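/*
 * Read a DER-encoded object from inFile into der.
 *
 * With ascii true the file is base64 text: a "-----BEGIN" header line
 * (if present) is skipped, the text is terminated at the first
 * "-----END" marker (a header without a trailer is an error), and the
 * remainder is decoded with ATOB_ConvertAsciiToItem.  With ascii false
 * the file contents are taken verbatim as DER.
 *
 * Returns SECSuccess, or SECFailure after printing a diagnostic to
 * stderr.  On success der->data is owned by the caller.
 */
SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
{
    SECStatus rv;
    SECItem filedata = { 0 };
    char *asc, *body;

    if (!ascii) {
        /* Binary input: the file contents are the DER as-is. */
        rv = SECU_FileToItem(der, inFile);
        if (rv) {
            fprintf(stderr, "error converting der (%d)\n", PORT_GetError());
            return SECFailure;
        }
        return SECSuccess;
    }

    /* ASCII input: slurp the whole file, then strip PEM-style armor. */
    rv = SECU_FileToItem(&filedata, inFile);
    asc = (char *)filedata.data;
    /* The read status used to be ignored; a failed read must not be
     * treated as data just because the pointer happens to be set. */
    if (rv != SECSuccess || !asc) {
        fprintf(stderr, "unable to read data from input file\n");
        if (filedata.data) {
            PORT_Free(filedata.data);
        }
        return SECFailure;
    }

    /* NOTE(review): strstr/PORT_Strchr below need filedata.data to be
     * NUL-terminated; this relies on SECU_FileToItem guaranteeing that
     * — confirm in secutil. */
    body = strstr(asc, "-----BEGIN");
    if (body != NULL) {
        char *trailer = NULL;

        asc = body;
        /* Skip the header line; fall back to '\r' for old Mac line ends. */
        body = PORT_Strchr(body, '\n');
        if (!body) {
            body = PORT_Strchr(asc, '\r');
        }
        if (body) {
            trailer = strstr(++body, "-----END");
        }
        if (trailer == NULL) {
            fprintf(stderr, "input has header but no trailer\n");
            PORT_Free(filedata.data);
            return SECFailure;
        }
        /* Cut the base64 body off at the trailer. */
        *trailer = '\0';
    } else {
        body = asc;
    }

    /* Convert to binary */
    rv = ATOB_ConvertAsciiToItem(der, body);
    if (rv) {
        fprintf(stderr, "error converting ascii to binary (%d)\n",
                PORT_GetError());
        PORT_Free(filedata.data);
        return SECFailure;
    }
    PORT_Free(filedata.data);
    return SECSuccess;
}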
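/*
 * addbuiltin: read one DER certificate (or a CRL, for opt_DistrustCRL)
 * and emit the corresponding builtin-module trust object.
 *
 * Exactly one of opt_Trust, opt_Distrust or opt_DistrustCRL must be
 * given, together with opt_Nickname.  Input is the opt_Input file or
 * stdin.  Exits non-zero on any error; Usage() is called for option
 * errors.
 */
int
main(int argc, char **argv)
{
    SECStatus rv;
    char *nickname = NULL;
    char *trusts = NULL;
    char *progName;
    PRFileDesc *infile;
    CERTCertTrust trust = { 0 };
    SECItem derItem = { 0 };
    PRInt32 crlentry = 0;
    PRInt32 mutuallyExclusiveOpts = 0;
    PRBool decodeTrust = PR_FALSE;
    secuCommand addbuiltin = { 0 };

    addbuiltin.numOptions = sizeof(addbuiltin_options) / sizeof(secuCommandFlag);
    addbuiltin.options = addbuiltin_options;

    progName = strrchr(argv[0], '/');
    progName = progName ? progName + 1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
    if (rv != SECSuccess) {
        Usage(progName);
    }

    /* -t / -D / -C pick the kind of record to emit; exactly one applies. */
    if (addbuiltin.options[opt_Trust].activated) {
        ++mutuallyExclusiveOpts;
    }
    if (addbuiltin.options[opt_Distrust].activated) {
        ++mutuallyExclusiveOpts;
    }
    if (addbuiltin.options[opt_DistrustCRL].activated) {
        ++mutuallyExclusiveOpts;
    }
    if (mutuallyExclusiveOpts != 1) {
        fprintf(stderr, "%s: you must specify exactly one of -t or -D or -C\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_DistrustCRL].activated) {
        if (!addbuiltin.options[opt_CRLEnry].activated) {
            fprintf(stderr, "%s: you must specify the CRL entry number.\n",
                    progName);
            Usage(progName);
        } else {
            /* strtol rather than atoi: trailing garbage ("3x") and values
             * that do not fit a PRInt32 are rejected instead of being
             * silently accepted or truncated. */
            const char *entryArg = addbuiltin.options[opt_CRLEnry].arg;
            char *end = NULL;
            long entry = strtol(entryArg, &end, 10);
            if (end == entryArg || *end != '\0' ||
                entry < 1 || entry > PR_INT32_MAX) {
                fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
                        progName);
                Usage(progName);
            }
            crlentry = (PRInt32)entry;
        }
    }

    if (!addbuiltin.options[opt_Nickname].activated) {
        fprintf(stderr,
                "%s: you must specify parameter -n (a nickname or a label).\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_Input].activated) {
        infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
        if (!infile) {
            fprintf(stderr, "%s: failed to open input file.\n", progName);
            exit(1);
        }
    } else {
#if defined(WIN32)
        /* If we're going to read binary data from stdin, we must put stdin
        ** into O_BINARY mode or else incoming \r\n's will become \n's,
        ** and latin-1 characters will be altered.
        */
        int smrv = _setmode(_fileno(stdin), _O_BINARY);
        if (smrv == -1) {
            fprintf(stderr,
                    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
                    progName);
            exit(1);
        }
#endif
        infile = PR_STDIN;
    }

    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
    if (!nickname) {
        fprintf(stderr, "%s: out of memory.\n", progName);
        exit(1);
    }

    if (NSS_NoDB_Init(NULL) != SECSuccess) {
        fprintf(stderr, "%s: NSS initialization failed.\n", progName);
        exit(1);
    }

    /* -D and -C imply both exclusion flags. */
    if (addbuiltin.options[opt_Distrust].activated ||
        addbuiltin.options[opt_DistrustCRL].activated) {
        addbuiltin.options[opt_ExcludeCert].activated = PR_TRUE;
        addbuiltin.options[opt_ExcludeHash].activated = PR_TRUE;
    }

    if (addbuiltin.options[opt_Distrust].activated) {
        trusts = strdup("p,p,p");
        decodeTrust = PR_TRUE;
    } else if (addbuiltin.options[opt_Trust].activated) {
        trusts = strdup(addbuiltin.options[opt_Trust].arg);
        decodeTrust = PR_TRUE;
    }

    if (decodeTrust) {
        if (!trusts) {
            fprintf(stderr, "%s: out of memory.\n", progName);
            exit(1);
        }
        rv = CERT_DecodeTrustString(&trust, trusts);
        if (rv) {
            fprintf(stderr, "%s: incorrectly formatted trust string.\n",
                    progName);
            Usage(progName);
        }
    }

    if (addbuiltin.options[opt_Trust].activated &&
        addbuiltin.options[opt_ExcludeHash].activated) {
        /* Omitting the hash is only permitted when every trust flag is
         * exactly CERTDB_TERMINAL_RECORD, i.e. a pure distrust record. */
        if ((trust.sslFlags | trust.emailFlags | trust.objectSigningFlags) !=
            CERTDB_TERMINAL_RECORD) {
            fprintf(stderr,
                    "%s: Excluding the hash only allowed with distrust.\n",
                    progName);
            Usage(progName);
        }
    }

    /* The read status used to be ignored, which would hand an empty item
     * to the converter on an unreadable input. */
    rv = SECU_FileToItem(&derItem, infile);
    if (infile != PR_STDIN) {
        PR_Close(infile);
    }
    if (rv != SECSuccess) {
        fprintf(stderr, "%s: failed to read input file.\n", progName);
        exit(1);
    }

    /*printheader();*/

    if (addbuiltin.options[opt_DistrustCRL].activated) {
        rv = ConvertCRLEntry(&derItem, crlentry, nickname);
        if (rv) {
            fprintf(stderr, "%s: failed to convert CRL entry.\n", progName);
            exit(1);
        }
    } else {
        rv = ConvertCertificate(&derItem, nickname, &trust,
                                addbuiltin.options[opt_ExcludeCert].activated,
                                addbuiltin.options[opt_ExcludeHash].activated);
        if (rv) {
            fprintf(stderr, "%s: failed to convert certificate.\n", progName);
            exit(1);
        }
    }

    if (NSS_Shutdown() != SECSuccess) {
        exit(1);
    }

    return SECSuccess;
}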
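/*
 * signver: verify a detached PKCS#7 signature over a content file and/or
 * dump the PKCS#7 structure.
 *
 * opt_InputSigFile is the signature (DER, or base64 with opt_ASCII) and
 * opt_InputDataFile the signed content; either may be "-" for stdin, but
 * not both when verifying.  Output goes to opt_OutputFile or stdout.
 *
 * Returns 0 only when a detached-signature check was actually performed
 * (the verdict itself is printed as "signatureValid=yes|no"); returns 1
 * on any error, including a failed dump or NSS shutdown.
 */
int
main(int argc, char **argv)
{
    PRFileDesc *contentFile = NULL;
    PRFileDesc *signFile = PR_STDIN;
    FILE *outFile = stdout;
    char *progName;
    SECStatus rv;
    int result = 1;
    SECItem pkcs7der = { 0 };
    SECItem content = { 0 };
    secuCommand signver = { 0 };

    signver.numCommands = sizeof(signver_commands) / sizeof(secuCommandFlag);
    signver.numOptions = sizeof(signver_options) / sizeof(secuCommandFlag);
    signver.commands = signver_commands;
    signver.options = signver_options;

#ifdef XP_PC
    progName = strrchr(argv[0], '\\');
#else
    progName = strrchr(argv[0], '/');
#endif
    progName = progName ? progName + 1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &signver);
    if (SECSuccess != rv) {
        Usage(progName, outFile);
    }

    debugInfo = signver.options[opt_DebugInfo].activated;
    verbose = signver.options[opt_PrintWhyFailure].activated;
    doVerify = signver.commands[cmd_VerifySignedObj].activated;
    displayAll = signver.commands[cmd_DisplayAllPCKS7Info].activated;
    if (!doVerify && !displayAll) {
        doVerify = PR_TRUE; /* verification is the default action */
    }

    /* Set the certdb directory (default is ~/.netscape) */
    rv = NSS_Init(SECU_ConfigDirectory(signver.options[opt_CertDir].arg));
    if (rv != SECSuccess) {
        SECU_PrintPRandOSError(progName);
        return result;
    }
    /* below here, goto cleanup */
    SECU_RegisterDynamicOids();

    /* Open the input content file. */
    if (signver.options[opt_InputDataFile].activated &&
        signver.options[opt_InputDataFile].arg) {
        if (PL_strcmp("-", signver.options[opt_InputDataFile].arg)) {
            contentFile = PR_Open(signver.options[opt_InputDataFile].arg,
                                  PR_RDONLY, 0);
            if (!contentFile) {
                PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading.\n",
                           progName, signver.options[opt_InputDataFile].arg);
                goto cleanup;
            }
        } else {
            contentFile = PR_STDIN;
        }
    }

    /* Open the input signature file. */
    if (signver.options[opt_InputSigFile].activated &&
        signver.options[opt_InputSigFile].arg) {
        if (PL_strcmp("-", signver.options[opt_InputSigFile].arg)) {
            signFile = PR_Open(signver.options[opt_InputSigFile].arg,
                               PR_RDONLY, 0);
            if (!signFile) {
                PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for reading.\n",
                           progName, signver.options[opt_InputSigFile].arg);
                goto cleanup;
            }
        }
    }

    if (contentFile == PR_STDIN && signFile == PR_STDIN && doVerify) {
        PR_fprintf(PR_STDERR,
                   "%s: cannot read both content and signature from standard input\n",
                   progName);
        goto cleanup;
    }

    /* Open|Create the output file. */
    if (signver.options[opt_OutputFile].activated) {
        outFile = fopen(signver.options[opt_OutputFile].arg, "w");
        if (!outFile) {
            PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for writing.\n",
                       progName, signver.options[opt_OutputFile].arg);
            goto cleanup;
        }
    }

    /* read in the input files' contents */
    rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
                              signver.options[opt_ASCII].activated);
    if (signFile != PR_STDIN) {
        PR_Close(signFile);
    }
    signFile = NULL; /* closed (or stdin): nothing left for cleanup to release */
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "problem reading PKCS7 input");
        goto cleanup;
    }

    if (contentFile) {
        rv = SECU_FileToItem(&content, contentFile);
        if (contentFile != PR_STDIN) {
            PR_Close(contentFile);
        }
        contentFile = NULL;
        if (rv != SECSuccess) {
            /* An unreadable content file is treated as "no content":
             * verification below is then skipped and result stays 1. */
            content.data = NULL;
        }
    }

    /* Signature Verification */
    if (doVerify) {
        SEC_PKCS7ContentInfo *cinfo;
        SEC_PKCS7SignedData *signedData;
        HASH_HashType digestType;
        PRBool contentIsSigned;

        cinfo = SEC_PKCS7DecodeItem(&pkcs7der, NULL, NULL, NULL, NULL,
                                    NULL, NULL, NULL);
        if (cinfo == NULL) {
            PR_fprintf(PR_STDERR, "Unable to decode PKCS7 data\n");
            goto cleanup;
        }
        /* below here, goto done */
        contentIsSigned = SEC_PKCS7ContentIsSigned(cinfo);
        if (debugInfo) {
            PR_fprintf(PR_STDERR, "Content is%s encrypted.\n",
                       SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
        }
        if (debugInfo || !contentIsSigned) {
            PR_fprintf(PR_STDERR, "Content is%s signed.\n",
                       contentIsSigned ? "" : " not");
        }
        if (!contentIsSigned) {
            goto done;
        }

        signedData = cinfo->content.signedData;
        /* assume that there is only one digest algorithm for now */
        /* A decoded SignedData with no digest algorithm used to be
         * dereferenced unconditionally; reject it instead. */
        if (signedData->digestAlgorithms == NULL ||
            signedData->digestAlgorithms[0] == NULL) {
            PR_fprintf(PR_STDERR, "No digest algorithm in signed data\n");
            goto done;
        }
        digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
        if (digestType == HASH_AlgNULL) {
            PR_fprintf(PR_STDERR, "Invalid hash algorithmID\n");
            goto done;
        }

        if (content.data) {
            SECCertUsage usage = certUsageEmailSigner;
            SECItem digest;
            unsigned char digestBuffer[HASH_LENGTH_MAX];

            if (debugInfo) {
                /* NOTE(review): %s needs content.data NUL-terminated; this
                 * relies on SECU_FileToItem providing that — confirm. */
                PR_fprintf(PR_STDERR, "contentToVerify=%s\n", content.data);
            }

            digest.data = digestBuffer;
            digest.len = sizeof digestBuffer;
            if (DigestContent(&digest, &content, digestType)) {
                SECU_PrintError(progName, "Message digest computation failure");
                goto done;
            }

            if (debugInfo) {
                unsigned int i;
                PR_fprintf(PR_STDERR, "Data Digest=:");
                for (i = 0; i < digest.len; i++) {
                    PR_fprintf(PR_STDERR, "%02x:", digest.data[i]);
                }
                PR_fprintf(PR_STDERR, "\n");
            }

            fprintf(outFile, "signatureValid=");
            PORT_SetError(0);
            if (SEC_PKCS7VerifyDetachedSignature(cinfo, usage, &digest,
                                                 digestType, PR_FALSE)) {
                fprintf(outFile, "yes");
            } else {
                fprintf(outFile, "no");
                if (verbose) {
                    fprintf(outFile, ":%s", SECU_Strerror(PORT_GetError()));
                }
            }
            fprintf(outFile, "\n");
            /* Exit status records that a verdict was produced; the verdict
             * itself is the printed line, not the return value. */
            result = 0;
        }
    done:
        SEC_PKCS7DestroyContentInfo(cinfo);
    }

    if (displayAll) {
        if (SV_PrintPKCS7ContentInfo(outFile, &pkcs7der)) {
            result = 1;
        }
    }

cleanup:
    /* Descriptors still open here were left behind by an early exit. */
    if (contentFile && contentFile != PR_STDIN) {
        PR_Close(contentFile);
    }
    if (signFile && signFile != PR_STDIN) {
        PR_Close(signFile);
    }
    /* A failed flush would lose the verdict line; report it. */
    if (outFile && outFile != stdout && fclose(outFile) != 0) {
        result = 1;
    }
    SECITEM_FreeItem(&pkcs7der, PR_FALSE);
    SECITEM_FreeItem(&content, PR_FALSE);
    if (NSS_Shutdown() != SECSuccess) {
        result = 1;
    }
    return result;
}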
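/*
 * addbuiltin (trust-only variant): read one DER certificate and emit the
 * corresponding builtin-module trust object.
 *
 * Both opt_Nickname and opt_Trust are required.  Input is the opt_Input
 * file or stdin.  Exits non-zero on any error; Usage() is called for
 * option errors.
 */
int
main(int argc, char **argv)
{
    SECStatus rv;
    char *nickname;
    char *trusts;
    char *progName;
    PRFileDesc *infile;
    CERTCertTrust trust = { 0 };
    SECItem derCert = { 0 };
    secuCommand addbuiltin = { 0 };

    addbuiltin.numOptions = sizeof(addbuiltin_options) / sizeof(secuCommandFlag);
    addbuiltin.options = addbuiltin_options;

    progName = strrchr(argv[0], '/');
    progName = progName ? progName + 1 : argv[0];

    rv = SECU_ParseCommandLine(argc, argv, progName, &addbuiltin);
    if (rv != SECSuccess) {
        Usage(progName);
    }

    /* Both options are mandatory (their .arg values are strdup'ed below),
     * so missing either one is an error; the old test used && and only
     * fired when both were absent. */
    if (!addbuiltin.options[opt_Nickname].activated ||
        !addbuiltin.options[opt_Trust].activated) {
        fprintf(stderr, "%s: you must specify both a nickname and trust.\n",
                progName);
        Usage(progName);
    }

    if (addbuiltin.options[opt_Input].activated) {
        infile = PR_Open(addbuiltin.options[opt_Input].arg, PR_RDONLY, 00660);
        if (!infile) {
            fprintf(stderr, "%s: failed to open input file.\n", progName);
            exit(1);
        }
    } else {
#if defined(WIN32)
        /* If we're going to read binary data from stdin, we must put stdin
        ** into O_BINARY mode or else incoming \r\n's will become \n's,
        ** and latin-1 characters will be altered.
        */
        int smrv = _setmode(_fileno(stdin), _O_BINARY);
        if (smrv == -1) {
            fprintf(stderr,
                    "%s: Cannot change stdin to binary mode. Use -i option instead.\n",
                    progName);
            exit(1);
        }
#endif
        infile = PR_STDIN;
    }

    nickname = strdup(addbuiltin.options[opt_Nickname].arg);
    trusts = strdup(addbuiltin.options[opt_Trust].arg);
    if (!nickname || !trusts) {
        fprintf(stderr, "%s: out of memory.\n", progName);
        exit(1);
    }

    if (NSS_NoDB_Init(NULL) != SECSuccess) {
        fprintf(stderr, "%s: NSS initialization failed.\n", progName);
        exit(1);
    }

    rv = CERT_DecodeTrustString(&trust, trusts);
    if (rv) {
        fprintf(stderr, "%s: incorrectly formatted trust string.\n", progName);
        Usage(progName);
    }

    /* The read status used to be ignored, which would hand an empty item
     * to the converter on an unreadable input. */
    rv = SECU_FileToItem(&derCert, infile);
    if (infile != PR_STDIN) {
        PR_Close(infile);
    }
    if (rv != SECSuccess) {
        fprintf(stderr, "%s: failed to read input file.\n", progName);
        exit(1);
    }

    /*printheader();*/

    rv = ConvertCertificate(&derCert, nickname, &trust);
    if (rv) {
        fprintf(stderr, "%s: failed to convert certificate.\n", progName);
        exit(1);
    }

    if (NSS_Shutdown() != SECSuccess) {
        exit(1);
    }

    return SECSuccess;
}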