PK11SlotInfo *
SECMOD_FindSlot(SECMODModule *module,const char *name)
{
int i;
char *string;
PK11SlotInfo *retSlot = NULL;
if (!moduleLock) {
PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
return retSlot;
}
SECMOD_GetReadLock(moduleLock);
for (i=0; i < module->slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
if (PK11_IsPresent(slot)) {
string = PK11_GetTokenName(slot);
} else {
string = PK11_GetSlotName(slot);
}
if (PORT_Strcmp(name,string) == 0) {
retSlot = PK11_ReferenceSlot(slot);
break;
}
}
SECMOD_ReleaseReadLock(moduleLock);
if (retSlot == NULL) {
PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED);
}
return retSlot;
}
/*
* L i s t S e c M o d u l e s
*
* Print a list of the PKCS11 security modules that are
* available. This is useful for smartcard people to
* make sure they have the drivers loaded.
*
*/
SECStatus
TKS_ListSecModules( void )
{
PK11SlotList *list;
PK11SlotListElement *le;
/* get them all! */
list = PK11_GetAllTokens(
/* mechanism type */ CKM_INVALID_MECHANISM,
/* need R/W */ PR_FALSE,
/* load certs */ PR_FALSE,
/* wincx */ NULL );
if( list == NULL ) {
return SECFailure;
}
/* look at each slot */
for( le = list->head ; le ; le = le->next ) {
PR_fprintf ( PR_STDOUT,
"\n" );
PR_fprintf ( PR_STDOUT,
" slot: %s\n",
PK11_GetSlotName( /* slot */ le->slot ) );
PR_fprintf ( PR_STDOUT,
" token: %s\n",
PK11_GetTokenName( /* slot */ le->slot ) );
}
PK11_FreeSlotList( /* slot list */ list );
return SECSuccess;
}
int
find_slot_by_slotlabel_and_tokenlabel(pkcs11_handle_t *h,
const char *wanted_slot_label, const char *wanted_token_label,
unsigned int *slot_num)
{
SECMODModule *module = h->module;
PK11SlotInfo *slot;
unsigned long i;
int rv;
if (slot_num == NULL || module == NULL)
return (-1);
if (wanted_token_label == NULL){
rv = find_slot_by_slotlabel(h, wanted_slot_label, slot_num);
return (rv);
}
/* wanted_token_label != NULL */
if (strcmp(wanted_slot_label, "none") == 0) {
for (i = 0; i < module->slotCount; i++) {
if (module->slots[i] && PK11_IsPresent(module->slots[i])) {
const char *token_label;
slot = PK11_ReferenceSlot(module->slots[i]);
token_label = PK11_GetTokenName(slot);
if (memcmp_pad_max((void *) token_label, strlen(token_label),
(void *)wanted_token_label, strlen(wanted_token_label), 33) == 0) {
h->slot = slot;
*slot_num = PK11_GetSlotID(slot);
return (0);
}
}
}
return (-1);
} else {
for (i = 0; i < module->slotCount; i++) {
if (module->slots[i] && PK11_IsPresent(module->slots[i])) {
const char *slot_label;
const char *token_label;
slot = PK11_ReferenceSlot(module->slots[i]);
slot_label = PK11_GetSlotName(slot);
token_label = PK11_GetTokenName(slot);
if ((memcmp_pad_max((void *)slot_label, strlen(slot_label),
(void *)wanted_slot_label, strlen(wanted_slot_label), 64) == 0) &&
(memcmp_pad_max((void *)token_label, strlen(token_label),
(void *)wanted_token_label, strlen(wanted_token_label), 33) == 0))
{
h->slot = slot;
*slot_num = PK11_GetSlotID(slot);
return (0);
}
}
}
return (-1);
}
}
/************************************************************************
*
* U n s e t D e f a u l t M o d u l e
*/
Error
UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
{
SECMODModule *module = NULL;
PK11SlotInfo *slot;
int s, i;
unsigned long mechFlags = getFlagsFromString(mechanisms,
mechanismStrings, numMechanismStrings);
PRBool found = PR_FALSE;
Error rv;
mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
module = SECMOD_FindModule(moduleName);
if (!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
rv = NO_SUCH_MODULE_ERR;
goto loser;
}
for (s = 0; s < module->slotCount; s++) {
slot = module->slots[s];
if ((slotName != NULL) &&
!((strcmp(PK11_GetSlotName(slot), slotName) == 0) ||
(strcmp(PK11_GetTokenName(slot), slotName) == 0))) {
/* we are only interested in changing the one slot */
continue;
}
for (i = 0; i < pk11_DefaultArraySize; i++) {
if (pk11_DefaultArray[i].flag & mechFlags) {
PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
PR_FALSE);
}
}
}
if (slotName && !found) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
rv = NO_SUCH_SLOT_ERR;
goto loser;
}
/* Delete and re-add module to save changes */
if (SECMOD_UpdateModule(module) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[UNDEFAULT_FAILED_ERR],
moduleName);
rv = UNDEFAULT_FAILED_ERR;
goto loser;
}
PR_fprintf(PR_STDOUT, msgStrings[UNDEFAULT_SUCCESS_MSG]);
rv = SUCCESS;
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return rv;
}
/*
* This thread looks for card and reader insertions and puts events on the
* event queue
*/
static void
vcard_emul_event_thread(void *arg)
{
PK11SlotInfo *slot;
VReader *vreader;
VReaderEmul *vreader_emul;
VCard *vcard;
SECMODModule *module = (SECMODModule *)arg;
do {
slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500);
if (slot == NULL) {
break;
}
vreader = vcard_emul_find_vreader_from_slot(slot);
if (vreader == NULL) {
/* new vreader */
vreader_emul = vreader_emul_new(slot, default_card_type,
default_type_params);
vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
vreader_emul_delete);
PK11_FreeSlot(slot);
slot = NULL;
vreader_add_reader(vreader);
vreader_free(vreader);
continue;
}
/* card remove/insert */
vreader_emul = vreader_get_private(vreader);
if (PK11_IsPresent(slot)) {
int series = PK11_GetSlotSeries(slot);
if (series != vreader_emul->series) {
if (vreader_emul->present) {
vreader_insert_card(vreader, NULL);
}
vcard = vcard_emul_mirror_card(vreader);
vreader_insert_card(vreader, vcard);
vcard_free(vcard);
}
vreader_emul->series = series;
vreader_emul->present = 1;
vreader_free(vreader);
PK11_FreeSlot(slot);
continue;
}
if (vreader_emul->present) {
vreader_insert_card(vreader, NULL);
}
vreader_emul->series = 0;
vreader_emul->present = 0;
PK11_FreeSlot(slot);
vreader_free(vreader);
} while (1);
}
static void
printModule(SECMODModule *module, int *count)
{
int slotCount = module->loaded ? module->slotCount : 0;
char *modUri;
int i;
if ((*count)++) {
PR_fprintf(PR_STDOUT, "\n");
}
PR_fprintf(PR_STDOUT, "%3d. %s\n", *count, module->commonName);
if (module->dllName) {
PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", module->dllName);
}
modUri = PK11_GetModuleURI(module);
if (modUri) {
PR_fprintf(PR_STDOUT, "\t uri: %s\n", modUri);
PORT_Free(modUri);
}
if (slotCount == 0) {
PR_fprintf(PR_STDOUT,
"\t slots: There are no slots attached to this module\n");
} else {
PR_fprintf(PR_STDOUT, "\t slots: %d slot%s attached\n",
slotCount, (slotCount == 1 ? "" : "s"));
}
if (module->loaded == 0) {
PR_fprintf(PR_STDOUT, "\tstatus: Not loaded\n");
} else {
PR_fprintf(PR_STDOUT, "\tstatus: loaded\n");
}
/* Print slot and token names */
for (i = 0; i < slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
char *tokenUri = PK11_GetTokenURI(slot);
PR_fprintf(PR_STDOUT, "\n");
PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot));
PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot));
PR_fprintf(PR_STDOUT, "\t uri: %s\n", tokenUri);
PORT_Free(tokenUri);
}
return;
}
/* readonly attribute wstring name; */
NS_IMETHODIMP
nsPKCS11Slot::GetName(char16_t **aName)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
char *csn = PK11_GetSlotName(mSlot);
if (*csn) {
*aName = ToNewUnicode(NS_ConvertUTF8toUTF16(csn));
} else if (PK11_HasRootCerts(mSlot)) {
// This is a workaround to an Root Module bug - the root certs module has
// no slot name. Not bothering to localize, because this is a workaround
// and for now all the slot names returned by NSS are char * anyway.
*aName = ToNewUnicode(NS_LITERAL_STRING("Root Certificates"));
} else {
// same as above, this is a catch-all
*aName = ToNewUnicode(NS_LITERAL_STRING("Unnamed Slot"));
}
if (!*aName) return NS_ERROR_OUT_OF_MEMORY;
return NS_OK;
}
/*
* This function will search the slot list to find a slot based on the slot
* label. If the wanted_slot_label is "none", then we will return the first
* slot with the token presented.
*
* This function return 0 if it found a matching slot; otherwise, it returns
* -1.
*/
int
find_slot_by_slotlabel(pkcs11_handle_t *h, const char *wanted_slot_label,
unsigned int *slotID)
{
SECMODModule *module = h->module;
PK11SlotInfo *slot;
int rv;
int i;
if (slotID == NULL || wanted_slot_label == NULL ||
strlen(wanted_slot_label) == 0 || module == NULL)
return (-1);
if (strcmp(wanted_slot_label, "none") == 0) {
rv = find_slot_by_number(h, 0, slotID);
return (rv);
} else {
/* wanted_slot_label is not "none" */
for (i = 0; i < module->slotCount; i++) {
if (module->slots[i] && PK11_IsPresent(module->slots[i])) {
const char *slot_label;
slot = PK11_ReferenceSlot(module->slots[i]);
slot_label = PK11_GetSlotName(slot);
if (memcmp_pad_max((void *)slot_label, strlen(slot_label),
(void *)wanted_slot_label, strlen(wanted_slot_label), 64) == 0) {
h->slot = slot;
*slotID = PK11_GetSlotID(slot);
return 0;
}
}
}
}
return (-1);
}
VCardEmulError
vcard_emul_init(const VCardEmulOptions *options)
{
SECStatus rv;
PRBool ret, has_readers = PR_FALSE;
VReader *vreader;
VReaderEmul *vreader_emul;
SECMODListLock *module_lock;
SECMODModuleList *module_list;
SECMODModuleList *mlp;
int i;
if (vcard_emul_init_called) {
return VCARD_EMUL_INIT_ALREADY_INITED;
}
vcard_emul_init_called = 1;
vreader_init();
vevent_queue_init();
if (options == NULL) {
options = &default_options;
}
/* first initialize NSS */
if (options->nss_db) {
rv = NSS_Init(options->nss_db);
} else {
gchar *path;
#ifndef _WIN32
path = g_strdup("/etc/pki/nssdb");
#else
if (g_get_system_config_dirs() == NULL ||
g_get_system_config_dirs()[0] == NULL) {
return VCARD_EMUL_FAIL;
}
path = g_build_filename(
g_get_system_config_dirs()[0], "pki", "nssdb", NULL);
#endif
rv = NSS_Init(path);
g_free(path);
}
if (rv != SECSuccess) {
return VCARD_EMUL_FAIL;
}
/* Set password callback function */
PK11_SetPasswordFunc(vcard_emul_get_password);
/* set up soft cards emulated by software certs rather than physical cards
* */
for (i = 0; i < options->vreader_count; i++) {
int j;
int cert_count;
unsigned char **certs;
int *cert_len;
VCardKey **keys;
PK11SlotInfo *slot;
slot = PK11_FindSlotByName(options->vreader[i].name);
if (slot == NULL) {
continue;
}
vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type,
options->vreader[i].type_params);
vreader = vreader_new(options->vreader[i].vname, vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
cert_count = options->vreader[i].cert_count;
ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys,
options->vreader[i].cert_count);
if (ret == PR_FALSE) {
continue;
}
cert_count = 0;
for (j = 0; j < options->vreader[i].cert_count; j++) {
/* we should have a better way of identifying certs than by
* nickname here */
CERTCertificate *cert = PK11_FindCertFromNickname(
options->vreader[i].cert_name[j],
NULL);
if (cert == NULL) {
continue;
}
certs[cert_count] = cert->derCert.data;
cert_len[cert_count] = cert->derCert.len;
keys[cert_count] = vcard_emul_make_key(slot, cert);
/* this is safe because the key is still holding a cert reference */
CERT_DestroyCertificate(cert);
cert_count++;
}
if (cert_count) {
VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len,
keys, cert_count);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
/* allow insertion and removal of soft cards */
vreader_emul->saved_vcard = vcard_reference(vcard);
vcard_free(vcard);
vreader_free(vreader);
has_readers = PR_TRUE;
}
g_free(certs);
g_free(cert_len);
g_free(keys);
}
/* if we aren't suppose to use hw, skip looking up hardware tokens */
if (!options->use_hw) {
nss_emul_init = has_readers;
return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL;
}
/* make sure we have some PKCS #11 module loaded */
module_lock = SECMOD_GetDefaultModuleListLock();
module_list = SECMOD_GetDefaultModuleList();
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
if (module_has_removable_hw_slots(module)) {
break;
}
}
SECMOD_ReleaseReadLock(module_lock);
/* now examine all the slots, finding which should be readers */
/* We should control this with options. For now we mirror out any
* removable hardware slot */
default_card_type = options->hw_card_type;
default_type_params = g_strdup(options->hw_type_params);
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
/* Ignore the internal module */
if (module == NULL || module == SECMOD_GetInternalModule()) {
continue;
}
for (i = 0; i < module->slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
/* only map removable HW slots */
if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) {
continue;
}
if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) {
/*
* coolkey <= 1.1.0-20 emulates this reader if it can't find
* any hardware readers. This causes problems, warn user of
* problems.
*/
fprintf(stderr, "known bad coolkey version - see "
"https://bugzilla.redhat.com/show_bug.cgi?id=802435\n");
continue;
}
vreader_emul = vreader_emul_new(slot, options->hw_card_type,
options->hw_type_params);
vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
if (PK11_IsPresent(slot)) {
VCard *vcard;
vcard = vcard_emul_mirror_card(vreader);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
vcard_free(vcard);
}
}
vcard_emul_new_event_thread(module);
}
SECMOD_ReleaseReadLock(module_lock);
nss_emul_init = PR_TRUE;
return VCARD_EMUL_OK;
}
/*
* This thread looks for card and reader insertions and puts events on the
* event queue
*/
static void
vcard_emul_event_thread(void *arg)
{
PK11SlotInfo *slot;
VReader *vreader;
VReaderEmul *vreader_emul;
VCard *vcard;
SECMODModule *module = (SECMODModule *)arg;
do {
/*
* XXX - the latency value doesn't matter one bit. you only get no
* blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500),
* hard coded in coolkey. And it isn't coolkey's fault - the timeout
* value we pass get's dropped on the floor before C_WaitForSlotEvent
* is called.
*/
slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500);
if (slot == NULL) {
/* this could be just a no event indication */
if (PORT_GetError() == SEC_ERROR_NO_EVENT) {
continue;
}
break;
}
vreader = vcard_emul_find_vreader_from_slot(slot);
if (vreader == NULL) {
/* new vreader */
vreader_emul = vreader_emul_new(slot, default_card_type,
default_type_params);
vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
vreader_emul_delete);
PK11_FreeSlot(slot);
slot = NULL;
vreader_add_reader(vreader);
vreader_free(vreader);
continue;
}
/* card remove/insert */
vreader_emul = vreader_get_private(vreader);
if (PK11_IsPresent(slot)) {
int series = PK11_GetSlotSeries(slot);
if (series != vreader_emul->series) {
if (vreader_emul->present) {
vreader_insert_card(vreader, NULL);
}
vcard = vcard_emul_mirror_card(vreader);
vreader_insert_card(vreader, vcard);
vcard_free(vcard);
}
vreader_emul->series = series;
vreader_emul->present = 1;
vreader_free(vreader);
PK11_FreeSlot(slot);
continue;
}
if (vreader_emul->present) {
vreader_insert_card(vreader, NULL);
}
vreader_emul->series = 0;
vreader_emul->present = 0;
PK11_FreeSlot(slot);
vreader_free(vreader);
} while (1);
}
VCardEmulError
vcard_emul_init(const VCardEmulOptions *options)
{
SECStatus rv;
PRBool ret, has_readers = PR_FALSE, need_coolkey_module;
VReader *vreader;
VReaderEmul *vreader_emul;
SECMODListLock *module_lock;
SECMODModuleList *module_list;
SECMODModuleList *mlp;
int i;
if (vcard_emul_init_called) {
return VCARD_EMUL_INIT_ALREADY_INITED;
}
vcard_emul_init_called = 1;
vreader_init();
vevent_queue_init();
if (options == NULL) {
options = &default_options;
}
/* first initialize NSS */
if (options->nss_db) {
rv = NSS_Init(options->nss_db);
} else {
rv = NSS_Init("sql:/etc/pki/nssdb");
}
if (rv != SECSuccess) {
return VCARD_EMUL_FAIL;
}
/* Set password callback function */
PK11_SetPasswordFunc(vcard_emul_get_password);
/* set up soft cards emulated by software certs rather than physical cards
* */
for (i = 0; i < options->vreader_count; i++) {
int j;
int cert_count;
unsigned char **certs;
int *cert_len;
VCardKey **keys;
PK11SlotInfo *slot;
slot = PK11_FindSlotByName(options->vreader[i].name);
if (slot == NULL) {
continue;
}
vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type,
options->vreader[i].type_params);
vreader = vreader_new(options->vreader[i].vname, vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
cert_count = options->vreader[i].cert_count;
ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys,
options->vreader[i].cert_count);
if (ret == PR_FALSE) {
continue;
}
cert_count = 0;
for (j = 0; j < options->vreader[i].cert_count; j++) {
/* we should have a better way of identifying certs than by
* nickname here */
CERTCertificate *cert = PK11_FindCertFromNickname(
options->vreader[i].cert_name[j],
NULL);
if (cert == NULL) {
continue;
}
certs[cert_count] = cert->derCert.data;
cert_len[cert_count] = cert->derCert.len;
keys[cert_count] = vcard_emul_make_key(slot, cert);
/* this is safe because the key is still holding a cert reference */
CERT_DestroyCertificate(cert);
cert_count++;
}
if (cert_count) {
VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len,
keys, cert_count);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
/* allow insertion and removal of soft cards */
vreader_emul->saved_vcard = vcard_reference(vcard);
vcard_free(vcard);
vreader_free(vreader);
has_readers = PR_TRUE;
}
g_free(certs);
g_free(cert_len);
g_free(keys);
}
/* if we aren't suppose to use hw, skip looking up hardware tokens */
if (!options->use_hw) {
nss_emul_init = has_readers;
return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL;
}
/* make sure we have some PKCS #11 module loaded */
module_lock = SECMOD_GetDefaultModuleListLock();
module_list = SECMOD_GetDefaultModuleList();
need_coolkey_module = !has_readers;
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
if (module_has_removable_hw_slots(module)) {
need_coolkey_module = PR_FALSE;
break;
}
}
SECMOD_ReleaseReadLock(module_lock);
if (need_coolkey_module) {
SECMODModule *module;
module = SECMOD_LoadUserModule(
(char *)"library=libcoolkeypk11.so name=Coolkey",
NULL, PR_FALSE);
if (module == NULL) {
return VCARD_EMUL_FAIL;
}
SECMOD_DestroyModule(module); /* free our reference, Module will still
* be on the list.
* until we destroy it */
}
/* now examine all the slots, finding which should be readers */
/* We should control this with options. For now we mirror out any
* removable hardware slot */
default_card_type = options->hw_card_type;
default_type_params = strdup(options->hw_type_params);
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
PRBool has_emul_slots = PR_FALSE;
if (module == NULL) {
continue;
}
for (i = 0; i < module->slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
/* only map removable HW slots */
if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) {
continue;
}
vreader_emul = vreader_emul_new(slot, options->hw_card_type,
options->hw_type_params);
vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
has_readers = PR_TRUE;
has_emul_slots = PR_TRUE;
if (PK11_IsPresent(slot)) {
VCard *vcard;
vcard = vcard_emul_mirror_card(vreader);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
vcard_free(vcard);
}
}
if (has_emul_slots) {
vcard_emul_new_event_thread(module);
}
}
SECMOD_ReleaseReadLock(module_lock);
nss_emul_init = has_readers;
return VCARD_EMUL_OK;
}
int
main (int argc, char **argv)
{
int retval = 0; /* 0 - test succeeded. -1 - test failed */
SECStatus rv;
PLOptState *optstate;
PLOptStatus optstatus;
char *program_name;
const char *input_file = NULL; /* read encrypted data from here (or create) */
const char *output_file = NULL; /* write new encrypted data here */
const char *value = default_value; /* Use this for plaintext */
SECItem data;
SECItem result = {0, 0, 0};
SECItem text;
PRBool ascii = PR_FALSE;
secuPWData pwdata = { PW_NONE, 0 };
pr_stderr = PR_STDERR;
result.data = 0;
text.data = 0; text.len = 0;
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
optstate = PL_CreateOptState (argc, argv, "?Had:i:o:t:vf:p:");
if (optstate == NULL) {
SECU_PrintError (program_name, "PL_CreateOptState failed");
return -1;
}
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
short_usage (program_name);
return retval;
case 'H':
long_usage (program_name);
return retval;
case 'a':
ascii = PR_TRUE;
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
input_file = optstate->value;
break;
case 'o':
output_file = optstate->value;
break;
case 't':
value = optstate->value;
break;
case 'f':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'p':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'v':
verbose = PR_TRUE;
break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD) {
short_usage (program_name);
return -1;
}
if (!output_file && !input_file && value == default_value) {
short_usage (program_name);
PR_fprintf (pr_stderr, "Must specify at least one of -t, -i or -o \n");
return -1;
}
/*
* Initialize the Security libraries.
*/
PK11_SetPasswordFunc(SECU_GetModulePassword);
if (output_file) {
rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
} else {
rv = NSS_Init(SECU_ConfigDirectory(NULL));
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "NSS_Init failed");
retval = -1;
goto prdone;
}
/* Convert value into an item */
data.data = (unsigned char *)value;
data.len = strlen(value);
/* Get the encrypted result, either from the input file
* or from encrypting the plaintext value
*/
if (input_file)
{
if (verbose) printf("Reading data from %s\n", input_file);
if (!strcmp(input_file, "-")) {
retval = readStdin(&result);
ascii = PR_TRUE;
} else {
retval = readInputFile(input_file, &result);
}
if (retval != 0)
goto loser;
if (ascii) {
/* input was base64 encoded. Decode it. */
SECItem newResult = {0, 0, 0};
SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult,
(const char *)result.data, result.len);
if (!ok) {
SECU_PrintError(program_name, "Base 64 decode failed");
retval = -1;
goto loser;
}
SECITEM_ZfreeItem(&result, PR_FALSE);
result = *ok;
}
}
else
{
SECItem keyid = { 0, 0, 0 };
SECItem outBuf = { 0, 0, 0 };
PK11SlotInfo *slot = NULL;
/* sigh, initialize the key database */
slot = PK11_GetInternalKeySlot();
if (slot && PK11_NeedUserInit(slot)) {
switch (pwdata.source) {
case PW_FROMFILE:
rv = SECU_ChangePW(slot, 0, pwdata.data);
break;
case PW_PLAINTEXT:
rv = SECU_ChangePW(slot, pwdata.data, 0);
break;
default:
rv = SECU_ChangePW(slot, "", 0);
break;
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "Failed to initialize slot \"%s\"",
PK11_GetSlotName(slot));
return SECFailure;
}
}
if (slot) {
PK11_FreeSlot(slot);
}
rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata);
if (rv != SECSuccess) {
if (verbose)
SECU_PrintError(program_name, "Encrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Encrypted result is %d bytes long\n", result.len);
if (!strcmp(output_file, "-")) {
ascii = PR_TRUE;
}
if (ascii) {
/* base64 encode output. */
char * newResult = NSSBase64_EncodeItem(NULL, NULL, 0, &result);
if (!newResult) {
SECU_PrintError(program_name, "Base 64 encode failed\n");
retval = -1;
goto loser;
}
outBuf.data = (unsigned char *)newResult;
outBuf.len = strlen(newResult);
if (verbose)
printf("Base 64 encoded result is %d bytes long\n", outBuf.len);
} else {
outBuf = result;
}
/* -v printf("Result is %.*s\n", text.len, text.data); */
if (output_file) {
PRFileDesc *file;
PRInt32 count;
if (verbose) printf("Writing result to %s\n", output_file);
if (!strcmp(output_file, "-")) {
file = PR_STDOUT;
} else {
/* Write to file */
file = PR_Open(output_file, PR_CREATE_FILE|PR_WRONLY, 0666);
}
if (!file) {
if (verbose)
SECU_PrintError(program_name,
"Open of output file %s failed\n",
output_file);
retval = -1;
goto loser;
}
count = PR_Write(file, outBuf.data, outBuf.len);
if (file == PR_STDOUT) {
puts("");
} else {
PR_Close(file);
}
if (count != outBuf.len) {
if (verbose) SECU_PrintError(program_name, "Write failed\n");
retval = -1;
goto loser;
}
if (ascii) {
free(outBuf.data);
}
}
}
/* Decrypt the value */
rv = PK11SDR_Decrypt(&result, &text, &pwdata);
if (rv != SECSuccess) {
if (verbose) SECU_PrintError(program_name, "Decrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Decrypted result is \"%.*s\"\n", text.len, text.data);
/* Compare to required value */
if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0)
{
if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n");
retval = -1;
goto loser;
}
loser:
if (text.data) SECITEM_ZfreeItem(&text, PR_FALSE);
if (result.data) SECITEM_ZfreeItem(&result, PR_FALSE);
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
prdone:
PR_Cleanup ();
if (pwdata.data) {
PORT_Free(pwdata.data);
}
return retval;
}
/***********************************************************************
*
* E n a b l e M o d u l e
*
* If enable==PR_TRUE, enables the module or slot.
* If enable==PR_FALSE, disables the module or slot.
* moduleName is the name of the module.
* slotName is the name of the slot. It is optional.
*/
Error
EnableModule(char *moduleName, char *slotName, PRBool enable)
{
int i;
SECMODModule *module = NULL;
PK11SlotInfo *slot = NULL;
PRBool found = PR_FALSE;
Error rv;
module = SECMOD_FindModule(moduleName);
if (!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
rv = NO_SUCH_MODULE_ERR;
goto loser;
}
for (i = 0; i < module->slotCount; i++) {
slot = module->slots[i];
if (slotName && strcmp(PK11_GetSlotName(slot), slotName)) {
/* Not the right slot */
continue;
}
if (enable) {
if (!PK11_UserEnableSlot(slot)) {
PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
"enable", PK11_GetSlotName(slot));
rv = ENABLE_FAILED_ERR;
goto loser;
} else {
found = PR_TRUE;
PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
PK11_GetSlotName(slot), "enabled");
}
} else {
if (!PK11_UserDisableSlot(slot)) {
PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
"disable", PK11_GetSlotName(slot));
rv = ENABLE_FAILED_ERR;
goto loser;
} else {
found = PR_TRUE;
PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG],
PK11_GetSlotName(slot), "disabled");
}
}
}
if (slotName && !found) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
rv = NO_SUCH_SLOT_ERR;
goto loser;
}
/* Delete and re-add module to save changes */
if (SECMOD_UpdateModule(module) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], moduleName);
rv = UPDATE_MOD_FAILED_ERR;
goto loser;
}
rv = SUCCESS;
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return rv;
}
/***********************************************************************
*
* L i s t M o d u l e
*
* Lists detailed information about the named module.
*/
Error
ListModule(char *moduleName)
{
SECMODModule *module = NULL;
PK11SlotInfo *slot;
int slotnum;
CK_INFO modinfo;
CK_SLOT_INFO slotinfo;
CK_TOKEN_INFO tokeninfo;
char *ciphers, *mechanisms;
size_t reasonIdx;
Error rv = SUCCESS;
if (!moduleName) {
return SUCCESS;
}
module = SECMOD_FindModule(moduleName);
if (!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
rv = NO_SUCH_MODULE_ERR;
goto loser;
}
if ((module->loaded) &&
(PK11_GetModInfo(module, &modinfo) != SECSuccess)) {
PR_fprintf(PR_STDERR, errStrings[MOD_INFO_ERR], moduleName);
rv = MOD_INFO_ERR;
goto loser;
}
/* Module info */
PR_fprintf(PR_STDOUT,
"\n-----------------------------------------------------------\n");
PR_fprintf(PR_STDOUT, "Name: %s\n", module->commonName);
if (module->internal || !module->dllName) {
PR_fprintf(PR_STDOUT, "Library file: **Internal ONLY module**\n");
} else {
PR_fprintf(PR_STDOUT, "Library file: %s\n", module->dllName);
}
if (module->loaded) {
PR_fprintf(PR_STDOUT, "Manufacturer: %.32s\n", modinfo.manufacturerID);
PR_fprintf(PR_STDOUT, "Description: %.32s\n", modinfo.libraryDescription);
PR_fprintf(PR_STDOUT, "PKCS #11 Version %d.%d\n",
modinfo.cryptokiVersion.major, modinfo.cryptokiVersion.minor);
PR_fprintf(PR_STDOUT, "Library Version: %d.%d\n",
modinfo.libraryVersion.major, modinfo.libraryVersion.minor);
} else {
PR_fprintf(PR_STDOUT, "* Module not loaded\n");
}
/* Get cipher and mechanism flags */
ciphers = getStringFromFlags(module->ssl[0], cipherStrings,
numCipherStrings);
if (ciphers[0] == '\0') {
ciphers = "None";
}
PR_fprintf(PR_STDOUT, "Cipher Enable Flags: %s\n", ciphers);
mechanisms = NULL;
if (module->slotCount > 0) {
mechanisms = getStringFromFlags(
PK11_GetDefaultFlags(module->slots[0]),
mechanismStrings, numMechanismStrings);
}
if ((mechanisms == NULL) || (mechanisms[0] == '\0')) {
mechanisms = "None";
}
PR_fprintf(PR_STDOUT, "Default Mechanism Flags: %s\n", mechanisms);
#define PAD " "
/* Loop over each slot */
for (slotnum = 0; slotnum < module->slotCount; slotnum++) {
slot = module->slots[slotnum];
if (PK11_GetSlotInfo(slot, &slotinfo) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[SLOT_INFO_ERR],
PK11_GetSlotName(slot));
rv = SLOT_INFO_ERR;
continue;
}
/* Slot Info */
PR_fprintf(PR_STDOUT, "\n" PAD "Slot: %s\n", PK11_GetSlotName(slot));
mechanisms = getStringFromFlags(PK11_GetDefaultFlags(slot),
mechanismStrings, numMechanismStrings);
if (mechanisms[0] == '\0') {
mechanisms = "None";
}
PR_fprintf(PR_STDOUT, PAD "Slot Mechanism Flags: %s\n", mechanisms);
PR_fprintf(PR_STDOUT, PAD "Manufacturer: %.32s\n",
slotinfo.manufacturerID);
if (PK11_IsHW(slot)) {
PR_fprintf(PR_STDOUT, PAD "Type: Hardware\n");
} else {
PR_fprintf(PR_STDOUT, PAD "Type: Software\n");
}
PR_fprintf(PR_STDOUT, PAD "Version Number: %d.%d\n",
slotinfo.hardwareVersion.major, slotinfo.hardwareVersion.minor);
PR_fprintf(PR_STDOUT, PAD "Firmware Version: %d.%d\n",
slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor);
if (PK11_IsDisabled(slot)) {
reasonIdx = PK11_GetDisabledReason(slot);
if (reasonIdx < numDisableReasonStr) {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED (%s)\n",
disableReasonStr[reasonIdx]);
} else {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED\n");
}
} else {
PR_fprintf(PR_STDOUT, PAD "Status: Enabled\n");
}
if (PK11_GetTokenInfo(slot, &tokeninfo) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[TOKEN_INFO_ERR],
PK11_GetTokenName(slot));
rv = TOKEN_INFO_ERR;
continue;
}
/* Token Info */
PR_fprintf(PR_STDOUT, PAD "Token Name: %.32s\n",
tokeninfo.label);
PR_fprintf(PR_STDOUT, PAD "Token Manufacturer: %.32s\n",
tokeninfo.manufacturerID);
PR_fprintf(PR_STDOUT, PAD "Token Model: %.16s\n", tokeninfo.model);
PR_fprintf(PR_STDOUT, PAD "Token Serial Number: %.16s\n",
tokeninfo.serialNumber);
PR_fprintf(PR_STDOUT, PAD "Token Version: %d.%d\n",
tokeninfo.hardwareVersion.major, tokeninfo.hardwareVersion.minor);
PR_fprintf(PR_STDOUT, PAD "Token Firmware Version: %d.%d\n",
tokeninfo.firmwareVersion.major, tokeninfo.firmwareVersion.minor);
if (tokeninfo.flags & CKF_WRITE_PROTECTED) {
PR_fprintf(PR_STDOUT, PAD "Access: Write Protected\n");
} else {
PR_fprintf(PR_STDOUT, PAD "Access: NOT Write Protected\n");
}
if (tokeninfo.flags & CKF_LOGIN_REQUIRED) {
PR_fprintf(PR_STDOUT, PAD "Login Type: Login required\n");
} else {
PR_fprintf(PR_STDOUT, PAD
"Login Type: Public (no login required)\n");
}
if (tokeninfo.flags & CKF_USER_PIN_INITIALIZED) {
PR_fprintf(PR_STDOUT, PAD "User Pin: Initialized\n");
} else {
PR_fprintf(PR_STDOUT, PAD "User Pin: NOT Initialized\n");
}
}
PR_fprintf(PR_STDOUT,
"\n-----------------------------------------------------------\n");
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return rv;
}
/*************************************************************************
*
* S e t D e f a u l t M o d u l e
*
*/
Error
SetDefaultModule(char *moduleName, char *slotName, char *mechanisms)
{
SECMODModule *module = NULL;
PK11SlotInfo *slot;
int s, i;
unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
numMechanismStrings);
PRBool found = PR_FALSE;
Error errcode = UNSPECIFIED_ERR;
if (pk11_DefaultArray == NULL) {
pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
if (pk11_DefaultArray == NULL) {
/* should assert. This shouldn't happen */
goto loser;
}
}
mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
module = SECMOD_FindModule(moduleName);
if(!module) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
errcode = NO_SUCH_MODULE_ERR;
goto loser;
}
/* Go through each slot */
for(s=0; s < module->slotCount; s++) {
slot = module->slots[s];
if ((slotName != NULL) &&
!((strcmp(PK11_GetSlotName(slot),slotName) == 0) ||
(strcmp(PK11_GetTokenName(slot),slotName) == 0)) ) {
/* we are only interested in changing the one slot */
continue;
}
found = PR_TRUE;
/* Go through each mechanism */
for(i=0; i < pk11_DefaultArraySize; i++) {
if(pk11_DefaultArray[i].flag & mechFlags) {
/* Enable this default mechanism */
PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]),
PR_TRUE);
}
}
}
if (slotName && !found) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName);
errcode = NO_SUCH_SLOT_ERR;
goto loser;
}
/* Delete and re-add module to save changes */
if( SECMOD_UpdateModule(module) != SECSuccess ) {
PR_fprintf(PR_STDERR, errStrings[DEFAULT_FAILED_ERR],
moduleName);
errcode = DEFAULT_FAILED_ERR;
goto loser;
}
PR_fprintf(PR_STDOUT, msgStrings[DEFAULT_SUCCESS_MSG]);
errcode = SUCCESS;
loser:
if (module) {
SECMOD_DestroyModule(module);
}
return errcode;
}
