diff options
Diffstat (limited to 'security/nss/cmd/certutil/certutil.c')
-rw-r--r-- | security/nss/cmd/certutil/certutil.c | 203 |
1 files changed, 121 insertions, 82 deletions
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index 02350a903..13c0deea4 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -78,7 +78,7 @@ extern SECKEYPrivateKey *CERTUTIL_GeneratePrivateKey(KeyType keytype, char *noise, SECKEYPublicKey **pubkeyp, char *pqgFile, - char *passFile); + secuPWData *pwdata); static char *progName; @@ -511,6 +511,7 @@ printCertCB(CERTCertificate *cert, void *arg) { SECStatus rv; SECItem data; + CERTCertTrust *trust = (CERTCertTrust *)arg; data.data = cert->derCert.data; data.len = cert->derCert.len; @@ -521,8 +522,13 @@ printCertCB(CERTCertificate *cert, void *arg) SECU_PrintError(progName, "problem printing certificate"); return(SECFailure); } - SECU_PrintTrustFlags(stdout, &cert->dbEntry->trust, - "Certificate Trust Flags", 1); + if (trust) { + SECU_PrintTrustFlags(stdout, trust, + "Certificate Trust Flags", 1); + } else { + SECU_PrintTrustFlags(stdout, &cert->dbEntry->trust, + "Certificate Trust Flags", 1); + } printf("\n"); @@ -581,7 +587,17 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, /* List certs on a non-internal slot. */ if (PK11_NeedLogin(slot)) PK11_Authenticate(slot, PR_TRUE, pwarg); - rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout); + if (name) { + CERTCertificate *the_cert; + the_cert = PK11_FindCertFromNickname(name, NULL); + if (!the_cert) { + SECU_PrintError(progName, "Could not find: %s\n", name); + return SECFailure; + } + rv = printCertCB(the_cert, the_cert->trust); + } else { + rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout); + } if (rv) { SECU_PrintError(progName, "problem printing certificate nicknames"); return SECFailure; @@ -593,27 +609,21 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, static SECStatus ListCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, - PRBool raw, PRBool ascii, PRFileDesc *outfile, char *passFile) + PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata) { SECStatus rv; - secuPWData pwdata = { PW_NONE, 0 }; - - if (passFile) { - pwdata.source = PW_FROMFILE; - pwdata.data = passFile; - } if (slot == NULL) { PK11SlotList *list; PK11SlotListElement *le; list= PK11_GetAllTokens(CKM_INVALID_MECHANISM, - PR_FALSE,PR_FALSE,&pwdata); + PR_FALSE,PR_FALSE,pwdata); if (list) for (le = list->head; le; le = le->next) { - rv = listCerts(handle,name,le->slot,raw,ascii,outfile,&pwdata); + rv = listCerts(handle,name,le->slot,raw,ascii,outfile,pwdata); } } else { - rv = listCerts(handle,name,slot,raw,ascii,outfile,&pwdata); + rv = listCerts(handle,name,slot,raw,ascii,outfile,pwdata); } return rv; } @@ -643,7 +653,7 @@ DeleteCert(CERTCertDBHandle *handle, char *name) static SECStatus ValidateCert(CERTCertDBHandle *handle, char *name, char *date, - char *certUsage, PRBool checkSig, PRBool logit) + char *certUsage, PRBool checkSig, PRBool logit, secuPWData *pwdata) { SECStatus rv; CERTCertificate *cert; @@ -701,7 +711,7 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date, } rv = CERT_VerifyCert(handle, cert, checkSig, usage, - timeBoundary, NULL, log); + timeBoundary, pwdata, log); if ( log ) { if ( log->head == NULL ) { fprintf(stdout, "%s: certificate is valid\n", progName); @@ -832,11 +842,10 @@ SECStatus secu_PrintKeyFromCert(CERTCertificate *cert, void *data) { FILE *out; - char *name; - SECKEYPublicKey *key; + SECKEYPrivateKey *key; out = (FILE *)data; - key = CERT_ExtractPublicKey(cert); + key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL); if (!key) { fprintf(out, "XXX could not extract key for %s.\n", cert->nickname); return SECFailure; @@ -882,15 +891,9 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg) static SECStatus ListKeys(PK11SlotInfo *slot, char *keyname, int index, - KeyType keyType, PRBool dopriv, char *passFile) + KeyType keyType, PRBool dopriv, secuPWData *pwdata) { SECStatus rv = SECSuccess; - secuPWData pwdata = { PW_NONE, 0 }; - - if (passFile) { - pwdata.source = PW_FROMFILE; - pwdata.data = passFile; - } #ifdef notdef if (keyname) { @@ -909,29 +912,34 @@ ListKeys(PK11SlotInfo *slot, char *keyname, int index, PK11SlotList *list; PK11SlotListElement *le; - list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,&pwdata); + list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,pwdata); if (list) for (le = list->head; le; le = le->next) { - rv = listKeys(le->slot,keyType,&pwdata); + rv = listKeys(le->slot,keyType,pwdata); } } else { - rv = listKeys(slot,keyType,&pwdata); + rv = listKeys(slot,keyType,pwdata); } return rv; } -#ifdef notdef static SECStatus -DeleteKey(SECKEYKeyDBHandle *handle, char *nickname) +DeleteKey(char *nickname, secuPWData *pwdata) { SECStatus rv; - - rv = SECU_DeleteKeyByName(handle, nickname); + CERTCertificate *cert; + PK11SlotInfo *slot; + + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) + PK11_Authenticate(slot, PR_TRUE, pwdata); + cert = PK11_FindCertFromNickname(nickname, pwdata); + if (!cert) return SECFailure; + rv = PK11_DeleteTokenCertAndKey(cert, pwdata); if (rv != SECSuccess) { SECU_PrintError("problem deleting private key \"%s\"\n", nickname); } return rv; } -#endif /* @@ -969,6 +977,7 @@ Usage(char *progName) #define FPS fprintf(stderr, FPS "Type %s -H for more detailed descriptions\n", progName); FPS "Usage: %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName); + FPS "Usage: %s -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile]\n", progName); FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", progName); FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n" @@ -1000,7 +1009,7 @@ Usage(char *progName) "\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6]\n", progName); FPS "\t%s -U [-d certdir] [-P dbprefix]\n", progName); - exit(-1); + exit(1); } static void LongUsage(char *progName) @@ -1159,6 +1168,15 @@ static void LongUsage(char *progName) FPS "%-20s Cert & Key database prefix\n", " -P dbprefix"); FPS "\n"); + FPS "%-15s Reset the Key database or token\n", + "-T"); + FPS "%-20s Cert database directory (default is ~/.netscape)\n", + " -d certdir"); + FPS "%-20s Cert & Key database prefix\n", + " -P dbprefix"); + FPS "%-20s Token to reset (default is internal)\n" + " -h token-name"); + FPS "\n"); FPS "%-15s Generate a certificate request (stdout)\n", "-R"); @@ -1249,7 +1267,7 @@ static void LongUsage(char *progName) " -6 "); FPS "\n"); - exit(-1); + exit(1); #undef FPS } @@ -2036,6 +2054,7 @@ enum { cmd_NewDBs, cmd_CertReq, cmd_CreateAndAddCert, + cmd_TokenReset, cmd_ListModules, cmd_CheckCertValidity, cmd_ChangePassword, @@ -2044,7 +2063,8 @@ enum { /* Certutil options */ enum { - opt_AddKeyUsageExt = 0, + opt_SSOPass = 0, + opt_AddKeyUsageExt, opt_AddBasicConstraintExt, opt_AddAuthorityKeyIDExt, opt_AddCRLDistPtsExt, @@ -2094,6 +2114,7 @@ static secuCommandFlag certutil_commands[] = { /* cmd_NewDBs */ 'N', PR_FALSE, 0, PR_FALSE }, { /* cmd_CertReq */ 'R', PR_FALSE, 0, PR_FALSE }, { /* cmd_CreateAndAddCert */ 'S', PR_FALSE, 0, PR_FALSE }, + { /* cmd_TokenReset */ 'T', PR_FALSE, 0, PR_FALSE }, { /* cmd_ListModules */ 'U', PR_FALSE, 0, PR_FALSE }, { /* cmd_CheckCertValidity */ 'V', PR_FALSE, 0, PR_FALSE }, { /* cmd_ChangePassword */ 'W', PR_FALSE, 0, PR_FALSE }, @@ -2102,6 +2123,7 @@ static secuCommandFlag certutil_commands[] = static secuCommandFlag certutil_options[] = { + { /* opt_SSOPass */ '0', PR_TRUE, 0, PR_FALSE }, { /* opt_AddKeyUsageExt */ '1', PR_FALSE, 0, PR_FALSE }, { /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE }, { /* opt_AddAuthorityKeyIDExt*/ '3', PR_FALSE, 0, PR_FALSE }, @@ -2199,7 +2221,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -g: Keysize must be between %d and %d.\n", MIN_KEY_BITS, MAX_KEY_BITS); - return -1; + return 255; } } @@ -2222,7 +2244,7 @@ main(int argc, char **argv) } else { PR_fprintf(PR_STDERR, "%s -k: %s is not a recognized type.\n", progName, certutil.options[opt_KeyType].arg); - return -1; + return 255; } } @@ -2232,7 +2254,7 @@ main(int argc, char **argv) if (serialNumber < 0) { PR_fprintf(PR_STDERR, "%s -m: %s is not a valid serial number.\n", progName, certutil.options[opt_SerialNumber].arg); - return -1; + return 255; } } @@ -2245,7 +2267,7 @@ main(int argc, char **argv) if (keytype != dsaKey) { PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)", progName); - return -1; + return 255; } } @@ -2255,7 +2277,7 @@ main(int argc, char **argv) if (!subject) { PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n", progName, certutil.options[opt_Subject].arg); - return -1; + return 255; } } @@ -2265,7 +2287,7 @@ main(int argc, char **argv) if (validitylength < 0) { PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n", progName, certutil.options[opt_Validity].arg); - return -1; + return 255; } } @@ -2282,7 +2304,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.", progName, publicExponent); PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n"); - return -1; + return 255; } } @@ -2304,7 +2326,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag); } PR_fprintf(PR_STDERR, "\n"); - return -1; + return 255; } if (commandsEntered == 0) { PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName); @@ -2322,7 +2344,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -%c: nickname is required for this command (-n).\n", progName, commandToRun); - return -1; + return 255; } /* -A, -E, -M, -S require trust */ @@ -2334,7 +2356,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -%c: trust is required for this command (-t).\n", progName, commandToRun); - return -1; + return 255; } /* if -L is given raw or ascii mode, it must be for only one cert. */ @@ -2345,7 +2367,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s: nickname is required to dump cert in raw or ascii mode.\n", progName); - return -1; + return 255; } /* -L can only be in (raw || ascii). */ @@ -2355,7 +2377,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s: cannot specify both -r and -a when dumping cert.\n", progName); - return -1; + return 255; } /* For now, deny -C -x combination */ @@ -2364,7 +2386,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s: self-signing a cert request is not supported.\n", progName); - return -1; + return 255; } /* If making a cert request, need a subject. */ @@ -2374,7 +2396,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -%c: subject is required to create a cert request.\n", progName, commandToRun); - return -1; + return 255; } /* If making a cert, need a serial number. */ @@ -2392,7 +2414,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -V: specify a usage to validate the cert for (-u).\n", progName); - return -1; + return 255; } /* To make a cert, need either a issuer or to self-sign it. */ @@ -2402,7 +2424,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -S: must specify issuer (-c) or self-sign (-x).\n", progName); - return -1; + return 255; } /* Using slotname == NULL for listing keys and certs on all slots, @@ -2412,7 +2434,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -%c: cannot use \"-h all\" for this command.\n", progName, commandToRun); - return -1; + return 255; } /* Using keytype == nullKey for list all key types, but only that. */ @@ -2420,7 +2442,7 @@ main(int argc, char **argv) PR_fprintf(PR_STDERR, "%s -%c: cannot use \"-k all\" for this command.\n", progName, commandToRun); - return -1; + return 255; } /* -S open outFile, temporary file for cert request. */ @@ -2431,7 +2453,7 @@ main(int argc, char **argv) "%s -o: unable to open \"%s\" for writing (%ld, %ld)\n", progName, certreqfile, PR_GetError(), PR_GetOSError()); - return -1; + return 255; } } @@ -2443,7 +2465,7 @@ main(int argc, char **argv) "%s: unable to open \"%s\" for reading (%ld, %ld).\n", progName, certutil.options[opt_InputFile].arg, PR_GetError(), PR_GetOSError()); - return -1; + return 255; } } @@ -2456,7 +2478,7 @@ main(int argc, char **argv) "%s: unable to open \"%s\" for writing (%ld, %ld).\n", progName, certutil.options[opt_OutputFile].arg, PR_GetError(), PR_GetOSError()); - return -1; + return 255; } } @@ -2470,7 +2492,7 @@ main(int argc, char **argv) "secmod.db", 0); if (rv != SECSuccess) { SECU_PrintPRandOSError(progName); - return -1; + return 255; } certHandle = CERT_GetDefaultCertDB(); @@ -2496,53 +2518,68 @@ main(int argc, char **argv) rv = ListCerts(certHandle, name, slot, certutil.options[opt_BinaryDER].activated, certutil.options[opt_ASCIIForIO].activated, - (outFile) ? outFile : PR_STDOUT, - certutil.options[opt_PasswordFile].arg); - return !rv - 1; + (outFile) ? outFile : PR_STDOUT, &pwdata); + return rv ? 255 : 0; } /* XXX needs work */ /* List keys (-K) */ if (certutil.commands[cmd_ListKeys].activated) { rv = ListKeys(slot, name, 0 /*keyindex*/, keytype, PR_FALSE /*dopriv*/, - certutil.options[opt_PasswordFile].arg); - return !rv - 1; + &pwdata); + return rv ? 255 : 0; } /* List modules (-U) */ if (certutil.commands[cmd_ListModules].activated) { rv = ListModules(); - return !rv - 1; + return rv ? 255 : 0; } /* Delete cert (-D) */ if (certutil.commands[cmd_DeleteCert].activated) { rv = DeleteCert(certHandle, name); - return !rv - 1; + return rv ? 255 : 0; } -#ifdef notdef /* Delete key (-F) */ if (certutil.commands[cmd_DeleteKey].activated) { - rv = DeleteKey(keyHandle, name); - return !rv - 1; + rv = DeleteKey(name, &pwdata); + return rv ? 255 : 0; } -#endif /* Modify trust attribute for cert (-M) */ if (certutil.commands[cmd_ModifyCertTrust].activated) { rv = ChangeTrustAttributes(certHandle, name, certutil.options[opt_Trust].arg); - return !rv - 1; + return rv ? 255 : 0; } /* Change key db password (-W) (future - change pw to slot?) */ if (certutil.commands[cmd_ChangePassword].activated) { rv = SECU_ChangePW(slot, 0, certutil.options[opt_PasswordFile].arg); - return !rv - 1; + return rv ? 255 : 0; + } + /* Reset the a token */ + if (certutil.commands[cmd_TokenReset].activated) { + char *sso_pass = ""; + + if (certutil.options[opt_SSOPass].activated) { + sso_pass = certutil.options[opt_SSOPass].arg; + } + rv = PK11_ResetToken(slot,sso_pass); + + return !rv - 1; } + /* Check cert validity against current time (-V) */ if (certutil.commands[cmd_CheckCertValidity].activated) { + /* XXX temporary hack for fips - must log in to get priv key */ + if (certutil.options[opt_VerifySig].activated) { + if (PK11_NeedLogin(slot)) + PK11_Authenticate(slot, PR_TRUE, &pwdata); + } rv = ValidateCert(certHandle, name, certutil.options[opt_ValidityTime].arg, certutil.options[opt_Usage].arg, certutil.options[opt_VerifySig].activated, - certutil.options[opt_DetailedInfo].activated); - return !rv - 1; + certutil.options[opt_DetailedInfo].activated, + &pwdata); + return rv ? 255 : 0; } /* @@ -2560,11 +2597,12 @@ main(int argc, char **argv) certutil.options[opt_NoiseFile].arg, &pubkey, certutil.options[opt_PQGFile].arg, - certutil.options[opt_PasswordFile].arg); + &pwdata); if (privkey == NULL) { SECU_PrintError(progName, "unable to generate key(s)\n"); - return -1; + return 255; } + privkey->wincx = &pwdata; PORT_Assert(pubkey != NULL); /* If all that was needed was keygen, exit. */ @@ -2585,7 +2623,8 @@ main(int argc, char **argv) certutil.options[opt_ASCIIForIO].activated, outFile ? outFile : PR_STDOUT); if (rv) - return -1; + return 255; + privkey->wincx = &pwdata; } /* @@ -2601,13 +2640,13 @@ main(int argc, char **argv) if (!inFile) { PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n", certreqfile, PR_GetError(), PR_GetOSError()); - return -1; + return 255; } outFile = PR_Open(certfile, PR_RDWR | PR_CREATE_FILE, 00660); if (!outFile) { PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n", certfile, PR_GetError(), PR_GetOSError()); - return -1; + return 255; } } @@ -2627,7 +2666,7 @@ main(int argc, char **argv) certutil.options[opt_AddCRLDistPtsExt].activated, certutil.options[opt_AddNSCertTypeExt].activated); if (rv) - return -1; + return 255; } /* @@ -2641,7 +2680,7 @@ main(int argc, char **argv) if (!inFile) { PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n", certfile, PR_GetError(), PR_GetOSError()); - return -1; + return 255; } } @@ -2654,7 +2693,7 @@ main(int argc, char **argv) certutil.options[opt_ASCIIForIO].activated, certutil.commands[cmd_AddEmailCert].activated); if (rv) - return -1; + return 255; } if (certutil.commands[cmd_CreateAndAddCert].activated) { |