static int
HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,
SECCertUsage usage, char *progName)
{
SECItem derdata;
SEC_PKCS7ContentInfo *cinfo;
SEC_PKCS7SignedData *signedData;
HASH_HashType digestType;
SECItem digest;
unsigned char buffer[32];
if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE) != SECSuccess) {
SECU_PrintError(progName, "error reading signature file");
return -1;
}
cinfo = SEC_PKCS7DecodeItem(&derdata, NULL, NULL, NULL, NULL,
NULL, NULL, NULL);
if (cinfo == NULL)
return -1;
if (! SEC_PKCS7ContentIsSigned(cinfo)) {
fprintf (out, "Signature file is pkcs7 data, but not signed.\n");
return -1;
}
signedData = cinfo->content.signedData;
/* assume that there is only one digest algorithm for now */
digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
if (digestType == HASH_AlgNULL) {
fprintf (out, "Invalid hash algorithmID\n");
return -1;
}
digest.data = buffer;
if (DigestFile (digest.data, &digest.len, 32, content, digestType)) {
SECU_PrintError (progName, "problem computing message digest");
return -1;
}
fprintf(out, "Signature is ");
if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage, &digest, digestType,
PR_FALSE))
fprintf(out, "valid.\n");
else
fprintf(out, "invalid (Reason: %s).\n",
SECU_Strerror(PORT_GetError()));
SEC_PKCS7DestroyContentInfo(cinfo);
return 0;
}
int
SV_PrintPKCS7ContentInfo(FILE *out, SECItem *der)
{
SEC_PKCS7ContentInfo *cinfo;
int rv = -1;
cinfo = SEC_PKCS7DecodeItem(der, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
if (cinfo != NULL) {
rv = sv_PrintPKCS7ContentInfo(out, cinfo, "pkcs7.contentInfo=");
SEC_PKCS7DestroyContentInfo(cinfo);
}
return rv;
}
SECStatus
SEC_ReadPKCS7Certs(SECItem *pkcs7Item, CERTImportCertificateFunc f, void *arg)
{
SEC_PKCS7ContentInfo *contentInfo = NULL;
SECStatus rv;
SECItem **certs;
int count;
contentInfo = SEC_PKCS7DecodeItem(pkcs7Item, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if ( contentInfo == NULL ) {
goto loser;
}
if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_PKCS7_SIGNED_DATA ) {
goto loser;
}
certs = contentInfo->content.signedData->rawCerts;
if ( certs ) {
count = 0;
while ( *certs ) {
count++;
certs++;
}
rv = (* f)(arg, contentInfo->content.signedData->rawCerts, count);
}
rv = SECSuccess;
goto done;
loser:
rv = SECFailure;
done:
if ( contentInfo ) {
SEC_PKCS7DestroyContentInfo(contentInfo);
}
return(rv);
}
int main(int argc, char **argv)
{
PRFileDesc *contentFile = NULL;
PRFileDesc *signFile = PR_STDIN;
FILE * outFile = stdout;
char * progName;
SECStatus rv;
int result = 1;
SECItem pkcs7der, content;
secuCommand signver;
pkcs7der.data = NULL;
content.data = NULL;
signver.numCommands = sizeof(signver_commands) /sizeof(secuCommandFlag);
signver.numOptions = sizeof(signver_options) / sizeof(secuCommandFlag);
signver.commands = signver_commands;
signver.options = signver_options;
#ifdef XP_PC
progName = strrchr(argv[0], '\\');
#else
progName = strrchr(argv[0], '/');
#endif
progName = progName ? progName+1 : argv[0];
rv = SECU_ParseCommandLine(argc, argv, progName, &signver);
if (SECSuccess != rv) {
Usage(progName, outFile);
}
debugInfo = signver.options[opt_DebugInfo ].activated;
verbose = signver.options[opt_PrintWhyFailure ].activated;
doVerify = signver.commands[cmd_VerifySignedObj].activated;
displayAll= signver.commands[cmd_DisplayAllPCKS7Info].activated;
if (!doVerify && !displayAll)
doVerify = PR_TRUE;
/* Set the certdb directory (default is ~/.netscape) */
rv = NSS_Init(SECU_ConfigDirectory(signver.options[opt_CertDir].arg));
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
return result;
}
/* below here, goto cleanup */
SECU_RegisterDynamicOids();
/* Open the input content file. */
if (signver.options[opt_InputDataFile].activated &&
signver.options[opt_InputDataFile].arg) {
if (PL_strcmp("-", signver.options[opt_InputDataFile].arg)) {
contentFile = PR_Open(signver.options[opt_InputDataFile].arg,
PR_RDONLY, 0);
if (!contentFile) {
PR_fprintf(PR_STDERR,
"%s: unable to open \"%s\" for reading.\n",
progName, signver.options[opt_InputDataFile].arg);
goto cleanup;
}
} else
contentFile = PR_STDIN;
}
/* Open the input signature file. */
if (signver.options[opt_InputSigFile].activated &&
signver.options[opt_InputSigFile].arg) {
if (PL_strcmp("-", signver.options[opt_InputSigFile].arg)) {
signFile = PR_Open(signver.options[opt_InputSigFile].arg,
PR_RDONLY, 0);
if (!signFile) {
PR_fprintf(PR_STDERR,
"%s: unable to open \"%s\" for reading.\n",
progName, signver.options[opt_InputSigFile].arg);
goto cleanup;
}
}
}
if (contentFile == PR_STDIN && signFile == PR_STDIN && doVerify) {
PR_fprintf(PR_STDERR,
"%s: cannot read both content and signature from standard input\n",
progName);
goto cleanup;
}
/* Open|Create the output file. */
if (signver.options[opt_OutputFile].activated) {
outFile = fopen(signver.options[opt_OutputFile].arg, "w");
if (!outFile) {
PR_fprintf(PR_STDERR, "%s: unable to open \"%s\" for writing.\n",
progName, signver.options[opt_OutputFile].arg);
goto cleanup;
}
}
/* read in the input files' contents */
rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
signver.options[opt_ASCII].activated);
if (signFile != PR_STDIN)
PR_Close(signFile);
if (rv != SECSuccess) {
SECU_PrintError(progName, "problem reading PKCS7 input");
goto cleanup;
}
if (contentFile) {
rv = SECU_FileToItem(&content, contentFile);
if (contentFile != PR_STDIN)
PR_Close(contentFile);
if (rv != SECSuccess)
content.data = NULL;
}
/* Signature Verification */
if (doVerify) {
SEC_PKCS7ContentInfo *cinfo;
SEC_PKCS7SignedData *signedData;
HASH_HashType digestType;
PRBool contentIsSigned;
cinfo = SEC_PKCS7DecodeItem(&pkcs7der, NULL, NULL, NULL, NULL,
NULL, NULL, NULL);
if (cinfo == NULL) {
PR_fprintf(PR_STDERR, "Unable to decode PKCS7 data\n");
goto cleanup;
}
/* below here, goto done */
contentIsSigned = SEC_PKCS7ContentIsSigned(cinfo);
if (debugInfo) {
PR_fprintf(PR_STDERR, "Content is%s encrypted.\n",
SEC_PKCS7ContentIsEncrypted(cinfo) ? "" : " not");
}
if (debugInfo || !contentIsSigned) {
PR_fprintf(PR_STDERR, "Content is%s signed.\n",
contentIsSigned ? "" : " not");
}
if (!contentIsSigned)
goto done;
signedData = cinfo->content.signedData;
/* assume that there is only one digest algorithm for now */
digestType = AlgorithmToHashType(signedData->digestAlgorithms[0]);
if (digestType == HASH_AlgNULL) {
PR_fprintf(PR_STDERR, "Invalid hash algorithmID\n");
goto done;
}
if (content.data) {
SECCertUsage usage = certUsageEmailSigner;
SECItem digest;
unsigned char digestBuffer[HASH_LENGTH_MAX];
if (debugInfo)
PR_fprintf(PR_STDERR, "contentToVerify=%s\n", content.data);
digest.data = digestBuffer;
digest.len = sizeof digestBuffer;
if (DigestContent(&digest, &content, digestType)) {
SECU_PrintError(progName, "Message digest computation failure");
goto done;
}
if (debugInfo) {
unsigned int i;
PR_fprintf(PR_STDERR, "Data Digest=:");
for (i = 0; i < digest.len; i++)
PR_fprintf(PR_STDERR, "%02x:", digest.data[i]);
PR_fprintf(PR_STDERR, "\n");
}
fprintf(outFile, "signatureValid=");
PORT_SetError(0);
if (SEC_PKCS7VerifyDetachedSignature (cinfo, usage,
&digest, digestType, PR_FALSE)) {
fprintf(outFile, "yes");
} else {
fprintf(outFile, "no");
if (verbose) {
fprintf(outFile, ":%s",
SECU_Strerror(PORT_GetError()));
}
}
fprintf(outFile, "\n");
result = 0;
}
done:
SEC_PKCS7DestroyContentInfo(cinfo);
}
if (displayAll) {
if (SV_PrintPKCS7ContentInfo(outFile, &pkcs7der))
result = 1;
}
cleanup:
SECITEM_FreeItem(&pkcs7der, PR_FALSE);
SECITEM_FreeItem(&content, PR_FALSE);
if (NSS_Shutdown() != SECSuccess) {
result = 1;
}
return result;
}
smime_CMDExports() {
SEC_PKCS7DecodeItem();
SEC_PKCS7DestroyContentInfo();
}
SECStatus
SEC_ReadCertSequence(SECItem *certsItem, CERTImportCertificateFunc f, void *arg)
{
SECStatus rv;
SECItem **certs;
int count;
SECItem **rawCerts = NULL;
PRArenaPool *arena;
SEC_PKCS7ContentInfo *contentInfo = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
return SECFailure;
}
contentInfo = SEC_PKCS7DecodeItem(certsItem, NULL, NULL, NULL, NULL, NULL,
NULL, NULL);
if ( contentInfo == NULL ) {
goto loser;
}
if ( SEC_PKCS7ContentType (contentInfo) != SEC_OID_NS_TYPE_CERT_SEQUENCE ) {
goto loser;
}
rv = SEC_QuickDERDecodeItem(arena, &rawCerts, SEC_CertSequenceTemplate,
contentInfo->content.data);
if (rv != SECSuccess) {
goto loser;
}
certs = rawCerts;
if ( certs ) {
count = 0;
while ( *certs ) {
count++;
certs++;
}
rv = (* f)(arg, rawCerts, count);
}
rv = SECSuccess;
goto done;
loser:
rv = SECFailure;
done:
if ( contentInfo ) {
SEC_PKCS7DestroyContentInfo(contentInfo);
}
if ( arena ) {
PORT_FreeArena(arena, PR_FALSE);
}
return(rv);
}
