author | Marcus Burghardt <mburghardt@mozilla.com> | 2019-10-11 03:49:25 +0000 |
committer | Marcus Burghardt <mburghardt@mozilla.com> | 2019-10-11 03:49:25 +0000 |
commit | 4773827d33691bfe104debb0b78156574612b24d (patch) | |
tree | 56dc1dcd9dd8bb50849f5e81ba6c337383870a96 /cmd | |
parent | 96a54e65e82ad4baa20ca208e633bd20f136f365 (diff) | |
download | nss-hg-4773827d33691bfe104debb0b78156574612b24d.tar.gz |
Bug 1465613 - Created two new fields for scheduled distrust from builtins and updated support commands. r=jcj,kjacobs,mt
Added two new fields for scheduled distrust of CAs in nssckbi/builtins.
Also, created a testlib to validate these fields with gtests.
Differential Revision: https://phabricator.services.mozilla.com/D36597
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/addbuiltin/addbuiltin.c | 89 | ||||
-rw-r--r-- | cmd/lib/secutil.c | 74 |
2 files changed, 108 insertions, 55 deletions
diff --git a/cmd/addbuiltin/addbuiltin.c b/cmd/addbuiltin/addbuiltin.c
index 831672039..92ef75897 100644
--- a/cmd/addbuiltin/addbuiltin.c
+++ b/cmd/addbuiltin/addbuiltin.c
@@ -230,6 +230,8 @@ ConvertCertificate(SECItem *sdder, char *nickname, CERTCertTrust *trust,
 hasPositiveTrust(trust->objectSigningFlags)) {
 printf("CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE\n");
 }
+ printf("CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
+ printf("CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE\n");
 }
 if ((trust->sslFlags | trust->emailFlags | trust->objectSigningFlags) ==
@@ -306,19 +308,21 @@ printheader()
 "#\n"
 "# Certificates\n"
 "#\n"
- "# -- Attribute -- -- type -- -- value --\n"
- "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
- "# CKA_TOKEN CK_BBOOL CK_TRUE\n"
- "# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
- "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
- "# CKA_LABEL UTF8 (varies)\n"
- "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
- "# CKA_SUBJECT DER+base64 (varies)\n"
- "# CKA_ID byte array (varies)\n"
- "# CKA_ISSUER DER+base64 (varies)\n"
- "# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
- "# CKA_VALUE DER+base64 (varies)\n"
- "# CKA_NSS_EMAIL ASCII7 (unused here)\n"
+ "# -- Attribute -- -- type -- -- value --\n"
+ "# CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n"
+ "# CKA_TOKEN CK_BBOOL CK_TRUE\n"
+ "# CKA_PRIVATE CK_BBOOL CK_FALSE\n"
+ "# CKA_MODIFIABLE CK_BBOOL CK_FALSE\n"
+ "# CKA_LABEL UTF8 (varies)\n"
+ "# CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n"
+ "# CKA_SUBJECT DER+base64 (varies)\n"
+ "# CKA_ID byte array (varies)\n"
+ "# CKA_ISSUER DER+base64 (varies)\n"
+ "# CKA_SERIAL_NUMBER DER+base64 (varies)\n"
+ "# CKA_VALUE DER+base64 (varies)\n"
+ "# CKA_NSS_EMAIL ASCII7 (unused here)\n"
+ "# CKA_NSS_SERVER_DISTRUST_AFTER DER+base64 (varies)\n"
+ "# CKA_NSS_EMAIL_DISTRUST_AFTER DER+base64 (varies)\n"
 "#\n"
 "# Trust\n"
 "#\n"
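Review bot: The two added `printf` lines write `CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE` and its e-mail twin for every certificate that reaches this block, yet nothing says that CK_FALSE is a placeholder meaning "no distrust scheduled" which a maintainer is expected to replace with a `MULTILINE_OCTAL` DER time (the form the new `-d` option prints later in this commit). A one-line comment above the first added line would spare the next reader that hunt: `/* Placeholder: no scheduled distrust. Replace CK_FALSE with the MULTILINE_OCTAL time printed by 'addbuiltin -d' to schedule one. */`. The block these lines sit in opens before the hunk, so which certificates reach them is not visible here.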
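Review bot: The two header lines added for `CKA_NSS_SERVER_DISTRUST_AFTER` and `CKA_NSS_EMAIL_DISTRUST_AFTER` describe their type as `DER+base64 (varies)`, but nothing in this commit emits them that way: ConvertCertificate prints `CK_BBOOL CK_FALSE` and the `-d` helper prints a `MULTILINE_OCTAL` block, so the header misdescribes the file it introduces. I would write the server line as `"# CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL or MULTILINE_OCTAL (CK_FALSE, or DER time)\n"` with the matching e-mail line below it. The remainder of the hunk is a whitespace realignment of the existing table and needs no comment.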
@@ -392,6 +396,12 @@ Usage(char *progName)
 fprintf(stderr, "%-15s a CRL entry number, as shown by \"crlutil -S\"\n", "-e");
 fprintf(stderr, "%-15s input file to read (default stdin)\n", "-i file");
 fprintf(stderr, "%-15s (pipe through atob if the cert is b64-encoded)\n", "");
+ fprintf(stderr, "%-15s convert a timestamp to DER, and output.\n", "-d timestamp");
+ fprintf(stderr, "%-15s useful to fill server and email distrust fields\n", "");
+ fprintf(stderr, "%-15s Example: %s -d 1561939200\n", "", progName);
+ fprintf(stderr, "%-15s NOTE: The informed timestamp are interpreted as seconds\n", "");
+ fprintf(stderr, "%-15s since unix epoch.\n", "");
+ fprintf(stderr, "%-15s TIP: date -d \"2019-07-01 00:00:00 UTC\" +%%s\n", "");
 exit(-1);
 }
@@ -403,20 +413,21 @@ enum {
 opt_ExcludeCert,
 opt_ExcludeHash,
 opt_DistrustCRL,
- opt_CRLEnry
+ opt_CRLEntry,
+ opt_ConvertDate
 };
-static secuCommandFlag addbuiltin_options[] =
- {
- { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
- { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
- { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
- { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
- { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
- { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
- { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
- { /* opt_CRLEnry */ 'e', PR_TRUE, 0, PR_FALSE },
- };
+static secuCommandFlag addbuiltin_options[] = {
+ { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Nickname */ 'n', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Trust */ 't', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Distrust */ 'D', PR_FALSE, 0, PR_FALSE },
+ { /* opt_ExcludeCert */ 'c', PR_FALSE, 0, PR_FALSE },
+ { /* opt_ExcludeHash */ 'h', PR_FALSE, 0, PR_FALSE },
+ { /* opt_DistrustCRL */ 'C', PR_FALSE, 0, PR_FALSE },
+ { /* opt_CRLEntry */ 'e', PR_TRUE, 0, PR_FALSE },
+ { /* opt_ConvertDate */ 'd', PR_TRUE, 0, PR_FALSE },
+};
 int
 main(int argc, char **argv)
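Review bot: The help text added for `-d` is user-facing and reads awkwardly: `NOTE: The informed timestamp are interpreted as seconds` should be `NOTE: The given timestamp is interpreted as seconds` (subject/verb agreement, and "informed" is not English usage for "supplied"). It would also help to say what the option does not do: from the main() hunk later in this commit, `-d` prints the encoded time and exits, so `-i`, `-n` and `-t` are ignored when it is present, and a line such as `fprintf(stderr, "%-15s (-d prints the encoded time and exits; other options are ignored)\n", "");` would make that explicit. The second hunk on this line only renames opt_CRLEnry to opt_CRLEntry and registers the `'d'` flag, which looks fine.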
@@ -444,6 +455,30 @@ main(int argc, char **argv)
 if (rv != SECSuccess)
 Usage(progName);
+ if (addbuiltin.options[opt_ConvertDate].activated) {
+ char* endPtr;
+ PRTime distrustTimestamp = strtol(addbuiltin.options[opt_ConvertDate].arg, &endPtr, 0) * PR_USEC_PER_SEC;
+ if (*endPtr != '\0' && distrustTimestamp > 0) {
+ Usage(progName);
+ exit(1);
+ }
+ SECItem encTime;
+ DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp);
+ SECU_PrintTimeChoice(stdout, &encTime, "The timestamp represents this date", 0);
+ printf("Locate the entry of the desired certificate in certdata.txt\n"
+ "Erase the CKA_NSS_[SERVER|EMAIL]_DISTRUST_AFTER CK_BBOOL CK_FALSE\n"
+ "And override with the following respective entry:\n\n");
+ SECU_PrintTimeChoice(stdout, &encTime, "# For Server Distrust After", 0);
+ printf("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL\n");
+ dumpbytes(encTime.data, encTime.len);
+ printf("END\n");
+ SECU_PrintTimeChoice(stdout, &encTime, "# For Email Distrust After", 0);
+ printf("CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL\n");
+ dumpbytes(encTime.data, encTime.len);
+ printf("END\n");
+ exit(0);
+ }
+
 if (addbuiltin.options[opt_Trust].activated)
 ++mutuallyExclusiveOpts;
 if (addbuiltin.options[opt_Distrust].activated)
@@ -458,12 +493,12 @@ main(int argc, char **argv)
 }
 if (addbuiltin.options[opt_DistrustCRL].activated) {
- if (!addbuiltin.options[opt_CRLEnry].activated) {
+ if (!addbuiltin.options[opt_CRLEntry].activated) {
 fprintf(stderr, "%s: you must specify the CRL entry number.\n",
 progName);
 Usage(progName);
 } else {
- crlentry = atoi(addbuiltin.options[opt_CRLEnry].arg);
+ crlentry = atoi(addbuiltin.options[opt_CRLEntry].arg);
 if (crlentry < 1) {
 fprintf(stderr, "%s: The CRL entry number must be > 0.\n",
 progName);
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
index aafde9b5f..703845e98 100644
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
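Review bot: The `-d` argument check `if (*endPtr != '\0' && distrustTimestamp > 0)` is inverted: it rejects `-d 123abc` but lets `-d abc` (strtol yields 0), `-d 0` and negative values through, and the `exit(1)` under it is dead code because Usage() ends with `exit(-1)` (previous hunk). `strtol(...) * PR_USEC_PER_SEC` is also multiplied as `long` before the PRTime conversion, so on an ILP32 build any realistic epoch second count overflows (undefined behaviour) before it is widened, and `DER_EncodeTimeChoice` is called without checking its result, leaving `encTime` uninitialised for SECU_PrintTimeChoice and dumpbytes if it fails. I would rewrite the parsing and encoding as below and keep the printing part of the hunk; the `errno` test assumes `<errno.h>` is already available in this file, which I cannot see from here. The remainder of main() lies outside the hunk.

```c
    if (addbuiltin.options[opt_ConvertDate].activated) {
        const char *dateArg = addbuiltin.options[opt_ConvertDate].arg;
        char *endPtr = NULL;
        errno = 0;
        long seconds = strtol(dateArg, &endPtr, 0);
        /* Reject empty input, trailing garbage, out-of-range and non-positive
         * values; strtol alone reports none of these as an error. */
        if (endPtr == dateArg || *endPtr != '\0' || errno == ERANGE || seconds <= 0) {
            fprintf(stderr, "%s: -d expects a positive number of seconds since the epoch.\n", progName);
            Usage(progName); /* Usage() exits; no further exit() needed */
        }
        /* Widen before scaling: a long multiply overflows on ILP32 targets. */
        PRTime distrustTimestamp = (PRTime)seconds * PR_USEC_PER_SEC;
        SECItem encTime = { siBuffer, NULL, 0 };
        if (DER_EncodeTimeChoice(NULL, &encTime, distrustTimestamp) != SECSuccess) {
            fprintf(stderr, "%s: unable to DER-encode the timestamp.\n", progName);
            exit(1);
        }
        /* ... unchanged: print the decoded date, the instructions and the two MULTILINE_OCTAL blocks ... */
        exit(0);
    }
```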
@@ -1108,36 +1108,33 @@ typedef struct secuPBEParamsStr {
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 /* SECOID_PKCS5_PBKDF2 */
-const SEC_ASN1Template secuKDF2Params[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { 0 }
- };
+const SEC_ASN1Template secuKDF2Params[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+ { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+ { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+ { SEC_ASN1_INTEGER, offsetof(secuPBEParams, keyLength) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { 0 }
+};
 /* PKCS5v1 & PKCS12 */
-const SEC_ASN1Template secuPBEParamsTemp[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
- { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
- { 0 }
- };
+const SEC_ASN1Template secuPBEParamsTemp[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+ { SEC_ASN1_OCTET_STRING, offsetof(secuPBEParams, salt) },
+ { SEC_ASN1_INTEGER, offsetof(secuPBEParams, iterationCount) },
+ { 0 }
+};
 /* SEC_OID_PKCS5_PBES2, SEC_OID_PKCS5_PBMAC1 */
-const SEC_ASN1Template secuPBEV2Params[] =
- {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
- SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
- { 0 }
- };
+const SEC_ASN1Template secuPBEV2Params[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(secuPBEParams) },
+ { SEC_ASN1_INLINE | 
SEC_ASN1_XTRN, offsetof(secuPBEParams, kdfAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, offsetof(secuPBEParams, cipherAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { 0 }
+};
 void
 secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
@@ -2300,8 +2297,9 @@ SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level)
 return rv;
 }
-int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
- SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
+/* sometimes a PRErrorCode, other times a SECStatus. Sigh. */
+int
+SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level)
 {
 PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 CERTCertificateRequest *cr;
@@ -3251,6 +3249,26 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
 "Certificate Trust Flags", 1);
 }
+ /* The distrust fields are hard-coded in nssckbi and read-only.
+ * If verifying some cert, with vfychain, for instance, the certificate may
+ * not have a defined slot if not imported. */
+ if (cert->slot != NULL && cert->distrust != NULL) {
+ const unsigned int kDistrustFieldSize = 13;
+ fprintf(stdout, "\n");
+ SECU_Indent(stdout, 1);
+ fprintf(stdout, "%s:\n", "Certificate Distrust Dates");
+ if (cert->distrust->serverDistrustAfter.len == kDistrustFieldSize) {
+ SECU_PrintTimeChoice(stdout,
+ &cert->distrust->serverDistrustAfter,
+ "Server Distrust After", 2);
+ }
+ if (cert->distrust->emailDistrustAfter.len == kDistrustFieldSize) {
+ SECU_PrintTimeChoice(stdout,
+ &cert->distrust->emailDistrustAfter,
+ "E-mail Distrust After", 2);
+ }
+ }
+
 printf("\n");
 return (SECSuccess); |
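Review bot: `const unsigned int kDistrustFieldSize = 13;` is an unexplained magic number; as far as I can tell it is the length of a DER UTCTime body (`YYMMDDhhmmssZ`), so the two `len ==` tests are really asking whether the attribute holds a UTCTime rather than the `CK_BBOOL CK_FALSE` placeholder that addbuiltin writes by default in this same commit. That deserves a comment, and the exact-length test also means a GeneralizedTime body (15 bytes, which I would expect DER_EncodeTimeChoice to produce for dates from 2050 on) or any malformed value is silently skipped rather than reported. I would rename and document it, e.g. `const unsigned int kUtcTimeBodyLen = 13; /* "YYMMDDhhmmssZ"; anything else (CK_FALSE placeholder or a 15-byte GeneralizedTime) is not printed -- TODO handle the GeneralizedTime form */`. The opening of SEC_PrintCertificateAndTrust is outside the hunk.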