From 24ff51d1d9563a9adb17067c87c30385b5a3321d Mon Sep 17 00:00:00 2001 From: "relyea%netscape.com" Date: Fri, 5 Apr 2002 00:12:21 +0000 Subject: [PATCH] Link certutil dynamically. --- security/nss/cmd/certutil/certutil.c | 232 ++++++++++---------------- security/nss/cmd/certutil/keystuff.c | 62 +++++-- security/nss/cmd/certutil/manifest.mn | 2 +- 3 files changed, 134 insertions(+), 162 deletions(-) diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index 772c7d2151d1..3c6e98b1636e 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -233,13 +233,13 @@ GetCertRequest(PRFileDesc *inFile, PRBool ascii) data */ PORT_Memset(&signedData, 0, sizeof(signedData)); - rv = SEC_ASN1DecodeItem(arena, &signedData, CERT_SignedDataTemplate, - &reqDER); + rv = SEC_ASN1DecodeItem(arena, &signedData, + SEC_ASN1_GET(CERT_SignedDataTemplate), &reqDER); if (rv) break; - rv = SEC_ASN1DecodeItem(arena, certReq, CERT_CertificateRequestTemplate, - &signedData.data); + rv = SEC_ASN1DecodeItem(arena, certReq, + SEC_ASN1_GET(CERT_CertificateRequestTemplate), &signedData.data); } while (0); if (rv) { @@ -409,7 +409,7 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, /* Der encode the request */ encoding = SEC_ASN1EncodeItem(arena, NULL, cr, - CERT_CertificateRequestTemplate); + SEC_ASN1_GET(CERT_CertificateRequestTemplate)); if (encoding == NULL) { SECU_PrintError(progName, "der encoding of request failed"); return SECFailure; @@ -599,84 +599,49 @@ listCerts(CERTCertDBHandle *handle, char *name, PK11SlotInfo *slot, PRInt32 numBytes; SECStatus rv; -#ifdef nodef - /* For now, split handling of slot to internal vs. other. slot should - * probably be allowed to be NULL so that all slots can be listed. - * In that case, need to add a call to PK11_TraverseSlotCerts(). - */ - if (PK11_IsInternal(slot)) { - if (name == NULL) { - /* Print all certs in internal slot db. */ - rv = SECU_PrintCertificateNames(handle, PR_STDOUT, - PR_FALSE, PR_TRUE); - if (rv) { - SECU_PrintError(progName, - "problem printing certificate nicknames"); - return SECFailure; - } - } else if (raw || ascii) { - /* Dump binary or ascii DER for the cert to stdout. */ - cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); - if (!cert) { - SECU_PrintError(progName, - "could not find certificate named \"%s\"", name); - return SECFailure; - } - data.data = cert->derCert.data; - data.len = cert->derCert.len; - if (ascii) { - PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, - BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER); - } else if (raw) { - numBytes = PR_Write(outfile, data.data, data.len); - if (numBytes != data.len) { - SECU_PrintSystemError(progName, "error writing raw cert"); - return SECFailure; - } - } - } else { - /* Pretty-print cert. */ - rv = CERT_TraversePermCertsForNickname(handle, name, printCertCB, - NULL); - } - } else { -#endif - /* List certs on a non-internal slot. */ - if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) + /* List certs on a non-internal slot. */ + if (!PK11_IsFriendly(slot) && PK11_NeedLogin(slot)) PK11_Authenticate(slot, PR_TRUE, pwarg); - if (name) { - CERTCertificate *the_cert; - the_cert = PK11_FindCertFromNickname(name, NULL); - if (!the_cert) { - SECU_PrintError(progName, "Could not find: %s\n", name); - return SECFailure; - } - data.data = the_cert->derCert.data; - data.len = the_cert->derCert.len; - if (ascii) { - PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, - BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER); - rv = SECSuccess; - } else if (raw) { - numBytes = PR_Write(outfile, data.data, data.len); - if (numBytes != data.len) { - SECU_PrintSystemError(progName, "error writing raw cert"); - rv = SECFailure; - } - rv = SECSuccess; - } else { - rv = printCertCB(the_cert, the_cert->trust); - } - } else { - rv = PK11_TraverseCertsInSlot(slot, SECU_PrintCertNickname, stdout); - } - if (rv) { - SECU_PrintError(progName, "problem printing certificate nicknames"); + if (name) { + CERTCertificate *the_cert; + the_cert = PK11_FindCertFromNickname(name, NULL); + if (!the_cert) { + SECU_PrintError(progName, "Could not find: %s\n", name); return SECFailure; } -#ifdef notdef + data.data = the_cert->derCert.data; + data.len = the_cert->derCert.len; + if (ascii) { + PR_fprintf(outfile, "%s\n%s\n%s\n", NS_CERT_HEADER, + BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER); + rv = SECSuccess; + } else if (raw) { + numBytes = PR_Write(outfile, data.data, data.len); + if (numBytes != data.len) { + SECU_PrintSystemError(progName, "error writing raw cert"); + rv = SECFailure; + } + rv = SECSuccess; + } else { + rv = printCertCB(the_cert, the_cert->trust); + } + } else { + CERTCertList *certs; + CERTCertListNode *node; + + certs = PK11_ListCertsInSlot(slot); + if (certs) { + for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs); + node = CERT_LIST_NEXT(node)) { + SECU_PrintCertNickname(node->cert,stdout); + } + CERT_DestroyCertList(certs); + } + } + if (rv) { + SECU_PrintError(progName, "problem printing certificate nicknames"); + return SECFailure; } -#endif return SECSuccess; /* not rv ?? */ } @@ -936,31 +901,19 @@ printKeyCB(SECKEYPublicKey *key, SECItem *data, void *arg) return SECSuccess; } -struct secuCBData { - FILE *file; - int keycount; - void *wincx; -}; - /* callback for listing certs through pkcs11 */ static SECStatus -secu_PrintKeyFromCert(CERTCertificate *cert, void *data) +secu_PrintKey(FILE *out, int count, SECKEYPrivateKey *key) { - FILE *out; - struct secuCBData *cbdata; - SECKEYPrivateKey *key; + char *name; - cbdata = (struct secuCBData *)data; - out = cbdata->file; - key = PK11_FindPrivateKeyFromCert(cert->slot, cert, cbdata->wincx); - if (!key) { - fprintf(out, "XXX could not extract key for %s.\n", cert->nickname); - return SECFailure; + name = PK11_GetPrivateKeyNickname(key); + if (name == NULL) { + /* should look up associated cert */ + name = PORT_Strdup("< orphaned >"); } - /* XXX should have a type field also */ - fprintf(out, "<%d> %s\n", 0, cert->nickname); - - cbdata->keycount++; + fprintf(out, "<%d> %s\n", count, name); + PORT_Free(name); return SECSuccess; } @@ -968,43 +921,24 @@ secu_PrintKeyFromCert(CERTCertificate *cert, void *data) static SECStatus listKeys(PK11SlotInfo *slot, KeyType keyType, void *pwarg) { - SECStatus rv = SECSuccess; - struct secuCBData cbdata; + SECKEYPrivateKeyList *list; + SECKEYPrivateKeyListNode *node; + int count; - cbdata.keycount = 0; - cbdata.file = stdout; - cbdata.wincx = pwarg; - -#ifdef notdef - if (PK11_IsInternal(slot)) { - /* Print all certs in internal slot db. */ - rv = SECU_PrintKeyNames(SECKEY_GetDefaultKeyDB(), stdout); - if (rv) { - SECU_PrintError(progName, "problem listing keys"); - return SECFailure; - } - } else { -#endif - /* XXX need a function as below */ - /* could iterate over certs on slot and print keys */ - /* this would miss stranded keys */ - /*rv = PK11_TraverseSlotKeys(slotname, keyType, printKeyCB, NULL, NULL);*/ - if (PK11_NeedLogin(slot)) + if (PK11_NeedLogin(slot)) PK11_Authenticate(slot, PR_TRUE, pwarg); - rv = PK11_TraverseCertsInSlot(slot, secu_PrintKeyFromCert, &cbdata); - if (rv) { + + list = PK11_ListPrivateKeysInSlot(slot); + if (list == NULL) { SECU_PrintError(progName, "problem listing keys"); return SECFailure; - } - if (cbdata.keycount == 0) { - SECU_PrintError(progName, "no keys found"); - return SECFailure; - } - return SECSuccess; -#ifdef notdef } - return rv; -#endif + for (count=0, node=PRIVKEY_LIST_HEAD(list) ; !PRIVKEY_LIST_END(node,list); + node= PRIVKEY_LIST_NEXT(node),count++) { + secu_PrintKey(stdout, count, node->key); + } + SECKEY_DestroyPrivateKeyList(list); + return SECSuccess; } static SECStatus @@ -1013,19 +947,6 @@ ListKeys(PK11SlotInfo *slot, char *keyname, int index, { SECStatus rv = SECSuccess; -#ifdef notdef - if (keyname) { - if (dopriv) { - return DumpPrivateKey(index, keyname, stdout); - } else { - return DumpPublicKey(index, keyname, stdout); - } - } -#endif - /* For now, split handling of slot to internal vs. other. slot should - * probably be allowed to be NULL so that all slots can be listed. - * In that case, need to add a call to PK11_TraverseSlotCerts(). - */ if (slot == NULL) { PK11SlotList *list; PK11SlotListElement *le; @@ -1565,6 +1486,14 @@ CreateOidSequence(void) return (CERTOidSequence *)NULL; } +static void +DestroyOidSequence(CERTOidSequence *os) +{ + if (os->arena) { + PORT_FreeArena(os->arena, PR_FALSE); + } +} + static SECStatus AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag) { @@ -1604,11 +1533,19 @@ AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag) return SECSuccess; } +SEC_ASN1_MKSUB(SEC_ObjectIDTemplate); + +const SEC_ASN1Template CERT_OidSeqTemplate[] = { + { SEC_ASN1_SEQUENCE_OF | SEC_ASN1_XTRN, + offsetof(CERTOidSequence, oids), + SEC_ASN1_SUB(SEC_ObjectIDTemplate) } +}; + + static SECItem * EncodeOidSequence(CERTOidSequence *os) { SECItem *rv; - extern const SEC_ASN1Template CERT_OidSeqTemplate[]; rv = (SECItem *)PORT_ArenaZAlloc(os->arena, sizeof(SECItem)); if( (SECItem *)NULL == rv ) { @@ -1697,7 +1634,7 @@ AddExtKeyUsage (void *extHandle) ? PR_TRUE : PR_FALSE), PR_TRUE); /*FALLTHROUGH*/ loser: - CERT_DestroyOidSequence(os); + DestroyOidSequence(os); return rv; } @@ -1864,7 +1801,8 @@ SECKEYPrivateKey *selfsignprivkey, char *issuerNickName, void *pwarg) der.len = 0; der.data = NULL; - dummy = SEC_ASN1EncodeItem (arena, &der, cert, CERT_CertificateTemplate); + dummy = SEC_ASN1EncodeItem (arena, &der, cert, + SEC_ASN1_GET(CERT_CertificateTemplate)); if (!dummy) { fprintf (stderr, "Could not encode certificate.\n"); goto done; diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c index 2926f8f1b9a8..317443a27b7f 100644 --- a/security/nss/cmd/certutil/keystuff.c +++ b/security/nss/cmd/certutil/keystuff.c @@ -68,6 +68,14 @@ extern char *sys_errlist[]; #define ERROR_BREAK rv = SECFailure;break; +const SEC_ASN1Template SECKEY_PQGParamsTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYPQGParams) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,prime) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,subPrime) }, + { SEC_ASN1_INTEGER, offsetof(SECKEYPQGParams,base) }, + { 0, } +}; + /* returns 0 for success, -1 for failure (EOF encountered) */ static int UpdateRNG(void) @@ -126,8 +134,7 @@ UpdateRNG(void) rv = -1; break; } - RNG_GetNoise(&randbuf[1], sizeof(randbuf)-1); - RNG_RandomUpdate(randbuf, sizeof(randbuf)); + PK11_RandomUpdate(randbuf, sizeof(randbuf)); if (c != randbuf[0]) { randbuf[0] = c; FPS "\r|"); @@ -189,27 +196,27 @@ static unsigned char G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x8c, 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02 }; -static PQGParams default_pqg_params = { +static SECKEYPQGParams default_pqg_params = { NULL, { 0, P, sizeof(P) }, { 0, Q, sizeof(Q) }, { 0, G, sizeof(G) } }; -static PQGParams * +static SECKEYPQGParams * decode_pqg_params(char *str) { char *buf; unsigned int len; PRArenaPool *arena; - PQGParams *params; + SECKEYPQGParams *params; SECStatus status; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (arena == NULL) return NULL; - params = PORT_ArenaZAlloc(arena, sizeof(PQGParams)); + params = PORT_ArenaZAlloc(arena, sizeof(SECKEYPQGParams)); if (params == NULL) goto loser; params->arena = arena; @@ -229,11 +236,19 @@ loser: PORT_FreeArena(arena, PR_FALSE); return NULL; } - + +void +CERTUTIL_DestroyParamsPQG(SECKEYPQGParams *params) +{ + if (params->arena) { + PORT_FreeArena(params->arena, PR_FALSE); + } +} + static int pqg_prime_bits(char *str) { - PQGParams *params = NULL; + SECKEYPQGParams *params = NULL; int primeBits = 0, i; params = decode_pqg_params(str); @@ -246,7 +261,7 @@ pqg_prime_bits(char *str) done: if (params != NULL) - PQG_DestroyParams(params); + CERTUTIL_DestroyParamsPQG(params); return primeBits; } @@ -270,7 +285,7 @@ SECU_GetpqgString(char *filename) return NULL; } -PQGParams* +SECKEYPQGParams* getpqgfromfile(int keyBits, char *pqgFile) { char *end, *str, *pqgString; @@ -302,6 +317,26 @@ found_match: return decode_pqg_params(str); } +void CERTUTIL_FileForRNG(char *noise) +{ + char buf[2048]; + PRFileDesc *fd; + PRInt32 count; + + fd = PR_OpenFile(noise,PR_RDONLY,0666); + if (!fd) return; + + do { + count = PR_Read(fd,buf,sizeof(buf)); + if (count > 0) { + PK11_RandomUpdate(buf,count); + } + } while (count > 0); + + PR_Close(fd); + +} + SECKEYPrivateKey * CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, int publicExponent, char *noise, @@ -311,17 +346,16 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, CK_MECHANISM_TYPE mechanism; SECOidTag algtag; PK11RSAGenParams rsaparams; - PQGParams *dsaparams = NULL; + SECKEYPQGParams *dsaparams = NULL; void *params; PRArenaPool *dsaparena; /* * Do some random-number initialization. */ - RNG_SystemInfoForRNG(); if (noise) { - RNG_FileForRNG(noise); + CERTUTIL_FileForRNG(noise); } else { int rv = UpdateRNG(); if (rv) { @@ -346,7 +380,7 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, } else { dsaparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (dsaparena == NULL) return NULL; - dsaparams = PORT_ArenaZAlloc(dsaparena, sizeof(PQGParams)); + dsaparams = PORT_ArenaZAlloc(dsaparena, sizeof(SECKEYPQGParams)); if (dsaparams == NULL) return NULL; dsaparams->arena = dsaparena; SECITEM_AllocItem(dsaparena, &dsaparams->prime, sizeof P); diff --git a/security/nss/cmd/certutil/manifest.mn b/security/nss/cmd/certutil/manifest.mn index d387540b9cdd..8d93b011617e 100644 --- a/security/nss/cmd/certutil/manifest.mn +++ b/security/nss/cmd/certutil/manifest.mn @@ -49,4 +49,4 @@ REQUIRES = dbm seccmd PROGRAM = certutil -USE_STATIC_LIBS = 1 +#USE_STATIC_LIBS = 1