SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
{
SECStatus rv;
if (ascii) {
/* First convert ascii to binary */
SECItem filedata;
char *asc, *body;
/* Read in ascii data */
rv = SECU_FileToItem(&filedata, inFile);
asc = (char *)filedata.data;
if (!asc) {
fprintf(stderr, "unable to read data from input file\n");
return SECFailure;
}
/* check for headers and trailers and remove them */
if ((body = strstr(asc, "-----BEGIN")) != NULL) {
char *trailer = NULL;
asc = body;
body = PORT_Strchr(body, '\n');
if (!body)
body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
if (body)
trailer = strstr(++body, "-----END");
if (trailer != NULL) {
*trailer = '\0';
} else {
fprintf(stderr, "input has header but no trailer\n");
PORT_Free(filedata.data);
return SECFailure;
}
} else {
body = asc;
}
/* Convert to binary */
rv = ATOB_ConvertAsciiToItem(der, body);
if (rv) {
fprintf(stderr, "error converting ascii to binary (%d)\n",
PORT_GetError());
PORT_Free(filedata.data);
return SECFailure;
}
PORT_Free(filedata.data);
} else {
/* Read in binary der */
rv = SECU_FileToItem(der, inFile);
if (rv) {
fprintf(stderr, "error converting der (%d)\n",
PORT_GetError());
return SECFailure;
}
}
return SECSuccess;
}
int main(int argc, char **argv)
{
SECStatus rv;
char *nickname = NULL;
char *trusts = NULL;
char *progName;
PRFileDesc *infile;
CERTCertTrust trust = { 0 };
SECItem derItem = { 0 };
PRInt32 crlentry = 0;
PRInt32 mutuallyExclusiveOpts = 0;
PRBool decodeTrust = PR_FALSE;
secuCommand addbuiltin = { 0 };
addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
addbuiltin.options = addbuiltin_options;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
if (rv != SECSuccess)
Usage(progName);
if (addbuiltin.options[opt_Trust].activated)
++mutuallyExclusiveOpts;
if (addbuiltin.options[opt_Distrust].activated)
++mutuallyExclusiveOpts;
if (addbuiltin.options[opt_DistrustCRL].activated)
++mutuallyExclusiveOpts;
if (mutuallyExclusiveOpts != 1) {
fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
progName);
Usage(progName);
}
if (addbuiltin.options[opt_DistrustCRL].activated) {
if (!addbuiltin.options[opt_CRLEnry].activated) {
fprintf(stderr, "%s: you must specify the CRL entry number.\n",
progName);
Usage(progName);
}
else {
crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
if (crlentry < 1) {
fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
progName);
Usage(progName);
}
}
}
if (!addbuiltin.options[opt_Nickname].activated) {
fprintf(stderr, "%s: you must specify parameter -n (a nickname or a label).\n",
progName);
Usage(progName);
}
if (addbuiltin.options[opt_Input].activated) {
infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
if (!infile) {
fprintf(stderr, "%s: failed to open input file.\n", progName);
exit(1);
}
} else {
#if defined(WIN32)
/* If we're going to read binary data from stdin, we must put stdin
** into O_BINARY mode or else incoming \r\n's will become \n's,
** and latin-1 characters will be altered.
*/
int smrv = _setmode(_fileno(stdin), _O_BINARY);
if (smrv == -1) {
fprintf(stderr,
"%s: Cannot change stdin to binary mode. Use -i option instead.\n",
progName);
exit(1);
}
#endif
infile = PR_STDIN;
}
nickname = strdup(addbuiltin.options[opt_Nickname].arg);
NSS_NoDB_Init(NULL);
if (addbuiltin.options[opt_Distrust].activated ||
addbuiltin.options[opt_DistrustCRL].activated) {
addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
}
if (addbuiltin.options[opt_Distrust].activated) {
trusts = strdup("p,p,p");
decodeTrust = PR_TRUE;
}
else if (addbuiltin.options[opt_Trust].activated) {
trusts = strdup(addbuiltin.options[opt_Trust].arg);
decodeTrust = PR_TRUE;
}
if (decodeTrust) {
rv = CERT_DecodeTrustString(&trust, trusts);
if (rv) {
fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
Usage(progName);
}
}
if (addbuiltin.options[opt_Trust].activated &&
addbuiltin.options[opt_ExcludeHash].activated) {
if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags)
!= CERTDB_TERMINAL_RECORD) {
fprintf(stderr, "%s: Excluding the hash only allowed with distrust.\n", progName);
Usage(progName);
}
}
SECU_FileToItem(&derItem, infile);
/*printheader();*/
if (addbuiltin.options[opt_DistrustCRL].activated) {
rv = ConvertCRLEntry(&derItem, crlentry, nickname);
}
else {
rv = ConvertCertificate(&derItem, nickname, &trust,
addbuiltin.options[opt_ExcludeCert].activated,
addbuiltin.options[opt_ExcludeHash].activated);
if (rv) {
fprintf(stderr, "%s: failed to convert certificate.\n", progName);
exit(1);
}
}
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
return(SECSuccess);
}
int main(int argc, char **argv)
{
PRFileDesc *contentFile = NULL;
PRFileDesc *signFile = PR_STDIN;
FILE * outFile = stdout;
char * progName;
SECStatus rv;
int result = 1;
SECItem pkcs7der, content;
secuCommand signver;
pkcs7der.data = NULL;
content.data = NULL;
signver.numCommands = sizeof(signver_commands) /sizeof(secuCommandFlag);
signver.numOptions = sizeof(signver_options) / sizeof(secuCommandFlag);
signver.commands = signver_commands;
signver.options = signver_options;
#ifdef XP_PC
progName = strrchr(argv[0], '\\');
#else
progName = strrchr(argv[0], '/');
#endif
progName = progName ? progName+1 : argv[0];
rv = SECU_ParseCommandLine(argc, argv, progName, &signver);
if (SECSuccess != rv) {
Usage(progName, outFile);
}
debugInfo = signver.options[opt_DebugInfo ].activated;
verbose = signver.options[opt_PrintWhyFailure ].activated;
doVerify = signver.commands[cmd_VerifySignedObj].activated;
displayAll= signver.commands[cmd_DisplayAllPCKS7Info].activated;
if (!doVerify && !displayAll)
doVerify = PR_TRUE;
/* Set the certdb directory (default is ~/.netscape) */
rv = NSS_Init(SECU_ConfigDirectory(signver.options[opt_CertDir].arg));
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
return result;
}
/* below here, goto cleanup */
SECU_RegisterDynamicOids();
/* Open the input content file. */
if (signver.options[opt_InputDataFile].activated &&
signver.options[opt_InputDataFile].arg) {
if (PL_strcmp("-", signver.options[opt_InputDataFile].arg)) {
contentFile = PR_Open(signver.options[opt_InputDataFile].arg,
PR_RDONLY, 0);
if (!contentFile) {
PR_fprintf(PR_STDERR,
"%s: unable to open \"%s\" for reading.\n",
progName, signver.options[opt_InputDataFile].arg);
goto cleanup;
}
} else
contentFile = PR_STDIN;
}
/* Open the input signature file. */
if (signver.options[opt_InputSigFile].activated &&
signver.options[opt_InputSigFile].arg) {
if (PL_strcmp("-", signver.options[opt_InputSigFile].arg)) {
signFile = PR_Open(signver.options[opt_InputSigFile].arg,
PR_RDONLY, 0);
if (!signFile) {
PR_fprintf(PR_STDERR,
"%s: unable to open \"%s\" for reading.\n",
progName, signver.options[opt_InputSigFile].arg);
goto cleanup;
}
}
}
if (contentFile == PR_STDIN && signFile == PR_STDIN && doVerify) {
PR_fprintf(PR_STDERR,
"%s: cannot read both content and signature from standard input\n",
progName);
goto cleanup;
}
/* Open|Create the output file. */
if (signver.options[opt_OutputFile].activated) {
outFile = fopen(signver.options[opt_OutputFile].arg, "w");
if (!outFile) {
PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for writing.\n",
progName, signver.options[opt_OutputFile].arg);
goto cleanup;
}
}
/* read in the input files' contents */
rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
signver.options[opt_ASCII].activated);
if (signFile != PR_STDIN)
PR_Close(signFile);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem reading PKCS7 input");
goto cleanup;
}
if (contentFile) {
rv = SECU_FileToItem(&content, contentFile);
if (contentFile != PR_STDIN)
PR_Close(contentFile);
if (rv != SECSuccess)
content.data = NULL;
}
/* Signature Verification */
if (doVerify) {
SEC_PKCS7ContentInfo *cinfo;
SEC_PKCS7SignedData *signedData;
HASH_HashType digestType;
PRBool contentIsSigned;
cinfo = SEC_PKCS7DecodeItem(&pkcs7der, NULL, NULL, NULL, NULL,
NULL, NULL, NULL);
if (cinfo == NULL) {
PR_fprintf(PR_STDERR, "Unable to decode PKCS7 data\n");
goto cleanup;
}
/* below here, goto done */
contentIsSigned = SEC_PKCS7ContentIsSigned(cinfo);
if (debugInfo) {
PR_fprintf(PR_STDERR, "Content is%s encrypted.\n",
SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
}
if (debugInfo || !contentIsSigned) {
PR_fprintf(PR_STDERR, "Content is%s signed.\n",
contentIsSigned ? "" : " not");
}
if (!contentIsSigned)
goto done;
signedData = cinfo->content.signedData;
/* assume that there is only one digest algorithm for now */
digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
if (digestType == HASH_AlgNULL) {
PR_fprintf(PR_STDERR, "Invalid hash algorithmID\n");
goto done;
}
if (content.data) {
SECCertUsage usage = certUsageEmailSigner;
SECItem digest;
unsigned char digestBuffer[HASH_LENGTH_MAX];
if (debugInfo)
PR_fprintf(PR_STDERR, "contentToVerify=%s\n", content.data);
digest.data = digestBuffer;
digest.len = sizeof digestBuffer;
if (DigestContent(&digest, &content, digestType)) {
SECU_PrintError(progName, "Message digest computation failure");
goto done;
}
if (debugInfo) {
unsigned int i;
PR_fprintf(PR_STDERR, "Data Digest=:");
for (i = 0; i < digest.len; i++)
PR_fprintf(PR_STDERR, "%02x:", digest.data[i]);
PR_fprintf(PR_STDERR, "\n");
}
fprintf(outFile, "signatureValid=");
PORT_SetError(0);
if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage,
&digest, digestType, PR_FALSE)) {
fprintf(outFile, "yes");
} else {
fprintf(outFile, "no");
if (verbose) {
fprintf(outFile, ":%s",
SECU_Strerror(PORT_GetError()));
}
}
fprintf(outFile, "\n");
result = 0;
}
done:
SEC_PKCS7DestroyContentInfo(cinfo);
}
if (displayAll) {
if (SV_PrintPKCS7ContentInfo(outFile, &pkcs7der))
result = 1;
}
cleanup:
SECITEM_FreeItem(&pkcs7der, PR_FALSE);
SECITEM_FreeItem(&content, PR_FALSE);
if (NSS_Shutdown() != SECSuccess) {
result = 1;
}
return result;
}
int main(int argc, char **argv)
{
SECStatus rv;
char *nickname;
char *trusts;
char *progName;
PRFileDesc *infile;
CERTCertTrust trust = { 0 };
SECItem derCert = { 0 };
secuCommand addbuiltin = { 0 };
addbuiltin.numOptions = sizeof(addbuiltin_options)/sizeof(secuCommandFlag);
addbuiltin.options = addbuiltin_options;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
if (rv != SECSuccess)
Usage(progName);
if (!addbuiltin.options[opt_Nickname].activated &&
!addbuiltin.options[opt_Trust].activated) {
fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
progName);
Usage(progName);
}
if (addbuiltin.options[opt_Input].activated) {
infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
if (!infile) {
fprintf(stderr, "%s: failed to open input file.\n", progName);
exit(1);
}
} else {
#if defined(WIN32)
/* If we're going to read binary data from stdin, we must put stdin
** into O_BINARY mode or else incoming \r\n's will become \n's,
** and latin-1 characters will be altered.
*/
int smrv = _setmode(_fileno(stdin), _O_BINARY);
if (smrv == -1) {
fprintf(stderr,
"%s: Cannot change stdin to binary mode. Use -i option instead.\n",
progName);
exit(1);
}
#endif
infile = PR_STDIN;
}
nickname = strdup(addbuiltin.options[opt_Nickname].arg);
trusts = strdup(addbuiltin.options[opt_Trust].arg);
NSS_NoDB_Init(NULL);
rv = CERT_DecodeTrustString(&trust, trusts);
if (rv) {
fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
Usage(progName);
}
SECU_FileToItem(&derCert, infile);
/*printheader();*/
rv = ConvertCertificate(&derCert, nickname, &trust);
if (rv) {
fprintf(stderr, "%s: failed to convert certificate.\n", progName);
exit(1);
}
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
return(SECSuccess);
}
