diff options
author | Marcus Burghardt <mburghardt@mozilla.com> | 2019-10-11 03:49:25 +0000 |
---|---|---|
committer | Marcus Burghardt <mburghardt@mozilla.com> | 2019-10-11 03:49:25 +0000 |
commit | 4773827d33691bfe104debb0b78156574612b24d (patch) | |
tree | 56dc1dcd9dd8bb50849f5e81ba6c337383870a96 /cmd/addbuiltin | |
parent | 96a54e65e82ad4baa20ca208e633bd20f136f365 (diff) | |
download | nss-hg-4773827d33691bfe104debb0b78156574612b24d.tar.gz |
Bug 1465613 - Created two new fields for scheduled distrust from builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields do scheduled distrust of CAs in nssckbi/builtins.
Also, created a testlib to validate these fields with gtests.
Differential Revision: https://phabricator.services.mozilla.com/D36597
Diffstat (limited to 'cmd/addbuiltin')
-rw-r--r-- | cmd/addbuiltin/addbuiltin.c | 89 |
1 files changed, 62 insertions, 27 deletions
diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c index 831672039..92ef75897 100644 --- a/cmd/addbuiltin/addbuiltin.c +++ b/cmd/addbuiltin/addbuiltin.c @@ -230,6 +230,8 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust, hasPositiveTrust(trust->objectSigningFlags)) { printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n"); } + printf("CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"); + printf("CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"); } if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) == @@ -306,19 +308,21 @@ printheader() "#\n" "# Certificates\n" "#\n" - "# -- Attribute -- -- type -- -- value --\n" - "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" - "# CKA_TOKEN CK_BBOOL CK_TRUE\n" - "# CKA_PRIVATE CK_BBOOL CK_FALSE\n" - "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" - "# CKA_LABEL UTF8 (varies)\n" - "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n" - "# CKA_SUBJECT DER+base64 (varies)\n" - "# CKA_ID byte array (varies)\n" - "# CKA_ISSUER DER+base64 (varies)\n" - "# CKA_SERIAL_NUMBER DER+base64 (varies)\n" - "# CKA_VALUE DER+base64 (varies)\n" - "# CKA_NSS_EMAIL ASCII7 (unused here)\n" + "# -- Attribute -- -- type -- -- value --\n" + "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n" + "# CKA_TOKEN CK_BBOOL CK_TRUE\n" + "# CKA_PRIVATE CK_BBOOL CK_FALSE\n" + "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n" + "# CKA_LABEL UTF8 (varies)\n" + "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n" + "# CKA_SUBJECT DER+base64 (varies)\n" + "# CKA_ID byte array (varies)\n" + "# CKA_ISSUER DER+base64 (varies)\n" + "# CKA_SERIAL_NUMBER DER+base64 (varies)\n" + "# CKA_VALUE DER+base64 (varies)\n" + "# CKA_NSS_EMAIL ASCII7 (unused here)\n" + "# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies)\n" + "# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies)\n" "#\n" "# Trust\n" "#\n" @@ -392,6 +396,12 @@ Usage(char *progName) fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e"); fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file"); fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", ""); + fprintf(stderr, "%-15s convert a timestamp to DER, and output.\n", "-d timestamp"); + fprintf(stderr, "%-15s useful to fill server and email distrust fields\n", ""); + fprintf(stderr, "%-15s Example: %s -d 1561939200\n", "", progName); + fprintf(stderr, "%-15s NOTE: The informed timestamp are interpreted as seconds\n", ""); + fprintf(stderr, "%-15s since unix epoch.\n", ""); + fprintf(stderr, "%-15s TIP: date -d \"2019-07-01 00:00:00 UTC\" +%%s\n", ""); exit(-1); } @@ -403,20 +413,21 @@ enum { opt_ExcludeCert, opt_ExcludeHash, opt_DistrustCRL, - opt_CRLEnry + opt_CRLEntry, + opt_ConvertDate }; -static secuCommandFlag addbuiltin_options[] = - { - { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE }, - { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE }, - { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE }, - { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE }, - { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE }, - { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE }, - { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE }, - { /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE }, - }; +static secuCommandFlag addbuiltin_options[] = { + { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE }, + { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE }, + { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE }, + { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE }, + { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE }, + { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE }, + { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE }, + { /* opt_CRLEntry */ 'e', PR_TRUE, 0, PR_FALSE }, + { /* opt_ConvertDate */ 'd', PR_TRUE, 0, PR_FALSE }, +}; int main(int argc, char **argv) @@ -444,6 +455,30 @@ main(int argc, char **argv) if (rv != SECSuccess) Usage(progName); + if (addbuiltin.options[opt_ConvertDate].activated) { + char* endPtr; + PRTime distrustTimestamp = strtol(addbuiltin.options[opt_ConvertDate].arg, &endPtr, 0) * PR_USEC_PER_SEC; + if (*endPtr != '\0' && distrustTimestamp > 0) { + Usage(progName); + exit(1); + } + SECItem encTime; + DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp); + SECU_PrintTimeChoice(stdout, &encTime, "The timestamp represents this date", 0); + printf("Locate the entry of the desired certificate in certdata.txt\n" + "Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE\n" + "And override with the following respective entry:\n\n"); + SECU_PrintTimeChoice(stdout, &encTime, "# For Server Distrust After", 0); + printf("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n"); + dumpbytes(encTime.data, encTime.len); + printf("END\n"); + SECU_PrintTimeChoice(stdout, &encTime, "# For Email Distrust After", 0); + printf("CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL\n"); + dumpbytes(encTime.data, encTime.len); + printf("END\n"); + exit(0); + } + if (addbuiltin.options[opt_Trust].activated) ++mutuallyExclusiveOpts; if (addbuiltin.options[opt_Distrust].activated) @@ -458,12 +493,12 @@ main(int argc, char **argv) } if (addbuiltin.options[opt_DistrustCRL].activated) { - if (!addbuiltin.options[opt_CRLEnry].activated) { + if (!addbuiltin.options[opt_CRLEntry].activated) { fprintf(stderr, "%s: you must specify the CRL entry number.\n", progName); Usage(progName); } else { - crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg); + crlentry = atoi(addbuiltin.options[opt_CRLEntry].arg); if (crlentry < 1) { fprintf(stderr, "%s: The CRL entry number must be > 0.\n", progName); |