Bug 1371303 - Add "digest" command to NSS tool r=ttaubert

Differential Revision: https://nss-review.dev.mozaws.net/D253

6 files changed, 204 insertions, 0 deletions

diff --git a/nss-tool/common/util.cc b/nss-tool/common/util.cc
index e5af2cb8a..77459155a 100644
--- a/nss-tool/common/util.cc
+++ b/nss-tool/common/util.cc
@@ -199,3 +199,18 @@ std::vector<uint8_t> ReadInputData(std::string dataPath) {
 
   return data;
 }
+
+std::istream &GetStreamFromFileOrStdin(std::string &path, std::ifstream &ifs) {
+  if (path.empty()) {
+    return std::cin;
+  }
+
+  ifs.open(path, std::ifstream::binary);
+  if (!ifs.good()) {
+    std::cerr << "IO Error when opening " << path << std::endl;
+    std::cerr << "Input file does not exist or you don't have permissions."
+              << std::endl;
+  }
+
+  return ifs;
+}
diff --git a/nss-tool/common/util.h b/nss-tool/common/util.h
index bc2e297a4..58fb05839 100644
--- a/nss-tool/common/util.h
+++ b/nss-tool/common/util.h
@@ -27,5 +27,6 @@ bool ChangeSlotPassword(void);
 bool DBLoginIfNeeded(const ScopedPK11SlotInfo &slot);
 std::string StringToHex(const ScopedSECItem &input);
 std::vector<uint8_t> ReadInputData(std::string dataPath);
+std::istream &GetStreamFromFileOrStdin(std::string &path, std::ifstream &ifs);
 
 #endif  // util_h__
diff --git a/nss-tool/digest/digesttool.cc b/nss-tool/digest/digesttool.cc
new file mode 100644
index 000000000..08c3e3ba7
--- /dev/null
+++ b/nss-tool/digest/digesttool.cc
@@ -0,0 +1,161 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "digesttool.h"
+#include "argparse.h"
+#include "scoped_ptrs.h"
+#include "util.h"
+
+#include <algorithm>
+#include <fstream>
+#include <iomanip>
+#include <iostream>
+
+#include <hasht.h>  // contains supported digest types
+#include <nss.h>
+#include <pk11pub.h>
+#include <prio.h>
+
+static SECOidData* HashTypeToOID(HASH_HashType hashtype) {
+  SECOidTag hashtag;
+
+  if (hashtype <= HASH_AlgNULL || hashtype >= HASH_AlgTOTAL) {
+    return nullptr;
+  }
+
+  switch (hashtype) {
+    case HASH_AlgMD5:
+      hashtag = SEC_OID_MD5;
+      break;
+    case HASH_AlgSHA1:
+      hashtag = SEC_OID_SHA1;
+      break;
+    case HASH_AlgSHA224:
+      hashtag = SEC_OID_SHA224;
+      break;
+    case HASH_AlgSHA256:
+      hashtag = SEC_OID_SHA256;
+      break;
+    case HASH_AlgSHA384:
+      hashtag = SEC_OID_SHA384;
+      break;
+    case HASH_AlgSHA512:
+      hashtag = SEC_OID_SHA512;
+      break;
+    default:
+      return nullptr;
+  }
+
+  return SECOID_FindOIDByTag(hashtag);
+}
+
+static SECOidData* HashNameToOID(const std::string& hashName) {
+  for (size_t htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
+    SECOidData* hashOID = HashTypeToOID(static_cast<HASH_HashType>(htype));
+    if (hashOID && std::string(hashOID->desc) == hashName) {
+      return hashOID;
+    }
+  }
+
+  return nullptr;
+}
+
+static bool Digest(const ArgParser& parser, SECOidData* hashOID);
+static bool ComputeDigest(std::istream& is, ScopedPK11Context& hashCtx);
+
+bool DigestTool::Run(const std::vector<std::string>& arguments) {
+  ArgParser parser(arguments);
+
+  if (parser.GetPositionalArgumentCount() != 1) {
+    Usage();
+    return false;
+  }
+
+  // no need for a db for the digest tool
+  SECStatus rv = NSS_NoDB_Init(".");
+  if (rv != SECSuccess) {
+    std::cerr << "NSS init failed!" << std::endl;
+    return false;
+  }
+
+  std::string hashName = parser.GetPositionalArgument(0);
+  std::transform(hashName.begin(), hashName.end(), hashName.begin(), ::toupper);
+  SECOidData* hashOID = HashNameToOID(hashName);
+  if (hashOID == nullptr) {
+    std::cerr << "Error: Unknown digest type "
+              << parser.GetPositionalArgument(0) << "." << std::endl;
+    return false;
+  }
+
+  bool ret = Digest(parser, hashOID);
+
+  // shutdown nss
+  if (NSS_Shutdown() != SECSuccess) {
+    std::cerr << "NSS Shutdown failed!" << std::endl;
+    return false;
+  }
+
+  return ret;
+}
+
+void DigestTool::Usage() {
+  std::cerr << "Usage: nss digest md5|sha-1|sha-224|sha-256|sha-384|sha-512 "
+               "[--infile <path>]"
+            << std::endl;
+}
+
+static bool Digest(const ArgParser& parser, SECOidData* hashOID) {
+  std::string inputFile;
+  if (parser.Has("--infile")) {
+    inputFile = parser.Get("--infile");
+  }
+
+  ScopedPK11Context hashCtx(PK11_CreateDigestContext(hashOID->offset));
+  if (hashCtx == nullptr) {
+    std::cerr << "Creating digest context failed." << std::endl;
+    return false;
+  }
+  PK11_DigestBegin(hashCtx.get());
+
+  std::ifstream fis;
+  std::istream& is = GetStreamFromFileOrStdin(inputFile, fis);
+  if (!is.good() || !ComputeDigest(is, hashCtx)) {
+    return false;
+  }
+
+  unsigned char digest[HASH_LENGTH_MAX];
+  unsigned int len;
+  SECStatus rv = PK11_DigestFinal(hashCtx.get(), digest, &len, HASH_LENGTH_MAX);
+  if (rv != SECSuccess || len == 0) {
+    std::cerr << "Calculating final hash value failed." << std::endl;
+    return false;
+  }
+
+  // human readable output
+  for (size_t i = 0; i < len; i++) {
+    std::cout << std::setw(2) << std::setfill('0') << std::hex
+              << static_cast<int>(digest[i]);
+  }
+  std::cout << std::endl;
+
+  return true;
+}
+
+static bool ComputeDigest(std::istream& is, ScopedPK11Context& hashCtx) {
+  while (is) {
+    unsigned char buf[4096];
+    is.read(reinterpret_cast<char*>(buf), sizeof(buf));
+    if (is.fail() && !is.eof()) {
+      std::cerr << "Error reading from input stream." << std::endl;
+      return false;
+    }
+    SECStatus rv = PK11_DigestOp(hashCtx.get(), buf, is.gcount());
+    if (rv != SECSuccess) {
+      std::cerr << "PK11_DigestOp failed." << std::endl;
+      return false;
+    }
+  }
+
+  return true;
+}
diff --git a/nss-tool/digest/digesttool.h b/nss-tool/digest/digesttool.h
new file mode 100644
index 000000000..0e18346f5
--- /dev/null
+++ b/nss-tool/digest/digesttool.h
@@ -0,0 +1,20 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef digest_tool_h__
+#define digest_tool_h__
+
+#include <string>
+#include <vector>
+#include "tool.h"
+
+class DigestTool : public Tool {
+ public:
+  bool Run(const std::vector<std::string>& arguments) override;
+
+ private:
+  void Usage() override;
+};
+
+#endif  // digest_tool_h__
diff --git a/nss-tool/nss_tool.cc b/nss-tool/nss_tool.cc
index 1d8fc6153..8864f140d 100644
--- a/nss-tool/nss_tool.cc
+++ b/nss-tool/nss_tool.cc
@@ -13,6 +13,7 @@
 
 #include "argparse.h"
 #include "db/dbtool.h"
+#include "digest/digesttool.h"
 #include "enc/enctool.h"
 #include "tool.h"
 
@@ -21,11 +22,13 @@ static void Usage() {
   std::cerr << "       nss db [--path <directory>] <commands>" << std::endl;
   std::cerr << "       nss encrypt <options>" << std::endl;
   std::cerr << "       nss decrypt <options>" << std::endl;
+  std::cerr << "       nss digest <options>" << std::endl;
 }
 
 static const std::string kDbCommand = "db";
 static const std::string kEncryptCommand = "encrypt";
 static const std::string kDecryptCommand = "decrypt";
+static const std::string kDigestCommand = "digest";
 
 int main(int argc, char **argv) {
   if (argc < 2) {
@@ -46,6 +49,9 @@ int main(int argc, char **argv) {
     tool = std::unique_ptr<Tool>(new EncTool());
     arguments.push_back("--decrypt");
   }
+  if (argv[1] == kDigestCommand) {
+    tool = std::unique_ptr<Tool>(new DigestTool());
+  }
   if (!tool) {
     Usage();
     return 1;
diff --git a/nss-tool/nss_tool.gyp b/nss-tool/nss_tool.gyp
index ed408e9b6..a5d03fcf9 100644
--- a/nss-tool/nss_tool.gyp
+++ b/nss-tool/nss_tool.gyp
@@ -16,6 +16,7 @@
         'common/util.cc',
         'db/dbtool.cc',
         'enc/enctool.cc',
+        'digest/digesttool.cc'
       ],
       'include_dirs': [
         'common',