authorjulien.pierre.boogz%sun.com <devnull@localhost>2008-02-16 01:17:45 +0000
committerjulien.pierre.boogz%sun.com <devnull@localhost>2008-02-16 01:17:45 +0000
commite007f1311dd8650c45624e1f610a5a10603215ec (patch)
treea088b86946d5f66d8af090ae04bd44bd80c39cf4
parent8bcce02194e1bab11405de803b42043a1bbd9058 (diff)
downloadnss-hg-e007f1311dd8650c45624e1f610a5a10603215ec.tar.gz
Fix for bug 369144 . certutil needs option to generate SubjectKeyID extension. r=nelson
-rw-r--r--security/nss/cmd/certcgi/certcgi.c3
-rw-r--r--security/nss/cmd/certutil/certext.c49
-rw-r--r--security/nss/cmd/certutil/certutil.c14
-rw-r--r--security/nss/cmd/certutil/certutil.h1
-rw-r--r--security/nss/cmd/lib/secutil.c50
-rw-r--r--security/nss/cmd/lib/secutil.h5
-rw-r--r--security/nss/lib/certdb/cert.h4
-rw-r--r--security/nss/lib/certdb/xconst.c17
-rw-r--r--security/nss/lib/certdb/xconst.h2
-rw-r--r--security/nss/lib/nss/nss.def1
10 files changed, 125 insertions, 21 deletions
diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c
index 339030969..038b55f98 100644
--- a/security/nss/cmd/certcgi/certcgi.c
+++ b/security/nss/cmd/certcgi/certcgi.c
@@ -952,8 +952,7 @@ AddSubKeyID(void *extHandle,
(data,"subjectKeyIdentifier-text", PR_TRUE);
subjectCert->subjectKeyID.len = len;
rv = CERT_EncodeSubjectKeyID
- (NULL, find_field(data,"subjectKeyIdentifier-text", PR_TRUE),
- len, &encodedValue);
+ (NULL, &subjectCert->subjectKeyID, &encodedValue);
if (rv) {
return (rv);
}
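Review bot: The CGI path now hands `subjectCert->subjectKeyID` straight to `CERT_EncodeSubjectKeyID`, and from the `subjectKeyIdentifier-text` field and `subjectKeyID.len = len` just above it looks like those bytes are the raw form text, whereas the certutil path in this same commit runs its input through `SECU_SECItemHexStringToBinary` before encoding. The two tools will therefore emit different SubjectKeyIdentifier values for the same typed string, and the CGI one will be ASCII rather than a key hash. If that is not intended, the same decode belongs here before the encode call, e.g. `if (SECU_SECItemHexStringToBinary(&subjectCert->subjectKeyID) != SECSuccess) return SECFailure;`, or a comment should state that this field is taken as literal bytes. AddSubKeyID begins and ends outside this hunk.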
diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c
index eb5703324..cdebedc6b 100644
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -57,6 +57,7 @@
#endif
#include "cert.h"
+#include "xconst.h"
#include "prprf.h"
#include "certutil.h"
@@ -703,6 +704,9 @@ AddAuthKeyID (void *extHandle)
"enter to omit:", &authKeyID->keyID);
if (rv != SECSuccess)
break;
+
+ SECU_SECItemHexStringToBinary(&authKeyID->keyID);
+
authKeyID->authCertIssuer = GetGeneralName (arena);
if (authKeyID->authCertIssuer == NULL &&
SECFailure == PORT_GetError ())
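Review bot: The return value of the new `SECU_SECItemHexStringToBinary(&authKeyID->keyID)` call is discarded, so a malformed or non-`0x` entry is silently kept as the raw ASCII bytes of the key identifier (the helper leaves the item untouched on failure) and the user gets no error. An empty entry, which the prompt invites with "enter to omit", presumably fails the helper's length check too, so the check needs to allow that case explicitly: `if (authKeyID->keyID.len && SECU_SECItemHexStringToBinary(&authKeyID->keyID) != SECSuccess) { SECU_PrintError(progName, "invalid key identifier"); GEN_BREAK(SECFailure); }`. AddAuthKeyID begins and ends outside this hunk.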
@@ -727,6 +731,43 @@ AddAuthKeyID (void *extHandle)
}
static SECStatus
+AddSubjKeyID (void *extHandle)
+{
+ SECItem keyID;
+ PRArenaPool *arena = NULL;
+ SECStatus rv = SECSuccess;
+ PRBool yesNoAns;
+
+ do {
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if ( !arena ) {
+ SECU_PrintError(progName, "out of memory");
+ GEN_BREAK (SECFailure);
+ }
+ printf("Adding Subject Key ID extension.\n");
+
+ rv = GetString (arena, "Enter value for the key identifier fields,"
+ "enter to omit:", &keyID);
+ if (rv != SECSuccess)
+ break;
+
+ SECU_SECItemHexStringToBinary(&keyID);
+
+ yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
+
+ rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
+ &keyID, yesNoAns, SEC_OID_X509_SUBJECT_KEY_ID,
+ (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID);
+ if (rv)
+ break;
+
+ } while (0);
+ if (arena)
+ PORT_FreeArena (arena, PR_FALSE);
+ return (rv);
+}
+
+static SECStatus
AddCrlDistPoint(void *extHandle)
{
PRArenaPool *arena = NULL;
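Review bot: In AddSubjKeyID the result of `SECU_SECItemHexStringToBinary(&keyID)` is ignored, so an invalid or empty answer is passed on unchanged and `SECU_EncodeAndAddExtensionValue` will happily encode the raw text, or an empty OCTET STRING, as the SubjectKeyIdentifier. The `GetYesNo("Is this a critical extension [y/N]?")` prompt is also a problem for this particular extension: RFC 5280 §4.2.1.2 requires conforming CAs to mark subjectKeyIdentifier non-critical, so offering the choice lets certutil produce non-conforming certificates. The prompt text "key identifier fields, enter to omit" is copied from the AKID dialogue and does not fit an extension whose only content is that identifier. I would validate the input, drop the criticality question and pass `PR_FALSE`, as below.
```c
    rv = GetString (arena, "Enter value for the subject key identifier "
                    "(hex, 0x-prefixed):", &keyID);
    if (rv != SECSuccess)
        break;

    /* The identifier is the whole extension, so reject anything that
     * does not decode; the helper leaves keyID untouched on failure. */
    if (SECU_SECItemHexStringToBinary(&keyID) != SECSuccess) {
        SECU_PrintError(progName, "invalid subject key identifier");
        GEN_BREAK (SECFailure);
    }

    /* RFC 5280 4.2.1.2: subjectKeyIdentifier MUST be non-critical. */
    rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
          &keyID, PR_FALSE, SEC_OID_X509_SUBJECT_KEY_ID,
          (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID);
    /* … unchanged: break on failure, arena cleanup, return … */
```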
@@ -1548,6 +1589,14 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
errstring = "AuthorityKeyID";
break;
}
+ }
+
+ if (extList[ext_subjectKeyID]) {
+ rv = AddSubjKeyID(extHandle);
+ if (rv) {
+ errstring = "SubjectKeyID";
+ break;
+ }
}
if (extList[ext_CRLDistPts]) {
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index bbf7abaad..f56c9d88c 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -958,8 +958,8 @@ Usage(char *progName)
"\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
"\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n"
"\t\t [-8 DNS-names]\n"
- "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n",
- progName);
+ "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n"
+ "\t\t [--extSKID]\n", progName);
FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName);
exit(1);
}
@@ -1331,6 +1331,8 @@ static void LongUsage(char *progName)
" --extPC ");
FPS "%-20s Create an Inhibit Any Policy extension\n",
" --extIA ");
+ FPS "%-20s Create a subject key ID extension\n",
+ " --extSKID ");
FPS "\n");
exit(1);
@@ -1635,7 +1637,8 @@ enum certutilOpts {
opt_AddCertPoliciesExt,
opt_AddPolicyMapExt,
opt_AddPolicyConstrExt,
- opt_AddInhibAnyExt
+ opt_AddInhibAnyExt,
+ opt_AddSubjectKeyIDExt
};
static const
@@ -1711,7 +1714,8 @@ secuCommandFlag options_init[] =
{ /* opt_AddCertPoliciesExt */ 0, PR_FALSE, 0, PR_FALSE, "extCP" },
{ /* opt_AddPolicyMapExt */ 0, PR_FALSE, 0, PR_FALSE, "extPM" },
{ /* opt_AddPolicyConstrExt */ 0, PR_FALSE, 0, PR_FALSE, "extPC" },
- { /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" }
+ { /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" },
+ { /* opt_AddSubjectKeyIDExt */ 0, PR_FALSE, 0, PR_FALSE, "extSKID" }
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@@ -2301,6 +2305,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
certutil.options[opt_AddBasicConstraintExt].activated;
certutil_extns[ext_authorityKeyID] =
certutil.options[opt_AddAuthorityKeyIDExt].activated;
+ certutil_extns[ext_subjectKeyID] =
+ certutil.options[opt_AddSubjectKeyIDExt].activated;
certutil_extns[ext_CRLDistPts] =
certutil.options[opt_AddCRLDistPtsExt].activated;
certutil_extns[ext_NSCertType] =
diff --git a/security/nss/cmd/certutil/certutil.h b/security/nss/cmd/certutil/certutil.h
index b4b3f427c..eda0c497e 100644
--- a/security/nss/cmd/certutil/certutil.h
+++ b/security/nss/cmd/certutil/certutil.h
@@ -63,6 +63,7 @@ enum certutilExtns {
ext_policyMappings,
ext_policyConstr,
ext_inhibitAnyPolicy,
+ ext_subjectKeyID,
ext_End
};
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index a83b7719f..1862f3b7d 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -4004,3 +4004,53 @@ SECU_SECItemToHex(const SECItem * item, char * dst)
*dst = '\0';
}
}
+
+static unsigned char nibble(char c) {
+ c = PORT_Tolower(c);
+ return ( c >= '0' && c <= '9') ? c - '0' :
+ ( c >= 'a' && c <= 'f') ? c - 'a' +10 : -1;
+}
+
+SECStatus
+SECU_SECItemHexStringToBinary(SECItem* srcdest)
+{
+ int i;
+
+ if (!srcdest) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ if (srcdest->len < 4 || (srcdest->len % 2) ) {
+ /* too short to convert, or even number of characters */
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ return SECFailure;
+ }
+ if (PORT_Strncasecmp((const char*)srcdest->data, "0x", 2)) {
+ /* wrong prefix */
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ return SECFailure;
+ }
+
+ /* 1st pass to check for hex characters */
+ for (i=2; i<srcdest->len; i++) {
+ char c = PORT_Tolower(srcdest->data[i]);
+ if (! ( ( c >= '0' && c <= '9') ||
+ ( c >= 'a' && c <= 'f')
+ ) ) {
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ return SECFailure;
+ }
+ }
+
+ /* 2nd pass to convert */
+ for (i=2; i<srcdest->len; i+=2) {
+ srcdest->data[(i-2)/2] = (nibble(srcdest->data[i]) << 4) +
+ nibble(srcdest->data[i+1]);
+ }
+
+ /* adjust length */
+ srcdest->len -= 2;
+ srcdest->len /= 2;
+ return SECSuccess;
+}
+
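Review bot: The comment on the length check reads `or even number of characters` while the condition `srcdest->len % 2` rejects an odd count; it should say `/* too short to convert, or odd number of characters */`. Two smaller points in the same function: `i` is an `int` compared against the unsigned `srcdest->len`, and `nibble()` returns `-1` through an `unsigned char` (so 255), which is harmless only because the first pass has already rejected every non-hex byte — `unsigned int i` and a one-line comment on `nibble` saying it is only called on validated input would make that dependency explicit. The `0x` prefix requirement and the four-character minimum are enforced but not stated anywhere in the function body itself.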
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 8a19b07c3..d96116e44 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -403,6 +403,11 @@ SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
void
SECU_SECItemToHex(const SECItem * item, char * dst);
+/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
+ * successful */
+SECStatus
+SECU_SECItemHexStringToBinary(SECItem* srcdest);
+
/*
*
* Utilities for parsing security tools command lines
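Review bot: The header comment for SECU_SECItemHexStringToBinary omits the constraints the implementation enforces and the failure behaviour a caller needs to know. I would replace it with `/* Converts a "0x"-prefixed, case-insensitive hex string to binary in place; at least one byte (four characters) is required. On failure the item is left unchanged and SEC_ERROR_INVALID_ARGS (NULL item) or SEC_ERROR_BAD_DATA (bad length, prefix or digit) is set. */`, since both callers added in this commit currently ignore the return value and the unchanged-on-failure property is what they are silently relying on.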
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index f37ab2c4e..7aa323a0a 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
@@ -1258,10 +1258,6 @@ CERT_CheckForEvilCert(CERTCertificate *cert);
CERTGeneralName *
CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena);
-
-SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
-
char *
CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle, PRArenaPool *nicknameArena);
diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c
index 6b65d7524..226b04e69 100644
--- a/security/nss/lib/certdb/xconst.c
+++ b/security/nss/lib/certdb/xconst.c
@@ -63,7 +63,7 @@ static const SEC_ASN1Template CERTIA5TypeTemplate[] = {
{ SEC_ASN1_IA5_STRING }
};
-SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate);
+SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate)
static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = {
{ SEC_ASN1_SEQUENCE,
@@ -99,19 +99,16 @@ const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = {
SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue)
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString,
+ SECItem *encodedValue)
{
- SECItem encodeContext;
SECStatus rv = SECSuccess;
-
- PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
-
- if (value != NULL) {
- encodeContext.data = (unsigned char *)value;
- encodeContext.len = len;
+ if (!srcString) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
}
- if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+ if (SEC_ASN1EncodeItem (arena, encodedValue, srcString,
CERTSubjectKeyIDTemplate) == NULL) {
rv = SECFailure;
}
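Review bot: The new NULL check rejects a missing SECItem but still accepts an empty one: `srcString->len == 0` (or `data == NULL` with a nonzero length) is passed straight to `SEC_ASN1EncodeItem`, and an empty OCTET STRING is not a usable SubjectKeyIdentifier. The old signature allowed that case deliberately through `value == NULL`, so if it is no longer wanted the check should become `if (!srcString || !srcString->data || !srcString->len)`; if it is still wanted, a comment saying the empty identifier is accepted on purpose would stop the next reader from "fixing" it. The function's return is below this hunk.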
diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h
index f1b19358c..dfaf256b8 100644
--- a/security/nss/lib/certdb/xconst.h
+++ b/security/nss/lib/certdb/xconst.h
@@ -57,7 +57,7 @@ CERT_EncodeNameConstraintsExtension(PRArenaPool *arena,
SECItem *encodedValue);
extern SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len,
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString,
SECItem *encodedValue);
extern SECStatus
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 0d5fd55a7..a41cbd298 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -916,6 +916,7 @@ CERT_EncodeInhibitAnyExtension;
CERT_EncodeNoticeReference;
CERT_EncodePolicyConstraintsExtension;
CERT_EncodePolicyMappingExtension;
+CERT_EncodeSubjectKeyID;
CERT_EncodeUserNotice;
CERT_FindCRLEntryReasonExten;
CERT_FindCRLNumberExten;