Diffstat (limited to 'security/nss/cmd/certutil/certutil.c')
-rw-r--r--security/nss/cmd/certutil/certutil.c203
1 files changed, 121 insertions, 82 deletions
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index 02350a903..13c0deea4 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -78,7 +78,7 @@ extern SECKEYPrivateKey *CERTUTIL_GeneratePrivateKey(KeyType keytype,
char *noise,
SECKEYPublicKey **pubkeyp,
char *pqgFile,
- char *passFile);
+ secuPWData *pwdata);
static char *progName;
@@ -511,6 +511,7 @@ printCertCB(CERTCertificate *cert, void *arg)
{
SECStatus rv;
SECItem data;
+ CERTCertTrust *trust = (CERTCertTrust *)arg;
data.data = cert->derCert.data;
data.len = cert->derCert.len;
@@ -521,8 +522,13 @@ printCertCB(CERTCertificate *cert, void *arg)
SECU_PrintError(progName, "problem printing certificate");
return(SECFailure);
}
- SECU_PrintTrustFlags(stdout, &cert->dbEntry->trust,
- "Certificate Trust Flags", 1);
+ if (trust) {
+ SECU_PrintTrustFlags(stdout, trust,
+ "Certificate Trust Flags", 1);
+ } else {
+ SECU_PrintTrustFlags(stdout, &cert->dbEntry->trust,
+ "Certificate Trust Flags", 1);
+ }
printf("\n");
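Review bot: The new else branch still dereferences `cert->dbEntry` without a check, and the new caller in listCerts passes `the_cert->trust`, which for a certificate that lives only on a token may presumably be NULL, so the fallback path is now reachable for certs that may have no dbEntry. A guard such as `} else if (cert->dbEntry) {` keeps the old behaviour for database certs and skips the trust dump instead of crashing when there is nothing to print. The `arg` parameter of printCertCB also changed meaning (it is now a `CERTCertTrust *`); a one-line comment above the cast, `/* arg is an optional CERTCertTrust *; NULL means use the cert's own DB entry */`, would help the other traversal callers whose argument is not visible in this hunk.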
@@ -581,7 +587,17 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
/* List certs on a non-internal slot. */
if (PK11_NeedLogin(slot))
PK11_Authenticate(slot, PR_TRUE, pwarg);
- rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout);
+ if (name) {
+ CERTCertificate *the_cert;
+ the_cert = PK11_FindCertFromNickname(name, NULL);
+ if (!the_cert) {
+ SECU_PrintError(progName, "Could not find: %s\n", name);
+ return SECFailure;
+ }
+ rv = printCertCB(the_cert, the_cert->trust);
+ } else {
+ rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout);
+ }
if (rv) {
SECU_PrintError(progName, "problem printing certificate nicknames");
return SECFailure;
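Review bot: The certificate returned by `PK11_FindCertFromNickname` is never released after `printCertCB` returns, and the call passes `NULL` as the password context even though `pwarg` is in scope and was just used for `PK11_Authenticate`. Suggested change: `the_cert = PK11_FindCertFromNickname(name, pwarg);` and, after the `rv = printCertCB(...)` line, `CERT_DestroyCertificate(the_cert);`. Note also that the lookup is by nickname only and is not scoped to `slot`, so when ListCerts iterates over every token with a name set this branch presumably prints the same certificate once per token — if that is unintended, the name lookup belongs in ListCerts rather than in the per-slot helper. The error text "problem printing certificate nicknames" on the `rv` check now also covers a failed single-cert print and could say so.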
@@ -593,27 +609,21 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
static SECStatus
ListCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot,
- PRBool raw, PRBool ascii, PRFileDesc *outfile, char *passFile)
+ PRBool raw, PRBool ascii, PRFileDesc *outfile, secuPWData *pwdata)
{
SECStatus rv;
- secuPWData pwdata = { PW_NONE, 0 };
-
- if (passFile) {
- pwdata.source = PW_FROMFILE;
- pwdata.data = passFile;
- }
if (slot == NULL) {
PK11SlotList *list;
PK11SlotListElement *le;
list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,
- PR_FALSE,PR_FALSE,&pwdata);
+ PR_FALSE,PR_FALSE,pwdata);
if (list) for (le = list->head; le; le = le->next) {
- rv = listCerts(handle,name,le->slot,raw,ascii,outfile,&pwdata);
+ rv = listCerts(handle,name,le->slot,raw,ascii,outfile,pwdata);
}
} else {
- rv = listCerts(handle,name,slot,raw,ascii,outfile,&pwdata);
+ rv = listCerts(handle,name,slot,raw,ascii,outfile,pwdata);
}
return rv;
}
@@ -643,7 +653,7 @@ DeleteCert(CERTCertDBHandle *handle, char *name)
static SECStatus
ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
- char *certUsage, PRBool checkSig, PRBool logit)
+ char *certUsage, PRBool checkSig, PRBool logit, secuPWData *pwdata)
{
SECStatus rv;
CERTCertificate *cert;
@@ -701,7 +711,7 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date,
}
rv = CERT_VerifyCert(handle, cert, checkSig, usage,
- timeBoundary, NULL, log);
+ timeBoundary, pwdata, log);
if ( log ) {
if ( log->head == NULL ) {
fprintf(stdout, "%s: certificate is valid\n", progName);
@@ -832,11 +842,10 @@ SECStatus
secu_PrintKeyFromCert(CERTCertificate *cert, void *data)
{
FILE *out;
- char *name;
- SECKEYPublicKey *key;
+ SECKEYPrivateKey *key;
out = (FILE *)data;
- key = CERT_ExtractPublicKey(cert);
+ key = PK11_FindPrivateKeyFromCert(PK11_GetInternalKeySlot(), cert, NULL);
if (!key) {
fprintf(out, "XXX could not extract key for %s.\n", cert->nickname);
return SECFailure;
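Review bot: `PK11_GetInternalKeySlot()` returns a slot reference that this hunk never releases with `PK11_FreeSlot`, and the lookup passes `NULL` as the password context, so a token that needs a login will fail the lookup and print "could not extract key" rather than prompt; the `data` argument here is only the output `FILE *`, so a `secuPWData` would have to be threaded through the callback's argument to fix that. The body of secu_PrintKeyFromCert continues outside the hunk, so whether the `SECKEYPrivateKey` is destroyed on the success path cannot be seen from here; a comment on the new assignment, `/* caller must hold the token login; key is a new reference */`, would make the ownership explicit.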
@@ -882,15 +891,9 @@ listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg)
static SECStatus
ListKeys(PK11SlotInfo *slot, char *keyname, int index,
- KeyType keyType, PRBool dopriv, char *passFile)
+ KeyType keyType, PRBool dopriv, secuPWData *pwdata)
{
SECStatus rv = SECSuccess;
- secuPWData pwdata = { PW_NONE, 0 };
-
- if (passFile) {
- pwdata.source = PW_FROMFILE;
- pwdata.data = passFile;
- }
#ifdef notdef
if (keyname) {
@@ -909,29 +912,34 @@ ListKeys(PK11SlotInfo *slot, char *keyname, int index,
PK11SlotList *list;
PK11SlotListElement *le;
- list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,&pwdata);
+ list= PK11_GetAllTokens(CKM_INVALID_MECHANISM,PR_FALSE,PR_FALSE,pwdata);
if (list) for (le = list->head; le; le = le->next) {
- rv = listKeys(le->slot,keyType,&pwdata);
+ rv = listKeys(le->slot,keyType,pwdata);
}
} else {
- rv = listKeys(slot,keyType,&pwdata);
+ rv = listKeys(slot,keyType,pwdata);
}
return rv;
}
-#ifdef notdef
static SECStatus
-DeleteKey(SECKEYKeyDBHandle *handle, char *nickname)
+DeleteKey(char *nickname, secuPWData *pwdata)
{
SECStatus rv;
-
- rv = SECU_DeleteKeyByName(handle, nickname);
+ CERTCertificate *cert;
+ PK11SlotInfo *slot;
+
+ slot = PK11_GetInternalKeySlot();
+ if (PK11_NeedLogin(slot))
+ PK11_Authenticate(slot, PR_TRUE, pwdata);
+ cert = PK11_FindCertFromNickname(nickname, pwdata);
+ if (!cert) return SECFailure;
+ rv = PK11_DeleteTokenCertAndKey(cert, pwdata);
if (rv != SECSuccess) {
SECU_PrintError("problem deleting private key \"%s\"\n", nickname);
}
return rv;
}
-#endif
/*
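Review bot: Re-enabling DeleteKey also re-enables the `SECU_PrintError` call with its arguments in the wrong order: every other call in this file is `SECU_PrintError(progName, fmt, ...)`, so here the literal becomes the program name and the user-supplied `nickname` becomes the format string, which is both wrong output and a format-string hazard. The function also leaks the internal-slot reference and the certificate on every path, and ignores the result of `PK11_Authenticate`. The rewrite below releases both references (assuming `PK11_DeleteTokenCertAndKey` does not consume the caller's certificate reference) and fixes the argument order; the `#ifdef notdef` removal in the main hunk is what makes this path live.
```c
    slot = PK11_GetInternalKeySlot();
    if (PK11_NeedLogin(slot))
        PK11_Authenticate(slot, PR_TRUE, pwdata);
    cert = PK11_FindCertFromNickname(nickname, pwdata);
    if (!cert) {
        PK11_FreeSlot(slot);
        return SECFailure;
    }
    rv = PK11_DeleteTokenCertAndKey(cert, pwdata);
    if (rv != SECSuccess) {
        SECU_PrintError(progName, "problem deleting private key \"%s\"\n", nickname);
    }
    CERT_DestroyCertificate(cert);
    PK11_FreeSlot(slot);
    return rv;
```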
@@ -969,6 +977,7 @@ Usage(char *progName)
#define FPS fprintf(stderr,
FPS "Type %s -H for more detailed descriptions\n", progName);
FPS "Usage: %s -N [-d certdir] [-P dbprefix] [-f pwfile]\n", progName);
+ FPS "Usage: %s -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile]\n", progName);
FPS "\t%s -A -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
progName);
FPS "\t%s -C [-c issuer-name | -x] -i cert-request-file -o cert-file\n"
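Review bot: The new `-T` usage line omits the `-0` option that this commit adds to `certutil_options` with an argument (`opt_SSOPass`), so a user has no way to discover how the SSO password is supplied; the same omission is in the LongUsage hunk. Suggested text for this line: `"Usage: %s -T [-d certdir] [-P dbprefix] [-h token-name] [-f pwfile] [-0 SSO-password]\n"`. Since that value is taken from the command line rather than from a file like `-f pwfile`, the help text should say so plainly so operators can choose the file form where the argument list is visible to other users.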
@@ -1000,7 +1009,7 @@ Usage(char *progName)
"\t\t [-p phone] [-1] [-2] [-3] [-4] [-5] [-6]\n",
progName);
FPS "\t%s -U [-d certdir] [-P dbprefix]\n", progName);
- exit(-1);
+ exit(1);
}
static void LongUsage(char *progName)
@@ -1159,6 +1168,15 @@ static void LongUsage(char *progName)
FPS "%-20s Cert & Key database prefix\n",
" -P dbprefix");
FPS "\n");
+ FPS "%-15s Reset the Key database or token\n",
+ "-T");
+ FPS "%-20s Cert database directory (default is ~/.netscape)\n",
+ " -d certdir");
+ FPS "%-20s Cert & Key database prefix\n",
+ " -P dbprefix");
+ FPS "%-20s Token to reset (default is internal)\n"
+ " -h token-name");
+ FPS "\n");
FPS "%-15s Generate a certificate request (stdout)\n",
"-R");
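Review bot: The `-h token-name` entry is missing the comma after its format string: `"%-20s Token to reset (default is internal)\n"` and `" -h token-name"` are adjacent literals, so they concatenate into a single format string with a `%-20s` conversion and no matching argument, which is undefined behaviour at runtime rather than a compile error. Change it to `FPS "%-20s Token to reset (default is internal)\n",` followed by `" -h token-name");`, matching the `-d` and `-P` entries above it. This block also does not describe the new `-0` option; an entry such as `FPS "%-20s SSO password for the token\n", " -0 SSO-password");` would complete it.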
@@ -1249,7 +1267,7 @@ static void LongUsage(char *progName)
" -6 ");
FPS "\n");
- exit(-1);
+ exit(1);
#undef FPS
}
@@ -2036,6 +2054,7 @@ enum {
cmd_NewDBs,
cmd_CertReq,
cmd_CreateAndAddCert,
+ cmd_TokenReset,
cmd_ListModules,
cmd_CheckCertValidity,
cmd_ChangePassword,
@@ -2044,7 +2063,8 @@ enum {
/* Certutil options */
enum {
- opt_AddKeyUsageExt = 0,
+ opt_SSOPass = 0,
+ opt_AddKeyUsageExt,
opt_AddBasicConstraintExt,
opt_AddAuthorityKeyIDExt,
opt_AddCRLDistPtsExt,
@@ -2094,6 +2114,7 @@ static secuCommandFlag certutil_commands[] =
{ /* cmd_NewDBs */ 'N', PR_FALSE, 0, PR_FALSE },
{ /* cmd_CertReq */ 'R', PR_FALSE, 0, PR_FALSE },
{ /* cmd_CreateAndAddCert */ 'S', PR_FALSE, 0, PR_FALSE },
+ { /* cmd_TokenReset */ 'T', PR_FALSE, 0, PR_FALSE },
{ /* cmd_ListModules */ 'U', PR_FALSE, 0, PR_FALSE },
{ /* cmd_CheckCertValidity */ 'V', PR_FALSE, 0, PR_FALSE },
{ /* cmd_ChangePassword */ 'W', PR_FALSE, 0, PR_FALSE },
@@ -2102,6 +2123,7 @@ static secuCommandFlag certutil_commands[] =
static secuCommandFlag certutil_options[] =
{
+ { /* opt_SSOPass */ '0', PR_TRUE, 0, PR_FALSE },
{ /* opt_AddKeyUsageExt */ '1', PR_FALSE, 0, PR_FALSE },
{ /* opt_AddBasicConstraintExt*/ '2', PR_FALSE, 0, PR_FALSE },
{ /* opt_AddAuthorityKeyIDExt*/ '3', PR_FALSE, 0, PR_FALSE },
@@ -2199,7 +2221,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -g: Keysize must be between %d and %d.\n",
MIN_KEY_BITS, MAX_KEY_BITS);
- return -1;
+ return 255;
}
}
@@ -2222,7 +2244,7 @@ main(int argc, char **argv)
} else {
PR_fprintf(PR_STDERR, "%s -k: %s is not a recognized type.\n",
progName, certutil.options[opt_KeyType].arg);
- return -1;
+ return 255;
}
}
@@ -2232,7 +2254,7 @@ main(int argc, char **argv)
if (serialNumber < 0) {
PR_fprintf(PR_STDERR, "%s -m: %s is not a valid serial number.\n",
progName, certutil.options[opt_SerialNumber].arg);
- return -1;
+ return 255;
}
}
@@ -2245,7 +2267,7 @@ main(int argc, char **argv)
if (keytype != dsaKey) {
PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
progName);
- return -1;
+ return 255;
}
}
@@ -2255,7 +2277,7 @@ main(int argc, char **argv)
if (!subject) {
PR_fprintf(PR_STDERR, "%s -s: improperly formatted name: \"%s\"\n",
progName, certutil.options[opt_Subject].arg);
- return -1;
+ return 255;
}
}
@@ -2265,7 +2287,7 @@ main(int argc, char **argv)
if (validitylength < 0) {
PR_fprintf(PR_STDERR, "%s -v: incorrect validity period: \"%s\"\n",
progName, certutil.options[opt_Validity].arg);
- return -1;
+ return 255;
}
}
@@ -2282,7 +2304,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, "%s -y: incorrect public exponent %d.",
progName, publicExponent);
PR_fprintf(PR_STDERR, "Must be 3, 17, or 65537.\n");
- return -1;
+ return 255;
}
}
@@ -2304,7 +2326,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR, " -%c", certutil.commands[i].flag);
}
PR_fprintf(PR_STDERR, "\n");
- return -1;
+ return 255;
}
if (commandsEntered == 0) {
PR_fprintf(PR_STDERR, "%s: you must enter a command!\n", progName);
@@ -2322,7 +2344,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -%c: nickname is required for this command (-n).\n",
progName, commandToRun);
- return -1;
+ return 255;
}
/* -A, -E, -M, -S require trust */
@@ -2334,7 +2356,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -%c: trust is required for this command (-t).\n",
progName, commandToRun);
- return -1;
+ return 255;
}
/* if -L is given raw or ascii mode, it must be for only one cert. */
@@ -2345,7 +2367,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s: nickname is required to dump cert in raw or ascii mode.\n",
progName);
- return -1;
+ return 255;
}
/* -L can only be in (raw || ascii). */
@@ -2355,7 +2377,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s: cannot specify both -r and -a when dumping cert.\n",
progName);
- return -1;
+ return 255;
}
/* For now, deny -C -x combination */
@@ -2364,7 +2386,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s: self-signing a cert request is not supported.\n",
progName);
- return -1;
+ return 255;
}
/* If making a cert request, need a subject. */
@@ -2374,7 +2396,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -%c: subject is required to create a cert request.\n",
progName, commandToRun);
- return -1;
+ return 255;
}
/* If making a cert, need a serial number. */
@@ -2392,7 +2414,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -V: specify a usage to validate the cert for (-u).\n",
progName);
- return -1;
+ return 255;
}
/* To make a cert, need either a issuer or to self-sign it. */
@@ -2402,7 +2424,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -S: must specify issuer (-c) or self-sign (-x).\n",
progName);
- return -1;
+ return 255;
}
/* Using slotname == NULL for listing keys and certs on all slots,
@@ -2412,7 +2434,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -%c: cannot use \"-h all\" for this command.\n",
progName, commandToRun);
- return -1;
+ return 255;
}
/* Using keytype == nullKey for list all key types, but only that. */
@@ -2420,7 +2442,7 @@ main(int argc, char **argv)
PR_fprintf(PR_STDERR,
"%s -%c: cannot use \"-k all\" for this command.\n",
progName, commandToRun);
- return -1;
+ return 255;
}
/* -S open outFile, temporary file for cert request. */
@@ -2431,7 +2453,7 @@ main(int argc, char **argv)
"%s -o: unable to open \"%s\" for writing (%ld, %ld)\n",
progName, certreqfile,
PR_GetError(), PR_GetOSError());
- return -1;
+ return 255;
}
}
@@ -2443,7 +2465,7 @@ main(int argc, char **argv)
"%s: unable to open \"%s\" for reading (%ld, %ld).\n",
progName, certutil.options[opt_InputFile].arg,
PR_GetError(), PR_GetOSError());
- return -1;
+ return 255;
}
}
@@ -2456,7 +2478,7 @@ main(int argc, char **argv)
"%s: unable to open \"%s\" for writing (%ld, %ld).\n",
progName, certutil.options[opt_OutputFile].arg,
PR_GetError(), PR_GetOSError());
- return -1;
+ return 255;
}
}
@@ -2470,7 +2492,7 @@ main(int argc, char **argv)
"secmod.db", 0);
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
- return -1;
+ return 255;
}
certHandle = CERT_GetDefaultCertDB();
@@ -2496,53 +2518,68 @@ main(int argc, char **argv)
rv = ListCerts(certHandle, name, slot,
certutil.options[opt_BinaryDER].activated,
certutil.options[opt_ASCIIForIO].activated,
- (outFile) ? outFile : PR_STDOUT,
- certutil.options[opt_PasswordFile].arg);
- return !rv - 1;
+ (outFile) ? outFile : PR_STDOUT, &pwdata);
+ return rv ? 255 : 0;
}
/* XXX needs work */
/* List keys (-K) */
if (certutil.commands[cmd_ListKeys].activated) {
rv = ListKeys(slot, name, 0 /*keyindex*/, keytype, PR_FALSE /*dopriv*/,
- certutil.options[opt_PasswordFile].arg);
- return !rv - 1;
+ &pwdata);
+ return rv ? 255 : 0;
}
/* List modules (-U) */
if (certutil.commands[cmd_ListModules].activated) {
rv = ListModules();
- return !rv - 1;
+ return rv ? 255 : 0;
}
/* Delete cert (-D) */
if (certutil.commands[cmd_DeleteCert].activated) {
rv = DeleteCert(certHandle, name);
- return !rv - 1;
+ return rv ? 255 : 0;
}
-#ifdef notdef
/* Delete key (-F) */
if (certutil.commands[cmd_DeleteKey].activated) {
- rv = DeleteKey(keyHandle, name);
- return !rv - 1;
+ rv = DeleteKey(name, &pwdata);
+ return rv ? 255 : 0;
}
-#endif
/* Modify trust attribute for cert (-M) */
if (certutil.commands[cmd_ModifyCertTrust].activated) {
rv = ChangeTrustAttributes(certHandle, name,
certutil.options[opt_Trust].arg);
- return !rv - 1;
+ return rv ? 255 : 0;
}
/* Change key db password (-W) (future - change pw to slot?) */
if (certutil.commands[cmd_ChangePassword].activated) {
rv = SECU_ChangePW(slot, 0, certutil.options[opt_PasswordFile].arg);
- return !rv - 1;
+ return rv ? 255 : 0;
+ }
+ /* Reset the a token */
+ if (certutil.commands[cmd_TokenReset].activated) {
+ char *sso_pass = "";
+
+ if (certutil.options[opt_SSOPass].activated) {
+ sso_pass = certutil.options[opt_SSOPass].arg;
+ }
+ rv = PK11_ResetToken(slot,sso_pass);
+
+ return !rv - 1;
}
+
/* Check cert validity against current time (-V) */
if (certutil.commands[cmd_CheckCertValidity].activated) {
+ /* XXX temporary hack for fips - must log in to get priv key */
+ if (certutil.options[opt_VerifySig].activated) {
+ if (PK11_NeedLogin(slot))
+ PK11_Authenticate(slot, PR_TRUE, &pwdata);
+ }
rv = ValidateCert(certHandle, name,
certutil.options[opt_ValidityTime].arg,
certutil.options[opt_Usage].arg,
certutil.options[opt_VerifySig].activated,
- certutil.options[opt_DetailedInfo].activated);
- return !rv - 1;
+ certutil.options[opt_DetailedInfo].activated,
+ &pwdata);
+ return rv ? 255 : 0;
}
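Review bot: The new `-T` block ends with `return !rv - 1;`, the form this commit replaces everywhere else in main with `return rv ? 255 : 0;`; keeping the old form here yields an exit status of -1 on failure and makes the token-reset path the one inconsistent case. The same block's comment reads "Reset the a token" and should be "Reset a token". The SSO password defaults to the empty string when `-0` is not given, which is a deliberate choice worth a comment such as `/* an absent -0 means an empty SSO PIN, which is what a freshly initialized token expects */`, and the value comes straight from argv rather than through `pwdata`, which is why the usage text should steer users toward a file when the password is sensitive. In the `-V` block the result of `PK11_Authenticate` is ignored, so a failed login is only reported indirectly by `ValidateCert`.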
/*
@@ -2560,11 +2597,12 @@ main(int argc, char **argv)
certutil.options[opt_NoiseFile].arg,
&pubkey,
certutil.options[opt_PQGFile].arg,
- certutil.options[opt_PasswordFile].arg);
+ &pwdata);
if (privkey == NULL) {
SECU_PrintError(progName, "unable to generate key(s)\n");
- return -1;
+ return 255;
}
+ privkey->wincx = &pwdata;
PORT_Assert(pubkey != NULL);
/* If all that was needed was keygen, exit. */
@@ -2585,7 +2623,8 @@ main(int argc, char **argv)
certutil.options[opt_ASCIIForIO].activated,
outFile ? outFile : PR_STDOUT);
if (rv)
- return -1;
+ return 255;
+ privkey->wincx = &pwdata;
}
/*
@@ -2601,13 +2640,13 @@ main(int argc, char **argv)
if (!inFile) {
PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
certreqfile, PR_GetError(), PR_GetOSError());
- return -1;
+ return 255;
}
outFile = PR_Open(certfile, PR_RDWR | PR_CREATE_FILE, 00660);
if (!outFile) {
PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
certfile, PR_GetError(), PR_GetOSError());
- return -1;
+ return 255;
}
}
@@ -2627,7 +2666,7 @@ main(int argc, char **argv)
certutil.options[opt_AddCRLDistPtsExt].activated,
certutil.options[opt_AddNSCertTypeExt].activated);
if (rv)
- return -1;
+ return 255;
}
/*
@@ -2641,7 +2680,7 @@ main(int argc, char **argv)
if (!inFile) {
PR_fprintf(PR_STDERR, "Failed to open file \"%s\" (%ld, %ld).\n",
certfile, PR_GetError(), PR_GetOSError());
- return -1;
+ return 255;
}
}
@@ -2654,7 +2693,7 @@ main(int argc, char **argv)
certutil.options[opt_ASCIIForIO].activated,
certutil.commands[cmd_AddEmailCert].activated);
if (rv)
- return -1;
+ return 255;
}
if (certutil.commands[cmd_CreateAndAddCert].activated) {