author | julien.pierre.boogz%sun.com <devnull@localhost> | 2008-02-16 01:17:45 +0000 |
---|---|---|
committer | julien.pierre.boogz%sun.com <devnull@localhost> | 2008-02-16 01:17:45 +0000 |
commit | e007f1311dd8650c45624e1f610a5a10603215ec (patch) | |
tree | a088b86946d5f66d8af090ae04bd44bd80c39cf4 | |
parent | 8bcce02194e1bab11405de803b42043a1bbd9058 (diff) | |
download | nss-hg-e007f1311dd8650c45624e1f610a5a10603215ec.tar.gz |
Fix for bug 369144. certutil needs option to generate SubjectKeyID extension. r=nelson
-rw-r--r-- | security/nss/cmd/certcgi/certcgi.c | 3 | ||||
-rw-r--r-- | security/nss/cmd/certutil/certext.c | 49 | ||||
-rw-r--r-- | security/nss/cmd/certutil/certutil.c | 14 | ||||
-rw-r--r-- | security/nss/cmd/certutil/certutil.h | 1 | ||||
-rw-r--r-- | security/nss/cmd/lib/secutil.c | 50 | ||||
-rw-r--r-- | security/nss/cmd/lib/secutil.h | 5 | ||||
-rw-r--r-- | security/nss/lib/certdb/cert.h | 4 | ||||
-rw-r--r-- | security/nss/lib/certdb/xconst.c | 17 | ||||
-rw-r--r-- | security/nss/lib/certdb/xconst.h | 2 | ||||
-rw-r--r-- | security/nss/lib/nss/nss.def | 1 |
10 files changed, 125 insertions, 21 deletions
diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c
index 339030969..038b55f98 100644
--- a/security/nss/cmd/certcgi/certcgi.c
+++ b/security/nss/cmd/certcgi/certcgi.c
@@ -952,8 +952,7 @@ AddSubKeyID(void *extHandle,
 (data,"subjectKeyIdentifier-text", PR_TRUE);
 subjectCert->subjectKeyID.len = len;
 rv = CERT_EncodeSubjectKeyID
- (NULL, find_field(data,"subjectKeyIdentifier-text", PR_TRUE),
- len, &encodedValue);
+ (NULL, &subjectCert->subjectKeyID, &encodedValue);
 if (rv) {
 return (rv);
 }
diff --git a/security/nss/cmd/certutil/certext.c b/security/nss/cmd/certutil/certext.c
index eb5703324..cdebedc6b 100644
--- a/security/nss/cmd/certutil/certext.c
+++ b/security/nss/cmd/certutil/certext.c
@@ -57,6 +57,7 @@
 #endif
 #include "cert.h"
+#include "xconst.h"
 #include "prprf.h"
 #include "certutil.h"
@@ -703,6 +704,9 @@ AddAuthKeyID (void *extHandle)
 "enter to omit:", &authKeyID->keyID);
 if (rv != SECSuccess)
 break;
+
+ SECU_SECItemHexStringToBinary(&authKeyID->keyID);
+
 authKeyID->authCertIssuer = GetGeneralName (arena);
 if (authKeyID->authCertIssuer == NULL &&
 SECFailure == PORT_GetError ())
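Review bot: Only `subjectCert->subjectKeyID.len` is assigned inside the hunk, yet the new call hands the whole `&subjectCert->subjectKeyID` item to CERT_EncodeSubjectKeyID, so the `.data` member must already have been filled from the same form field for this to match the old `find_field(...)` argument; that assignment is not visible here and is worth confirming. Unlike the certutil path in this commit, nothing in this hunk hex-decodes the value, so the encoded keyIdentifier will presumably be the literal text bytes of the field — if that is intended, a comment such as `/* form text is used verbatim as the key identifier; no hex decoding */` would save the next reader a trip. AddSubKeyID's body begins and ends outside the hunk.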
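Review bot: The return value of `SECU_SECItemHexStringToBinary(&authKeyID->keyID)` is discarded, so a value that fails the conversion (missing `0x` prefix, odd length, or a non-hex character) is silently encoded as its raw text bytes instead of being reported to the user; the same pattern appears in AddSubjKeyID in the next hunk. Because the prompt allows an empty answer, the check should separate the empty case from a malformed one, e.g. `if (authKeyID->keyID.len && SECU_SECItemHexStringToBinary(&authKeyID->keyID) != SECSuccess) { SECU_PrintError(progName, "bad key identifier"); GEN_BREAK(SECFailure); }` — whether GetString reports an empty answer as `len == 0` is not visible here and should be confirmed. AddAuthKeyID's body starts and ends outside the hunk.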
@@ -727,6 +731,43 @@ AddAuthKeyID (void *extHandle)
 }
 
 static SECStatus
+AddSubjKeyID (void *extHandle)
+{
+ SECItem keyID;
+ PRArenaPool *arena = NULL;
+ SECStatus rv = SECSuccess;
+ PRBool yesNoAns;
+
+ do {
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if ( !arena ) {
+ SECU_PrintError(progName, "out of memory");
+ GEN_BREAK (SECFailure);
+ }
+ printf("Adding Subject Key ID extension.\n");
+
+ rv = GetString (arena, "Enter value for the key identifier fields,"
+ "enter to omit:", &keyID);
+ if (rv != SECSuccess)
+ break;
+
+ SECU_SECItemHexStringToBinary(&keyID);
+
+ yesNoAns = GetYesNo ("Is this a critical extension [y/N]?");
+
+ rv = SECU_EncodeAndAddExtensionValue(arena, extHandle,
+ &keyID, yesNoAns, SEC_OID_X509_SUBJECT_KEY_ID,
+ (EXTEN_EXT_VALUE_ENCODER) CERT_EncodeSubjectKeyID);
+ if (rv)
+ break;
+
+ } while (0);
+ if (arena)
+ PORT_FreeArena (arena, PR_FALSE);
+ return (rv);
+}
+
+static SECStatus
 AddCrlDistPoint(void *extHandle)
 {
 PRArenaPool *arena = NULL;
@@ -1548,6 +1589,14 @@ AddExtensions(void *extHandle, const char *emailAddrs, const char *dnsNames,
 errstring = "AuthorityKeyID";
 break;
 }
+ }
+
+ if (extList[ext_subjectKeyID]) {
+ rv = AddSubjKeyID(extHandle);
+ if (rv) {
+ errstring = "SubjectKeyID";
+ break;
+ }
 }
 
 if (extList[ext_CRLDistPts]) {
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index bbf7abaad..f56c9d88c 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -958,8 +958,8 @@ Usage(char *progName)
 "\t\t [-f pwfile] [-d certdir] [-P dbprefix]\n"
 "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6] [-7 emailAddrs]\n"
 "\t\t [-8 DNS-names]\n"
- "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n",
- progName);
+ "\t\t [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA]\n"
+ "\t\t [--extSKID]\n", progName);
 FPS "\t%s -U [-X] [-d certdir] [-P dbprefix]\n", progName);
 exit(1);
 }
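Review bot: `yesNoAns` from the critical-extension prompt is passed straight to SECU_EncodeAndAddExtensionValue, so `--extSKID` can produce a certificate whose subjectKeyIdentifier is marked critical, which RFC 5280 §4.2.1.2 forbids for conforming CAs; passing `PR_FALSE` and dropping the prompt (or at least printing a warning when the user answers yes) would keep the tool's output conforming. The prompt also promises "enter to omit", but no path omits: an empty answer falls through the unchecked conversion and is encoded as an empty OCTET STRING, so a guard such as `if (keyID.len == 0) break;` after GetString (assuming GetString reports an empty answer as `len == 0`, which is not visible here) would honour the prompt. Minor: the two adjacent literals render as "fields,enter to omit:"; the first should end in `"fields, "`.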
@@ -1331,6 +1331,8 @@ static void LongUsage(char *progName)
 " --extPC ");
 FPS "%-20s Create an Inhibit Any Policy extension\n",
 " --extIA ");
+ FPS "%-20s Create a subject key ID extension\n",
+ " --extSKID ");
 FPS "\n");
 
 exit(1);
@@ -1635,7 +1637,8 @@ enum certutilOpts {
 opt_AddCertPoliciesExt,
 opt_AddPolicyMapExt,
 opt_AddPolicyConstrExt,
- opt_AddInhibAnyExt
+ opt_AddInhibAnyExt,
+ opt_AddSubjectKeyIDExt
 };
 
 static const
@@ -1711,7 +1714,8 @@ secuCommandFlag options_init[] =
 { /* opt_AddCertPoliciesExt */ 0, PR_FALSE, 0, PR_FALSE, "extCP" },
 { /* opt_AddPolicyMapExt */ 0, PR_FALSE, 0, PR_FALSE, "extPM" },
 { /* opt_AddPolicyConstrExt */ 0, PR_FALSE, 0, PR_FALSE, "extPC" },
- { /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" }
+ { /* opt_AddInhibAnyExt */ 0, PR_FALSE, 0, PR_FALSE, "extIA" },
+ { /* opt_AddSubjectKeyIDExt */ 0, PR_FALSE, 0, PR_FALSE, "extSKID" }
 };
 
 #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@@ -2301,6 +2305,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
 certutil.options[opt_AddBasicConstraintExt].activated;
 certutil_extns[ext_authorityKeyID] =
 certutil.options[opt_AddAuthorityKeyIDExt].activated;
+ certutil_extns[ext_subjectKeyID] =
+ certutil.options[opt_AddSubjectKeyIDExt].activated;
 certutil_extns[ext_CRLDistPts] =
 certutil.options[opt_AddCRLDistPtsExt].activated;
 certutil_extns[ext_NSCertType] =
diff --git a/security/nss/cmd/certutil/certutil.h b/security/nss/cmd/certutil/certutil.h
index b4b3f427c..eda0c497e 100644
--- a/security/nss/cmd/certutil/certutil.h
+++ b/security/nss/cmd/certutil/certutil.h
@@ -63,6 +63,7 @@ enum certutilExtns {
 ext_policyMappings,
 ext_policyConstr,
 ext_inhibitAnyPolicy,
+ ext_subjectKeyID,
 ext_End
 };
 
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index a83b7719f..1862f3b7d 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -4004,3 +4004,53 @@ SECU_SECItemToHex(const SECItem * item, char * dst)
 *dst = '\0';
 }
 }
+
+static unsigned char nibble(char c) {
+ c = PORT_Tolower(c);
+ return ( c >= '0' && c <= '9') ? c - '0' :
+ ( c >= 'a' && c <= 'f') ? c - 'a' +10 : -1;
+}
+
+SECStatus
+SECU_SECItemHexStringToBinary(SECItem* srcdest)
+{
+ int i;
+
+ if (!srcdest) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ if (srcdest->len < 4 || (srcdest->len % 2) ) {
+ /* too short to convert, or even number of characters */
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ return SECFailure;
+ }
+ if (PORT_Strncasecmp((const char*)srcdest->data, "0x", 2)) {
+ /* wrong prefix */
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ return SECFailure;
+ }
+
+ /* 1st pass to check for hex characters */
+ for (i=2; i<srcdest->len; i++) {
+ char c = PORT_Tolower(srcdest->data[i]);
+ if (! ( ( c >= '0' && c <= '9') ||
+ ( c >= 'a' && c <= 'f')
+ ) ) {
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ return SECFailure;
+ }
+ }
+
+ /* 2nd pass to convert */
+ for (i=2; i<srcdest->len; i+=2) {
+ srcdest->data[(i-2)/2] = (nibble(srcdest->data[i]) << 4) +
+ nibble(srcdest->data[i+1]);
+ }
+
+ /* adjust length */
+ srcdest->len -= 2;
+ srcdest->len /= 2;
+ return SECSuccess;
+}
+
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 8a19b07c3..d96116e44 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -403,6 +403,11 @@ SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
 void
 SECU_SECItemToHex(const SECItem * item, char * dst);
 
+/* Requires 0x prefix. Case-insensitive. Will do in-place replacement if
+ * successful */
+SECStatus
+SECU_SECItemHexStringToBinary(SECItem* srcdest);
+
 /*
 *
 * Utilities for parsing security tools command lines
diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h
index f37ab2c4e..7aa323a0a 100644
--- a/security/nss/lib/certdb/cert.h
+++ b/security/nss/lib/certdb/cert.h
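Review bot: The comment on the length check says "or even number of characters", but `srcdest->len % 2` rejects odd lengths — it should read `/* too short to convert, or odd number of characters */`. Both loops compare the signed `int i` against the unsigned `srcdest->len`, which trips -Wsign-compare and is inconsistent with the item's own type; `unsigned int i;` matches without changing behaviour. Because every check runs before the first write, a failed call leaves the caller's item exactly as it was, a property the certext.c callers rely on and one that deserves a line in the function comment. Note also that the conversion shrinks only `len`; the original hex text stays in the buffer past the new length, harmless for a key identifier but worth a comment if this helper is ever reused for material that should not linger.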
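Review bot: The new header comment states the input format but not the error contract, which the callers in certext.c need in order to decide whether to check the return value. I would extend it to say that the function returns SECFailure with SEC_ERROR_INVALID_ARGS for a NULL item and SEC_ERROR_BAD_DATA for a missing 0x prefix, a length under 4, an odd length or a non-hex character; that the item is left unchanged on failure; and that on success only `len` is reduced while the buffer keeps its original allocation. One example of the expected shape, e.g. `"0x0a1b2c" -> {0x0a, 0x1b, 0x2c}`, would make the prefix and pairing rule obvious.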
@@ -1258,10 +1258,6 @@ CERT_CheckForEvilCert(CERTCertificate *cert);
 CERTGeneralName *
 CERT_GetCertificateNames(CERTCertificate *cert, PRArenaPool *arena);
 
-
-SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue);
-
 char *
 CERT_GetNickName(CERTCertificate *cert, CERTCertDBHandle *handle,
 PRArenaPool *nicknameArena);
diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c
index 6b65d7524..226b04e69 100644
--- a/security/nss/lib/certdb/xconst.c
+++ b/security/nss/lib/certdb/xconst.c
@@ -63,7 +63,7 @@ static const SEC_ASN1Template CERTIA5TypeTemplate[] = {
 { SEC_ASN1_IA5_STRING }
 };
 
-SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate);
+SEC_ASN1_MKSUB(SEC_GeneralizedTimeTemplate)
 
 static const SEC_ASN1Template CERTPrivateKeyUsagePeriodTemplate[] = {
 { SEC_ASN1_SEQUENCE,
@@ -99,19 +99,16 @@ const SEC_ASN1Template CERTAuthInfoAccessTemplate[] = {
 
 
 SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len, SECItem *encodedValue)
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString,
+ SECItem *encodedValue)
 {
- SECItem encodeContext;
 SECStatus rv = SECSuccess;
-
- PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
-
- if (value != NULL) {
- encodeContext.data = (unsigned char *)value;
- encodeContext.len = len;
+ if (!srcString) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
 }
 
- if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
+ if (SEC_ASN1EncodeItem (arena, encodedValue, srcString,
 CERTSubjectKeyIDTemplate) == NULL) {
 rv = SECFailure;
 }
diff --git a/security/nss/lib/certdb/xconst.h b/security/nss/lib/certdb/xconst.h
index f1b19358c..dfaf256b8 100644
--- a/security/nss/lib/certdb/xconst.h
+++ b/security/nss/lib/certdb/xconst.h
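Review bot: The new guard in CERT_EncodeSubjectKeyID rejects only a NULL `srcString`; an item with `data == NULL` or `len == 0` still reaches SEC_ASN1EncodeItem and yields an empty keyIdentifier OCTET STRING, a useless SKID that the certutil caller in this commit can produce from an empty answer at its prompt. Unless an empty identifier is deliberately permitted, `if (!srcString || !srcString->data || !srcString->len) {` would make the encoder reject it with the same SEC_ERROR_INVALID_ARGS, and the function comment should say so. The function's return statement lies outside the hunk.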
@@ -57,7 +57,7 @@ CERT_EncodeNameConstraintsExtension(PRArenaPool *arena,
 SECItem *encodedValue);
 
 extern SECStatus
-CERT_EncodeSubjectKeyID(PRArenaPool *arena, char *value, int len,
+CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString,
 SECItem *encodedValue);
 
 extern SECStatus
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
index 0d5fd55a7..a41cbd298 100644
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -916,6 +916,7 @@ CERT_EncodeInhibitAnyExtension;
 CERT_EncodeNoticeReference;
 CERT_EncodePolicyConstraintsExtension;
 CERT_EncodePolicyMappingExtension;
+CERT_EncodeSubjectKeyID;
 CERT_EncodeUserNotice;
 CERT_FindCRLEntryReasonExten;
 CERT_FindCRLNumberExten; |