PK11SlotInfo * SECMOD_FindSlot(SECMODModule *module,const char *name) { int i; char *string; PK11SlotInfo *retSlot = NULL; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return retSlot; } SECMOD_GetReadLock(moduleLock); for (i=0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; if (PK11_IsPresent(slot)) { string = PK11_GetTokenName(slot); } else { string = PK11_GetSlotName(slot); } if (PORT_Strcmp(name,string) == 0) { retSlot = PK11_ReferenceSlot(slot); break; } } SECMOD_ReleaseReadLock(moduleLock); if (retSlot == NULL) { PORT_SetError(SEC_ERROR_NO_SLOT_SELECTED); } return retSlot; }
/* * L i s t S e c M o d u l e s * * Print a list of the PKCS11 security modules that are * available. This is useful for smartcard people to * make sure they have the drivers loaded. * */ SECStatus TKS_ListSecModules( void ) { PK11SlotList *list; PK11SlotListElement *le; /* get them all! */ list = PK11_GetAllTokens( /* mechanism type */ CKM_INVALID_MECHANISM, /* need R/W */ PR_FALSE, /* load certs */ PR_FALSE, /* wincx */ NULL ); if( list == NULL ) { return SECFailure; } /* look at each slot */ for( le = list->head ; le ; le = le->next ) { PR_fprintf ( PR_STDOUT, "\n" ); PR_fprintf ( PR_STDOUT, " slot: %s\n", PK11_GetSlotName( /* slot */ le->slot ) ); PR_fprintf ( PR_STDOUT, " token: %s\n", PK11_GetTokenName( /* slot */ le->slot ) ); } PK11_FreeSlotList( /* slot list */ list ); return SECSuccess; }
int find_slot_by_slotlabel_and_tokenlabel(pkcs11_handle_t *h, const char *wanted_slot_label, const char *wanted_token_label, unsigned int *slot_num) { SECMODModule *module = h->module; PK11SlotInfo *slot; unsigned long i; int rv; if (slot_num == NULL || module == NULL) return (-1); if (wanted_token_label == NULL){ rv = find_slot_by_slotlabel(h, wanted_slot_label, slot_num); return (rv); } /* wanted_token_label != NULL */ if (strcmp(wanted_slot_label, "none") == 0) { for (i = 0; i < module->slotCount; i++) { if (module->slots[i] && PK11_IsPresent(module->slots[i])) { const char *token_label; slot = PK11_ReferenceSlot(module->slots[i]); token_label = PK11_GetTokenName(slot); if (memcmp_pad_max((void *) token_label, strlen(token_label), (void *)wanted_token_label, strlen(wanted_token_label), 33) == 0) { h->slot = slot; *slot_num = PK11_GetSlotID(slot); return (0); } } } return (-1); } else { for (i = 0; i < module->slotCount; i++) { if (module->slots[i] && PK11_IsPresent(module->slots[i])) { const char *slot_label; const char *token_label; slot = PK11_ReferenceSlot(module->slots[i]); slot_label = PK11_GetSlotName(slot); token_label = PK11_GetTokenName(slot); if ((memcmp_pad_max((void *)slot_label, strlen(slot_label), (void *)wanted_slot_label, strlen(wanted_slot_label), 64) == 0) && (memcmp_pad_max((void *)token_label, strlen(token_label), (void *)wanted_token_label, strlen(wanted_token_label), 33) == 0)) { h->slot = slot; *slot_num = PK11_GetSlotID(slot); return (0); } } } return (-1); } }
/************************************************************************ * * U n s e t D e f a u l t M o d u l e */ Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms) { SECMODModule *module = NULL; PK11SlotInfo *slot; int s, i; unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings, numMechanismStrings); PRBool found = PR_FALSE; Error rv; mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); module = SECMOD_FindModule(moduleName); if (!module) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName); rv = NO_SUCH_MODULE_ERR; goto loser; } for (s = 0; s < module->slotCount; s++) { slot = module->slots[s]; if ((slotName != NULL) && !((strcmp(PK11_GetSlotName(slot), slotName) == 0) || (strcmp(PK11_GetTokenName(slot), slotName) == 0))) { /* we are only interested in changing the one slot */ continue; } for (i = 0; i < pk11_DefaultArraySize; i++) { if (pk11_DefaultArray[i].flag & mechFlags) { PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]), PR_FALSE); } } } if (slotName && !found) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName); rv = NO_SUCH_SLOT_ERR; goto loser; } /* Delete and re-add module to save changes */ if (SECMOD_UpdateModule(module) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[UNDEFAULT_FAILED_ERR], moduleName); rv = UNDEFAULT_FAILED_ERR; goto loser; } PR_fprintf(PR_STDOUT, msgStrings[UNDEFAULT_SUCCESS_MSG]); rv = SUCCESS; loser: if (module) { SECMOD_DestroyModule(module); } return rv; }
/* * This thread looks for card and reader insertions and puts events on the * event queue */ static void vcard_emul_event_thread(void *arg) { PK11SlotInfo *slot; VReader *vreader; VReaderEmul *vreader_emul; VCard *vcard; SECMODModule *module = (SECMODModule *)arg; do { slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500); if (slot == NULL) { break; } vreader = vcard_emul_find_vreader_from_slot(slot); if (vreader == NULL) { /* new vreader */ vreader_emul = vreader_emul_new(slot, default_card_type, default_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); PK11_FreeSlot(slot); slot = NULL; vreader_add_reader(vreader); vreader_free(vreader); continue; } /* card remove/insert */ vreader_emul = vreader_get_private(vreader); if (PK11_IsPresent(slot)) { int series = PK11_GetSlotSeries(slot); if (series != vreader_emul->series) { if (vreader_emul->present) { vreader_insert_card(vreader, NULL); } vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_free(vcard); } vreader_emul->series = series; vreader_emul->present = 1; vreader_free(vreader); PK11_FreeSlot(slot); continue; } if (vreader_emul->present) { vreader_insert_card(vreader, NULL); } vreader_emul->series = 0; vreader_emul->present = 0; PK11_FreeSlot(slot); vreader_free(vreader); } while (1); }
static void printModule(SECMODModule *module, int *count) { int slotCount = module->loaded ? module->slotCount : 0; char *modUri; int i; if ((*count)++) { PR_fprintf(PR_STDOUT, "\n"); } PR_fprintf(PR_STDOUT, "%3d. %s\n", *count, module->commonName); if (module->dllName) { PR_fprintf(PR_STDOUT, "\tlibrary name: %s\n", module->dllName); } modUri = PK11_GetModuleURI(module); if (modUri) { PR_fprintf(PR_STDOUT, "\t uri: %s\n", modUri); PORT_Free(modUri); } if (slotCount == 0) { PR_fprintf(PR_STDOUT, "\t slots: There are no slots attached to this module\n"); } else { PR_fprintf(PR_STDOUT, "\t slots: %d slot%s attached\n", slotCount, (slotCount == 1 ? "" : "s")); } if (module->loaded == 0) { PR_fprintf(PR_STDOUT, "\tstatus: Not loaded\n"); } else { PR_fprintf(PR_STDOUT, "\tstatus: loaded\n"); } /* Print slot and token names */ for (i = 0; i < slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; char *tokenUri = PK11_GetTokenURI(slot); PR_fprintf(PR_STDOUT, "\n"); PR_fprintf(PR_STDOUT, "\t slot: %s\n", PK11_GetSlotName(slot)); PR_fprintf(PR_STDOUT, "\ttoken: %s\n", PK11_GetTokenName(slot)); PR_fprintf(PR_STDOUT, "\t uri: %s\n", tokenUri); PORT_Free(tokenUri); } return; }
/* readonly attribute wstring name; */ NS_IMETHODIMP nsPKCS11Slot::GetName(char16_t **aName) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; char *csn = PK11_GetSlotName(mSlot); if (*csn) { *aName = ToNewUnicode(NS_ConvertUTF8toUTF16(csn)); } else if (PK11_HasRootCerts(mSlot)) { // This is a workaround to an Root Module bug - the root certs module has // no slot name. Not bothering to localize, because this is a workaround // and for now all the slot names returned by NSS are char * anyway. *aName = ToNewUnicode(NS_LITERAL_STRING("Root Certificates")); } else { // same as above, this is a catch-all *aName = ToNewUnicode(NS_LITERAL_STRING("Unnamed Slot")); } if (!*aName) return NS_ERROR_OUT_OF_MEMORY; return NS_OK; }
/* * This function will search the slot list to find a slot based on the slot * label. If the wanted_slot_label is "none", then we will return the first * slot with the token presented. * * This function return 0 if it found a matching slot; otherwise, it returns * -1. */ int find_slot_by_slotlabel(pkcs11_handle_t *h, const char *wanted_slot_label, unsigned int *slotID) { SECMODModule *module = h->module; PK11SlotInfo *slot; int rv; int i; if (slotID == NULL || wanted_slot_label == NULL || strlen(wanted_slot_label) == 0 || module == NULL) return (-1); if (strcmp(wanted_slot_label, "none") == 0) { rv = find_slot_by_number(h, 0, slotID); return (rv); } else { /* wanted_slot_label is not "none" */ for (i = 0; i < module->slotCount; i++) { if (module->slots[i] && PK11_IsPresent(module->slots[i])) { const char *slot_label; slot = PK11_ReferenceSlot(module->slots[i]); slot_label = PK11_GetSlotName(slot); if (memcmp_pad_max((void *)slot_label, strlen(slot_label), (void *)wanted_slot_label, strlen(wanted_slot_label), 64) == 0) { h->slot = slot; *slotID = PK11_GetSlotID(slot); return 0; } } } } return (-1); }
VCardEmulError vcard_emul_init(const VCardEmulOptions *options) { SECStatus rv; PRBool ret, has_readers = PR_FALSE; VReader *vreader; VReaderEmul *vreader_emul; SECMODListLock *module_lock; SECMODModuleList *module_list; SECMODModuleList *mlp; int i; if (vcard_emul_init_called) { return VCARD_EMUL_INIT_ALREADY_INITED; } vcard_emul_init_called = 1; vreader_init(); vevent_queue_init(); if (options == NULL) { options = &default_options; } /* first initialize NSS */ if (options->nss_db) { rv = NSS_Init(options->nss_db); } else { gchar *path; #ifndef _WIN32 path = g_strdup("/etc/pki/nssdb"); #else if (g_get_system_config_dirs() == NULL || g_get_system_config_dirs()[0] == NULL) { return VCARD_EMUL_FAIL; } path = g_build_filename( g_get_system_config_dirs()[0], "pki", "nssdb", NULL); #endif rv = NSS_Init(path); g_free(path); } if (rv != SECSuccess) { return VCARD_EMUL_FAIL; } /* Set password callback function */ PK11_SetPasswordFunc(vcard_emul_get_password); /* set up soft cards emulated by software certs rather than physical cards * */ for (i = 0; i < options->vreader_count; i++) { int j; int cert_count; unsigned char **certs; int *cert_len; VCardKey **keys; PK11SlotInfo *slot; slot = PK11_FindSlotByName(options->vreader[i].name); if (slot == NULL) { continue; } vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, options->vreader[i].type_params); vreader = vreader_new(options->vreader[i].vname, vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); cert_count = options->vreader[i].cert_count; ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, options->vreader[i].cert_count); if (ret == PR_FALSE) { continue; } cert_count = 0; for (j = 0; j < options->vreader[i].cert_count; j++) { /* we should have a better way of identifying certs than by * nickname here */ CERTCertificate *cert = PK11_FindCertFromNickname( options->vreader[i].cert_name[j], NULL); if (cert == NULL) { continue; } certs[cert_count] = cert->derCert.data; cert_len[cert_count] = cert->derCert.len; keys[cert_count] = vcard_emul_make_key(slot, cert); /* this is safe because the key is still holding a cert reference */ CERT_DestroyCertificate(cert); cert_count++; } if (cert_count) { VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); /* allow insertion and removal of soft cards */ vreader_emul->saved_vcard = vcard_reference(vcard); vcard_free(vcard); vreader_free(vreader); has_readers = PR_TRUE; } g_free(certs); g_free(cert_len); g_free(keys); } /* if we aren't suppose to use hw, skip looking up hardware tokens */ if (!options->use_hw) { nss_emul_init = has_readers; return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; } /* make sure we have some PKCS #11 module loaded */ module_lock = SECMOD_GetDefaultModuleListLock(); module_list = SECMOD_GetDefaultModuleList(); SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; if (module_has_removable_hw_slots(module)) { break; } } SECMOD_ReleaseReadLock(module_lock); /* now examine all the slots, finding which should be readers */ /* We should control this with options. For now we mirror out any * removable hardware slot */ default_card_type = options->hw_card_type; default_type_params = g_strdup(options->hw_type_params); SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; /* Ignore the internal module */ if (module == NULL || module == SECMOD_GetInternalModule()) { continue; } for (i = 0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; /* only map removable HW slots */ if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { continue; } if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) { /* * coolkey <= 1.1.0-20 emulates this reader if it can't find * any hardware readers. This causes problems, warn user of * problems. */ fprintf(stderr, "known bad coolkey version - see " "https://bugzilla.redhat.com/show_bug.cgi?id=802435\n"); continue; } vreader_emul = vreader_emul_new(slot, options->hw_card_type, options->hw_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); if (PK11_IsPresent(slot)) { VCard *vcard; vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); vcard_free(vcard); } } vcard_emul_new_event_thread(module); } SECMOD_ReleaseReadLock(module_lock); nss_emul_init = PR_TRUE; return VCARD_EMUL_OK; }
/* * This thread looks for card and reader insertions and puts events on the * event queue */ static void vcard_emul_event_thread(void *arg) { PK11SlotInfo *slot; VReader *vreader; VReaderEmul *vreader_emul; VCard *vcard; SECMODModule *module = (SECMODModule *)arg; do { /* * XXX - the latency value doesn't matter one bit. you only get no * blocking (flags |= CKF_DONT_BLOCK) or PKCS11_WAIT_LATENCY (==500), * hard coded in coolkey. And it isn't coolkey's fault - the timeout * value we pass get's dropped on the floor before C_WaitForSlotEvent * is called. */ slot = SECMOD_WaitForAnyTokenEvent(module, 0, 500); if (slot == NULL) { /* this could be just a no event indication */ if (PORT_GetError() == SEC_ERROR_NO_EVENT) { continue; } break; } vreader = vcard_emul_find_vreader_from_slot(slot); if (vreader == NULL) { /* new vreader */ vreader_emul = vreader_emul_new(slot, default_card_type, default_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); PK11_FreeSlot(slot); slot = NULL; vreader_add_reader(vreader); vreader_free(vreader); continue; } /* card remove/insert */ vreader_emul = vreader_get_private(vreader); if (PK11_IsPresent(slot)) { int series = PK11_GetSlotSeries(slot); if (series != vreader_emul->series) { if (vreader_emul->present) { vreader_insert_card(vreader, NULL); } vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_free(vcard); } vreader_emul->series = series; vreader_emul->present = 1; vreader_free(vreader); PK11_FreeSlot(slot); continue; } if (vreader_emul->present) { vreader_insert_card(vreader, NULL); } vreader_emul->series = 0; vreader_emul->present = 0; PK11_FreeSlot(slot); vreader_free(vreader); } while (1); }
VCardEmulError vcard_emul_init(const VCardEmulOptions *options) { SECStatus rv; PRBool ret, has_readers = PR_FALSE, need_coolkey_module; VReader *vreader; VReaderEmul *vreader_emul; SECMODListLock *module_lock; SECMODModuleList *module_list; SECMODModuleList *mlp; int i; if (vcard_emul_init_called) { return VCARD_EMUL_INIT_ALREADY_INITED; } vcard_emul_init_called = 1; vreader_init(); vevent_queue_init(); if (options == NULL) { options = &default_options; } /* first initialize NSS */ if (options->nss_db) { rv = NSS_Init(options->nss_db); } else { rv = NSS_Init("sql:/etc/pki/nssdb"); } if (rv != SECSuccess) { return VCARD_EMUL_FAIL; } /* Set password callback function */ PK11_SetPasswordFunc(vcard_emul_get_password); /* set up soft cards emulated by software certs rather than physical cards * */ for (i = 0; i < options->vreader_count; i++) { int j; int cert_count; unsigned char **certs; int *cert_len; VCardKey **keys; PK11SlotInfo *slot; slot = PK11_FindSlotByName(options->vreader[i].name); if (slot == NULL) { continue; } vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type, options->vreader[i].type_params); vreader = vreader_new(options->vreader[i].vname, vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); cert_count = options->vreader[i].cert_count; ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys, options->vreader[i].cert_count); if (ret == PR_FALSE) { continue; } cert_count = 0; for (j = 0; j < options->vreader[i].cert_count; j++) { /* we should have a better way of identifying certs than by * nickname here */ CERTCertificate *cert = PK11_FindCertFromNickname( options->vreader[i].cert_name[j], NULL); if (cert == NULL) { continue; } certs[cert_count] = cert->derCert.data; cert_len[cert_count] = cert->derCert.len; keys[cert_count] = vcard_emul_make_key(slot, cert); /* this is safe because the key is still holding a cert reference */ CERT_DestroyCertificate(cert); cert_count++; } if (cert_count) { VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len, keys, cert_count); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); /* allow insertion and removal of soft cards */ vreader_emul->saved_vcard = vcard_reference(vcard); vcard_free(vcard); vreader_free(vreader); has_readers = PR_TRUE; } g_free(certs); g_free(cert_len); g_free(keys); } /* if we aren't suppose to use hw, skip looking up hardware tokens */ if (!options->use_hw) { nss_emul_init = has_readers; return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL; } /* make sure we have some PKCS #11 module loaded */ module_lock = SECMOD_GetDefaultModuleListLock(); module_list = SECMOD_GetDefaultModuleList(); need_coolkey_module = !has_readers; SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; if (module_has_removable_hw_slots(module)) { need_coolkey_module = PR_FALSE; break; } } SECMOD_ReleaseReadLock(module_lock); if (need_coolkey_module) { SECMODModule *module; module = SECMOD_LoadUserModule( (char *)"library=libcoolkeypk11.so name=Coolkey", NULL, PR_FALSE); if (module == NULL) { return VCARD_EMUL_FAIL; } SECMOD_DestroyModule(module); /* free our reference, Module will still * be on the list. * until we destroy it */ } /* now examine all the slots, finding which should be readers */ /* We should control this with options. For now we mirror out any * removable hardware slot */ default_card_type = options->hw_card_type; default_type_params = strdup(options->hw_type_params); SECMOD_GetReadLock(module_lock); for (mlp = module_list; mlp; mlp = mlp->next) { SECMODModule *module = mlp->module; PRBool has_emul_slots = PR_FALSE; if (module == NULL) { continue; } for (i = 0; i < module->slotCount; i++) { PK11SlotInfo *slot = module->slots[i]; /* only map removable HW slots */ if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) { continue; } vreader_emul = vreader_emul_new(slot, options->hw_card_type, options->hw_type_params); vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul, vreader_emul_delete); vreader_add_reader(vreader); has_readers = PR_TRUE; has_emul_slots = PR_TRUE; if (PK11_IsPresent(slot)) { VCard *vcard; vcard = vcard_emul_mirror_card(vreader); vreader_insert_card(vreader, vcard); vcard_emul_init_series(vreader, vcard); vcard_free(vcard); } } if (has_emul_slots) { vcard_emul_new_event_thread(module); } } SECMOD_ReleaseReadLock(module_lock); nss_emul_init = has_readers; return VCARD_EMUL_OK; }
int main (int argc, char **argv) { int retval = 0; /* 0 - test succeeded. -1 - test failed */ SECStatus rv; PLOptState *optstate; PLOptStatus optstatus; char *program_name; const char *input_file = NULL; /* read encrypted data from here (or create) */ const char *output_file = NULL; /* write new encrypted data here */ const char *value = default_value; /* Use this for plaintext */ SECItem data; SECItem result = {0, 0, 0}; SECItem text; PRBool ascii = PR_FALSE; secuPWData pwdata = { PW_NONE, 0 }; pr_stderr = PR_STDERR; result.data = 0; text.data = 0; text.len = 0; program_name = PL_strrchr(argv[0], '/'); program_name = program_name ? (program_name + 1) : argv[0]; optstate = PL_CreateOptState (argc, argv, "?Had:i:o:t:vf:p:"); if (optstate == NULL) { SECU_PrintError (program_name, "PL_CreateOptState failed"); return -1; } while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': short_usage (program_name); return retval; case 'H': long_usage (program_name); return retval; case 'a': ascii = PR_TRUE; break; case 'd': SECU_ConfigDirectory(optstate->value); break; case 'i': input_file = optstate->value; break; case 'o': output_file = optstate->value; break; case 't': value = optstate->value; break; case 'f': if (pwdata.data) { PORT_Free(pwdata.data); short_usage(program_name); return -1; } pwdata.source = PW_FROMFILE; pwdata.data = PORT_Strdup(optstate->value); break; case 'p': if (pwdata.data) { PORT_Free(pwdata.data); short_usage(program_name); return -1; } pwdata.source = PW_PLAINTEXT; pwdata.data = PORT_Strdup(optstate->value); break; case 'v': verbose = PR_TRUE; break; } } PL_DestroyOptState(optstate); if (optstatus == PL_OPT_BAD) { short_usage (program_name); return -1; } if (!output_file && !input_file && value == default_value) { short_usage (program_name); PR_fprintf (pr_stderr, "Must specify at least one of -t, -i or -o \n"); return -1; } /* * Initialize the Security libraries. */ PK11_SetPasswordFunc(SECU_GetModulePassword); if (output_file) { rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL)); } else { rv = NSS_Init(SECU_ConfigDirectory(NULL)); } if (rv != SECSuccess) { SECU_PrintError(program_name, "NSS_Init failed"); retval = -1; goto prdone; } /* Convert value into an item */ data.data = (unsigned char *)value; data.len = strlen(value); /* Get the encrypted result, either from the input file * or from encrypting the plaintext value */ if (input_file) { if (verbose) printf("Reading data from %s\n", input_file); if (!strcmp(input_file, "-")) { retval = readStdin(&result); ascii = PR_TRUE; } else { retval = readInputFile(input_file, &result); } if (retval != 0) goto loser; if (ascii) { /* input was base64 encoded. Decode it. */ SECItem newResult = {0, 0, 0}; SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult, (const char *)result.data, result.len); if (!ok) { SECU_PrintError(program_name, "Base 64 decode failed"); retval = -1; goto loser; } SECITEM_ZfreeItem(&result, PR_FALSE); result = *ok; } } else { SECItem keyid = { 0, 0, 0 }; SECItem outBuf = { 0, 0, 0 }; PK11SlotInfo *slot = NULL; /* sigh, initialize the key database */ slot = PK11_GetInternalKeySlot(); if (slot && PK11_NeedUserInit(slot)) { switch (pwdata.source) { case PW_FROMFILE: rv = SECU_ChangePW(slot, 0, pwdata.data); break; case PW_PLAINTEXT: rv = SECU_ChangePW(slot, pwdata.data, 0); break; default: rv = SECU_ChangePW(slot, "", 0); break; } if (rv != SECSuccess) { SECU_PrintError(program_name, "Failed to initialize slot \"%s\"", PK11_GetSlotName(slot)); return SECFailure; } } if (slot) { PK11_FreeSlot(slot); } rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata); if (rv != SECSuccess) { if (verbose) SECU_PrintError(program_name, "Encrypt operation failed\n"); retval = -1; goto loser; } if (verbose) printf("Encrypted result is %d bytes long\n", result.len); if (!strcmp(output_file, "-")) { ascii = PR_TRUE; } if (ascii) { /* base64 encode output. */ char * newResult = NSSBase64_EncodeItem(NULL, NULL, 0, &result); if (!newResult) { SECU_PrintError(program_name, "Base 64 encode failed\n"); retval = -1; goto loser; } outBuf.data = (unsigned char *)newResult; outBuf.len = strlen(newResult); if (verbose) printf("Base 64 encoded result is %d bytes long\n", outBuf.len); } else { outBuf = result; } /* -v printf("Result is %.*s\n", text.len, text.data); */ if (output_file) { PRFileDesc *file; PRInt32 count; if (verbose) printf("Writing result to %s\n", output_file); if (!strcmp(output_file, "-")) { file = PR_STDOUT; } else { /* Write to file */ file = PR_Open(output_file, PR_CREATE_FILE|PR_WRONLY, 0666); } if (!file) { if (verbose) SECU_PrintError(program_name, "Open of output file %s failed\n", output_file); retval = -1; goto loser; } count = PR_Write(file, outBuf.data, outBuf.len); if (file == PR_STDOUT) { puts(""); } else { PR_Close(file); } if (count != outBuf.len) { if (verbose) SECU_PrintError(program_name, "Write failed\n"); retval = -1; goto loser; } if (ascii) { free(outBuf.data); } } } /* Decrypt the value */ rv = PK11SDR_Decrypt(&result, &text, &pwdata); if (rv != SECSuccess) { if (verbose) SECU_PrintError(program_name, "Decrypt operation failed\n"); retval = -1; goto loser; } if (verbose) printf("Decrypted result is \"%.*s\"\n", text.len, text.data); /* Compare to required value */ if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0) { if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n"); retval = -1; goto loser; } loser: if (text.data) SECITEM_ZfreeItem(&text, PR_FALSE); if (result.data) SECITEM_ZfreeItem(&result, PR_FALSE); if (NSS_Shutdown() != SECSuccess) { exit(1); } prdone: PR_Cleanup (); if (pwdata.data) { PORT_Free(pwdata.data); } return retval; }
/*********************************************************************** * * E n a b l e M o d u l e * * If enable==PR_TRUE, enables the module or slot. * If enable==PR_FALSE, disables the module or slot. * moduleName is the name of the module. * slotName is the name of the slot. It is optional. */ Error EnableModule(char *moduleName, char *slotName, PRBool enable) { int i; SECMODModule *module = NULL; PK11SlotInfo *slot = NULL; PRBool found = PR_FALSE; Error rv; module = SECMOD_FindModule(moduleName); if (!module) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName); rv = NO_SUCH_MODULE_ERR; goto loser; } for (i = 0; i < module->slotCount; i++) { slot = module->slots[i]; if (slotName && strcmp(PK11_GetSlotName(slot), slotName)) { /* Not the right slot */ continue; } if (enable) { if (!PK11_UserEnableSlot(slot)) { PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR], "enable", PK11_GetSlotName(slot)); rv = ENABLE_FAILED_ERR; goto loser; } else { found = PR_TRUE; PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG], PK11_GetSlotName(slot), "enabled"); } } else { if (!PK11_UserDisableSlot(slot)) { PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR], "disable", PK11_GetSlotName(slot)); rv = ENABLE_FAILED_ERR; goto loser; } else { found = PR_TRUE; PR_fprintf(PR_STDOUT, msgStrings[ENABLE_SUCCESS_MSG], PK11_GetSlotName(slot), "disabled"); } } } if (slotName && !found) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName); rv = NO_SUCH_SLOT_ERR; goto loser; } /* Delete and re-add module to save changes */ if (SECMOD_UpdateModule(module) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[UPDATE_MOD_FAILED_ERR], moduleName); rv = UPDATE_MOD_FAILED_ERR; goto loser; } rv = SUCCESS; loser: if (module) { SECMOD_DestroyModule(module); } return rv; }
/*********************************************************************** * * L i s t M o d u l e * * Lists detailed information about the named module. */ Error ListModule(char *moduleName) { SECMODModule *module = NULL; PK11SlotInfo *slot; int slotnum; CK_INFO modinfo; CK_SLOT_INFO slotinfo; CK_TOKEN_INFO tokeninfo; char *ciphers, *mechanisms; size_t reasonIdx; Error rv = SUCCESS; if (!moduleName) { return SUCCESS; } module = SECMOD_FindModule(moduleName); if (!module) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName); rv = NO_SUCH_MODULE_ERR; goto loser; } if ((module->loaded) && (PK11_GetModInfo(module, &modinfo) != SECSuccess)) { PR_fprintf(PR_STDERR, errStrings[MOD_INFO_ERR], moduleName); rv = MOD_INFO_ERR; goto loser; } /* Module info */ PR_fprintf(PR_STDOUT, "\n-----------------------------------------------------------\n"); PR_fprintf(PR_STDOUT, "Name: %s\n", module->commonName); if (module->internal || !module->dllName) { PR_fprintf(PR_STDOUT, "Library file: **Internal ONLY module**\n"); } else { PR_fprintf(PR_STDOUT, "Library file: %s\n", module->dllName); } if (module->loaded) { PR_fprintf(PR_STDOUT, "Manufacturer: %.32s\n", modinfo.manufacturerID); PR_fprintf(PR_STDOUT, "Description: %.32s\n", modinfo.libraryDescription); PR_fprintf(PR_STDOUT, "PKCS #11 Version %d.%d\n", modinfo.cryptokiVersion.major, modinfo.cryptokiVersion.minor); PR_fprintf(PR_STDOUT, "Library Version: %d.%d\n", modinfo.libraryVersion.major, modinfo.libraryVersion.minor); } else { PR_fprintf(PR_STDOUT, "* Module not loaded\n"); } /* Get cipher and mechanism flags */ ciphers = getStringFromFlags(module->ssl[0], cipherStrings, numCipherStrings); if (ciphers[0] == '\0') { ciphers = "None"; } PR_fprintf(PR_STDOUT, "Cipher Enable Flags: %s\n", ciphers); mechanisms = NULL; if (module->slotCount > 0) { mechanisms = getStringFromFlags( PK11_GetDefaultFlags(module->slots[0]), mechanismStrings, numMechanismStrings); } if ((mechanisms == NULL) || (mechanisms[0] == '\0')) { mechanisms = "None"; } PR_fprintf(PR_STDOUT, "Default Mechanism Flags: %s\n", mechanisms); #define PAD " " /* Loop over each slot */ for (slotnum = 0; slotnum < module->slotCount; slotnum++) { slot = module->slots[slotnum]; if (PK11_GetSlotInfo(slot, &slotinfo) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[SLOT_INFO_ERR], PK11_GetSlotName(slot)); rv = SLOT_INFO_ERR; continue; } /* Slot Info */ PR_fprintf(PR_STDOUT, "\n" PAD "Slot: %s\n", PK11_GetSlotName(slot)); mechanisms = getStringFromFlags(PK11_GetDefaultFlags(slot), mechanismStrings, numMechanismStrings); if (mechanisms[0] == '\0') { mechanisms = "None"; } PR_fprintf(PR_STDOUT, PAD "Slot Mechanism Flags: %s\n", mechanisms); PR_fprintf(PR_STDOUT, PAD "Manufacturer: %.32s\n", slotinfo.manufacturerID); if (PK11_IsHW(slot)) { PR_fprintf(PR_STDOUT, PAD "Type: Hardware\n"); } else { PR_fprintf(PR_STDOUT, PAD "Type: Software\n"); } PR_fprintf(PR_STDOUT, PAD "Version Number: %d.%d\n", slotinfo.hardwareVersion.major, slotinfo.hardwareVersion.minor); PR_fprintf(PR_STDOUT, PAD "Firmware Version: %d.%d\n", slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor); if (PK11_IsDisabled(slot)) { reasonIdx = PK11_GetDisabledReason(slot); if (reasonIdx < numDisableReasonStr) { PR_fprintf(PR_STDOUT, PAD "Status: DISABLED (%s)\n", disableReasonStr[reasonIdx]); } else { PR_fprintf(PR_STDOUT, PAD "Status: DISABLED\n"); } } else { PR_fprintf(PR_STDOUT, PAD "Status: Enabled\n"); } if (PK11_GetTokenInfo(slot, &tokeninfo) != SECSuccess) { PR_fprintf(PR_STDERR, errStrings[TOKEN_INFO_ERR], PK11_GetTokenName(slot)); rv = TOKEN_INFO_ERR; continue; } /* Token Info */ PR_fprintf(PR_STDOUT, PAD "Token Name: %.32s\n", tokeninfo.label); PR_fprintf(PR_STDOUT, PAD "Token Manufacturer: %.32s\n", tokeninfo.manufacturerID); PR_fprintf(PR_STDOUT, PAD "Token Model: %.16s\n", tokeninfo.model); PR_fprintf(PR_STDOUT, PAD "Token Serial Number: %.16s\n", tokeninfo.serialNumber); PR_fprintf(PR_STDOUT, PAD "Token Version: %d.%d\n", tokeninfo.hardwareVersion.major, tokeninfo.hardwareVersion.minor); PR_fprintf(PR_STDOUT, PAD "Token Firmware Version: %d.%d\n", tokeninfo.firmwareVersion.major, tokeninfo.firmwareVersion.minor); if (tokeninfo.flags & CKF_WRITE_PROTECTED) { PR_fprintf(PR_STDOUT, PAD "Access: Write Protected\n"); } else { PR_fprintf(PR_STDOUT, PAD "Access: NOT Write Protected\n"); } if (tokeninfo.flags & CKF_LOGIN_REQUIRED) { PR_fprintf(PR_STDOUT, PAD "Login Type: Login required\n"); } else { PR_fprintf(PR_STDOUT, PAD "Login Type: Public (no login required)\n"); } if (tokeninfo.flags & CKF_USER_PIN_INITIALIZED) { PR_fprintf(PR_STDOUT, PAD "User Pin: Initialized\n"); } else { PR_fprintf(PR_STDOUT, PAD "User Pin: NOT Initialized\n"); } } PR_fprintf(PR_STDOUT, "\n-----------------------------------------------------------\n"); loser: if (module) { SECMOD_DestroyModule(module); } return rv; }
/************************************************************************* * * S e t D e f a u l t M o d u l e * */ Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms) { SECMODModule *module = NULL; PK11SlotInfo *slot; int s, i; unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings, numMechanismStrings); PRBool found = PR_FALSE; Error errcode = UNSPECIFIED_ERR; if (pk11_DefaultArray == NULL) { pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); if (pk11_DefaultArray == NULL) { /* should assert. This shouldn't happen */ goto loser; } } mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); module = SECMOD_FindModule(moduleName); if(!module) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName); errcode = NO_SUCH_MODULE_ERR; goto loser; } /* Go through each slot */ for(s=0; s < module->slotCount; s++) { slot = module->slots[s]; if ((slotName != NULL) && !((strcmp(PK11_GetSlotName(slot),slotName) == 0) || (strcmp(PK11_GetTokenName(slot),slotName) == 0)) ) { /* we are only interested in changing the one slot */ continue; } found = PR_TRUE; /* Go through each mechanism */ for(i=0; i < pk11_DefaultArraySize; i++) { if(pk11_DefaultArray[i].flag & mechFlags) { /* Enable this default mechanism */ PK11_UpdateSlotAttribute(slot, &(pk11_DefaultArray[i]), PR_TRUE); } } } if (slotName && !found) { PR_fprintf(PR_STDERR, errStrings[NO_SUCH_SLOT_ERR], slotName); errcode = NO_SUCH_SLOT_ERR; goto loser; } /* Delete and re-add module to save changes */ if( SECMOD_UpdateModule(module) != SECSuccess ) { PR_fprintf(PR_STDERR, errStrings[DEFAULT_FAILED_ERR], moduleName); errcode = DEFAULT_FAILED_ERR; goto loser; } PR_fprintf(PR_STDOUT, msgStrings[DEFAULT_SUCCESS_MSG]); errcode = SUCCESS; loser: if (module) { SECMOD_DestroyModule(module); } return errcode; }