authorKai Engert <kaie@kuix.de>2013-06-11 21:14:37 +0200
committerKai Engert <kaie@kuix.de>2013-06-11 21:14:37 +0200
commitd4128557f4a186c1bc7d16fa121f293c43353ac7 (patch)
tree523d92c477dca5dbc9603dde2d5fa4109270872e
parent1e62b3cbbb3c71a6d269ae6a5215331ca813c894 (diff)
downloadnss-hg-d4128557f4a186c1bc7d16fa121f293c43353ac7.tar.gz
Bug 876352 - certutil: (a) Warn if importing PEM file with private key (b) fail if user attempts to import cert with requested "u" trust, r=rrelyea
-rw-r--r--cmd/certutil/certutil.c7
-rw-r--r--cmd/checkcert/checkcert.c6
-rw-r--r--cmd/crlutil/crlutil.c6
-rw-r--r--cmd/derdump/derdump.c2
-rw-r--r--cmd/lib/secutil.c10
-rw-r--r--cmd/lib/secutil.h3
-rw-r--r--cmd/libpkix/pkix/top/test_validatechain_bc.c2
-rw-r--r--cmd/libpkix/sample_apps/build_chain.c2
-rw-r--r--cmd/libpkix/sample_apps/dumpcert.c2
-rw-r--r--cmd/libpkix/sample_apps/dumpcrl.c2
-rw-r--r--cmd/libpkix/sample_apps/validate_chain.c2
-rwxr-xr-xcmd/libpkix/testutil/testutil_nss.c4
-rw-r--r--cmd/ocspclnt/ocspclnt.c2
-rw-r--r--cmd/p7content/p7content.c2
-rw-r--r--cmd/p7sign/p7sign.c3
-rw-r--r--cmd/p7verify/p7verify.c3
-rw-r--r--cmd/pk1sign/pk1sign.c3
-rw-r--r--cmd/pp/pp.c2
-rw-r--r--cmd/selfserv/selfserv.c2
-rw-r--r--cmd/signver/signver.c2
-rw-r--r--cmd/vfychain/vfychain.c2
21 files changed, 42 insertions, 27 deletions
diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
index ba62799ee..6603e80e1 100644
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -3158,7 +3158,8 @@ merge_fail:
certutil.commands[cmd_AddEmailCert].activated) {
PRBool isCreate = certutil.commands[cmd_CreateNewCert].activated;
rv = SECU_ReadDERFromFile(isCreate ? &certReqDER : &certDER, inFile,
- certutil.options[opt_ASCIIForIO].activated);
+ certutil.options[opt_ASCIIForIO].activated,
+ PR_TRUE);
if (rv)
goto shutdown;
}
@@ -3229,6 +3230,10 @@ merge_fail:
if (certutil.commands[cmd_CreateAndAddCert].activated ||
certutil.commands[cmd_AddCert].activated ||
certutil.commands[cmd_AddEmailCert].activated) {
+ if (strstr(certutil.options[opt_Trust].arg, "u")) {
+ fprintf(stderr, "Notice: Trust flag u is set automatically if the "
+ "private key is present.\n");
+ }
rv = AddCert(slot, certHandle, name,
certutil.options[opt_Trust].arg,
&certDER,
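Review bot: The added `strstr(certutil.options[opt_Trust].arg, "u")` check only prints a notice and then falls through to `AddCert` with the trust string unchanged, while the commit title says an import that requests "u" trust should fail. If rejection is intended, the branch should end with `rv = SECFailure; goto shutdown;`, as the earlier hunk in what appears to be the same function does on error. Otherwise the message should state whether the supplied "u" is dropped or passed through. The check also reads `.arg` without a NULL test. Whether a trust argument is guaranteed for all three commands is not visible here, so `certutil.options[opt_Trust].arg && strstr(...)` would be a cheap guard. The enclosing block and the `AddCert` call continue past the end of the hunk.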
diff --git a/cmd/checkcert/checkcert.c b/cmd/checkcert/checkcert.c
index 0cdd2cc28..63beea587 100644
--- a/cmd/checkcert/checkcert.c
+++ b/cmd/checkcert/checkcert.c
@@ -302,7 +302,7 @@ int main(int argc, char **argv)
exit(1);
}
- if (SECU_ReadDERFromFile(&derCert, inFile, ascii) != SECSuccess) {
+ if (SECU_ReadDERFromFile(&derCert, inFile, ascii, PR_FALSE) != SECSuccess) {
printf("Couldn't read input certificate as DER binary or base64\n");
exit(1);
}
@@ -315,8 +315,8 @@ int main(int argc, char **argv)
if (issuerCertFile) {
CERTSignedData *issuerCertSD=0;
- if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii)
- != SECSuccess) {
+ if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii,
+ PR_FALSE) != SECSuccess) {
printf("Couldn't read issuer certificate as DER binary or base64.\n");
exit(1);
}
diff --git a/cmd/crlutil/crlutil.c b/cmd/crlutil/crlutil.c
index 301746b5d..dd9f4932e 100644
--- a/cmd/crlutil/crlutil.c
+++ b/cmd/crlutil/crlutil.c
@@ -232,7 +232,7 @@ SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type,
/* Read in the entire file specified with the -f argument */
- rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
if (rv != SECSuccess) {
SECU_PrintError(progName, "unable to read input file");
return (SECFailure);
@@ -291,7 +291,7 @@ SECStatus DumpCRL(PRFileDesc *inFile)
crlDER.data = NULL;
/* Read in the entire file specified with the -f argument */
- rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
if (rv != SECSuccess) {
SECU_PrintError(progName, "unable to read input file");
return (SECFailure);
@@ -386,7 +386,7 @@ CreateModifiedCRLCopy(PLArenaPool *arena, CERTCertDBHandle *certHandle,
}
if (inFile != NULL) {
- rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
if (rv != SECSuccess) {
SECU_PrintError(progName, "unable to read input file");
PORT_FreeArena(modArena, PR_FALSE);
diff --git a/cmd/derdump/derdump.c b/cmd/derdump/derdump.c
index 49d415c1c..3184b1b48 100644
--- a/cmd/derdump/derdump.c
+++ b/cmd/derdump/derdump.c
@@ -87,7 +87,7 @@ int main(int argc, char **argv)
return -1;
}
- rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE, PR_FALSE);
if (rv == SECSuccess) {
rv = DER_PrettyPrint(outFile, &der, raw);
if (rv == SECSuccess)
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
index 4b2270250..96273daa0 100644
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -494,7 +494,8 @@ SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
}
SECStatus
-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
+SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
+ PRBool warnOnPrivateKeyInAsciiFile)
{
SECStatus rv;
if (ascii) {
@@ -512,6 +513,11 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii)
return SECFailure;
}
+ if (warnOnPrivateKeyInAsciiFile && strstr(asc, "PRIVATE KEY")) {
+ fprintf(stderr, "Warning: ignoring private key. Consider to use "
+ "pk12util.\n");
+ }
+
/* check for headers and trailers and remove them */
if ((body = strstr(asc, "-----BEGIN")) != NULL) {
char *trailer = NULL;
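Review bot: The warning says the private key is ignored, but the next statement selects the first `-----BEGIN` marker in the buffer (`body = strstr(asc, "-----BEGIN")`). For a PEM file that lists the key block before the certificate, the key material therefore looks like what gets base64-decoded into `der`; the rest of the parsing is outside this hunk, so this needs confirming. The test is also a plain substring match over the whole file, so "PRIVATE KEY" in a comment line triggers it, and it cannot tell an encrypted key block from a plain one. I would add a comment such as `/* Heuristic only: does not select or skip PEM blocks; the first BEGIN block below is still what is decoded. */`, or make the block selection skip non-certificate blocks so the message is true. The text would also read better as `"Warning: ignoring private key. Consider using pk12util.\n"`.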
@@ -3551,7 +3557,7 @@ SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
if (!fd) {
return NULL;
}
- rv = SECU_ReadDERFromFile(&item, fd, ascii);
+ rv = SECU_ReadDERFromFile(&item, fd, ascii, PR_FALSE);
PR_Close(fd);
if (rv != SECSuccess || !item.len) {
PORT_Free(item.data);
diff --git a/cmd/lib/secutil.h b/cmd/lib/secutil.h
index 022a4d5a8..71a7f59b8 100644
--- a/cmd/lib/secutil.h
+++ b/cmd/lib/secutil.h
@@ -160,7 +160,8 @@ SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
/* Read in a DER from a file, may be ascii */
extern SECStatus
-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
+SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
+ PRBool warnOnPrivateKeyInAsciiFile);
/* Print integer value and hex */
extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m,
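Review bot: The declaration comment still reads "Read in a DER from a file, may be ascii" and does not say what the new fourth argument does, although every caller now has to choose a value for it. I would extend it to something like `/* Read a DER item from a file; if ascii is true the input is base64/PEM text. warnOnPrivateKeyInAsciiFile only prints a warning to stderr when that text contains "PRIVATE KEY"; it does not change what is returned. */`. Two adjacent `PRBool` parameters are easy to transpose at call sites such as `(…, PR_FALSE, PR_FALSE)`, so the comment should name them in order.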
diff --git a/cmd/libpkix/pkix/top/test_validatechain_bc.c b/cmd/libpkix/pkix/top/test_validatechain_bc.c
index 29e483f4f..cbbfd73a3 100644
--- a/cmd/libpkix/pkix/top/test_validatechain_bc.c
+++ b/cmd/libpkix/pkix/top/test_validatechain_bc.c
@@ -61,7 +61,7 @@ createCert(char *inFileName)
pkixTestErrorMsg = "Unable to open cert file";
goto cleanup;
} else {
- rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
if (!rv){
buf = (void *)certDER.data;
len = certDER.len;
diff --git a/cmd/libpkix/sample_apps/build_chain.c b/cmd/libpkix/sample_apps/build_chain.c
index 11f3005f7..fa717d9ae 100644
--- a/cmd/libpkix/sample_apps/build_chain.c
+++ b/cmd/libpkix/sample_apps/build_chain.c
@@ -66,7 +66,7 @@ createCert(char *inFileName)
pkixTestErrorMsg = "Unable to open cert file";
goto cleanup;
} else {
- rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
if (!rv){
buf = (void *)certDER.data;
len = certDER.len;
diff --git a/cmd/libpkix/sample_apps/dumpcert.c b/cmd/libpkix/sample_apps/dumpcert.c
index 4ee14d695..553507763 100644
--- a/cmd/libpkix/sample_apps/dumpcert.c
+++ b/cmd/libpkix/sample_apps/dumpcert.c
@@ -55,7 +55,7 @@ createCert(char *inFileName)
printFailure("Unable to open cert file");
goto cleanup;
} else {
- rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
if (!rv){
buf = (void *)certDER.data;
len = certDER.len;
diff --git a/cmd/libpkix/sample_apps/dumpcrl.c b/cmd/libpkix/sample_apps/dumpcrl.c
index 1f2522ec1..cfb84bd4a 100644
--- a/cmd/libpkix/sample_apps/dumpcrl.c
+++ b/cmd/libpkix/sample_apps/dumpcrl.c
@@ -57,7 +57,7 @@ createCRL(char *inFileName)
printFailure("Unable to open crl file");
goto cleanup;
} else {
- rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
if (!rv){
buf = (void *)crlDER.data;
len = crlDER.len;
diff --git a/cmd/libpkix/sample_apps/validate_chain.c b/cmd/libpkix/sample_apps/validate_chain.c
index d9c2a229c..56343a6f6 100644
--- a/cmd/libpkix/sample_apps/validate_chain.c
+++ b/cmd/libpkix/sample_apps/validate_chain.c
@@ -65,7 +65,7 @@ createCert(char *inFileName)
pkixTestErrorMsg = "Unable to open cert file";
goto cleanup;
} else {
- rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE);
if (!rv){
buf = (void *)certDER.data;
len = certDER.len;
diff --git a/cmd/libpkix/testutil/testutil_nss.c b/cmd/libpkix/testutil/testutil_nss.c
index 666190c42..4f7cc4096 100755
--- a/cmd/libpkix/testutil/testutil_nss.c
+++ b/cmd/libpkix/testutil/testutil_nss.c
@@ -89,7 +89,7 @@ createCert(
pkixTestErrorMsg = "Unable to open cert file";
goto cleanup;
} else {
- rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE, PR_FALSE);
if (!rv){
buf = (void *)certDER.data;
len = certDER.len;
@@ -154,7 +154,7 @@ createCRL(
pkixTestErrorMsg = "Unable to open crl file";
goto cleanup;
} else {
- rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE);
if (!rv){
buf = (void *)crlDER.data;
len = crlDER.len;
diff --git a/cmd/ocspclnt/ocspclnt.c b/cmd/ocspclnt/ocspclnt.c
index ea2a4ce3a..e302bb5b8 100644
--- a/cmd/ocspclnt/ocspclnt.c
+++ b/cmd/ocspclnt/ocspclnt.c
@@ -485,7 +485,7 @@ find_certificate(CERTCertDBHandle *handle, const char *name, PRBool ascii)
return NULL;
}
- if (SECU_ReadDERFromFile(&der, certFile, ascii) == SECSuccess) {
+ if (SECU_ReadDERFromFile(&der, certFile, ascii, PR_FALSE) == SECSuccess) {
cert = CERT_DecodeCertFromPackage((char*)der.data, der.len);
SECITEM_FreeItem(&der, PR_FALSE);
}
diff --git a/cmd/p7content/p7content.c b/cmd/p7content/p7content.c
index 59c0ff2cc..15f725397 100644
--- a/cmd/p7content/p7content.c
+++ b/cmd/p7content/p7content.c
@@ -78,7 +78,7 @@ DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName)
SEC_PKCS7ContentInfo *cinfo = NULL;
SEC_PKCS7DecoderContext *dcx;
- if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE)) {
+ if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE, PR_FALSE)) {
SECU_PrintError(progName, "error converting der");
return -1;
}
diff --git a/cmd/p7sign/p7sign.c b/cmd/p7sign/p7sign.c
index df664df1c..1b93a8981 100644
--- a/cmd/p7sign/p7sign.c
+++ b/cmd/p7sign/p7sign.c
@@ -96,7 +96,8 @@ SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert,
return -1;
/* suck the file in */
- if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess)
+ if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE,
+ PR_FALSE) != SECSuccess)
return -1;
if (!encapsulated) {
diff --git a/cmd/p7verify/p7verify.c b/cmd/p7verify/p7verify.c
index 5394a5189..1d87ac39e 100644
--- a/cmd/p7verify/p7verify.c
+++ b/cmd/p7verify/p7verify.c
@@ -133,7 +133,8 @@ HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature,
SECItem digest;
unsigned char buffer[32];
- if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE) != SECSuccess) {
+ if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE,
+ PR_FALSE) != SECSuccess) {
SECU_PrintError(progName, "error reading signature file");
return -1;
}
diff --git a/cmd/pk1sign/pk1sign.c b/cmd/pk1sign/pk1sign.c
index 291388bd7..5750cdb2d 100644
--- a/cmd/pk1sign/pk1sign.c
+++ b/cmd/pk1sign/pk1sign.c
@@ -116,7 +116,8 @@ SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert)
return -1;
/* suck the file in */
- if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess)
+ if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE,
+ PR_FALSE) != SECSuccess)
return -1;
privKey = NULL;
diff --git a/cmd/pp/pp.c b/cmd/pp/pp.c
index ab58c8747..1e84889f6 100644
--- a/cmd/pp/pp.c
+++ b/cmd/pp/pp.c
@@ -105,7 +105,7 @@ int main(int argc, char **argv)
}
SECU_RegisterDynamicOids();
- rv = SECU_ReadDERFromFile(&der, inFile, ascii);
+ rv = SECU_ReadDERFromFile(&der, inFile, ascii, PR_FALSE);
if (rv != SECSuccess) {
fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);
exit(1);
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index c757a1c28..11f301558 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -1028,7 +1028,7 @@ reload_crl(PRFileDesc *crlFile)
return SECFailure;
}
- rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE);
+ rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE, PR_FALSE);
if (rv != SECSuccess) {
errWarn("Unable to read input file.");
PORT_Free(crlDer);
diff --git a/cmd/signver/signver.c b/cmd/signver/signver.c
index cc9aaeb60..cd63a3c88 100644
--- a/cmd/signver/signver.c
+++ b/cmd/signver/signver.c
@@ -204,7 +204,7 @@ int main(int argc, char **argv)
/* read in the input files' contents */
rv = SECU_ReadDERFromFile(&pkcs7der, signFile,
- signver.options[opt_ASCII].activated);
+ signver.options[opt_ASCII].activated, PR_FALSE);
if (signFile != PR_STDIN)
PR_Close(signFile);
if (rv != SECSuccess) {
diff --git a/cmd/vfychain/vfychain.c b/cmd/vfychain/vfychain.c
index ddbf379cd..4d41be8f5 100644
--- a/cmd/vfychain/vfychain.c
+++ b/cmd/vfychain/vfychain.c
@@ -184,7 +184,7 @@ getCert(const char *name, PRBool isAscii, const char * progName)
return cert;
}
- rv = SECU_ReadDERFromFile(&item, fd, isAscii);
+ rv = SECU_ReadDERFromFile(&item, fd, isAscii, PR_FALSE);
PR_Close(fd);
if (rv != SECSuccess) {
fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName);