diff options
author | Kai Engert <kaie@kuix.de> | 2013-06-11 21:14:37 +0200 |
---|---|---|
committer | Kai Engert <kaie@kuix.de> | 2013-06-11 21:14:37 +0200 |
commit | d4128557f4a186c1bc7d16fa121f293c43353ac7 (patch) | |
tree | 523d92c477dca5dbc9603dde2d5fa4109270872e | |
parent | 1e62b3cbbb3c71a6d269ae6a5215331ca813c894 (diff) | |
download | nss-hg-d4128557f4a186c1bc7d16fa121f293c43353ac7.tar.gz |
Bug 876352 - certutil: (a) Warn if importing PEM file with private key (b) fail if user attempts to import cert with requested "u" trust, r=rrelyea
-rw-r--r-- | cmd/certutil/certutil.c | 7 | ||||
-rw-r--r-- | cmd/checkcert/checkcert.c | 6 | ||||
-rw-r--r-- | cmd/crlutil/crlutil.c | 6 | ||||
-rw-r--r-- | cmd/derdump/derdump.c | 2 | ||||
-rw-r--r-- | cmd/lib/secutil.c | 10 | ||||
-rw-r--r-- | cmd/lib/secutil.h | 3 | ||||
-rw-r--r-- | cmd/libpkix/pkix/top/test_validatechain_bc.c | 2 | ||||
-rw-r--r-- | cmd/libpkix/sample_apps/build_chain.c | 2 | ||||
-rw-r--r-- | cmd/libpkix/sample_apps/dumpcert.c | 2 | ||||
-rw-r--r-- | cmd/libpkix/sample_apps/dumpcrl.c | 2 | ||||
-rw-r--r-- | cmd/libpkix/sample_apps/validate_chain.c | 2 | ||||
-rwxr-xr-x | cmd/libpkix/testutil/testutil_nss.c | 4 | ||||
-rw-r--r-- | cmd/ocspclnt/ocspclnt.c | 2 | ||||
-rw-r--r-- | cmd/p7content/p7content.c | 2 | ||||
-rw-r--r-- | cmd/p7sign/p7sign.c | 3 | ||||
-rw-r--r-- | cmd/p7verify/p7verify.c | 3 | ||||
-rw-r--r-- | cmd/pk1sign/pk1sign.c | 3 | ||||
-rw-r--r-- | cmd/pp/pp.c | 2 | ||||
-rw-r--r-- | cmd/selfserv/selfserv.c | 2 | ||||
-rw-r--r-- | cmd/signver/signver.c | 2 | ||||
-rw-r--r-- | cmd/vfychain/vfychain.c | 2 |
21 files changed, 42 insertions, 27 deletions
diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c index ba62799ee..6603e80e1 100644 --- a/cmd/certutil/certutil.c +++ b/cmd/certutil/certutil.c @@ -3158,7 +3158,8 @@ merge_fail: certutil.commands[cmd_AddEmailCert].activated) { PRBool isCreate = certutil.commands[cmd_CreateNewCert].activated; rv = SECU_ReadDERFromFile(isCreate ? &certReqDER : &certDER, inFile, - certutil.options[opt_ASCIIForIO].activated); + certutil.options[opt_ASCIIForIO].activated, + PR_TRUE); if (rv) goto shutdown; } @@ -3229,6 +3230,10 @@ merge_fail: if (certutil.commands[cmd_CreateAndAddCert].activated || certutil.commands[cmd_AddCert].activated || certutil.commands[cmd_AddEmailCert].activated) { + if (strstr(certutil.options[opt_Trust].arg, "u")) { + fprintf(stderr, "Notice: Trust flag u is set automatically if the " + "private key is present.\n"); + } rv = AddCert(slot, certHandle, name, certutil.options[opt_Trust].arg, &certDER, diff --git a/cmd/checkcert/checkcert.c b/cmd/checkcert/checkcert.c index 0cdd2cc28..63beea587 100644 --- a/cmd/checkcert/checkcert.c +++ b/cmd/checkcert/checkcert.c @@ -302,7 +302,7 @@ int main(int argc, char **argv) exit(1); } - if (SECU_ReadDERFromFile(&derCert, inFile, ascii) != SECSuccess) { + if (SECU_ReadDERFromFile(&derCert, inFile, ascii, PR_FALSE) != SECSuccess) { printf("Couldn't read input certificate as DER binary or base64\n"); exit(1); } @@ -315,8 +315,8 @@ int main(int argc, char **argv) if (issuerCertFile) { CERTSignedData *issuerCertSD=0; - if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii) - != SECSuccess) { + if (SECU_ReadDERFromFile(&derIssuerCert, issuerCertFile, issuerAscii, + PR_FALSE) != SECSuccess) { printf("Couldn't read issuer certificate as DER binary or base64.\n"); exit(1); } diff --git a/cmd/crlutil/crlutil.c b/cmd/crlutil/crlutil.c index 301746b5d..dd9f4932e 100644 --- a/cmd/crlutil/crlutil.c +++ b/cmd/crlutil/crlutil.c @@ -232,7 +232,7 @@ SECStatus ImportCRL (CERTCertDBHandle *certHandle, char *url, int type, /* Read in the entire file specified with the -f argument */ - rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); if (rv != SECSuccess) { SECU_PrintError(progName, "unable to read input file"); return (SECFailure); @@ -291,7 +291,7 @@ SECStatus DumpCRL(PRFileDesc *inFile) crlDER.data = NULL; /* Read in the entire file specified with the -f argument */ - rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); if (rv != SECSuccess) { SECU_PrintError(progName, "unable to read input file"); return (SECFailure); @@ -386,7 +386,7 @@ CreateModifiedCRLCopy(PLArenaPool *arena, CERTCertDBHandle *certHandle, } if (inFile != NULL) { - rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); if (rv != SECSuccess) { SECU_PrintError(progName, "unable to read input file"); PORT_FreeArena(modArena, PR_FALSE); diff --git a/cmd/derdump/derdump.c b/cmd/derdump/derdump.c index 49d415c1c..3184b1b48 100644 --- a/cmd/derdump/derdump.c +++ b/cmd/derdump/derdump.c @@ -87,7 +87,7 @@ int main(int argc, char **argv) return -1; } - rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&der, inFile, PR_FALSE, PR_FALSE); if (rv == SECSuccess) { rv = DER_PrettyPrint(outFile, &der, raw); if (rv == SECSuccess) diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c index 4b2270250..96273daa0 100644 --- a/cmd/lib/secutil.c +++ b/cmd/lib/secutil.c @@ -494,7 +494,8 @@ SECU_GetClientAuthData(void *arg, PRFileDesc *fd, } SECStatus -SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii) +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii, + PRBool warnOnPrivateKeyInAsciiFile) { SECStatus rv; if (ascii) { @@ -512,6 +513,11 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii) return SECFailure; } + if (warnOnPrivateKeyInAsciiFile && strstr(asc, "PRIVATE KEY")) { + fprintf(stderr, "Warning: ignoring private key. Consider to use " + "pk12util.\n"); + } + /* check for headers and trailers and remove them */ if ((body = strstr(asc, "-----BEGIN")) != NULL) { char *trailer = NULL; @@ -3551,7 +3557,7 @@ SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle, if (!fd) { return NULL; } - rv = SECU_ReadDERFromFile(&item, fd, ascii); + rv = SECU_ReadDERFromFile(&item, fd, ascii, PR_FALSE); PR_Close(fd); if (rv != SECSuccess || !item.len) { PORT_Free(item.data); diff --git a/cmd/lib/secutil.h b/cmd/lib/secutil.h index 022a4d5a8..71a7f59b8 100644 --- a/cmd/lib/secutil.h +++ b/cmd/lib/secutil.h @@ -160,7 +160,8 @@ SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log, /* Read in a DER from a file, may be ascii */ extern SECStatus -SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii); +SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii, + PRBool warnOnPrivateKeyInAsciiFile); /* Print integer value and hex */ extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, diff --git a/cmd/libpkix/pkix/top/test_validatechain_bc.c b/cmd/libpkix/pkix/top/test_validatechain_bc.c index 29e483f4f..cbbfd73a3 100644 --- a/cmd/libpkix/pkix/top/test_validatechain_bc.c +++ b/cmd/libpkix/pkix/top/test_validatechain_bc.c @@ -61,7 +61,7 @@ createCert(char *inFileName) pkixTestErrorMsg = "Unable to open cert file"; goto cleanup; } else { - rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); if (!rv){ buf = (void *)certDER.data; len = certDER.len; diff --git a/cmd/libpkix/sample_apps/build_chain.c b/cmd/libpkix/sample_apps/build_chain.c index 11f3005f7..fa717d9ae 100644 --- a/cmd/libpkix/sample_apps/build_chain.c +++ b/cmd/libpkix/sample_apps/build_chain.c @@ -66,7 +66,7 @@ createCert(char *inFileName) pkixTestErrorMsg = "Unable to open cert file"; goto cleanup; } else { - rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); if (!rv){ buf = (void *)certDER.data; len = certDER.len; diff --git a/cmd/libpkix/sample_apps/dumpcert.c b/cmd/libpkix/sample_apps/dumpcert.c index 4ee14d695..553507763 100644 --- a/cmd/libpkix/sample_apps/dumpcert.c +++ b/cmd/libpkix/sample_apps/dumpcert.c @@ -55,7 +55,7 @@ createCert(char *inFileName) printFailure("Unable to open cert file"); goto cleanup; } else { - rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); if (!rv){ buf = (void *)certDER.data; len = certDER.len; diff --git a/cmd/libpkix/sample_apps/dumpcrl.c b/cmd/libpkix/sample_apps/dumpcrl.c index 1f2522ec1..cfb84bd4a 100644 --- a/cmd/libpkix/sample_apps/dumpcrl.c +++ b/cmd/libpkix/sample_apps/dumpcrl.c @@ -57,7 +57,7 @@ createCRL(char *inFileName) printFailure("Unable to open crl file"); goto cleanup; } else { - rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); if (!rv){ buf = (void *)crlDER.data; len = crlDER.len; diff --git a/cmd/libpkix/sample_apps/validate_chain.c b/cmd/libpkix/sample_apps/validate_chain.c index d9c2a229c..56343a6f6 100644 --- a/cmd/libpkix/sample_apps/validate_chain.c +++ b/cmd/libpkix/sample_apps/validate_chain.c @@ -65,7 +65,7 @@ createCert(char *inFileName) pkixTestErrorMsg = "Unable to open cert file"; goto cleanup; } else { - rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&certDER, inFile, PR_FALSE, PR_FALSE); if (!rv){ buf = (void *)certDER.data; len = certDER.len; diff --git a/cmd/libpkix/testutil/testutil_nss.c b/cmd/libpkix/testutil/testutil_nss.c index 666190c42..4f7cc4096 100755 --- a/cmd/libpkix/testutil/testutil_nss.c +++ b/cmd/libpkix/testutil/testutil_nss.c @@ -89,7 +89,7 @@ createCert( pkixTestErrorMsg = "Unable to open cert file"; goto cleanup; } else { - rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&certDER, certFile, PR_FALSE, PR_FALSE); if (!rv){ buf = (void *)certDER.data; len = certDER.len; @@ -154,7 +154,7 @@ createCRL( pkixTestErrorMsg = "Unable to open crl file"; goto cleanup; } else { - rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE); + rv = SECU_ReadDERFromFile(&crlDER, inFile, PR_FALSE, PR_FALSE); if (!rv){ buf = (void *)crlDER.data; len = crlDER.len; diff --git a/cmd/ocspclnt/ocspclnt.c b/cmd/ocspclnt/ocspclnt.c index ea2a4ce3a..e302bb5b8 100644 --- a/cmd/ocspclnt/ocspclnt.c +++ b/cmd/ocspclnt/ocspclnt.c @@ -485,7 +485,7 @@ find_certificate(CERTCertDBHandle *handle, const char *name, PRBool ascii) return NULL; } - if (SECU_ReadDERFromFile(&der, certFile, ascii) == SECSuccess) { + if (SECU_ReadDERFromFile(&der, certFile, ascii, PR_FALSE) == SECSuccess) { cert = CERT_DecodeCertFromPackage((char*)der.data, der.len); SECITEM_FreeItem(&der, PR_FALSE); } diff --git a/cmd/p7content/p7content.c b/cmd/p7content/p7content.c index 59c0ff2cc..15f725397 100644 --- a/cmd/p7content/p7content.c +++ b/cmd/p7content/p7content.c @@ -78,7 +78,7 @@ DecodeAndPrintFile(FILE *out, PRFileDesc *in, char *progName) SEC_PKCS7ContentInfo *cinfo = NULL; SEC_PKCS7DecoderContext *dcx; - if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE)) { + if (SECU_ReadDERFromFile(&derdata, in, PR_FALSE, PR_FALSE)) { SECU_PrintError(progName, "error converting der"); return -1; } diff --git a/cmd/p7sign/p7sign.c b/cmd/p7sign/p7sign.c index df664df1c..1b93a8981 100644 --- a/cmd/p7sign/p7sign.c +++ b/cmd/p7sign/p7sign.c @@ -96,7 +96,8 @@ SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert, return -1; /* suck the file in */ - if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess) + if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE, + PR_FALSE) != SECSuccess) return -1; if (!encapsulated) { diff --git a/cmd/p7verify/p7verify.c b/cmd/p7verify/p7verify.c index 5394a5189..1d87ac39e 100644 --- a/cmd/p7verify/p7verify.c +++ b/cmd/p7verify/p7verify.c @@ -133,7 +133,8 @@ HashDecodeAndVerify(FILE *out, FILE *content, PRFileDesc *signature, SECItem digest; unsigned char buffer[32]; - if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE) != SECSuccess) { + if (SECU_ReadDERFromFile(&derdata, signature, PR_FALSE, + PR_FALSE) != SECSuccess) { SECU_PrintError(progName, "error reading signature file"); return -1; } diff --git a/cmd/pk1sign/pk1sign.c b/cmd/pk1sign/pk1sign.c index 291388bd7..5750cdb2d 100644 --- a/cmd/pk1sign/pk1sign.c +++ b/cmd/pk1sign/pk1sign.c @@ -116,7 +116,8 @@ SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert) return -1; /* suck the file in */ - if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE) != SECSuccess) + if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE, + PR_FALSE) != SECSuccess) return -1; privKey = NULL; diff --git a/cmd/pp/pp.c b/cmd/pp/pp.c index ab58c8747..1e84889f6 100644 --- a/cmd/pp/pp.c +++ b/cmd/pp/pp.c @@ -105,7 +105,7 @@ int main(int argc, char **argv) } SECU_RegisterDynamicOids(); - rv = SECU_ReadDERFromFile(&der, inFile, ascii); + rv = SECU_ReadDERFromFile(&der, inFile, ascii, PR_FALSE); if (rv != SECSuccess) { fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName); exit(1); diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c index c757a1c28..11f301558 100644 --- a/cmd/selfserv/selfserv.c +++ b/cmd/selfserv/selfserv.c @@ -1028,7 +1028,7 @@ reload_crl(PRFileDesc *crlFile) return SECFailure; } - rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE); + rv = SECU_ReadDERFromFile(crlDer, crlFile, PR_FALSE, PR_FALSE); if (rv != SECSuccess) { errWarn("Unable to read input file."); PORT_Free(crlDer); diff --git a/cmd/signver/signver.c b/cmd/signver/signver.c index cc9aaeb60..cd63a3c88 100644 --- a/cmd/signver/signver.c +++ b/cmd/signver/signver.c @@ -204,7 +204,7 @@ int main(int argc, char **argv) /* read in the input files' contents */ rv = SECU_ReadDERFromFile(&pkcs7der, signFile, - signver.options[opt_ASCII].activated); + signver.options[opt_ASCII].activated, PR_FALSE); if (signFile != PR_STDIN) PR_Close(signFile); if (rv != SECSuccess) { diff --git a/cmd/vfychain/vfychain.c b/cmd/vfychain/vfychain.c index ddbf379cd..4d41be8f5 100644 --- a/cmd/vfychain/vfychain.c +++ b/cmd/vfychain/vfychain.c @@ -184,7 +184,7 @@ getCert(const char *name, PRBool isAscii, const char * progName) return cert; } - rv = SECU_ReadDERFromFile(&item, fd, isAscii); + rv = SECU_ReadDERFromFile(&item, fd, isAscii, PR_FALSE); PR_Close(fd); if (rv != SECSuccess) { fprintf(stderr, "%s: SECU_ReadDERFromFile failed\n", progName); |