/**
* xmlSecNssAppInit:
* @config: the path to NSS database files.
*
* General crypto engine initialization. This function is used
* by XMLSec command line utility and called before
* @xmlSecInit function.
*
* Returns: 0 on success or a negative value otherwise.
*/
int
xmlSecNssAppInit(const char* config) {
SECStatus rv;
if(config) {
rv = NSS_InitReadWrite(config);
if(rv != SECSuccess) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"NSS_InitReadWrite",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
"config=%s",
xmlSecErrorsSafeString(config));
return(-1);
}
} else {
rv = NSS_NoDB_Init(NULL);
if(rv != SECSuccess) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"NSS_NoDB_Init",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
return(-1);
}
}
/* configure PKCS11 */
PK11_ConfigurePKCS11("manufacturesID", "libraryDescription",
"tokenDescription", "privateTokenDescription",
"slotDescription", "privateSlotDescription",
"fipsSlotDescription", "fipsPrivateSlotDescription",
0, 0);
/* setup for PKCS12 */
PORT_SetUCS2_ASCIIConversionFunction(xmlSecNssAppAscii2UCS2Conv);
SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1);
SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1);
SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1);
SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1);
SEC_PKCS12EnableCipher(PKCS12_DES_56, 1);
SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1);
SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1);
return(0);
}
int main(int argc, char ** argv)
{
SECStatus rv;
PRFileDesc *in;
PRFileDesc *out;
PRPollDesc pd;
PRIntervalTime timeout = PR_INTERVAL_NO_TIMEOUT;
char buf[1024];
PRInt32 nBytes;
char * command;
char * tokenName;
char * tokenpw;
int fipsmode = 0;
int semid = 0;
union semun semarg;
if (argc < 4 || argc > 5) {
fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> [prefix]\n");
exit(1);
}
signal(SIGHUP, SIG_IGN);
semid = strtol(argv[1], NULL, 10);
if (!strcasecmp(argv[2], "on"))
fipsmode = 1;
/* Initialize NSPR */
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
/* Set the PKCS #11 strings for the internal token. */
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
/* Initialize NSS and open the certificate database read-only. */
rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
if (rv != SECSuccess) {
fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
exit(1);
}
if (fipsmode) {
if (!PK11_IsFIPS()) {
char * internal_name = PR_smprintf("%s",
SECMOD_GetInternalModule()->commonName);
if ((SECMOD_DeleteInternalModule(internal_name) != SECSuccess) ||
!PK11_IsFIPS()) {
NSS_Shutdown();
fprintf(stderr,
"Unable to enable FIPS mode");
exit(1);
}
PR_smprintf_free(internal_name);
}
}
in = PR_GetSpecialFD(PR_StandardInput);
out = PR_GetSpecialFD(PR_StandardOutput);
if (in == NULL || out == NULL) {
fprintf(stderr, "PR_GetInheritedFD failed\n");
exit(1);
}
pd.fd = in;
pd.in_flags = PR_POLL_READ | PR_POLL_EXCEPT;
while (1) {
rv = PR_Poll(&pd, 1, timeout);
if (rv == -1) { /* PR_Poll failed */
break;
}
if (pd.out_flags & (PR_POLL_HUP | PR_POLL_ERR | PR_POLL_NVAL | PR_POLL_EXCEPT)) {
break;
}
if (pd.out_flags & PR_POLL_READ) {
memset(buf, 0, sizeof(buf));
nBytes = PR_Read(in, buf, sizeof(buf));
if (nBytes == -1 || nBytes == 0) {
break;
}
command = getstr(buf, 0);
tokenName = getstr(buf, 1);
tokenpw = getstr(buf, 2);
if (command && !strcmp(command, "QUIT")) {
break;
} else if (command && !strcmp(command, "STOR")) {
PRInt32 err = PIN_SUCCESS;
Node *node = NULL;
if (tokenName && tokenpw) {
node = (Node*)malloc(sizeof (Node));
if (!node) { err = PIN_NOMEMORY; }
node->tokenName = strdup(tokenName);
node->store = 0;
node->next = 0;
if (err == PIN_SUCCESS)
err = CreatePk11PinStore(&node->store, tokenName, tokenpw);
memset(tokenpw, 0, strlen(tokenpw));
} else
err = PIN_SYSTEMERROR;
sprintf(buf, "%d", err);
PR_Write(out, buf, 1);
if (err == PIN_SUCCESS) {
if (pinList)
node->next = pinList;
pinList = node;
}
/* Now clean things up */
if (command) free(command);
if (tokenName) free(tokenName);
if (tokenpw) free(tokenpw);
} else if (command && !strcmp(command, "RETR")) {
Node *node;
char *pin = 0;
PRBool found = PR_FALSE;
for (node = pinList; node != NULL; node = node->next) {
if (!strcmp(node->tokenName, tokenName)) {
if (Pk11StoreGetPin(&pin, node->store) == SECSuccess) {
if (strlen(pin) == 0)
PR_Write(out, "", 1);
else
PR_Write(out, pin, strlen(pin));
memset(pin, 0, strlen(pin));
free(pin);
found = PR_TRUE;
break;
}
}
}
if (found != PR_TRUE)
PR_Write(out, "", 1);
free(command);
free(tokenName);
} else {
; /* ack, unknown command */
}
}
}
freeList(pinList);
PR_Close(in);
/* Remove the semaphore used for locking here. This is because this
* program only goes away when Apache shuts down so we don't have to
* worry about reloads.
*/
semctl(semid, 0, IPC_RMID, semarg);
return 0;
}
