->u.rsa.publicExponent.len == 1 && + pk->u.rsa.publicExponent.data[0] == 1) { + SECU_Indent(out, level + 1); + fprintf(out, "Error: INVALID RSA KEY!\n"); + } +} + +void +SECU_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) +{ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level + 1); + SECU_PrintInteger(out, &pk->u.dsa.params.subPrime, "Subprime", level + 1); + SECU_PrintInteger(out, &pk->u.dsa.params.base, "Base", level + 1); + SECU_PrintInteger(out, &pk->u.dsa.publicValue, "PublicValue", level + 1); +} + +static void +secu_PrintSubjectPublicKeyInfo(FILE *out, PLArenaPool *arena, + CERTSubjectPublicKeyInfo *i, char *msg, int level) +{ + SECKEYPublicKey *pk; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", msg); + SECU_PrintAlgorithmID(out, &i->algorithm, "Public Key Algorithm", level + 1); + + pk = SECKEY_ExtractPublicKey(i); + if (pk) { + switch (pk->keyType) { + case rsaKey: + SECU_PrintRSAPublicKey(out, pk, "RSA Public Key", level + 1); + break; + + case dsaKey: + SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level + 1); + break; + + case ecKey: + secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1); + break; + + case dhKey: + case fortezzaKey: + case keaKey: + SECU_Indent(out, level); + fprintf(out, "unable to format this SPKI algorithm type\n"); + goto loser; + default: + SECU_Indent(out, level); + fprintf(out, "unknown SPKI algorithm type\n"); + goto loser; + } + PORT_FreeArena(pk->arena, PR_FALSE); + } else { + SECU_PrintErrMsg(out, level, "Error", "Parsing public key"); + loser: + if (i->subjectPublicKey.data) { + SECU_PrintAny(out, &i->subjectPublicKey, "Raw", level); + } + } +} + +static void +printStringWithoutCRLF(FILE *out, const char *str) +{ + const char *c = str; + while (*c) { + if (*c != '\r' && *c != '\n') { + fputc(*c, out); + } + ++c; + } +} + +int +SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m, + int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificate *c; + int rv = SEC_ERROR_NO_MEMORY; + char *derIssuerB64; + char *derSerialB64; + + if (!arena) + return rv; + + /* Decode certificate */ + c = PORT_ArenaZNew(arena, CERTCertificate); + if (!c) + goto loser; + c->arena = arena; + rv = SEC_ASN1DecodeItem(arena, c, + SEC_ASN1_GET(CERT_CertificateTemplate), der); + if (rv) { + SECU_PrintErrMsg(out, 0, "Error", "Parsing extension"); + goto loser; + } + + SECU_PrintName(out, &c->subject, "Subject", 0); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); + SECU_PrintName(out, &c->issuer, "Issuer", 0); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); + SECU_PrintInteger(out, &c->serialNumber, "Serial Number", 0); + + derIssuerB64 = BTOA_ConvertItemToAscii(&c->derIssuer); + derSerialB64 = BTOA_ConvertItemToAscii(&c->serialNumber); + + fprintf(out, "Issuer DER Base64:\n"); + if (SECU_GetWrapEnabled()) { + fprintf(out, "%s\n", derIssuerB64); + } else { + printStringWithoutCRLF(out, derIssuerB64); + fputs("\n", out); + } + + fprintf(out, "Serial DER Base64:\n"); + if (SECU_GetWrapEnabled()) { + fprintf(out, "%s\n", derSerialB64); + } else { + printStringWithoutCRLF(out, derSerialB64); + fputs("\n", out); + } + + PORT_Free(derIssuerB64); + PORT_Free(derSerialB64); + + fprintf(out, "Serial DER as C source: \n{ %d, \"", c->serialNumber.len); + + { + unsigned int i; + for (i = 0; i < c->serialNumber.len; ++i) { + unsigned char *chardata = (unsigned char *)(c->serialNumber.data); + unsigned char ch = *(chardata + i); + + fprintf(out, "\\x%02x", ch); + } + fprintf(out, "\" }\n"); + } + +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +static SECStatus +secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level) +{ + SECItem decodedValue; + SECStatus rv; + PRTime invalidTime; + char *formattedTime = NULL; + + decodedValue.data = NULL; + rv = SEC_ASN1DecodeItem(NULL, &decodedValue, + SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), + value); + if (rv == SECSuccess) { + rv = DER_GeneralizedTimeToTime(&invalidTime, &decodedValue); + if (rv == SECSuccess) { + formattedTime = CERT_GenTime2FormattedAscii(invalidTime, "%a %b %d %H:%M:%S %Y"); + SECU_Indent(out, level + 1); + fprintf(out, "%s: %s\n", msg, formattedTime); + PORT_Free(formattedTime); + } + } + PORT_Free(decodedValue.data); + return (rv); +} + +static SECStatus +PrintExtKeyUsageExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTOidSequence *os; + SECItem **op; + + os = CERT_DecodeOidSequence(value); + if ((CERTOidSequence *)NULL == os) { + return SECFailure; + } + + for (op = os->oids; *op; op++) { + SECU_PrintObjectID(out, *op, msg, level + 1); + } + CERT_DestroyOidSequence(os); + return SECSuccess; +} + +static SECStatus +secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) +{ + CERTBasicConstraints constraints; + SECStatus rv; + + SECU_Indent(out, level); + if (msg) { + fprintf(out, "%s: ", msg); + } + rv = CERT_DecodeBasicConstraintValue(&constraints, value); + if (rv == SECSuccess && constraints.isCA) { + if (constraints.pathLenConstraint >= 0) { + fprintf(out, "Is a CA with a maximum path length of %d.\n", + constraints.pathLenConstraint); + } else { + fprintf(out, "Is a CA with no maximum path length.\n"); + } + } else { + fprintf(out, "Is not a CA.\n"); + } + return SECSuccess; +} + +static const char *const nsTypeBits[] = { + "SSL Client", + "SSL Server", + "S/MIME", + "Object Signing", + "Reserved", + "SSL CA", + "S/MIME CA", + "ObjectSigning CA" +}; + +/* NSCertType is merely a bit string whose bits are displayed symbolically */ +static SECStatus +secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level) +{ + int unused; + int NS_Type; + int i; + int found = 0; + SECItem my = *value; + + if ((my.data[0] != SEC_ASN1_BIT_STRING) || + SECSuccess != SECU_StripTagAndLength(&my)) { + SECU_PrintAny(out, value, "Data", level); + return SECSuccess; + } + + unused = (my.len == 2) ? (my.data[0] & 0x0f) : 0; + NS_Type = my.data[1] & (0xff << unused); + + SECU_Indent(out, level); + if (msg) { + fprintf(out, "%s: ", msg); + } else { + fprintf(out, "Netscape Certificate Type: "); + } + for (i = 0; i < 8; i++) { + if ((0x80 >> i) & NS_Type) { + fprintf(out, "%c%s", (found ? ',' : '<'), nsTypeBits[i]); + found = 1; + } + } + fprintf(out, (found ? ">\n" : "none\n")); + return SECSuccess; +} + +static const char *const usageBits[] = { + "Digital Signature", /* 0x80 */ + "Non-Repudiation", /* 0x40 */ + "Key Encipherment", /* 0x20 */ + "Data Encipherment", /* 0x10 */ + "Key Agreement", /* 0x08 */ + "Certificate Signing", /* 0x04 */ + "CRL Signing", /* 0x02 */ + "Encipher Only", /* 0x01 */ + "Decipher Only", /* 0x0080 */ + NULL +}; + +/* X509KeyUsage is merely a bit string whose bits are displayed symbolically */ +static void +secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) +{ + int unused; + int usage; + int i; + int found = 0; + SECItem my = *value; + + if ((my.data[0] != SEC_ASN1_BIT_STRING) || + SECSuccess != SECU_StripTagAndLength(&my)) { + SECU_PrintAny(out, value, "Data", level); + return; + } + + unused = (my.len >= 2) ? (my.data[0] & 0x0f) : 0; + usage = (my.len == 2) ? (my.data[1] & (0xff << unused)) << 8 + : (my.data[1] << 8) | + (my.data[2] & (0xff << unused)); + + SECU_Indent(out, level); + fprintf(out, "Usages: "); + for (i = 0; usageBits[i]; i++) { + if ((0x8000 >> i) & usage) { + if (found) + SECU_Indent(out, level + 2); + fprintf(out, "%s\n", usageBits[i]); + found = 1; + } + } + if (!found) { + fprintf(out, "(none)\n"); + } +} + +static void +secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level) +{ + PRStatus st; + PRNetAddr addr; + char addrBuf[80]; + + memset(&addr, 0, sizeof addr); + if (value->len == 4) { + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, value->data, value->len); + } else if (value->len == 16) { + addr.ipv6.family = PR_AF_INET6; + memcpy(addr.ipv6.ip.pr_s6_addr, value->data, value->len); + if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) { + /* convert to IPv4. */ + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4); + memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad); + } + } else { + goto loser; + } + + st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf); + if (st == PR_SUCCESS) { + SECU_Indent(out, level); + fprintf(out, "%s: %s\n", msg, addrBuf); + } else { + loser: + SECU_PrintAsHex(out, value, msg, level); + } +} + +static void +secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level) +{ + char label[40]; + if (msg && msg[0]) { + SECU_Indent(out, level++); + fprintf(out, "%s: \n", msg); + } + switch (gname->type) { + case certOtherName: + SECU_PrintAny(out, &gname->name.OthName.name, "Other Name", level); + SECU_PrintObjectID(out, &gname->name.OthName.oid, "OID", level + 1); + break; + case certDirectoryName: + SECU_PrintName(out, &gname->name.directoryName, "Directory Name", level); + break; + case certRFC822Name: + secu_PrintRawString(out, &gname->name.other, "RFC822 Name", level); + break; + case certDNSName: + secu_PrintRawString(out, &gname->name.other, "DNS name", level); + break; + case certURI: + secu_PrintRawString(out, &gname->name.other, "URI", level); + break; + case certIPAddress: + secu_PrintIPAddress(out, &gname->name.other, "IP Address", level); + break; + case certRegisterID: + SECU_PrintObjectID(out, &gname->name.other, "Registered ID", level); + break; + case certX400Address: + SECU_PrintAny(out, &gname->name.other, "X400 Address", level); + break; + case certEDIPartyName: + SECU_PrintAny(out, &gname->name.other, "EDI Party", level); + break; + default: + PR_snprintf(label, sizeof label, "unknown type [%d]", + (int)gname->type - 1); + SECU_PrintAsHex(out, &gname->name.other, label, level); + break; + } +} + +static void +secu_PrintGeneralNames(FILE *out, CERTGeneralName *gname, char *msg, int level) +{ + CERTGeneralName *name = gname; + do { + secu_PrintGeneralName(out, name, msg, level); + name = CERT_GetNextGeneralName(name); + } while (name && name != gname); +} + +static void +secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTAuthKeyID *kid = NULL; + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + kid = CERT_DecodeAuthKeyID(pool, value); + if (!kid) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } else { + int keyIDPresent = (kid->keyID.data && kid->keyID.len); + int issuerPresent = kid->authCertIssuer != NULL; + int snPresent = (kid->authCertSerialNumber.data && + kid->authCertSerialNumber.len); + + if (keyIDPresent) + SECU_PrintAsHex(out, &kid->keyID, "Key ID", level); + if (issuerPresent) + secu_PrintGeneralName(out, kid->authCertIssuer, "Issuer", level); + if (snPresent) + SECU_PrintInteger(out, &kid->authCertSerialNumber, + "Serial Number", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + +static void +secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTGeneralName *nameList; + CERTGeneralName *current; + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + nameList = current = CERT_DecodeAltNameExtension(pool, value); + if (!current) { + if (PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { + /* Decoder found empty sequence, which is invalid. */ + PORT_SetError(SEC_ERROR_EXTENSION_VALUE_INVALID); + } + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } else { + do { + secu_PrintGeneralName(out, current, msg, level); + current = CERT_GetNextGeneralName(current); + } while (current != nameList); + } + PORT_FreeArena(pool, PR_FALSE); +} + +static void +secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTCrlDistributionPoints *dPoints; + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + dPoints = CERT_DecodeCRLDistributionPoints(pool, value); + if (dPoints && dPoints->distPoints && dPoints->distPoints[0]) { + CRLDistributionPoint **pPoints = dPoints->distPoints; + CRLDistributionPoint *pPoint; + while (NULL != (pPoint = *pPoints++)) { + SECU_Indent(out, level); + fputs("Distribution point:\n", out); + if (pPoint->distPointType == generalName && + pPoint->distPoint.fullName != NULL) { + secu_PrintGeneralNames(out, pPoint->distPoint.fullName, NULL, + level + 1); + } else if (pPoint->distPointType == relativeDistinguishedName && + pPoint->distPoint.relativeName.avas) { + SECU_PrintRDN(out, &pPoint->distPoint.relativeName, "RDN", + level + 1); + } else if (pPoint->derDistPoint.data) { + SECU_PrintAny(out, &pPoint->derDistPoint, "Point", level + 1); + } + if (pPoint->reasons.data) { + secu_PrintDecodedBitString(out, &pPoint->reasons, "Reasons", + level + 1); + } + if (pPoint->crlIssuer) { + secu_PrintGeneralName(out, pPoint->crlIssuer, "CRL issuer", + level + 1); + } + } + } else { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Data", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + +static void +secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, + char *msg, int level) +{ + CERTNameConstraint *head = value; + SECU_Indent(out, level); + fprintf(out, "%s Subtree:\n", msg); + level++; + do { + secu_PrintGeneralName(out, &value->name, NULL, level); + if (value->min.data) + SECU_PrintInteger(out, &value->min, "Minimum", level + 1); + if (value->max.data) + SECU_PrintInteger(out, &value->max, "Maximum", level + 1); + value = CERT_GetNextNameConstraint(value); + } while (value != head); +} + +static void +secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, char *msg, int level) +{ + CERTNameConstraints *cnstrnts; + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + cnstrnts = CERT_DecodeNameConstraintsExtension(pool, value); + if (!cnstrnts) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Raw", level); + } else { + if (cnstrnts->permited) + secu_PrintNameConstraintSubtree(out, cnstrnts->permited, + "Permitted", level); + if (cnstrnts->excluded) + secu_PrintNameConstraintSubtree(out, cnstrnts->excluded, + "Excluded", level); + } + PORT_FreeArena(pool, PR_FALSE); +} + +static void +secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level) +{ + CERTAuthInfoAccess **infos = NULL; + PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + + if (!pool) { + SECU_PrintError("Error", "Allocating new ArenaPool"); + return; + } + infos = CERT_DecodeAuthInfoAccessExtension(pool, value); + if (!infos) { + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, value, "Raw", level); + } else { + CERTAuthInfoAccess *info; + while (NULL != (info = *infos++)) { + if (info->method.data) { + SECU_PrintObjectID(out, &info->method, "Method", level); + } else { + SECU_Indent(out, level); + fprintf(out, "Error: missing method\n"); + } + if (info->location) { + secu_PrintGeneralName(out, info->location, "Location", level); + } else { + SECU_PrintAny(out, &info->derLocation, "Location", level); + } + } + } + PORT_FreeArena(pool, PR_FALSE); +} + +void +SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + char *msg, int level) +{ + SECOidTag oidTag; + + if (extensions) { + if (msg && *msg) { + SECU_Indent(out, level++); + fprintf(out, "%s:\n", msg); + } + + while (*extensions) { + SECItem *tmpitem; + + tmpitem = &(*extensions)->id; + SECU_PrintObjectID(out, tmpitem, "Name", level); + + tmpitem = &(*extensions)->critical; + if (tmpitem->len) { + secu_PrintBoolean(out, tmpitem, "Critical", level); + } + + oidTag = SECOID_FindOIDTag(&((*extensions)->id)); + tmpitem = &((*extensions)->value); + + switch (oidTag) { + case SEC_OID_X509_INVALID_DATE: + case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_TIME: + secu_PrintX509InvalidDate(out, tmpitem, "Date", level); + break; + case SEC_OID_X509_CERTIFICATE_POLICIES: + SECU_PrintPolicy(out, tmpitem, "Data", level); + break; + case SEC_OID_NS_CERT_EXT_BASE_URL: + case SEC_OID_NS_CERT_EXT_REVOCATION_URL: + case SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL: + case SEC_OID_NS_CERT_EXT_CA_CRL_URL: + case SEC_OID_NS_CERT_EXT_CA_CERT_URL: + case SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL: + case SEC_OID_NS_CERT_EXT_CA_POLICY_URL: + case SEC_OID_NS_CERT_EXT_HOMEPAGE_URL: + case SEC_OID_NS_CERT_EXT_LOST_PASSWORD_URL: + case SEC_OID_OCSP_RESPONDER: + SECU_PrintString(out, tmpitem, "URL", level); + break; + case SEC_OID_NS_CERT_EXT_COMMENT: + SECU_PrintString(out, tmpitem, "Comment", level); + break; + case SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME: + SECU_PrintString(out, tmpitem, "ServerName", level); + break; + case SEC_OID_NS_CERT_EXT_CERT_TYPE: + secu_PrintNSCertType(out, tmpitem, "Data", level); + break; + case SEC_OID_X509_BASIC_CONSTRAINTS: + secu_PrintBasicConstraints(out, tmpitem, "Data", level); + break; + case SEC_OID_X509_EXT_KEY_USAGE: + PrintExtKeyUsageExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_KEY_USAGE: + secu_PrintX509KeyUsage(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_AUTH_KEY_ID: + secu_PrintAuthKeyIDExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_SUBJECT_ALT_NAME: + case SEC_OID_X509_ISSUER_ALT_NAME: + secu_PrintAltNameExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_CRL_DIST_POINTS: + secu_PrintCRLDistPtsExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD: + SECU_PrintPrivKeyUsagePeriodExtension(out, tmpitem, NULL, + level); + break; + case SEC_OID_X509_NAME_CONSTRAINTS: + secu_PrintNameConstraintsExtension(out, tmpitem, NULL, level); + break; + case SEC_OID_X509_AUTH_INFO_ACCESS: + secu_PrintAuthorityInfoAcess(out, tmpitem, NULL, level); + break; + + case SEC_OID_X509_CRL_NUMBER: + case SEC_OID_X509_REASON_CODE: + + /* PKIX OIDs */ + case SEC_OID_PKIX_OCSP: + case SEC_OID_PKIX_OCSP_BASIC_RESPONSE: + case SEC_OID_PKIX_OCSP_NONCE: + case SEC_OID_PKIX_OCSP_CRL: + case SEC_OID_PKIX_OCSP_RESPONSE: + case SEC_OID_PKIX_OCSP_NO_CHECK: + case SEC_OID_PKIX_OCSP_ARCHIVE_CUTOFF: + case SEC_OID_PKIX_OCSP_SERVICE_LOCATOR: + case SEC_OID_PKIX_REGCTRL_REGTOKEN: + case SEC_OID_PKIX_REGCTRL_AUTHENTICATOR: + case SEC_OID_PKIX_REGCTRL_PKIPUBINFO: + case SEC_OID_PKIX_REGCTRL_PKI_ARCH_OPTIONS: + case SEC_OID_PKIX_REGCTRL_OLD_CERT_ID: + case SEC_OID_PKIX_REGCTRL_PROTOCOL_ENC_KEY: + case SEC_OID_PKIX_REGINFO_UTF8_PAIRS: + case SEC_OID_PKIX_REGINFO_CERT_REQUEST: + + /* Netscape extension OIDs. */ + case SEC_OID_NS_CERT_EXT_NETSCAPE_OK: + case SEC_OID_NS_CERT_EXT_ISSUER_LOGO: + case SEC_OID_NS_CERT_EXT_SUBJECT_LOGO: + case SEC_OID_NS_CERT_EXT_ENTITY_LOGO: + case SEC_OID_NS_CERT_EXT_USER_PICTURE: + + /* x.509 v3 Extensions */ + case SEC_OID_X509_SUBJECT_DIRECTORY_ATTR: + case SEC_OID_X509_SUBJECT_KEY_ID: + case SEC_OID_X509_POLICY_MAPPINGS: + case SEC_OID_X509_POLICY_CONSTRAINTS: + + default: + SECU_PrintAny(out, tmpitem, "Data", level); + break; + } + + SECU_Newline(out); + extensions++; + } + } +} + +/* An RDN is a subset of a DirectoryName, and we already know how to + * print those, so make a directory name out of the RDN, and print it. + */ +void +SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level) +{ + CERTName name; + CERTRDN *rdns[2]; + + name.arena = NULL; + name.rdns = rdns; + rdns[0] = rdn; + rdns[1] = NULL; + SECU_PrintName(out, &name, msg, level); +} + +void +SECU_PrintNameQuotesOptional(FILE *out, CERTName *name, const char *msg, + int level, PRBool quotes) +{ + char *nameStr = NULL; + char *str; + SECItem my; + + if (!name) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return; + } + if (!name->rdns || !name->rdns[0]) { + str = "(empty)"; + } else { + str = nameStr = CERT_NameToAscii(name); + } + if (!str) { + str = "!Invalid AVA!"; + } + my.data = (unsigned char *)str; + my.len = PORT_Strlen(str); +#if 1 + secu_PrintRawStringQuotesOptional(out, &my, msg, level, quotes); +#else + SECU_Indent(out, level); + fprintf(out, "%s: ", msg); + fprintf(out, str); + SECU_Newline(out); +#endif + PORT_Free(nameStr); +} + +void +SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level) +{ + SECU_PrintNameQuotesOptional(out, name, msg, level, PR_TRUE); +} + +void +printflags(char *trusts, unsigned int flags) +{ + if (flags & CERTDB_VALID_CA) + if (!(flags & CERTDB_TRUSTED_CA) && + !(flags & CERTDB_TRUSTED_CLIENT_CA)) + PORT_Strcat(trusts, "c"); + if (flags & CERTDB_TERMINAL_RECORD) + if (!(flags & CERTDB_TRUSTED)) + PORT_Strcat(trusts, "p"); + if (flags & CERTDB_TRUSTED_CA) + PORT_Strcat(trusts, "C"); + if (flags & CERTDB_TRUSTED_CLIENT_CA) + PORT_Strcat(trusts, "T"); + if (flags & CERTDB_TRUSTED) + PORT_Strcat(trusts, "P"); + if (flags & CERTDB_USER) + PORT_Strcat(trusts, "u"); + if (flags & CERTDB_SEND_WARN) + PORT_Strcat(trusts, "w"); + if (flags & CERTDB_INVISIBLE_CA) + PORT_Strcat(trusts, "I"); + if (flags & CERTDB_GOVT_APPROVED_CA) + PORT_Strcat(trusts, "G"); + return; +} + +/* callback for listing certs through pkcs11 */ +SECStatus +SECU_PrintCertNickname(CERTCertListNode *node, void *data) +{ + CERTCertTrust trust; + CERTCertificate *cert; + FILE *out; + char trusts[30]; + char *name; + + cert = node->cert; + + PORT_Memset(trusts, 0, sizeof(trusts)); + out = (FILE *)data; + + name = node->appData; + if (!name || !name[0]) { + name = cert->nickname; + } + if (!name || !name[0]) { + name = cert->emailAddr; + } + if (!name || !name[0]) { + name = "(NULL)"; + } + + if (CERT_GetCertTrust(cert, &trust) == SECSuccess) { + printflags(trusts, trust.sslFlags); + PORT_Strcat(trusts, ","); + printflags(trusts, trust.emailFlags); + PORT_Strcat(trusts, ","); + printflags(trusts, trust.objectSigningFlags); + } else { + PORT_Memcpy(trusts, ",,", 3); + } + fprintf(out, "%-60s %-5s\n", name, trusts); + + return (SECSuccess); +} + +int +SECU_DecodeAndPrintExtensions(FILE *out, SECItem *any, char *m, int level) +{ + CERTCertExtension **extensions = NULL; + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + int rv = 0; + + if (!arena) + return SEC_ERROR_NO_MEMORY; + + rv = SEC_QuickDERDecodeItem(arena, &extensions, + SEC_ASN1_GET(CERT_SequenceOfCertExtensionTemplate), any); + if (!rv) + SECU_PrintExtensions(out, extensions, m, level); + else + SECU_PrintAny(out, any, m, level); + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* print a decoded SET OF or SEQUENCE OF Extensions */ +int +SECU_PrintSetOfExtensions(FILE *out, SECItem **any, char *m, int level) +{ + int rv = 0; + if (m && *m) { + SECU_Indent(out, level++); + fprintf(out, "%s:\n", m); + } + while (any && any[0]) { + rv |= SECU_DecodeAndPrintExtensions(out, any[0], "", level); + any++; + } + return rv; +} + +/* print a decoded SET OF or SEQUENCE OF "ANY" */ +int +SECU_PrintSetOfAny(FILE *out, SECItem **any, char *m, int level) +{ + int rv = 0; + if (m && *m) { + SECU_Indent(out, level++); + fprintf(out, "%s:\n", m); + } + while (any && any[0]) { + SECU_PrintAny(out, any[0], "", level); + any++; + } + return rv; +} + +int +SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, char *m, int level) +{ + int rv = 0; + SECOidTag tag; + tag = SECU_PrintObjectID(out, &attr->attrType, "Attribute Type", level); + if (tag == SEC_OID_PKCS9_EXTENSION_REQUEST) { + rv = SECU_PrintSetOfExtensions(out, attr->attrValue, "Extensions", level); + } else { + rv = SECU_PrintSetOfAny(out, attr->attrValue, "Attribute Values", level); + } + return rv; +} + +int +SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level) +{ + int rv = 0; + while (attrs[0]) { + rv |= SECU_PrintCertAttribute(out, attrs[0], m, level + 1); + attrs++; + } + return rv; +} + +/* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ +int +SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificateRequest *cr; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + /* Decode certificate request */ + cr = PORT_ArenaZNew(arena, CERTCertificateRequest); + if (!cr) + goto loser; + cr->arena = arena; + rv = SEC_QuickDERDecodeItem(arena, cr, + SEC_ASN1_GET(CERT_CertificateRequestTemplate), der); + if (rv) + goto loser; + + /* Pretty print it out */ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &cr->version, "Version", level + 1); + SECU_PrintName(out, &cr->subject, "Subject", level + 1); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); + secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo, + "Subject Public Key Info", level + 1); + if (cr->attributes) + SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level + 1); + rv = 0; +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m, int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificate *c; + int rv = SEC_ERROR_NO_MEMORY; + int iv; + + if (!arena) + return rv; + + /* Decode certificate */ + c = PORT_ArenaZNew(arena, CERTCertificate); + if (!c) + goto loser; + c->arena = arena; + rv = SEC_ASN1DecodeItem(arena, c, + SEC_ASN1_GET(CERT_CertificateTemplate), der); + if (rv) { + SECU_Indent(out, level); + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, der, "Raw", level); + goto loser; + } + /* Pretty print it out */ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + iv = c->version.len ? DER_GetInteger(&c->version) : 0; /* version is optional */ + SECU_Indent(out, level + 1); + fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); + + SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level + 1); + SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level + 1); + SECU_PrintName(out, &c->issuer, "Issuer", level + 1); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); + secu_PrintValidity(out, &c->validity, "Validity", level + 1); + SECU_PrintName(out, &c->subject, "Subject", level + 1); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); + secu_PrintSubjectPublicKeyInfo(out, arena, &c->subjectPublicKeyInfo, + "Subject Public Key Info", level + 1); + if (c->issuerID.data) + secu_PrintDecodedBitString(out, &c->issuerID, "Issuer Unique ID", level + 1); + if (c->subjectID.data) + secu_PrintDecodedBitString(out, &c->subjectID, "Subject Unique ID", level + 1); + SECU_PrintExtensions(out, c->extensions, "Signed Extensions", level + 1); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCertificate *c; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + /* Decode certificate */ + c = PORT_ArenaZNew(arena, CERTCertificate); + if (!c) + goto loser; + c->arena = arena; + rv = SEC_ASN1DecodeItem(arena, c, + SEC_ASN1_GET(CERT_CertificateTemplate), der); + if (rv) { + SECU_Indent(out, level); + SECU_PrintErrMsg(out, level, "Error", "Parsing extension"); + SECU_PrintAny(out, der, "Raw", level); + goto loser; + } + /* Pretty print it out */ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &c->serialNumber, "Serial Number", level + 1); + SECU_PrintAlgorithmID(out, &c->signature, "Signature Algorithm", level + 1); + SECU_PrintName(out, &c->issuer, "Issuer", level + 1); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); + secu_PrintValidity(out, &c->validity, "Validity", level + 1); + SECU_PrintName(out, &c->subject, "Subject", level + 1); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + int rv = SEC_ERROR_NO_MEMORY; + CERTSubjectPublicKeyInfo spki; + + if (!arena) + return rv; + + PORT_Memset(&spki, 0, sizeof spki); + rv = SEC_ASN1DecodeItem(arena, &spki, + SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate), + der); + if (!rv) { + if (m && *m) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + } + secu_PrintSubjectPublicKeyInfo(out, arena, &spki, + "Subject Public Key Info", level + 1); + } + + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + SECKEYEncryptedPrivateKeyInfo key; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + PORT_Memset(&key, 0, sizeof(key)); + rv = SEC_ASN1DecodeItem(arena, &key, + SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), der); + if (rv) + goto loser; + + /* Pretty print it out */ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintAlgorithmID(out, &key.algorithm, "Encryption Algorithm", + level + 1); + SECU_PrintAsHex(out, &key.encryptedData, "Encrypted Data", level + 1); +loser: + PORT_FreeArena(arena, PR_TRUE); + return rv; +} + +int +SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level) +{ + unsigned char fingerprint[SHA256_LENGTH]; + char *fpStr = NULL; + int err = PORT_GetError(); + SECStatus rv; + SECItem fpItem; + + /* Print SHA-256 fingerprint */ + memset(fingerprint, 0, sizeof fingerprint); + rv = PK11_HashBuf(SEC_OID_SHA256, fingerprint, derCert->data, derCert->len); + fpItem.data = fingerprint; + fpItem.len = SHA256_LENGTH; + fpStr = CERT_Hexify(&fpItem, 1); + SECU_Indent(out, level); + fprintf(out, "%s (SHA-256):", m); + if (SECU_GetWrapEnabled()) { + fprintf(out, "\n"); + SECU_Indent(out, level + 1); + } else { + fprintf(out, " "); + } + fprintf(out, "%s\n", fpStr); + PORT_Free(fpStr); + fpStr = NULL; + if (rv != SECSuccess && !err) + err = PORT_GetError(); + + /* print SHA1 fingerprint */ + memset(fingerprint, 0, sizeof fingerprint); + rv = PK11_HashBuf(SEC_OID_SHA1, fingerprint, derCert->data, derCert->len); + fpItem.data = fingerprint; + fpItem.len = SHA1_LENGTH; + fpStr = CERT_Hexify(&fpItem, 1); + SECU_Indent(out, level); + fprintf(out, "%s (SHA1):", m); + if (SECU_GetWrapEnabled()) { + fprintf(out, "\n"); + SECU_Indent(out, level + 1); + } else { + fprintf(out, " "); + } + fprintf(out, "%s\n", fpStr); + PORT_Free(fpStr); + if (SECU_GetWrapEnabled()) + fprintf(out, "\n"); + + if (err) + PORT_SetError(err); + if (err || rv != SECSuccess) + return SECFailure; + + return 0; +} + +/* +** PKCS7 Support +*/ + +/* forward declaration */ +typedef enum { + secuPKCS7Unknown = 0, + secuPKCS7PKCS12AuthSafe, + secuPKCS7PKCS12Safe +} secuPKCS7State; + +static int +secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, secuPKCS7State, + const char *, int); +static int +secu_PrintDERPKCS7ContentInfo(FILE *, SECItem *, secuPKCS7State, + const char *, int); + +/* +** secu_PrintPKCS7EncContent +** Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it) +*/ +static int +secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, + secuPKCS7State state, const char *m, int level) +{ + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_Indent(out, level + 1); + fprintf(out, "Content Type: %s\n", + (src->contentTypeTag != NULL) ? src->contentTypeTag->desc + : "Unknown"); + SECU_PrintAlgorithmID(out, &(src->contentEncAlg), + "Content Encryption Algorithm", level + 1); + SECU_PrintAsHex(out, &(src->encContent), + "Encrypted Content", level + 1); + return 0; +} + +/* +** secu_PrintRecipientInfo +** Prints a PKCS7RecipientInfo type +*/ +static void +secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, + const char *m, int level) +{ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(info->version), "Version", level + 1); + + SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", + level + 1); + SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), + "Serial Number", level + 1); + + /* Parse and display encrypted key */ + SECU_PrintAlgorithmID(out, &(info->keyEncAlg), + "Key Encryption Algorithm", level + 1); + SECU_PrintAsHex(out, &(info->encKey), "Encrypted Key", level + 1); +} + +/* +** secu_PrintSignerInfo +** Prints a PKCS7SingerInfo type +*/ +static void +secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, + const char *m, int level) +{ + SEC_PKCS7Attribute *attr; + int iv; + char om[100]; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(info->version), "Version", level + 1); + + SECU_PrintName(out, &(info->issuerAndSN->issuer), "Issuer", + level + 1); + SECU_PrintInteger(out, &(info->issuerAndSN->serialNumber), + "Serial Number", level + 1); + + SECU_PrintAlgorithmID(out, &(info->digestAlg), "Digest Algorithm", + level + 1); + + if (info->authAttr != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Authenticated Attributes:\n"); + iv = 0; + while ((attr = info->authAttr[iv++]) != NULL) { + sprintf(om, "Attribute (%d)", iv); + secu_PrintAttribute(out, attr, om, level + 2); + } + } + + /* Parse and display signature */ + SECU_PrintAlgorithmID(out, &(info->digestEncAlg), + "Digest Encryption Algorithm", level + 1); + SECU_PrintAsHex(out, &(info->encDigest), "Encrypted Digest", level + 1); + + if (info->unAuthAttr != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Unauthenticated Attributes:\n"); + iv = 0; + while ((attr = info->unAuthAttr[iv++]) != NULL) { + sprintf(om, "Attribute (%x)", iv); + secu_PrintAttribute(out, attr, om, level + 2); + } + } +} + +/* callers of this function must make sure that the CERTSignedCrl + from which they are extracting the CERTCrl has been fully-decoded. + Otherwise it will not have the entries even though the CRL may have + some */ + +void +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level) +{ + CERTCrlEntry *entry; + int iv; + char om[100]; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + /* version is optional */ + iv = crl->version.len ? DER_GetInteger(&crl->version) : 0; + SECU_Indent(out, level + 1); + fprintf(out, "%s: %d (0x%x)\n", "Version", iv + 1, iv); + SECU_PrintAlgorithmID(out, &(crl->signatureAlg), "Signature Algorithm", + level + 1); + SECU_PrintName(out, &(crl->name), "Issuer", level + 1); + SECU_PrintTimeChoice(out, &(crl->lastUpdate), "This Update", level + 1); + if (crl->nextUpdate.data && crl->nextUpdate.len) /* is optional */ + SECU_PrintTimeChoice(out, &(crl->nextUpdate), "Next Update", level + 1); + + if (crl->entries != NULL) { + iv = 0; + while ((entry = crl->entries[iv++]) != NULL) { + sprintf(om, "Entry %d (0x%x):\n", iv, iv); + SECU_Indent(out, level + 1); + fputs(om, out); + SECU_PrintInteger(out, &(entry->serialNumber), "Serial Number", + level + 2); + SECU_PrintTimeChoice(out, &(entry->revocationDate), + "Revocation Date", level + 2); + SECU_PrintExtensions(out, entry->extensions, + "Entry Extensions", level + 2); + } + } + SECU_PrintExtensions(out, crl->extensions, "CRL Extensions", level + 1); +} + +/* +** secu_PrintPKCS7Signed +** Pretty print a PKCS7 signed data type (up to version 1). +*/ +static int +secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src, + secuPKCS7State state, const char *m, int level) +{ + SECAlgorithmID *digAlg; /* digest algorithms */ + SECItem *aCert; /* certificate */ + CERTSignedCrl *aCrl; /* certificate revocation list */ + SEC_PKCS7SignerInfo *sigInfo; /* signer information */ + int rv, iv; + char om[100]; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list digest algorithms (if any) */ + if (src->digestAlgorithms != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Digest Algorithm List:\n"); + iv = 0; + while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { + sprintf(om, "Digest Algorithm (%x)", iv); + SECU_PrintAlgorithmID(out, digAlg, om, level + 2); + } + } + + /* Now for the content */ + rv = secu_PrintPKCS7ContentInfo(out, &(src->contentInfo), + state, "Content Information", level + 1); + if (rv != 0) + return rv; + + /* Parse and list certificates (if any) */ + if (src->rawCerts != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Certificate List:\n"); + iv = 0; + while ((aCert = src->rawCerts[iv++]) != NULL) { + sprintf(om, "Certificate (%x)", iv); + rv = SECU_PrintSignedData(out, aCert, om, level + 2, + (SECU_PPFunc)SECU_PrintCertificate); + if (rv) + return rv; + } + } + + /* Parse and list CRL's (if any) */ + if (src->crls != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signed Revocation Lists:\n"); + iv = 0; + while ((aCrl = src->crls[iv++]) != NULL) { + sprintf(om, "Signed Revocation List (%x)", iv); + SECU_Indent(out, level + 2); + fprintf(out, "%s:\n", om); + SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, + "Signature Algorithm", level + 3); + DER_ConvertBitString(&aCrl->signatureWrap.signature); + SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", + level + 3); + SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", + level + 3); + } + } + + /* Parse and list signatures (if any) */ + if (src->signerInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signer Information List:\n"); + iv = 0; + while ((sigInfo = src->signerInfos[iv++]) != NULL) { + sprintf(om, "Signer Information (%x)", iv); + secu_PrintSignerInfo(out, sigInfo, om, level + 2); + } + } + + return 0; +} + +/* +** secu_PrintPKCS7Enveloped +** Pretty print a PKCS7 enveloped data type (up to version 1). +*/ +static int +secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src, + secuPKCS7State state, const char *m, int level) +{ + SEC_PKCS7RecipientInfo *recInfo; /* pointer for signer information */ + int iv; + char om[100]; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list recipients (this is not optional) */ + if (src->recipientInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Recipient Information List:\n"); + iv = 0; + while ((recInfo = src->recipientInfos[iv++]) != NULL) { + sprintf(om, "Recipient Information (%x)", iv); + secu_PrintRecipientInfo(out, recInfo, om, level + 2); + } + } + + return secu_PrintPKCS7EncContent(out, &src->encContentInfo, state, + "Encrypted Content Information", level + 1); +} + +/* +** secu_PrintPKCS7SignedEnveloped +** Pretty print a PKCS7 singed and enveloped data type (up to version 1). +*/ +static int +secu_PrintPKCS7SignedAndEnveloped(FILE *out, + SEC_PKCS7SignedAndEnvelopedData *src, + secuPKCS7State state, const char *m, + int level) +{ + SECAlgorithmID *digAlg; /* pointer for digest algorithms */ + SECItem *aCert; /* pointer for certificate */ + CERTSignedCrl *aCrl; /* pointer for certificate revocation list */ + SEC_PKCS7SignerInfo *sigInfo; /* pointer for signer information */ + SEC_PKCS7RecipientInfo *recInfo; /* pointer for recipient information */ + int rv, iv; + char om[100]; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + /* Parse and list recipients (this is not optional) */ + if (src->recipientInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Recipient Information List:\n"); + iv = 0; + while ((recInfo = src->recipientInfos[iv++]) != NULL) { + sprintf(om, "Recipient Information (%x)", iv); + secu_PrintRecipientInfo(out, recInfo, om, level + 2); + } + } + + /* Parse and list digest algorithms (if any) */ + if (src->digestAlgorithms != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Digest Algorithm List:\n"); + iv = 0; + while ((digAlg = src->digestAlgorithms[iv++]) != NULL) { + sprintf(om, "Digest Algorithm (%x)", iv); + SECU_PrintAlgorithmID(out, digAlg, om, level + 2); + } + } + + rv = secu_PrintPKCS7EncContent(out, &src->encContentInfo, state, + "Encrypted Content Information", level + 1); + if (rv) + return rv; + + /* Parse and list certificates (if any) */ + if (src->rawCerts != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Certificate List:\n"); + iv = 0; + while ((aCert = src->rawCerts[iv++]) != NULL) { + sprintf(om, "Certificate (%x)", iv); + rv = SECU_PrintSignedData(out, aCert, om, level + 2, + (SECU_PPFunc)SECU_PrintCertificate); + if (rv) + return rv; + } + } + + /* Parse and list CRL's (if any) */ + if (src->crls != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signed Revocation Lists:\n"); + iv = 0; + while ((aCrl = src->crls[iv++]) != NULL) { + sprintf(om, "Signed Revocation List (%x)", iv); + SECU_Indent(out, level + 2); + fprintf(out, "%s:\n", om); + SECU_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, + "Signature Algorithm", level + 3); + DER_ConvertBitString(&aCrl->signatureWrap.signature); + SECU_PrintAsHex(out, &aCrl->signatureWrap.signature, "Signature", + level + 3); + SECU_PrintCRLInfo(out, &aCrl->crl, "Certificate Revocation List", + level + 3); + } + } + + /* Parse and list signatures (if any) */ + if (src->signerInfos != NULL) { + SECU_Indent(out, level + 1); + fprintf(out, "Signer Information List:\n"); + iv = 0; + while ((sigInfo = src->signerInfos[iv++]) != NULL) { + sprintf(om, "Signer Information (%x)", iv); + secu_PrintSignerInfo(out, sigInfo, om, level + 2); + } + } + + return 0; +} + +int +SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTCrl *c = NULL; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + do { + /* Decode CRL */ + c = PORT_ArenaZNew(arena, CERTCrl); + if (!c) + break; + + rv = SEC_QuickDERDecodeItem(arena, c, SEC_ASN1_GET(CERT_CrlTemplate), der); + if (rv != SECSuccess) + break; + SECU_PrintCRLInfo(out, c, m, level); + } while (0); + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +/* +** secu_PrintPKCS7Encrypted +** Pretty print a PKCS7 encrypted data type (up to version 1). +*/ +static int +secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src, + secuPKCS7State state, const char *m, int level) +{ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + return secu_PrintPKCS7EncContent(out, &src->encContentInfo, state, + "Encrypted Content Information", level + 1); +} + +/* +** secu_PrintPKCS7Digested +** Pretty print a PKCS7 digested data type (up to version 1). +*/ +static int +secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src, + secuPKCS7State state, const char *m, int level) +{ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_PrintInteger(out, &(src->version), "Version", level + 1); + + SECU_PrintAlgorithmID(out, &src->digestAlg, "Digest Algorithm", + level + 1); + secu_PrintPKCS7ContentInfo(out, &src->contentInfo, state, + "Content Information", level + 1); + SECU_PrintAsHex(out, &src->digest, "Digest", level + 1); + return 0; +} + +static int +secu_PrintPKCS12Attributes(FILE *out, SECItem *item, const char *m, int level) +{ + SECItem my = *item; + SECItem attribute; + SECItem attributeID; + SECItem attributeValues; + + if ((my.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SET)) || + SECSuccess != SECU_StripTagAndLength(&my)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + level++; + + while (my.len) { + if (SECSuccess != SECU_ExtractBERAndStep(&my, &attribute)) { + return SECFailure; + } + if ((attribute.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) || + SECSuccess != SECU_StripTagAndLength(&attribute)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + + /* attribute ID */ + if (SECSuccess != SECU_ExtractBERAndStep(&attribute, &attributeID)) { + return SECFailure; + } + if ((attributeID.data[0] & SEC_ASN1_TAGNUM_MASK) != SEC_ASN1_OBJECT_ID) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + SECU_PrintEncodedObjectID(out, &attributeID, "Attribute ID", level); + + /* attribute values */ + if (!attribute.len) { /* skip if there aren't any */ + continue; + } + if (SECSuccess != SECU_ExtractBERAndStep(&attribute, &attributeValues)) { + return SECFailure; + } + if (SECSuccess != SECU_StripTagAndLength(&attributeValues)) { + return SECFailure; + } + while (attributeValues.len) { + SECItem tmp; + if (SECSuccess != SECU_ExtractBERAndStep(&attributeValues, &tmp)) { + return SECFailure; + } + SECU_PrintAny(out, &tmp, NULL, level + 1); + } + } + return SECSuccess; +} + +static int +secu_PrintPKCS12Bag(FILE *out, SECItem *item, const char *desc, int level) +{ + SECItem my = *item; + SECItem bagID; + SECItem bagValue; + SECItem bagAttributes; + SECOidTag bagTag; + SECStatus rv; + int i; + char *m; + + if ((my.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) || + SECSuccess != SECU_StripTagAndLength(&my)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + + /* bagId BAG-TYPE.&id ({PKCS12BagSet}) */ + if (SECSuccess != SECU_ExtractBERAndStep(&my, &bagID)) { + return SECFailure; + } + if ((bagID.data[0] & SEC_ASN1_TAGNUM_MASK) != SEC_ASN1_OBJECT_ID) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + m = PR_smprintf("%s ID", desc); + bagTag = SECU_PrintEncodedObjectID(out, &bagID, m ? m : "Bag ID", level); + if (m) + PR_smprintf_free(m); + + /* bagValue [0] EXPLICIT BAG-TYPE.&type({PKCS12BagSet}{@bagID}) */ + if (SECSuccess != SECU_ExtractBERAndStep(&my, &bagValue)) { + return SECFailure; + } + if ((bagValue.data[0] & (SEC_ASN1_CLASS_MASK | SEC_ASN1_TAGNUM_MASK)) != + (SEC_ASN1_CONTEXT_SPECIFIC | 0)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + if (SECSuccess != SECU_StripTagAndLength(&bagValue)) { + return SECFailure; + } + + rv = SECSuccess; + switch (bagTag) { + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + /* Future we need to print out raw private keys. Not a priority since + * p12util can't create files with unencrypted private keys, but + * some tools can and do */ + SECU_PrintAny(out, &bagValue, "Private Key", level); + break; + case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: + rv = SECU_PrintPrivateKey(out, &bagValue, + "Encrypted Private Key", level); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + rv = secu_PrintPKCS12Bag(out, &bagValue, "Certificate Bag", level + 1); + break; + case SEC_OID_PKCS12_V1_CRL_BAG_ID: + rv = secu_PrintPKCS12Bag(out, &bagValue, "Crl Bag", level + 1); + break; + case SEC_OID_PKCS12_V1_SECRET_BAG_ID: + rv = secu_PrintPKCS12Bag(out, &bagValue, "Secret Bag", level + 1); + break; + /* from recursive call from CRL and certificate Bag */ + case SEC_OID_PKCS9_X509_CRL: + case SEC_OID_PKCS9_X509_CERT: + case SEC_OID_PKCS9_SDSI_CERT: + /* unwrap the octect string */ + rv = SECU_StripTagAndLength(&bagValue); + if (rv != SECSuccess) { + break; + } + /* fall through */ + case SEC_OID_PKCS12_CERT_AND_CRL_BAG_ID: + case SEC_OID_PKCS12_X509_CERT_CRL_BAG: + case SEC_OID_PKCS12_SDSI_CERT_BAG: + if (strcmp(desc, "Crl Bag") == 0) { + rv = SECU_PrintSignedData(out, &bagValue, NULL, level + 1, + (SECU_PPFunc)SECU_PrintCrl); + } else { + rv = SECU_PrintSignedData(out, &bagValue, NULL, level + 1, + (SECU_PPFunc)SECU_PrintCertificate); + } + break; + case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID: + for (i = 1; my.len; i++) { + SECItem nextBag; + rv = SECU_ExtractBERAndStep(&bagValue, &nextBag); + if (rv != SECSuccess) { + break; + } + m = PR_smprintf("Nested Bag %d", i); + rv = secu_PrintPKCS12Bag(out, &nextBag, + m ? m : "Nested Bag", level + 1); + if (m) + PR_smprintf_free(m); + if (rv != SECSuccess) { + break; + } + } + break; + default: + m = PR_smprintf("%s Value", desc); + SECU_PrintAny(out, &bagValue, m ? m : "Bag Value", level); + if (m) + PR_smprintf_free(m); + } + if (rv != SECSuccess) { + return rv; + } + + /* bagAttributes SET OF PKCS12Attributes OPTIONAL */ + if (my.len && + (my.data[0] == (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SET))) { + if (SECSuccess != SECU_ExtractBERAndStep(&my, &bagAttributes)) { + return SECFailure; + } + m = PR_smprintf("%s Attributes", desc); + rv = secu_PrintPKCS12Attributes(out, &bagAttributes, + m ? m : "Bag Attributes", level); + if (m) + PR_smprintf_free(m); + } + return rv; +} + +static int +secu_PrintPKCS7Data(FILE *out, SECItem *item, secuPKCS7State state, + const char *desc, int level) +{ + SECItem my = *item; + SECItem nextbag; + int i; + SECStatus rv; + + /* walk down each safe */ + switch (state) { + case secuPKCS7PKCS12AuthSafe: + if ((my.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) || + SECSuccess != SECU_StripTagAndLength(&my)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + for (i = 1; my.len; i++) { + char *m; + if (SECSuccess != SECU_ExtractBERAndStep(&my, &nextbag)) { + return SECFailure; + } + m = PR_smprintf("Safe %d", i); + rv = secu_PrintDERPKCS7ContentInfo(out, &nextbag, + secuPKCS7PKCS12Safe, + m ? m : "Safe", level); + if (m) + PR_smprintf_free(m); + if (rv != SECSuccess) { + return SECFailure; + } + } + return SECSuccess; + case secuPKCS7PKCS12Safe: + if ((my.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) || + SECSuccess != SECU_StripTagAndLength(&my)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + for (i = 1; my.len; i++) { + char *m; + if (SECSuccess != SECU_ExtractBERAndStep(&my, &nextbag)) { + return SECFailure; + } + m = PR_smprintf("Bag %d", i); + rv = secu_PrintPKCS12Bag(out, &nextbag, + m ? m : "Bag", level); + if (m) + PR_smprintf_free(m); + if (rv != SECSuccess) { + return SECFailure; + } + } + return SECSuccess; + case secuPKCS7Unknown: + SECU_PrintAsHex(out, item, desc, level); + break; + } + return SECSuccess; +} + +/* +** secu_PrintPKCS7ContentInfo +** Takes a SEC_PKCS7ContentInfo type and sends the contents to the +** appropriate function +*/ +static int +secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, + secuPKCS7State state, const char *m, int level) +{ + const char *desc; + SECOidTag kind; + int rv; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + level++; + + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); + + if (src->contentTypeTag == NULL) { + desc = "Unknown"; + kind = SEC_OID_UNKNOWN; + } else { + desc = src->contentTypeTag->desc; + kind = src->contentTypeTag->offset; + } + + if (src->content.data == NULL) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", desc); + level++; + SECU_Indent(out, level); + fprintf(out, "\n"); + return 0; + } + + rv = 0; + switch (kind) { + case SEC_OID_PKCS7_SIGNED_DATA: /* Signed Data */ + rv = secu_PrintPKCS7Signed(out, src->content.signedData, + state, desc, level); + break; + + case SEC_OID_PKCS7_ENVELOPED_DATA: /* Enveloped Data */ + rv = secu_PrintPKCS7Enveloped(out, src->content.envelopedData, + state, desc, level); + break; + + case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA: /* Signed and Enveloped */ + rv = secu_PrintPKCS7SignedAndEnveloped(out, + src->content.signedAndEnvelopedData, + state, desc, level); + break; + + case SEC_OID_PKCS7_DIGESTED_DATA: /* Digested Data */ + rv = secu_PrintPKCS7Digested(out, src->content.digestedData, + state, desc, level); + break; + + case SEC_OID_PKCS7_ENCRYPTED_DATA: /* Encrypted Data */ + rv = secu_PrintPKCS7Encrypted(out, src->content.encryptedData, + state, desc, level); + break; + + case SEC_OID_PKCS7_DATA: + rv = secu_PrintPKCS7Data(out, src->content.data, state, desc, level); + break; + + default: + SECU_PrintAsHex(out, src->content.data, desc, level); + break; + } + + return rv; +} + +/* +** SECU_PrintPKCS7ContentInfo +** Decode and print any major PKCS7 data type (up to version 1). +*/ +static int +secu_PrintDERPKCS7ContentInfo(FILE *out, SECItem *der, secuPKCS7State state, + const char *m, int level) +{ + SEC_PKCS7ContentInfo *cinfo; + int rv; + + cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL); + if (cinfo != NULL) { + /* Send it to recursive parsing and printing module */ + rv = secu_PrintPKCS7ContentInfo(out, cinfo, state, m, level); + SEC_PKCS7DestroyContentInfo(cinfo); + } else { + rv = -1; + } + + return rv; +} + +int +SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level) +{ + return secu_PrintDERPKCS7ContentInfo(out, der, secuPKCS7Unknown, m, level); +} + +/* +** End of PKCS7 functions +*/ + +void +printFlags(FILE *out, unsigned int flags, int level) +{ + if (flags & CERTDB_TERMINAL_RECORD) { + SECU_Indent(out, level); + fprintf(out, "Terminal Record\n"); + } + if (flags & CERTDB_TRUSTED) { + SECU_Indent(out, level); + fprintf(out, "Trusted\n"); + } + if (flags & CERTDB_SEND_WARN) { + SECU_Indent(out, level); + fprintf(out, "Warn When Sending\n"); + } + if (flags & CERTDB_VALID_CA) { + SECU_Indent(out, level); + fprintf(out, "Valid CA\n"); + } + if (flags & CERTDB_TRUSTED_CA) { + SECU_Indent(out, level); + fprintf(out, "Trusted CA\n"); + } + if (flags & CERTDB_NS_TRUSTED_CA) { + SECU_Indent(out, level); + fprintf(out, "Netscape Trusted CA\n"); + } + if (flags & CERTDB_USER) { + SECU_Indent(out, level); + fprintf(out, "User\n"); + } + if (flags & CERTDB_TRUSTED_CLIENT_CA) { + SECU_Indent(out, level); + fprintf(out, "Trusted Client CA\n"); + } + if (flags & CERTDB_GOVT_APPROVED_CA) { + SECU_Indent(out, level); + fprintf(out, "Step-up\n"); + } +} + +void +SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level) +{ + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + SECU_Indent(out, level + 1); + fprintf(out, "SSL Flags:\n"); + printFlags(out, trust->sslFlags, level + 2); + SECU_Indent(out, level + 1); + fprintf(out, "Email Flags:\n"); + printFlags(out, trust->emailFlags, level + 2); + SECU_Indent(out, level + 1); + fprintf(out, "Object Signing Flags:\n"); + printFlags(out, trust->objectSigningFlags, level + 2); +} + +int +SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTName *name; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + name = PORT_ArenaZNew(arena, CERTName); + if (!name) + goto loser; + + rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der); + if (rv) + goto loser; + + SECU_PrintName(out, name, m, level); + if (!SECU_GetWrapEnabled()) /*SECU_PrintName didn't add newline*/ + SECU_Newline(out); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +typedef enum { + noSignature = 0, + withSignature = 1 +} SignatureOptionType; + +static int +secu_PrintSignedDataSigOpt(FILE *out, SECItem *der, const char *m, + int level, SECU_PPFunc inner, + SignatureOptionType signatureOption) +{ + PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + CERTSignedData *sd; + int rv = SEC_ERROR_NO_MEMORY; + + if (!arena) + return rv; + + /* Strip off the signature */ + sd = PORT_ArenaZNew(arena, CERTSignedData); + if (!sd) + goto loser; + + rv = SEC_ASN1DecodeItem(arena, sd, SEC_ASN1_GET(CERT_SignedDataTemplate), + der); + if (rv) + goto loser; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + } else { + level -= 1; + } + rv = (*inner)(out, &sd->data, "Data", level + 1); + + if (signatureOption == withSignature) { + SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm", + level + 1); + DER_ConvertBitString(&sd->signature); + SECU_PrintAsHex(out, &sd->signature, "Signature", level + 1); + } + SECU_PrintFingerprints(out, der, "Fingerprint", level + 1); +loser: + PORT_FreeArena(arena, PR_FALSE); + return rv; +} + +int +SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, + int level, SECU_PPFunc inner) +{ + return secu_PrintSignedDataSigOpt(out, der, m, level, inner, + withSignature); +} + +int +SECU_PrintSignedContent(FILE *out, SECItem *der, char *m, + int level, SECU_PPFunc inner) +{ + return secu_PrintSignedDataSigOpt(out, der, m, level, inner, + noSignature); +} + +SECStatus +SEC_PrintCertificateAndTrust(CERTCertificate *cert, + const char *label, + CERTCertTrust *trust) +{ + SECStatus rv; + SECItem data; + CERTCertTrust certTrust; + PK11SlotList *slotList; + PRBool falseAttributeFound = PR_FALSE; + PRBool trueAttributeFound = PR_FALSE; + const char *moz_policy_ca_info = NULL; + + data.data = cert->derCert.data; + data.len = cert->derCert.len; + + rv = SECU_PrintSignedData(stdout, &data, label, 0, + (SECU_PPFunc)SECU_PrintCertificate); + if (rv) { + return (SECFailure); + } + + slotList = PK11_GetAllSlotsForCert(cert, NULL); + if (slotList) { + PK11SlotListElement *se = PK11_GetFirstSafe(slotList); + for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) { + CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL); + if (handle != CK_INVALID_HANDLE) { + PORT_SetError(0); + if (PK11_HasAttributeSet(se->slot, handle, + CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) { + trueAttributeFound = PR_TRUE; + } else if (!PORT_GetError()) { + falseAttributeFound = PR_TRUE; + } + } + } + PK11_FreeSlotList(slotList); + } + + if (trueAttributeFound) { + moz_policy_ca_info = "true (attribute present)"; + } else if (falseAttributeFound) { + moz_policy_ca_info = "false (attribute present)"; + } else { + moz_policy_ca_info = "false (attribute missing)"; + } + SECU_Indent(stdout, 1); + printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info); + + if (trust) { + SECU_PrintTrustFlags(stdout, trust, + "Certificate Trust Flags", 1); + } else if (CERT_GetCertTrust(cert, &certTrust) == SECSuccess) { + SECU_PrintTrustFlags(stdout, &certTrust, + "Certificate Trust Flags", 1); + } + + /* The distrust fields are hard-coded in nssckbi and read-only. + * If verifying some cert, with vfychain, for instance, the certificate may + * not have a defined slot if not imported. */ + if (cert->slot != NULL && cert->distrust != NULL) { + const unsigned int kDistrustFieldSize = 13; + fprintf(stdout, "\n"); + SECU_Indent(stdout, 1); + fprintf(stdout, "%s:\n", "Certificate Distrust Dates"); + if (cert->distrust->serverDistrustAfter.len == kDistrustFieldSize) { + SECU_PrintTimeChoice(stdout, + &cert->distrust->serverDistrustAfter, + "Server Distrust After", 2); + } + if (cert->distrust->emailDistrustAfter.len == kDistrustFieldSize) { + SECU_PrintTimeChoice(stdout, + &cert->distrust->emailDistrustAfter, + "E-mail Distrust After", 2); + } + } + + printf("\n"); + + return (SECSuccess); +} + +static char * +bestCertName(CERTCertificate *cert) +{ + if (cert->nickname) { + return cert->nickname; + } + if (cert->emailAddr && cert->emailAddr[0]) { + return cert->emailAddr; + } + return cert->subjectName; +} + +void +SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, + SECCertificateUsage certUsage, void *pinArg, PRBool verbose, + PRTime datetime) +{ + CERTVerifyLog log; + CERTVerifyLogNode *node; + + PRErrorCode err = PORT_GetError(); + + log.arena = PORT_NewArena(512); + log.head = log.tail = NULL; + log.count = 0; + CERT_VerifyCertificate(handle, cert, checksig, certUsage, datetime, pinArg, &log, NULL); + + SECU_displayVerifyLog(outfile, &log, verbose); + + for (node = log.head; node; node = node->next) { + if (node->cert) + CERT_DestroyCertificate(node->cert); + } + PORT_FreeArena(log.arena, PR_FALSE); + + PORT_SetError(err); /* restore original error code */ +} + +void +SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log, + PRBool verbose) +{ + CERTVerifyLogNode *node = NULL; + unsigned int depth = (unsigned int)-1; + unsigned int flags = 0; + char *errstr = NULL; + + if (log->count > 0) { + fprintf(outfile, "PROBLEM WITH THE CERT CHAIN:\n"); + for (node = log->head; node; node = node->next) { + if (depth != node->depth) { + depth = node->depth; + fprintf(outfile, "CERT %d. %s %s:\n", depth, + bestCertName(node->cert), + depth ? "[Certificate Authority]" : ""); + if (verbose) { + const char *emailAddr; + emailAddr = CERT_GetFirstEmailAddress(node->cert); + if (emailAddr) { + fprintf(outfile, "Email Address(es): "); + do { + fprintf(outfile, "%s\n", emailAddr); + emailAddr = CERT_GetNextEmailAddress(node->cert, + emailAddr); + } while (emailAddr); + } + } + } + fprintf(outfile, " ERROR %ld: %s\n", node->error, + SECU_Strerror(node->error)); + errstr = NULL; + switch (node->error) { + case SEC_ERROR_INADEQUATE_KEY_USAGE: + flags = (unsigned int)((char *)node->arg - (char *)NULL); + switch (flags) { + case KU_DIGITAL_SIGNATURE: + errstr = "Cert cannot sign."; + break; + case KU_KEY_ENCIPHERMENT: + errstr = "Cert cannot encrypt."; + break; + case KU_KEY_CERT_SIGN: + errstr = "Cert cannot sign other certs."; + break; + default: + errstr = "[unknown usage]."; + break; + } + break; + case SEC_ERROR_INADEQUATE_CERT_TYPE: + flags = (unsigned int)((char *)node->arg - (char *)NULL); + switch (flags) { + case NS_CERT_TYPE_SSL_CLIENT: + case NS_CERT_TYPE_SSL_SERVER: + errstr = "Cert cannot be used for SSL."; + break; + case NS_CERT_TYPE_SSL_CA: + errstr = "Cert cannot be used as an SSL CA."; + break; + case NS_CERT_TYPE_EMAIL: + errstr = "Cert cannot be used for SMIME."; + break; + case NS_CERT_TYPE_EMAIL_CA: + errstr = "Cert cannot be used as an SMIME CA."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING: + errstr = "Cert cannot be used for object signing."; + break; + case NS_CERT_TYPE_OBJECT_SIGNING_CA: + errstr = "Cert cannot be used as an object signing CA."; + break; + default: + errstr = "[unknown usage]."; + break; + } + break; + case SEC_ERROR_UNKNOWN_ISSUER: + case SEC_ERROR_UNTRUSTED_ISSUER: + case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: + errstr = node->cert->issuerName; + break; + default: + break; + } + if (errstr) { + fprintf(stderr, " %s\n", errstr); + } + } + } +} + +void +SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, + SECCertificateUsage certUsage, void *pinArg, PRBool verbose) +{ + SECU_printCertProblemsOnDate(outfile, handle, cert, checksig, + certUsage, pinArg, verbose, PR_Now()); +} + +SECStatus +SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, PRFileDesc *outFile, + PRBool ascii, char *url) +{ + PORT_Assert(derCrl != NULL); + if (!derCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (outFile != NULL) { + if (ascii) { + PR_fprintf(outFile, "%s\n%s\n%s\n", NS_CRL_HEADER, + BTOA_DataToAscii(derCrl->data, derCrl->len), + NS_CRL_TRAILER); + } else { + if (PR_Write(outFile, derCrl->data, derCrl->len) != derCrl->len) { + return SECFailure; + } + } + } + if (slot) { + CERTSignedCrl *newCrl = PK11_ImportCRL(slot, derCrl, url, + SEC_CRL_TYPE, NULL, 0, NULL, 0); + if (newCrl != NULL) { + SEC_DestroyCrl(newCrl); + return SECSuccess; + } + return SECFailure; + } + if (!outFile && !slot) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + return SECSuccess; +} + +SECStatus +SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, + SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode) +{ + SECItem der; + SECKEYPrivateKey *caPrivateKey = NULL; + SECStatus rv; + PLArenaPool *arena; + SECOidTag algID; + void *dummy; + + PORT_Assert(issuer != NULL && signCrl != NULL); + if (!issuer || !signCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + arena = signCrl->arena; + + caPrivateKey = PK11_FindKeyByAnyCert(issuer, NULL); + if (caPrivateKey == NULL) { + *resCode = noKeyFound; + return SECFailure; + } + + algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType, hashAlgTag); + if (algID == SEC_OID_UNKNOWN) { + *resCode = noSignatureMatch; + rv = SECFailure; + goto done; + } + + if (!signCrl->crl.signatureAlg.parameters.data) { + rv = SECOID_SetAlgorithmID(arena, &signCrl->crl.signatureAlg, algID, 0); + if (rv != SECSuccess) { + *resCode = failToEncode; + goto done; + } + } + + der.len = 0; + der.data = NULL; + dummy = SEC_ASN1EncodeItem(arena, &der, &signCrl->crl, + SEC_ASN1_GET(CERT_CrlTemplate)); + if (!dummy) { + *resCode = failToEncode; + rv = SECFailure; + goto done; + } + + rv = SECU_DerSignDataCRL(arena, &signCrl->signatureWrap, + der.data, der.len, caPrivateKey, algID); + if (rv != SECSuccess) { + *resCode = failToSign; + goto done; + } + + signCrl->derCrl = PORT_ArenaZNew(arena, SECItem); + if (signCrl->derCrl == NULL) { + *resCode = noMem; + PORT_SetError(SEC_ERROR_NO_MEMORY); + rv = SECFailure; + goto done; + } + + signCrl->derCrl->len = 0; + signCrl->derCrl->data = NULL; + dummy = SEC_ASN1EncodeItem(arena, signCrl->derCrl, signCrl, + SEC_ASN1_GET(CERT_SignedCrlTemplate)); + if (!dummy) { + *resCode = failToEncode; + rv = SECFailure; + goto done; + } + +done: + SECKEY_DestroyPrivateKey(caPrivateKey); + return rv; +} + +SECStatus +SECU_CopyCRL(PLArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl) +{ + void *dummy; + SECStatus rv = SECSuccess; + SECItem der; + + PORT_Assert(destArena && srcCrl && destCrl); + if (!destArena || !srcCrl || !destCrl) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + der.len = 0; + der.data = NULL; + dummy = SEC_ASN1EncodeItem(destArena, &der, srcCrl, + SEC_ASN1_GET(CERT_CrlTemplate)); + if (!dummy) { + return SECFailure; + } + + rv = SEC_QuickDERDecodeItem(destArena, destCrl, + SEC_ASN1_GET(CERT_CrlTemplate), &der); + if (rv != SECSuccess) { + return SECFailure; + } + + destCrl->arena = destArena; + + return rv; +} + +SECStatus +SECU_DerSignDataCRL(PLArenaPool *arena, CERTSignedData *sd, + unsigned char *buf, int len, SECKEYPrivateKey *pk, + SECOidTag algID) +{ + SECItem it; + SECStatus rv; + + it.data = 0; + + /* XXX We should probably have some asserts here to make sure the key type + * and algID match + */ + + /* Sign input buffer */ + rv = SEC_SignData(&it, buf, len, pk, algID); + if (rv != SECSuccess) { + goto loser; + } + + /* Fill out SignedData object */ + PORT_Memset(sd, 0, sizeof(*sd)); + sd->data.data = buf; + sd->data.len = len; + rv = SECITEM_CopyItem(arena, &sd->signature, &it); + if (rv != SECSuccess) { + goto loser; + } + + sd->signature.len <<= 3; /* convert to bit string */ + rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0); + if (rv != SECSuccess) { + goto loser; + } + +loser: + PORT_Free(it.data); + return rv; +} + +/* + * Find the issuer of a Crl. Use the authorityKeyID if it exists. + */ +CERTCertificate * +SECU_FindCrlIssuer(CERTCertDBHandle *dbhandle, SECItem *subject, + CERTAuthKeyID *authorityKeyID, PRTime validTime) +{ + CERTCertificate *issuerCert = NULL; + CERTCertList *certList = NULL; + CERTCertTrust trust; + + if (!subject) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + certList = + CERT_CreateSubjectCertList(NULL, dbhandle, subject, + validTime, PR_TRUE); + if (certList) { + CERTCertListNode *node = CERT_LIST_HEAD(certList); + + /* XXX and authoritykeyid in the future */ + while (!CERT_LIST_END(node, certList)) { + CERTCertificate *cert = node->cert; + /* check cert CERTCertTrust data is allocated, check cert + usage extension, check that cert has pkey in db. Select + the first (newest) user cert */ + if (CERT_GetCertTrust(cert, &trust) == SECSuccess && + CERT_CheckCertUsage(cert, KU_CRL_SIGN) == SECSuccess && + CERT_IsUserCert(cert)) { + + issuerCert = CERT_DupCertificate(cert); + break; + } + node = CERT_LIST_NEXT(node); + } + CERT_DestroyCertList(certList); + } + return (issuerCert); +} + +/* Encodes and adds extensions to the CRL or CRL entries. */ +SECStatus +SECU_EncodeAndAddExtensionValue(PLArenaPool *arena, void *extHandle, + void *value, PRBool criticality, int extenType, + EXTEN_EXT_VALUE_ENCODER EncodeValueFn) +{ + SECItem encodedValue; + SECStatus rv; + + encodedValue.data = NULL; + encodedValue.len = 0; + do { + rv = (*EncodeValueFn)(arena, value, &encodedValue); + if (rv != SECSuccess) + break; + + rv = CERT_AddExtension(extHandle, extenType, &encodedValue, + criticality, PR_TRUE); + if (rv != SECSuccess) + break; + } while (0); + + return (rv); +} + +CERTCertificate * +SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle, + char *name, PRBool ascii, + void *pwarg) +{ + CERTCertificate *the_cert; + the_cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwarg); + if (the_cert) { + return the_cert; + } + the_cert = PK11_FindCertFromNickname(name, pwarg); + if (!the_cert) { + /* Don't have a cert with name "name" in the DB. Try to + * open a file with such name and get the cert from there.*/ + SECStatus rv; + SECItem item = { 0, NULL, 0 }; + PRFileDesc *fd = PR_Open(name, PR_RDONLY, 0777); + if (!fd) { + return NULL; + } + rv = SECU_ReadDERFromFile(&item, fd, ascii, PR_FALSE); + PR_Close(fd); + if (rv != SECSuccess || !item.len) { + PORT_Free(item.data); + return NULL; + } + the_cert = CERT_NewTempCertificate(handle, &item, + NULL /* nickname */, + PR_FALSE /* isPerm */, + PR_TRUE /* copyDER */); + PORT_Free(item.data); + } + return the_cert; +} + +/* Convert a SSL/TLS protocol version string into the respective numeric value + * defined by the SSL_LIBRARY_VERSION_* constants, + * while accepting a flexible set of case-insensitive identifiers. + * + * Caller must specify bufLen, allowing the function to operate on substrings. + */ +static SECStatus +SECU_GetSSLVersionFromName(const char *buf, size_t bufLen, PRUint16 *version) +{ + if (!buf || !version) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (!PL_strncasecmp(buf, "ssl3", bufLen)) { + *version = SSL_LIBRARY_VERSION_3_0; + return SECSuccess; + } + if (!PL_strncasecmp(buf, "tls1.0", bufLen)) { + *version = SSL_LIBRARY_VERSION_TLS_1_0; + return SECSuccess; + } + if (!PL_strncasecmp(buf, "tls1.1", bufLen)) { + *version = SSL_LIBRARY_VERSION_TLS_1_1; + return SECSuccess; + } + if (!PL_strncasecmp(buf, "tls1.2", bufLen)) { + *version = SSL_LIBRARY_VERSION_TLS_1_2; + return SECSuccess; + } + + if (!PL_strncasecmp(buf, "tls1.3", bufLen)) { + *version = SSL_LIBRARY_VERSION_TLS_1_3; + return SECSuccess; + } + + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +} + +SECStatus +SECU_ParseSSLVersionRangeString(const char *input, + const SSLVersionRange defaultVersionRange, + SSLVersionRange *vrange) +{ + const char *colonPos; + size_t colonIndex; + const char *maxStr; + + if (!input || !vrange) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + // We don't support SSL2 any longer. + if (defaultVersionRange.min < SSL_LIBRARY_VERSION_3_0 || + defaultVersionRange.max < SSL_LIBRARY_VERSION_3_0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (!strcmp(input, ":")) { + /* special value, use default */ + *vrange = defaultVersionRange; + return SECSuccess; + } + + colonPos = strchr(input, ':'); + if (!colonPos) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + colonIndex = colonPos - input; + maxStr = colonPos + 1; + + if (!colonIndex) { + /* colon was first character, min version is empty */ + vrange->min = defaultVersionRange.min; + } else { + PRUint16 version; + /* colonIndex is equivalent to the length of the min version substring */ + if (SECU_GetSSLVersionFromName(input, colonIndex, &version) != SECSuccess) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + vrange->min = version; + } + + if (!*maxStr) { + vrange->max = defaultVersionRange.max; + } else { + PRUint16 version; + /* if max version is empty, then maxStr points to the string terminator */ + if (SECU_GetSSLVersionFromName(maxStr, strlen(maxStr), &version) != + SECSuccess) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + vrange->max = version; + } + + if (vrange->min > vrange->max) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + return SECSuccess; +} + +static SSLNamedGroup +groupNameToNamedGroup(char *name) +{ + if (PL_strlen(name) == 4) { + if (!strncmp(name, "P256", 4)) { + return ssl_grp_ec_secp256r1; + } + if (!strncmp(name, "P384", 4)) { + return ssl_grp_ec_secp384r1; + } + if (!strncmp(name, "P521", 4)) { + return ssl_grp_ec_secp521r1; + } + } + if (PL_strlen(name) == 6) { + if (!strncmp(name, "x25519", 6)) { + return ssl_grp_ec_curve25519; + } + if (!strncmp(name, "FF2048", 6)) { + return ssl_grp_ffdhe_2048; + } + if (!strncmp(name, "FF3072", 6)) { + return ssl_grp_ffdhe_3072; + } + if (!strncmp(name, "FF4096", 6)) { + return ssl_grp_ffdhe_4096; + } + if (!strncmp(name, "FF6144", 6)) { + return ssl_grp_ffdhe_6144; + } + if (!strncmp(name, "FF8192", 6)) { + return ssl_grp_ffdhe_8192; + } + } + + return ssl_grp_none; +} + +static SECStatus +countItems(const char *arg, unsigned int *numItems) +{ + char *str = PORT_Strdup(arg); + if (!str) { + return SECFailure; + } + char *p = strtok(str, ","); + while (p) { + ++(*numItems); + p = strtok(NULL, ","); + } + PORT_Free(str); + str = NULL; + return SECSuccess; +} + +SECStatus +parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, + unsigned int *enabledGroupsCount) +{ + SSLNamedGroup *groups; + char *str; + char *p; + unsigned int numValues = 0; + unsigned int count = 0; + + if (countItems(arg, &numValues) != SECSuccess) { + return SECFailure; + } + groups = PORT_ZNewArray(SSLNamedGroup, numValues); + if (!groups) { + return SECFailure; + } + + /* Get group names. */ + str = PORT_Strdup(arg); + if (!str) { + goto done; + } + p = strtok(str, ","); + while (p) { + SSLNamedGroup group = groupNameToNamedGroup(p); + if (group == ssl_grp_none) { + count = 0; + goto done; + } + groups[count++] = group; + p = strtok(NULL, ","); + } + +done: + PORT_Free(str); + if (!count) { + PORT_Free(groups); + return SECFailure; + } + + *enabledGroupsCount = count; + *enabledGroups = groups; + return SECSuccess; +} + +SSLSignatureScheme +schemeNameToScheme(const char *name) +{ +#define compareScheme(x) \ + do { \ + if (!PORT_Strncmp(name, #x, PORT_Strlen(#x))) { \ + return ssl_sig_##x; \ + } \ + } while (0) + + compareScheme(rsa_pkcs1_sha1); + compareScheme(rsa_pkcs1_sha256); + compareScheme(rsa_pkcs1_sha384); + compareScheme(rsa_pkcs1_sha512); + compareScheme(ecdsa_sha1); + compareScheme(ecdsa_secp256r1_sha256); + compareScheme(ecdsa_secp384r1_sha384); + compareScheme(ecdsa_secp521r1_sha512); + compareScheme(rsa_pss_rsae_sha256); + compareScheme(rsa_pss_rsae_sha384); + compareScheme(rsa_pss_rsae_sha512); + compareScheme(ed25519); + compareScheme(ed448); + compareScheme(rsa_pss_pss_sha256); + compareScheme(rsa_pss_pss_sha384); + compareScheme(rsa_pss_pss_sha512); + compareScheme(dsa_sha1); + compareScheme(dsa_sha256); + compareScheme(dsa_sha384); + compareScheme(dsa_sha512); + +#undef compareScheme + + return ssl_sig_none; +} + +SECStatus +parseSigSchemeList(const char *arg, const SSLSignatureScheme **enabledSigSchemes, + unsigned int *enabledSigSchemeCount) +{ + SSLSignatureScheme *schemes; + unsigned int numValues = 0; + unsigned int count = 0; + + if (countItems(arg, &numValues) != SECSuccess) { + return SECFailure; + } + schemes = PORT_ZNewArray(SSLSignatureScheme, numValues); + if (!schemes) { + return SECFailure; + } + + /* Get group names. */ + char *str = PORT_Strdup(arg); + if (!str) { + goto done; + } + char *p = strtok(str, ","); + while (p) { + SSLSignatureScheme scheme = schemeNameToScheme(p); + if (scheme == ssl_sig_none) { + count = 0; + goto done; + } + schemes[count++] = scheme; + p = strtok(NULL, ","); + } + +done: + PORT_Free(str); + if (!count) { + PORT_Free(schemes); + return SECFailure; + } + + *enabledSigSchemeCount = count; + *enabledSigSchemes = schemes; + return SECSuccess; +} + +/* Parse the exporter spec in the form: LABEL[:OUTPUT-LENGTH[:CONTEXT]] */ +static SECStatus +parseExporter(const char *arg, + secuExporter *exporter) +{ + SECStatus rv = SECSuccess; + + char *str = PORT_Strdup(arg); + if (!str) { + rv = SECFailure; + goto done; + } + + char *labelEnd = strchr(str, ':'); + if (labelEnd) { + *labelEnd = '\0'; + labelEnd++; + + /* To extract CONTEXT, first skip OUTPUT-LENGTH */ + char *outputEnd = strchr(labelEnd, ':'); + if (outputEnd) { + *outputEnd = '\0'; + outputEnd++; + + exporter->hasContext = PR_TRUE; + exporter->context.data = (unsigned char *)PORT_Strdup(outputEnd); + exporter->context.len = strlen(outputEnd); + if (PORT_Strncasecmp((char *)exporter->context.data, "0x", 2) == 0) { + rv = SECU_SECItemHexStringToBinary(&exporter->context); + if (rv != SECSuccess) { + goto done; + } + } + } + } + + if (labelEnd && *labelEnd != '\0') { + long int outputLength = strtol(labelEnd, NULL, 10); + if (!(outputLength > 0 && outputLength <= UINT_MAX)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; + goto done; + } + exporter->outputLength = outputLength; + } else { + exporter->outputLength = 20; + } + + char *label = PORT_Strdup(str); + exporter->label.data = (unsigned char *)label; + exporter->label.len = strlen(label); + if (PORT_Strncasecmp((char *)exporter->label.data, "0x", 2) == 0) { + rv = SECU_SECItemHexStringToBinary(&exporter->label); + if (rv != SECSuccess) { + goto done; + } + } + +done: + PORT_Free(str); + + return rv; +} + +SECStatus +parseExporters(const char *arg, + const secuExporter **enabledExporters, + unsigned int *enabledExporterCount) +{ + secuExporter *exporters; + unsigned int numValues = 0; + unsigned int count = 0; + + if (countItems(arg, &numValues) != SECSuccess) { + return SECFailure; + } + exporters = PORT_ZNewArray(secuExporter, numValues); + if (!exporters) { + return SECFailure; + } + + /* Get exporter definitions. */ + char *str = PORT_Strdup(arg); + if (!str) { + goto done; + } + char *p = strtok(str, ","); + while (p) { + SECStatus rv = parseExporter(p, &exporters[count++]); + if (rv != SECSuccess) { + count = 0; + goto done; + } + p = strtok(NULL, ","); + } + +done: + PORT_Free(str); + if (!count) { + PORT_Free(exporters); + return SECFailure; + } + + *enabledExporterCount = count; + *enabledExporters = exporters; + return SECSuccess; +} + +static SECStatus +exportKeyingMaterial(PRFileDesc *fd, const secuExporter *exporter) +{ + SECStatus rv = SECSuccess; + unsigned char *out = PORT_Alloc(exporter->outputLength); + + if (!out) { + fprintf(stderr, "Unable to allocate buffer for keying material\n"); + return SECFailure; + } + rv = SSL_ExportKeyingMaterial(fd, + (char *)exporter->label.data, + exporter->label.len, + exporter->hasContext, + exporter->context.data, + exporter->context.len, + out, + exporter->outputLength); + if (rv != SECSuccess) { + goto done; + } + fprintf(stdout, "Exported Keying Material:\n"); + secu_PrintRawString(stdout, (SECItem *)&exporter->label, "Label", 1); + if (exporter->hasContext) { + SECU_PrintAsHex(stdout, &exporter->context, "Context", 1); + } + SECU_Indent(stdout, 1); + fprintf(stdout, "Length: %u\n", exporter->outputLength); + SECItem temp = { siBuffer, out, exporter->outputLength }; + SECU_PrintAsHex(stdout, &temp, "Keying Material", 1); + +done: + PORT_Free(out); + return rv; +} + +SECStatus +exportKeyingMaterials(PRFileDesc *fd, + const secuExporter *exporters, + unsigned int exporterCount) +{ + unsigned int i; + + for (i = 0; i < exporterCount; i++) { + SECStatus rv = exportKeyingMaterial(fd, &exporters[i]); + if (rv != SECSuccess) { + return rv; + } + } + + return SECSuccess; +} + +SECStatus +readPSK(const char *arg, SECItem *psk, SECItem *label) +{ + SECStatus rv = SECFailure; + char *str = PORT_Strdup(arg); + if (!str) { + goto cleanup; + } + + char *pskBytes = strtok(str, ":"); + if (!pskBytes) { + goto cleanup; + } + if (PORT_Strncasecmp(pskBytes, "0x", 2) != 0) { + goto cleanup; + } + + psk = SECU_HexString2SECItem(NULL, psk, &pskBytes[2]); + if (!psk || !psk->data || psk->len != strlen(&str[2]) / 2) { + goto cleanup; + } + + SECItem labelItem = { siBuffer, NULL, 0 }; + char *inLabel = strtok(NULL, ":"); + if (inLabel) { + labelItem.data = (unsigned char *)PORT_Strdup(inLabel); + if (!labelItem.data) { + goto cleanup; + } + labelItem.len = strlen(inLabel); + + if (PORT_Strncasecmp(inLabel, "0x", 2) == 0) { + rv = SECU_SECItemHexStringToBinary(&labelItem); + if (rv != SECSuccess) { + SECITEM_FreeItem(&labelItem, PR_FALSE); + goto cleanup; + } + } + rv = SECSuccess; + } else { + PRUint8 defaultLabel[] = { 'C', 'l', 'i', 'e', 'n', 't', '_', + 'i', 'd', 'e', 'n', 't', 'i', 't', 'y' }; + SECItem src = { siBuffer, defaultLabel, sizeof(defaultLabel) }; + rv = SECITEM_CopyItem(NULL, &labelItem, &src); + } + if (rv == SECSuccess) { + *label = labelItem; + } + +cleanup: + PORT_Free(str); + return rv; +} + +static SECStatus +secu_PrintPKCS12DigestInfo(FILE *out, const SECItem *t, char *m, int level) +{ + SECItem my = *t; + SECItem rawDigestAlgID; + SECItem digestData; + SECStatus rv; + PLArenaPool *arena; + SECAlgorithmID digestAlgID; + char *mAlgID = NULL; + char *mDigest = NULL; + + /* strip the outer sequence */ + if ((my.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) || + SECSuccess != SECU_StripTagAndLength(&my)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + + /* get the algorithm ID */ + if (SECSuccess != SECU_ExtractBERAndStep(&my, &rawDigestAlgID)) { + return SECFailure; + } + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + return SECFailure; + } +#define DIGEST_ALGID_STRING "Digest Algorithm ID" + if (m) + mAlgID = PR_smprintf("%s " DIGEST_ALGID_STRING, m); + rv = SEC_QuickDERDecodeItem(arena, &digestAlgID, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), + &rawDigestAlgID); + if (rv == SECSuccess) { + SECU_PrintAlgorithmID(out, &digestAlgID, + mAlgID ? mAlgID : DIGEST_ALGID_STRING, level); + } + if (mAlgID) + PR_smprintf_free(mAlgID); + PORT_FreeArena(arena, PR_FALSE); + if (rv != SECSuccess) { + return rv; + } + + /* get the mac data */ + if (SECSuccess != SECU_ExtractBERAndStep(&my, &digestData)) { + return SECFailure; + } + if ((digestData.data[0] & SEC_ASN1_TAGNUM_MASK) != SEC_ASN1_OCTET_STRING) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } +#define DIGEST_STRING "Digest" + if (m) + mDigest = PR_smprintf("%s " DIGEST_STRING, m); + secu_PrintOctetString(out, &digestData, + mDigest ? mDigest : DIGEST_STRING, level); + if (mDigest) + PR_smprintf_free(mDigest); + return SECSuccess; +} + +static SECStatus +secu_PrintPKCS12MacData(FILE *out, const SECItem *t, char *m, int level) +{ + SECItem my = *t; + SECItem hash; + SECItem salt; + + if (m) { + SECU_Indent(out, level); + fprintf(out, "%s: \n", m); + level++; + } + + /* strip the outer sequence */ + if ((my.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) || + SECSuccess != SECU_StripTagAndLength(&my)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + + if (SECSuccess != SECU_ExtractBERAndStep(&my, &hash)) { + return SECFailure; + } + if (SECSuccess != secu_PrintPKCS12DigestInfo(out, &hash, "Mac", level)) { + return SECFailure; + } + + /* handle the salt */ + if (SECSuccess != SECU_ExtractBERAndStep(&my, &salt)) { + return SECFailure; + ; + } + if ((salt.data[0] & SEC_ASN1_TAGNUM_MASK) != SEC_ASN1_OCTET_STRING) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + secu_PrintOctetString(out, &salt, "Mac Salt", level); + + if (my.len && + ((my.data[0] & SEC_ASN1_TAGNUM_MASK) == SEC_ASN1_INTEGER)) { + SECItem iterator; + if (SECSuccess != SECU_ExtractBERAndStep(&my, &iterator)) { + return SECFailure; + } + SECU_PrintEncodedInteger(out, &iterator, "Iterations", level); + } + return SECSuccess; +} + +SECStatus +SECU_PrintPKCS12(FILE *out, const SECItem *t, char *m, int level) +{ + SECItem my = *t; + SECItem authSafe; + SECItem macData; + + SECU_Indent(out, level); + fprintf(out, "%s:\n", m); + level++; + + /* strip the outer sequence */ + if ((my.data[0] != (SEC_ASN1_CONSTRUCTED | SEC_ASN1_SEQUENCE)) || + SECSuccess != SECU_StripTagAndLength(&my)) { + PORT_SetError(SEC_ERROR_BAD_DER); + return SECFailure; + } + /* print and remove the optional version number */ + if (my.len && ((my.data[0] & SEC_ASN1_TAGNUM_MASK) == SEC_ASN1_INTEGER)) { + SECItem version; + + if (SECSuccess != SECU_ExtractBERAndStep(&my, &version)) { + return SECFailure; + } + SECU_PrintEncodedInteger(out, &version, "Version", level); + } + + /* print the authSafe */ + if (SECSuccess != SECU_ExtractBERAndStep(&my, &authSafe)) { + return SECFailure; + } + if (SECSuccess != secu_PrintDERPKCS7ContentInfo(out, &authSafe, + secuPKCS7PKCS12AuthSafe, + "AuthSafe", level)) { + return SECFailure; + } + + /* print the mac data (optional) */ + if (!my.len) { + return SECSuccess; + } + if (SECSuccess != SECU_ExtractBERAndStep(&my, &macData)) { + return SECFailure; + } + if (SECSuccess != secu_PrintPKCS12MacData(out, &macData, + "Mac Data", level)) { + return SECFailure; + } + + if (my.len) { + fprintf(out, "Unknown extra data found \n"); + } + return SECSuccess; +} diff --git a/tools/src/main/native/p12tool/secutil.h b/tools/src/main/native/p12tool/secutil.h new file mode 100755 index 000000000..d74649d18 --- /dev/null +++ b/tools/src/main/native/p12tool/secutil.h @@ -0,0 +1,456 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _SEC_UTIL_H_ +#define _SEC_UTIL_H_ + +#include "seccomon.h" +#include "secitem.h" +#include "secport.h" +#include "prerror.h" +#include "base64.h" +#include "keyhi.h" +#include "secpkcs7.h" +#include "secasn1.h" +#include "secder.h" +#include + +#include "basicutil.h" +#include "sslerr.h" +#include "sslt.h" +#include "blapit.h" + +#define SEC_CT_PRIVATE_KEY "private-key" +#define SEC_CT_PUBLIC_KEY "public-key" +#define SEC_CT_CERTIFICATE "certificate" +#define SEC_CT_CERTIFICATE_REQUEST "certificate-request" +#define SEC_CT_CERTIFICATE_ID "certificate-identity" +#define SEC_CT_PKCS7 "pkcs7" +#define SEC_CT_PKCS12 "pkcs12" +#define SEC_CT_CRL "crl" +#define SEC_CT_NAME "name" + +#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----" +#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----" + +#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----" +#define NS_CERT_TRAILER "-----END CERTIFICATE-----" + +#define NS_CRL_HEADER "-----BEGIN CRL-----" +#define NS_CRL_TRAILER "-----END CRL-----" + +#define SECU_Strerror PORT_ErrorToString + +typedef struct { + enum { + PW_NONE = 0, + PW_FROMFILE = 1, + PW_PLAINTEXT = 2, + PW_EXTERNAL = 3 + } source; + char *data; +} secuPWData; + +/* +** Change a password on a token, or initialize a token with a password +** if it does not already have one. +** Use passwd to send the password in plaintext, pwFile to specify a +** file containing the password, or NULL for both to prompt the user. +*/ +SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile); + +/* +** Change a password on a token, or initialize a token with a password +** if it does not already have one. +** In this function, you can specify both the old and new passwords +** as either a string or file. NOTE: any you don't specify will +** be prompted for +*/ +SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass, + char *oldPwFile, char *newPwFile); + +/* These were stolen from the old sec.h... */ +/* +** Check a password for legitimacy. Passwords must be at least 8 +** characters long and contain one non-alphabetic. Return DSTrue if the +** password is ok, DSFalse otherwise. +*/ +extern PRBool SEC_CheckPassword(char *password); + +/* +** Blind check of a password. Complement to SEC_CheckPassword which +** ignores length and content type, just retuning DSTrue is the password +** exists, DSFalse if NULL +*/ +extern PRBool SEC_BlindCheckPassword(char *password); + +/* +** Get a password. +** First prompt with "msg" on "out", then read the password from "in". +** The password is then checked using "chkpw". +*/ +extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg, + PRBool (*chkpw)(char *)); + +char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg); + +char *SECU_GetPasswordString(void *arg, char *prompt); + +/* +** Write a dongle password. +** Uses MD5 to hash constant system data (hostname, etc.), and then +** creates RC4 key to encrypt a password "pw" into a file "fd". +*/ +extern SECStatus SEC_WriteDongleFile(int fd, char *pw); + +/* +** Get a dongle password. +** Uses MD5 to hash constant system data (hostname, etc.), and then +** creates RC4 key to decrypt and return a password from file "fd". +*/ +extern char *SEC_ReadDongleFile(int fd); + +/* End stolen headers */ + +/* Just sticks the two strings together with a / if needed */ +char *SECU_AppendFilenameToDir(char *dir, char *filename); + +/* Returns result of PR_GetEnvSecure("SSL_DIR") or NULL */ +extern char *SECU_DefaultSSLDir(void); + +/* +** Should be called once during initialization to set the default +** directory for looking for cert.db, key.db, and cert-nameidx.db files +** Removes trailing '/' in 'base' +** If 'base' is NULL, defaults to set to .netscape in home directory. +*/ +extern char *SECU_ConfigDirectory(const char *base); + +/* +** Basic callback function for SSL_GetClientAuthDataHook +*/ +extern int +SECU_GetClientAuthData(void *arg, PRFileDesc *fd, + struct CERTDistNamesStr *caNames, + struct CERTCertificateStr **pRetCert, + struct SECKEYPrivateKeyStr **pRetKey); + +extern PRBool SECU_GetWrapEnabled(void); +extern void SECU_EnableWrap(PRBool enable); + +extern PRBool SECU_GetUtf8DisplayEnabled(void); +extern void SECU_EnableUtf8Display(PRBool enable); + +/* revalidate the cert and print information about cert verification + * failure at time == now */ +extern void +SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, + SECCertificateUsage certUsage, void *pinArg, PRBool verbose); + +/* revalidate the cert and print information about cert verification + * failure at specified time */ +extern void +SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle, + CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage, + void *pinArg, PRBool verbose, PRTime datetime); + +/* print out CERTVerifyLog info. */ +extern void +SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log, + PRBool verbose); + +/* Read in a DER from a file, may be ascii */ +extern SECStatus +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii, + PRBool warnOnPrivateKeyInAsciiFile); + +/* Print integer value and hex */ +extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, + int level); + +/* Print ObjectIdentifier symbolically */ +extern SECOidTag SECU_PrintObjectID(FILE *out, const SECItem *oid, + const char *m, int level); + +/* Print AlgorithmIdentifier symbolically */ +extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, + int level); + +/* + * Format and print the UTC Time "t". If the tag message "m" is not NULL, + * do indent formatting based on "level" and add a newline afterward; + * otherwise just print the formatted time string only. + */ +extern void SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m, + int level); + +/* + * Format and print the Generalized Time "t". If the tag message "m" + * is not NULL, * do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +extern void SECU_PrintGeneralizedTime(FILE *out, const SECItem *t, + const char *m, int level); + +/* + * Format and print the UTC or Generalized Time "t". If the tag message + * "m" is not NULL, do indent formatting based on "level" and add a newline + * afterward; otherwise just print the formatted time string only. + */ +extern void SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m, + int level); + +/* callback for listing certs through pkcs11 */ +extern SECStatus SECU_PrintCertNickname(CERTCertListNode *cert, void *data); + +/* Dump all certificate nicknames in a database */ +extern SECStatus +SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc *out, + PRBool sortByName, PRBool sortByTrust); + +/* See if nickname already in database. Return 1 true, 0 false, -1 error */ +int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname); + +/* Dump contents of cert req */ +extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, + int level); + +/* Dump contents of certificate */ +extern int SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m, + int level); + +extern int SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, + int level); + +extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m, + int level); + +/* Dump contents of a DER certificate name (issuer or subject) */ +extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level); + +/* print trust flags on a cert */ +extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, + int level); + +extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, + int level); + +/* Dump contents of private key */ +extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level); + +/* Dump contents of an RSA public key */ +extern void SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level); + +/* Dump contents of a DSA public key */ +extern void SECU_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level); + +/* Print the MD5 and SHA1 fingerprints of a cert */ +extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, + int level); + +/* Pretty-print any PKCS7 thing */ +extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, + int level); +/* Pretty-print a pkcs12 file */ +extern SECStatus SECU_PrintPKCS12(FILE *out, const SECItem *der, char *m, int level); +/* Init PKCS11 stuff */ +extern SECStatus SECU_PKCS11Init(PRBool readOnly); + +/* Dump contents of signed data */ +extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, + int level, SECU_PPFunc inner); + +/* Dump contents of signed data, excluding the signature */ +extern int SECU_PrintSignedContent(FILE *out, SECItem *der, char *m, int level, + SECU_PPFunc inner); + +/* Print cert data and its trust flags */ +extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert, + const char *label, + CERTCertTrust *trust); + +extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level); + +extern void +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level); + +extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m, + int level); +extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level); + +extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level); +extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + char *msg, int level); + +extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + char *msg, int level); + +extern void SECU_PrintNameQuotesOptional(FILE *out, CERTName *name, + const char *msg, int level, + PRBool quotes); +extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg, + int level); +extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level); + +#ifdef SECU_GetPassword +/* Convert a High public Key to a Low public Key */ +extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey); +#endif + +extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg); + +extern SECStatus DER_PrettyPrint(FILE *out, const SECItem *it, PRBool raw); + +extern char *SECU_SECModDBName(void); + +/* Fetch and register an oid if it hasn't been done already */ +extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src); + +extern SECStatus SECU_RegisterDynamicOids(void); + +extern SECOidTag SECU_GetNewTagFromOffset(unsigned int offset); + +/* Identifies hash algorithm tag by its string representation. */ +extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg); + +/* Store CRL in output file or pk11 db. Also + * encodes with base64 and exports to file if ascii flag is set + * and file is not NULL. */ +extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl, + PRFileDesc *outFile, PRBool ascii, char *url); + +/* +** DER sign a single block of data using private key encryption and the +** MD5 hashing algorithm. This routine first computes a digital signature +** using SEC_SignData, then wraps it with an CERTSignedData and then der +** encodes the result. +** "arena" is the memory arena to use to allocate data from +** "sd" returned CERTSignedData +** "result" the final der encoded data (memory is allocated) +** "buf" the input data to sign +** "len" the amount of data to sign +** "pk" the private key to encrypt with +*/ +extern SECStatus SECU_DerSignDataCRL(PLArenaPool *arena, CERTSignedData *sd, + unsigned char *buf, int len, + SECKEYPrivateKey *pk, SECOidTag algID); + +typedef enum { + noKeyFound = 1, + noSignatureMatch = 2, + failToEncode = 3, + failToSign = 4, + noMem = 5 +} SignAndEncodeFuncExitStat; + +extern SECStatus +SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl, + SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode); + +extern SECStatus +SECU_CopyCRL(PLArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl); + +/* +** Finds the crl Authority Key Id extension. Returns NULL if no such extension +** was found. +*/ +CERTAuthKeyID * +SECU_FindCRLAuthKeyIDExten(PLArenaPool *arena, CERTSignedCrl *crl); + +/* + * Find the issuer of a crl. Cert usage should be checked before signing a crl. + */ +CERTCertificate * +SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem *subject, + CERTAuthKeyID *id, PRTime validTime); + +/* call back function used in encoding of an extension. Called from + * SECU_EncodeAndAddExtensionValue */ +typedef SECStatus (*EXTEN_EXT_VALUE_ENCODER)(PLArenaPool *extHandleArena, + void *value, SECItem *encodedValue); + +/* Encodes and adds extensions to the CRL or CRL entries. */ +SECStatus +SECU_EncodeAndAddExtensionValue(PLArenaPool *arena, void *extHandle, + void *value, PRBool criticality, int extenType, + EXTEN_EXT_VALUE_ENCODER EncodeValueFn); + +/* Caller ensures that dst is at least item->len*2+1 bytes long */ +void +SECU_SECItemToHex(const SECItem *item, char *dst); + +/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if + * successful */ +SECStatus +SECU_SECItemHexStringToBinary(SECItem *srcdest); + +/* Parse a version range string, with "min" and "max" version numbers, + * separated by colon (":"), and return the result in vr and v2. + * + * Both min and max values are optional. + * The following syntax is used to specify the enabled protocol versions: + * A string with only a max value is expected as ":{max}", + * and all implemented versions less than or equal to max will be enabled. + * A string with only a min value is expected as "{min}:", + * and all implemented versions greater than or equal to min will be enabled. + * A string consisting of a colon only means "all versions enabled". + * + * In order to avoid a link dependency from libsectool to libssl, + * the caller must provide the desired default values for the min/max values, + * by providing defaultVersionRange (which can be obtained from libssl by + * calling SSL_VersionRangeGetSupported). + */ +SECStatus +SECU_ParseSSLVersionRangeString(const char *input, + const SSLVersionRange defaultVersionRange, + SSLVersionRange *vrange); + +SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups, + unsigned int *enabledGroupsCount); +SECStatus parseSigSchemeList(const char *arg, + const SSLSignatureScheme **enabledSigSchemes, + unsigned int *enabledSigSchemeCount); +typedef struct { + SECItem label; + PRBool hasContext; + SECItem context; + unsigned int outputLength; +} secuExporter; + +SECStatus parseExporters(const char *arg, + const secuExporter **enabledExporters, + unsigned int *enabledExporterCount); + +SECStatus exportKeyingMaterials(PRFileDesc *fd, + const secuExporter *exporters, + unsigned int exporterCount); + +SECStatus readPSK(const char *arg, SECItem *psk, SECItem *label); + +/* + * + * Error messaging + * + */ + +void printflags(char *trusts, unsigned int flags); + +#if !defined(XP_UNIX) && !defined(XP_OS2) +extern int ffs(unsigned int i); +#endif + +/* Finds certificate by searching it in the DB or by examinig file + * in the local directory. */ +CERTCertificate * +SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle, + char *name, PRBool ascii, + void *pwarg); + +extern SECKEYPrivateKey * +SECU_FindRSAPrivKey(PK11SlotInfo *slot); + +#include "secerr.h" +#include "sslerr.h" + +#endif /* _SEC_UTIL_H_ */ diff --git a/tools/src/main/native/sslget/CMakeLists.txt b/tools/src/main/native/sslget/CMakeLists.txt index eb16c5728..5562aa93e 100644 --- a/tools/src/main/native/sslget/CMakeLists.txt +++ b/tools/src/main/native/sslget/CMakeLists.txt @@ -14,7 +14,7 @@ set(sslget_SRCS include_directories(${SSLGET_PRIVATE_INCLUDE_DIRS}) add_executable(sslget ${sslget_SRCS}) -add_dependencies(sslget symkey_library) +add_dependencies(native sslget) target_link_libraries(sslget plc4 nspr4 ssl3 nss3) install(