static enum okay
nss_init(void)
{
static int initialized;
char *cp;
verbose = value("verbose") != NULL;
if (initialized == 0) {
if ((cp = value("nss-config-dir")) == NULL) {
fputs("Missing \"nss-config-dir\" variable.\n", stderr);
return STOP;
}
cp = expand(cp);
PR_Init(0, 0, 0);
PK11_SetPasswordFunc(password_cb);
if (NSS_Init(cp) == SECSuccess) {
NSS_SetDomesticPolicy();
initialized = 1;
return OKAY;
}
nss_gen_err("Error initializing NSS");
return STOP;
}
return OKAY;
}
int crypto_init(cert_policy *policy) {
SECStatus rv;
DBG("Initializing NSS ...");
if (NSS_IsInitialized()) {
app_has_NSS = 1;
/* we should save the app's password function */
PK11_SetPasswordFunc(password_passthrough);
DBG("... NSS is initialized");
return 0;
}
if (policy->nss_dir) {
/* initialize with read only databases */
DBG1("Initializing NSS ... database=%s", policy->nss_dir);
rv = NSS_Init(policy->nss_dir);
} else {
/* not database secified */
DBG("Initializing NSS ... with no db");
rv = NSS_NoDB_Init(NULL);
}
if (rv != SECSuccess) {
DBG1("NSS_Initialize failed: %s", SECU_Strerror(PR_GetError()));
return -1;
}
/* register a callback */
PK11_SetPasswordFunc(password_passthrough);
if (policy->ocsp_policy == OCSP_ON) {
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
}
DBG("... NSS Complete");
return 0;
}
void initNSS(const SslOptions& options, bool server)
{
SslOptions::global = options;
if (options.certPasswordFile.empty()) {
PK11_SetPasswordFunc(promptForPassword);
} else {
PK11_SetPasswordFunc(readPasswordFromFile);
}
NSS_CHECK(NSS_Init(options.certDbPath.c_str()));
if (options.exportPolicy) {
NSS_CHECK(NSS_SetExportPolicy());
} else {
NSS_CHECK(NSS_SetDomesticPolicy());
}
if (server) {
//use defaults for all args, TODO: may want to make this configurable
SSL_ConfigServerSessionIDCache(0, 0, 0, 0);
}
// disable SSLv2 and SSLv3 versions of the protocol - they are
// no longer considered secure
SSLVersionRange drange, srange; // default and supported ranges
const uint16_t tlsv1 = 0x0301; // Protocol version for TLSv1.0
NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &drange));
NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &srange));
if (drange.min < tlsv1) {
drange.min = tlsv1;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
if (srange.max > drange.max) {
drange.max = srange.max;
NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &drange));
}
}
static
int runCmd(mainTestFn fnPointer,
int argc,
char **argv,
char *dbPath)
{
int retStat = 0;
/* Initialize NSPR and NSS. */
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
/* if using databases, use NSS_Init and not NSS_NoDB_Init */
if (dbPath && PORT_Strlen(dbPath) != 0) {
if (NSS_Init(dbPath) != SECSuccess)
return SECFailure;
} else {
if (NSS_NoDB_Init(NULL) != 0)
return SECFailure;
}
retStat = fnPointer(argc, argv);
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
PR_Cleanup();
return retStat;
}
int
main(int argc, char **argv)
{
char * progName = NULL;
SECStatus secStatus;
PLOptState *optstate;
PLOptStatus status;
/* Call the NSPR initialization routines */
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
progName = PL_strdup(argv[0]);
hostName = NULL;
optstate = PL_CreateOptState(argc, argv, "d:h:i:o:p:t:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK)
{
switch(optstate->option)
{
case 'd' : certDir = PL_strdup(optstate->value); break;
case 'h' : hostName = PL_strdup(optstate->value); break;
case 'i' : infileName = PL_strdup(optstate->value); break;
case 'o' : outfileName = PL_strdup(optstate->value); break;
case 'p' : port = PORT_Atoi(optstate->value); break;
case 't' : trustNewServer_p = PL_strdup(optstate->value); break;
case '?' :
default : Usage(progName);
}
}
if (port == 0 || hostName == NULL || infileName == NULL || outfileName == NULL || certDir == NULL)
Usage(progName);
#if 0 /* no client authentication */
/* Set our password function callback. */
PK11_SetPasswordFunc(myPasswd);
#endif
/* Initialize the NSS libraries. */
secStatus = NSS_InitReadWrite(certDir);
if (secStatus != SECSuccess)
{
/* Try it again, readonly. */
secStatus = NSS_Init(certDir);
if (secStatus != SECSuccess)
exitErr("Error initializing NSS", GENERAL_ERROR);
}
/* All cipher suites except RSA_NULL_MD5 are enabled by Domestic Policy. */
NSS_SetDomesticPolicy();
client_main(port);
NSS_Shutdown();
PR_Cleanup();
return 0;
}
static int/*bool*/
nss_cmd_nss_config_dir(NSS_CTX *ctx, const char *s) {
int ret = 0;
SECStatus rv;
CALL_TRACE("nss_cmd_nss_config_dir...\n");
if (ctx == NULL) {
NSSerr(NSS_F_CMD_CONFIG_DIR, NSS_R_INVALID_ARGUMENT);
goto done;
}
if (s == NULL) {
NSSerr(NSS_F_CMD_CONFIG_DIR, NSS_R_INVALID_ARGUMENT);
goto done;
}
nss_trace(ctx, "nss_cmd_nss_config_dir('%s')\n", s);
if (ctx->config_dir != NULL) {
#if 0 /*TODO: once set we may not change until restart of engine*/
OPENSSL_free(nss_config_dir);
nss_config_dir = NULL;
#endif
NSSerr(NSS_F_CMD_CONFIG_DIR, NSS_R_CONFIG_DIR_IS_SET);
goto done;
}
ctx->config_dir = BUF_strdup(s);
if (ctx->config_dir == NULL) {
NSSerr(NSS_F_CMD_CONFIG_DIR, NSS_R_INSUFFICIENT_MEMORY);
goto done;
}
rv = NSS_Init(ctx->config_dir);
if (rv != SECSuccess) {
NSSerr(NSS_F_CMD_CONFIG_DIR, NSS_R_CANNOT_SETUP_CONFIG_DIR);
goto done;
}
#if 0
# SSL_OptionSetDefault. Changes default values for all subsequently opened sockets as long as the application is running (compare with SSL_SetURL which only configures the socket that is currently open). This function must be called once for each default value that needs to be changed. Optional.
# NSS_SetDomesticPolicy, NSS_SetExportPolicy, NSS_SetFrancePolicy, or SSL_CipherPolicySet. These functions tell the library which cipher suites are permitted by policy (for example, to comply with export restrictions). Cipher suites disabled by policy cannot be enabled by user preference. One of these functions must be called before any cryptographic operations can be performed with NSS.
# SSL_CipherPrefSetDefault. Enables all ciphers chosen by user preference. Optional.
#endif
ret = 1;
done:
return(ret);
}
SECStatus
InitializeNSS(const char* nssCertDBDir)
{
// Try initializing an existing DB.
if (NSS_Init(nssCertDBDir) == SECSuccess) {
return SECSuccess;
}
// Create a new DB if there is none...
SECStatus rv = NSS_Initialize(nssCertDBDir, nullptr, nullptr, nullptr, 0);
if (rv != SECSuccess) {
return rv;
}
// ...and load all certificates into it.
return LoadCertificatesAndKeys(nssCertDBDir);
}
void * tls_init(const struct tls_config *conf) {
char *dir;
tls_nss_ref_count++;
if (tls_nss_ref_count > 1)
return (void *) 1;
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
nss_layer_id = PR_GetUniqueIdentity("wpa_supplicant");
PK11_SetPasswordFunc(nss_password_cb);
dir = getenv("SSL_DIR");
if (dir) {
if (NSS_Init(dir) != SECSuccess) {
wpa_printf(MSG_ERROR, "NSS: NSS_Init(cert_dir=%s) "
"failed", dir);
return NULL;
}
} else {
if (NSS_NoDB_Init(NULL) != SECSuccess) {
wpa_printf(MSG_ERROR, "NSS: NSS_NoDB_Init(NULL) "
"failed");
return NULL;
}
}
if (SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, PR_FALSE) !=
SECSuccess ||
SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_FALSE) != SECSuccess ||
SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess ||
SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE) != SECSuccess) {
wpa_printf(MSG_ERROR, "NSS: SSL_OptionSetDefault failed");
return NULL;
}
if (NSS_SetDomesticPolicy() != SECSuccess) {
wpa_printf(MSG_ERROR, "NSS: NSS_SetDomesticPolicy() failed");
return NULL;
}
return (void *) 1;
}
int
main(int argc, char **argv)
{
char *progName;
FILE *inFile, *outFile;
char *certName;
CERTCertDBHandle *certHandle;
struct recipient *recipients, *rcpt;
PLOptState *optstate;
PLOptStatus status;
SECStatus rv;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
inFile = NULL;
outFile = NULL;
certName = NULL;
recipients = NULL;
rcpt = NULL;
/*
* Parse command line arguments
* XXX This needs to be enhanced to allow selection of algorithms
* and key sizes (or to look up algorithms and key sizes for each
* recipient in the magic database).
*/
optstate = PL_CreateOptState(argc, argv, "d:i:o:r:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
Usage(progName);
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
inFile = fopen(optstate->value, "r");
if (!inFile) {
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
return -1;
}
break;
case 'o':
outFile = fopen(optstate->value, "wb");
if (!outFile) {
fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
progName, optstate->value);
return -1;
}
break;
case 'r':
if (rcpt == NULL) {
recipients = rcpt = PORT_Alloc (sizeof(struct recipient));
} else {
rcpt->next = PORT_Alloc (sizeof(struct recipient));
rcpt = rcpt->next;
}
if (rcpt == NULL) {
fprintf(stderr, "%s: unable to allocate recipient struct\n",
progName);
return -1;
}
rcpt->nickname = strdup(optstate->value);
rcpt->cert = NULL;
rcpt->next = NULL;
break;
}
}
if (!recipients) Usage(progName);
if (!inFile) inFile = stdin;
if (!outFile) outFile = stdout;
/* Call the NSS initialization routines */
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
rv = NSS_Init(SECU_ConfigDirectory(NULL));
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
return -1;
}
/* open cert database */
certHandle = CERT_GetDefaultCertDB();
if (certHandle == NULL) {
return -1;
}
/* find certs */
for (rcpt = recipients; rcpt != NULL; rcpt = rcpt->next) {
rcpt->cert = CERT_FindCertByNickname(certHandle, rcpt->nickname);
if (rcpt->cert == NULL) {
SECU_PrintError(progName,
"the cert for name \"%s\" not found in database",
rcpt->nickname);
return -1;
}
}
if (EncryptFile(outFile, inFile, recipients, progName)) {
SECU_PrintError(progName, "problem encrypting data");
return -1;
}
return 0;
}
int
StartServer(const char *nssCertDBDir, SSLSNISocketConfig sniSocketConfig,
void *sniSocketConfigArg)
{
const char *debugLevel = PR_GetEnv("MOZ_TLS_SERVER_DEBUG_LEVEL");
if (debugLevel) {
int level = atoi(debugLevel);
switch (level) {
case DEBUG_ERRORS: gDebugLevel = DEBUG_ERRORS; break;
case DEBUG_WARNINGS: gDebugLevel = DEBUG_WARNINGS; break;
case DEBUG_VERBOSE: gDebugLevel = DEBUG_VERBOSE; break;
default:
PrintPRError("invalid MOZ_TLS_SERVER_DEBUG_LEVEL");
return 1;
}
}
const char *callbackPort = PR_GetEnv("MOZ_TLS_SERVER_CALLBACK_PORT");
if (callbackPort) {
gCallbackPort = atoi(callbackPort);
}
if (NSS_Init(nssCertDBDir) != SECSuccess) {
PrintPRError("NSS_Init failed");
return 1;
}
if (NSS_SetDomesticPolicy() != SECSuccess) {
PrintPRError("NSS_SetDomesticPolicy failed");
return 1;
}
if (SSL_ConfigServerSessionIDCache(0, 0, 0, nullptr) != SECSuccess) {
PrintPRError("SSL_ConfigServerSessionIDCache failed");
return 1;
}
ScopedPRFileDesc serverSocket(PR_NewTCPSocket());
if (!serverSocket) {
PrintPRError("PR_NewTCPSocket failed");
return 1;
}
PRSocketOptionData socketOption;
socketOption.option = PR_SockOpt_Reuseaddr;
socketOption.value.reuse_addr = true;
PR_SetSocketOption(serverSocket, &socketOption);
PRNetAddr serverAddr;
PR_InitializeNetAddr(PR_IpAddrLoopback, LISTEN_PORT, &serverAddr);
if (PR_Bind(serverSocket, &serverAddr) != PR_SUCCESS) {
PrintPRError("PR_Bind failed");
return 1;
}
if (PR_Listen(serverSocket, 1) != PR_SUCCESS) {
PrintPRError("PR_Listen failed");
return 1;
}
ScopedPRFileDesc rawModelSocket(PR_NewTCPSocket());
if (!rawModelSocket) {
PrintPRError("PR_NewTCPSocket failed for rawModelSocket");
return 1;
}
ScopedPRFileDesc modelSocket(SSL_ImportFD(nullptr, rawModelSocket.forget()));
if (!modelSocket) {
PrintPRError("SSL_ImportFD of rawModelSocket failed");
return 1;
}
if (SECSuccess != SSL_SNISocketConfigHook(modelSocket, sniSocketConfig,
sniSocketConfigArg)) {
PrintPRError("SSL_SNISocketConfigHook failed");
return 1;
}
// We have to configure the server with a certificate, but it's not one
// we're actually going to end up using. In the SNI callback, we pick
// the right certificate for the connection.
if (SECSuccess != ConfigSecureServerWithNamedCert(modelSocket,
DEFAULT_CERT_NICKNAME,
nullptr, nullptr)) {
return 1;
}
if (gCallbackPort != 0) {
if (DoCallback()) {
return 1;
}
}
while (true) {
PRNetAddr clientAddr;
PRFileDesc *clientSocket = PR_Accept(serverSocket, &clientAddr,
PR_INTERVAL_NO_TIMEOUT);
HandleConnection(clientSocket, modelSocket);
}
return 0;
}
int
main(int argc, char **argv)
{
char * certDir = NULL;
char * progName = NULL;
int connections = 1;
char * cipherString = NULL;
char * respUrl = NULL;
char * respCertName = NULL;
SECStatus secStatus;
PLOptState * optstate;
PLOptStatus status;
PRBool doOcspCheck = PR_FALSE;
/* Call the NSPR initialization routines */
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
progName = PORT_Strdup(argv[0]);
hostName = NULL;
optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch(optstate->option) {
case 'C' : cipherString = PL_strdup(optstate->value); break;
case 'c' : dumpChain = PR_TRUE; break;
case 'd' : certDir = PL_strdup(optstate->value); break;
case 'l' : respUrl = PL_strdup(optstate->value); break;
case 'p' : port = PORT_Atoi(optstate->value); break;
case 'o' : doOcspCheck = PR_TRUE; break;
case 't' : respCertName = PL_strdup(optstate->value); break;
case 'w':
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'f':
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(optstate->value);
break;
case '\0': hostName = PL_strdup(optstate->value); break;
default : Usage(progName);
}
}
if (port == 0) {
port = 443;
}
if (port == 0 || hostName == NULL)
Usage(progName);
if (doOcspCheck &&
((respCertName != NULL && respUrl == NULL) ||
(respUrl != NULL && respCertName == NULL))) {
SECU_PrintError (progName, "options -l <url> and -t "
"<responder> must be used together");
Usage(progName);
}
PK11_SetPasswordFunc(SECU_GetModulePassword);
/* Initialize the NSS libraries. */
if (certDir) {
secStatus = NSS_Init(certDir);
} else {
secStatus = NSS_NoDB_Init(NULL);
/* load the builtins */
SECMOD_AddNewModule("Builtins",
DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
}
if (secStatus != SECSuccess) {
exitErr("NSS_Init");
}
SECU_RegisterDynamicOids();
if (doOcspCheck == PR_TRUE) {
SECStatus rv;
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
if (handle == NULL) {
SECU_PrintError (progName, "problem getting certdb handle");
goto cleanup;
}
rv = CERT_EnableOCSPChecking (handle);
if (rv != SECSuccess) {
SECU_PrintError (progName, "error enabling OCSP checking");
goto cleanup;
}
if (respUrl != NULL) {
rv = CERT_SetOCSPDefaultResponder (handle, respUrl,
respCertName);
if (rv != SECSuccess) {
SECU_PrintError (progName,
"error setting default responder");
goto cleanup;
}
rv = CERT_EnableOCSPDefaultResponder (handle);
if (rv != SECSuccess) {
SECU_PrintError (progName,
"error enabling default responder");
goto cleanup;
}
}
}
/* All cipher suites except RSA_NULL_MD5 are enabled by
* Domestic Policy. */
NSS_SetDomesticPolicy();
SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
/* all the SSL2 and SSL3 cipher suites are enabled by default. */
if (cipherString) {
int ndx;
/* disable all the ciphers, then enable the ones we want. */
disableAllSSLCiphers();
while (0 != (ndx = *cipherString++)) {
int cipher;
if (ndx == ':') {
int ctmp;
cipher = 0;
HEXCHAR_TO_INT(*cipherString, ctmp)
cipher |= (ctmp << 12);
cipherString++;
HEXCHAR_TO_INT(*cipherString, ctmp)
cipher |= (ctmp << 8);
cipherString++;
HEXCHAR_TO_INT(*cipherString, ctmp)
cipher |= (ctmp << 4);
cipherString++;
HEXCHAR_TO_INT(*cipherString, ctmp)
cipher |= ctmp;
cipherString++;
} else {
const int *cptr;
if (! isalpha(ndx))
Usage(progName);
cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
/* do nothing */;
}
if (cipher > 0) {
SSL_CipherPrefSetDefault(cipher, PR_TRUE);
} else {
Usage(progName);
}
}
}
client_main(port, connections, hostName);
cleanup:
if (doOcspCheck) {
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
CERT_DisableOCSPDefaultResponder(handle);
CERT_DisableOCSPChecking (handle);
}
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
PR_Cleanup();
PORT_Free(progName);
return 0;
}
VCardEmulError
vcard_emul_init(const VCardEmulOptions *options)
{
SECStatus rv;
PRBool ret, has_readers = PR_FALSE;
VReader *vreader;
VReaderEmul *vreader_emul;
SECMODListLock *module_lock;
SECMODModuleList *module_list;
SECMODModuleList *mlp;
int i;
if (vcard_emul_init_called) {
return VCARD_EMUL_INIT_ALREADY_INITED;
}
vcard_emul_init_called = 1;
vreader_init();
vevent_queue_init();
if (options == NULL) {
options = &default_options;
}
/* first initialize NSS */
if (options->nss_db) {
rv = NSS_Init(options->nss_db);
} else {
gchar *path;
#ifndef _WIN32
path = g_strdup("/etc/pki/nssdb");
#else
if (g_get_system_config_dirs() == NULL ||
g_get_system_config_dirs()[0] == NULL) {
return VCARD_EMUL_FAIL;
}
path = g_build_filename(
g_get_system_config_dirs()[0], "pki", "nssdb", NULL);
#endif
rv = NSS_Init(path);
g_free(path);
}
if (rv != SECSuccess) {
return VCARD_EMUL_FAIL;
}
/* Set password callback function */
PK11_SetPasswordFunc(vcard_emul_get_password);
/* set up soft cards emulated by software certs rather than physical cards
* */
for (i = 0; i < options->vreader_count; i++) {
int j;
int cert_count;
unsigned char **certs;
int *cert_len;
VCardKey **keys;
PK11SlotInfo *slot;
slot = PK11_FindSlotByName(options->vreader[i].name);
if (slot == NULL) {
continue;
}
vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type,
options->vreader[i].type_params);
vreader = vreader_new(options->vreader[i].vname, vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
cert_count = options->vreader[i].cert_count;
ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys,
options->vreader[i].cert_count);
if (ret == PR_FALSE) {
continue;
}
cert_count = 0;
for (j = 0; j < options->vreader[i].cert_count; j++) {
/* we should have a better way of identifying certs than by
* nickname here */
CERTCertificate *cert = PK11_FindCertFromNickname(
options->vreader[i].cert_name[j],
NULL);
if (cert == NULL) {
continue;
}
certs[cert_count] = cert->derCert.data;
cert_len[cert_count] = cert->derCert.len;
keys[cert_count] = vcard_emul_make_key(slot, cert);
/* this is safe because the key is still holding a cert reference */
CERT_DestroyCertificate(cert);
cert_count++;
}
if (cert_count) {
VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len,
keys, cert_count);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
/* allow insertion and removal of soft cards */
vreader_emul->saved_vcard = vcard_reference(vcard);
vcard_free(vcard);
vreader_free(vreader);
has_readers = PR_TRUE;
}
g_free(certs);
g_free(cert_len);
g_free(keys);
}
/* if we aren't suppose to use hw, skip looking up hardware tokens */
if (!options->use_hw) {
nss_emul_init = has_readers;
return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL;
}
/* make sure we have some PKCS #11 module loaded */
module_lock = SECMOD_GetDefaultModuleListLock();
module_list = SECMOD_GetDefaultModuleList();
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
if (module_has_removable_hw_slots(module)) {
break;
}
}
SECMOD_ReleaseReadLock(module_lock);
/* now examine all the slots, finding which should be readers */
/* We should control this with options. For now we mirror out any
* removable hardware slot */
default_card_type = options->hw_card_type;
default_type_params = g_strdup(options->hw_type_params);
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
/* Ignore the internal module */
if (module == NULL || module == SECMOD_GetInternalModule()) {
continue;
}
for (i = 0; i < module->slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
/* only map removable HW slots */
if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) {
continue;
}
if (strcmp("E-Gate 0 0", PK11_GetSlotName(slot)) == 0) {
/*
* coolkey <= 1.1.0-20 emulates this reader if it can't find
* any hardware readers. This causes problems, warn user of
* problems.
*/
fprintf(stderr, "known bad coolkey version - see "
"https://bugzilla.redhat.com/show_bug.cgi?id=802435\n");
continue;
}
vreader_emul = vreader_emul_new(slot, options->hw_card_type,
options->hw_type_params);
vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
if (PK11_IsPresent(slot)) {
VCard *vcard;
vcard = vcard_emul_mirror_card(vreader);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
vcard_free(vcard);
}
}
vcard_emul_new_event_thread(module);
}
SECMOD_ReleaseReadLock(module_lock);
nss_emul_init = PR_TRUE;
return VCARD_EMUL_OK;
}
int OpenDBs() {
int r;
NSS_Init(".");
return 0;
}
int
main(int argc, char **argv)
{
char *progName;
FILE *contentFile, *outFile;
PRFileDesc *signatureFile;
SECCertUsage certUsage = certUsageEmailSigner;
PLOptState *optstate;
PLOptStatus status;
SECStatus rv;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
contentFile = NULL;
signatureFile = NULL;
outFile = NULL;
/*
* Parse command line arguments
*/
optstate = PL_CreateOptState(argc, argv, "c:d:o:s:u:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
Usage(progName);
break;
case 'c':
contentFile = fopen(optstate->value, "r");
if (!contentFile) {
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
return -1;
}
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'o':
outFile = fopen(optstate->value, "w");
if (!outFile) {
fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
progName, optstate->value);
return -1;
}
break;
case 's':
signatureFile = PR_Open(optstate->value, PR_RDONLY, 0);
if (!signatureFile) {
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
return -1;
}
break;
case 'u': {
int usageType;
usageType = atoi (strdup(optstate->value));
if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
return -1;
certUsage = (SECCertUsage)usageType;
break;
}
}
}
if (!contentFile) Usage (progName);
if (!signatureFile) Usage (progName);
if (!outFile) outFile = stdout;
/* Call the NSS initialization routines */
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
rv = NSS_Init(SECU_ConfigDirectory(NULL));
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
return -1;
}
if (HashDecodeAndVerify(outFile, contentFile, signatureFile,
certUsage, progName)) {
SECU_PrintError(progName, "problem decoding/verifying signature");
return -1;
}
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
return 0;
}
int
main(int argc, char **argv)
{
char *progName;
FILE *outFile;
PRFileDesc *inFile;
char *keyName = NULL;
CERTCertDBHandle *certHandle;
CERTCertificate *cert;
PLOptState *optstate;
PLOptStatus status;
SECStatus rv;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
inFile = NULL;
outFile = NULL;
keyName = NULL;
/*
* Parse command line arguments
*/
optstate = PL_CreateOptState(argc, argv, "ed:k:i:o:p:f:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
Usage(progName);
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
inFile = PR_Open(optstate->value, PR_RDONLY, 0);
if (!inFile) {
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
return -1;
}
break;
case 'k':
keyName = strdup(optstate->value);
break;
case 'o':
outFile = fopen(optstate->value, "wb");
if (!outFile) {
fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
progName, optstate->value);
return -1;
}
break;
case 'p':
pwdata.source = PW_PLAINTEXT;
pwdata.data = strdup (optstate->value);
break;
case 'f':
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup (optstate->value);
break;
}
}
if (!keyName) Usage(progName);
if (!inFile) inFile = PR_STDIN;
if (!outFile) outFile = stdout;
/* Call the initialization routines */
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
rv = NSS_Init(SECU_ConfigDirectory(NULL));
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
goto loser;
}
PK11_SetPasswordFunc(SECU_GetModulePassword);
/* open cert database */
certHandle = CERT_GetDefaultCertDB();
if (certHandle == NULL) {
rv = SECFailure;
goto loser;
}
/* find cert */
cert = CERT_FindCertByNickname(certHandle, keyName);
if (cert == NULL) {
SECU_PrintError(progName,
"the corresponding cert for key \"%s\" does not exist",
keyName);
rv = SECFailure;
goto loser;
}
if (SignFile(outFile, inFile, cert)) {
SECU_PrintError(progName, "problem signing data");
rv = SECFailure;
goto loser;
}
loser:
if (pwdata.data) {
PORT_Free(pwdata.data);
}
if (keyName) {
PORT_Free(keyName);
}
if (cert) {
CERT_DestroyCertificate(cert);
}
if (inFile && inFile != PR_STDIN) {
PR_Close(inFile);
}
if (outFile && outFile != stdout) {
fclose(outFile);
}
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError(progName, "NSS shutdown:");
exit(1);
}
return (rv != SECSuccess);
}
int main(int argc, char **argv)
{
PRFileDesc *contentFile = NULL;
PRFileDesc *signFile = PR_STDIN;
FILE * outFile = stdout;
char * progName;
SECStatus rv;
int result = 1;
SECItem pkcs7der, content;
secuCommand signver;
pkcs7der.data = NULL;
content.data = NULL;
signver.numCommands = sizeof(signver_commands) /sizeof(secuCommandFlag);
signver.numOptions = sizeof(signver_options) / sizeof(secuCommandFlag);
signver.commands = signver_commands;
signver.options = signver_options;
#ifdef XP_PC
progName = strrchr(argv[0], '\\');
#else
progName = strrchr(argv[0], '/');
#endif
progName = progName ? progName+1 : argv[0];
rv = SECU_ParseCommandLine(argc, argv, progName, &signver);
if (SECSuccess != rv) {
Usage(progName, outFile);
}
debugInfo = signver.options[opt_DebugInfo ].activated;
verbose = signver.options[opt_PrintWhyFailure ].activated;
doVerify = signver.commands[cmd_VerifySignedObj].activated;
displayAll= signver.commands[cmd_DisplayAllPCKS7Info].activated;
if (!doVerify && !displayAll)
doVerify = PR_TRUE;
/* Set the certdb directory (default is ~/.netscape) */
rv = NSS_Init(SECU_ConfigDirectory(signver.options[opt_CertDir].arg));
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
return result;
}
/* below here, goto cleanup */
SECU_RegisterDynamicOids();
/* Open the input content file. */
if (signver.options[opt_InputDataFile].activated &&
signver.options[opt_InputDataFile].arg) {
if (PL_strcmp("-", signver.options[opt_InputDataFile].arg)) {
contentFile = PR_Open(signver.options[opt_InputDataFile].arg,
PR_RDONLY, 0);
if (!contentFile) {
PR_fprintf(PR_STDERR,
"%s: unable to open \"%s\" for reading.\n",
progName, signver.options[opt_InputDataFile].arg);
goto cleanup;
}
} else
contentFile = PR_STDIN;
}
/* Open the input signature file. */
if (signver.options[opt_InputSigFile].activated &&
signver.options[opt_InputSigFile].arg) {
if (PL_strcmp("-", signver.options[opt_InputSigFile].arg)) {
signFile = PR_Open(signver.options[opt_InputSigFile].arg,
PR_RDONLY, 0);
if (!signFile) {
PR_fprintf(PR_STDERR,
"%s: unable to open \"%s\" for reading.\n",
progName, signver.options[opt_InputSigFile].arg);
goto cleanup;
}
}
}
if (contentFile == PR_STDIN && signFile == PR_STDIN && doVerify) {
PR_fprintf(PR_STDERR,
"%s: cannot read both content and signature from standard input\n",
progName);
goto cleanup;
}
/* Open|Create the output file. */
if (signver.options[opt_OutputFile].activated) {
outFile = fopen(signver.options[opt_OutputFile].arg, "w");
if (!outFile) {
PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for writing.\n",
progName, signver.options[opt_OutputFile].arg);
goto cleanup;
}
}
/* read in the input files' contents */
rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
signver.options[opt_ASCII].activated);
if (signFile != PR_STDIN)
PR_Close(signFile);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem reading PKCS7 input");
goto cleanup;
}
if (contentFile) {
rv = SECU_FileToItem(&content, contentFile);
if (contentFile != PR_STDIN)
PR_Close(contentFile);
if (rv != SECSuccess)
content.data = NULL;
}
/* Signature Verification */
if (doVerify) {
SEC_PKCS7ContentInfo *cinfo;
SEC_PKCS7SignedData *signedData;
HASH_HashType digestType;
PRBool contentIsSigned;
cinfo = SEC_PKCS7DecodeItem(&pkcs7der, NULL, NULL, NULL, NULL,
NULL, NULL, NULL);
if (cinfo == NULL) {
PR_fprintf(PR_STDERR, "Unable to decode PKCS7 data\n");
goto cleanup;
}
/* below here, goto done */
contentIsSigned = SEC_PKCS7ContentIsSigned(cinfo);
if (debugInfo) {
PR_fprintf(PR_STDERR, "Content is%s encrypted.\n",
SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
}
if (debugInfo || !contentIsSigned) {
PR_fprintf(PR_STDERR, "Content is%s signed.\n",
contentIsSigned ? "" : " not");
}
if (!contentIsSigned)
goto done;
signedData = cinfo->content.signedData;
/* assume that there is only one digest algorithm for now */
digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
if (digestType == HASH_AlgNULL) {
PR_fprintf(PR_STDERR, "Invalid hash algorithmID\n");
goto done;
}
if (content.data) {
SECCertUsage usage = certUsageEmailSigner;
SECItem digest;
unsigned char digestBuffer[HASH_LENGTH_MAX];
if (debugInfo)
PR_fprintf(PR_STDERR, "contentToVerify=%s\n", content.data);
digest.data = digestBuffer;
digest.len = sizeof digestBuffer;
if (DigestContent(&digest, &content, digestType)) {
SECU_PrintError(progName, "Message digest computation failure");
goto done;
}
if (debugInfo) {
unsigned int i;
PR_fprintf(PR_STDERR, "Data Digest=:");
for (i = 0; i < digest.len; i++)
PR_fprintf(PR_STDERR, "%02x:", digest.data[i]);
PR_fprintf(PR_STDERR, "\n");
}
fprintf(outFile, "signatureValid=");
PORT_SetError(0);
if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage,
&digest, digestType, PR_FALSE)) {
fprintf(outFile, "yes");
} else {
fprintf(outFile, "no");
if (verbose) {
fprintf(outFile, ":%s",
SECU_Strerror(PORT_GetError()));
}
}
fprintf(outFile, "\n");
result = 0;
}
done:
SEC_PKCS7DestroyContentInfo(cinfo);
}
if (displayAll) {
if (SV_PrintPKCS7ContentInfo(outFile, &pkcs7der))
result = 1;
}
cleanup:
SECITEM_FreeItem(&pkcs7der, PR_FALSE);
SECITEM_FreeItem(&content, PR_FALSE);
if (NSS_Shutdown() != SECSuccess) {
result = 1;
}
return result;
}
// Constructor
OsTLSServerSocket::OsTLSServerSocket(int connectionQueueSize,
int serverPort,
UtlString certNickname,
UtlString certPassword,
UtlString dbLocation,
const UtlString bindAddress)
: OsServerSocket(connectionQueueSize,serverPort, bindAddress.data(), false),
mCertNickname(certNickname),
mCertPassword(certPassword),
mDbLocation(dbLocation),
mpMozillaSSLSocket(NULL),
mpCert(NULL),
mpPrivKey(NULL),
mTlsInitCode(TLS_INIT_SUCCESS)
{
PRSocketOptionData socketOption;
PRStatus prStatus;
SECStatus secStatus;
// import the newly created socket into NSS, and set the PRFileDesc.
if (socketDescriptor > OS_INVALID_SOCKET_DESCRIPTOR)
{
/* Call the NSPR initialization routines. */
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
/* Set the cert database password callback. */
PK11_SetPasswordFunc(OsTLS::PasswordCallback);
secStatus = NSS_Init(dbLocation.data());
if (secStatus != SECSuccess)
{
mTlsInitCode = TLS_INIT_DATABASE_FAILURE;
return ;
}
/* Set the policy for this server (REQUIRED - no default). */
secStatus = NSS_SetExportPolicy();
if (secStatus != SECSuccess)
{
mTlsInitCode = TLS_INIT_DATABASE_FAILURE;
return ;
}
/* Get own certificate and private key. */
mpCert = PK11_FindCertFromNickname((char*) certNickname.data(), (void*)certPassword.data());
if (mpCert == NULL)
{
return ;
}
unsigned char* szPwd = (unsigned char*) PR_Malloc(certPassword.length()+ 1);
strncpy((char*)szPwd, certPassword.data(), certPassword.length()+1);
mpPrivKey = PK11_FindKeyByAnyCert(mpCert, (void*)szPwd);
if (mpPrivKey == NULL)
{
mTlsInitCode = TLS_INIT_BAD_PASSWORD;
// probably a wrong password
return ;
}
/* Configure the server's cache for a multi-process application
* using default timeout values (24 hrs) and directory location (/tmp).
*/
SSL_ConfigMPServerSIDCache(256, 0, 0, NULL);
mpMozillaSSLSocket = PR_ImportTCPSocket(socketDescriptor);
if (!mpMozillaSSLSocket)
{
mTlsInitCode = TLS_INIT_TCP_IMPORT_FAILURE;
}
else
{
/* Make the socket blocking. */
socketOption.option = PR_SockOpt_Nonblocking;
socketOption.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(mpMozillaSSLSocket, &socketOption);
if (prStatus != PR_SUCCESS)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
secStatus = SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
if (secStatus != SECSuccess)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
PRNetAddr addr;
/* Configure the network connection. */
addr.inet.family = PR_AF_INET;
addr.inet.ip = inet_addr(bindAddress.data());
addr.inet.port = PR_htons(serverPort);
/* Bind the address to the listener socket. */
prStatus = PR_Bind(mpMozillaSSLSocket, &addr);
if (prStatus != PR_SUCCESS)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
/* Listen for connection on the socket. The second argument is
* the maximum size of the queue for pending connections.
*/
prStatus = PR_Listen(mpMozillaSSLSocket, connectionQueueSize);
if (prStatus != PR_SUCCESS)
{
mTlsInitCode = TLS_INIT_NSS_FAILURE;
return;
}
}
}
}
int
main(int argc, char *argv[])
{
int rc;
pesign_context *ctxp;
int list = 0;
int remove = 0;
int daemon = 0;
int fork = 1;
int padding = 0;
int need_db = 0;
char *digest_name = "sha256";
char *tokenname = "NSS Certificate DB";
char *origtoken = tokenname;
char *certname = NULL;
char *certdir = "/etc/pki/pesign";
char *signum = NULL;
rc = pesign_context_new(&ctxp);
if (rc < 0) {
fprintf(stderr, "Could not initialize context: %m\n");
exit(1);
}
poptContext optCon;
struct poptOption options[] = {
{NULL, '\0', POPT_ARG_INTL_DOMAIN, "pesign" },
{"in", 'i', POPT_ARG_STRING, &ctxp->infile, 0,
"specify input file", "<infile>"},
{"out", 'o', POPT_ARG_STRING, &ctxp->outfile, 0,
"specify output file", "<outfile>" },
{"certficate", 'c', POPT_ARG_STRING, &certname, 0,
"specify certificate nickname",
"<certificate nickname>" },
{"certdir", 'n', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
&certdir, 0,
"specify nss certificate database directory",
"<certificate directory path>" },
{"force", 'f', POPT_ARG_VAL, &ctxp->force, 1,
"force overwriting of output file", NULL },
{"sign", 's', POPT_ARG_VAL, &ctxp->sign, 1,
"create a new signature", NULL },
{"hash", 'h', POPT_ARG_VAL, &ctxp->hash, 1,
"hash binary", NULL },
{"digest_type", 'd', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
&digest_name, 0, "digest type to use for pe hash" },
{"import-signed-certificate", 'm',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
&ctxp->insig, 0,"import signature from file", "<insig>" },
{"export-signed-attributes", 'E',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
&ctxp->outsattrs, 0, "export signed attributes to file",
"<signed_attributes_file>" },
{"import-signed-attributes", 'I',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
&ctxp->insattrs, 0,
"import signed attributes from file",
"<signed_attributes_file>" },
{"import-raw-signature", 'R',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN, &ctxp->rawsig,
0, "import raw signature from file", "<inraw>" },
{"signature-number", 'u', POPT_ARG_STRING, &signum, 0,
"specify which signature to operate on","<sig-number>"},
{"list-signatures", 'l',
POPT_ARG_VAL|POPT_ARGFLAG_DOC_HIDDEN,
&list, 1, "list signatures", NULL },
{"nss-token", 't', POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
&tokenname, 0, "NSS token holding signing key" },
{"show-signature", 'S', POPT_ARG_VAL, &list, 1,
"show signature", NULL },
{"remove-signature", 'r', POPT_ARG_VAL, &remove, 1,
"remove signature" },
{"export-signature", 'e',
POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
&ctxp->outsig, 0,
"export signature to file", "<outsig>" },
{"export-pubkey", 'K', POPT_ARG_STRING,
&ctxp->outkey, 0, "export pubkey to file", "<outkey>" },
{"export-cert", 'C', POPT_ARG_STRING,
&ctxp->outcert, 0, "export signing cert to file",
"<outcert>" },
{"ascii-armor", 'a', POPT_ARG_VAL, &ctxp->ascii, 1,
"use ascii armoring", NULL },
{"daemonize", 'D', POPT_ARG_VAL, &daemon, 1,
"run as a daemon process", NULL },
{"nofork", 'N', POPT_ARG_VAL, &fork, 0,
"don't fork when daemonizing", NULL },
{"verbose", 'v', POPT_ARG_VAL, &ctxp->verbose, 1,
"be very verbose", NULL },
{"padding", 'P', POPT_ARG_VAL,
&padding, 1, "pad data section", NULL },
POPT_AUTOALIAS
POPT_AUTOHELP
POPT_TABLEEND
};
optCon = poptGetContext("pesign", argc, (const char **)argv, options,0);
rc = poptReadDefaultConfig(optCon, 0);
if (rc < 0 && !(rc == POPT_ERROR_ERRNO && errno == ENOENT)) {
fprintf(stderr, "pesign: poptReadDefaultConfig failed: %s\n",
poptStrerror(rc));
exit(1);
}
while ((rc = poptGetNextOpt(optCon)) > 0)
;
if (rc < -1) {
fprintf(stderr, "pesign: Invalid argument: %s: %s\n",
poptBadOption(optCon, 0), poptStrerror(rc));
exit(1);
}
if (poptPeekArg(optCon)) {
fprintf(stderr, "pesign: Invalid Argument: \"%s\"\n",
poptPeekArg(optCon));
exit(1);
}
poptFreeContext(optCon);
if (signum) {
errno = 0;
ctxp->signum = strtol(signum, NULL, 0);
if (errno != 0) {
fprintf(stderr, "invalid signature number: %m\n");
exit(1);
}
}
int action = 0;
if (daemon)
action |= DAEMONIZE;
if (ctxp->rawsig) {
action |= IMPORT_RAW_SIGNATURE;
need_db = 1;
}
if (ctxp->insattrs)
action |= IMPORT_SATTRS;
if (ctxp->outsattrs)
action |= EXPORT_SATTRS;
if (ctxp->insig)
action |= IMPORT_SIGNATURE;
if (ctxp->outkey) {
action |= EXPORT_PUBKEY;
need_db = 1;
}
if (ctxp->outcert) {
action |= EXPORT_CERT;
need_db = 1;
}
if (ctxp->outsig)
action |= EXPORT_SIGNATURE;
if (remove != 0)
action |= REMOVE_SIGNATURE;
if (list != 0)
action |= LIST_SIGNATURES;
if (ctxp->sign) {
action |= GENERATE_SIGNATURE;
if (!(action & EXPORT_SIGNATURE))
action |= IMPORT_SIGNATURE;
need_db = 1;
}
if (ctxp->hash)
action |= GENERATE_DIGEST|PRINT_DIGEST;
if (!daemon) {
SECStatus status;
if (need_db)
status = NSS_Init(certdir);
else
status = NSS_NoDB_Init(NULL);
if (status != SECSuccess) {
fprintf(stderr, "Could not initialize nss: %s\n",
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
status = register_oids(ctxp->cms_ctx);
if (status != SECSuccess) {
fprintf(stderr, "Could not register OIDs\n");
exit(1);
}
}
rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
int is_help = strcmp(digest_name, "help") ? 0 : 1;
if (rc < 0) {
if (!is_help) {
fprintf(stderr, "Digest \"%s\" not found.\n",
digest_name);
}
exit(!is_help);
}
ctxp->cms_ctx->tokenname = tokenname ?
PORT_ArenaStrdup(ctxp->cms_ctx->arena, tokenname) : NULL;
if (tokenname && !ctxp->cms_ctx->tokenname) {
fprintf(stderr, "could not allocate token name: %s\n",
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
if (tokenname != origtoken)
free(tokenname);
ctxp->cms_ctx->certname = certname ?
PORT_ArenaStrdup(ctxp->cms_ctx->arena, certname) : NULL;
if (certname && !ctxp->cms_ctx->certname) {
fprintf(stderr, "could not allocate certificate name: %s\n",
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
if (certname)
free(certname);
if (ctxp->sign) {
if (!ctxp->cms_ctx->certname) {
fprintf(stderr, "pesign: signing requested but no "
"certificate nickname provided\n");
exit(1);
}
}
ssize_t sigspace = 0;
switch (action) {
case NO_FLAGS:
fprintf(stderr, "pesign: Nothing to do.\n");
exit(0);
break;
/* in this case we have the actual binary signature and the
* signing cert, but not the pkcs7ish certificate that goes
* with it.
*/
case IMPORT_RAW_SIGNATURE|IMPORT_SATTRS:
check_inputs(ctxp);
rc = find_certificate(ctxp->cms_ctx, 0);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
ctxp->cms_ctx->certname);
exit(1);
}
open_rawsig_input(ctxp);
open_sattr_input(ctxp);
import_raw_signature(ctxp);
close_sattr_input(ctxp);
close_rawsig_input(ctxp);
open_input(ctxp);
open_output(ctxp);
close_input(ctxp);
generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
sigspace = calculate_signature_space(ctxp->cms_ctx,
ctxp->outpe);
allocate_signature_space(ctxp->outpe, sigspace);
generate_signature(ctxp->cms_ctx);
insert_signature(ctxp->cms_ctx, ctxp->signum);
close_output(ctxp);
break;
case EXPORT_SATTRS:
open_input(ctxp);
open_sattr_output(ctxp);
generate_digest(ctxp->cms_ctx, ctxp->inpe, 1);
generate_sattr_blob(ctxp);
close_sattr_output(ctxp);
close_input(ctxp);
break;
/* add a signature from a file */
case IMPORT_SIGNATURE:
check_inputs(ctxp);
if (ctxp->signum > ctxp->cms_ctx->num_signatures + 1) {
fprintf(stderr, "Invalid signature number.\n");
exit(1);
}
open_input(ctxp);
open_output(ctxp);
close_input(ctxp);
open_sig_input(ctxp);
parse_signature(ctxp);
sigspace = get_sigspace_extend_amount(ctxp->cms_ctx,
ctxp->outpe, &ctxp->cms_ctx->newsig);
allocate_signature_space(ctxp->outpe, sigspace);
check_signature_space(ctxp);
insert_signature(ctxp->cms_ctx, ctxp->signum);
close_sig_input(ctxp);
close_output(ctxp);
break;
case EXPORT_PUBKEY:
rc = find_certificate(ctxp->cms_ctx, 1);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
ctxp->cms_ctx->certname);
exit(1);
}
open_pubkey_output(ctxp);
export_pubkey(ctxp);
break;
case EXPORT_CERT:
rc = find_certificate(ctxp->cms_ctx, 0);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
ctxp->cms_ctx->certname);
exit(1);
}
open_cert_output(ctxp);
export_cert(ctxp);
break;
/* find a signature in the binary and save it to a file */
case EXPORT_SIGNATURE:
open_input(ctxp);
open_sig_output(ctxp);
if (ctxp->signum > ctxp->cms_ctx->num_signatures) {
fprintf(stderr, "Invalid signature number.\n");
exit(1);
}
if (ctxp->signum < 0)
ctxp->signum = 0;
if (ctxp->signum >= ctxp->cms_ctx->num_signatures) {
fprintf(stderr, "No valid signature #%d.\n",
ctxp->signum);
exit(1);
}
memcpy(&ctxp->cms_ctx->newsig,
ctxp->cms_ctx->signatures[ctxp->signum],
sizeof (ctxp->cms_ctx->newsig));
export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
close_input(ctxp);
close_sig_output(ctxp);
memset(&ctxp->cms_ctx->newsig, '\0',
sizeof (ctxp->cms_ctx->newsig));
break;
/* remove a signature from the binary */
case REMOVE_SIGNATURE:
check_inputs(ctxp);
open_input(ctxp);
open_output(ctxp);
close_input(ctxp);
if (ctxp->signum < 0 ||
ctxp->signum >=
ctxp->cms_ctx->num_signatures) {
fprintf(stderr, "Invalid signature number %d. "
"Must be between 0 and %d.\n",
ctxp->signum,
ctxp->cms_ctx->num_signatures - 1);
exit(1);
}
remove_signature(ctxp);
close_output(ctxp);
break;
/* list signatures in the binary */
case LIST_SIGNATURES:
open_input(ctxp);
list_signatures(ctxp);
break;
case GENERATE_DIGEST|PRINT_DIGEST:
open_input(ctxp);
generate_digest(ctxp->cms_ctx, ctxp->inpe, padding);
print_digest(ctxp);
break;
/* generate a signature and save it in a separate file */
case EXPORT_SIGNATURE|GENERATE_SIGNATURE:
rc = find_certificate(ctxp->cms_ctx, 1);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
ctxp->cms_ctx->certname);
exit(1);
}
open_input(ctxp);
open_sig_output(ctxp);
generate_digest(ctxp->cms_ctx, ctxp->inpe, 1);
generate_signature(ctxp->cms_ctx);
export_signature(ctxp->cms_ctx, ctxp->outsigfd, ctxp->ascii);
break;
/* generate a signature and embed it in the binary */
case IMPORT_SIGNATURE|GENERATE_SIGNATURE:
check_inputs(ctxp);
rc = find_certificate(ctxp->cms_ctx, 1);
if (rc < 0) {
fprintf(stderr, "pesign: Could not find "
"certificate %s\n",
ctxp->cms_ctx->certname);
exit(1);
}
if (ctxp->signum > ctxp->cms_ctx->num_signatures + 1) {
fprintf(stderr, "Invalid signature number.\n");
exit(1);
}
open_input(ctxp);
open_output(ctxp);
close_input(ctxp);
generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
sigspace = calculate_signature_space(ctxp->cms_ctx,
ctxp->outpe);
allocate_signature_space(ctxp->outpe, sigspace);
generate_digest(ctxp->cms_ctx, ctxp->outpe, 1);
generate_signature(ctxp->cms_ctx);
insert_signature(ctxp->cms_ctx, ctxp->signum);
close_output(ctxp);
break;
case DAEMONIZE:
rc = daemonize(ctxp->cms_ctx, certdir, fork);
break;
default:
fprintf(stderr, "Incompatible flags (0x%08x): ", action);
for (int i = 1; i < FLAG_LIST_END; i <<= 1) {
if (action & i)
print_flag_name(stderr, i);
}
fprintf(stderr, "\n");
exit(1);
}
pesign_context_free(ctxp);
if (!daemon) {
SECStatus status = NSS_Shutdown();
if (status != SECSuccess) {
fprintf(stderr, "could not shut down NSS: %s",
PORT_ErrorToString(PORT_GetError()));
exit(1);
}
}
return (rc < 0);
}
int
main(int argc, char **argv)
{
SECStatus rv;
int retval = -1;
CERTCertDBHandle *certHandle = NULL;
CERTCertificate *caCert = NULL, *cert = NULL;
CERTOCSPCertID *cid = NULL;
PLArenaPool *arena = NULL;
PRTime now = PR_Now();
SECItem *encoded = NULL;
CERTOCSPResponse *decoded = NULL;
SECStatus statusDecoded;
SECItem *encodedRev = NULL;
CERTOCSPResponse *decodedRev = NULL;
SECStatus statusDecodedRev;
SECItem *encodedFail = NULL;
CERTOCSPResponse *decodedFail = NULL;
SECStatus statusDecodedFail;
CERTCertificate *obtainedSignerCert = NULL;
if (argc != 4 && argc != 6) {
return Usage();
}
if (argc == 6) {
if (!strcmp(argv[4], "-p")) {
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(argv[5]);
}
else if (!strcmp(argv[4], "-f")) {
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(argv[5]);
}
else
return Usage();
}
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
/*rv = NSS_Init(SECU_ConfigDirectory(NULL));*/
rv = NSS_Init(argv[1]);
if (rv != SECSuccess) {
SECU_PrintPRandOSError(argv[0]);
goto loser;
}
PK11_SetPasswordFunc(SECU_GetModulePassword);
certHandle = CERT_GetDefaultCertDB();
if (!certHandle)
goto loser;
if (!getCaAndSubjectCert(certHandle, argv[2], argv[3], &caCert, &cert))
goto loser;
cid = CERT_CreateOCSPCertID(cert, now);
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
encoded = encode(arena, cid, caCert);
PORT_Assert(encoded);
decoded = CERT_DecodeOCSPResponse(encoded);
statusDecoded = CERT_GetOCSPResponseStatus(decoded);
PORT_Assert(statusDecoded == SECSuccess);
statusDecoded = CERT_VerifyOCSPResponseSignature(decoded, certHandle, &pwdata,
&obtainedSignerCert, caCert);
PORT_Assert(statusDecoded == SECSuccess);
statusDecoded = CERT_GetOCSPStatusForCertID(certHandle, decoded, cid,
obtainedSignerCert, now);
PORT_Assert(statusDecoded == SECSuccess);
CERT_DestroyCertificate(obtainedSignerCert);
encodedRev = encodeRevoked(arena, cid, caCert);
PORT_Assert(encodedRev);
decodedRev = CERT_DecodeOCSPResponse(encodedRev);
statusDecodedRev = CERT_GetOCSPResponseStatus(decodedRev);
PORT_Assert(statusDecodedRev == SECSuccess);
statusDecodedRev = CERT_VerifyOCSPResponseSignature(decodedRev, certHandle, &pwdata,
&obtainedSignerCert, caCert);
PORT_Assert(statusDecodedRev == SECSuccess);
statusDecodedRev = CERT_GetOCSPStatusForCertID(certHandle, decodedRev, cid,
obtainedSignerCert, now);
PORT_Assert(statusDecodedRev == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_REVOKED_CERTIFICATE);
CERT_DestroyCertificate(obtainedSignerCert);
encodedFail = CERT_CreateEncodedOCSPErrorResponse(
arena, SEC_ERROR_OCSP_TRY_SERVER_LATER);
PORT_Assert(encodedFail);
decodedFail = CERT_DecodeOCSPResponse(encodedFail);
statusDecodedFail = CERT_GetOCSPResponseStatus(decodedFail);
PORT_Assert(statusDecodedFail == SECFailure);
PORT_Assert(PORT_GetError() == SEC_ERROR_OCSP_TRY_SERVER_LATER);
retval = 0;
loser:
if (retval != 0)
SECU_PrintError(argv[0], "tests failed");
if (cid)
CERT_DestroyOCSPCertID(cid);
if (cert)
CERT_DestroyCertificate(cert);
if (caCert)
CERT_DestroyCertificate(caCert);
if (arena)
PORT_FreeArena(arena, PR_FALSE);
if (decoded)
CERT_DestroyOCSPResponse(decoded);
if (decodedRev)
CERT_DestroyOCSPResponse(decodedRev);
if (decodedFail)
CERT_DestroyOCSPResponse(decodedFail);
if (pwdata.data) {
PORT_Free(pwdata.data);
}
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError(argv[0], "NSS shutdown:");
if (retval == 0)
retval = -2;
}
return retval;
}
int
main(int argc, char *argv[], char *envp[])
{
char * certDir = NULL;
char * progName = NULL;
char * oidStr = NULL;
CERTCertificate * cert;
CERTCertificate * firstCert = NULL;
CERTCertificate * issuerCert = NULL;
CERTCertDBHandle * defaultDB = NULL;
PRBool isAscii = PR_FALSE;
PRBool trusted = PR_FALSE;
SECStatus secStatus;
SECCertificateUsage certUsage = certificateUsageSSLServer;
PLOptState * optstate;
PRTime time = 0;
PLOptStatus status;
int usePkix = 0;
int rv = 1;
int usage;
CERTVerifyLog log;
CERTCertList *builtChain = NULL;
PRBool certFetching = PR_FALSE;
int revDataIndex = 0;
PRBool ocsp_fetchingFailureIsAFailure = PR_TRUE;
PRBool useDefaultRevFlags = PR_TRUE;
int vfyCounts = 1;
PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
progName = PL_strdup(argv[0]);
optstate = PL_CreateOptState(argc, argv, "ab:c:d:efg:h:i:m:o:prs:tu:vw:W:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch(optstate->option) {
case 0 : /* positional parameter */ goto breakout;
case 'a' : isAscii = PR_TRUE; break;
case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
if (secStatus != SECSuccess) Usage(progName); break;
case 'd' : certDir = PL_strdup(optstate->value); break;
case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break;
case 'f' : certFetching = PR_TRUE; break;
case 'g' :
if (revMethodsData[revDataIndex].testTypeStr ||
revMethodsData[revDataIndex].methodTypeStr) {
revDataIndex += 1;
if (revDataIndex == REV_METHOD_INDEX_MAX) {
fprintf(stderr, "Invalid revocation configuration"
"specified.\n");
secStatus = SECFailure;
break;
}
}
useDefaultRevFlags = PR_FALSE;
revMethodsData[revDataIndex].
testTypeStr = PL_strdup(optstate->value); break;
case 'h' :
revMethodsData[revDataIndex].
testFlagsStr = PL_strdup(optstate->value);break;
case 'i' : vfyCounts = PORT_Atoi(optstate->value); break;
break;
case 'm' :
if (revMethodsData[revDataIndex].methodTypeStr) {
revDataIndex += 1;
if (revDataIndex == REV_METHOD_INDEX_MAX) {
fprintf(stderr, "Invalid revocation configuration"
"specified.\n");
secStatus = SECFailure;
break;
}
}
useDefaultRevFlags = PR_FALSE;
revMethodsData[revDataIndex].
methodTypeStr = PL_strdup(optstate->value); break;
case 'o' : oidStr = PL_strdup(optstate->value); break;
case 'p' : usePkix += 1; break;
case 'r' : isAscii = PR_FALSE; break;
case 's' :
revMethodsData[revDataIndex].
methodFlagsStr = PL_strdup(optstate->value); break;
case 't' : trusted = PR_TRUE; break;
case 'u' : usage = PORT_Atoi(optstate->value);
if (usage < 0 || usage > 62) Usage(progName);
certUsage = ((SECCertificateUsage)1) << usage;
if (certUsage > certificateUsageHighest) Usage(progName);
break;
case 'w':
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'W':
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'v' : verbose++; break;
default : Usage(progName); break;
}
}
breakout:
if (status != PL_OPT_OK)
Usage(progName);
if (usePkix < 2) {
if (oidStr) {
fprintf(stderr, "Policy oid(-o) can be used only with"
" CERT_PKIXVerifyChain(-pp) function.\n");
Usage(progName);
}
if (trusted) {
fprintf(stderr, "Cert trust flag can be used only with"
" CERT_PKIXVerifyChain(-pp) function.\n");
Usage(progName);
}
}
if (!useDefaultRevFlags && parseRevMethodsAndFlags()) {
fprintf(stderr, "Invalid revocation configuration specified.\n");
goto punt;
}
/* Set our password function callback. */
PK11_SetPasswordFunc(SECU_GetModulePassword);
/* Initialize the NSS libraries. */
if (certDir) {
secStatus = NSS_Init(certDir);
} else {
secStatus = NSS_NoDB_Init(NULL);
/* load the builtins */
SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX, 0, 0);
}
if (secStatus != SECSuccess) {
exitErr("NSS_Init");
}
SECU_RegisterDynamicOids();
if (isOCSPEnabled()) {
CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
CERT_DisableOCSPDefaultResponder(CERT_GetDefaultCertDB());
if (!ocsp_fetchingFailureIsAFailure) {
CERT_SetOCSPFailureMode(ocspMode_FailureIsNotAVerificationFailure);
}
}
while (status == PL_OPT_OK) {
switch(optstate->option) {
default : Usage(progName); break;
case 'a' : isAscii = PR_TRUE; break;
case 'r' : isAscii = PR_FALSE; break;
case 't' : trusted = PR_TRUE; break;
case 0 : /* positional parameter */
if (usePkix < 2 && trusted) {
fprintf(stderr, "Cert trust flag can be used only with"
" CERT_PKIXVerifyChain(-pp) function.\n");
Usage(progName);
}
cert = getCert(optstate->value, isAscii, progName);
if (!cert)
goto punt;
rememberCert(cert, trusted);
if (!firstCert)
firstCert = cert;
trusted = PR_FALSE;
}
status = PL_GetNextOpt(optstate);
}
PL_DestroyOptState(optstate);
if (status == PL_OPT_BAD || !firstCert)
Usage(progName);
/* Initialize log structure */
log.arena = PORT_NewArena(512);
log.head = log.tail = NULL;
log.count = 0;
do {
if (usePkix < 2) {
/* NOW, verify the cert chain. */
if (usePkix) {
/* Use old API with libpkix validation lib */
CERT_SetUsePKIXForValidation(PR_TRUE);
}
if (!time)
time = PR_Now();
defaultDB = CERT_GetDefaultCertDB();
secStatus = CERT_VerifyCertificate(defaultDB, firstCert,
PR_TRUE /* check sig */,
certUsage,
time,
&pwdata, /* wincx */
&log, /* error log */
NULL);/* returned usages */
} else do {
static CERTValOutParam cvout[4];
static CERTValInParam cvin[6];
SECOidTag oidTag;
int inParamIndex = 0;
static PRUint64 revFlagsLeaf[2];
static PRUint64 revFlagsChain[2];
static CERTRevocationFlags rev;
if (oidStr) {
PRArenaPool *arena;
SECOidData od;
memset(&od, 0, sizeof od);
od.offset = SEC_OID_UNKNOWN;
od.desc = "User Defined Policy OID";
od.mechanism = CKM_INVALID_MECHANISM;
od.supportedExtension = INVALID_CERT_EXTENSION;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( !arena ) {
fprintf(stderr, "out of memory");
goto punt;
}
secStatus = SEC_StringToOID(arena, &od.oid, oidStr, 0);
if (secStatus != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
fprintf(stderr, "Can not encode oid: %s(%s)\n", oidStr,
SECU_Strerror(PORT_GetError()));
break;
}
oidTag = SECOID_AddEntry(&od);
PORT_FreeArena(arena, PR_FALSE);
if (oidTag == SEC_OID_UNKNOWN) {
fprintf(stderr, "Can not add new oid to the dynamic "
"table: %s\n", oidStr);
secStatus = SECFailure;
break;
}
cvin[inParamIndex].type = cert_pi_policyOID;
cvin[inParamIndex].value.arraySize = 1;
cvin[inParamIndex].value.array.oids = &oidTag;
inParamIndex++;
}
if (trustedCertList) {
cvin[inParamIndex].type = cert_pi_trustAnchors;
cvin[inParamIndex].value.pointer.chain = trustedCertList;
inParamIndex++;
}
cvin[inParamIndex].type = cert_pi_useAIACertFetch;
cvin[inParamIndex].value.scalar.b = certFetching;
inParamIndex++;
rev.leafTests.cert_rev_flags_per_method = revFlagsLeaf;
rev.chainTests.cert_rev_flags_per_method = revFlagsChain;
secStatus = configureRevocationParams(&rev);
if (secStatus) {
fprintf(stderr, "Can not config revocation parameters ");
break;
}
cvin[inParamIndex].type = cert_pi_revocationFlags;
cvin[inParamIndex].value.pointer.revocation = &rev;
inParamIndex++;
if (time) {
cvin[inParamIndex].type = cert_pi_date;
cvin[inParamIndex].value.scalar.time = time;
inParamIndex++;
}
cvin[inParamIndex].type = cert_pi_end;
cvout[0].type = cert_po_trustAnchor;
cvout[0].value.pointer.cert = NULL;
cvout[1].type = cert_po_certList;
cvout[1].value.pointer.chain = NULL;
/* setting pointer to CERTVerifyLog. Initialized structure
* will be used CERT_PKIXVerifyCert */
cvout[2].type = cert_po_errorLog;
cvout[2].value.pointer.log = &log;
cvout[3].type = cert_po_end;
secStatus = CERT_PKIXVerifyCert(firstCert, certUsage,
cvin, cvout, &pwdata);
if (secStatus != SECSuccess) {
break;
}
issuerCert = cvout[0].value.pointer.cert;
builtChain = cvout[1].value.pointer.chain;
} while (0);
/* Display validation results */
if (secStatus != SECSuccess || log.count > 0) {
CERTVerifyLogNode *node = NULL;
PRIntn err = PR_GetError();
fprintf(stderr, "Chain is bad, %d = %s\n", err, SECU_Strerror(err));
SECU_displayVerifyLog(stderr, &log, verbose);
/* Have cert refs in the log only in case of failure.
* Destroy them. */
for (node = log.head; node; node = node->next) {
if (node->cert)
CERT_DestroyCertificate(node->cert);
}
rv = 1;
} else {
fprintf(stderr, "Chain is good!\n");
if (issuerCert) {
if (verbose > 1) {
rv = SEC_PrintCertificateAndTrust(issuerCert, "Root Certificate",
NULL);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem printing certificate");
}
} else if (verbose > 0) {
SECU_PrintName(stdout, &issuerCert->subject, "Root "
"Certificate Subject:", 0);
}
CERT_DestroyCertificate(issuerCert);
}
if (builtChain) {
CERTCertListNode *node;
int count = 0;
char buff[256];
if (verbose) {
for(node = CERT_LIST_HEAD(builtChain); !CERT_LIST_END(node, builtChain);
node = CERT_LIST_NEXT(node), count++ ) {
sprintf(buff, "Certificate %d Subject", count + 1);
SECU_PrintName(stdout, &node->cert->subject, buff, 0);
}
}
CERT_DestroyCertList(builtChain);
}
rv = 0;
}
} while (--vfyCounts > 0);
/* Need to destroy CERTVerifyLog arena at the end */
PORT_FreeArena(log.arena, PR_FALSE);
punt:
forgetCerts();
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError(progName, "NSS_Shutdown");
rv = 1;
}
PORT_Free(progName);
PORT_Free(certDir);
PORT_Free(oidStr);
freeRevocationMethodData();
if (pwdata.data) {
PORT_Free(pwdata.data);
}
PR_Cleanup();
return rv;
}
int
main (int argc, char **argv)
{
int retval = 0; /* 0 - test succeeded. -1 - test failed */
SECStatus rv;
PLOptState *optstate;
char *program_name;
char *input_file = NULL; /* read encrypted data from here (or create) */
char *output_file = NULL; /* write new encrypted data here */
char *log_file = NULL; /* write new encrypted data here */
FILE *inFile = stdin;
FILE *outFile = stdout;
FILE *logFile = NULL;
PLOptStatus optstatus;
SECItem result;
int c;
secuPWData pwdata = { PW_NONE, NULL };
result.data = 0;
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
optstate = PL_CreateOptState (argc, argv, "Hd:f:i:o:l:p:?");
if (optstate == NULL) {
SECU_PrintError (program_name, "PL_CreateOptState failed");
return 1;
}
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
short_usage (program_name);
return 1;
case 'H':
long_usage (program_name);
return 1;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
input_file = PL_strdup(optstate->value);
break;
case 'o':
output_file = PL_strdup(optstate->value);
break;
case 'l':
log_file = PL_strdup(optstate->value);
break;
case 'f':
pwdata.source = PW_FROMFILE;
pwdata.data = PL_strdup(optstate->value);
break;
case 'p':
pwdata.source = PW_PLAINTEXT;
pwdata.data = PL_strdup(optstate->value);
break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD) {
short_usage (program_name);
return 1;
}
if (input_file) {
inFile = fopen(input_file,"r");
if (inFile == NULL) {
perror(input_file);
return 1;
}
PR_Free(input_file);
}
if (output_file) {
outFile = fopen(output_file,"w+");
if (outFile == NULL) {
perror(output_file);
return 1;
}
PR_Free(output_file);
}
if (log_file) {
logFile = fopen(log_file,"w+");
if (logFile == NULL) {
perror(log_file);
return 1;
}
PR_Free(log_file);
}
/*
* Initialize the Security libraries.
*/
PK11_SetPasswordFunc(SECU_GetModulePassword);
rv = NSS_Init(SECU_ConfigDirectory(NULL));
if (rv != SECSuccess) {
SECU_PrintError (program_name, "NSS_Init failed");
retval = 1;
goto prdone;
}
/* Get the encrypted result, either from the input file
* or from encrypting the plaintext value
*/
while ((c = getc(inFile)) != EOF) {
if (c == 'M') {
char *dataString = NULL;
SECItem *inText;
rv = getData(inFile, &dataString);
if (!rv) {
fputs(dataString,outFile);
free(dataString);
continue;
}
inText = NSSBase64_DecodeBuffer(NULL, NULL, dataString,
strlen(dataString));
if ((inText == NULL) || (inText->len == 0)) {
if (logFile) {
fprintf(logFile,"Base 64 decode failed on <%s>\n",
dataString);
fprintf(logFile," Error %x: %s\n",PORT_GetError(),
SECU_Strerror(PORT_GetError()));
}
fputs(dataString,outFile);
free(dataString);
continue;
}
result.data = NULL;
result.len = 0;
rv = PK11SDR_Decrypt(inText, &result, &pwdata);
SECITEM_FreeItem(inText, PR_TRUE);
if (rv != SECSuccess) {
if (logFile) {
fprintf(logFile,"SDR decrypt failed on <%s>\n",
dataString);
fprintf(logFile," Error %x: %s\n",PORT_GetError(),
SECU_Strerror(PORT_GetError()));
}
fputs(dataString,outFile);
free(dataString);
SECITEM_ZfreeItem(&result, PR_FALSE);
continue;
}
/* result buffer has no extra space for a NULL */
fprintf(outFile, "%.*s", result.len, result.data);
SECITEM_ZfreeItem(&result, PR_FALSE);
} else {
putc(c,outFile);
}
}
fclose(outFile);
fclose(inFile);
if (logFile) {
fclose(logFile);
}
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError (program_name, "NSS_Shutdown failed");
exit(1);
}
prdone:
PR_Cleanup ();
return retval;
}
int
main (int argc, char **argv)
{
int retval = 0; /* 0 - test succeeded. -1 - test failed */
SECStatus rv;
PLOptState *optstate;
char *program_name;
char *input_file = NULL; /* read encrypted data from here (or create) */
char *output_file = NULL; /* write new encrypted data here */
char *log_file = NULL; /* write new encrypted data here */
FILE *inFile = stdin;
FILE *outFile = stdout;
FILE *logFile = NULL;
PLOptStatus optstatus;
secuPWData pwdata = { PW_NONE, NULL };
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
optstate = PL_CreateOptState (argc, argv, "Hd:f:i:o:l:p:?");
if (optstate == NULL) {
SECU_PrintError (program_name, "PL_CreateOptState failed");
return 1;
}
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
short_usage (program_name);
return 1;
case 'H':
long_usage (program_name);
return 1;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
input_file = PL_strdup(optstate->value);
break;
case 'o':
output_file = PL_strdup(optstate->value);
break;
case 'l':
log_file = PL_strdup(optstate->value);
break;
case 'f':
pwdata.source = PW_FROMFILE;
pwdata.data = PL_strdup(optstate->value);
break;
case 'p':
pwdata.source = PW_PLAINTEXT;
pwdata.data = PL_strdup(optstate->value);
break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD) {
short_usage (program_name);
return 1;
}
if (input_file) {
inFile = fopen(input_file,"r");
if (inFile == NULL) {
perror(input_file);
return 1;
}
PR_Free(input_file);
}
if (output_file) {
outFile = fopen(output_file,"w+");
if (outFile == NULL) {
perror(output_file);
return 1;
}
PR_Free(output_file);
}
if (log_file) {
if (log_file[0] == '-')
logFile = stderr;
else
logFile = fopen(log_file,"w+");
if (logFile == NULL) {
perror(log_file);
return 1;
}
PR_Free(log_file);
}
/*
* Initialize the Security libraries.
*/
PK11_SetPasswordFunc(SECU_GetModulePassword);
rv = NSS_Init(SECU_ConfigDirectory(NULL));
if (rv != SECSuccess) {
SECU_PrintError (program_name, "NSS_Init failed");
retval = 1;
goto prdone;
}
/* Get the encrypted result, either from the input file
* or from encrypting the plaintext value
*/
while (fgets(dataString, sizeof dataString, inFile)) {
unsigned char c = dataString[0];
if (c == 'M' && isBase64(dataString)) {
doDecrypt(dataString, outFile, logFile, &pwdata);
} else if (c == '~' && isBase64(dataString + 1)) {
doDecode(dataString, outFile, logFile);
} else {
fputs(dataString, outFile);
}
}
if (pwdata.data)
PR_Free(pwdata.data);
fclose(outFile);
fclose(inFile);
if (logFile && logFile != stderr) {
fclose(logFile);
}
if (NSS_Shutdown() != SECSuccess) {
SECU_PrintError (program_name, "NSS_Shutdown failed");
exit(1);
}
prdone:
PR_Cleanup ();
return retval;
}
int
main (int argc, char **argv)
{
int retval = 0; /* 0 - test succeeded. -1 - test failed */
SECStatus rv;
PLOptState *optstate;
PLOptStatus optstatus;
char *program_name;
const char *input_file = NULL; /* read encrypted data from here (or create) */
const char *output_file = NULL; /* write new encrypted data here */
const char *value = default_value; /* Use this for plaintext */
SECItem data;
SECItem result = {0, 0, 0};
SECItem text;
PRBool ascii = PR_FALSE;
secuPWData pwdata = { PW_NONE, 0 };
pr_stderr = PR_STDERR;
result.data = 0;
text.data = 0; text.len = 0;
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
optstate = PL_CreateOptState (argc, argv, "?Had:i:o:t:vf:p:");
if (optstate == NULL) {
SECU_PrintError (program_name, "PL_CreateOptState failed");
return -1;
}
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
short_usage (program_name);
return retval;
case 'H':
long_usage (program_name);
return retval;
case 'a':
ascii = PR_TRUE;
break;
case 'd':
SECU_ConfigDirectory(optstate->value);
break;
case 'i':
input_file = optstate->value;
break;
case 'o':
output_file = optstate->value;
break;
case 't':
value = optstate->value;
break;
case 'f':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_FROMFILE;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'p':
if (pwdata.data) {
PORT_Free(pwdata.data);
short_usage(program_name);
return -1;
}
pwdata.source = PW_PLAINTEXT;
pwdata.data = PORT_Strdup(optstate->value);
break;
case 'v':
verbose = PR_TRUE;
break;
}
}
PL_DestroyOptState(optstate);
if (optstatus == PL_OPT_BAD) {
short_usage (program_name);
return -1;
}
if (!output_file && !input_file && value == default_value) {
short_usage (program_name);
PR_fprintf (pr_stderr, "Must specify at least one of -t, -i or -o \n");
return -1;
}
/*
* Initialize the Security libraries.
*/
PK11_SetPasswordFunc(SECU_GetModulePassword);
if (output_file) {
rv = NSS_InitReadWrite(SECU_ConfigDirectory(NULL));
} else {
rv = NSS_Init(SECU_ConfigDirectory(NULL));
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "NSS_Init failed");
retval = -1;
goto prdone;
}
/* Convert value into an item */
data.data = (unsigned char *)value;
data.len = strlen(value);
/* Get the encrypted result, either from the input file
* or from encrypting the plaintext value
*/
if (input_file)
{
if (verbose) printf("Reading data from %s\n", input_file);
if (!strcmp(input_file, "-")) {
retval = readStdin(&result);
ascii = PR_TRUE;
} else {
retval = readInputFile(input_file, &result);
}
if (retval != 0)
goto loser;
if (ascii) {
/* input was base64 encoded. Decode it. */
SECItem newResult = {0, 0, 0};
SECItem *ok = NSSBase64_DecodeBuffer(NULL, &newResult,
(const char *)result.data, result.len);
if (!ok) {
SECU_PrintError(program_name, "Base 64 decode failed");
retval = -1;
goto loser;
}
SECITEM_ZfreeItem(&result, PR_FALSE);
result = *ok;
}
}
else
{
SECItem keyid = { 0, 0, 0 };
SECItem outBuf = { 0, 0, 0 };
PK11SlotInfo *slot = NULL;
/* sigh, initialize the key database */
slot = PK11_GetInternalKeySlot();
if (slot && PK11_NeedUserInit(slot)) {
switch (pwdata.source) {
case PW_FROMFILE:
rv = SECU_ChangePW(slot, 0, pwdata.data);
break;
case PW_PLAINTEXT:
rv = SECU_ChangePW(slot, pwdata.data, 0);
break;
default:
rv = SECU_ChangePW(slot, "", 0);
break;
}
if (rv != SECSuccess) {
SECU_PrintError(program_name, "Failed to initialize slot \"%s\"",
PK11_GetSlotName(slot));
return SECFailure;
}
}
if (slot) {
PK11_FreeSlot(slot);
}
rv = PK11SDR_Encrypt(&keyid, &data, &result, &pwdata);
if (rv != SECSuccess) {
if (verbose)
SECU_PrintError(program_name, "Encrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Encrypted result is %d bytes long\n", result.len);
if (!strcmp(output_file, "-")) {
ascii = PR_TRUE;
}
if (ascii) {
/* base64 encode output. */
char * newResult = NSSBase64_EncodeItem(NULL, NULL, 0, &result);
if (!newResult) {
SECU_PrintError(program_name, "Base 64 encode failed\n");
retval = -1;
goto loser;
}
outBuf.data = (unsigned char *)newResult;
outBuf.len = strlen(newResult);
if (verbose)
printf("Base 64 encoded result is %d bytes long\n", outBuf.len);
} else {
outBuf = result;
}
/* -v printf("Result is %.*s\n", text.len, text.data); */
if (output_file) {
PRFileDesc *file;
PRInt32 count;
if (verbose) printf("Writing result to %s\n", output_file);
if (!strcmp(output_file, "-")) {
file = PR_STDOUT;
} else {
/* Write to file */
file = PR_Open(output_file, PR_CREATE_FILE|PR_WRONLY, 0666);
}
if (!file) {
if (verbose)
SECU_PrintError(program_name,
"Open of output file %s failed\n",
output_file);
retval = -1;
goto loser;
}
count = PR_Write(file, outBuf.data, outBuf.len);
if (file == PR_STDOUT) {
puts("");
} else {
PR_Close(file);
}
if (count != outBuf.len) {
if (verbose) SECU_PrintError(program_name, "Write failed\n");
retval = -1;
goto loser;
}
if (ascii) {
free(outBuf.data);
}
}
}
/* Decrypt the value */
rv = PK11SDR_Decrypt(&result, &text, &pwdata);
if (rv != SECSuccess) {
if (verbose) SECU_PrintError(program_name, "Decrypt operation failed\n");
retval = -1;
goto loser;
}
if (verbose) printf("Decrypted result is \"%.*s\"\n", text.len, text.data);
/* Compare to required value */
if (text.len != data.len || memcmp(data.data, text.data, text.len) != 0)
{
if (verbose) PR_fprintf(pr_stderr, "Comparison failed\n");
retval = -1;
goto loser;
}
loser:
if (text.data) SECITEM_ZfreeItem(&text, PR_FALSE);
if (result.data) SECITEM_ZfreeItem(&result, PR_FALSE);
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
prdone:
PR_Cleanup ();
if (pwdata.data) {
PORT_Free(pwdata.data);
}
return retval;
}
int
main (int argc, char **argv)
{
int retval;
PRFileDesc *in_file;
FILE *out_file; /* not PRFileDesc until SECU accepts it */
int crequest, dresponse;
int prequest, presponse;
int ccert, vcert;
const char *db_dir, *date_str, *cert_usage_str, *name;
const char *responder_name, *responder_url, *signer_name;
PRBool add_acceptable_responses, add_service_locator;
SECItem *data = NULL;
PLOptState *optstate;
SECStatus rv;
CERTCertDBHandle *handle = NULL;
SECCertUsage cert_usage;
PRTime verify_time;
CERTCertificate *cert = NULL;
PRBool ascii = PR_FALSE;
retval = -1; /* what we return/exit with on error */
program_name = PL_strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
in_file = PR_STDIN;
out_file = stdout;
crequest = 0;
dresponse = 0;
prequest = 0;
presponse = 0;
ccert = 0;
vcert = 0;
db_dir = NULL;
date_str = NULL;
cert_usage_str = NULL;
name = NULL;
responder_name = NULL;
responder_url = NULL;
signer_name = NULL;
add_acceptable_responses = PR_FALSE;
add_service_locator = PR_FALSE;
optstate = PL_CreateOptState (argc, argv, "AHLPR:S:V:d:l:pr:s:t:u:w:");
if (optstate == NULL) {
SECU_PrintError (program_name, "PL_CreateOptState failed");
return retval;
}
while (PL_GetNextOpt (optstate) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
short_usage (program_name);
return retval;
case 'A':
add_acceptable_responses = PR_TRUE;
break;
case 'H':
long_usage (program_name);
return retval;
case 'L':
add_service_locator = PR_TRUE;
break;
case 'P':
presponse = 1;
break;
case 'R':
dresponse = 1;
name = optstate->value;
break;
case 'S':
ccert = 1;
name = optstate->value;
break;
case 'V':
vcert = 1;
name = optstate->value;
break;
case 'a':
ascii = PR_TRUE;
break;
case 'd':
db_dir = optstate->value;
break;
case 'l':
responder_url = optstate->value;
break;
case 'p':
prequest = 1;
break;
case 'r':
crequest = 1;
name = optstate->value;
break;
case 's':
signer_name = optstate->value;
break;
case 't':
responder_name = optstate->value;
break;
case 'u':
cert_usage_str = optstate->value;
break;
case 'w':
date_str = optstate->value;
break;
}
}
PL_DestroyOptState(optstate);
if ((crequest + dresponse + prequest + presponse + ccert + vcert) != 1) {
PR_fprintf (PR_STDERR, "%s: must specify exactly one command\n\n",
program_name);
short_usage (program_name);
return retval;
}
if (vcert) {
if (cert_usage_str == NULL) {
PR_fprintf (PR_STDERR, "%s: verification requires cert usage\n\n",
program_name);
short_usage (program_name);
return retval;
}
rv = cert_usage_from_char (cert_usage_str, &cert_usage);
if (rv != SECSuccess) {
PR_fprintf (PR_STDERR, "%s: invalid cert usage (\"%s\")\n\n",
program_name, cert_usage_str);
long_usage (program_name);
return retval;
}
}
if (ccert + vcert) {
if (responder_url != NULL || responder_name != NULL) {
/*
* To do a full status check, both the URL and the cert name
* of the responder must be specified if either one is.
*/
if (responder_url == NULL || responder_name == NULL) {
if (responder_url == NULL)
PR_fprintf (PR_STDERR,
"%s: must also specify responder location\n\n",
program_name);
else
PR_fprintf (PR_STDERR,
"%s: must also specify responder name\n\n",
program_name);
short_usage (program_name);
return retval;
}
}
if (date_str != NULL) {
rv = DER_AsciiToTime (&verify_time, (char *) date_str);
if (rv != SECSuccess) {
SECU_PrintError (program_name, "error converting time string");
PR_fprintf (PR_STDERR, "\n");
long_usage (program_name);
return retval;
}
} else {
verify_time = PR_Now();
}
}
retval = -2; /* errors change from usage to runtime */
/*
* Initialize the NSPR and Security libraries.
*/
PR_Init (PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
db_dir = SECU_ConfigDirectory (db_dir);
rv = NSS_Init (db_dir);
if (rv != SECSuccess) {
SECU_PrintError (program_name, "NSS_Init failed");
goto prdone;
}
SECU_RegisterDynamicOids();
if (prequest + presponse) {
MAKE_FILE_BINARY(stdin);
data = read_file_into_item (in_file, siBuffer);
if (data == NULL) {
SECU_PrintError (program_name, "problem reading input");
goto nssdone;
}
}
if (crequest + dresponse + presponse + ccert + vcert) {
handle = CERT_GetDefaultCertDB();
if (handle == NULL) {
SECU_PrintError (program_name, "problem getting certdb handle");
goto nssdone;
}
/*
* It would be fine to do the enable for all of these commands,
* but this way we check that everything but an overall verify
* can be done without it. That is, that the individual pieces
* work on their own.
*/
if (vcert) {
rv = CERT_EnableOCSPChecking (handle);
if (rv != SECSuccess) {
SECU_PrintError (program_name, "error enabling OCSP checking");
goto nssdone;
}
}
if ((ccert + vcert) && (responder_name != NULL)) {
rv = CERT_SetOCSPDefaultResponder (handle, responder_url,
responder_name);
if (rv != SECSuccess) {
SECU_PrintError (program_name,
"error setting default responder");
goto nssdone;
}
rv = CERT_EnableOCSPDefaultResponder (handle);
if (rv != SECSuccess) {
SECU_PrintError (program_name,
"error enabling default responder");
goto nssdone;
}
}
}
#define NOTYET(opt) \
{ \
PR_fprintf (PR_STDERR, "%s not yet working\n", opt); \
exit (-1); \
}
if (name) {
cert = find_certificate(handle, name, ascii);
}
if (crequest) {
if (signer_name != NULL) {
NOTYET("-s");
}
rv = create_request (out_file, handle, cert, add_service_locator,
add_acceptable_responses);
} else if (dresponse) {
if (signer_name != NULL) {
NOTYET("-s");
}
rv = dump_response (out_file, handle, cert, responder_url);
} else if (prequest) {
rv = print_request (out_file, data);
} else if (presponse) {
rv = print_response (out_file, data, handle);
} else if (ccert) {
if (signer_name != NULL) {
NOTYET("-s");
}
rv = get_cert_status (out_file, handle, cert, name, verify_time);
} else if (vcert) {
if (signer_name != NULL) {
NOTYET("-s");
}
rv = verify_cert (out_file, handle, cert, name, cert_usage, verify_time);
}
if (rv != SECSuccess)
SECU_PrintError (program_name, "error performing requested operation");
else
retval = 0;
nssdone:
if (cert) {
CERT_DestroyCertificate(cert);
}
if (data != NULL) {
SECITEM_FreeItem (data, PR_TRUE);
}
if (handle != NULL) {
CERT_DisableOCSPDefaultResponder(handle);
CERT_DisableOCSPChecking (handle);
}
if (NSS_Shutdown () != SECSuccess) {
retval = 1;
}
prdone:
PR_Cleanup ();
return retval;
}
int
main(int argc, char **argv)
{
char *progName;
FILE *inFile, *outFile;
char *hashName;
SECOidData *hashOID;
PLOptState *optstate;
PLOptStatus status;
SECStatus rv;
progName = strrchr(argv[0], '/');
progName = progName ? progName+1 : argv[0];
inFile = NULL;
outFile = NULL;
hashName = NULL;
rv = NSS_Init("/tmp");
if (rv != SECSuccess) {
fprintf(stderr, "%s: NSS_Init failed in directory %s\n",
progName, "/tmp");
return -1;
}
/*
* Parse command line arguments
*/
optstate = PL_CreateOptState(argc, argv, "t:i:o:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
Usage(progName);
break;
case 'i':
inFile = fopen(optstate->value, "r");
if (!inFile) {
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
return -1;
}
break;
case 'o':
outFile = fopen(optstate->value, "w");
if (!outFile) {
fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
progName, optstate->value);
return -1;
}
break;
case 't':
hashName = strdup(optstate->value);
break;
}
}
if (!hashName) Usage(progName);
if (!inFile) inFile = stdin;
if (!outFile) outFile = stdout;
hashOID = HashNameToOID(hashName);
if (hashOID == NULL) {
fprintf(stderr, "%s: invalid digest type\n", progName);
Usage(progName);
}
if (DigestFile(outFile, inFile, hashOID)) {
fprintf(stderr, "%s: problem digesting data (%s)\n",
progName, SECU_Strerror(PORT_GetError()));
return -1;
}
if (NSS_Shutdown() != SECSuccess) {
exit(1);
}
return 0;
}
int
__pmSecureServerInit(void)
{
const PRUint16 *cipher;
SECStatus secsts;
int pathSpecified;
int sts = 0;
PM_INIT_LOCKS();
PM_LOCK(secureserver_lock);
/* Only attempt this once. */
if (secure_server.initialized)
goto done;
secure_server.initialized = 1;
if (PR_Initialized() != PR_TRUE)
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
/* Configure optional (cmdline) password file in case DB locked */
PK11_SetPasswordFunc(certificate_database_password);
/*
* Configure location of the NSS database with a sane default.
* For servers, we default to the shared (sql) system-wide database.
* If command line db specified, pass it directly through - allowing
* any old database format, at the users discretion.
*/
if (!secure_server.database_path[0]) {
const char *path;
pathSpecified = 0;
path = serverdb(secure_server.database_path, MAXPATHLEN, "sql:");
/* this is the default case on some platforms, so no log spam */
if (access(path, R_OK|X_OK) < 0) {
if (pmDebugOptions.context)
pmNotifyErr(LOG_INFO,
"Cannot access system security database: %s",
secure_server.database_path);
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
}
else
pathSpecified = 1;
/*
* pmproxy acts as both a client and server. Since the
* server init path happens first, the db previously
* got opened readonly. Instead try to open RW.
* Fallback if there is an error.
*/
secsts = NSS_InitReadWrite(secure_server.database_path);
if( secsts != SECSuccess )
secsts = NSS_Init(secure_server.database_path);
if (secsts != SECSuccess && !pathSpecified) {
/* fallback, older versions of NSS do not support sql: */
serverdb(secure_server.database_path, MAXPATHLEN, "");
secsts = NSS_Init(secure_server.database_path);
}
if (secsts != SECSuccess) {
pmNotifyErr(LOG_ERR, "Cannot setup certificate DB (%s): %s",
secure_server.database_path,
pmErrStr(__pmSecureSocketsError(PR_GetError())));
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
/* Some NSS versions don't do this correctly in NSS_SetDomesticPolicy. */
for (cipher = SSL_GetImplementedCiphers(); *cipher != 0; ++cipher)
SSL_CipherPolicySet(*cipher, SSL_ALLOWED);
/* Configure SSL session cache for multi-process server, using defaults */
secsts = SSL_ConfigMPServerSIDCache(1, 0, 0, NULL);
if (secsts != SECSuccess) {
pmNotifyErr(LOG_ERR, "Unable to configure SSL session ID cache: %s",
pmErrStr(__pmSecureSocketsError(PR_GetError())));
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
} else {
secure_server.ssl_session_cache_setup = 1;
}
/*
* Iterate over any/all PCP Collector nickname certificates,
* seeking one valid certificate. No-such-nickname is not an
* error (not configured by admin at all) but anything else is.
*/
CERTCertList *certlist;
CERTCertDBHandle *nssdb = CERT_GetDefaultCertDB();
CERTCertificate *dbcert = PK11_FindCertFromNickname(secure_server.cert_nickname, NULL);
if (dbcert) {
PRTime now = PR_Now();
SECItem *name = &dbcert->derSubject;
CERTCertListNode *node;
certlist = CERT_CreateSubjectCertList(NULL, nssdb, name, now, PR_FALSE);
if (certlist) {
for (node = CERT_LIST_HEAD(certlist);
!CERT_LIST_END(node, certlist);
node = CERT_LIST_NEXT (node)) {
if (pmDebugOptions.context)
__pmDumpCertificate(stderr, secure_server.cert_nickname, node->cert);
if (!__pmValidCertificate(nssdb, node->cert, now))
continue;
secure_server.certificate_verified = 1;
break;
}
CERT_DestroyCertList(certlist);
}
if (secure_server.certificate_verified) {
secure_server.certificate_KEA = NSS_FindCertKEAType(dbcert);
secure_server.private_key = PK11_FindKeyByAnyCert(dbcert, NULL);
if (!secure_server.private_key) {
pmNotifyErr(LOG_ERR, "Unable to extract %s private key",
secure_server.cert_nickname);
CERT_DestroyCertificate(dbcert);
secure_server.certificate_verified = 0;
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
} else {
pmNotifyErr(LOG_ERR, "Unable to find a valid %s", secure_server.cert_nickname);
CERT_DestroyCertificate(dbcert);
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
}
if (! secure_server.certificate_verified) {
if (pmDebugOptions.context) {
pmNotifyErr(LOG_INFO, "No valid %s in security database: %s",
secure_server.cert_nickname, secure_server.database_path);
}
sts = -EOPNOTSUPP; /* not fatal - just no secure connections */
secure_server.init_failed = 1;
goto done;
}
secure_server.certificate = dbcert;
secure_server.init_failed = 0;
sts = 0;
done:
PM_UNLOCK(secureserver_lock);
return sts;
}
VCardEmulError
vcard_emul_init(const VCardEmulOptions *options)
{
SECStatus rv;
PRBool ret, has_readers = PR_FALSE, need_coolkey_module;
VReader *vreader;
VReaderEmul *vreader_emul;
SECMODListLock *module_lock;
SECMODModuleList *module_list;
SECMODModuleList *mlp;
int i;
if (vcard_emul_init_called) {
return VCARD_EMUL_INIT_ALREADY_INITED;
}
vcard_emul_init_called = 1;
vreader_init();
vevent_queue_init();
if (options == NULL) {
options = &default_options;
}
/* first initialize NSS */
if (options->nss_db) {
rv = NSS_Init(options->nss_db);
} else {
rv = NSS_Init("sql:/etc/pki/nssdb");
}
if (rv != SECSuccess) {
return VCARD_EMUL_FAIL;
}
/* Set password callback function */
PK11_SetPasswordFunc(vcard_emul_get_password);
/* set up soft cards emulated by software certs rather than physical cards
* */
for (i = 0; i < options->vreader_count; i++) {
int j;
int cert_count;
unsigned char **certs;
int *cert_len;
VCardKey **keys;
PK11SlotInfo *slot;
slot = PK11_FindSlotByName(options->vreader[i].name);
if (slot == NULL) {
continue;
}
vreader_emul = vreader_emul_new(slot, options->vreader[i].card_type,
options->vreader[i].type_params);
vreader = vreader_new(options->vreader[i].vname, vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
cert_count = options->vreader[i].cert_count;
ret = vcard_emul_alloc_arrays(&certs, &cert_len, &keys,
options->vreader[i].cert_count);
if (ret == PR_FALSE) {
continue;
}
cert_count = 0;
for (j = 0; j < options->vreader[i].cert_count; j++) {
/* we should have a better way of identifying certs than by
* nickname here */
CERTCertificate *cert = PK11_FindCertFromNickname(
options->vreader[i].cert_name[j],
NULL);
if (cert == NULL) {
continue;
}
certs[cert_count] = cert->derCert.data;
cert_len[cert_count] = cert->derCert.len;
keys[cert_count] = vcard_emul_make_key(slot, cert);
/* this is safe because the key is still holding a cert reference */
CERT_DestroyCertificate(cert);
cert_count++;
}
if (cert_count) {
VCard *vcard = vcard_emul_make_card(vreader, certs, cert_len,
keys, cert_count);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
/* allow insertion and removal of soft cards */
vreader_emul->saved_vcard = vcard_reference(vcard);
vcard_free(vcard);
vreader_free(vreader);
has_readers = PR_TRUE;
}
g_free(certs);
g_free(cert_len);
g_free(keys);
}
/* if we aren't suppose to use hw, skip looking up hardware tokens */
if (!options->use_hw) {
nss_emul_init = has_readers;
return has_readers ? VCARD_EMUL_OK : VCARD_EMUL_FAIL;
}
/* make sure we have some PKCS #11 module loaded */
module_lock = SECMOD_GetDefaultModuleListLock();
module_list = SECMOD_GetDefaultModuleList();
need_coolkey_module = !has_readers;
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
if (module_has_removable_hw_slots(module)) {
need_coolkey_module = PR_FALSE;
break;
}
}
SECMOD_ReleaseReadLock(module_lock);
if (need_coolkey_module) {
SECMODModule *module;
module = SECMOD_LoadUserModule(
(char *)"library=libcoolkeypk11.so name=Coolkey",
NULL, PR_FALSE);
if (module == NULL) {
return VCARD_EMUL_FAIL;
}
SECMOD_DestroyModule(module); /* free our reference, Module will still
* be on the list.
* until we destroy it */
}
/* now examine all the slots, finding which should be readers */
/* We should control this with options. For now we mirror out any
* removable hardware slot */
default_card_type = options->hw_card_type;
default_type_params = strdup(options->hw_type_params);
SECMOD_GetReadLock(module_lock);
for (mlp = module_list; mlp; mlp = mlp->next) {
SECMODModule *module = mlp->module;
PRBool has_emul_slots = PR_FALSE;
if (module == NULL) {
continue;
}
for (i = 0; i < module->slotCount; i++) {
PK11SlotInfo *slot = module->slots[i];
/* only map removable HW slots */
if (slot == NULL || !PK11_IsRemovable(slot) || !PK11_IsHW(slot)) {
continue;
}
vreader_emul = vreader_emul_new(slot, options->hw_card_type,
options->hw_type_params);
vreader = vreader_new(PK11_GetSlotName(slot), vreader_emul,
vreader_emul_delete);
vreader_add_reader(vreader);
has_readers = PR_TRUE;
has_emul_slots = PR_TRUE;
if (PK11_IsPresent(slot)) {
VCard *vcard;
vcard = vcard_emul_mirror_card(vreader);
vreader_insert_card(vreader, vcard);
vcard_emul_init_series(vreader, vcard);
vcard_free(vcard);
}
}
if (has_emul_slots) {
vcard_emul_new_event_thread(module);
}
}
SECMOD_ReleaseReadLock(module_lock);
nss_emul_init = has_readers;
return VCARD_EMUL_OK;
}
