/*
* we can initialize the password if 1) The toke is not inited
* (need login == true and see need UserInit) or 2) the token has
* a NULL password. (slot->needLogin = false & need user Init = false).
*/
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
{
if (slot->needLogin && PK11_NeedUserInit(slot)) {
return PR_TRUE;
}
if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
return PR_TRUE;
}
return PR_FALSE;
}
/************************************************************************
*
* I n i t P W
*/
Error
InitPW(void)
{
PK11SlotInfo *slot;
Error ret = UNSPECIFIED_ERR;
slot = PK11_GetInternalKeySlot();
if (!slot) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal");
return NO_SUCH_TOKEN_ERR;
}
/* Set the initial password to empty */
if (PK11_NeedUserInit(slot)) {
if (PK11_InitPin(slot, NULL, "") != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]);
ret = INITPW_FAILED_ERR;
goto loser;
}
}
ret = SUCCESS;
loser:
PK11_FreeSlot(slot);
return ret;
}
NS_IMETHODIMP
nsPK11Token::GetNeedsUserInit(bool* aNeedsUserInit)
{
NS_ENSURE_ARG_POINTER(aNeedsUserInit);
*aNeedsUserInit = PK11_NeedUserInit(mSlot.get());
return NS_OK;
}
nsresult
KeyService::Init()
{
// Bring up psm
nsCOMPtr<nsISupports> nss = do_GetService("@mozilla.org/psm;1");
SECStatus sv;
mSlot = PK11_GetInternalKeySlot();
if (PK11_NeedUserInit(mSlot)) {
NS_ConvertUTF8toUTF16 tokenName(PK11_GetTokenName(mSlot));
nsCOMPtr<nsITokenPasswordDialogs> dialogs;
dialogs = do_GetService(NS_TOKENPASSWORDSDIALOG_CONTRACTID);
if (!dialogs)
return NS_ERROR_FAILURE;
PRBool cancelled;
nsresult rv = dialogs->SetPassword(nsnull, tokenName.get(), &cancelled);
NS_ENSURE_SUCCESS(rv, rv);
if (cancelled)
return NS_ERROR_FAILURE;
}
if (PK11_NeedLogin(mSlot)) {
sv = PK11_Authenticate(mSlot, PR_TRUE, NULL);
if (sv != SECSuccess)
return NS_ERROR_FAILURE;
}
return NS_OK;
}
/**
* xmlSecNssGetInternalKeySlot:
*
* Gets internal NSS key slot.
*
* Returns: internal key slot and initializes it if needed.
*/
PK11SlotInfo *
xmlSecNssGetInternalKeySlot()
{
PK11SlotInfo *slot = NULL;
SECStatus rv;
slot = PK11_GetInternalKeySlot();
if (slot == NULL) {
xmlSecNssError("PK11_GetInternalKeySlot", NULL);
return NULL;
}
if (PK11_NeedUserInit(slot)) {
rv = PK11_InitPin(slot, NULL, NULL);
if (rv != SECSuccess) {
xmlSecNssError("PK11_InitPin", NULL);
return NULL;
}
}
if(PK11_IsLoggedIn(slot, NULL) != PR_TRUE) {
rv = PK11_Authenticate(slot, PR_TRUE, NULL);
if (rv != SECSuccess) {
xmlSecNssError2("PK11_Authenticate", NULL,
"token=%s", xmlSecErrorsSafeString(PK11_GetTokenName(slot)));
return NULL;
}
}
return(slot);
}
NS_IMETHODIMP nsPK11Token::GetNeedsUserInit(bool *aNeedsUserInit)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
*aNeedsUserInit = PK11_NeedUserInit(mSlot);
return NS_OK;
}
NS_IMETHODIMP
nsPK11Token::GetHasPassword(bool* hasPassword)
{
NS_ENSURE_ARG_POINTER(hasPassword);
// PK11_NeedLogin returns true if the token is currently configured to require
// the user to log in (whether or not the user is actually logged in makes no
// difference).
*hasPassword = PK11_NeedLogin(mSlot.get()) && !PK11_NeedUserInit(mSlot.get());
return NS_OK;
}
static SECStatus nss_Init_Tokens(struct connectdata * conn)
{
PK11SlotList *slotList;
PK11SlotListElement *listEntry;
SECStatus ret, status = SECSuccess;
pphrase_arg_t *parg = NULL;
parg = (pphrase_arg_t *) malloc(sizeof(*parg));
parg->retryCount = 0;
parg->data = conn->data;
PK11_SetPasswordFunc(nss_get_password);
slotList =
PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL);
for(listEntry = PK11_GetFirstSafe(slotList);
listEntry; listEntry = listEntry->next) {
PK11SlotInfo *slot = listEntry->slot;
if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
if(slot == PK11_GetInternalKeySlot()) {
failf(conn->data, "The NSS database has not been initialized.\n");
}
else {
failf(conn->data, "The token %s has not been initialized.",
PK11_GetTokenName(slot));
}
PK11_FreeSlot(slot);
continue;
}
ret = PK11_Authenticate(slot, PR_TRUE, parg);
if(SECSuccess != ret) {
if (PR_GetError() == SEC_ERROR_BAD_PASSWORD)
infof(conn->data, "The password for token '%s' is incorrect\n",
PK11_GetTokenName(slot));
status = SECFailure;
break;
}
parg->retryCount = 0; /* reset counter to 0 for the next token */
PK11_FreeSlot(slot);
}
free(parg);
return status;
}
NS_IMETHODIMP
nsPK11Token::InitPassword(const nsACString& initialPassword)
{
const nsCString& passwordCStr = PromiseFlatCString(initialPassword);
// PSM initializes the sqlite-backed softoken with an empty password. The
// implementation considers this not to be a password (GetHasPassword returns
// false), but we can't actually call PK11_InitPin again. Instead, we call
// PK11_ChangePW with the empty password.
bool hasPassword;
nsresult rv = GetHasPassword(&hasPassword);
if (NS_FAILED(rv)) {
return rv;
}
if (!PK11_NeedUserInit(mSlot.get()) && !hasPassword) {
return MapSECStatus(PK11_ChangePW(mSlot.get(), "", passwordCStr.get()));
}
return MapSECStatus(PK11_InitPin(mSlot.get(), "", passwordCStr.get()));
}
SECStatus
InitPKCS11(void)
{
PK11SlotInfo *keySlot;
PK11_SetPasswordFunc(SECU_GetModulePassword);
keySlot = PK11_GetInternalKeySlot();
if (PK11_NeedUserInit(keySlot) && PK11_NeedLogin(keySlot)) {
if (SECU_ChangePW(keySlot, NULL, NULL) != SECSuccess) {
printf ("Initializing the PINs failed.\n");
return SECFailure;
}
}
PK11_FreeSlot(keySlot);
return SECSuccess;
}
static SECStatus nss_Init_Tokens(struct connectdata * conn)
{
PK11SlotList *slotList;
PK11SlotListElement *listEntry;
SECStatus ret, status = SECSuccess;
PK11_SetPasswordFunc(nss_get_password);
slotList =
PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL);
for(listEntry = PK11_GetFirstSafe(slotList);
listEntry; listEntry = listEntry->next) {
PK11SlotInfo *slot = listEntry->slot;
if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
if(slot == PK11_GetInternalKeySlot()) {
failf(conn->data, "The NSS database has not been initialized");
}
else {
failf(conn->data, "The token %s has not been initialized",
PK11_GetTokenName(slot));
}
PK11_FreeSlot(slot);
continue;
}
ret = PK11_Authenticate(slot, PR_TRUE,
conn->data->set.str[STRING_KEY_PASSWD]);
if(SECSuccess != ret) {
if(PR_GetError() == SEC_ERROR_BAD_PASSWORD)
infof(conn->data, "The password for token '%s' is incorrect\n",
PK11_GetTokenName(slot));
status = SECFailure;
break;
}
PK11_FreeSlot(slot);
}
return status;
}
NS_IMETHODIMP
nsPKCS11Slot::GetStatus(uint32_t *_retval)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
if (PK11_IsDisabled(mSlot))
*_retval = SLOT_DISABLED;
else if (!PK11_IsPresent(mSlot))
*_retval = SLOT_NOT_PRESENT;
else if (PK11_NeedLogin(mSlot) && PK11_NeedUserInit(mSlot))
*_retval = SLOT_UNINITIALIZED;
else if (PK11_NeedLogin(mSlot) && !PK11_IsLoggedIn(mSlot, nullptr))
*_retval = SLOT_NOT_LOGGED_IN;
else if (PK11_NeedLogin(mSlot))
*_retval = SLOT_LOGGED_IN;
else
*_retval = SLOT_READY;
return NS_OK;
}
nsresult
LocalCertService::LoginToKeySlot()
{
nsresult rv;
// Get access to key slot
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
// If no user password yet, set it an empty one
if (PK11_NeedUserInit(slot.get())) {
rv = MapSECStatus(PK11_InitPin(slot.get(), "", ""));
if (NS_FAILED(rv)) {
return rv;
}
}
// If user has a password set, prompt to login
if (PK11_NeedLogin(slot.get()) && !PK11_IsLoggedIn(slot.get(), nullptr)) {
// Switching to XPCOM to get the UI prompt that PSM owns
nsCOMPtr<nsIPK11TokenDB> tokenDB =
do_GetService(NS_PK11TOKENDB_CONTRACTID);
if (!tokenDB) {
return NS_ERROR_FAILURE;
}
nsCOMPtr<nsIPK11Token> keyToken;
tokenDB->GetInternalKeyToken(getter_AddRefs(keyToken));
if (!keyToken) {
return NS_ERROR_FAILURE;
}
// Prompt the user to login
return keyToken->Login(false /* force */);
}
return NS_OK;
}
nsresult
nsNSSCertificate::MarkForPermDeletion()
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
// make sure user is logged in to the token
nsCOMPtr<nsIInterfaceRequestor> ctx = new PipUIContext();
if (PK11_NeedLogin(mCert->slot)
&& !PK11_NeedUserInit(mCert->slot)
&& !PK11_IsInternal(mCert->slot))
{
if (SECSuccess != PK11_Authenticate(mCert->slot, true, ctx))
{
return NS_ERROR_FAILURE;
}
}
mPermDelete = true;
return NS_OK;
}
NS_IMETHODIMP
LocalCertService::GetLoginPromptRequired(bool* aRequired)
{
nsresult rv;
// Get access to key slot
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
// If no user password yet, set it an empty one
if (PK11_NeedUserInit(slot.get())) {
rv = MapSECStatus(PK11_InitPin(slot.get(), "", ""));
if (NS_FAILED(rv)) {
return rv;
}
}
*aRequired = PK11_NeedLogin(slot.get()) &&
!PK11_IsLoggedIn(slot.get(), nullptr);
return NS_OK;
}
bool nss_change_password(PK11SlotInfo* slot, const char* oldpass, const char* newpass) {
SECStatus rv;
const char *oldpw = NULL, *newpw = NULL;
oldpw = oldpass; newpw = newpass;
if (PK11_NeedUserInit(slot)) {
rv = PK11_InitPin(slot, (char*)NULL, (char*)newpw);
return true;
}
if (PK11_CheckUserPassword(slot, (char*)oldpw) != SECSuccess) {
std::cerr<<"Invalid password to nss db"<<std::endl;
return false;
}
if (PK11_ChangePW(slot, (char*)oldpw, (char*)newpw) != SECSuccess) {
std::cerr<<"Failed to change password of nss db"<<std::endl;
return false;
}
std::cout<<"Succeeded to change password"<<std::endl;
return true;
}
SECStatus
AddKeyFromFile(const char* basePath, const char* filename)
{
const char* PRIVATE_KEY_HEADER = "-----BEGIN PRIVATE KEY-----";
const char* PRIVATE_KEY_FOOTER = "-----END PRIVATE KEY-----";
char buf[16384] = { 0 };
SECStatus rv = ReadFileToBuffer(basePath, filename, buf);
if (rv != SECSuccess) {
return rv;
}
if (strncmp(buf, PRIVATE_KEY_HEADER, strlen(PRIVATE_KEY_HEADER)) != 0) {
PR_fprintf(PR_STDERR, "invalid key - not importing\n");
return SECFailure;
}
const char* bufPtr = buf + strlen(PRIVATE_KEY_HEADER);
size_t bufLen = strlen(buf);
char base64[16384] = { 0 };
char* base64Ptr = base64;
while (bufPtr < buf + bufLen) {
if (strncmp(bufPtr, PRIVATE_KEY_FOOTER, strlen(PRIVATE_KEY_FOOTER)) == 0) {
break;
}
if (*bufPtr != '\r' && *bufPtr != '\n') {
*base64Ptr = *bufPtr;
base64Ptr++;
}
bufPtr++;
}
unsigned int binLength;
UniquePORTString bin(
reinterpret_cast<char*>(ATOB_AsciiToData(base64, &binLength)));
if (!bin || binLength == 0) {
PrintPRError("ATOB_AsciiToData failed");
return SECFailure;
}
ScopedSECItem secitem(::SECITEM_AllocItem(nullptr, nullptr, binLength));
if (!secitem) {
PrintPRError("SECITEM_AllocItem failed");
return SECFailure;
}
PORT_Memcpy(secitem->data, bin.get(), binLength);
ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
PrintPRError("PK11_GetInternalKeySlot failed");
return SECFailure;
}
if (PK11_NeedUserInit(slot)) {
if (PK11_InitPin(slot, nullptr, nullptr) != SECSuccess) {
PrintPRError("PK11_InitPin failed");
return SECFailure;
}
}
SECKEYPrivateKey* privateKey;
if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, secitem, nullptr, nullptr,
true, false, KU_ALL,
&privateKey, nullptr)
!= SECSuccess) {
PrintPRError("PK11_ImportDERPrivateKeyInfoAndReturnKey failed");
return SECFailure;
}
SECKEY_DestroyPrivateKey(privateKey);
return SECSuccess;
}
/*
* authenticate to a slot. This loops until we can't recover, the user
* gives up, or we succeed. If we're already logged in and this function
* is called we will still prompt for a password, but we will probably
* succeed no matter what the password was (depending on the implementation
* of the PKCS 11 module.
*/
SECStatus
PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
{
SECStatus rv = SECFailure;
char * password;
PRBool attempt = PR_FALSE;
if (PK11_NeedUserInit(slot)) {
PORT_SetError(SEC_ERROR_IO);
return SECFailure;
}
/*
* Central server type applications which control access to multiple
* slave applications to single crypto devices need to virtuallize the
* login state. This is done by a callback out of PK11_IsLoggedIn and
* here. If we are actually logged in, then we got here because the
* higher level code told us that the particular client application may
* still need to be logged in. If that is the case, we simply tell the
* server code that it should now verify the clients password and tell us
* the results.
*/
if (PK11_IsLoggedIn(slot,NULL) &&
(PK11_Global.verifyPass != NULL)) {
if (!PK11_Global.verifyPass(slot,wincx)) {
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
return SECFailure;
}
return SECSuccess;
}
/* get the password. This can drop out of the while loop
* for the following reasons:
* (1) the user refused to enter a password.
* (return error to caller)
* (2) the token user password is disabled [usually due to
* too many failed authentication attempts].
* (return error to caller)
* (3) the password was successful.
*/
while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
/* if the token has a protectedAuthPath, the application may have
* already issued the C_Login as part of it's pk11_GetPassword call.
* In this case the application will tell us what the results were in
* the password value (retry or the authentication was successful) so
* we can skip our own C_Login call (which would force the token to
* try to login again).
*
* Applications that don't know about protectedAuthPath will return a
* password, which we will ignore and trigger the token to
* 'authenticate' itself anyway. Hopefully the blinking display on
* the reader, or the flashing light under the thumbprint reader will
* attract the user's attention */
attempt = PR_TRUE;
if (slot->protectedAuthPath) {
/* application tried to authenticate and failed. it wants to try
* again, continue looping */
if (strcmp(password, PK11_PW_RETRY) == 0) {
rv = SECWouldBlock;
PORT_Free(password);
continue;
}
/* applicaton tried to authenticate and succeeded we're done */
if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) {
rv = SECSuccess;
PORT_Free(password);
break;
}
}
rv = pk11_CheckPassword(slot,password);
PORT_Memset(password, 0, PORT_Strlen(password));
PORT_Free(password);
if (rv != SECWouldBlock) break;
}
if (rv == SECSuccess) {
if (!PK11_IsFriendly(slot)) {
nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
slot->nssToken);
}
} else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
return rv;
}
/************************************************************************
*
* C h a n g e P W
*/
Error
ChangePW(char *tokenName, char *pwFile, char *newpwFile)
{
char *oldpw = NULL, *newpw = NULL, *newpw2 = NULL;
PK11SlotInfo *slot;
Error ret = UNSPECIFIED_ERR;
PRBool matching;
slot = PK11_FindSlotByName(tokenName);
if (!slot) {
PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], tokenName);
return NO_SUCH_TOKEN_ERR;
}
/* Get old password */
if (!PK11_NeedUserInit(slot)) {
if (pwFile) {
oldpw = SECU_FilePasswd(NULL, PR_FALSE, pwFile);
if (PK11_CheckUserPassword(slot, oldpw) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[BAD_PW_ERR]);
ret = BAD_PW_ERR;
goto loser;
}
} else if (PK11_NeedLogin(slot)) {
for (matching = PR_FALSE; !matching;) {
oldpw = SECU_GetPasswordString(NULL, "Enter old password: "******"Enter new password: "******"Re-enter new password: ");
if (strcmp(newpw, newpw2)) {
PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]);
PORT_ZFree(newpw, strlen(newpw));
PORT_ZFree(newpw2, strlen(newpw2));
} else {
matching = PR_TRUE;
}
}
}
/* Change the password */
if (PK11_NeedUserInit(slot)) {
if (PK11_InitPin(slot, NULL /*ssopw*/, newpw) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
ret = CHANGEPW_FAILED_ERR;
goto loser;
}
} else {
if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
ret = CHANGEPW_FAILED_ERR;
goto loser;
}
}
PR_fprintf(PR_STDOUT, msgStrings[CHANGEPW_SUCCESS_MSG], tokenName);
ret = SUCCESS;
loser:
if (oldpw) {
PORT_ZFree(oldpw, strlen(oldpw));
}
if (newpw) {
PORT_ZFree(newpw, strlen(newpw));
}
if (newpw2) {
PORT_ZFree(newpw2, strlen(newpw2));
}
PK11_FreeSlot(slot);
return ret;
}
int
main (int argc, char **argv)
{
int retval = 0; /* 0 - test succeeded. -1 - test failed */
SECStatus rv;
PLOptState *optstate;
PLOptStatus optstatus;
char *program_name;
const char *input_file = NULL; /* read encrypted data from here (or create) */
const char *output_file = NULL; /* write new encrypted data here */
const char *value = default_value; /* Use this for plaintext */
SECItem data;
SECItem result = {0, 0, 0};
SECItem text;
PRBool ascii = PR_FALSE;
secuPWData pwdata = { PW_NONE, 0 };
pr_stderr = PR_STDERR;
result.data = 0;
text.data = 0; text.len = 0;
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
optstate = PL_CreateOptState (argc, argv, "?Had:i:o:t:vf:p:");
if (optstate == NULL) {
SECU_PrintError (program_name, "PL_CreateOptState failed");
return -1;
}
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
short_usage (program_name);
return retval;
case 'H':
long_usage (program_name);
return retval;
case 'a':
ascii = PR_TRUE;
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
input_file = optstate->value;
break;
case 'o':
output_file = optstate->value;
break;
case 't':
value = optstate->value;
break;
case 'f':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'p':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'v':
verbose = PR_TRUE;
break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD) {
short_usage (program_name);
return -1;
}
if (!output_file && !input_file && value == default_value) {
short_usage (program_name);
PR_fprintf (pr_stderr, "Must specify at least one of -t, -i or -o \n");
return -1;
}
/*
* Initialize the Security libraries.
*/
PK11_SetPasswordFunc(SECU_GetModulePassword);
if (output_file) {
rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
} else {
rv = NSS_Init(SECU_ConfigDirectory(NULL));
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "NSS_Init failed");
retval = -1;
goto prdone;
}
/* Convert value into an item */
data.data = (unsigned char *)value;
data.len = strlen(value);
/* Get the encrypted result, either from the input file
* or from encrypting the plaintext value
*/
if (input_file)
{
if (verbose) printf("Reading data from %s\n", input_file);
if (!strcmp(input_file, "-")) {
retval = readStdin(&result);
ascii = PR_TRUE;
} else {
retval = readInputFile(input_file, &result);
}
if (retval != 0)
goto loser;
if (ascii) {
/* input was base64 encoded. Decode it. */
SECItem newResult = {0, 0, 0};
SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult,
(const char *)result.data, result.len);
if (!ok) {
SECU_PrintError(program_name, "Base 64 decode failed");
retval = -1;
goto loser;
}
SECITEM_ZfreeItem(&result, PR_FALSE);
result = *ok;
}
}
else
{
SECItem keyid = { 0, 0, 0 };
SECItem outBuf = { 0, 0, 0 };
PK11SlotInfo *slot = NULL;
/* sigh, initialize the key database */
slot = PK11_GetInternalKeySlot();
if (slot && PK11_NeedUserInit(slot)) {
switch (pwdata.source) {
case PW_FROMFILE:
rv = SECU_ChangePW(slot, 0, pwdata.data);
break;
case PW_PLAINTEXT:
rv = SECU_ChangePW(slot, pwdata.data, 0);
break;
default:
rv = SECU_ChangePW(slot, "", 0);
break;
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "Failed to initialize slot \"%s\"",
PK11_GetSlotName(slot));
return SECFailure;
}
}
if (slot) {
PK11_FreeSlot(slot);
}
rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata);
if (rv != SECSuccess) {
if (verbose)
SECU_PrintError(program_name, "Encrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Encrypted result is %d bytes long\n", result.len);
if (!strcmp(output_file, "-")) {
ascii = PR_TRUE;
}
if (ascii) {
/* base64 encode output. */
char * newResult = NSSBase64_EncodeItem(NULL, NULL, 0, &result);
if (!newResult) {
SECU_PrintError(program_name, "Base 64 encode failed\n");
retval = -1;
goto loser;
}
outBuf.data = (unsigned char *)newResult;
outBuf.len = strlen(newResult);
if (verbose)
printf("Base 64 encoded result is %d bytes long\n", outBuf.len);
} else {
outBuf = result;
}
/* -v printf("Result is %.*s\n", text.len, text.data); */
if (output_file) {
PRFileDesc *file;
PRInt32 count;
if (verbose) printf("Writing result to %s\n", output_file);
if (!strcmp(output_file, "-")) {
file = PR_STDOUT;
} else {
/* Write to file */
file = PR_Open(output_file, PR_CREATE_FILE|PR_WRONLY, 0666);
}
if (!file) {
if (verbose)
SECU_PrintError(program_name,
"Open of output file %s failed\n",
output_file);
retval = -1;
goto loser;
}
count = PR_Write(file, outBuf.data, outBuf.len);
if (file == PR_STDOUT) {
puts("");
} else {
PR_Close(file);
}
if (count != outBuf.len) {
if (verbose) SECU_PrintError(program_name, "Write failed\n");
retval = -1;
goto loser;
}
if (ascii) {
free(outBuf.data);
}
}
}
/* Decrypt the value */
rv = PK11SDR_Decrypt(&result, &text, &pwdata);
if (rv != SECSuccess) {
if (verbose) SECU_PrintError(program_name, "Decrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Decrypted result is \"%.*s\"\n", text.len, text.data);
/* Compare to required value */
if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0)
{
if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n");
retval = -1;
goto loser;
}
loser:
if (text.data) SECITEM_ZfreeItem(&text, PR_FALSE);
if (result.data) SECITEM_ZfreeItem(&result, PR_FALSE);
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
prdone:
PR_Cleanup ();
if (pwdata.data) {
PORT_Free(pwdata.data);
}
return retval;
}
