summaryrefslogtreecommitdiffstats
path: root/security/nss/cmd
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-07-18 08:24:24 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-07-18 08:24:24 +0200
commitfc61780b35af913801d72086456f493f63197da6 (patch)
treef85891288a7bd988da9f0f15ae64e5c63f00d493 /security/nss/cmd
parent69f7f9e5f1475891ce11cc4f431692f965b0cd30 (diff)
parent50d3e596bbe89c95615f96eb71f6bc5be737a1db (diff)
downloadUXP-fc61780b35af913801d72086456f493f63197da6.tar
UXP-fc61780b35af913801d72086456f493f63197da6.tar.gz
UXP-fc61780b35af913801d72086456f493f63197da6.tar.lz
UXP-fc61780b35af913801d72086456f493f63197da6.tar.xz
UXP-fc61780b35af913801d72086456f493f63197da6.zip
Merge commit '50d3e596bbe89c95615f96eb71f6bc5be737a1db' into Basilisk-releasev2018.07.18
# Conflicts: # browser/app/profile/firefox.js # browser/components/preferences/jar.mn
Diffstat (limited to 'security/nss/cmd')
-rw-r--r--security/nss/cmd/bltest/blapitest.c72
-rw-r--r--security/nss/cmd/certcgi/HOWTO.txt137
-rw-r--r--security/nss/cmd/certcgi/Makefile48
-rw-r--r--security/nss/cmd/certcgi/ca.html19
-rw-r--r--security/nss/cmd/certcgi/ca_form.html357
-rw-r--r--security/nss/cmd/certcgi/certcgi.c2246
-rw-r--r--security/nss/cmd/certcgi/index.html789
-rw-r--r--security/nss/cmd/certcgi/main.html76
-rw-r--r--security/nss/cmd/certcgi/manifest.mn22
-rw-r--r--security/nss/cmd/certcgi/nscp_ext_form.html84
-rw-r--r--security/nss/cmd/certcgi/stnd_ext_form.html219
-rw-r--r--security/nss/cmd/certutil/certutil.c336
-rw-r--r--security/nss/cmd/certutil/keystuff.c13
-rw-r--r--security/nss/cmd/crlutil/crlgen.c3
-rw-r--r--security/nss/cmd/fipstest/fipstest.c9
-rw-r--r--security/nss/cmd/fipstest/runtest.sh3
-rw-r--r--security/nss/cmd/lib/secutil.c127
-rw-r--r--security/nss/cmd/libpkix/pkix/util/test_list2.c6
-rw-r--r--security/nss/cmd/listsuites/listsuites.c48
-rw-r--r--security/nss/cmd/manifest.mn2
-rw-r--r--security/nss/cmd/modutil/error.h6
-rw-r--r--security/nss/cmd/modutil/install-ds.c3
-rw-r--r--security/nss/cmd/modutil/modutil.c2
-rw-r--r--security/nss/cmd/modutil/modutil.h1
-rw-r--r--security/nss/cmd/modutil/pk11.c35
-rw-r--r--security/nss/cmd/multinit/multinit.c3
-rw-r--r--security/nss/cmd/pk11mode/pk11mode.c58
-rw-r--r--security/nss/cmd/pk12util/pk12util.c107
-rw-r--r--security/nss/cmd/pp/pp.c4
-rw-r--r--security/nss/cmd/rsaperf/rsaperf.c3
-rw-r--r--security/nss/cmd/rsapoptst/rsapoptst.c185
-rw-r--r--security/nss/cmd/rsapoptst/rsapoptst.gyp (renamed from security/nss/cmd/certcgi/certcgi.gyp)14
-rw-r--r--security/nss/cmd/selfserv/selfserv.c26
-rw-r--r--security/nss/cmd/signtool/javascript.c3
-rw-r--r--security/nss/cmd/signtool/sign.c58
-rw-r--r--security/nss/cmd/signtool/signtool.c4
-rw-r--r--security/nss/cmd/smimetools/cmsutil.c5
-rw-r--r--security/nss/cmd/ssltap/ssltap.c12
-rw-r--r--security/nss/cmd/strsclnt/strsclnt.c6
-rw-r--r--security/nss/cmd/tstclnt/tstclnt.c301
40 files changed, 957 insertions, 4495 deletions
diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c
index a3a162da1..ca3d6f314 100644
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -20,16 +20,14 @@
#include "secport.h"
#include "secoid.h"
#include "nssutil.h"
+#include "ecl-curve.h"
#include "pkcs1_vectors.h"
-#ifndef NSS_DISABLE_ECC
-#include "ecl-curve.h"
SECStatus EC_DecodeParams(const SECItem *encodedParams,
ECParams **ecparams);
SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
const ECParams *srcParams);
-#endif
char *progName;
char *testdir = NULL;
@@ -135,18 +133,14 @@ Usage()
PRINTUSAGE(progName, "-S -m mode", "Sign a buffer");
PRINTUSAGE("", "", "[-i plaintext] [-o signature] [-k key]");
PRINTUSAGE("", "", "[-b bufsize]");
-#ifndef NSS_DISABLE_ECC
PRINTUSAGE("", "", "[-n curvename]");
-#endif
PRINTUSAGE("", "", "[-p repetitions | -5 time_interval] [-4 th_num]");
PRINTUSAGE("", "-m", "cipher mode to use");
PRINTUSAGE("", "-i", "file which contains input buffer");
PRINTUSAGE("", "-o", "file for signature");
PRINTUSAGE("", "-k", "file which contains key");
-#ifndef NSS_DISABLE_ECC
PRINTUSAGE("", "-n", "name of curve for EC key generation; one of:");
PRINTUSAGE("", "", " nistp256, nistp384, nistp521");
-#endif
PRINTUSAGE("", "-p", "do performance test");
PRINTUSAGE("", "-4", "run test in multithread mode. th_num number of parallel threads");
PRINTUSAGE("", "-5", "run test for specified time interval(in seconds)");
@@ -369,7 +363,6 @@ dsakey_from_filedata(PLArenaPool *arena, SECItem *filedata)
return key;
}
-#ifndef NSS_DISABLE_ECC
static ECPrivateKey *
eckey_from_filedata(PLArenaPool *arena, SECItem *filedata)
{
@@ -519,7 +512,6 @@ getECParams(const char *curve)
return ecparams;
}
-#endif /* NSS_DISABLE_ECC */
static void
dump_pqg(PQGParams *pqg)
@@ -537,7 +529,6 @@ dump_dsakey(DSAPrivateKey *key)
SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
}
-#ifndef NSS_DISABLE_ECC
static void
dump_ecp(ECParams *ecp)
{
@@ -552,7 +543,6 @@ dump_eckey(ECPrivateKey *key)
SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
}
-#endif
static void
dump_rsakey(RSAPrivateKey *key)
@@ -638,17 +628,15 @@ typedef enum {
bltestRSA, /* Public Key Ciphers */
bltestRSA_OAEP, /* . (Public Key Enc.) */
bltestRSA_PSS, /* . (Public Key Sig.) */
-#ifndef NSS_DISABLE_ECC
- bltestECDSA, /* . (Public Key Sig.) */
-#endif
- bltestDSA, /* . (Public Key Sig.) */
- bltestMD2, /* Hash algorithms */
- bltestMD5, /* . */
- bltestSHA1, /* . */
- bltestSHA224, /* . */
- bltestSHA256, /* . */
- bltestSHA384, /* . */
- bltestSHA512, /* . */
+ bltestECDSA, /* . (Public Key Sig.) */
+ bltestDSA, /* . (Public Key Sig.) */
+ bltestMD2, /* Hash algorithms */
+ bltestMD5, /* . */
+ bltestSHA1, /* . */
+ bltestSHA224, /* . */
+ bltestSHA256, /* . */
+ bltestSHA384, /* . */
+ bltestSHA512, /* . */
NUMMODES
} bltestCipherMode;
@@ -678,9 +666,7 @@ static char *mode_strings[] =
"rsa",
"rsa_oaep",
"rsa_pss",
-#ifndef NSS_DISABLE_ECC
"ecdsa",
-#endif
/*"pqg",*/
"dsa",
"md2",
@@ -732,13 +718,11 @@ typedef struct
PQGParams *pqg;
} bltestDSAParams;
-#ifndef NSS_DISABLE_ECC
typedef struct
{
char *curveName;
bltestIO sigseed;
} bltestECDSAParams;
-#endif
typedef struct
{
@@ -751,9 +735,7 @@ typedef struct
union {
bltestRSAParams rsa;
bltestDSAParams dsa;
-#ifndef NSS_DISABLE_ECC
bltestECDSAParams ecdsa;
-#endif
} cipherParams;
} bltestAsymKeyParams;
@@ -1310,7 +1292,6 @@ dsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
return DSA_VerifyDigest((DSAPublicKey *)params->pubKey, output, input);
}
-#ifndef NSS_DISABLE_ECC
SECStatus
ecdsa_signDigest(void *cx, SECItem *output, const SECItem *input)
{
@@ -1331,7 +1312,6 @@ ecdsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
return ECDSA_VerifyDigest((ECPublicKey *)params->pubKey, output, input);
}
-#endif
SECStatus
bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
@@ -1811,7 +1791,6 @@ bltest_dsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
return SECSuccess;
}
-#ifndef NSS_DISABLE_ECC
SECStatus
bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
{
@@ -1877,7 +1856,6 @@ bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
}
return SECSuccess;
}
-#endif
/* XXX unfortunately, this is not defined in blapi.h */
SECStatus
@@ -2169,11 +2147,7 @@ finish:
SECStatus
pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
-#ifndef NSS_DISABLE_ECC
int keysize, int exponent, char *curveName)
-#else
- int keysize, int exponent)
-#endif
{
int i;
SECStatus rv = SECSuccess;
@@ -2182,12 +2156,10 @@ pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
RSAPrivateKey **rsaKey = NULL;
bltestDSAParams *dsap;
DSAPrivateKey **dsaKey = NULL;
-#ifndef NSS_DISABLE_ECC
SECItem *tmpECParamsDER;
ECParams *tmpECParams = NULL;
SECItem ecSerialize[3];
ECPrivateKey **ecKey = NULL;
-#endif
switch (cipherInfo->mode) {
case bltestRSA:
case bltestRSA_PSS:
@@ -2224,7 +2196,6 @@ pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
dsap->keysize = (*dsaKey)->params.prime.len * 8;
}
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
ecKey = (ECPrivateKey **)&asymk->privKey;
if (curveName != NULL) {
@@ -2254,7 +2225,6 @@ pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
*ecKey = eckey_from_filedata(cipherInfo->arena, &asymk->key.buf);
}
break;
-#endif
default:
return SECFailure;
}
@@ -2341,7 +2311,6 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
}
return bltest_dsa_init(cipherInfo, encrypt);
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
if (encrypt) {
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
@@ -2349,7 +2318,6 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
}
return bltest_ecdsa_init(cipherInfo, encrypt);
break;
-#endif
case bltestMD2:
restart = cipherInfo->params.hash.restart;
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
@@ -2644,9 +2612,7 @@ cipherFinish(bltestCipherInfo *cipherInfo)
case bltestRSA_PSS: /* will be freed with it. */
case bltestRSA_OAEP:
case bltestDSA:
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
-#endif
case bltestMD2: /* hash contexts are ephemeral */
case bltestMD5:
case bltestSHA1:
@@ -2822,7 +2788,6 @@ print_td:
fprintf(stdout, "%8d", info->params.asymk.cipherParams.dsa.keysize);
}
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
if (td) {
fprintf(stdout, "%12s", "ec_curve");
@@ -2833,7 +2798,6 @@ print_td:
ecCurve_map[curveName] ? ecCurve_map[curveName]->text : "Unsupported curve");
}
break;
-#endif
case bltestMD2:
case bltestMD5:
case bltestSHA1:
@@ -3063,7 +3027,6 @@ get_params(PLArenaPool *arena, bltestParams *params,
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
break;
-#ifndef NSS_DISABLE_ECC
case bltestECDSA:
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
load_file_data(arena, &params->asymk.key, filename, bltestBase64Encoded);
@@ -3075,7 +3038,6 @@ get_params(PLArenaPool *arena, bltestParams *params,
sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
break;
-#endif
case bltestMD2:
case bltestMD5:
case bltestSHA1:
@@ -3297,13 +3259,11 @@ dump_file(bltestCipherMode mode, char *filename)
load_file_data(arena, &keydata, filename, bltestBase64Encoded);
key = dsakey_from_filedata(arena, &keydata.buf);
dump_dsakey(key);
-#ifndef NSS_DISABLE_ECC
} else if (mode == bltestECDSA) {
ECPrivateKey *key;
load_file_data(arena, &keydata, filename, bltestBase64Encoded);
key = eckey_from_filedata(arena, &keydata.buf);
dump_eckey(key);
-#endif
}
PORT_FreeArena(arena, PR_FALSE);
return SECFailure;
@@ -3590,9 +3550,7 @@ enum {
opt_Key,
opt_HexWSpc,
opt_Mode,
-#ifndef NSS_DISABLE_ECC
opt_CurveName,
-#endif
opt_Output,
opt_Repetitions,
opt_ZeroBuf,
@@ -3644,9 +3602,7 @@ static secuCommandFlag bltest_options[] =
{ /* opt_Key */ 'k', PR_TRUE, 0, PR_FALSE },
{ /* opt_HexWSpc */ 'l', PR_FALSE, 0, PR_FALSE },
{ /* opt_Mode */ 'm', PR_TRUE, 0, PR_FALSE },
-#ifndef NSS_DISABLE_ECC
{ /* opt_CurveName */ 'n', PR_TRUE, 0, PR_FALSE },
-#endif
{ /* opt_Output */ 'o', PR_TRUE, 0, PR_FALSE },
{ /* opt_Repetitions */ 'p', PR_TRUE, 0, PR_FALSE },
{ /* opt_ZeroBuf */ 'q', PR_FALSE, 0, PR_FALSE },
@@ -3679,9 +3635,7 @@ main(int argc, char **argv)
bltestCipherInfo *cipherInfoListHead, *cipherInfo = NULL;
bltestIOMode ioMode;
int bufsize, exponent, curThrdNum;
-#ifndef NSS_DISABLE_ECC
char *curveName = NULL;
-#endif
int i, commandsEntered;
int inoff, outoff;
int threads = 1;
@@ -3917,12 +3871,10 @@ main(int argc, char **argv)
else
exponent = 65537;
-#ifndef NSS_DISABLE_ECC
if (bltest.options[opt_CurveName].activated)
curveName = PORT_Strdup(bltest.options[opt_CurveName].arg);
else
curveName = NULL;
-#endif
if (bltest.commands[cmd_Verify].activated &&
!bltest.options[opt_SigFile].activated) {
@@ -4008,11 +3960,7 @@ main(int argc, char **argv)
file = PR_Open("tmp.key", PR_WRONLY | PR_CREATE_FILE, 00660);
}
params->key.mode = bltestBase64Encoded;
-#ifndef NSS_DISABLE_ECC
pubkeyInitKey(cipherInfo, file, keysize, exponent, curveName);
-#else
- pubkeyInitKey(cipherInfo, file, keysize, exponent);
-#endif
PR_Close(file);
}
diff --git a/security/nss/cmd/certcgi/HOWTO.txt b/security/nss/cmd/certcgi/HOWTO.txt
deleted file mode 100644
index 54edf8e1a..000000000
--- a/security/nss/cmd/certcgi/HOWTO.txt
+++ /dev/null
@@ -1,137 +0,0 @@
- How to setup your very own Cert-O-Matic Root CA server
-
- This Source Code Form is subject to the terms of the Mozilla Public
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- How to setup your very own Cert-O-Matic Root CA server
-
-The program certcgi is part of a small test CA that is used inside
-Netscape by the NSS development team. That CA is affectionately known
-as "Cert-O-Matic" or "Cert-O-Matic II". It presently runs on a server
-named interzone.mcom.com inside Netscape's firewall.
-
-If you wish to setup your own Cert-O-Matic, here are directions.
-
-Disclaimer: This program does not follow good practices for root CAs.
-It should be used only for playing/testing and never for production use.
-Remember, you've been warned!
-
-Cert-O-Matic consists of some html files, shell scripts, one executable
-program that uses NSS and NSPR, the usual set of NSS .db files, and a file
-in which to remember the serial number of the last cert issued. The
-html files and the source to the executable program are in this directory.
-Sample shell scripts are shown below.
-
-The shell scripts and executable program run as CGI "scripts". The
-entire thing runs on an ordinary http web server. It would also run on
-an https web server. The shell scripts and html files must be
-customized for the server on which they run.
-
-The package assumes you have a "document root" directory $DOCROOT, and a
-"cgi-bin" directory $CGIBIN. In this example, the document root is
-assumed to be located in /var/www/htdocs, and the cgi-bin directory in
-/var/www/cgi-bin.
-
-The server is assumed to run all cgi scripts as the user "nobody".
-The names of the cgi scripts run directly by the server all end in .cgi
-because some servers like it that way.
-
-Instructions:
-
-- Create directory $DOCROOT/certomatic
-- Copy the following files from nss/cmd/certcgi to $DOCROOT/certomatic
- ca.html index.html main.html nscp_ext_form.html stnd_ext_form.html
-- Edit the html files, substituting the name of your own server for the
- server named in those files.
-- In some web page (e.g. your server's home page), provide an html link to
- $DOCROOT/certomatic/index.html. This is where users start to get their
- own certs from certomatic.
-- give these files and directories appropriate permissions.
-
-- Create directories $CGIBIN/certomatic and $CGIBIN/certomatic/bin
- make sure that $CGIBIN/certomatic is writable by "nobody"
-
-- Create a new set of NSS db files there with the following command:
-
- certutil -N -d $CGIBIN/certomatic
-
-- when certutil prompts you for the password, enter the word foo
- because that is compiled into the certcgi program.
-
-- Create the new Root CA cert with this command
-
- certutil -S -x -d $CGIBIN/certomatic -n "Cert-O-Matic II" \
- -s "CN=Cert-O-Matic II, O=Cert-O-Matic II" -t TCu,cu,cu -k rsa \
- -g 1024 -m 10001 -v 60
-
- (adjust the -g, -m and -v parameters to taste. -s and -x must be as
-shown.)
-
-- dump out the new root CA cert in base64 encoding:
-
- certutil -d $CGIBIN/certomatic -L -n "Cert-O-Matic II" -a > \
- $CGIBIN/certomatic/root.cacert
-
-- In $CGIBIN/certomatic/bin add two shell scripts - one to download the
- root CA cert on demand, and one to run the certcgi program.
-
-download.cgi, the script to install the root CA cert into a browser on
-demand, is this:
-
-#!/bin/sh
-echo "Content-type: application/x-x509-ca-cert"
-echo
-cat $CGIBIN/certomatic/root.cacert
-
-You'll have to put the real path into that cat command because CGIBIN
-won't be defined when this script is run by the server.
-
-certcgi.cgi, the script to run the certcgi program is similar to this:
-
-#!/bin/sh
-cd $CGIBIN/certomatic/bin
-LD_LIBRARY_PATH=$PLATFORM/lib
-export LD_LIBRARY_PATH
-$PLATFORM/bin/certcgi $* 2>&1
-
-Where $PLATFORM/lib is where the NSPR nad NSS DSOs are located, and
-$PLATFORM/bin is where certcgi is located. PLATFORM is not defined when
-the server runs this script, so you'll have to substitute the right value
-in your script. certcgi requires that the working directory be one level
-below the NSS DBs, that is, the DBs are accessed in the directory "..".
-
-You'll want to provide an html link somewhere to the script that downloads
-the root.cacert file. You'll probably want to put that next to the link
-that loads the index.html page. On interzone, this is done with the
-following html:
-
-<a href="/certomatic/index.html">Cert-O-Matic II Root CA server</a>
-<p>
-<a href="/cgi-bin/certomatic/bin/download.cgi">Download and trust Root CA
-certificate</a>
-
-The index.html file in this directory invokes the certcgi.cgi script with
-the form post method, so if you change the name of the certcgi.cgi script,
-you'll also have to change the index.html file in $DOCROOT/certomatic
-
-The 4 files used by the certcgi program (the 3 NSS DBs, and the serial
-number file) are not required to live in $CGIBIN/certomatic, but they are
-required to live in $CWD/.. when certcgi starts.
-
-Known bugs:
-
-1. Because multiple of these CAs exist simultaneously, it would be best if
-they didn't all have to be called "Cert-O-Matic II", but that string is
-presently hard coded into certcgi.c.
-
-2. the html files in this directory contain numerous extraneous <FORM> tags
-which appear to use the post method and have action URLS that are never
-actually used. burp.cgi and echoform.cgi are never actually used. This
-should be cleaned up.
-
-3. The html files use <layer> tags which are supported only in Netscape
-Navigator and Netscape Communication 4.x browsers. The html files do
-not work as intended with Netscape 6.x, Mozilla or Microsoft IE browsers.
-The html files should be fixed to work with all those named browsers.
-
diff --git a/security/nss/cmd/certcgi/Makefile b/security/nss/cmd/certcgi/Makefile
deleted file mode 100644
index c2039d82b..000000000
--- a/security/nss/cmd/certcgi/Makefile
+++ /dev/null
@@ -1,48 +0,0 @@
-#! gmake
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-#######################################################################
-# (1) Include initial platform-independent assignments (MANDATORY). #
-#######################################################################
-
-include manifest.mn
-
-#######################################################################
-# (2) Include "global" configuration information. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/config.mk
-
-#######################################################################
-# (3) Include "component" configuration information. (OPTIONAL) #
-#######################################################################
-
-#######################################################################
-# (4) Include "local" platform-dependent assignments (OPTIONAL). #
-#######################################################################
-
-include ../platlibs.mk
-
-#######################################################################
-# (5) Execute "global" rules. (OPTIONAL) #
-#######################################################################
-
-include $(CORE_DEPTH)/coreconf/rules.mk
-
-#######################################################################
-# (6) Execute "component" rules. (OPTIONAL) #
-#######################################################################
-
-
-
-#######################################################################
-# (7) Execute "local" rules. (OPTIONAL). #
-#######################################################################
-
-
-
-include ../platrules.mk
-
diff --git a/security/nss/cmd/certcgi/ca.html b/security/nss/cmd/certcgi/ca.html
deleted file mode 100644
index 3f3f08699..000000000
--- a/security/nss/cmd/certcgi/ca.html
+++ /dev/null
@@ -1,19 +0,0 @@
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
-<form method="post" name="ca_form" action="mailto:jerdonek@netscape.com">
-<input type="radio" name="caChoiceradio" value="SignWithDefaultkey"
- onClick="{parent.choice_change(this.form)}">
- Use the Cert-O-matic certificate to issue the cert</p>
-<input type="radio" name="caChoiceradio" value="SignWithRandomChain"
- onClick="{parent.choice_change(this.form)}"> Use a
- <input type="text" size="2" maxsize="2" name="autoCAs"> CA long
- automatically generated chain ending with the Cert-O-Matic Cert
- (18 maximum)</p>
-<input type="radio" name="caChoiceradio" value="SignWithSpecifiedChain"
- onClick="{parent.choice_change(this.form)}"> Use a
- <input type="text" size="1" maxlength="1" name="manCAs"
- onChange="{parent.ca_num_change(this.value,this.form)}"> CA long
- user input chain ending in the Cert-O-Matic Cert.</p>
-</form>
diff --git a/security/nss/cmd/certcgi/ca_form.html b/security/nss/cmd/certcgi/ca_form.html
deleted file mode 100644
index 452996b58..000000000
--- a/security/nss/cmd/certcgi/ca_form.html
+++ /dev/null
@@ -1,357 +0,0 @@
-<html>
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
- <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
- <table border=0 cellspacing=10 cellpadding=0>
- <tr>
- <td>
- Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
- </td>
- <td></td><td></td><td>
- Mail: </td><td><input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}"></p>
- RFC 1274<input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">
- e-mail<input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)"></td>
- <tr>
- <td>
- Organization: </td><td> <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
- <td></td><td></td><td>
- Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
- <tr>
- <td>
- RFC 1274 UID: </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
- <td></td><td></td><td>
- Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
- <tr>
- <td>
- State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
- <td></td><td></td><td>
- Country: </td><td><input type="text" size="2" maxsize="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}"></p></td>
- </table>
- <table border=0 cellspacing=10 cellpadding=0>
- <tr>
- <td>
- Serial Number:</p>
- <DD>
- <input type="radio" name="serial" value="auto" checked> Auto Generate</P>
- <DD>
- <input type="radio" name="serial" value="input">
- Use this value: <input type="text" name="serial_value" size="8" maxlength="8"></p>
- </td>
- <td></td><td></td><td></td><td></td>
- <td>
- X.509 version:</p>
- <DD>
- <input type="radio" name="ver" value="1" checked> Version 1</p>
- <DD>
- <input type="radio" name="ver" value="3"> Version 3</P></td>
- <td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td><td></td>
- <td>
- Key Type:</p>
- <DD>
- <input type="radio" name="keyType" value="rsa" checked> RSA</p>
- <DD>
- <input type="radio" name="keyType" value="dsa"> DSA</P></td>
- </table>
- DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>
- <Select name="keysize">
- <option>1024 (High Grade)
- <option>768 (Medium Grade)
- <option>512 (Low Grade)
- </select>
- </p>
- <hr>
- </p>
- <table border=1 cellspacing=5 cellpadding=5>
- <tr>
- <td>
- <b>Netscape Certificate Type: </b></p>
- Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
- Critical: <input type="checkbox" name="netscape-cert-type-crit">
- <td>
- <input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
- <input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
- <input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
- <input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>
- <input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
- <input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
- <input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
- <input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
- </tr>
- <tr>
- <td>
- <b>Netscape Base URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-base-url"></P>
- Critical: <input type="checkbox" name="netscape-base-url-crit">
- <td>
- <input type="text" name="netscape-base-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape Revocation URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
- Critical: <input type="checkbox" name="netscape-revocation-url-crit">
- <td>
- <input type="text" name="netscape-revocation-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape CA Revocation URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
- Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
- <td>
- <input type="text" name="netscape-ca-revocation-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape Certificate Renewal URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
- Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
- <td>
- <input type="text" name="netscape-cert-renewal-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape CA Policy URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
- Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
- <td>
- <input type="text" name="netscape-ca-policy-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape SSL Server Name:</b></p>
- Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
- Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
- <td>
- <input type="text" name="netscape-ssl-server-name-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape Comment:</b></p>
- Activate extension: <input type="checkbox" name="netscape-comment"></P>
- Critical: <input type="checkbox" name="netscape-comment-crit">
- <td>
- <textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
- </tr>
- </table>
- </p>
- <hr>
- </p>
- <table border=1 cellspacing=5 cellpadding=5>
- <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
- <tr>
- <td>
- <b>Key Usage: </b></p>
- Activate extension: <input type="checkbox" name="keyUsage"></P>
- Critical: <input type="checkbox" name="keyUsage-crit">
- <td>
- <input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
- <input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>
- <input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>
- <input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
- <input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
- <input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
- <input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
- </tr>
- <tr>
- <td>
- <b>Extended Key Usage: </b></p>
- Activate extension: <input type="checkbox" name="extKeyUsage"></P>
- Critical: <input type="checkbox" name="extKeyUsage-crit">
- <td>
- <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
- <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
- <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
- <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
- <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
- <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
- <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
- <input type="checkbox" name="extKeyUsage-msTrustListSign"> Microsoft Trust List Signing</P>
- </tr>
- <tr>
- <td>
- <b>Basic Constraints:</b></p>
- Activate extension: <input type="checkbox" name="basicConstraints"></P>
- Critical: <input type="checkbox" name="basicConstraints-crit">
- <td>
- CA:</p>
- <dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
- <dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
- <input type="checkbox" name="basicConstraints-pathLengthConstraint">
- Include Path length: <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
- </tr>
- <tr>
- <td>
- <b>Authority Key Identifier:</b></p>
- Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
- <td>
- <input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
- <input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
- </tr>
- <tr>
- <td>
- <b>Subject Key Identifier:</b></p>
- Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
- <td>
- Key Identifier:
- <input type="text" name="subjectKeyIdentifier-text"></p>
- This is an:<p>
- <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
- <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
- </tr>
- <tr>
- <td>
- <b>Private Key Usage Period:</b></p>
- Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
- Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
- <td>
- Use:</p>
- <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
- <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
- <dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
- <b>Not to be used to sign before:</b></p>
- <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
- <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
- <dd><dd>(YYYY/MM/DD HH:MM:SS):
- <input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
- <input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
- <input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2">
- <input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
- <b>Not to be used to sign after:</b></p>
- <dd>(YYYY/MM/DD HH:MM:SS):
- <input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
- <input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
- <input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2">
- <input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
- </tr>
- <tr>
- <td>
- <b>Subject Alternative Name:</b></p>
- Activate extension: <input type="checkbox" name="SubAltName"></P>
- Critical: <input type="checkbox" name="SubAltName-crit">
- <td>
- <table>
- <tr>
- <td>
- General Names:</p>
- <select name="SubAltNameSelect" multiple size="10">
- </select></p></p>
- <input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
- <input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
- </td><td>
- <table><tr><td>
- Name Type: </td></tr><tr><td>
- <input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name,
- OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
- <input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
- <input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
- <input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
- <input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
- <input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
- </table>
- Name: <input type="text" name="SubAltNameText">
- Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
- </tr>
- </table>
- </tr>
-
-
- <tr>
- <td>
- <b>Issuer Alternative Name:</b></p>
- Activate extension: <input type="checkbox" name="IssuerAltName"></P>
- Critical: <input type="checkbox" name="IssuerAltName-crit">
- <td>
- <input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
- <input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
- <table>
- <tr>
- <td>
- General Names:</p>
- <select name="IssuerAltNameSelect" multiple size="10">
- </select></p></p>
- <input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
- <input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
- </td><td>
- <table><tr><td>
- Name Type: </td></tr><tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name,
- OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
- <input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
- <input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
- <input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
- <input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
- </table>
- Name: <input type="text" name="IssuerAltNameText">
- Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
- </tr>
- </table>
- </tr>
-
- <tr>
- <td>
- <b>Name Constraints:</b></p>
- Activate extension: <input type="checkbox" name="NameConstraints"></P>
- <td>
- <table>
- <tr>
- <td>
- Name Constraints:</p>
-
-
- <select name="NameConstraintSelect" multiple size="10">
- </select></p></p>
- <input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
- <input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
- </td><td>
- <table><tr><td>
- Name Type: </td></tr><tr><td>
- <input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
- OID: <input type="text" name="NameConstraintOtherNameOID" size="6"> </td><td>
- <input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
- <input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
- <input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
- <input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
- </table>
- Name: <input type="text" name="NameConstraintText">
- Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
- Constraint type:<p>
- <dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
- <dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
- Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
- Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
-
-
-
- </tr>
- </table>
- </tr>
- </table>
- </form>
-
-
-
-
-
-
-
-
-
-
diff --git a/security/nss/cmd/certcgi/certcgi.c b/security/nss/cmd/certcgi/certcgi.c
deleted file mode 100644
index 35409e250..000000000
--- a/security/nss/cmd/certcgi/certcgi.c
+++ /dev/null
@@ -1,2246 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/* Cert-O-Matic CGI */
-
-#include "nspr.h"
-#include "prtypes.h"
-#include "prtime.h"
-#include "prlong.h"
-
-#include "pk11func.h"
-#include "cert.h"
-#include "cryptohi.h"
-#include "secoid.h"
-#include "secder.h"
-#include "genname.h"
-#include "xconst.h"
-#include "secutil.h"
-#include "pk11pqg.h"
-#include "certxutl.h"
-#include "nss.h"
-
-/* #define TEST 1 */
-/* #define FILEOUT 1 */
-/* #define OFFLINE 1 */
-#define START_FIELDS 100
-#define PREFIX_LEN 6
-#define SERIAL_FILE "../serial"
-#define DB_DIRECTORY ".."
-
-static char *progName;
-
-typedef struct PairStr Pair;
-
-struct PairStr {
- char *name;
- char *data;
-};
-
-char prefix[PREFIX_LEN];
-
-const SEC_ASN1Template CERTIA5TypeTemplate[] = {
- { SEC_ASN1_IA5_STRING }
-};
-
-SECKEYPrivateKey *privkeys[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- NULL, NULL };
-
-#ifdef notdef
-const SEC_ASN1Template CERT_GeneralNameTemplate[] = {
- { SEC_ASN1_SEQUENCE_OF, 0, SEC_AnyTemplate }
-};
-#endif
-
-static void
-error_out(char *error_string)
-{
- printf("Content-type: text/plain\n\n");
- printf("%s", error_string);
- fflush(stderr);
- fflush(stdout);
- exit(1);
-}
-
-static void
-error_allocate(void)
-{
- error_out("ERROR: Unable to allocate memory");
-}
-
-static char *
-make_copy_string(char *read_pos,
- int length,
- char sentinal_value)
-/* copys string from to a new string it creates and
- returns a pointer to the new string */
-{
- int remaining = length;
- char *write_pos;
- char *new;
-
- new = write_pos = (char *)PORT_Alloc(length);
- if (new == NULL) {
- error_allocate();
- }
- while (*read_pos != sentinal_value) {
- if (remaining == 1) {
- remaining += length;
- length = length * 2;
- new = PORT_Realloc(new, length);
- if (new == NULL) {
- error_allocate();
- }
- write_pos = new + length - remaining;
- }
- *write_pos = *read_pos;
- ++write_pos;
- ++read_pos;
- remaining = remaining - 1;
- }
- *write_pos = '\0';
- return new;
-}
-
-static SECStatus
-clean_input(Pair *data)
-/* converts the non-alphanumeric characters in a form post
- from hex codes back to characters */
-{
- int length;
- int hi_digit;
- int low_digit;
- char character;
- char *begin_pos;
- char *read_pos;
- char *write_pos;
- PRBool name = PR_TRUE;
-
- begin_pos = data->name;
- while (begin_pos != NULL) {
- length = strlen(begin_pos);
- read_pos = write_pos = begin_pos;
- while ((read_pos - begin_pos) < length) {
- if (*read_pos == '+') {
- *read_pos = ' ';
- }
- if (*read_pos == '%') {
- hi_digit = *(read_pos + 1);
- low_digit = *(read_pos + 2);
- read_pos += 3;
- if (isdigit(hi_digit)) {
- hi_digit = hi_digit - '0';
- } else {
- hi_digit = toupper(hi_digit);
- if (isxdigit(hi_digit)) {
- hi_digit = (hi_digit - 'A') + 10;
- } else {
- error_out("ERROR: Form data incorrectly formated");
- }
- }
- if (isdigit(low_digit)) {
- low_digit = low_digit - '0';
- } else {
- low_digit = toupper(low_digit);
- if ((low_digit >= 'A') && (low_digit <= 'F')) {
- low_digit = (low_digit - 'A') + 10;
- } else {
- error_out("ERROR: Form data incorrectly formated");
- }
- }
- character = (hi_digit << 4) | low_digit;
- if (character != 10) {
- *write_pos = character;
- ++write_pos;
- }
- } else {
- *write_pos = *read_pos;
- ++write_pos;
- ++read_pos;
- }
- }
- *write_pos = '\0';
- if (name == PR_TRUE) {
- begin_pos = data->data;
- name = PR_FALSE;
- } else {
- data++;
- begin_pos = data->name;
- name = PR_TRUE;
- }
- }
- return SECSuccess;
-}
-
-static char *
-make_name(char *new_data)
-/* gets the next field name in the input string and returns
- a pointer to a string containing a copy of it */
-{
- int length = 20;
- char *name;
-
- name = make_copy_string(new_data, length, '=');
- return name;
-}
-
-static char *
-make_data(char *new_data)
-/* gets the data for the next field in the input string
- and returns a pointer to a string containing it */
-{
- int length = 100;
- char *data;
- char *read_pos;
-
- read_pos = new_data;
- while (*(read_pos - 1) != '=') {
- ++read_pos;
- }
- data = make_copy_string(read_pos, length, '&');
- return data;
-}
-
-static Pair
-make_pair(char *new_data)
-/* makes a pair name/data pair from the input string */
-{
- Pair temp;
-
- temp.name = make_name(new_data);
- temp.data = make_data(new_data);
- return temp;
-}
-
-static Pair *
-make_datastruct(char *data, int len)
-/* parses the input from the form post into a data
- structure of field name/data pairs */
-{
- Pair *datastruct;
- Pair *current;
- char *curr_pos;
- int fields = START_FIELDS;
- int remaining = START_FIELDS;
-
- curr_pos = data;
- datastruct = current = (Pair *)PORT_Alloc(fields * sizeof(Pair));
- if (datastruct == NULL) {
- error_allocate();
- }
- while (curr_pos - data < len) {
- if (remaining == 1) {
- remaining += fields;
- fields = fields * 2;
- datastruct = (Pair *)PORT_Realloc(datastruct, fields *
- sizeof(Pair));
- if (datastruct == NULL) {
- error_allocate();
- }
- current = datastruct + (fields - remaining);
- }
- *current = make_pair(curr_pos);
- while (*curr_pos != '&') {
- ++curr_pos;
- }
- ++curr_pos;
- ++current;
- remaining = remaining - 1;
- }
- current->name = NULL;
- return datastruct;
-}
-
-static char *
-return_name(Pair *data_struct,
- int n)
-/* returns a pointer to the name of the nth
- (starting from 0) item in the data structure */
-{
- char *name;
-
- if ((data_struct + n)->name != NULL) {
- name = (data_struct + n)->name;
- return name;
- } else {
- return NULL;
- }
-}
-
-static char *
-return_data(Pair *data_struct, int n)
-/* returns a pointer to the data of the nth (starting from 0)
- itme in the data structure */
-{
- char *data;
-
- data = (data_struct + n)->data;
- return data;
-}
-
-static char *
-add_prefix(char *field_name)
-{
- extern char prefix[PREFIX_LEN];
- int i = 0;
- char *rv;
- char *write;
-
- rv = write = PORT_Alloc(PORT_Strlen(prefix) + PORT_Strlen(field_name) + 1);
- for (i = 0; i < PORT_Strlen(prefix); i++) {
- *write = prefix[i];
- write++;
- }
- *write = '\0';
- rv = PORT_Strcat(rv, field_name);
- return rv;
-}
-
-static char *
-find_field(Pair *data,
- char *field_name,
- PRBool add_pre)
-/* returns a pointer to the data of the first pair
- thats name matches the string it is passed */
-{
- int i = 0;
- char *retrieved;
- int found = 0;
-
- if (add_pre) {
- field_name = add_prefix(field_name);
- }
- while (return_name(data, i) != NULL) {
- if (PORT_Strcmp(return_name(data, i), field_name) == 0) {
- retrieved = return_data(data, i);
- found = 1;
- break;
- }
- i++;
- }
- if (!found) {
- retrieved = NULL;
- }
- return retrieved;
-}
-
-static PRBool
-find_field_bool(Pair *data,
- char *fieldname,
- PRBool add_pre)
-{
- char *rv;
-
- rv = find_field(data, fieldname, add_pre);
-
- if ((rv != NULL) && (PORT_Strcmp(rv, "true")) == 0) {
- return PR_TRUE;
- } else {
- return PR_FALSE;
- }
-}
-
-static CERTCertificateRequest *
-makeCertReq(Pair *form_data,
- int which_priv_key)
-/* makes and encodes a certrequest */
-{
-
- PK11SlotInfo *slot;
- CERTCertificateRequest *certReq = NULL;
- CERTSubjectPublicKeyInfo *spki;
- SECKEYPrivateKey *privkey = NULL;
- SECKEYPublicKey *pubkey = NULL;
- CERTName *name;
- char *key;
- extern SECKEYPrivateKey *privkeys[9];
- int keySizeInBits;
- char *challenge = "foo";
- SECStatus rv = SECSuccess;
- PQGParams *pqgParams = NULL;
- PQGVerify *pqgVfy = NULL;
-
- name = CERT_AsciiToName(find_field(form_data, "subject", PR_TRUE));
- if (name == NULL) {
- error_out("ERROR: Unable to create Subject Name");
- }
- key = find_field(form_data, "key", PR_TRUE);
- if (key == NULL) {
- switch (*find_field(form_data, "keysize", PR_TRUE)) {
- case '0':
- keySizeInBits = 2048;
- break;
- case '1':
- keySizeInBits = 1024;
- break;
- case '2':
- keySizeInBits = 512;
- break;
- default:
- error_out("ERROR: Unsupported Key length selected");
- }
- if (find_field_bool(form_data, "keyType-dsa", PR_TRUE)) {
- rv = PK11_PQG_ParamGen(keySizeInBits, &pqgParams, &pqgVfy);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to generate PQG parameters");
- }
- slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
- privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN,
- pqgParams, &pubkey, PR_FALSE,
- PR_TRUE, NULL);
- } else {
- privkey = SECKEY_CreateRSAPrivateKey(keySizeInBits, &pubkey, NULL);
- }
- privkeys[which_priv_key] = privkey;
- spki = SECKEY_CreateSubjectPublicKeyInfo(pubkey);
- } else {
- spki = SECKEY_ConvertAndDecodePublicKeyAndChallenge(key, challenge,
- NULL);
- if (spki == NULL) {
- error_out("ERROR: Unable to decode Public Key and Challenge String");
- }
- }
- certReq = CERT_CreateCertificateRequest(name, spki, NULL);
- if (certReq == NULL) {
- error_out("ERROR: Unable to create Certificate Request");
- }
- if (pubkey != NULL) {
- SECKEY_DestroyPublicKey(pubkey);
- }
- if (spki != NULL) {
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- }
- if (pqgParams != NULL) {
- PK11_PQG_DestroyParams(pqgParams);
- }
- if (pqgVfy != NULL) {
- PK11_PQG_DestroyVerify(pqgVfy);
- }
- return certReq;
-}
-
-static CERTCertificate *
-MakeV1Cert(CERTCertDBHandle *handle,
- CERTCertificateRequest *req,
- char *issuerNameStr,
- PRBool selfsign,
- int serialNumber,
- int warpmonths,
- Pair *data)
-{
- CERTCertificate *issuerCert = NULL;
- CERTValidity *validity;
- CERTCertificate *cert = NULL;
- PRExplodedTime printableTime;
- PRTime now,
- after;
- if (!selfsign) {
- issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
- if (!issuerCert) {
- error_out("ERROR: Could not find issuer's certificate");
- return NULL;
- }
- }
- if (find_field_bool(data, "manValidity", PR_TRUE)) {
- (void)DER_AsciiToTime(&now, find_field(data, "notBefore", PR_TRUE));
- } else {
- now = PR_Now();
- }
- PR_ExplodeTime(now, PR_GMTParameters, &printableTime);
- if (warpmonths) {
- printableTime.tm_month += warpmonths;
- now = PR_ImplodeTime(&printableTime);
- PR_ExplodeTime(now, PR_GMTParameters, &printableTime);
- }
- if (find_field_bool(data, "manValidity", PR_TRUE)) {
- (void)DER_AsciiToTime(&after, find_field(data, "notAfter", PR_TRUE));
- PR_ExplodeTime(after, PR_GMTParameters, &printableTime);
- } else {
- printableTime.tm_month += 3;
- after = PR_ImplodeTime(&printableTime);
- }
- /* note that the time is now in micro-second unit */
- validity = CERT_CreateValidity(now, after);
-
- if (selfsign) {
- cert = CERT_CreateCertificate(serialNumber, &(req->subject), validity, req);
- } else {
- cert = CERT_CreateCertificate(serialNumber, &(issuerCert->subject), validity, req);
- }
-
- CERT_DestroyValidity(validity);
- if (issuerCert) {
- CERT_DestroyCertificate(issuerCert);
- }
- return (cert);
-}
-
-static int
-get_serial_number(Pair *data)
-{
- int serial = 0;
- int error;
- char *filename = SERIAL_FILE;
- char *SN;
- FILE *serialFile;
-
- if (find_field_bool(data, "serial-auto", PR_TRUE)) {
- serialFile = fopen(filename, "r");
- if (serialFile != NULL) {
- size_t nread = fread(&serial, sizeof(int), 1, serialFile);
- if (ferror(serialFile) != 0 || nread != 1) {
- error_out("Error: Unable to read serial number file");
- }
- if (serial == -1) {
- serial = 21;
- }
- fclose(serialFile);
- ++serial;
- serialFile = fopen(filename, "w");
- if (serialFile == NULL) {
- error_out("ERROR: Unable to open serial number file for writing");
- }
- fwrite(&serial, sizeof(int), 1, serialFile);
- if (ferror(serialFile) != 0) {
- error_out("Error: Unable to write to serial number file");
- }
- } else {
- fclose(serialFile);
- serialFile = fopen(filename, "w");
- if (serialFile == NULL) {
- error_out("ERROR: Unable to open serial number file");
- }
- serial = 21;
- fwrite(&serial, sizeof(int), 1, serialFile);
- if (ferror(serialFile) != 0) {
- error_out("Error: Unable to write to serial number file");
- }
- error = ferror(serialFile);
- if (error != 0) {
- error_out("ERROR: Unable to write to serial file");
- }
- }
- fclose(serialFile);
- } else {
- SN = find_field(data, "serial_value", PR_TRUE);
- while (*SN != '\0') {
- serial = serial * 16;
- if ((*SN >= 'A') && (*SN <= 'F')) {
- serial += *SN - 'A' + 10;
- } else {
- if ((*SN >= 'a') && (*SN <= 'f')) {
- serial += *SN - 'a' + 10;
- } else {
- serial += *SN - '0';
- }
- }
- ++SN;
- }
- }
- return serial;
-}
-
-typedef SECStatus (*EXTEN_VALUE_ENCODER)(PLArenaPool *extHandle, void *value, SECItem *encodedValue);
-
-static SECStatus
-EncodeAndAddExtensionValue(
- PLArenaPool *arena,
- void *extHandle,
- void *value,
- PRBool criticality,
- int extenType,
- EXTEN_VALUE_ENCODER EncodeValueFn)
-{
- SECItem encodedValue;
- SECStatus rv;
-
- encodedValue.data = NULL;
- encodedValue.len = 0;
- rv = (*EncodeValueFn)(arena, value, &encodedValue);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to encode extension value");
- }
- rv = CERT_AddExtension(extHandle, extenType, &encodedValue, criticality, PR_TRUE);
- return (rv);
-}
-
-static SECStatus
-AddKeyUsage(void *extHandle,
- Pair *data)
-{
- SECItem bitStringValue;
- unsigned char keyUsage = 0x0;
-
- if (find_field_bool(data, "keyUsage-digitalSignature", PR_TRUE)) {
- keyUsage |= (0x80 >> 0);
- }
- if (find_field_bool(data, "keyUsage-nonRepudiation", PR_TRUE)) {
- keyUsage |= (0x80 >> 1);
- }
- if (find_field_bool(data, "keyUsage-keyEncipherment", PR_TRUE)) {
- keyUsage |= (0x80 >> 2);
- }
- if (find_field_bool(data, "keyUsage-dataEncipherment", PR_TRUE)) {
- keyUsage |= (0x80 >> 3);
- }
- if (find_field_bool(data, "keyUsage-keyAgreement", PR_TRUE)) {
- keyUsage |= (0x80 >> 4);
- }
- if (find_field_bool(data, "keyUsage-keyCertSign", PR_TRUE)) {
- keyUsage |= (0x80 >> 5);
- }
- if (find_field_bool(data, "keyUsage-cRLSign", PR_TRUE)) {
- keyUsage |= (0x80 >> 6);
- }
-
- bitStringValue.data = &keyUsage;
- bitStringValue.len = 1;
-
- return (CERT_EncodeAndAddBitStrExtension(extHandle, SEC_OID_X509_KEY_USAGE, &bitStringValue,
- (find_field_bool(data, "keyUsage-crit", PR_TRUE))));
-}
-
-static CERTOidSequence *
-CreateOidSequence(void)
-{
- CERTOidSequence *rv = (CERTOidSequence *)NULL;
- PLArenaPool *arena = (PLArenaPool *)NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if ((PLArenaPool *)NULL == arena) {
- goto loser;
- }
-
- rv = (CERTOidSequence *)PORT_ArenaZAlloc(arena, sizeof(CERTOidSequence));
- if ((CERTOidSequence *)NULL == rv) {
- goto loser;
- }
-
- rv->oids = (SECItem **)PORT_ArenaZAlloc(arena, sizeof(SECItem *));
- if ((SECItem **)NULL == rv->oids) {
- goto loser;
- }
-
- rv->arena = arena;
- return rv;
-
-loser:
- if ((PLArenaPool *)NULL != arena) {
- PORT_FreeArena(arena, PR_FALSE);
- }
-
- return (CERTOidSequence *)NULL;
-}
-
-static SECStatus
-AddOidToSequence(CERTOidSequence *os, SECOidTag oidTag)
-{
- SECItem **oids;
- PRUint32 count = 0;
- SECOidData *od;
-
- od = SECOID_FindOIDByTag(oidTag);
- if ((SECOidData *)NULL == od) {
- return SECFailure;
- }
-
- for (oids = os->oids; (SECItem *)NULL != *oids; oids++) {
- count++;
- }
-
- /* ArenaZRealloc */
-
- {
- PRUint32 i;
-
- oids = (SECItem **)PORT_ArenaZAlloc(os->arena, sizeof(SECItem *) * (count + 2));
- if ((SECItem **)NULL == oids) {
- return SECFailure;
- }
-
- for (i = 0; i < count; i++) {
- oids[i] = os->oids[i];
- }
-
- /* ArenaZFree(os->oids); */
- }
-
- os->oids = oids;
- os->oids[count] = &od->oid;
-
- return SECSuccess;
-}
-
-static SECItem *
-EncodeOidSequence(CERTOidSequence *os)
-{
- SECItem *rv;
- extern const SEC_ASN1Template CERT_OidSeqTemplate[];
-
- rv = (SECItem *)PORT_ArenaZAlloc(os->arena, sizeof(SECItem));
- if ((SECItem *)NULL == rv) {
- goto loser;
- }
-
- if (!SEC_ASN1EncodeItem(os->arena, rv, os, CERT_OidSeqTemplate)) {
- goto loser;
- }
-
- return rv;
-
-loser:
- return (SECItem *)NULL;
-}
-
-static SECStatus
-AddExtKeyUsage(void *extHandle, Pair *data)
-{
- SECStatus rv;
- CERTOidSequence *os;
- SECItem *value;
- PRBool crit;
-
- os = CreateOidSequence();
- if ((CERTOidSequence *)NULL == os) {
- return SECFailure;
- }
-
- if (find_field_bool(data, "extKeyUsage-serverAuth", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_SERVER_AUTH);
- if (SECSuccess != rv)
- goto loser;
- }
-
- if (find_field_bool(data, "extKeyUsage-msTrustListSign", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING);
- if (SECSuccess != rv)
- goto loser;
- }
-
- if (find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
- if (SECSuccess != rv)
- goto loser;
- }
-
- if (find_field_bool(data, "extKeyUsage-codeSign", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
- if (SECSuccess != rv)
- goto loser;
- }
-
- if (find_field_bool(data, "extKeyUsage-emailProtect", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT);
- if (SECSuccess != rv)
- goto loser;
- }
-
- if (find_field_bool(data, "extKeyUsage-timeStamp", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_TIME_STAMP);
- if (SECSuccess != rv)
- goto loser;
- }
-
- if (find_field_bool(data, "extKeyUsage-ocspResponder", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_OCSP_RESPONDER);
- if (SECSuccess != rv)
- goto loser;
- }
-
- if (find_field_bool(data, "extKeyUsage-NS-govtApproved", PR_TRUE)) {
- rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
- if (SECSuccess != rv)
- goto loser;
- }
-
- value = EncodeOidSequence(os);
-
- crit = find_field_bool(data, "extKeyUsage-crit", PR_TRUE);
-
- rv = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE, value,
- crit, PR_TRUE);
-/*FALLTHROUGH*/
-loser:
- CERT_DestroyOidSequence(os);
- return rv;
-}
-
-static SECStatus
-AddSubKeyID(void *extHandle,
- Pair *data,
- CERTCertificate *subjectCert)
-{
- SECItem encodedValue;
- SECStatus rv;
- char *read;
- char *write;
- char *first;
- char character;
- int high_digit = 0,
- low_digit = 0;
- int len;
- PRBool odd = PR_FALSE;
-
- encodedValue.data = NULL;
- encodedValue.len = 0;
- first = read = write = find_field(data, "subjectKeyIdentifier-text",
- PR_TRUE);
- len = PORT_Strlen(first);
- odd = ((len % 2) != 0) ? PR_TRUE : PR_FALSE;
- if (find_field_bool(data, "subjectKeyIdentifier-radio-hex", PR_TRUE)) {
- if (odd) {
- error_out("ERROR: Improperly formated subject key identifier, hex values must be expressed as an octet string");
- }
- while (*read != '\0') {
- if (!isxdigit(*read)) {
- error_out("ERROR: Improperly formated subject key identifier");
- }
- *read = toupper(*read);
- if ((*read >= 'A') && (*read <= 'F')) {
- high_digit = *read - 'A' + 10;
- } else {
- high_digit = *read - '0';
- }
- ++read;
- if (!isxdigit(*read)) {
- error_out("ERROR: Improperly formated subject key identifier");
- }
- *read = toupper(*read);
- if ((*read >= 'A') && (*read <= 'F')) {
- low_digit = *(read) - 'A' + 10;
- } else {
- low_digit = *(read) - '0';
- }
- character = (high_digit << 4) | low_digit;
- *write = character;
- ++write;
- ++read;
- }
- *write = '\0';
- len = write - first;
- }
- subjectCert->subjectKeyID.data = (unsigned char *)find_field(data, "subjectKeyIdentifier-text", PR_TRUE);
- subjectCert->subjectKeyID.len = len;
- rv = CERT_EncodeSubjectKeyID(NULL, &subjectCert->subjectKeyID, &encodedValue);
- if (rv) {
- return (rv);
- }
- return (CERT_AddExtension(extHandle, SEC_OID_X509_SUBJECT_KEY_ID,
- &encodedValue, PR_FALSE, PR_TRUE));
-}
-
-static SECStatus
-AddAuthKeyID(void *extHandle,
- Pair *data,
- char *issuerNameStr,
- CERTCertDBHandle *handle)
-{
- CERTAuthKeyID *authKeyID = NULL;
- PLArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- CERTCertificate *issuerCert = NULL;
- CERTGeneralName *genNames;
- CERTName *directoryName = NULL;
-
- issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!arena) {
- error_allocate();
- }
-
- authKeyID = PORT_ArenaZAlloc(arena, sizeof(CERTAuthKeyID));
- if (authKeyID == NULL) {
- error_allocate();
- }
- if (find_field_bool(data, "authorityKeyIdentifier-radio-keyIdentifier",
- PR_TRUE)) {
- authKeyID->keyID.data = PORT_ArenaAlloc(arena, PORT_Strlen((char *)issuerCert->subjectKeyID.data));
- if (authKeyID->keyID.data == NULL) {
- error_allocate();
- }
- PORT_Memcpy(authKeyID->keyID.data, issuerCert->subjectKeyID.data,
- authKeyID->keyID.len =
- PORT_Strlen((char *)issuerCert->subjectKeyID.data));
- } else {
-
- PORT_Assert(arena);
- genNames = (CERTGeneralName *)PORT_ArenaZAlloc(arena, (sizeof(CERTGeneralName)));
- if (genNames == NULL) {
- error_allocate();
- }
- genNames->l.next = genNames->l.prev = &(genNames->l);
- genNames->type = certDirectoryName;
-
- directoryName = CERT_AsciiToName(issuerCert->subjectName);
- if (!directoryName) {
- error_out("ERROR: Unable to create Directory Name");
- }
- rv = CERT_CopyName(arena, &genNames->name.directoryName,
- directoryName);
- CERT_DestroyName(directoryName);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to copy Directory Name");
- }
- authKeyID->authCertIssuer = genNames;
- if (authKeyID->authCertIssuer == NULL && SECFailure == PORT_GetError()) {
- error_out("ERROR: Unable to get Issuer General Name for Authority Key ID Extension");
- }
- authKeyID->authCertSerialNumber = issuerCert->serialNumber;
- }
- rv = EncodeAndAddExtensionValue(arena, extHandle, authKeyID, PR_FALSE,
- SEC_OID_X509_AUTH_KEY_ID,
- (EXTEN_VALUE_ENCODER)
- CERT_EncodeAuthKeyID);
- if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
- }
- return (rv);
-}
-
-static SECStatus
-AddPrivKeyUsagePeriod(void *extHandle,
- Pair *data,
- CERTCertificate *cert)
-{
- char *notBeforeStr;
- char *notAfterStr;
- PLArenaPool *arena = NULL;
- SECStatus rv = SECSuccess;
- CERTPrivKeyUsagePeriod *pkup;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!arena) {
- error_allocate();
- }
- pkup = PORT_ArenaZNew(arena, CERTPrivKeyUsagePeriod);
- if (pkup == NULL) {
- error_allocate();
- }
- notBeforeStr = (char *)PORT_Alloc(16);
- if (notBeforeStr == NULL) {
- error_allocate();
- }
- notAfterStr = (char *)PORT_Alloc(16);
- if (notAfterStr == NULL) {
- error_allocate();
- }
- *notBeforeStr = '\0';
- *notAfterStr = '\0';
- pkup->arena = arena;
- pkup->notBefore.len = 0;
- pkup->notBefore.data = NULL;
- pkup->notAfter.len = 0;
- pkup->notAfter.data = NULL;
- if (find_field_bool(data, "privKeyUsagePeriod-radio-notBefore", PR_TRUE) ||
- find_field_bool(data, "privKeyUsagePeriod-radio-both", PR_TRUE)) {
- pkup->notBefore.len = 15;
- pkup->notBefore.data = (unsigned char *)notBeforeStr;
- if (find_field_bool(data, "privKeyUsagePeriod-notBefore-radio-manual",
- PR_TRUE)) {
- PORT_Strcat(notBeforeStr, find_field(data,
- "privKeyUsagePeriod-notBefore-year",
- PR_TRUE));
- PORT_Strcat(notBeforeStr, find_field(data,
- "privKeyUsagePeriod-notBefore-month",
- PR_TRUE));
- PORT_Strcat(notBeforeStr, find_field(data,
- "privKeyUsagePeriod-notBefore-day",
- PR_TRUE));
- PORT_Strcat(notBeforeStr, find_field(data,
- "privKeyUsagePeriod-notBefore-hour",
- PR_TRUE));
- PORT_Strcat(notBeforeStr, find_field(data,
- "privKeyUsagePeriod-notBefore-minute",
- PR_TRUE));
- PORT_Strcat(notBeforeStr, find_field(data,
- "privKeyUsagePeriod-notBefore-second",
- PR_TRUE));
- if ((*(notBeforeStr + 14) != '\0') ||
- (!isdigit(*(notBeforeStr + 13))) ||
- (*(notBeforeStr + 12) >= '5' && *(notBeforeStr + 12) <= '0') ||
- (!isdigit(*(notBeforeStr + 11))) ||
- (*(notBeforeStr + 10) >= '5' && *(notBeforeStr + 10) <= '0') ||
- (!isdigit(*(notBeforeStr + 9))) ||
- (*(notBeforeStr + 8) >= '2' && *(notBeforeStr + 8) <= '0') ||
- (!isdigit(*(notBeforeStr + 7))) ||
- (*(notBeforeStr + 6) >= '3' && *(notBeforeStr + 6) <= '0') ||
- (!isdigit(*(notBeforeStr + 5))) ||
- (*(notBeforeStr + 4) >= '1' && *(notBeforeStr + 4) <= '0') ||
- (!isdigit(*(notBeforeStr + 3))) ||
- (!isdigit(*(notBeforeStr + 2))) ||
- (!isdigit(*(notBeforeStr + 1))) ||
- (!isdigit(*(notBeforeStr + 0))) ||
- (*(notBeforeStr + 8) == '2' && *(notBeforeStr + 9) >= '4') ||
- (*(notBeforeStr + 6) == '3' && *(notBeforeStr + 7) >= '1') ||
- (*(notBeforeStr + 4) == '1' && *(notBeforeStr + 5) >= '2')) {
- error_out("ERROR: Improperly formated private key usage period");
- }
- *(notBeforeStr + 14) = 'Z';
- *(notBeforeStr + 15) = '\0';
- } else {
- if ((*(cert->validity.notBefore.data) > '5') ||
- ((*(cert->validity.notBefore.data) == '5') &&
- (*(cert->validity.notBefore.data + 1) != '0'))) {
- PORT_Strcat(notBeforeStr, "19");
- } else {
- PORT_Strcat(notBeforeStr, "20");
- }
- PORT_Strcat(notBeforeStr, (char *)cert->validity.notBefore.data);
- }
- }
- if (find_field_bool(data, "privKeyUsagePeriod-radio-notAfter", PR_TRUE) ||
- find_field_bool(data, "privKeyUsagePeriod-radio-both", PR_TRUE)) {
- pkup->notAfter.len = 15;
- pkup->notAfter.data = (unsigned char *)notAfterStr;
- PORT_Strcat(notAfterStr, find_field(data, "privKeyUsagePeriod-notAfter-year",
- PR_TRUE));
- PORT_Strcat(notAfterStr, find_field(data, "privKeyUsagePeriod-notAfter-month",
- PR_TRUE));
- PORT_Strcat(notAfterStr, find_field(data, "privKeyUsagePeriod-notAfter-day",
- PR_TRUE));
- PORT_Strcat(notAfterStr, find_field(data, "privKeyUsagePeriod-notAfter-hour",
- PR_TRUE));
- PORT_Strcat(notAfterStr, find_field(data, "privKeyUsagePeriod-notAfter-minute",
- PR_TRUE));
- PORT_Strcat(notAfterStr, find_field(data, "privKeyUsagePeriod-notAfter-second",
- PR_TRUE));
- if ((*(notAfterStr + 14) != '\0') ||
- (!isdigit(*(notAfterStr + 13))) ||
- (*(notAfterStr + 12) >= '5' && *(notAfterStr + 12) <= '0') ||
- (!isdigit(*(notAfterStr + 11))) ||
- (*(notAfterStr + 10) >= '5' && *(notAfterStr + 10) <= '0') ||
- (!isdigit(*(notAfterStr + 9))) ||
- (*(notAfterStr + 8) >= '2' && *(notAfterStr + 8) <= '0') ||
- (!isdigit(*(notAfterStr + 7))) ||
- (*(notAfterStr + 6) >= '3' && *(notAfterStr + 6) <= '0') ||
- (!isdigit(*(notAfterStr + 5))) ||
- (*(notAfterStr + 4) >= '1' && *(notAfterStr + 4) <= '0') ||
- (!isdigit(*(notAfterStr + 3))) ||
- (!isdigit(*(notAfterStr + 2))) ||
- (!isdigit(*(notAfterStr + 1))) ||
- (!isdigit(*(notAfterStr + 0))) ||
- (*(notAfterStr + 8) == '2' && *(notAfterStr + 9) >= '4') ||
- (*(notAfterStr + 6) == '3' && *(notAfterStr + 7) >= '1') ||
- (*(notAfterStr + 4) == '1' && *(notAfterStr + 5) >= '2')) {
- error_out("ERROR: Improperly formated private key usage period");
- }
- *(notAfterStr + 14) = 'Z';
- *(notAfterStr + 15) = '\0';
- }
-
- PORT_Assert(arena);
-
- rv = EncodeAndAddExtensionValue(arena, extHandle, pkup,
- find_field_bool(data,
- "privKeyUsagePeriod-crit",
- PR_TRUE),
- SEC_OID_X509_PRIVATE_KEY_USAGE_PERIOD,
- (EXTEN_VALUE_ENCODER)
- CERT_EncodePrivateKeyUsagePeriod);
- PORT_FreeArena(arena, PR_FALSE);
- PORT_Free(notBeforeStr);
- PORT_Free(notAfterStr);
- return (rv);
-}
-
-static SECStatus
-AddBasicConstraint(void *extHandle,
- Pair *data)
-{
- CERTBasicConstraints basicConstraint;
- SECItem encodedValue;
- SECStatus rv;
-
- encodedValue.data = NULL;
- encodedValue.len = 0;
- basicConstraint.pathLenConstraint = CERT_UNLIMITED_PATH_CONSTRAINT;
- basicConstraint.isCA = (find_field_bool(data, "basicConstraints-cA-radio-CA",
- PR_TRUE));
- if (find_field_bool(data, "basicConstraints-pathLengthConstraint", PR_TRUE)) {
- basicConstraint.pathLenConstraint = atoi(find_field(data, "basicConstraints-pathLengthConstraint-text",
- PR_TRUE));
- }
-
- rv = CERT_EncodeBasicConstraintValue(NULL, &basicConstraint,
- &encodedValue);
- if (rv)
- return (rv);
- rv = CERT_AddExtension(extHandle, SEC_OID_X509_BASIC_CONSTRAINTS,
- &encodedValue,
- (find_field_bool(data, "basicConstraints-crit",
- PR_TRUE)),
- PR_TRUE);
-
- PORT_Free(encodedValue.data);
- return (rv);
-}
-
-static SECStatus
-AddNscpCertType(void *extHandle,
- Pair *data)
-{
- SECItem bitStringValue;
- unsigned char CertType = 0x0;
-
- if (find_field_bool(data, "netscape-cert-type-ssl-client", PR_TRUE)) {
- CertType |= (0x80 >> 0);
- }
- if (find_field_bool(data, "netscape-cert-type-ssl-server", PR_TRUE)) {
- CertType |= (0x80 >> 1);
- }
- if (find_field_bool(data, "netscape-cert-type-smime", PR_TRUE)) {
- CertType |= (0x80 >> 2);
- }
- if (find_field_bool(data, "netscape-cert-type-object-signing", PR_TRUE)) {
- CertType |= (0x80 >> 3);
- }
- if (find_field_bool(data, "netscape-cert-type-reserved", PR_TRUE)) {
- CertType |= (0x80 >> 4);
- }
- if (find_field_bool(data, "netscape-cert-type-ssl-ca", PR_TRUE)) {
- CertType |= (0x80 >> 5);
- }
- if (find_field_bool(data, "netscape-cert-type-smime-ca", PR_TRUE)) {
- CertType |= (0x80 >> 6);
- }
- if (find_field_bool(data, "netscape-cert-type-object-signing-ca", PR_TRUE)) {
- CertType |= (0x80 >> 7);
- }
-
- bitStringValue.data = &CertType;
- bitStringValue.len = 1;
-
- return (CERT_EncodeAndAddBitStrExtension(extHandle, SEC_OID_NS_CERT_EXT_CERT_TYPE, &bitStringValue,
- (find_field_bool(data, "netscape-cert-type-crit", PR_TRUE))));
-}
-
-static SECStatus
-add_IA5StringExtension(void *extHandle,
- char *string,
- PRBool crit,
- int idtag)
-{
- SECItem encodedValue;
- SECStatus rv;
-
- encodedValue.data = NULL;
- encodedValue.len = 0;
-
- rv = CERT_EncodeIA5TypeExtension(NULL, string, &encodedValue);
- if (rv) {
- return (rv);
- }
- return (CERT_AddExtension(extHandle, idtag, &encodedValue, crit, PR_TRUE));
-}
-
-static SECItem *
-string_to_oid(char *string)
-{
- int i;
- int length = 20;
- int remaining;
- int first_value;
- int second_value;
- int value;
- int oidLength;
- unsigned char *oidString;
- unsigned char *write;
- unsigned char *read;
- unsigned char *temp;
- SECItem *oid;
-
- remaining = length;
- i = 0;
- while (*string == ' ') {
- string++;
- }
- while (isdigit(*(string + i))) {
- i++;
- }
- if (*(string + i) == '.') {
- *(string + i) = '\0';
- } else {
- error_out("ERROR: Improperly formated OID");
- }
- first_value = atoi(string);
- if (first_value < 0 || first_value > 2) {
- error_out("ERROR: Improperly formated OID");
- }
- string += i + 1;
- i = 0;
- while (isdigit(*(string + i))) {
- i++;
- }
- if (*(string + i) == '.') {
- *(string + i) = '\0';
- } else {
- error_out("ERROR: Improperly formated OID");
- }
- second_value = atoi(string);
- if (second_value < 0 || second_value > 39) {
- error_out("ERROR: Improperly formated OID");
- }
- oidString = PORT_ZAlloc(2);
- *oidString = (first_value * 40) + second_value;
- *(oidString + 1) = '\0';
- oidLength = 1;
- string += i + 1;
- i = 0;
- temp = write = PORT_ZAlloc(length);
- while (*string != '\0') {
- value = 0;
- while (isdigit(*(string + i))) {
- i++;
- }
- if (*(string + i) == '\0') {
- value = atoi(string);
- string += i;
- } else {
- if (*(string + i) == '.') {
- *(string + i) = '\0';
- value = atoi(string);
- string += i + 1;
- } else {
- *(string + i) = '\0';
- i++;
- value = atoi(string);
- while (*(string + i) == ' ')
- i++;
- if (*(string + i) != '\0') {
- error_out("ERROR: Improperly formated OID");
- }
- }
- }
- i = 0;
- while (value != 0) {
- if (remaining < 1) {
- remaining += length;
- length = length * 2;
- temp = PORT_Realloc(temp, length);
- write = temp + length - remaining;
- }
- *write = (value & 0x7f) | (0x80);
- write++;
- remaining--;
- value = value >> 7;
- }
- *temp = *temp & (0x7f);
- oidLength += write - temp;
- oidString = PORT_Realloc(oidString, (oidLength + 1));
- read = write - 1;
- write = oidLength + oidString - 1;
- for (i = 0; i < (length - remaining); i++) {
- *write = *read;
- write--;
- read++;
- }
- write = temp;
- remaining = length;
- }
- *(oidString + oidLength) = '\0';
- oid = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- oid->data = oidString;
- oid->len = oidLength;
- PORT_Free(temp);
- return oid;
-}
-
-static SECItem *
-string_to_ipaddress(char *string)
-{
- int i = 0;
- int value;
- int j = 0;
- SECItem *ipaddress;
-
- while (*string == ' ') {
- string++;
- }
- ipaddress = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- ipaddress->data = PORT_ZAlloc(9);
- while (*string != '\0' && j < 8) {
- while (isdigit(*(string + i))) {
- i++;
- }
- if (*(string + i) == '.') {
- *(string + i) = '\0';
- value = atoi(string);
- string = string + i + 1;
- i = 0;
- } else {
- if (*(string + i) == '\0') {
- value = atoi(string);
- string = string + i;
- i = 0;
- } else {
- *(string + i) = '\0';
- while (*(string + i) == ' ') {
- i++;
- }
- if (*(string + i) == '\0') {
- value = atoi(string);
- string = string + i;
- i = 0;
- } else {
- error_out("ERROR: Improperly formated IP Address");
- }
- }
- }
- if (value >= 0 && value < 256) {
- *(ipaddress->data + j) = value;
- } else {
- error_out("ERROR: Improperly formated IP Address");
- }
- j++;
- }
- *(ipaddress->data + j) = '\0';
- if (j != 4 && j != 8) {
- error_out("ERROR: Improperly formated IP Address");
- }
- ipaddress->len = j;
- return ipaddress;
-}
-
-static int
-chr_to_hex(char c)
-{
- if (isdigit(c)) {
- return c - '0';
- }
- if (isxdigit(c)) {
- return toupper(c) - 'A' + 10;
- }
- return -1;
-}
-
-static SECItem *
-string_to_binary(char *string)
-{
- SECItem *rv;
-
- rv = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if (rv == NULL) {
- error_allocate();
- }
- rv->data = (unsigned char *)PORT_ZAlloc((PORT_Strlen(string)) / 3 + 2);
- rv->len = 0;
- while (*string && !isxdigit(*string)) {
- string++;
- }
- while (*string) {
- int high, low;
- high = chr_to_hex(*string++);
- low = chr_to_hex(*string++);
- if (high < 0 || low < 0) {
- error_out("ERROR: Improperly formated binary encoding");
- }
- rv->data[(rv->len)++] = high << 4 | low;
- if (*string != ':') {
- break;
- }
- ++string;
- }
- while (*string == ' ') {
- ++string;
- }
- if (*string) {
- error_out("ERROR: Junk after binary encoding");
- }
-
- return rv;
-}
-
-static SECStatus
-MakeGeneralName(char *name,
- CERTGeneralName *genName,
- PLArenaPool *arena)
-{
- SECItem *oid;
- SECOidData *oidData;
- SECItem *ipaddress;
- SECItem *temp = NULL;
- int i;
- int nameType;
- PRBool binary = PR_FALSE;
- SECStatus rv = SECSuccess;
- PRBool nickname = PR_FALSE;
-
- PORT_Assert(genName);
- PORT_Assert(arena);
- nameType = *(name + PORT_Strlen(name) - 1) - '0';
- if (nameType == 0 && *(name + PORT_Strlen(name) - 2) == '1') {
- nickname = PR_TRUE;
- nameType = certOtherName;
- }
- if (nameType < 1 || nameType > 9) {
- error_out("ERROR: Unknown General Name Type");
- }
- *(name + PORT_Strlen(name) - 4) = '\0';
- genName->type = nameType;
-
- switch (genName->type) {
- case certURI:
- case certRFC822Name:
- case certDNSName: {
- genName->name.other.data = (unsigned char *)name;
- genName->name.other.len = PORT_Strlen(name);
- break;
- }
-
- case certIPAddress: {
- ipaddress = string_to_ipaddress(name);
- genName->name.other.data = ipaddress->data;
- genName->name.other.len = ipaddress->len;
- break;
- }
-
- case certRegisterID: {
- oid = string_to_oid(name);
- genName->name.other.data = oid->data;
- genName->name.other.len = oid->len;
- break;
- }
-
- case certEDIPartyName:
- case certX400Address: {
-
- genName->name.other.data = PORT_ArenaAlloc(arena,
- PORT_Strlen(name) + 2);
- if (genName->name.other.data == NULL) {
- error_allocate();
- }
-
- PORT_Memcpy(genName->name.other.data + 2, name, PORT_Strlen(name));
- /* This may not be accurate for all cases.
- For now, use this tag type */
- genName->name.other.data[0] = (char)(((genName->type - 1) &
- 0x1f) |
- 0x80);
- genName->name.other.data[1] = (char)PORT_Strlen(name);
- genName->name.other.len = PORT_Strlen(name) + 2;
- break;
- }
-
- case certOtherName: {
- i = 0;
- if (!nickname) {
- while (!isdigit(*(name + PORT_Strlen(name) - i))) {
- i++;
- }
- if (*(name + PORT_Strlen(name) - i) == '1') {
- binary = PR_TRUE;
- } else {
- binary = PR_FALSE;
- }
- while (*(name + PORT_Strlen(name) - i) != '-') {
- i++;
- }
- *(name + PORT_Strlen(name) - i - 1) = '\0';
- i = 0;
- while (*(name + i) != '-') {
- i++;
- }
- *(name + i - 1) = '\0';
- oid = string_to_oid(name + i + 2);
- } else {
- oidData = SECOID_FindOIDByTag(SEC_OID_NETSCAPE_NICKNAME);
- oid = &oidData->oid;
- while (*(name + PORT_Strlen(name) - i) != '-') {
- i++;
- }
- *(name + PORT_Strlen(name) - i) = '\0';
- }
- genName->name.OthName.oid.data = oid->data;
- genName->name.OthName.oid.len = oid->len;
- if (binary) {
- temp = string_to_binary(name);
- genName->name.OthName.name.data = temp->data;
- genName->name.OthName.name.len = temp->len;
- } else {
- temp = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
- if (temp == NULL) {
- error_allocate();
- }
- temp->data = (unsigned char *)name;
- temp->len = PORT_Strlen(name);
- SEC_ASN1EncodeItem(arena, &(genName->name.OthName.name), temp,
- CERTIA5TypeTemplate);
- }
- PORT_Free(temp);
- break;
- }
-
- case certDirectoryName: {
- CERTName *directoryName = NULL;
-
- directoryName = CERT_AsciiToName(name);
- if (!directoryName) {
- error_out("ERROR: Improperly formated alternative name");
- break;
- }
- rv = CERT_CopyName(arena, &genName->name.directoryName,
- directoryName);
- CERT_DestroyName(directoryName);
-
- break;
- }
- }
- genName->l.next = &(genName->l);
- genName->l.prev = &(genName->l);
- return rv;
-}
-
-static CERTGeneralName *
-MakeAltName(Pair *data,
- char *which,
- PLArenaPool *arena)
-{
- CERTGeneralName *SubAltName;
- CERTGeneralName *current;
- CERTGeneralName *newname;
- char *name = NULL;
- SECStatus rv = SECSuccess;
- int len;
-
- len = PORT_Strlen(which);
- name = find_field(data, which, PR_TRUE);
- SubAltName = current = (CERTGeneralName *)PORT_ZAlloc(sizeof(CERTGeneralName));
- if (current == NULL) {
- error_allocate();
- }
- while (name != NULL) {
-
- rv = MakeGeneralName(name, current, arena);
-
- if (rv != SECSuccess) {
- break;
- }
- if (*(which + len - 1) < '9') {
- *(which + len - 1) = *(which + len - 1) + 1;
- } else {
- if (isdigit(*(which + len - 2))) {
- *(which + len - 2) = *(which + len - 2) + 1;
- *(which + len - 1) = '0';
- } else {
- *(which + len - 1) = '1';
- *(which + len) = '0';
- *(which + len + 1) = '\0';
- len++;
- }
- }
- len = PORT_Strlen(which);
- name = find_field(data, which, PR_TRUE);
- if (name != NULL) {
- newname = (CERTGeneralName *)PORT_ZAlloc(sizeof(CERTGeneralName));
- if (newname == NULL) {
- error_allocate();
- }
- current->l.next = &(newname->l);
- newname->l.prev = &(current->l);
- current = newname;
- newname = NULL;
- } else {
- current->l.next = &(SubAltName->l);
- SubAltName->l.prev = &(current->l);
- }
- }
- if (rv == SECFailure) {
- return NULL;
- }
- return SubAltName;
-}
-
-static CERTNameConstraints *
-MakeNameConstraints(Pair *data,
- PLArenaPool *arena)
-{
- CERTNameConstraints *NameConstraints;
- CERTNameConstraint *current = NULL;
- CERTNameConstraint *last_permited = NULL;
- CERTNameConstraint *last_excluded = NULL;
- char *constraint = NULL;
- char *which;
- SECStatus rv = SECSuccess;
- int len;
- int i;
- long max;
- long min;
- PRBool permited;
-
- NameConstraints = (CERTNameConstraints *)PORT_ZAlloc(sizeof(CERTNameConstraints));
- which = make_copy_string("NameConstraintSelect0", 25, '\0');
- len = PORT_Strlen(which);
- constraint = find_field(data, which, PR_TRUE);
- NameConstraints->permited = NameConstraints->excluded = NULL;
- while (constraint != NULL) {
- current = (CERTNameConstraint *)PORT_ZAlloc(sizeof(CERTNameConstraint));
- if (current == NULL) {
- error_allocate();
- }
- i = 0;
- while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
- i++;
- }
- *(constraint + PORT_Strlen(constraint) - i - 1) = '\0';
- max = (long)atoi(constraint + PORT_Strlen(constraint) + 3);
- if (max > 0) {
- (void)SEC_ASN1EncodeInteger(arena, &current->max, max);
- }
- i = 0;
- while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
- i++;
- }
- *(constraint + PORT_Strlen(constraint) - i - 1) = '\0';
- min = (long)atoi(constraint + PORT_Strlen(constraint) + 3);
- (void)SEC_ASN1EncodeInteger(arena, &current->min, min);
- while (*(constraint + PORT_Strlen(constraint) - i) != '-') {
- i++;
- }
- *(constraint + PORT_Strlen(constraint) - i - 1) = '\0';
- if (*(constraint + PORT_Strlen(constraint) + 3) == 'p') {
- permited = PR_TRUE;
- } else {
- permited = PR_FALSE;
- }
- rv = MakeGeneralName(constraint, &(current->name), arena);
-
- if (rv != SECSuccess) {
- break;
- }
- if (*(which + len - 1) < '9') {
- *(which + len - 1) = *(which + len - 1) + 1;
- } else {
- if (isdigit(*(which + len - 2))) {
- *(which + len - 2) = *(which + len - 2) + 1;
- *(which + len - 1) = '0';
- } else {
- *(which + len - 1) = '1';
- *(which + len) = '0';
- *(which + len + 1) = '\0';
- len++;
- }
- }
- len = PORT_Strlen(which);
- if (permited) {
- if (NameConstraints->permited == NULL) {
- NameConstraints->permited = last_permited = current;
- }
- last_permited->l.next = &(current->l);
- current->l.prev = &(last_permited->l);
- last_permited = current;
- } else {
- if (NameConstraints->excluded == NULL) {
- NameConstraints->excluded = last_excluded = current;
- }
- last_excluded->l.next = &(current->l);
- current->l.prev = &(last_excluded->l);
- last_excluded = current;
- }
- constraint = find_field(data, which, PR_TRUE);
- if (constraint != NULL) {
- current = (CERTNameConstraint *)PORT_ZAlloc(sizeof(CERTNameConstraint));
- if (current == NULL) {
- error_allocate();
- }
- }
- }
- if (NameConstraints->permited != NULL) {
- last_permited->l.next = &(NameConstraints->permited->l);
- NameConstraints->permited->l.prev = &(last_permited->l);
- }
- if (NameConstraints->excluded != NULL) {
- last_excluded->l.next = &(NameConstraints->excluded->l);
- NameConstraints->excluded->l.prev = &(last_excluded->l);
- }
- if (which != NULL) {
- PORT_Free(which);
- }
- if (rv == SECFailure) {
- return NULL;
- }
- return NameConstraints;
-}
-
-static SECStatus
-AddAltName(void *extHandle,
- Pair *data,
- char *issuerNameStr,
- CERTCertDBHandle *handle,
- int type)
-{
- PRBool autoIssuer = PR_FALSE;
- PLArenaPool *arena = NULL;
- CERTGeneralName *genName = NULL;
- char *which = NULL;
- char *name = NULL;
- SECStatus rv = SECSuccess;
- SECItem *issuersAltName = NULL;
- CERTCertificate *issuerCert = NULL;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- error_allocate();
- }
- if (type == 0) {
- which = make_copy_string("SubAltNameSelect0", 20, '\0');
- genName = MakeAltName(data, which, arena);
- } else {
- if (autoIssuer) {
- autoIssuer = find_field_bool(data, "IssuerAltNameSourceRadio-auto",
- PR_TRUE);
- issuerCert = CERT_FindCertByNameString(handle, issuerNameStr);
- rv = cert_FindExtension((*issuerCert).extensions,
- SEC_OID_X509_SUBJECT_ALT_NAME,
- issuersAltName);
- if (issuersAltName == NULL) {
- name = PORT_Alloc(PORT_Strlen((*issuerCert).subjectName) + 4);
- PORT_Strcpy(name, (*issuerCert).subjectName);
- PORT_Strcat(name, " - 5");
- }
- } else {
- which = make_copy_string("IssuerAltNameSelect0", 20, '\0');
- genName = MakeAltName(data, which, arena);
- }
- }
- if (type == 0) {
- EncodeAndAddExtensionValue(arena, extHandle, genName,
- find_field_bool(data, "SubAltName-crit",
- PR_TRUE),
- SEC_OID_X509_SUBJECT_ALT_NAME,
- (EXTEN_VALUE_ENCODER)
- CERT_EncodeAltNameExtension);
-
- } else {
- if (autoIssuer && (name == NULL)) {
- rv = CERT_AddExtension(extHandle, SEC_OID_X509_ISSUER_ALT_NAME, issuersAltName,
- find_field_bool(data, "IssuerAltName-crit", PR_TRUE), PR_TRUE);
- } else {
- EncodeAndAddExtensionValue(arena, extHandle, genName,
- find_field_bool(data,
- "IssuerAltName-crit",
- PR_TRUE),
- SEC_OID_X509_ISSUER_ALT_NAME,
- (EXTEN_VALUE_ENCODER)
- CERT_EncodeAltNameExtension);
- }
- }
- if (which != NULL) {
- PORT_Free(which);
- }
- if (issuerCert != NULL) {
- CERT_DestroyCertificate(issuerCert);
- }
- return rv;
-}
-
-static SECStatus
-AddNameConstraints(void *extHandle,
- Pair *data)
-{
- PLArenaPool *arena = NULL;
- CERTNameConstraints *constraints = NULL;
- SECStatus rv = SECSuccess;
-
- arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (arena == NULL) {
- error_allocate();
- }
- constraints = MakeNameConstraints(data, arena);
- if (constraints != NULL) {
- EncodeAndAddExtensionValue(arena, extHandle, constraints, PR_TRUE,
- SEC_OID_X509_NAME_CONSTRAINTS,
- (EXTEN_VALUE_ENCODER)
- CERT_EncodeNameConstraintsExtension);
- }
- if (arena != NULL) {
- PORT_ArenaRelease(arena, NULL);
- }
- return rv;
-}
-
-static SECStatus
-add_extensions(CERTCertificate *subjectCert,
- Pair *data,
- char *issuerNameStr,
- CERTCertDBHandle *handle)
-{
- void *extHandle;
- SECStatus rv = SECSuccess;
-
- extHandle = CERT_StartCertExtensions(subjectCert);
- if (extHandle == NULL) {
- error_out("ERROR: Unable to get certificates extension handle");
- }
- if (find_field_bool(data, "keyUsage", PR_TRUE)) {
- rv = AddKeyUsage(extHandle, data);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Key Usage extension");
- }
- }
-
- if (find_field_bool(data, "extKeyUsage", PR_TRUE)) {
- rv = AddExtKeyUsage(extHandle, data);
- if (SECSuccess != rv) {
- error_out("ERROR: Unable to add Extended Key Usage extension");
- }
- }
-
- if (find_field_bool(data, "basicConstraints", PR_TRUE)) {
- rv = AddBasicConstraint(extHandle, data);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Basic Constraint extension");
- }
- }
- if (find_field_bool(data, "subjectKeyIdentifier", PR_TRUE)) {
- rv = AddSubKeyID(extHandle, data, subjectCert);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Subject Key Identifier Extension");
- }
- }
- if (find_field_bool(data, "authorityKeyIdentifier", PR_TRUE)) {
- rv = AddAuthKeyID(extHandle, data, issuerNameStr, handle);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Authority Key Identifier extension");
- }
- }
- if (find_field_bool(data, "privKeyUsagePeriod", PR_TRUE)) {
- rv = AddPrivKeyUsagePeriod(extHandle, data, subjectCert);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Private Key Usage Period extension");
- }
- }
- if (find_field_bool(data, "SubAltName", PR_TRUE)) {
- rv = AddAltName(extHandle, data, NULL, NULL, 0);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Subject Alternative Name extension");
- }
- }
- if (find_field_bool(data, "IssuerAltName", PR_TRUE)) {
- rv = AddAltName(extHandle, data, issuerNameStr, handle, 1);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Issuer Alternative Name Extension");
- }
- }
- if (find_field_bool(data, "NameConstraints", PR_TRUE)) {
- rv = AddNameConstraints(extHandle, data);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Name Constraints Extension");
- }
- }
- if (find_field_bool(data, "netscape-cert-type", PR_TRUE)) {
- rv = AddNscpCertType(extHandle, data);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape Certificate Type Extension");
- }
- }
- if (find_field_bool(data, "netscape-base-url", PR_TRUE)) {
- rv = add_IA5StringExtension(extHandle,
- find_field(data, "netscape-base-url-text",
- PR_TRUE),
- find_field_bool(data,
- "netscape-base-url-crit",
- PR_TRUE),
- SEC_OID_NS_CERT_EXT_BASE_URL);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape Base URL Extension");
- }
- }
- if (find_field_bool(data, "netscape-revocation-url", PR_TRUE)) {
- rv = add_IA5StringExtension(extHandle,
- find_field(data,
- "netscape-revocation-url-text",
- PR_TRUE),
- find_field_bool(data, "netscape-revocation-url-crit",
- PR_TRUE),
- SEC_OID_NS_CERT_EXT_REVOCATION_URL);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape Revocation URL Extension");
- }
- }
- if (find_field_bool(data, "netscape-ca-revocation-url", PR_TRUE)) {
- rv = add_IA5StringExtension(extHandle,
- find_field(data,
- "netscape-ca-revocation-url-text",
- PR_TRUE),
- find_field_bool(data, "netscape-ca-revocation-url-crit", PR_TRUE),
- SEC_OID_NS_CERT_EXT_CA_REVOCATION_URL);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape CA Revocation URL Extension");
- }
- }
- if (find_field_bool(data, "netscape-cert-renewal-url", PR_TRUE)) {
- rv = add_IA5StringExtension(extHandle,
- find_field(data,
- "netscape-cert-renewal-url-text",
- PR_TRUE),
- find_field_bool(data, "netscape-cert-renewal-url-crit",
- PR_TRUE),
- SEC_OID_NS_CERT_EXT_CERT_RENEWAL_URL);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape Certificate Renewal URL Extension");
- }
- }
- if (find_field_bool(data, "netscape-ca-policy-url", PR_TRUE)) {
- rv = add_IA5StringExtension(extHandle,
- find_field(data,
- "netscape-ca-policy-url-text",
- PR_TRUE),
- find_field_bool(data, "netscape-ca-policy-url-crit",
- PR_TRUE),
- SEC_OID_NS_CERT_EXT_CA_POLICY_URL);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape CA Policy URL Extension");
- }
- }
- if (find_field_bool(data, "netscape-ssl-server-name", PR_TRUE)) {
- rv = add_IA5StringExtension(extHandle,
- find_field(data,
- "netscape-ssl-server-name-text",
- PR_TRUE),
- find_field_bool(data, "netscape-ssl-server-name-crit",
- PR_TRUE),
- SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape SSL Server Name Extension");
- }
- }
- if (find_field_bool(data, "netscape-comment", PR_TRUE)) {
- rv = add_IA5StringExtension(extHandle,
- find_field(data, "netscape-comment-text",
- PR_TRUE),
- find_field_bool(data,
- "netscape-comment-crit",
- PR_TRUE),
- SEC_OID_NS_CERT_EXT_COMMENT);
- if (rv != SECSuccess) {
- error_out("ERROR: Unable to add Netscape Comment Extension");
- }
- }
- CERT_FinishExtensions(extHandle);
- return (rv);
-}
-
-char *
-return_dbpasswd(PK11SlotInfo *slot, PRBool retry, void *data)
-{
- char *rv;
-
- /* don't clobber our poor smart card */
- if (retry == PR_TRUE) {
- return NULL;
- }
- rv = PORT_Alloc(4);
- PORT_Strcpy(rv, "foo");
- return rv;
-}
-
-SECKEYPrivateKey *
-FindPrivateKeyFromNameStr(char *name,
- CERTCertDBHandle *certHandle)
-{
- SECKEYPrivateKey *key;
- CERTCertificate *cert;
- CERTCertificate *p11Cert;
-
- /* We don't presently have a PK11 function to find a cert by
- ** subject name.
- ** We do have a function to find a cert in the internal slot's
- ** cert db by subject name, but it doesn't setup the slot info.
- ** So, this HACK works, but should be replaced as soon as we
- ** have a function to search for certs accross slots by subject name.
- */
- cert = CERT_FindCertByNameString(certHandle, name);
- if (cert == NULL || cert->nickname == NULL) {
- error_out("ERROR: Unable to retrieve issuers certificate");
- }
- p11Cert = PK11_FindCertFromNickname(cert->nickname, NULL);
- if (p11Cert == NULL) {
- error_out("ERROR: Unable to retrieve issuers certificate");
- }
- key = PK11_FindKeyByAnyCert(p11Cert, NULL);
- return key;
-}
-
-static SECItem *
-SignCert(CERTCertificate *cert,
- char *issuerNameStr,
- Pair *data,
- CERTCertDBHandle *handle,
- int which_key)
-{
- SECItem der;
- SECKEYPrivateKey *caPrivateKey = NULL;
- SECStatus rv;
- PLArenaPool *arena;
- SECOidTag algID;
-
- if (which_key == 0) {
- caPrivateKey = FindPrivateKeyFromNameStr(issuerNameStr, handle);
- } else {
- caPrivateKey = privkeys[which_key - 1];
- }
- if (caPrivateKey == NULL) {
- error_out("ERROR: unable to retrieve issuers key");
- }
-
- arena = cert->arena;
-
- algID = SEC_GetSignatureAlgorithmOidTag(caPrivateKey->keyType,
- SEC_OID_UNKNOWN);
- if (algID == SEC_OID_UNKNOWN) {
- error_out("ERROR: Unknown key type for issuer.");
- goto done;
- }
-
- rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
- if (rv != SECSuccess) {
- error_out("ERROR: Could not set signature algorithm id.");
- }
-
- if (find_field_bool(data, "ver-1", PR_TRUE)) {
- *(cert->version.data) = 0;
- cert->version.len = 1;
- } else {
- *(cert->version.data) = 2;
- cert->version.len = 1;
- }
- der.data = NULL;
- der.len = 0;
- (void)SEC_ASN1EncodeItem(arena, &der, cert, CERT_CertificateTemplate);
- if (der.data == NULL) {
- error_out("ERROR: Could not encode certificate.\n");
- }
- rv = SEC_DerSignData(arena, &(cert->derCert), der.data, der.len, caPrivateKey,
- algID);
- if (rv != SECSuccess) {
- error_out("ERROR: Could not sign encoded certificate data.\n");
- }
-done:
- SECKEY_DestroyPrivateKey(caPrivateKey);
- return &(cert->derCert);
-}
-
-int
-main(int argc, char **argv)
-{
- int length = 500;
- int remaining = 500;
- int n;
- int i;
- int serial;
- int chainLen;
- int which_key;
- char *pos;
-#ifdef OFFLINE
- char *form_output = "key=MIIBPTCBpzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7"
- "SLqjWBL9Wl11Vlg%0AaMqZCvcQOL%2FnvSqYPPRP0XZy9SoAeyWzQnBOiCm2t8H5mK7r2"
- "jnKdAQOmfhjaJil%0A3hNVu3SekHOXF6Ze7bkWa6%2FSGVcY%2FojkydxFSgY43nd1iyd"
- "zPQDp8WWLL%2BpVpt%2B%2B%0ATRhFtVXbF0fQI03j9h3BoTgP2lkCAwEAARYDZm9vMA0"
- "GCSqGSIb3DQEBBAUAA4GB%0AAJ8UfRKJ0GtG%2B%2BufCC6tAfTzKrq3CTBHnom55EyXc"
- "sAsv6WbDqI%2F0rLAPkn2Xo1r%0AnNhtMxIuj441blMt%2Fa3AGLOy5zmC7Qawt8IytvQ"
- "ikQ1XTpTBCXevytrmLjCmlURr%0ANJryTM48WaMQHiMiJpbXCqVJC1d%2FpEWBtqvALzZ"
- "aOOIy&subject=CN%3D%22test%22%26serial-auto%3Dtrue%26serial_value%3D%"
- "26ver-1%3Dtrue%26ver-3%3Dfalse%26caChoiceradio-SignWithDefaultkey%3Dt"
- "rue%26caChoiceradio-SignWithRandomChain%3Dfalse%26autoCAs%3D%26caChoi"
- "ceradio-SignWithSpecifiedChain%3Dfalse%26manCAs%3D%26%24";
-#else
- char *form_output;
-#endif
- char *issuerNameStr;
- char *certName;
- char *DBdir = DB_DIRECTORY;
- char *prefixs[10] = { "CA#1-", "CA#2-", "CA#3-",
- "CA#4-", "CA#5-", "CA#6-",
- "CA#7-", "CA#8-", "CA#9-", "" };
- Pair *form_data;
- CERTCertificate *cert;
- CERTCertDBHandle *handle;
- CERTCertificateRequest *certReq = NULL;
- int warpmonths = 0;
- SECItem *certDER;
-#ifdef FILEOUT
- FILE *outfile;
-#endif
- SECStatus status = SECSuccess;
- extern char prefix[PREFIX_LEN];
- SEC_PKCS7ContentInfo *certChain;
- SECItem *encodedCertChain;
- PRBool UChain = PR_FALSE;
-
- progName = strrchr(argv[0], '/');
- progName = progName ? progName + 1 : argv[0];
-
-#ifdef TEST
- sleep(20);
-#endif
- SECU_ConfigDirectory(DBdir);
-
- PK11_SetPasswordFunc(return_dbpasswd);
- status = NSS_InitReadWrite(DBdir);
- if (status != SECSuccess) {
- SECU_PrintPRandOSError(progName);
- return -1;
- }
- handle = CERT_GetDefaultCertDB();
-
- prefix[0] = '\0';
-#if !defined(OFFLINE)
- form_output = (char *)PORT_Alloc(length);
- if (form_output == NULL) {
- error_allocate();
- }
- pos = form_output;
- while (feof(stdin) == 0) {
- if (remaining <= 1) {
- remaining += length;
- length = length * 2;
- form_output = PORT_Realloc(form_output, (length));
- if (form_output == NULL) {
- error_allocate();
- }
- pos = form_output + length - remaining;
- }
- n = fread(pos, 1, (size_t)(remaining - 1), stdin);
- pos += n;
- remaining -= n;
- }
- *pos = '&';
- pos++;
- length = pos - form_output;
-#else
- length = PORT_Strlen(form_output);
-#endif
-#ifdef FILEOUT
- printf("Content-type: text/plain\n\n");
- fwrite(form_output, 1, (size_t)length, stdout);
- printf("\n");
-#endif
-#ifdef FILEOUT
- fwrite(form_output, 1, (size_t)length, stdout);
- printf("\n");
- fflush(stdout);
-#endif
- form_data = make_datastruct(form_output, length);
- status = clean_input(form_data);
-#if !defined(OFFLINE)
- PORT_Free(form_output);
-#endif
-#ifdef FILEOUT
- i = 0;
- while (return_name(form_data, i) != NULL) {
- printf("%s", return_name(form_data, i));
- printf("=\n");
- printf("%s", return_data(form_data, i));
- printf("\n");
- i++;
- }
- printf("I got that done, woo hoo\n");
- fflush(stdout);
-#endif
- issuerNameStr = PORT_Alloc(200);
- if (find_field_bool(form_data, "caChoiceradio-SignWithSpecifiedChain",
- PR_FALSE)) {
- UChain = PR_TRUE;
- chainLen = atoi(find_field(form_data, "manCAs", PR_FALSE));
- PORT_Strcpy(prefix, prefixs[0]);
- issuerNameStr = PORT_Strcpy(issuerNameStr,
- "CN=Cert-O-Matic II, O=Cert-O-Matic II");
- if (chainLen == 0) {
- UChain = PR_FALSE;
- }
- } else {
- if (find_field_bool(form_data, "caChoiceradio-SignWithRandomChain",
- PR_FALSE)) {
- PORT_Strcpy(prefix, prefixs[9]);
- chainLen = atoi(find_field(form_data, "autoCAs", PR_FALSE));
- if (chainLen < 1 || chainLen > 18) {
- issuerNameStr = PORT_Strcpy(issuerNameStr,
- "CN=CA18, O=Cert-O-Matic II");
- }
- issuerNameStr = PORT_Strcpy(issuerNameStr, "CN=CA");
- issuerNameStr = PORT_Strcat(issuerNameStr,
- find_field(form_data, "autoCAs", PR_FALSE));
- issuerNameStr = PORT_Strcat(issuerNameStr, ", O=Cert-O-Matic II");
- } else {
- issuerNameStr = PORT_Strcpy(issuerNameStr,
- "CN=Cert-O-Matic II, O=Cert-O-Matic II");
- }
- chainLen = 0;
- }
-
- i = -1;
- which_key = 0;
- do {
- extern SECStatus cert_GetKeyID(CERTCertificate * cert);
- i++;
- if (i != 0 && UChain) {
- PORT_Strcpy(prefix, prefixs[i]);
- }
- /* find_field(form_data,"subject", PR_TRUE); */
- certReq = makeCertReq(form_data, which_key);
-#ifdef OFFLINE
- serial = 900;
-#else
- serial = get_serial_number(form_data);
-#endif
- cert = MakeV1Cert(handle, certReq, issuerNameStr, PR_FALSE,
- serial, warpmonths, form_data);
- if (certReq != NULL) {
- CERT_DestroyCertificateRequest(certReq);
- }
- if (find_field_bool(form_data, "ver-3", PR_TRUE)) {
- status = add_extensions(cert, form_data, issuerNameStr, handle);
- if (status != SECSuccess) {
- error_out("ERROR: Unable to add extensions");
- }
- }
- status = cert_GetKeyID(cert);
- if (status == SECFailure) {
- error_out("ERROR: Unable to get Key ID.");
- }
- certDER = SignCert(cert, issuerNameStr, form_data, handle, which_key);
- CERT_NewTempCertificate(handle, certDER, NULL, PR_FALSE, PR_TRUE);
- issuerNameStr = find_field(form_data, "subject", PR_TRUE);
- /* SECITEM_FreeItem(certDER, PR_TRUE); */
- CERT_DestroyCertificate(cert);
- if (i == (chainLen - 1)) {
- i = 8;
- }
- ++which_key;
- } while (i < 9 && UChain);
-
-#ifdef FILEOUT
- outfile = fopen("../certout", "wb");
-#endif
- certName = find_field(form_data, "subject", PR_FALSE);
- cert = CERT_FindCertByNameString(handle, certName);
- certChain = SEC_PKCS7CreateCertsOnly(cert, PR_TRUE, handle);
- if (certChain == NULL) {
- error_out("ERROR: No certificates in cert chain");
- }
- encodedCertChain = SEC_PKCS7EncodeItem(NULL, NULL, certChain, NULL, NULL,
- NULL);
- if (encodedCertChain) {
-#if !defined(FILEOUT)
- printf("Content-type: application/x-x509-user-cert\r\n");
- printf("Content-length: %d\r\n\r\n", encodedCertChain->len);
- fwrite(encodedCertChain->data, 1, encodedCertChain->len, stdout);
-#else
- fwrite(encodedCertChain->data, 1, encodedCertChain->len, outfile);
-#endif
-
- } else {
- error_out("Error: Unable to DER encode certificate");
- }
-#ifdef FILEOUT
- printf("\nI got here!\n");
- fflush(outfile);
- fclose(outfile);
-#endif
- fflush(stdout);
- if (NSS_Shutdown() != SECSuccess) {
- exit(1);
- }
- return 0;
-}
diff --git a/security/nss/cmd/certcgi/index.html b/security/nss/cmd/certcgi/index.html
deleted file mode 100644
index 3ae6a10d4..000000000
--- a/security/nss/cmd/certcgi/index.html
+++ /dev/null
@@ -1,789 +0,0 @@
-<HTML> <!-- -*- Mode: Java; tab-width: 8 -*- -->
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-<HEAD>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-<SCRIPT LANGUAGE="JavaScript1.2">
-
-script_url = 'http://interzone.mcom.com/cgi-bin/certomatic/bin/certcgi.cgi'
-
-ext_page_ver1 =
- make_page_intro('Version 1 extensions', "#FFFFFF") +
- '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext1">' +
- 'Version 1 X.509 certs do not support extensions' +
- '</IFRAME>' +
- '</body></html>';
-
-num_ca = 0;
-
-your_certificate_index_label = 'Your Certificate';
-netscape_extensions_index_label = 'Netscape X.509 Extensions';
-standard_extensions_index_label = 'Standard X.509 Extensions';
-certifying_authorities_index_label = 'Certifying Authorities';
-add_sub_alt_name_index_label = 'Add Subject Alternative Name';
-
-index_list =
- '0, your_certificate_index_label,' +
- '0, netscape_extensions_index_label,' +
- '0, standard_extensions_index_label,' +
- '0, certifying_authorities_index_label';
-
-add_index_list = '';
-
-ver = 3
-
-max_pages = 13;
-cur_page = 1;
-
-ext_page_array = new Array(max_pages);
-
-index_label = 'Options';
-
-var main_page =
- make_page_intro('Your Key', "#FFFFFF") +
- '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="main" SRC="main.html">' +
- '</IFRAME>' +
- '</body></html>' ;
-
-function setSubAltNameType(form)
-{
- with(form) {
- if (SubAltNameRadio[0].checked) {
- return true;
- }
- if (SubAltNameRadio[3].checked || SubAltNameRadio[5].checked) {
- SubAltNameDataType.checked = true;
- return true;
- }
- if (SubAltNameRadio[1].checked || SubAltNameRadio[2].checked ||
- SubAltNameRadio[4].checked || SubAltNameRadio[6].checked ||
- SubAltNameRadio[7].checked || SubAltNameRadio[8].checked) {
- SubAltNameDataType.checked = false;
- return true;
- }
- }
- return true;
-}
-
-function setIssuerAltNameType(form)
-{
- with(form) {
- if (IssuerAltNameRadio[0].checked) {
- return true;
- }
- if (IssuerAltNameRadio[3].checked || IssuerAltNameRadio[5].checked) {
- IssuerAltNameDataType.checked = true;
- return true;
- }
- if (IssuerAltNameRadio[1].checked || IssuerAltNameRadio[2].checked ||
- IssuerAltNameRadio[4].checked || IssuerAltNameRadio[6].checked ||
- IssuerAltNameRadio[7].checked || IssuerAltNameRadio[8].checked) {
- IssuerAltNameDataType.checked = false;
- return true;
- }
- }
- return true;
-}
-
-
-function setNameConstraintNameType(form)
-{
- with(form) {
- if (NameConstraintRadio[0].checked) {
- return true;
- }
- if (NameConstraintRadio[3].checked || NameConstraintRadio[5].checked) {
- NameConstraintNameDataType.checked = true;
- return true;
- }
- if (NameConstraintRadio[1].checked || NameConstraintRadio[2].checked ||
- NameConstraintRadio[4].checked || NameConstraintRadio[6].checked ||
- NameConstraintRadio[7].checked || NameConstraintRadio[8].checked) {
- NameConstraintNameDataType.checked = false;
- return true;
- }
- }
- return true;
-}
-
-
-function addSubAltName(form)
-{
- with(form) {
- var len = SubAltNameSelect.length;
- var value;
- var i = 0;
- while(!(i == (SubAltNameRadio.length - 1)) &
- !(SubAltNameRadio[i].checked == true)) {
- i++;
- }
- if (i != 0) {
- value = SubAltNameText.value + " - " + (i + 1);
- } else {
- value = SubAltNameText.value + " - " +
- SubAltNameOtherNameOID.value + " - ";
- if (SubAltNameDataType.checked) {
- value += "1 - ";
- } else {
- value += "0 - ";
- }
- value += (i + 1);
- if (SubAltNameOtherNameOID.value == "") {
- alert("Other names must include an OID");
- return false;
- }
- }
-
- if ((SubAltNameText.value == "") | (SubAltNameRadio[i].checked != true)) {
- alert("Alternative Names must include values for name and name type.");
- } else {
- SubAltNameSelect.options[len] = new Option(value, value);
- }
- }
- return true;
-}
-
-function deleteSubAltName(form)
-{
- with(form) {
- while (SubAltNameSelect.selectedIndex >= 0) {
- SubAltNameSelect[SubAltNameSelect.selectedIndex] = null;
- }
- }
-}
-
-function addIssuerAltName(form)
-{
- with(form)
- {
- var len = IssuerAltNameSelect.length;
- var value;
- var i = 0;
-
- while(!(i == (IssuerAltNameRadio.length -1)) &
- !(IssuerAltNameRadio[i].checked == true)) {
- i++;
- }
- if (i != 0) {
- value = IssuerAltNameText.value + " - " + (i + 1);
- } else {
- value = IssuerAltNameText.value + " - " +
- IssuerAltNameOtherNameOID.value + " - ";
- if (IssuerAltNameDataType.checked) {
- value += "1 - ";
- } else {
- value += "0 - ";
- }
- value += (i + 1);
- if (IssuerAltNameOtherNameOID.value == "") {
- alert("Other names must include an OID");
- return false;
- }
- }
- if ((IssuerAltNameText.value == "") |
- (IssuerAltNameRadio[i].checked != true)) {
- alert("Alternative Names must include values for name and name type.")
- } else {
- IssuerAltNameSelect.options[len] = new Option(value, value);
- }
- }
- return true;
-}
-
-function deleteIssuerAltName(form)
-{
- with(form) {
- while (IssuerAltNameSelect.selectedIndex >= 0) {
- IssuerAltNameSelect[IssuerAltNameSelect.selectedIndex] = null;
- }
- }
-}
-
-
-
-function addNameConstraint(form)
-{
- with(form) {
- var len = NameConstraintSelect.length;
- var value;
- var i = 0;
- var min = NameConstraintMin.value;
- var max = NameConstraintMax.value;
-
- while(!(i == (NameConstraintRadio.length - 1) ) &
- !(NameConstraintRadio[i].checked == true)) {
- i++;
- }
- value = NameConstraintText.value + " - ";
- if (i == 0) {
- value += NameConstraintOtherNameOID.value + " - ";
- if (NameConstraintNameDataType.checked) {
- value += "1 - ";
- } else {
- value += "0 - ";
- }
- if (NameConstraintOtherNameOID.value == "") {
- alert("Other names must include an OID");
- return false;
- }
- }
- value += (i + 1) + " - ";
- if (NameConstraintTypeRadio[0].checked == true) {
- value += "p - ";
- } else {
- value += "e - ";
- }
- value += min + " - " + max;
- if ((min == "") | (NameConstraintText.value == "") |
- (NameConstraintRadio[i].checked != true)) {
- alert("Name Constraints must include values for minimum, name, and name type.")
- } else {
- NameConstraintSelect.options[len] = new Option(value, value);
- }
- }
- return true;
-}
-
-function deleteNameConstraint(form)
-{
- with(form) {
- while (NameConstraintSelect.selectedIndex >= 0) {
- NameConstraintSelect[NameConstraintSelect.selectedIndex] = null;
- }
- }
-}
-
-
-function submit_it()
-{
- save_cur_page(cur_page);
-
- var ver1 = (ver == 1);
- var ver3 = (ver == 3);
- var array_string;
- var serial = ext_page_array[0][10][0];
- var serial_number = ext_page_array[0][12][0];
- var manValidity = ext_page_array[0][19][0];
- var notBefore = ext_page_array[0][20][0];
- var notAfter = ext_page_array[0][21][0];
- var subject = ext_page_array[0][22][0];
-
- if (subject == "") {
- alert("The DN field must contain some data");
- return false;
- }
- if (!serial & serial_number == "") {
- alert("No serial number specified");
- return false;
- }
- if (ext_page_array[0][15][0]) {
- var keygen = "<keygen name=\"key\" challenge=\"foo\">";
- } else {
- switch (ext_page_array[0][17][0]) {
- case 2:
- var keygen = "<keygen keytype=\"dsa\" pqg=\"MIGdAkEAjfKklEkidqo9JXWbsGhpy+rA2Dr7jQz3y7gyTw14guXQdi/FtyEOr8Lprawyq3qsSWk9+/g3JMLsBzbuMcgCkQIVAMdzIYxzfsjumTtPLe0w9I7azpFfAkEAYm0CeDnqChNBMWOlW0y1ACmdVSKVbO/LO/8Q85nOLC5xy53l+iS6v1jlt5UhklycxC6fb0ZLCIzFcq9T5teIAg==\" name=\"key\" challenge=\"foo\">";
- break;
- case 1:
- var keygen = "<keygen keytype=\"dsa\" pqg=\"MIHaAmDCboVgX0+6pEeMlbwsasWDVBcJNHPKMzkq9kbCRK2U3k+tE15n+Dc2g3ZjDYr1um51e2iLC34/BwAAAAAAAAAAAAAAAAAAAAAAAAABbBhnlFN5Djmt0Mk8cdEBY5H8iPMCFMhUnFtbpjn3EyfH2DjVg3ALh7FtAmA2zWzhpeCwvOTjYnQorlXiv0WcnSiWmaC79CRYkFt5i+UEfRxwP1eNGJBVB1T+CPW6JGd4WhgsqtSf53pn5DEtv++O7lNfXyOhWhb3KaWHYIx8fuAXtioIWkWmpfEIVZA=\" name=\"key\" challenge=\"foo\">";
- break;
- case 0:
- var keygen = "<keygen keytype=\"dsa\" pqg=\"MIIBHAKBgId8SiiWrcdua5zbsBhPkKfFcnHBG7T/bQla7c6OixGjjmSSuq2fJLvMKa579CaxHxLZzZZXIHmAk9poRgWl2GUUkCJ68XSum8OQzDPXPsofcEdeANjw3mIAAAAAAAAAAAAAAAAAAAAAAAAIE+MkW5hguLIQqWvEVi9dMpbNu6OZAhTIA+y3TgyiwA0D8pt686ofaL1IOQKBgAiZQC6UCXztr2iXxJrAC+51gN5oX/R9Thilln9RGegsWnHrdxUOpcm5vAWp1LU8TOXtujE8kqkm3UxIRhUWQORe9IxLANAXmZJqkw9FEVHkxj6Cy9detwT2MyBzSwS6avsf7aLisgHmI/IHSeapJsQ3NQa3rikb6zRiqIV+TVa6\" name=\"key\" challenge=\"foo\">";
- break;
- }
- }
- array_string = build_array_string();
- hiddens = "<input type=\"hidden\" name=\"subject\" value=\'" + subject + "\'> \n" +
- "<input type=\"hidden\" name=\"serial-auto\" value=\"" + serial + "\"> \n" +
- "<input type=\"hidden\" name=\"serial_value\" value=\"" + serial_number + "\"> \n" +
- "<input type=\"hidden\" name=\"ver-1\" value=\"" + ver1 + "\"> \n" +
- "<input type=\"hidden\" name=\"ver-3\" value=\"" + ver3 + "\"> \n" +
- "<input type=\"hidden\" name=\"notBefore\" value=\"" + notBefore + "\"> \n" +
- "<input type=\"hidden\" name=\"notAfter\" value=\"" + notAfter + "\"> \n" +
- "<input type=\"hidden\" name=\"manValidity\" value=\"" + manValidity + "\"> \n" +
- array_string;
-
- var good_submit_page =
- '<html>' +
- '<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" BGCOLOR="#FFFFFF">' +
- '<form method="post" action="' + script_url + '">' +
- 'Select size for your key:' + keygen + '</p>' +
- '<input type="submit"></p>' +
- hiddens +
- '</form>\n' +
- '</body>\n' +
- '</html>\n';
-
- window.frames['right'].document.write(good_submit_page);
- window.frames['right'].document.close();
- cur_page = max_pages + 1;
- make_left_frame(window);
- return false;
-}
-
-
-
-function build_array_string()
-{
- var pg;
- var array_string = '';
- var pages;
-
- if ((ext_page_array[3][4][0] > 0) && ext_page_array[3][3][0]) {
- pages = 4 + parseInt(ext_page_array[3][4][0]);
- } else {
- pages = 4;
- }
- for (pg = 1; pg < pages; pg++) {
- if ((pg > 1 || (ver == 3)) && (ext_page_array[pg].length > 1)) {
- if (pg < 4) {
- for (i = 0; i < ext_page_array[pg].length; i++) {
- if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
- if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
- array_string += '<input type=\"hidden\" name=\"' +
- ext_page_array[pg][i][1] + '\" value=\'' +
- ext_page_array[pg][i][0] + '\'> \n';
- } else {
- for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
- array_string += '<input type=\"hidden\" name=\"' +
- ext_page_array[pg][i][1] + k + '\" value=\'' +
- ext_page_array[pg][i][0][k] + '\'> \n';
- }
- }
- } else {
- array_string += '<input type=\"hidden\" name=\"' +
- ext_page_array[pg][i][1] + '-' +
- ext_page_array[pg][i][2] + '\" value=\'' +
- ext_page_array[pg][i][0] + '\'> \n';
- }
- }
- } else {
- for (i = 0; i < ext_page_array[pg].length; i++) {
- if (ext_page_array[pg][i][3].indexOf("radio") == -1) {
- if (ext_page_array[pg][i][3].indexOf("multiple") == -1) {
- array_string += '<input type=\"hidden\" name=\"' +
- 'CA#' + (pg - 3) + '-' +
- ext_page_array[pg][i][1] + '\" value=\'' +
- ext_page_array[pg][i][0] +'\'> \n';
- } else {
- for (k = 0; k < ext_page_array[pg][i][0].length; k++) {
- array_string += '<input type=\"hidden\" name=\"' +
- 'CA#' + (pg - 3) + '-' +
- ext_page_array[pg][i][1] + k + '\" value=\'' +
- ext_page_array[pg][i][0][k] + '\'> \n';
- }
- }
- } else {
- array_string += '<input type=\"hidden\" name=\"' +
- 'CA#' + (pg - 3) + '-' +
- ext_page_array[pg][i][1] + '-' +
- ext_page_array[pg][i][2] + '\" value=\'' +
- ext_page_array[pg][i][0] + '\'> \n';
- }
- }
- }
- }
- }
- return array_string;
-}
-
-
-
-function init_ext_page_array()
-{
- for (i = 0; i < max_pages; i++) {
- ext_page_array[i] = '';
- }
-}
-
-function ca_num_change(n,ca_form)
-{
- with(ca_form) {
- n = parseInt(n,10);
- if (caChoiceradio[2].checked) {
- if (n) {
- update_left_frame(n);
- } else {
- update_left_frame(0);
- }
- }
- }
-}
-
-function choice_change(ca_form)
-{
- with(ca_form) {
- if (caChoiceradio[2].checked) {
- ca_num_change(manCAs.value,ca_form);
- } else {
- update_left_frame(0);
- }
- }
-}
-
-function update_left_frame(n)
-{
- var add_string = '';
- for (var i = 0; i < n; i++) {
- var j = i + 1;
- add_string = add_string + ',1, \'CA #' + j + '\'';
- }
- top.add_index_list = add_string;
- num_ca = n;
- make_left_frame(window);
-}
-
-function set_ver1()
-// redraws the extensions page for version 1 certificates
-{
- ver = 1
- if (cur_page == 2 || cur_page == 3) {
- switch_right_frame(window, cur_page, cur_page);
- }
-}
-
-
-function set_ver3()
-// redraws the extensions page for version 3 certificates
-{
- ver = 3
- if (cur_page == 2) {
- switch_right_frame(window, 0, 2);
- } else if (cur_page == 3) {
- switch_right_frame(window, 0, 3);
- }
-}
-
-function reset_subject(marker, value, form)
-// Updates the subject field from a subordinate field
-{
- with(form) {
- var field_sep = '", ';
- var begin_index = subject.value.indexOf(marker);
- if (begin_index != 0 && subject.value[begin_index - 1] != ' ') {
- begin_index = subject.value.indexOf(marker, begin_index +1);
- }
- var end_index = subject.value.indexOf(field_sep, begin_index);
- if (begin_index > -1) { // is it a delete/change?
- if (end_index == -1) { // is it the last one (includes only one)?
- if (value.length > 0) { // do I have to change it?
- if (begin_index == 0) { // is is the only one?
- subject.value = marker + '"' + value + '"';
- } else { // it is the last of many
- subject.value = subject.value.substring(0,begin_index) +
- marker + '"' + value + '"';
- }
- } else { // must be a delete
- if (begin_index == 0) { // is it the only one?
- begin_index += 2;
- }
- subject.value = subject.value.substring(0,(begin_index - 2));
- }
- } else { // it is the first of many or a middle one
- if (value.length >0) { // do I have to change it?
- subject.value =
- subject.value.substring(0,(begin_index + marker.length + 1)) +
- value + subject.value.substring(end_index,subject.length);
- } else { // it is a delete
- subject.value = subject.value.substring(0,begin_index) +
- subject.value.substring((end_index + 3),subject.length);
- }
- }
- } else { // It is either an insert or a do nothing
- if (value.length > 0) { // is it an insert?
- if (subject.value.length == 0) { // is subject currently empty?
- subject.value = marker + '"' + value + '"';
- } else {
- subject.value = subject.value + ', ' + marker + '"' + value + '"';
- }
- }
- }
- }
-}
-
-
-
-function reset_subjectFields(form)
-// updates all the subordinate fields from the subject field of a form
-// **** move the strings to global variables, to make maintentance easier ****
-{
-
- update_subject_Field(form, 'CN=\"', form.name);
- update_subject_Field(form, 'MAIL=\"', form.email);
- update_subject_Field(form, 'O=\"', form.org);
- update_subject_Field(form, 'C=\"', form.country);
- update_subject_Field(form, ' L=\"', form.loc);
- update_subject_Field(form, 'ST=\"', form.state);
- update_subject_Field(form, 'E=\"', form.email);
- update_subject_Field(form, 'OU=\"', form.org_unit);
- update_subject_Field(form, 'UID=\"', form.uid);
-}
-
-function update_subject_Field(form, marker, update_field)
-//updates a single subordinate field from the subject field of a form
-// *** need to deal with the two types of e-mail addresses **************
-{
- with(form) {
- var field_sep = '", ';
- var begin_index = subject.value.indexOf(marker) + marker.length;
- var end_index = subject.value.indexOf(field_sep, begin_index);
- if (end_index == -1) {
- end_index = subject.value.indexOf('"',begin_index);
- }
- if (begin_index != (-1 + marker.length) ) {
- update_field.value = subject.value.substring(begin_index, end_index);
- } else {
- update_field.value = '';
- }
- }
-}
-
-
-function switch_mail(form)
-// **** Do I want to delete the other type of e-mail address ? ************
-{
- if (form.email_type[0].checked) {
- var del = 'E=';
- var ins = 'MAIL=';
- } else {
- var del = 'MAIL=';
- var ins = 'E=';
- }
- reset_subject(del, '', form);
- reset_subject(ins, form.email.value, form);
-}
-
-function make_page_intro(title, bgcolor)
-{
- var style = '<STYLE TYPE="text/css">BODY{' +
- 'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
- 'font-size: 10pt;' +
- '}' +
- 'TD{' +
- 'font-family: Geneva,MS Sans Serif,Arial,Lucida,Helvetica,sans-serif;' +
- 'font-size: 10pt;}' +
- '</STYLE>';
-
- if (bgcolor == null) { bgcolor = "#C0C0C0"; }
- return '<HTML><HEAD>' +
- '<TITLE>' + title + '</TITLE>' +
- '</HEAD>' +
- '<BODY TEXT="#000000" LINK="#000000" VLINK="#000000" ALINK="#FF0000" ' +
- 'BGCOLOR="' + bgcolor + '">';
-}
-
-
-function make_left_frame(window)
-{
- with (window.frames['index']) {
- eval ('index_string = make_left_frame_page(cur_page, '
- + index_list + add_index_list + ' )');
- fool1 = make_page_intro(index_label, "#FFFFFF") +
- index_string + '</BODY></HTML>';
- document.write(fool1);
- document.close();
- }
-}
-
-
-function save_cur_page(page_number)
-{
- var len;
- var pg = page_number - 1;
- if (window.frames['right'].document.forms.length != 0) {
- with (window.frames['right'].document) {
- if ((page_number != 2 && page_number != 3 && page_number <= max_pages) ||
- ver == 3) {
- ext_page_array[pg] = new Array(forms[0].elements.length);
- for (i = 0; i < forms[0].elements.length; i++) {
- ext_page_array[pg][i] = new Array(4);
- switch (forms[0].elements[i].type) {
- case 'radio':
- case 'checkbox':
- ext_page_array[pg][i][0] = forms[0].elements[i].checked;
- break;
- case 'select-one':
- ext_page_array[pg][i][0] = forms[0].elements[i].selectedIndex;
- break;
- case 'select-multiple':
- len = forms[0].elements[i].options.length;
- ext_page_array[pg][i][0] = new Array(len);
- for(k = 0; k < len; k++) {
- ext_page_array[pg][i][0][k] = forms[0].elements[i].options[k].value;
- }
- break;
- default:
- ext_page_array[pg][i][0] = forms[0].elements[i].value;
- }
- ext_page_array[pg][i][1] = forms[0].elements[i].name;
- ext_page_array[pg][i][2] = forms[0].elements[i].value;
- ext_page_array[pg][i][3] = forms[0].elements[i].type;
- }
- }
- }
- }
-}
-
-function reload_form(page_number)
-{
- var j = page_number - 1;
- with (window.frames['right'].document) {
- if (((page_number < 2 || page_number > 3) || ver == 3)
- && page_number != 0 && (ext_page_array[j].length > 1)) {
- for (i = 0; i < ext_page_array[j].length; i++) {
- switch (forms[0].elements[i].type) {
- case 'radio': case 'checkbox':
- forms[0].elements[i].checked = ext_page_array[j][i][0];
- break;
- case 'select-one':
- forms[0].elements[i].selectedIndex = ext_page_array[j][i][0];
- break;
- case 'select-multiple':
- for (k = 0; k < ext_page_array[j][i][0].length; k++) {
- forms[0].elements[i].options[k] =
- new Option(ext_page_array[j][i][0][k],
- ext_page_array[j][i][0][k]);
- }
- break;
- default:
- forms[0].elements[i].value = ext_page_array[j][i][0];
- }
- }
- }
- }
-}
-
-function switch_right_frame(top_window, old_pane, new_pane)
-{
- var ext_page_stnd =
- make_page_intro(standard_extensions_index_label, "#FFFFFF") +
- '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
- 'SRC="stnd_ext_form.html">' +
- '</IFRAME></body></html>';
-
- var ext_page_nscp =
- make_page_intro(netscape_extensions_index_label, "#FFFFFF") +
- '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
- 'SRC="nscp_ext_form.html">' +
- '</IFRAME></body></html>';
-
- var ext_page_ca =
- make_page_intro(certifying_authorities_index_label, "#FFFFFF") +
- '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
- 'SRC="ca.html">' +
- '</IFRAME></body</html>';
-
- var ext_page_ca_exp =
- make_page_intro('Certifying Authority Details', "#FFFFFF") +
- '<IFRAME WIDTH="100%" HEIGHT="100%" FRAMEBORDER=0 ID="ext" ' +
- 'SRC="ca_form.html">' +
- '</IFRAME></body></html>';
-
-
- if (old_pane > 0 && cur_page <= max_pages) {
- save_cur_page(old_pane);
- }
- cur_page = new_pane;
- make_left_frame(top_window);
- if (new_pane == 2 || new_pane == 3) {
- if (ver == 1) {
- frames['right'].document.write(ext_page_ver1);
- frames['right'].document.close();
- } else if (new_pane == 2) {
- frames['right'].document.write(ext_page_nscp);
- frames['right'].document.close();
- reload_form(new_pane);
- } else {
- frames['right'].document.write(ext_page_stnd);
- frames['right'].document.close();
- reload_form(new_pane);
- }
- } else if (new_pane == 4) {
- frames['right'].document.write(ext_page_ca);
- frames['right'].document.close();
- reload_form(new_pane);
- } else if (new_pane == 1) {
- frames['right'].document.write(main_page);
- frames['right'].document.close();
- reload_form(new_pane);
- } else {
- frames['right'].document.write(ext_page_ca_exp);
- frames['right'].document.close();
- reload_form(new_pane);
- }
-}
-
-function make_left_frame_page(selected)
-{
- var n_strings = ( make_left_frame_page.arguments.length - 1 ) / 2;
- var table_background;
- var command;
- var indent;
- var label;
- var ret_string = "";
-
- ret_string += '<TABLE CELLSPACING=4>';
- for ( var i = 1; i <= n_strings; i++ ) {
- if ( i == selected ) {
- table_background = 'BGCOLOR=#BBCCBB';
- } else {
- table_background = '';
- }
-
- indent = make_left_frame_page.arguments[(i*2) - 1];
- label = make_left_frame_page.arguments[(i*2)];
-
- if ( indent == 0 ) {
- ret_string += ('<TR><TD COLSPAN=2 ' + table_background + '>');
- } else {
- ret_string += ('<TR><TD>&nbsp;&nbsp;</TD><TD ' + table_background + '>');
- }
-
- command = "'parent.switch_right_frame(parent," + selected + "," + i + ")'";
- ret_string += ('<A HREF="javascript:void setTimeout(' + command + ',0)">');
- if ( indent == 0 ) { ret_string += "<B>"; }
- ret_string += label;
- if ( indent == 0 ) { ret_string += "</B>"; }
- ret_string += '</A></TD></TR>';
- }
- if (selected == (max_pages + 1)) {
- table_background = 'BGCOLOR=#BBCCBB';
- } else {
- table_background = '';
- }
- ret_string +=
- '<TR><TD COLSPAN=2 ' + table_background +
- '><b><A HREF="javascript:void setTimeout(\'top.submit_it()\', 0)">Finish</A></b>' +
- '</TD></TR>' +
- '<input type="submit"></form>' +
- '</TABLE>';
- return(ret_string);
-}
-
-
-function make_page(window)
-// Draws the initial page setup
-{
- selected = cur_page
- init_ext_page_array()
-
- with (window.frames['right']) {
- location="main.html";
-// document.write(main_page);
-// document.close();
- }
-
- make_left_frame(window);
-
-}
-</script>
-
-</HEAD>
-<title>Cert-O-Matic</title>
- <FRAMESET cols="150,*" BORDER=3 ONLOAD="make_page(window)">
- <FRAME SRC="about:blank" ID="index" NAME="index"
- MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
- <FRAME SRC="about:blank" ID="right" NAME="right"
- MARGINWIDTH=15 MARGINHEIGHT=10 BORDER=3>
- </FRAMESET>
-</HTML>
diff --git a/security/nss/cmd/certcgi/main.html b/security/nss/cmd/certcgi/main.html
deleted file mode 100644
index 05dd9daad..000000000
--- a/security/nss/cmd/certcgi/main.html
+++ /dev/null
@@ -1,76 +0,0 @@
-<HTML>
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-<HEAD>
- <TITLE>Main Layer for CertOMatic</TITLE>
-</HEAD>
-
- <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
- <table border=0 cellspacing=10 cellpadding=0>
- <tr>
- <td>
- Common Name:</td><td> <input type="text" name="name" onChange="{window.top.reset_subject('CN=', value, form)}"></p>
- </td>
- <td></td><td></td>
- <td>
- Organization: </td><td> <input type="text" name="org" onChange="{window.top.reset_subject('O=', value, form)}"></p></td>
- <tr>
- <td>
- <input type="radio" name="email_type" value="1" onClick="window.top.switch_mail(form)">MAIL=
-
- <input type="radio" name="email_type" value="2" checked onClick="window.top.switch_mail(form)">E=
- </td>
- <td>
- <input type="text" name="email" onChange="var temp;{if (email_type[0].checked) {temp = 'MAIL='} else {temp = 'E='}} ;{window.top.reset_subject(temp, value, form)}">
- </td>
- <td></td><td></td><td>
- Organizational Unit: </td><td><input type="text" name="org_unit" onChange="{window.top.reset_subject('OU=', value, form)}"></p></td>
- <tr>
- <td>
- UID= </td><td><input type="text" name="uid" onChange="{window.top.reset_subject('UID=', value, form)}"></p></td>
- <td></td><td></td><td>
- Locality: </td><td><input type="text" name="loc" onChange="{window.top.reset_subject('L=', value, form)}"></p></td>
- <tr>
- <td>
- State or Province: </td><td><input type="text" name="state" onChange="{window.top.reset_subject('ST=', value, form)}"></p></td>
- <td></td><td></td><td>
- Country: </td><td><input type="text" size="2" name="country" onChange="{window.top.reset_subject('C=', value, form)}" maxlength="2"></p></td>
- <tr>
- <td COLSPAN=2>
- Serial Number:
- <DD><input type="radio" name="serial" value="auto" checked> Auto Generate
- <DD><input type="radio" name="serial" value="input">
- Use this hex value:&nbsp; <input type="text" name="serial_value" size="8" maxlength="8"></p>
- </td>
- <td></td> <td></td>
- <td COLSPAN=2>
- X.509 version:
- <DD><input type="radio" name="ver" value="1" onClick="if (this.checked) {window.top.set_ver1();}"> Version 1
- <DD><input type="radio" name="ver" value="3" checked onClick="if (this.checked) {window.top.set_ver3();}"> Version 3</P></td>
- <tr>
- <td COLSPAN=2>
- Key Type:
- <DD><input type="radio" name="keyType" value="rsa" checked> RSA
- <DD><input type="radio" name="keyType" value="dsa"> DSA</p>
- Intermediate CA Key Sizes:
- <DD><select name="keysize">
- <option>2048 (Very High Grade)
- <option>1024 (High Grade)
- <option>512 (Low Grade)
- </select>
- </td>
- <td></td> <td></td>
- <td COLSPAN=2>
- Validity:
- <DD><input type="radio" name="validity" value="auto" checked>
- Generate Automatically
- <DD><input type="radio" name="validity" value="man"> Use these values:
- <DD>Not Before:&nbsp; <input type="text" size="15" maxlength="17" name="notBefore">
- <DD>Not After:&nbsp;&nbsp;&nbsp; <input type="text" size="15" maxlength="17" name="notAfter">
- <DD>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
- <FONT SIZE=-1><TT>YYMMDDhhmm[ss]{Z|+hhmm|-hhmm} </TT></FONT>
- </table>
- DN: <input type="text" name="subject" size="70" onChange="{window.top.reset_subjectFields(form)}"></P>
- </form>
-</HTML>
diff --git a/security/nss/cmd/certcgi/manifest.mn b/security/nss/cmd/certcgi/manifest.mn
deleted file mode 100644
index 9e17cef9d..000000000
--- a/security/nss/cmd/certcgi/manifest.mn
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-CORE_DEPTH = ../..
-
-# MODULE public and private header directories are implicitly REQUIREd.
-MODULE = nss
-
-# This next line is used by .mk files
-# and gets translated into $LINCS in manifest.mnw
-REQUIRES = seccmd dbm
-
-DEFINES = -DNSPR20
-
-CSRCS = certcgi.c
-
-PROGRAM = certcgi
-
-USE_STATIC_LIBS = 1
-
diff --git a/security/nss/cmd/certcgi/nscp_ext_form.html b/security/nss/cmd/certcgi/nscp_ext_form.html
deleted file mode 100644
index f2a4a20c3..000000000
--- a/security/nss/cmd/certcgi/nscp_ext_form.html
+++ /dev/null
@@ -1,84 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
- <body>
- <table border=1 cellspacing=5 cellpadding=5>
- <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
- <tr>
- <td>
- <b>Netscape Certificate Type: </b></p>
- Activate extension: <input type="checkbox" name="netscape-cert-type"></P>
- Critical: <input type="checkbox" name="netscape-cert-type-crit">
- <td>
- <input type="checkbox" name="netscape-cert-type-ssl-client"> SSL Client</P>
- <input type="checkbox" name="netscape-cert-type-ssl-server"> SSL Server</P>
- <input type="checkbox" name="netscape-cert-type-smime"> S/MIME</P>
- <input type="checkbox" name="netscape-cert-type-object-signing"> Object Signing</P>
- <input type="checkbox" name="netscape-cert-type-reserved"> Reserved for future use (bit 4)</P>
- <input type="checkbox" name="netscape-cert-type-ssl-ca"> SSL CA</P>
- <input type="checkbox" name="netscape-cert-type-smime-ca"> S/MIME CA</P>
- <input type="checkbox" name="netscape-cert-type-object-signing-ca"> Object Signing CA</P>
- </tr>
- <tr>
- <td>
- <b>Netscape Base URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-base-url"></P>
- Critical: <input type="checkbox" name="netscape-base-url-crit">
- <td>
- <input type="text" name="netscape-base-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape Revocation URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-revocation-url"></P>
- Critical: <input type="checkbox" name="netscape-revocation-url-crit">
- <td>
- <input type="text" name="netscape-revocation-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape CA Revocation URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-ca-revocation-url"></P>
- Critical: <input type="checkbox" name="netscape-ca-revocation-url-crit">
- <td>
- <input type="text" name="netscape-ca-revocation-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape Certificate Renewal URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-cert-renewal-url"></P>
- Critical: <input type="checkbox" name="netscape-cert-renewal-url-crit">
- <td>
- <input type="text" name="netscape-cert-renewal-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape CA Policy URL:</b></p>
- Activate extension: <input type="checkbox" name="netscape-ca-policy-url"></P>
- Critical: <input type="checkbox" name="netscape-ca-policy-url-crit">
- <td>
- <input type="text" name="netscape-ca-policy-url-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape SSL Server Name:</b></p>
- Activate extension: <input type="checkbox" name="netscape-ssl-server-name"></P>
- Critical: <input type="checkbox" name="netscape-ssl-server-name-crit">
- <td>
- <input type="text" name="netscape-ssl-server-name-text" size="50">
- </tr>
- <tr>
- <td>
- <b>Netscape Comment:</b></p>
- Activate extension: <input type="checkbox" name="netscape-comment"></P>
- Critical: <input type="checkbox" name="netscape-comment-crit">
- <td>
- <textarea name="netscape-comment-text" rows="5" cols="50"></textarea>
- </tr>
-
- </table>
- </body>
-</html>
diff --git a/security/nss/cmd/certcgi/stnd_ext_form.html b/security/nss/cmd/certcgi/stnd_ext_form.html
deleted file mode 100644
index 60d4d86a0..000000000
--- a/security/nss/cmd/certcgi/stnd_ext_form.html
+++ /dev/null
@@ -1,219 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<!-- This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/. -->
-
- <body>
- <table border=1 cellspacing=5 cellpadding=5>
- <form method="post" name="primary_form" action="http://interzone.mcom.com/burp.cgi">
- <tr>
- <td>
- <b>Key Usage: </b></p>
- Activate extension: <input type="checkbox" name="keyUsage"></P>
- Critical: <input type="checkbox" name="keyUsage-crit">
- <td>
- <input type="checkbox" name="keyUsage-digitalSignature"> Digital Signature</P>
- <input type="checkbox" name="keyUsage-nonRepudiation"> Non Repudiation</P>
- <input type="checkbox" name="keyUsage-keyEncipherment"> Key Encipherment</P>
- <input type="checkbox" name="keyUsage-dataEncipherment"> Data Encipherment</P>
- <input type="checkbox" name="keyUsage-keyAgreement"> Key Agreement</P>
- <input type="checkbox" name="keyUsage-keyCertSign"> Key Certificate Signing</P>
- <input type="checkbox" name="keyUsage-cRLSign"> CRL Signing</P>
- </tr>
- <tr>
- <td>
- <b>Extended Key Usage: </b></p>
- Activate extension: <input type="checkbox" name="extKeyUsage"></P>
- Critical: <input type="checkbox" name="extKeyUsage-crit">
- <td>
- <input type="checkbox" name="extKeyUsage-serverAuth"> Server Auth</P>
- <input type="checkbox" name="extKeyUsage-clientAuth"> Client Auth</P>
- <input type="checkbox" name="extKeyUsage-codeSign"> Code Signing</P>
- <input type="checkbox" name="extKeyUsage-emailProtect"> Email Protection</P>
- <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
- <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
- <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
- <input type="checkbox" name="extKeyUsage-msTrustListSign"> Microsoft Trust List Signing</P>
- </tr>
- <tr>
- <td>
- <b>Basic Constraints:</b></p>
- Activate extension: <input type="checkbox" name="basicConstraints"></P>
- Critical: <input type="checkbox" name="basicConstraints-crit">
- <td>
- CA:</p>
- <dd><input type=radio name="basicConstraints-cA-radio" value="CA"> True</p>
- <dd><input type=radio name="basicConstraints-cA-radio" value="NotCA"> False</p>
- <input type="checkbox" name="basicConstraints-pathLengthConstraint">
- Include Path length: <input type="text" name="basicConstraints-pathLengthConstraint-text" size="2"></p>
- </tr>
- <tr>
- <td>
- <b>Authority Key Identifier:</b></p>
- Activate extension: <input type="checkbox" name="authorityKeyIdentifier">
- <td>
- <input type="radio" name="authorityKeyIdentifier-radio" value="keyIdentifier"> Key Identider</p>
- <input type="radio" name="authorityKeyIdentifier-radio" value="authorityCertIssuer"> Issuer Name and Serial number</p>
- </tr>
- <tr>
- <td>
- <b>Subject Key Identifier:</b></p>
- Activate extension: <input type="checkbox" name="subjectKeyIdentifier">
- <td>
- Key Identifier:
- <input type="text" name="subjectKeyIdentifier-text"></p>
- This is an:<p>
- <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="ascii"> ascii text value<p>
- <dd><dd><input type="radio" name="subjectKeyIdentifier-radio" value="hex"> hex value<p>
- </tr>
- <tr>
- <td>
- <b>Private Key Usage Period:</b></p>
- Activate extension: <input type="checkbox" name="privKeyUsagePeriod"></p>
- Critical: <input type="checkbox" name="privKeyUsagePeriod-crit">
- <td>
- Use:</p>
- <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notBefore"> Not Before</p>
- <dd><input type="radio" name="privKeyUsagePeriod-radio" value="notAfter"> Not After</p>
- <dd><input type="radio" name="privKeyUsagePeriod-radio" value="both" > Both</p>
- <b>Not to be used to sign before:</b></p>
- <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="auto"> Set to time of certificate issue</p>
- <dd><input type="radio" name="privKeyUsagePeriod-notBefore-radio" value="manual"> Use This value</p>
- <dd><dd>(YYYY/MM/DD HH:MM:SS):
- <input type="text" name="privKeyUsagePeriod-notBefore-year" size="4" maxlength="4">/
- <input type="text" name="privKeyUsagePeriod-notBefore-month" size="2" maxlength="2">/
- <input type="text" name="privKeyUsagePeriod-notBefore-day" size="2" maxlength="2">
- <input type="text" name="privKeyUsagePeriod-notBefore-hour" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notBefore-minute" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notBefore-second" size="2" maxlength="2"></p>
- <b>Not to be used to sign after:</b></p>
- <dd>(YYYY/MM/DD HH:MM:SS):
- <input type="text" name="privKeyUsagePeriod-notAfter-year" size="4" maxlength="4">/
- <input type="text" name="privKeyUsagePeriod-notAfter-month" size="2" maxlength="2">/
- <input type="text" name="privKeyUsagePeriod-notAfter-day" size="2" maxlength="2">
- <input type="text" name="privKeyUsagePeriod-notAfter-hour" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notAfter-minute" size="2" maxlength="2">:
- <input type="text" name="privKeyUsagePeriod-notAfter-second" size="2" maxlength="2"></p>
- </tr>
- <tr>
- <td>
- <b>Subject Alternative Name:</b></p>
- Activate extension: <input type="checkbox" name="SubAltName"></P>
- Critical: <input type="checkbox" name="SubAltName-crit">
- <td>
- <table>
- <tr>
- <td>
- General Names:</p>
- <select name="SubAltNameSelect" multiple size="10">
- </select></p></p>
- <input type="button" name="SubAltName-add" value="Add" onClick="{parent.addSubAltName(this.form)}">
- <input type="button" name="SubAltName-delete" value="Delete" onClick="parent.deleteSubAltName(this.form)">
- </td><td>
- <table><tr><td>
- Name Type: </td></tr><tr><td>
- <input type="radio" name="SubAltNameRadio" value="otherName" onClick="parent.setSubAltNameType(form)"> Other Name,
- OID: <input type="text" name="SubAltNameOtherNameOID" size="6"> </td><td>
- <input type="radio" name="SubAltNameRadio" value="rfc822Name" onClick="parent.setSubAltNameType(form)"> RFC 822 Name</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="dnsName" onClick="parent.setSubAltNameType(form)"> DNS Name </td><td>
- <input type="radio" name="SubAltNameRadio" value="x400" onClick="parent.setSubAltNameType(form)"> X400 Address</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="directoryName" onClick="parent.setSubAltNameType(form)"> Directory Name</td><td>
- <input type="radio" name="SubAltNameRadio" value="ediPartyName" onClick="parent.setSubAltNameType(form)"> EDI Party Name</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="URL" onClick="parent.setSubAltNameType(form)"> Uniform Resource Locator</td><td>
- <input type="radio" name="SubAltNameRadio" value="ipAddress" onClick="parent.setSubAltNameType(form)"> IP Address</td></tr><td>
- <input type="radio" name="SubAltNameRadio" value="regID"onClick="parent.setSubAltNameType(form)"> Registered ID</td><td>
- <input type="radio" name="SubAltNameRadio" value="nscpNickname" onClick="parent.setSubAltNameType(form)"> Netscape Certificate Nickname</td><td></tr>
- </table>
- Name: <input type="text" name="SubAltNameText">
- Binary Encoded: <input type="checkbox" name="SubAltNameDataType" value="binary" onClick="parent.setSubAltNameType(form)"></p>
- </tr>
- </table>
- </tr>
-
-
- <tr>
- <td>
- <b>Issuer Alternative Name:</b></p>
- Activate extension: <input type="checkbox" name="IssuerAltName"></P>
- Critical: <input type="checkbox" name="IssuerAltName-crit">
- <td>
- <input type="radio" name="IssuerAltNameSourceRadio" value="auto"> Use the Subject Alternative Name from the Issuers Certificate</p>
- <input type="radio" name="IssuerAltNameSourceRadio" value="man"> Use this Name:
- <table>
- <tr>
- <td>
- General Names:</p>
- <select name="IssuerAltNameSelect" multiple size="10">
- </select></p></p>
- <input type="button" name="IssuerAltName-add" value="Add" onClick="{parent.addIssuerAltName(this.form)}">
- <input type="button" name="IssuerAltName-delete" value="Delete" onClick="parent.deleteIssuerAltName(this.form)">
- </td><td>
- <table><tr><td>
- Name Type: </td></tr><tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="otherName" onClick="parent.setIssuerAltNameType(form)"> Other Name,
- OID: <input type="text" name="IssuerAltNameOtherNameOID" size="6"> </td><td>
- <input type="radio" name="IssuerAltNameRadio" value="rfc822Name" onClick="parent.setIssuerAltNameType(form)"> RFC 822 Name</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="dnsName" onClick="parent.setIssuerAltNameType(form)"> DNS Name </td><td>
- <input type="radio" name="IssuerAltNameRadio" value="x400" onClick="parent.setIssuerAltNameType(form)"> X400 Address</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="directoryName" onClick="parent.setIssuerAltNameType(form)"> Directory Name</td><td>
- <input type="radio" name="IssuerAltNameRadio" value="ediPartyName" onClick="parent.setIssuerAltNameType(form)"> EDI Party Name</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="URL" onClick="parent.setIssuerAltNameType(form)"> Uniform Resource Locator</td><td>
- <input type="radio" name="IssuerAltNameRadio" value="ipAddress" onClick="parent.setIssuerAltNameType(form)"> IP Address</td></tr><td>
- <input type="radio" name="IssuerAltNameRadio" value="regID" onClick="parent.setIssuerAltNameType(form)"> Registered ID</td><td></tr>
- </table>
- Name: <input type="text" name="IssuerAltNameText">
- Binary Encoded: <input type="checkbox" name="IssuerAltNameDataType" value="binary" onClick="parent.setIssuerAltNameType(form)"></p>
- </tr>
- </table>
- </tr>
-
- <tr>
- <td>
- <b>Name Constraints:</b></p>
- Activate extension: <input type="checkbox" name="NameConstraints"></P>
- <td>
- <table>
- <tr>
- <td>
- Name Constraints:</p>
- <select name="NameConstraintSelect" multiple size="10">
- </select></p></p>
- <input type="button" name="NameConstraint-add" value="Add" onClick="{parent.addNameConstraint(this.form)}">
- <input type="button" name="NameConstraint-delete" value="Delete" onClick="parent.deleteNameConstraint(this.form)">
- </td><td>
- <table><tr><td>
- Name Type: </td></tr><tr><td>
- <input type="radio" name="NameConstraintRadio" value="otherName" onClick="parent.setNameConstraintNameType(form)"> Other Name,
- OID: <input type="text" name="NameConstraintOtherNameOID" size="6"> </td><td>
- <input type="radio" name="NameConstraintRadio" value="rfc822Name" onClick="parent.setNameConstraintNameType(form)"> RFC 822 Name</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="dnsName" onClick="parent.setNameConstraintNameType(form)"> DNS Name </td><td>
- <input type="radio" name="NameConstraintRadio" value="x400" onClick="parent.setNameConstraintNameType(form)"> X400 Address</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="directoryName" onClick="parent.setNameConstraintNameType(form)"> Directory Name</td><td>
- <input type="radio" name="NameConstraintRadio" value="ediPartyName" onClick="parent.setNameConstraintNameType(form)"> EDI Party Name</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="URL" onClick="parent.setNameConstraintNameType(form)"> Uniform Resource Locator</td><td>
- <input type="radio" name="NameConstraintRadio" value="ipAddress" onClick="parent.setNameConstraintNameType(form)"> IP Address</td></tr><td>
- <input type="radio" name="NameConstraintRadio" value="regID" onClick="parent.setNameConstraintNameType(form)"> Registered ID</td><td></tr>
- </table>
- Name: <input type="text" name="NameConstraintText">
- Binary Encoded: <input type="checkbox" name="NameConstraintNameDataType" value="binary" onClick="parent.setNameConstraintNameType(form)"></p>
- Constraint type:<p>
- <dd><input type="radio" name="NameConstraintTypeRadio" value="permited"> permited<p>
- <dd><input type="radio" name="NameConstraintTypeRadio" value="excluded"> excluded<p>
- Minimum: <input type="text" name="NameConstraintMin" size="8" maxlength="8"></p>
- Maximum: <input type="text" name="NameConstraintMax" size="8" maxlength="8"></p>
- </tr>
- </table>
- </tr>
-
- </table>
- </body>
-</html>
-
-
-
-
-
-
-
-
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c
index fbc752c1b..20722ae78 100644
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -194,6 +194,8 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
PLArenaPool *arena;
void *extHandle;
SECItem signedReq = { siBuffer, NULL, 0 };
+ SECAlgorithmID signAlg;
+ SECItem *params = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
@@ -211,11 +213,26 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
/* Change cert type to RSA-PSS, if desired. */
if (pssCertificate) {
+ params = SEC_CreateSignatureAlgorithmParameters(arena,
+ NULL,
+ SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+ hashAlgTag,
+ NULL,
+ privk);
+ if (!params) {
+ PORT_FreeArena(arena, PR_FALSE);
+ SECKEY_DestroySubjectPublicKeyInfo(spki);
+ SECU_PrintError(progName, "unable to create RSA-PSS parameters");
+ return SECFailure;
+ }
+
spki->algorithm.parameters.data = NULL;
rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
- SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0);
+ SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+ hashAlgTag == SEC_OID_UNKNOWN ? NULL : params);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
+ SECKEY_DestroySubjectPublicKeyInfo(spki);
SECU_PrintError(progName, "unable to set algorithm ID");
return SECFailure;
}
@@ -256,16 +273,34 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType,
return SECFailure;
}
- /* Sign the request */
- signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
- if (signAlgTag == SEC_OID_UNKNOWN) {
- PORT_FreeArena(arena, PR_FALSE);
- SECU_PrintError(progName, "unknown Key or Hash type");
- return SECFailure;
+ PORT_Memset(&signAlg, 0, sizeof(signAlg));
+ if (pssCertificate) {
+ rv = SECOID_SetAlgorithmID(arena, &signAlg,
+ SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_FALSE);
+ SECU_PrintError(progName, "unable to set algorithm ID");
+ return SECFailure;
+ }
+ } else {
+ signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
+ if (signAlgTag == SEC_OID_UNKNOWN) {
+ PORT_FreeArena(arena, PR_FALSE);
+ SECU_PrintError(progName, "unknown Key or Hash type");
+ return SECFailure;
+ }
+ rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, 0);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_FALSE);
+ SECU_PrintError(progName, "unable to set algorithm ID");
+ return SECFailure;
+ }
}
- rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len,
- privk, signAlgTag);
+ /* Sign the request */
+ rv = SEC_DerSignDataWithAlgorithmID(arena, &signedReq,
+ encoding->data, encoding->len,
+ privk, &signAlg);
if (rv) {
PORT_FreeArena(arena, PR_FALSE);
SECU_PrintError(progName, "signing of data failed");
@@ -365,7 +400,7 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot,
CERTCertificate *cert;
CERTCertTrust *trust;
- cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+ cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata);
if (!cert) {
SECU_PrintError(progName, "could not find certificate named \"%s\"",
name);
@@ -591,6 +626,10 @@ ListCerts(CERTCertDBHandle *handle, char *nickname, char *email,
{
SECStatus rv;
+ if (slot && PK11_NeedUserInit(slot)) {
+ printf("\nDatabase needs user init\n");
+ }
+
if (!ascii && !raw && !nickname && !email) {
PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n",
"Certificate Nickname", "Trust Attributes", "",
@@ -614,12 +653,12 @@ ListCerts(CERTCertDBHandle *handle, char *nickname, char *email,
}
static SECStatus
-DeleteCert(CERTCertDBHandle *handle, char *name)
+DeleteCert(CERTCertDBHandle *handle, char *name, void *pwdata)
{
SECStatus rv;
CERTCertificate *cert;
- cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+ cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata);
if (!cert) {
SECU_PrintError(progName, "could not find certificate named \"%s\"",
name);
@@ -635,12 +674,12 @@ DeleteCert(CERTCertDBHandle *handle, char *name)
}
static SECStatus
-RenameCert(CERTCertDBHandle *handle, char *name, char *newName)
+RenameCert(CERTCertDBHandle *handle, char *name, char *newName, void *pwdata)
{
SECStatus rv;
CERTCertificate *cert;
- cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+ cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata);
if (!cert) {
SECU_PrintError(progName, "could not find certificate named \"%s\"",
name);
@@ -1015,6 +1054,18 @@ ListModules(void)
}
static void
+PrintBuildFlags()
+{
+#ifdef NSS_FIPS_DISABLED
+ PR_fprintf(PR_STDOUT, "NSS_FIPS_DISABLED\n");
+#endif
+#ifdef NSS_NO_INIT_SUPPORT
+ PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n");
+#endif
+ exit(0);
+}
+
+static void
PrintSyntax(char *progName)
{
#define FPS fprintf(stderr,
@@ -1044,15 +1095,10 @@ PrintSyntax(char *progName)
"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
-#ifndef NSS_DISABLE_ECC
FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n",
progName);
-#else
- FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n",
- progName);
-#endif /* NSS_DISABLE_ECC */
FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
progName);
@@ -1066,6 +1112,7 @@ PrintSyntax(char *progName)
FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n",
progName);
FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n");
+ FPS "\t%s --build-flags\n", progName);
FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n",
progName);
FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName);
@@ -1184,6 +1231,8 @@ luC(enum usage_level ul, const char *command)
" -o output-cert");
FPS "%-20s Self sign\n",
" -x");
+ FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
+ " --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
@@ -1244,17 +1293,10 @@ luG(enum usage_level ul, const char *command)
return;
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
" -k key-type");
FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#else
- FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
- " -k key-type");
- FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
- " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#endif /* NSS_DISABLE_ECC */
FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
" -y exp");
FPS "%-20s Specify the password file\n",
@@ -1263,7 +1305,6 @@ luG(enum usage_level ul, const char *command)
" -z noisefile");
FPS "%-20s read PQG value from pqgfile (dsa only)\n",
" -q pqgfile");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s One of nistp256, nistp384, nistp521, curve25519.\n", "");
@@ -1285,7 +1326,6 @@ luG(enum usage_level ul, const char *command)
FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
FPS "%-20s sect131r1, sect131r2\n", "");
-#endif
FPS "%-20s Key database directory (default is ~/.netscape)\n",
" -d keydir");
FPS "%-20s Cert & Key database prefix\n",
@@ -1331,7 +1371,7 @@ luF(enum usage_level ul, const char *command)
{
int is_my_command = (command && 0 == strcmp(command, "F"));
if (ul == usage_all || !command || is_my_command)
- FPS "%-15s Delete a key from the database\n",
+ FPS "%-15s Delete a key and associated certificate from the database\n",
"-F");
if (ul == usage_selected && !is_my_command)
return;
@@ -1375,9 +1415,7 @@ luK(enum usage_level ul, const char *command)
" -h token-name ");
FPS "%-20s Key type (\"all\" (default), \"dsa\","
-#ifndef NSS_DISABLE_ECC
" \"ec\","
-#endif
" \"rsa\")\n",
" -k key-type");
FPS "%-20s The nickname of the key or associated certificate\n",
@@ -1520,11 +1558,7 @@ luR(enum usage_level ul, const char *command)
" -s subject");
FPS "%-20s Output the cert request to this file\n",
" -o output-req");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
- FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_DISABLE_ECC */
" -k key-type-or-id");
FPS "%-20s or nickname of the cert key to use \n",
"");
@@ -1532,14 +1566,14 @@ luR(enum usage_level ul, const char *command)
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+ FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n",
+ " --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
-#endif /* NSS_DISABLE_ECC */
FPS "%-20s Specify the password file\n",
" -f pwfile");
FPS "%-20s Key database directory (default is ~/.netscape)\n",
@@ -1705,26 +1739,24 @@ luS(enum usage_level ul, const char *command)
" -c issuer-name");
FPS "%-20s Set the certificate trust attributes (see -A above)\n",
" -t trustargs");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
- FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_DISABLE_ECC */
" -k key-type-or-id");
FPS "%-20s Name of token in which to generate key (default is internal)\n",
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
+ FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n",
+ " --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
-#ifndef NSS_DISABLE_ECC
FPS "%-20s Elliptic curve name (ec only)\n",
" -q curve-name");
FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
"");
-#endif /* NSS_DISABLE_ECC */
FPS "%-20s Self sign\n",
" -x");
+ FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
+ " --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
@@ -1794,6 +1826,18 @@ luS(enum usage_level ul, const char *command)
}
static void
+luBuildFlags(enum usage_level ul, const char *command)
+{
+ int is_my_command = (command && 0 == strcmp(command, "build-flags"));
+ if (ul == usage_all || !command || is_my_command)
+ FPS "%-15s Print enabled build flags relevant for NSS test execution\n",
+ "--build-flags");
+ if (ul == usage_selected && !is_my_command)
+ return;
+ FPS "\n");
+}
+
+static void
LongUsage(char *progName, enum usage_level ul, const char *command)
{
luA(ul, command);
@@ -1807,6 +1851,7 @@ LongUsage(char *progName, enum usage_level ul, const char *command)
luU(ul, command);
luK(ul, command);
luL(ul, command);
+ luBuildFlags(ul, command);
luM(ul, command);
luN(ul, command);
luT(ul, command);
@@ -1889,46 +1934,119 @@ MakeV1Cert(CERTCertDBHandle *handle,
}
static SECStatus
+SetSignatureAlgorithm(PLArenaPool *arena,
+ SECAlgorithmID *signAlg,
+ SECAlgorithmID *spkiAlg,
+ SECOidTag hashAlgTag,
+ SECKEYPrivateKey *privKey,
+ PRBool pssSign)
+{
+ SECStatus rv;
+
+ if (pssSign ||
+ SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ SECItem *srcParams;
+ SECItem *params;
+
+ if (SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ srcParams = &spkiAlg->parameters;
+ } else {
+ /* If the issuer's public key is RSA, the parameter field
+ * of the SPKI should be NULL, which can't be used as a
+ * basis of RSA-PSS parameters. */
+ srcParams = NULL;
+ }
+ params = SEC_CreateSignatureAlgorithmParameters(arena,
+ NULL,
+ SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+ hashAlgTag,
+ srcParams,
+ privKey);
+ if (!params) {
+ SECU_PrintError(progName, "Could not create RSA-PSS parameters");
+ return SECFailure;
+ }
+ rv = SECOID_SetAlgorithmID(arena, signAlg,
+ SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+ params);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "Could not set signature algorithm id.");
+ return rv;
+ }
+ } else {
+ KeyType keyType = SECKEY_GetPrivateKeyType(privKey);
+ SECOidTag algID;
+
+ algID = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag);
+ if (algID == SEC_OID_UNKNOWN) {
+ SECU_PrintError(progName, "Unknown key or hash type for issuer.");
+ return SECFailure;
+ }
+ rv = SECOID_SetAlgorithmID(arena, signAlg, algID, 0);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "Could not set signature algorithm id.");
+ return rv;
+ }
+ }
+ return SECSuccess;
+}
+
+static SECStatus
SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
SECOidTag hashAlgTag,
SECKEYPrivateKey *privKey, char *issuerNickName,
- int certVersion, void *pwarg)
+ int certVersion, PRBool pssSign, void *pwarg)
{
SECItem der;
SECKEYPrivateKey *caPrivateKey = NULL;
SECStatus rv;
PLArenaPool *arena;
- SECOidTag algID;
+ CERTCertificate *issuer;
void *dummy;
- if (!selfsign) {
- CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
+ arena = cert->arena;
+
+ if (selfsign) {
+ issuer = cert;
+ } else {
+ issuer = PK11_FindCertFromNickname(issuerNickName, pwarg);
if ((CERTCertificate *)NULL == issuer) {
SECU_PrintError(progName, "unable to find issuer with nickname %s",
issuerNickName);
- return SECFailure;
+ rv = SECFailure;
+ goto done;
}
-
privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg);
- CERT_DestroyCertificate(issuer);
if (caPrivateKey == NULL) {
SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName);
- return SECFailure;
+ rv = SECFailure;
+ CERT_DestroyCertificate(issuer);
+ goto done;
}
}
- arena = cert->arena;
-
- algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag);
- if (algID == SEC_OID_UNKNOWN) {
- fprintf(stderr, "Unknown key or hash type for issuer.");
+ if (pssSign &&
+ (SECKEY_GetPrivateKeyType(privKey) != rsaKey &&
+ SECKEY_GetPrivateKeyType(privKey) != rsaPssKey)) {
+ SECU_PrintError(progName, "unable to create RSA-PSS signature with key %s",
+ issuerNickName);
rv = SECFailure;
+ if (!selfsign) {
+ CERT_DestroyCertificate(issuer);
+ }
goto done;
}
- rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0);
+ rv = SetSignatureAlgorithm(arena,
+ &cert->signature,
+ &issuer->subjectPublicKeyInfo.algorithm,
+ hashAlgTag,
+ privKey,
+ pssSign);
+ if (!selfsign) {
+ CERT_DestroyCertificate(issuer);
+ }
if (rv != SECSuccess) {
- fprintf(stderr, "Could not set signature algorithm id.");
goto done;
}
@@ -1947,7 +2065,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
+ rv = SECFailure;
+ goto done;
}
der.len = 0;
@@ -1960,7 +2079,8 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign,
goto done;
}
- rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID);
+ rv = SEC_DerSignDataWithAlgorithmID(arena, &cert->derCert, der.data, der.len,
+ privKey, &cert->signature);
if (rv != SECSuccess) {
fprintf(stderr, "Could not sign encoded certificate data.\n");
/* result allocated out of the arena, it will be freed
@@ -1993,6 +2113,7 @@ CreateCert(
certutilExtnList extnList,
const char *extGeneric,
int certVersion,
+ PRBool pssSign,
SECItem *certDER)
{
void *extHandle = NULL;
@@ -2053,7 +2174,7 @@ CreateCert(
rv = SignCert(handle, subjectCert, selfsign, hashAlgTag,
*selfsignprivkey, issuerNickName,
- certVersion, pwarg);
+ certVersion, pssSign, pwarg);
if (rv != SECSuccess)
break;
@@ -2306,6 +2427,7 @@ enum {
cmd_Merge,
cmd_UpgradeMerge, /* test only */
cmd_Rename,
+ cmd_BuildFlags,
max_cmd
};
@@ -2376,6 +2498,7 @@ enum certutilOpts {
opt_GenericExtensions,
opt_NewNickname,
opt_Pss,
+ opt_PssSign,
opt_Help
};
@@ -2407,7 +2530,9 @@ static const secuCommandFlag commands_init[] =
{ /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE,
"upgrade-merge" },
{ /* cmd_Rename */ 0, PR_FALSE, 0, PR_FALSE,
- "rename" }
+ "rename" },
+ { /* cmd_BuildFlags */ 0, PR_FALSE, 0, PR_FALSE,
+ "build-flags" }
};
#define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0]))
@@ -2496,6 +2621,8 @@ static const secuCommandFlag options_init[] =
"new-n" },
{ /* opt_Pss */ 0, PR_FALSE, 0, PR_FALSE,
"pss" },
+ { /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE,
+ "pss-sign" },
};
#define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0]))
@@ -2592,6 +2719,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
exit(1);
}
+ if (certutil.commands[cmd_BuildFlags].activated) {
+ PrintBuildFlags();
+ }
+
if (certutil.options[opt_PasswordFile].arg) {
pwdata.source = PW_FROMFILE;
pwdata.data = certutil.options[opt_PasswordFile].arg;
@@ -2621,12 +2752,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
progName, MIN_KEY_BITS, MAX_KEY_BITS);
return 255;
}
-#ifndef NSS_DISABLE_ECC
if (keytype == ecKey) {
PR_fprintf(PR_STDERR, "%s -g: Not for ec keys.\n", progName);
return 255;
}
-#endif /* NSS_DISABLE_ECC */
}
/* -h specify token name */
@@ -2655,10 +2784,8 @@ certutil_main(int argc, char **argv, PRBool initialize)
keytype = rsaKey;
} else if (PL_strcmp(arg, "dsa") == 0) {
keytype = dsaKey;
-#ifndef NSS_DISABLE_ECC
} else if (PL_strcmp(arg, "ec") == 0) {
keytype = ecKey;
-#endif /* NSS_DISABLE_ECC */
} else if (PL_strcmp(arg, "all") == 0) {
keytype = nullKey;
} else {
@@ -2711,16 +2838,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
/* -q PQG file or curve name */
if (certutil.options[opt_PQGFile].activated) {
-#ifndef NSS_DISABLE_ECC
if ((keytype != dsaKey) && (keytype != ecKey)) {
PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys"
" (-k dsa) or a named curve for EC keys (-k ec)\n)",
progName);
-#else /* } */
- if (keytype != dsaKey) {
- PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
- progName);
-#endif /* NSS_DISABLE_ECC */
return 255;
}
}
@@ -3032,11 +3153,43 @@ certutil_main(int argc, char **argv, PRBool initialize)
/* If creating new database, initialize the password. */
if (certutil.commands[cmd_NewDBs].activated) {
- if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot)))
- PK11_InitPin(slot, (char *)NULL, "");
- else
- SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
- certutil.options[opt_NewPasswordFile].arg);
+ if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot))) {
+ rv = PK11_InitPin(slot, (char *)NULL, "");
+ } else {
+ rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
+ certutil.options[opt_NewPasswordFile].arg);
+ }
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "Could not set password for the slot");
+ goto shutdown;
+ }
+ }
+
+ /* if we are going to modify the cert database,
+ * make sure it's initialized */
+ if (certutil.commands[cmd_ModifyCertTrust].activated ||
+ certutil.commands[cmd_CreateAndAddCert].activated ||
+ certutil.commands[cmd_AddCert].activated ||
+ certutil.commands[cmd_AddEmailCert].activated) {
+ if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
+ char *password = NULL;
+ /* fetch the password from the command line or the file
+ * if no password is supplied, initialize the password to NULL */
+ if (pwdata.source == PW_FROMFILE) {
+ password = SECU_FilePasswd(slot, PR_FALSE, pwdata.data);
+ } else if (pwdata.source == PW_PLAINTEXT) {
+ password = PL_strdup(pwdata.data);
+ }
+ rv = PK11_InitPin(slot, (char *)NULL, password ? password : "");
+ if (password) {
+ PORT_Memset(password, 0, PL_strlen(password));
+ PORT_Free(password);
+ }
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "Could not set password for the slot");
+ goto shutdown;
+ }
+ }
}
/* walk through the upgrade merge if necessary.
@@ -3214,12 +3367,12 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
/* Delete cert (-D) */
if (certutil.commands[cmd_DeleteCert].activated) {
- rv = DeleteCert(certHandle, name);
+ rv = DeleteCert(certHandle, name, &pwdata);
goto shutdown;
}
/* Rename cert (--rename) */
if (certutil.commands[cmd_Rename].activated) {
- rv = RenameCert(certHandle, name, newName);
+ rv = RenameCert(certHandle, name, newName, &pwdata);
goto shutdown;
}
/* Delete key (-F) */
@@ -3237,7 +3390,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
if (certutil.commands[cmd_ChangePassword].activated) {
rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg,
certutil.options[opt_NewPasswordFile].arg);
- goto shutdown;
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "Could not set password for the slot");
+ goto shutdown;
+ }
}
/* Reset the a token */
if (certutil.commands[cmd_TokenReset].activated) {
@@ -3362,6 +3518,25 @@ certutil_main(int argc, char **argv, PRBool initialize)
}
}
+ /* --pss-sign is to sign a certificate with RSA-PSS, even if the
+ * issuer's key is an RSA key. If the key is an RSA-PSS key, the
+ * generated signature is always RSA-PSS. */
+ if (certutil.options[opt_PssSign].activated) {
+ if (!certutil.commands[cmd_CreateNewCert].activated &&
+ !certutil.commands[cmd_CreateAndAddCert].activated) {
+ PR_fprintf(PR_STDERR,
+ "%s -%c: --pss-sign only works with -C or -S.\n",
+ progName, commandToRun);
+ return 255;
+ }
+ if (keytype != rsaKey) {
+ PR_fprintf(PR_STDERR,
+ "%s -%c: --pss-sign only works with RSA keys.\n",
+ progName, commandToRun);
+ return 255;
+ }
+ }
+
/* If we need a list of extensions convert the flags into list format */
if (certutil.commands[cmd_CertReq].activated ||
certutil.commands[cmd_CreateAndAddCert].activated ||
@@ -3499,6 +3674,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
(certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg
: NULL),
certVersion,
+ certutil.options[opt_PssSign].activated,
&certDER);
if (rv)
goto shutdown;
diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c
index 2878e3765..330284c61 100644
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -380,7 +380,6 @@ CERTUTIL_FileForRNG(const char *noise)
return SECSuccess;
}
-#ifndef NSS_DISABLE_ECC
typedef struct curveNameTagPairStr {
char *curveName;
SECOidTag curveOidTag;
@@ -495,9 +494,9 @@ getECParams(const char *curve)
ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
- /*
+ /*
* ecparams->data needs to contain the ASN encoding of an object ID (OID)
- * representing the named curve. The actual OID is in
+ * representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
ecparams->data[0] = SEC_ASN1_OBJECT_ID;
@@ -506,7 +505,6 @@ getECParams(const char *curve)
return ecparams;
}
-#endif /* NSS_DISABLE_ECC */
SECKEYPrivateKey *
CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
@@ -564,14 +562,12 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
params = (void *)&default_pqg_params;
}
break;
-#ifndef NSS_DISABLE_ECC
case ecKey:
mechanism = CKM_EC_KEY_PAIR_GEN;
/* For EC keys, PQGFile determines EC parameters */
if ((params = (void *)getECParams(pqgFile)) == NULL)
return NULL;
break;
-#endif /* NSS_DISABLE_ECC */
default:
return NULL;
}
@@ -580,8 +576,7 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
fprintf(stderr, "Generating key. This may take a few moments...\n\n");
privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp,
- attrFlags, opFlagsOn, opFlagsOn |
- opFlagsOff,
+ attrFlags, opFlagsOn, opFlagsOn | opFlagsOff,
pwdata /*wincx*/);
/* free up the params */
switch (keytype) {
@@ -589,11 +584,9 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
if (dsaparams)
CERTUTIL_DestroyParamsPQG(dsaparams);
break;
-#ifndef NSS_DISABLE_ECC
case ecKey:
SECITEM_FreeItem((SECItem *)params, PR_TRUE);
break;
-#endif
default: /* nothing to free */
break;
}
diff --git a/security/nss/cmd/crlutil/crlgen.c b/security/nss/cmd/crlutil/crlgen.c
index 1f9dc4b43..fce5e2a60 100644
--- a/security/nss/cmd/crlutil/crlgen.c
+++ b/security/nss/cmd/crlutil/crlgen.c
@@ -616,8 +616,7 @@ crlgen_CreateInvalidityDate(PLArenaPool *arena, const char **dataArr,
goto loser;
}
- PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) *
- sizeof(char));
+ PORT_Memcpy(encodedItem->data, dataArr[2], (encodedItem->len = length) * sizeof(char));
*extCode = SEC_OID_X509_INVALID_DATE;
return encodedItem;
diff --git a/security/nss/cmd/fipstest/fipstest.c b/security/nss/cmd/fipstest/fipstest.c
index ab73e42a5..061f3dde0 100644
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -35,13 +35,11 @@
#include "../../lib/freebl/mpi/mpi.h"
#endif
-#ifndef NSS_DISABLE_ECC
extern SECStatus
EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
extern SECStatus
EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
const ECParams *srcParams);
-#endif
#define ENCRYPT 1
#define DECRYPT 0
@@ -2094,7 +2092,6 @@ get_next_line(FILE *req, char *key, char *val, FILE *rsp)
return (c == EOF) ? -1 : ignore;
}
-#ifndef NSS_DISABLE_ECC
typedef struct curveNameTagPairStr {
char *curveName;
SECOidTag curveOidTag;
@@ -2958,7 +2955,6 @@ loser:
}
fclose(ecdsareq);
}
-#endif /* NSS_DISABLE_ECC */
PRBool
isblankline(char *b)
@@ -5926,8 +5922,7 @@ tls(char *reqfn)
goto loser;
}
crv = NSC_DeriveKey(session, &master_mech, pms_handle,
- derive_template, derive_template_count -
- 1,
+ derive_template, derive_template_count - 1,
&master_handle);
if (crv != CKR_OK) {
fprintf(stderr, "NSC_DeriveKey(master) failed crv=0x%x\n",
@@ -6094,7 +6089,6 @@ main(int argc, char **argv)
/* Signature Verification Test */
dsa_sigver_test(argv[3]);
}
-#ifndef NSS_DISABLE_ECC
/*************/
/* ECDSA */
/*************/
@@ -6113,7 +6107,6 @@ main(int argc, char **argv)
/* Signature Verification Test */
ecdsa_sigver_test(argv[3]);
}
-#endif /* NSS_DISABLE_ECC */
/*************/
/* RNG */
/*************/
diff --git a/security/nss/cmd/fipstest/runtest.sh b/security/nss/cmd/fipstest/runtest.sh
index 99cefed77..5f8e66a08 100644
--- a/security/nss/cmd/fipstest/runtest.sh
+++ b/security/nss/cmd/fipstest/runtest.sh
@@ -7,9 +7,6 @@
TESTDIR=${1-.}
COMMAND=${2-run}
TESTS="aes aesgcm dsa ecdsa hmac tls rng rsa sha tdea"
-if [ ${NSS_ENABLE_ECC}x = 1x ]; then
- TESTS=${TESTS} ecdsa
-fi
for i in $TESTS
do
echo "********************Running $i tests"
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index cb4752df9..2b33f8963 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -54,6 +54,10 @@ static char consoleName[] = {
static PRBool utf8DisplayEnabled = PR_FALSE;
+/* The minimum password/pin length (in Unicode characters) in FIPS mode,
+ * defined in lib/softoken/pkcs11i.h. */
+#define FIPS_MIN_PIN 7
+
void
SECU_EnableUtf8Display(PRBool enable)
{
@@ -236,7 +240,8 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
sprintf(prompt,
"Press Enter, then enter PIN for \"%s\" on external device.\n",
PK11_GetTokenName(slot));
- (void)SECU_GetPasswordString(NULL, prompt);
+ char *pw = SECU_GetPasswordString(NULL, prompt);
+ PORT_Free(pw);
/* Fall Through */
case PW_PLAINTEXT:
return PL_strdup(pwdata->data);
@@ -276,10 +281,25 @@ secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
}
/* we have no password, so initialize database with one */
- PR_fprintf(PR_STDERR,
- "Enter a password which will be used to encrypt your keys.\n"
- "The password should be at least 8 characters long,\n"
- "and should contain at least one non-alphabetic character.\n\n");
+ if (PK11_IsFIPS()) {
+ PR_fprintf(PR_STDERR,
+ "Enter a password which will be used to encrypt your keys.\n"
+ "The password should be at least %d characters long,\n"
+ "and should consist of at least three character classes.\n"
+ "The available character classes are: digits (0-9), ASCII\n"
+ "lowercase letters, ASCII uppercase letters, ASCII\n"
+ "non-alphanumeric characters, and non-ASCII characters.\n\n"
+ "If an ASCII uppercase letter appears at the beginning of\n"
+ "the password, it is not counted toward its character class.\n"
+ "Similarly, if a digit appears at the end of the password,\n"
+ "it is not counted toward its character class.\n\n",
+ FIPS_MIN_PIN);
+ } else {
+ PR_fprintf(PR_STDERR,
+ "Enter a password which will be used to encrypt your keys.\n"
+ "The password should be at least 8 characters long,\n"
+ "and should contain at least one non-alphabetic character.\n\n");
+ }
output = fopen(consoleName, "w");
if (output == NULL) {
@@ -465,48 +485,6 @@ SECU_ConfigDirectory(const char *base)
return buf;
}
-/*Turn off SSL for now */
-/* This gets called by SSL when server wants our cert & key */
-int
-SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
- struct CERTDistNamesStr *caNames,
- struct CERTCertificateStr **pRetCert,
- struct SECKEYPrivateKeyStr **pRetKey)
-{
- SECKEYPrivateKey *key;
- CERTCertificate *cert;
- int errsave;
-
- if (arg == NULL) {
- fprintf(stderr, "no key/cert name specified for client auth\n");
- return -1;
- }
- cert = PK11_FindCertFromNickname(arg, NULL);
- errsave = PORT_GetError();
- if (!cert) {
- if (errsave == SEC_ERROR_BAD_PASSWORD)
- fprintf(stderr, "Bad password\n");
- else if (errsave > 0)
- fprintf(stderr, "Unable to read cert (error %d)\n", errsave);
- else if (errsave == SEC_ERROR_BAD_DATABASE)
- fprintf(stderr, "Unable to get cert from database (%d)\n", errsave);
- else
- fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave);
- return -1;
- }
-
- key = PK11_FindKeyByAnyCert(arg, NULL);
- if (!key) {
- fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError());
- return -1;
- }
-
- *pRetCert = cert;
- *pRetKey = key;
-
- return 0;
-}
-
SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
PRBool warnOnPrivateKeyInAsciiFile)
@@ -991,7 +969,7 @@ secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level)
for (s = my.data, d = tmp.data; len > 0; len--) {
PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
s += 4;
- if (!isprint(bmpChar))
+ if (!isprint(bmpChar & 0xFF))
goto loser;
*d++ = (unsigned char)bmpChar;
}
@@ -1215,7 +1193,7 @@ secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
SECU_Indent(out, level + 1);
fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
} else {
- SECU_PrintInteger(out, &param.saltLength, "Salt Length", level + 1);
+ SECU_PrintInteger(out, &param.saltLength, "Salt length", level + 1);
}
} else {
SECU_Indent(out, level + 1);
@@ -1335,15 +1313,12 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
return;
}
- if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
- secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
- return;
- }
-
if (a->parameters.len == 0 ||
(a->parameters.len == 2 &&
PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
/* No arguments or NULL argument */
+ } else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
} else {
/* Print args to algorithm */
SECU_PrintAsHex(out, &a->parameters, "Args", level + 1);
@@ -1390,7 +1365,6 @@ secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level)
}
}
-#ifndef NSS_DISABLE_ECC
static void
secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
{
@@ -1409,7 +1383,6 @@ secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
SECU_PrintObjectID(out, &curveOID, "Curve", level + 1);
}
}
-#endif /* NSS_DISABLE_ECC */
void
SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
@@ -1457,11 +1430,9 @@ secu_PrintSubjectPublicKeyInfo(FILE *out, PLArenaPool *arena,
SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level + 1);
break;
-#ifndef NSS_DISABLE_ECC
case ecKey:
secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1);
break;
-#endif
case dhKey:
case fortezzaKey:
@@ -3614,44 +3585,6 @@ loser:
return rv;
}
-#if 0
-
-/* we need access to the private function cert_FindExtension for this code to work */
-
-CERTAuthKeyID *
-SECU_FindCRLAuthKeyIDExten (PLArenaPool *arena, CERTSignedCrl *scrl)
-{
- SECItem encodedExtenValue;
- SECStatus rv;
- CERTAuthKeyID *ret;
- CERTCrl* crl;
-
- if (!scrl) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
-
- crl = &scrl->crl;
-
- encodedExtenValue.data = NULL;
- encodedExtenValue.len = 0;
-
- rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID,
- &encodedExtenValue);
- if ( rv != SECSuccess ) {
- return (NULL);
- }
-
- ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
-
- PORT_Free(encodedExtenValue.data);
- encodedExtenValue.data = NULL;
-
- return(ret);
-}
-
-#endif
-
/*
* Find the issuer of a Crl. Use the authorityKeyID if it exists.
*/
@@ -3725,7 +3658,7 @@ SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
void *pwarg)
{
CERTCertificate *the_cert;
- the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+ the_cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwarg);
if (the_cert) {
return the_cert;
}
diff --git a/security/nss/cmd/libpkix/pkix/util/test_list2.c b/security/nss/cmd/libpkix/pkix/util/test_list2.c
index 7e4114e52..b802ff0e6 100644
--- a/security/nss/cmd/libpkix/pkix/util/test_list2.c
+++ b/security/nss/cmd/libpkix/pkix/util/test_list2.c
@@ -78,16 +78,14 @@ test_list2(int argc, char *argv[])
for (i = 0; i < size; i++)
for (j = 9; j > i; j--) {
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j, &obj, plContext));
- PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j -
- 1,
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_GetItem(list, j - 1,
&obj2, plContext));
PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_Compare(obj, obj2, &cmpResult, plContext));
if (cmpResult < 0) {
/* Exchange the items */
PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j, obj2, plContext));
- PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j -
- 1,
+ PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetItem(list, j - 1,
obj, plContext));
}
/* DecRef objects */
diff --git a/security/nss/cmd/listsuites/listsuites.c b/security/nss/cmd/listsuites/listsuites.c
index 458130e5e..8eb2c3553 100644
--- a/security/nss/cmd/listsuites/listsuites.c
+++ b/security/nss/cmd/listsuites/listsuites.c
@@ -10,7 +10,9 @@
#include <errno.h>
#include <stdio.h>
+#include "nss.h"
#include "secport.h"
+#include "secutil.h"
#include "ssl.h"
int
@@ -19,6 +21,43 @@ main(int argc, char **argv)
const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
int i;
int errCount = 0;
+ SECStatus rv;
+ PRErrorCode err;
+ char *certDir = NULL;
+
+ /* load policy from $SSL_DIR/pkcs11.txt, for testing */
+ certDir = SECU_DefaultSSLDir();
+ if (certDir) {
+ rv = NSS_Init(certDir);
+ } else {
+ rv = NSS_NoDB_Init(NULL);
+ }
+ if (rv != SECSuccess) {
+ err = PR_GetError();
+ ++errCount;
+ fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err));
+ goto out;
+ }
+
+ /* apply policy */
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
+ if (rv != SECSuccess) {
+ err = PR_GetError();
+ ++errCount;
+ fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n",
+ PORT_ErrorToString(err));
+ goto out;
+ }
+
+ /* update the default cipher suites according to the policy */
+ rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+ if (rv != SECSuccess) {
+ err = PR_GetError();
+ ++errCount;
+ fprintf(stderr, "SSL_OptionSetDefault failed: %s\n",
+ PORT_ErrorToString(err));
+ goto out;
+ }
fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
@@ -58,5 +97,14 @@ main(int argc, char **argv)
info.isFIPS ? "FIPS" : "",
info.nonStandard ? "nonStandard" : "");
}
+
+out:
+ rv = NSS_Shutdown();
+ if (rv != SECSuccess) {
+ err = PR_GetError();
+ ++errCount;
+ fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err));
+ }
+
return errCount;
}
diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn
index 153384ce1..567c6bb9d 100644
--- a/security/nss/cmd/manifest.mn
+++ b/security/nss/cmd/manifest.mn
@@ -36,7 +36,6 @@ NSS_SRCDIRS = \
addbuiltin \
atob \
btoa \
- certcgi \
certutil \
chktest \
crlutil \
@@ -63,6 +62,7 @@ NSS_SRCDIRS = \
pp \
pwdecrypt \
rsaperf \
+ rsapoptst \
sdrtest \
selfserv \
signtool \
diff --git a/security/nss/cmd/modutil/error.h b/security/nss/cmd/modutil/error.h
index b328afebc..d9f06592f 100644
--- a/security/nss/cmd/modutil/error.h
+++ b/security/nss/cmd/modutil/error.h
@@ -57,6 +57,7 @@ typedef enum {
UNSPECIFIED_ERR,
NOCERTDB_MISUSE_ERR,
NSS_INITIALIZE_FAILED_ERR,
+ INITPW_FAILED_ERR,
LAST_ERR /* must be last */
} Error;
@@ -109,8 +110,9 @@ static char *errStrings[] = {
"ERROR: Failed to change default.\n",
"ERROR: Unable to read from standard input.\n",
"ERROR: Unknown error occurred.\n",
- "ERROR: -nocertdb option can only be used with the -jar command.\n"
- "ERROR: NSS_Initialize() failed.\n"
+ "ERROR: -nocertdb option can only be used with the -jar command.\n",
+ "ERROR: NSS_Initialize() failed.\n",
+ "ERROR: Unable to set initial password on the database.\n"
};
typedef enum {
diff --git a/security/nss/cmd/modutil/install-ds.c b/security/nss/cmd/modutil/install-ds.c
index c8fef7897..030568762 100644
--- a/security/nss/cmd/modutil/install-ds.c
+++ b/security/nss/cmd/modutil/install-ds.c
@@ -975,8 +975,7 @@ Pk11Install_Platform_Print(Pk11Install_Platform* _this, int pad)
printf("Doesn't use equiv\n");
}
PAD(pad);
- printf("Module File: %s\n", _this->moduleFile ? _this->moduleFile
- : "<NULL>");
+ printf("Module File: %s\n", _this->moduleFile ? _this->moduleFile : "<NULL>");
PAD(pad);
printf("mechFlags: %lx\n", _this->mechFlags);
PAD(pad);
diff --git a/security/nss/cmd/modutil/modutil.c b/security/nss/cmd/modutil/modutil.c
index 02972f7b4..c1b44be53 100644
--- a/security/nss/cmd/modutil/modutil.c
+++ b/security/nss/cmd/modutil/modutil.c
@@ -865,7 +865,7 @@ main(int argc, char* argv[])
errcode = ChangePW(tokenName, pwFile, newpwFile);
break;
case CREATE_COMMAND:
- /* The work was already done in init_crypto() */
+ errcode = InitPW();
break;
case DEFAULT_COMMAND:
errcode = SetDefaultModule(moduleName, slotName, mechanisms);
diff --git a/security/nss/cmd/modutil/modutil.h b/security/nss/cmd/modutil/modutil.h
index 127d0d0da..04aa908c8 100644
--- a/security/nss/cmd/modutil/modutil.h
+++ b/security/nss/cmd/modutil/modutil.h
@@ -29,6 +29,7 @@ Error AddModule(char *moduleName, char *libFile, char *ciphers,
Error DeleteModule(char *moduleName);
Error ListModule(char *moduleName);
Error ListModules();
+Error InitPW(void);
Error ChangePW(char *tokenName, char *pwFile, char *newpwFile);
Error EnableModule(char *moduleName, char *slotName, PRBool enable);
Error RawAddModule(char *dbmodulespec, char *modulespec);
diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c
index 834469af1..1efc1895c 100644
--- a/security/nss/cmd/modutil/pk11.c
+++ b/security/nss/cmd/modutil/pk11.c
@@ -670,6 +670,39 @@ loser:
/************************************************************************
*
+ * I n i t P W
+ */
+Error
+InitPW(void)
+{
+ PK11SlotInfo *slot;
+ Error ret = UNSPECIFIED_ERR;
+
+ slot = PK11_GetInternalKeySlot();
+ if (!slot) {
+ PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal");
+ return NO_SUCH_TOKEN_ERR;
+ }
+
+ /* Set the initial password to empty */
+ if (PK11_NeedUserInit(slot)) {
+ if (PK11_InitPin(slot, NULL, "") != SECSuccess) {
+ PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]);
+ ret = INITPW_FAILED_ERR;
+ goto loser;
+ }
+ }
+
+ ret = SUCCESS;
+
+loser:
+ PK11_FreeSlot(slot);
+
+ return ret;
+}
+
+/************************************************************************
+ *
* C h a n g e P W
*/
Error
@@ -695,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile, char *newpwFile)
ret = BAD_PW_ERR;
goto loser;
}
- } else {
+ } else if (PK11_NeedLogin(slot)) {
for (matching = PR_FALSE; !matching;) {
oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
diff --git a/security/nss/cmd/multinit/multinit.c b/security/nss/cmd/multinit/multinit.c
index a57c4819f..874263e56 100644
--- a/security/nss/cmd/multinit/multinit.c
+++ b/security/nss/cmd/multinit/multinit.c
@@ -502,8 +502,7 @@ do_list_certs(const char *progName, int log)
SECU_PrintCertNickname(node, stderr);
if (log) {
- fprintf(stderr, "* Slot=%s*\n", cert->slot ? PK11_GetTokenName(cert->slot)
- : "none");
+ fprintf(stderr, "* Slot=%s*\n", cert->slot ? PK11_GetTokenName(cert->slot) : "none");
fprintf(stderr, "* Nickname=%s*\n", cert->nickname);
fprintf(stderr, "* Subject=<%s>*\n", cert->subjectName);
fprintf(stderr, "* Issuer=<%s>*\n", cert->issuerName);
diff --git a/security/nss/cmd/pk11mode/pk11mode.c b/security/nss/cmd/pk11mode/pk11mode.c
index 2f1fa374e..99891096c 100644
--- a/security/nss/cmd/pk11mode/pk11mode.c
+++ b/security/nss/cmd/pk11mode/pk11mode.c
@@ -2169,36 +2169,22 @@ PKM_Mechanism(CK_FUNCTION_LIST_PTR pFunctionList,
PKM_LogIt(" ulMinKeySize = %lu\n", minfo.ulMinKeySize);
PKM_LogIt(" ulMaxKeySize = %lu\n", minfo.ulMaxKeySize);
PKM_LogIt(" flags = 0x%08x\n", minfo.flags);
- PKM_LogIt(" -> HW = %s\n", minfo.flags & CKF_HW ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> ENCRYPT = %s\n", minfo.flags & CKF_ENCRYPT ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> DECRYPT = %s\n", minfo.flags & CKF_DECRYPT ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> DIGEST = %s\n", minfo.flags & CKF_DIGEST ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> SIGN = %s\n", minfo.flags & CKF_SIGN ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> SIGN_RECOVER = %s\n", minfo.flags &
- CKF_SIGN_RECOVER
- ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> VERIFY = %s\n", minfo.flags & CKF_VERIFY ? "TRUE"
- : "FALSE");
+ PKM_LogIt(" -> HW = %s\n", minfo.flags & CKF_HW ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> ENCRYPT = %s\n", minfo.flags & CKF_ENCRYPT ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> DECRYPT = %s\n", minfo.flags & CKF_DECRYPT ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> DIGEST = %s\n", minfo.flags & CKF_DIGEST ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> SIGN = %s\n", minfo.flags & CKF_SIGN ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> SIGN_RECOVER = %s\n", minfo.flags & CKF_SIGN_RECOVER ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> VERIFY = %s\n", minfo.flags & CKF_VERIFY ? "TRUE" : "FALSE");
PKM_LogIt(" -> VERIFY_RECOVER = %s\n",
minfo.flags & CKF_VERIFY_RECOVER ? "TRUE" : "FALSE");
- PKM_LogIt(" -> GENERATE = %s\n", minfo.flags & CKF_GENERATE ? "TRUE"
- : "FALSE");
+ PKM_LogIt(" -> GENERATE = %s\n", minfo.flags & CKF_GENERATE ? "TRUE" : "FALSE");
PKM_LogIt(" -> GENERATE_KEY_PAIR = %s\n",
minfo.flags & CKF_GENERATE_KEY_PAIR ? "TRUE" : "FALSE");
- PKM_LogIt(" -> WRAP = %s\n", minfo.flags & CKF_WRAP ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> UNWRAP = %s\n", minfo.flags & CKF_UNWRAP ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> DERIVE = %s\n", minfo.flags & CKF_DERIVE ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> EXTENSION = %s\n", minfo.flags & CKF_EXTENSION ? "TRUE"
- : "FALSE");
+ PKM_LogIt(" -> WRAP = %s\n", minfo.flags & CKF_WRAP ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> UNWRAP = %s\n", minfo.flags & CKF_UNWRAP ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> DERIVE = %s\n", minfo.flags & CKF_DERIVE ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> EXTENSION = %s\n", minfo.flags & CKF_EXTENSION ? "TRUE" : "FALSE");
PKM_LogIt("\n");
}
@@ -3604,24 +3590,12 @@ PKM_FindAllObjects(CK_FUNCTION_LIST_PTR pFunctionList,
PKM_LogIt(" state = %lu\n", sinfo.state);
PKM_LogIt(" flags = 0x%08x\n", sinfo.flags);
#ifdef CKF_EXCLUSIVE_SESSION
- PKM_LogIt(" -> EXCLUSIVE SESSION = %s\n", sinfo.flags &
- CKF_EXCLUSIVE_SESSION
- ? "TRUE"
- : "FALSE");
+ PKM_LogIt(" -> EXCLUSIVE SESSION = %s\n", sinfo.flags & CKF_EXCLUSIVE_SESSION ? "TRUE" : "FALSE");
#endif /* CKF_EXCLUSIVE_SESSION */
- PKM_LogIt(" -> RW SESSION = %s\n", sinfo.flags &
- CKF_RW_SESSION
- ? "TRUE"
- : "FALSE");
- PKM_LogIt(" -> SERIAL SESSION = %s\n", sinfo.flags &
- CKF_SERIAL_SESSION
- ? "TRUE"
- : "FALSE");
+ PKM_LogIt(" -> RW SESSION = %s\n", sinfo.flags & CKF_RW_SESSION ? "TRUE" : "FALSE");
+ PKM_LogIt(" -> SERIAL SESSION = %s\n", sinfo.flags & CKF_SERIAL_SESSION ? "TRUE" : "FALSE");
#ifdef CKF_INSERTION_CALLBACK
- PKM_LogIt(" -> INSERTION CALLBACK = %s\n", sinfo.flags &
- CKF_INSERTION_CALLBACK
- ? "TRUE"
- : "FALSE");
+ PKM_LogIt(" -> INSERTION CALLBACK = %s\n", sinfo.flags & CKF_INSERTION_CALLBACK ? "TRUE" : "FALSE");
#endif /* CKF_INSERTION_CALLBACK */
PKM_LogIt(" ulDeviceError = %lu\n", sinfo.ulDeviceError);
PKM_LogIt("\n");
diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c
index 0ac1ba00e..70454a0d8 100644
--- a/security/nss/cmd/pk12util/pk12util.c
+++ b/security/nss/cmd/pk12util/pk12util.c
@@ -23,6 +23,7 @@
static char *progName;
PRBool pk12_debugging = PR_FALSE;
PRBool dumpRawFile;
+static PRBool pk12uForceUnicode;
PRIntn pk12uErrno = 0;
@@ -357,6 +358,7 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,
SECItem p12file = { 0 };
SECStatus rv = SECFailure;
PRBool swapUnicode = PR_FALSE;
+ PRBool forceUnicode = pk12uForceUnicode;
PRBool trypw;
int error;
@@ -424,6 +426,18 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,
SEC_PKCS12DecoderFinish(p12dcx);
uniPwp->len = 0;
trypw = PR_TRUE;
+ } else if (forceUnicode == pk12uForceUnicode) {
+ /* try again with a different password encoding */
+ forceUnicode = !pk12uForceUnicode;
+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE,
+ forceUnicode);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "PKCS12 decoding failed to set option");
+ pk12uErrno = PK12UERR_DECODEVERIFY;
+ break;
+ }
+ SEC_PKCS12DecoderFinish(p12dcx);
+ trypw = PR_TRUE;
} else {
SECU_PrintError(progName, "PKCS12 decode not verified");
pk12uErrno = PK12UERR_DECODEVERIFY;
@@ -431,6 +445,15 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,
}
}
} while (trypw == PR_TRUE);
+
+ /* revert the option setting */
+ if (forceUnicode != pk12uForceUnicode) {
+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "PKCS12 decoding failed to set option");
+ pk12uErrno = PK12UERR_DECODEVERIFY;
+ }
+ }
/* rv has been set at this point */
done:
@@ -470,6 +493,8 @@ P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot,
{
SEC_PKCS12DecoderContext *p12dcx = NULL;
SECItem uniPwitem = { 0 };
+ PRBool forceUnicode = pk12uForceUnicode;
+ PRBool trypw;
SECStatus rv = SECFailure;
rv = P12U_InitSlot(slot, slotPw);
@@ -480,31 +505,62 @@ P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot,
return rv;
}
- rv = SECFailure;
- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
+ do {
+ trypw = PR_FALSE; /* normally we do this once */
+ rv = SECFailure;
+ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
- if (p12dcx == NULL) {
- goto loser;
- }
+ if (p12dcx == NULL) {
+ goto loser;
+ }
- /* make sure the bags are okey dokey -- nicknames correct, etc. */
- rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
- if (rv != SECSuccess) {
- if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
- pk12uErrno = PK12UERR_CERTALREADYEXISTS;
- } else {
- pk12uErrno = PK12UERR_DECODEVALIBAGS;
+ /* make sure the bags are okey dokey -- nicknames correct, etc. */
+ rv = SEC_PKCS12DecoderValidateBags(p12dcx, P12U_NicknameCollisionCallback);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_PKCS12_DUPLICATE_DATA) {
+ pk12uErrno = PK12UERR_CERTALREADYEXISTS;
+ } else {
+ pk12uErrno = PK12UERR_DECODEVALIBAGS;
+ }
+ SECU_PrintError(progName, "PKCS12 decode validate bags failed");
+ goto loser;
}
- SECU_PrintError(progName, "PKCS12 decode validate bags failed");
- goto loser;
- }
- /* stuff 'em in */
- rv = SEC_PKCS12DecoderImportBags(p12dcx);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "PKCS12 decode import bags failed");
- pk12uErrno = PK12UERR_DECODEIMPTBAGS;
- goto loser;
+ /* stuff 'em in */
+ if (forceUnicode != pk12uForceUnicode) {
+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE,
+ forceUnicode);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "PKCS12 decode set option failed");
+ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
+ goto loser;
+ }
+ }
+ rv = SEC_PKCS12DecoderImportBags(p12dcx);
+ if (rv != SECSuccess) {
+ if (PR_GetError() == SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY &&
+ forceUnicode == pk12uForceUnicode) {
+ /* try again with a different password encoding */
+ forceUnicode = !pk12uForceUnicode;
+ SEC_PKCS12DecoderFinish(p12dcx);
+ SECITEM_ZfreeItem(&uniPwitem, PR_FALSE);
+ trypw = PR_TRUE;
+ } else {
+ SECU_PrintError(progName, "PKCS12 decode import bags failed");
+ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
+ goto loser;
+ }
+ }
+ } while (trypw);
+
+ /* revert the option setting */
+ if (forceUnicode != pk12uForceUnicode) {
+ rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "PKCS12 decode set option failed");
+ pk12uErrno = PK12UERR_DECODEIMPTBAGS;
+ goto loser;
+ }
}
fprintf(stdout, "%s: PKCS12 IMPORT SUCCESSFUL\n", progName);
@@ -947,6 +1003,7 @@ main(int argc, char **argv)
int keyLen = 0;
int certKeyLen = 0;
secuCommand pk12util;
+ PRInt32 forceUnicode;
#ifdef _CRTDBG_MAP_ALLOC
_CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
@@ -978,6 +1035,14 @@ main(int argc, char **argv)
Usage(progName);
}
+ rv = NSS_OptionGet(__NSS_PKCS12_DECODE_FORCE_UNICODE, &forceUnicode);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName,
+ "Failed to get NSS_PKCS12_DECODE_FORCE_UNICODE option");
+ Usage(progName);
+ }
+ pk12uForceUnicode = forceUnicode;
+
slotname = SECU_GetOptionArg(&pk12util, opt_TokenName);
import_file = (pk12util.options[opt_List].activated) ? SECU_GetOptionArg(&pk12util, opt_List)
diff --git a/security/nss/cmd/pp/pp.c b/security/nss/cmd/pp/pp.c
index 9f33d10a4..d6e276834 100644
--- a/security/nss/cmd/pp/pp.c
+++ b/security/nss/cmd/pp/pp.c
@@ -84,6 +84,8 @@ main(int argc, char **argv)
if (!inFile) {
fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
progName, optstate->value);
+ PORT_Free(typeTag);
+ PL_DestroyOptState(optstate);
return -1;
}
break;
@@ -93,6 +95,8 @@ main(int argc, char **argv)
if (!outFile) {
fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
progName, optstate->value);
+ PORT_Free(typeTag);
+ PL_DestroyOptState(optstate);
return -1;
}
break;
diff --git a/security/nss/cmd/rsaperf/rsaperf.c b/security/nss/cmd/rsaperf/rsaperf.c
index 556030f6a..2bb23856e 100644
--- a/security/nss/cmd/rsaperf/rsaperf.c
+++ b/security/nss/cmd/rsaperf/rsaperf.c
@@ -671,8 +671,7 @@ main(int argc, char **argv)
printf("%ld iterations in %s\n",
iters, TimingGenerateString(timeCtx));
- printf("%.2f operations/s .\n", ((double)(iters) * (double)1000000.0) /
- (double)timeCtx->interval);
+ printf("%.2f operations/s .\n", ((double)(iters) * (double)1000000.0) / (double)timeCtx->interval);
TimingDivide(timeCtx, iters);
printf("one operation every %s\n", TimingGenerateString(timeCtx));
diff --git a/security/nss/cmd/rsapoptst/rsapoptst.c b/security/nss/cmd/rsapoptst/rsapoptst.c
index 81ddcd6c4..d9468e6d6 100644
--- a/security/nss/cmd/rsapoptst/rsapoptst.c
+++ b/security/nss/cmd/rsapoptst/rsapoptst.c
@@ -23,7 +23,7 @@ static const struct test_args test_array[] = {
{ "d_n_q", 0x02, "private exponent, modulus, prime2" },
{ "d_p_q", 0x04, "private exponent, prime1, prime2" },
{ "e_d_q", 0x08, "public exponent, private exponent, prime2" },
- { "e_d_n", 0x10, "public exponent, private exponent, moduls" }
+ { "e_d_n", 0x10, "public exponent, private exponent, modulus" }
};
static const int test_array_size =
(sizeof(test_array) / sizeof(struct test_args));
@@ -58,6 +58,7 @@ const static CK_ATTRIBUTE rsaTemplate[] = {
{ CKA_TOKEN, NULL, 0 },
{ CKA_SENSITIVE, NULL, 0 },
{ CKA_PRIVATE, NULL, 0 },
+ { CKA_ID, NULL, 0 },
{ CKA_MODULUS, NULL, 0 },
{ CKA_PUBLIC_EXPONENT, NULL, 0 },
{ CKA_PRIVATE_EXPONENT, NULL, 0 },
@@ -123,46 +124,77 @@ fail:
#define ATTR_STRING(x) getNameFromAttribute(x)
+static void
+dumphex(FILE *file, const unsigned char *cpval, int start, int end)
+{
+ int i;
+ for (i = start; i < end; i++) {
+ if ((i % 16) == 0)
+ fprintf(file, "\n ");
+ fprintf(file, " %02x", cpval[i]);
+ }
+ return;
+}
+
void
-dumpTemplate(CK_ATTRIBUTE *template, int start, int end)
+dumpTemplate(FILE *file, const CK_ATTRIBUTE *template, int start, int end)
{
- int i, j;
- for (i = 0; i < end; i++) {
+ int i;
+ for (i = start; i < end; i++) {
unsigned char cval;
CK_ULONG ulval;
- unsigned char *cpval;
+ const unsigned char *cpval;
- fprintf(stderr, "%s:", ATTR_STRING(template[i].type));
+ fprintf(file, "%s:", ATTR_STRING(template[i].type));
switch (template[i].ulValueLen) {
case 1:
cval = *(unsigned char *)template[i].pValue;
switch (cval) {
case 0:
- fprintf(stderr, " false");
+ fprintf(file, " false");
break;
case 1:
- fprintf(stderr, " true");
+ fprintf(file, " true");
break;
default:
- fprintf(stderr, " %d (=0x%02x,'%c')", cval, cval, cval);
+ fprintf(file, " %d (=0x%02x,'%c')", cval, cval, cval);
break;
}
break;
case sizeof(CK_ULONG):
ulval = *(CK_ULONG *)template[i].pValue;
- fprintf(stderr, " %ld (=0x%04lx)", ulval, ulval);
+ fprintf(file, " %ld (=0x%04lx)", ulval, ulval);
break;
default:
- cpval = (unsigned char *)template[i].pValue;
- for (j = 0; j < template[i].ulValueLen; j++) {
- if ((j % 16) == 0)
- fprintf(stderr, "\n ");
- fprintf(stderr, " %02x", cpval[j]);
- }
+ cpval = (const unsigned char *)template[i].pValue;
+ dumphex(file, cpval, 0, template[i].ulValueLen);
break;
}
- fprintf(stderr, "\n");
+ fprintf(file, "\n");
+ }
+}
+
+void
+dumpItem(FILE *file, const SECItem *item)
+{
+ const unsigned char *cpval;
+
+ if (item == NULL) {
+ fprintf(file, " pNULL ");
+ return;
+ }
+ if (item->data == NULL) {
+ fprintf(file, " NULL ");
+ return;
}
+ if (item->len == 0) {
+ fprintf(file, " Empty ");
+ return;
+ }
+ cpval = item->data;
+ dumphex(file, cpval, 0, item->len);
+ fprintf(file, " ");
+ return;
}
PRBool
@@ -184,13 +216,16 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src,
printf("Could read source key\n");
return PR_FALSE;
}
- readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES);
+ rv = readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES);
if (rv != SECSuccess) {
printf("Could read dest key\n");
return PR_FALSE;
}
for (i = 0; i < RSA_ATTRIBUTES; i++) {
+ if (srcTemplate[i].type == CKA_ID) {
+ continue; /* we purposefully make the CKA_ID different */
+ }
if (srcTemplate[i].ulValueLen != destTemplate[i].ulValueLen) {
printf("key->%s not equal src_len = %ld, dest_len=%ld\n",
ATTR_STRING(srcTemplate[i].type),
@@ -204,18 +239,22 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src,
}
if (!areEqual) {
fprintf(stderr, "original key:\n");
- dumpTemplate(srcTemplate, 0, RSA_ATTRIBUTES);
+ dumpTemplate(stderr, srcTemplate, 0, RSA_ATTRIBUTES);
fprintf(stderr, "created key:\n");
- dumpTemplate(destTemplate, 0, RSA_ATTRIBUTES);
+ dumpTemplate(stderr, destTemplate, 0, RSA_ATTRIBUTES);
}
+ resetTemplate(srcTemplate, 0, RSA_ATTRIBUTES);
+ resetTemplate(destTemplate, 0, RSA_ATTRIBUTES);
return areEqual;
}
static int exp_exp_prime_fail_count = 0;
+#define LEAK_ID 0xf
+
static int
doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
- int mask, void *pwarg)
+ int mask, int round, void *pwarg)
{
SECKEYPrivateKey *rsaPrivKey;
SECKEYPublicKey *rsaPubKey;
@@ -227,7 +266,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
CK_OBJECT_CLASS obj_class = CKO_PRIVATE_KEY;
CK_KEY_TYPE key_type = CKK_RSA;
CK_BBOOL ck_false = CK_FALSE;
+ CK_BYTE cka_id[2] = { 0, 0 };
int failed = 0;
+ int leak_found; /* did we find the expected leak */
+ int expect_leak = 0; /* are we expecting a leak? */
rsaParams.pe = exponent;
rsaParams.keySizeInBits = keySize;
@@ -259,11 +301,15 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
tstTemplate[3].ulValueLen = sizeof(ck_false);
tstTemplate[4].pValue = &ck_false;
tstTemplate[4].ulValueLen = sizeof(ck_false);
- tstHeaderCount = 5;
+ tstTemplate[5].pValue = &cka_id[0];
+ tstTemplate[5].ulValueLen = sizeof(cka_id);
+ tstHeaderCount = 6;
+ cka_id[0] = round;
if (mask & 1) {
printf("%s\n", test_array[1].description);
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+ cka_id[1] = 0;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PUBLIC_EXPONENT);
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
@@ -271,10 +317,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount + 2, CKA_PRIME_1);
- tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
- tstHeaderCount +
- 3,
- PR_FALSE);
+ tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+ tstHeaderCount +
+ 3,
+ PR_FALSE);
if (tstPrivKey == NULL) {
fprintf(stderr, "RSA Populate failed: pubExp mod p\n");
failed = 1;
@@ -290,6 +336,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
printf("%s\n", test_array[2].description);
/* test the basic2 case, public exponent, modulus, prime2 */
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+ cka_id[1] = 1;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PUBLIC_EXPONENT);
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
@@ -299,10 +346,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
/* test with q in the prime1 position */
tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1;
- tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
- tstHeaderCount +
- 3,
- PR_FALSE);
+ tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+ tstHeaderCount +
+ 3,
+ PR_FALSE);
if (tstPrivKey == NULL) {
fprintf(stderr, "RSA Populate failed: pubExp mod q\n");
failed = 1;
@@ -318,6 +365,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
printf("%s\n", test_array[3].description);
/* test the medium case, private exponent, prime1, prime2 */
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+ cka_id[1] = 2;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PRIVATE_EXPONENT);
@@ -329,10 +377,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
tstTemplate[tstHeaderCount + 2].type = CKA_PRIME_1;
tstTemplate[tstHeaderCount + 1].type = CKA_PRIME_2;
- tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
- tstHeaderCount +
- 3,
- PR_FALSE);
+ tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+ tstHeaderCount +
+ 3,
+ PR_FALSE);
if (tstPrivKey == NULL) {
fprintf(stderr, "RSA Populate failed: privExp p q\n");
failed = 1;
@@ -348,6 +396,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
printf("%s\n", test_array[4].description);
/* test the advanced case, public exponent, private exponent, prime2 */
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+ cka_id[1] = 3;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PRIVATE_EXPONENT);
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
@@ -355,10 +404,10 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount + 2, CKA_PRIME_2);
- tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
- tstHeaderCount +
- 3,
- PR_FALSE);
+ tstPrivKey = PK11_CreateManagedGenericObject(slot, tstTemplate,
+ tstHeaderCount +
+ 3,
+ PR_FALSE);
if (tstPrivKey == NULL) {
fprintf(stderr, "RSA Populate failed: pubExp privExp q\n");
fprintf(stderr, " this is expected periodically. It means we\n");
@@ -373,11 +422,12 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
if (tstPrivKey)
PK11_DestroyGenericObject(tstPrivKey);
}
- if (mask & 16) {
+ if (mask & 0x10) {
printf("%s\n", test_array[5].description);
/* test the advanced case2, public exponent, private exponent, modulus
*/
resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+ cka_id[1] = LEAK_ID;
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount, CKA_PRIVATE_EXPONENT);
@@ -386,6 +436,7 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
copyAttribute(PK11_TypePrivKey, rsaPrivKey, tstTemplate,
tstHeaderCount + 2, CKA_MODULUS);
+ /* purposefully use the old version. This will create a leak */
tstPrivKey = PK11_CreateGenericObject(slot, tstTemplate,
tstHeaderCount +
3,
@@ -398,9 +449,59 @@ doRSAPopulateTest(unsigned int keySize, unsigned long exponent,
fprintf(stderr, "RSA Populate key mismatch: pubExp privExp mod\n");
failed = 1;
}
+ expect_leak = 1;
if (tstPrivKey)
PK11_DestroyGenericObject(tstPrivKey);
}
+ resetTemplate(tstTemplate, tstHeaderCount, RSA_ATTRIBUTES);
+ SECKEY_DestroyPrivateKey(rsaPrivKey);
+ SECKEY_DestroyPublicKey(rsaPubKey);
+
+ /* make sure we didn't leak */
+ leak_found = 0;
+ tstPrivKey = PK11_FindGenericObjects(slot, CKO_PRIVATE_KEY);
+ if (tstPrivKey) {
+ SECStatus rv;
+ PK11GenericObject *thisKey;
+ int i;
+
+ fprintf(stderr, "Leaking keys...\n");
+ for (i = 0, thisKey = tstPrivKey; thisKey; i++,
+ thisKey = PK11_GetNextGenericObject(thisKey)) {
+ SECItem id = { 0, NULL, 0 };
+
+ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, thisKey,
+ CKA_ID, &id);
+ if (rv != SECSuccess) {
+ fprintf(stderr, "Key %d: couldn't read CKA_ID: %s\n",
+ i, PORT_ErrorToString(PORT_GetError()));
+ continue;
+ }
+ fprintf(stderr, "id = { ");
+ dumpItem(stderr, &id);
+ fprintf(stderr, "};");
+ if (id.data[1] == LEAK_ID) {
+ fprintf(stderr, " ---> leak expected\n");
+ if (id.data[0] == round)
+ leak_found = 1;
+ } else {
+ if (id.len != sizeof(cka_id)) {
+ fprintf(stderr,
+ " ---> ERROR unexpected leak in generated key\n");
+ } else {
+ fprintf(stderr,
+ " ---> ERROR unexpected leak in constructed key\n");
+ }
+ failed = 1;
+ }
+ SECITEM_FreeItem(&id, PR_FALSE);
+ }
+ PK11_DestroyGenericObjects(tstPrivKey);
+ }
+ if (expect_leak && !leak_found) {
+ fprintf(stderr, "ERROR expected leak not found\n");
+ failed = 1;
+ }
PK11_FreeSlot(slot);
return failed ? -1 : 0;
@@ -517,7 +618,7 @@ main(int argc, char **argv)
exp_exp_prime_fail_count = 0;
for (i = 0; i < repeat; i++) {
printf("Running RSA Populate test run %d\n", i);
- ret = doRSAPopulateTest(keySize, exponent, mask, NULL);
+ ret = doRSAPopulateTest(keySize, exponent, mask, i, NULL);
if (ret != 0) {
i++;
break;
@@ -531,5 +632,9 @@ main(int argc, char **argv)
exp_exp_prime_fail_count, i,
(((double)exp_exp_prime_fail_count) * 100.0) / (double)i);
}
+ if (NSS_Shutdown() != SECSuccess) {
+ fprintf(stderr, "Shutdown failed\n");
+ ret = -1;
+ }
return ret;
}
diff --git a/security/nss/cmd/certcgi/certcgi.gyp b/security/nss/cmd/rsapoptst/rsapoptst.gyp
index 5ad2893e0..325a10909 100644
--- a/security/nss/cmd/certcgi/certcgi.gyp
+++ b/security/nss/cmd/rsapoptst/rsapoptst.gyp
@@ -8,26 +8,18 @@
],
'targets': [
{
- 'target_name': 'certcgi',
+ 'target_name': 'rsapoptst',
'type': 'executable',
'sources': [
- 'certcgi.c'
+ 'rsapoptst.c'
],
'dependencies': [
'<(DEPTH)/exports.gyp:dbm_exports',
'<(DEPTH)/exports.gyp:nss_exports',
- '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3'
]
}
],
- 'target_defaults': {
- 'defines': [
- 'NSPR20',
- 'NSS_USE_STATIC_LIBS'
- ]
- },
'variables': {
'module': 'nss',
- 'use_static_libs': 1
}
-} \ No newline at end of file
+}
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index 65b1ee304..fac428e10 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -38,6 +38,7 @@
#include "nss.h"
#include "ssl.h"
#include "sslproto.h"
+#include "sslexp.h"
#include "cert.h"
#include "certt.h"
#include "ocsp.h"
@@ -165,9 +166,7 @@ PrintUsageHeader(const char *progName)
" [-V [min-version]:[max-version]] [-a sni_name]\n"
" [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
" [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
-#ifndef NSS_DISABLE_ECC
" [-e ec_nickname]"
-#endif /* NSS_DISABLE_ECC */
"\n"
" -U [0|1] -H [0|1|2] -W [0|1]\n"
"\n",
@@ -1955,6 +1954,10 @@ server_main(
if (enabledVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) {
errExit("You tried enabling 0RTT without enabling TLS 1.3!");
}
+ rv = SSL_SetupAntiReplay(10 * PR_USEC_PER_SEC, 7, 14);
+ if (rv != SECSuccess) {
+ errExit("error configuring anti-replay ");
+ }
rv = SSL_OptionSet(model_sock, SSL_ENABLE_0RTT_DATA, PR_TRUE);
if (rv != SECSuccess) {
errExit("error enabling 0RTT ");
@@ -2343,7 +2346,6 @@ main(int argc, char **argv)
dir = optstate->value;
break;
-#ifndef NSS_DISABLE_ECC
case 'e':
if (certNicknameIndex >= MAX_CERT_NICKNAME_ARRAY_INDEX) {
Usage(progName);
@@ -2351,7 +2353,6 @@ main(int argc, char **argv)
}
certNicknameArray[certNicknameIndex++] = PORT_Strdup(optstate->value);
break;
-#endif /* NSS_DISABLE_ECC */
case 'f':
pwdata.source = PW_FROMFILE;
@@ -2553,6 +2554,14 @@ main(int argc, char **argv)
tmp = PR_GetEnvSecure("TMPDIR");
if (!tmp)
tmp = PR_GetEnvSecure("TEMP");
+
+ /* Call the NSS initialization routines */
+ rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
+ if (rv != SECSuccess) {
+ fputs("NSS_Init failed.\n", stderr);
+ exit(8);
+ }
+
if (envString) {
/* we're one of the children in a multi-process server. */
listen_sock = PR_GetInheritedFD(inheritableSockName);
@@ -2607,13 +2616,6 @@ main(int argc, char **argv)
/* set our password function */
PK11_SetPasswordFunc(SECU_GetModulePassword);
- /* Call the NSS initialization routines */
- rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
- if (rv != SECSuccess) {
- fputs("NSS_Init failed.\n", stderr);
- exit(8);
- }
-
/* all SSL3 cipher suites are enabled by default. */
if (cipherString) {
char *cstringSaved = cipherString;
@@ -2681,9 +2683,7 @@ main(int argc, char **argv)
certNicknameArray[i]);
exit(11);
}
-#ifdef NSS_DISABLE_ECC
if (privKey[i]->keyType != ecKey)
-#endif
setupCertStatus(certStatusArena, ocspStaplingMode, cert[i], i, &pwdata);
}
diff --git a/security/nss/cmd/signtool/javascript.c b/security/nss/cmd/signtool/javascript.c
index 746f724f8..ffff2db59 100644
--- a/security/nss/cmd/signtool/javascript.c
+++ b/security/nss/cmd/signtool/javascript.c
@@ -1115,8 +1115,7 @@ extract_js(char *filename)
textStart = 0;
startLine = 0;
- while (linenum = FB_GetLineNum(fb), (curchar = FB_GetChar(fb)) !=
- EOF) {
+ while (linenum = FB_GetLineNum(fb), (curchar = FB_GetChar(fb)) != EOF) {
switch (state) {
case TEXT_HTML_STATE:
if (curchar == '<') {
diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c
index 6e776069a..6f8e43946 100644
--- a/security/nss/cmd/signtool/sign.c
+++ b/security/nss/cmd/signtool/sign.c
@@ -43,6 +43,7 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
int status;
char tempfn[FNSIZE], fullfn[FNSIZE];
int keyType = rsaKey;
+ int count;
metafile = meta_file;
optimize = _optimize;
@@ -81,9 +82,18 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
}
/* rsa/dsa to zip */
- sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
- : "rsa"));
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
+ if (count >= sizeof(tempfn)) {
+ PR_fprintf(errorFD, "unable to write key metadata\n");
+ errorCount++;
+ exit(ERRX);
+ }
+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
+ if (count >= sizeof(fullfn)) {
+ PR_fprintf(errorFD, "unable to write key metadata\n");
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
/* Loop through all files & subdirectories, add to archive */
@@ -93,20 +103,44 @@ SignArchive(char *tree, char *keyName, char *zip_file, int javascript,
}
/* mf to zip */
strcpy(tempfn, "META-INF/manifest.mf");
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
+ if (count >= sizeof(fullfn)) {
+ PR_fprintf(errorFD, "unable to write manifest\n");
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
/* sf to zip */
- sprintf(tempfn, "META-INF/%s.sf", base);
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.sf", base);
+ if (count >= sizeof(tempfn)) {
+ PR_fprintf(errorFD, "unable to write sf metadata\n");
+ errorCount++;
+ exit(ERRX);
+ }
+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
+ if (count >= sizeof(fullfn)) {
+ PR_fprintf(errorFD, "unable to write sf metadata\n");
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
/* Add the rsa/dsa file to the zip archive normally */
if (!xpi_arc) {
/* rsa/dsa to zip */
- sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
- : "rsa"));
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ count = snprintf(tempfn, sizeof(tempfn), "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa" : "rsa"));
+ if (count >= sizeof(tempfn)) {
+ PR_fprintf(errorFD, "unable to write key metadata\n");
+ errorCount++;
+ exit(ERRX);
+ }
+ count = snprintf(fullfn, sizeof(fullfn), "%s/%s", tree, tempfn);
+ if (count >= sizeof(fullfn)) {
+ PR_fprintf(errorFD, "unable to write key metadata\n");
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
}
@@ -408,6 +442,7 @@ static int
manifesto_xpi_fn(char *relpath, char *basedir, char *reldir, char *filename, void *arg)
{
char fullname[FNSIZE];
+ int count;
if (verbosity >= 0) {
PR_fprintf(outputFD, "--> %s\n", relpath);
@@ -421,7 +456,10 @@ manifesto_xpi_fn(char *relpath, char *basedir, char *reldir, char *filename, voi
if (!PL_HashTableLookup(extensions, ext))
return 0;
}
- sprintf(fullname, "%s/%s", basedir, relpath);
+ count = snprintf(fullname, sizeof(fullname), "%s/%s", basedir, relpath);
+ if (count >= sizeof(fullname)) {
+ return 1;
+ }
JzipAdd(fullname, relpath, zipfile, compression_level);
return 0;
diff --git a/security/nss/cmd/signtool/signtool.c b/security/nss/cmd/signtool/signtool.c
index 51857d638..915a00fbc 100644
--- a/security/nss/cmd/signtool/signtool.c
+++ b/security/nss/cmd/signtool/signtool.c
@@ -1033,9 +1033,7 @@ main(int argc, char *argv[])
if (errorCount > 0 || warningCount > 0) {
PR_fprintf(outputFD, "%d error%s, %d warning%s.\n",
errorCount,
- errorCount == 1 ? "" : "s", warningCount, warningCount == 1
- ? ""
- : "s");
+ errorCount == 1 ? "" : "s", warningCount, warningCount == 1 ? "" : "s");
} else {
PR_fprintf(outputFD, "Directory %s signed successfully.\n",
jartree);
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
index 10e743c6b..fe17f26a4 100644
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -1572,10 +1572,7 @@ main(int argc, char **argv)
{
unsigned int j;
for (j = 0; j < input.len; j++)
- fprintf(stderr, "%2x%c", input.data[j], (j > 0 &&
- j % 35 == 0)
- ? '\n'
- : ' ');
+ fprintf(stderr, "%2x%c", input.data[j], (j > 0 && j % 35 == 0) ? '\n' : ' ');
}
}
if (input.len > 0) { /* skip if certs-only (or other zero content) */
diff --git a/security/nss/cmd/ssltap/ssltap.c b/security/nss/cmd/ssltap/ssltap.c
index 197b1942d..a2471884e 100644
--- a/security/nss/cmd/ssltap/ssltap.c
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -1637,8 +1637,7 @@ print_ssl3_handshake(unsigned char *recordBuf,
PR_snprintf(certFileName, sizeof certFileName, "cert.%03d",
++certFileNumber);
cfd =
- PR_Open(certFileName, PR_WRONLY |
- PR_CREATE_FILE | PR_TRUNCATE,
+ PR_Open(certFileName, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0664);
if (!cfd) {
PR_fprintf(PR_STDOUT,
@@ -1722,8 +1721,7 @@ print_ssl3_handshake(unsigned char *recordBuf,
0 &&
sslhexparse) {
PR_fprintf(PR_STDOUT, " = {\n");
- print_hex(dnLen, hsdata +
- pos);
+ print_hex(dnLen, hsdata + pos);
PR_fprintf(PR_STDOUT, " }\n");
} else {
PR_fprintf(PR_STDOUT, "\n");
@@ -1796,8 +1794,7 @@ print_ssl3_handshake(unsigned char *recordBuf,
PR_snprintf(ocspFileName, sizeof ocspFileName, "ocsp.%03d",
++ocspFileNumber);
- ofd = PR_Open(ocspFileName, PR_WRONLY |
- PR_CREATE_FILE | PR_TRUNCATE,
+ ofd = PR_Open(ocspFileName, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE,
0664);
if (!ofd) {
PR_fprintf(PR_STDOUT,
@@ -2167,8 +2164,7 @@ print_ssl(DataBufferList *s, int length, unsigned char *buffer)
break;
case 22: /* handshake */
- print_ssl3_handshake(recordBuf, recordLen -
- s->hMACsize,
+ print_ssl3_handshake(recordBuf, recordLen - s->hMACsize,
&sr, s);
break;
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index f65e31913..7d259bd0a 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -886,8 +886,10 @@ PRBool
LoggedIn(CERTCertificate *cert, SECKEYPrivateKey *key)
{
if ((cert->slot) && (key->pkcs11Slot) &&
- (PR_TRUE == PK11_IsLoggedIn(cert->slot, NULL)) &&
- (PR_TRUE == PK11_IsLoggedIn(key->pkcs11Slot, NULL))) {
+ (!PK11_NeedLogin(cert->slot) ||
+ PR_TRUE == PK11_IsLoggedIn(cert->slot, NULL)) &&
+ (!PK11_NeedLogin(key->pkcs11Slot) ||
+ PR_TRUE == PK11_IsLoggedIn(key->pkcs11Slot, NULL))) {
return PR_TRUE;
}
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 959afec59..1ad99502b 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -31,6 +31,7 @@
#include "ocsp.h"
#include "ssl.h"
#include "sslproto.h"
+#include "sslexp.h"
#include "pk11func.h"
#include "secmod.h"
#include "plgetopt.h"
@@ -95,6 +96,7 @@ PRBool verbose;
int dumpServerChain = 0;
int renegotiationsToDo = 0;
int renegotiationsDone = 0;
+PRBool initializedServerSessionCache = PR_FALSE;
static char *progName;
@@ -178,7 +180,7 @@ PrintUsageHeader(const char *progName)
"[-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
"[-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
"[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]] [-I groups]\n"
- "[-A requestfile] [-L totalconnections]\n"
+ "[-A requestfile] [-L totalconnections] [-P {client,server}] [-Q]\n"
"\n",
progName);
}
@@ -202,7 +204,7 @@ PrintParameterUsage(void)
fprintf(stderr, "%-20s Print certificate chain information\n", "-C");
fprintf(stderr, "%-20s (use -C twice to print more certificate details)\n", "");
fprintf(stderr, "%-20s (use -C three times to include PEM format certificate dumps)\n", "");
- fprintf(stderr, "%-20s Nickname of key and cert for client auth\n",
+ fprintf(stderr, "%-20s Nickname of key and cert\n",
"-n nickname");
fprintf(stderr,
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
@@ -251,6 +253,9 @@ PrintParameterUsage(void)
"%-20s The following values are valid:\n"
"%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
"-I", "", "");
+ fprintf(stderr, "%-20s Enable alternative TLS 1.3 handshake\n", "-X alt-server-hello");
+ fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}");
+ fprintf(stderr, "%-20s Exit after handshake\n", "-Q");
}
static void
@@ -914,6 +919,12 @@ char *requestString = NULL;
PRInt32 requestStringLen = 0;
PRBool requestSent = PR_FALSE;
PRBool enableZeroRtt = PR_FALSE;
+PRBool enableAltServerHello = PR_FALSE;
+PRBool useDTLS = PR_FALSE;
+PRBool actAsServer = PR_FALSE;
+PRBool stopAfterHandshake = PR_FALSE;
+PRBool requestToExit = PR_FALSE;
+char *versionString = NULL;
static int
writeBytesToServer(PRFileDesc *s, const char *buf, int nb)
@@ -996,12 +1007,129 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
writeBytesToServer(fd, requestString, requestStringLen);
}
}
+ if (stopAfterHandshake) {
+ requestToExit = PR_TRUE;
+ }
}
#define REQUEST_WAITING (requestString && !requestSent)
+static SECStatus
+installServerCertificate(PRFileDesc *s, char *nickname)
+{
+ CERTCertificate *cert;
+ SECKEYPrivateKey *privKey = NULL;
+
+ if (!nickname) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ cert = PK11_FindCertFromNickname(nickname, &pwdata);
+ if (cert == NULL) {
+ return SECFailure;
+ }
+
+ privKey = PK11_FindKeyByAnyCert(cert, &pwdata);
+ if (privKey == NULL) {
+ return SECFailure;
+ }
+ if (SSL_ConfigServerCert(s, cert, privKey, NULL, 0) != SECSuccess) {
+ return SECFailure;
+ }
+ SECKEY_DestroyPrivateKey(privKey);
+ CERT_DestroyCertificate(cert);
+
+ return SECSuccess;
+}
+
+static SECStatus
+bindToClient(PRFileDesc *s)
+{
+ PRStatus status;
+ status = PR_Bind(s, &addr);
+ if (status != PR_SUCCESS) {
+ return SECFailure;
+ }
+
+ for (;;) {
+ /* Bind the remote address on first packet. This must happen
+ * before we SSL-ize the socket because we need to get the
+ * peer's address before SSLizing. Recvfrom gives us that
+ * while not consuming any data. */
+ unsigned char tmp;
+ PRNetAddr remote;
+ int nb;
+
+ nb = PR_RecvFrom(s, &tmp, 1, PR_MSG_PEEK,
+ &remote, PR_INTERVAL_NO_TIMEOUT);
+ if (nb != 1)
+ continue;
+
+ status = PR_Connect(s, &remote, PR_INTERVAL_NO_TIMEOUT);
+ if (status != PR_SUCCESS) {
+ SECU_PrintError(progName, "server bind to remote end failed");
+ return SECFailure;
+ }
+ return SECSuccess;
+ }
+
+ /* Unreachable. */
+}
+
+static SECStatus
+connectToServer(PRFileDesc *s, PRPollDesc *pollset)
+{
+ PRStatus status;
+ PRInt32 filesReady;
+
+ status = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT);
+ if (status != PR_SUCCESS) {
+ if (PR_GetError() == PR_IN_PROGRESS_ERROR) {
+ if (verbose)
+ SECU_PrintError(progName, "connect");
+ milliPause(50 * multiplier);
+ pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
+ pollset[SSOCK_FD].out_flags = 0;
+ pollset[SSOCK_FD].fd = s;
+ while (1) {
+ FPRINTF(stderr,
+ "%s: about to call PR_Poll for connect completion!\n",
+ progName);
+ filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
+ if (filesReady < 0) {
+ SECU_PrintError(progName, "unable to connect (poll)");
+ return SECFailure;
+ }
+ FPRINTF(stderr,
+ "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
+ progName, pollset[SSOCK_FD].out_flags);
+ if (filesReady == 0) { /* shouldn't happen! */
+ SECU_PrintError(progName, "%s: PR_Poll returned zero!\n");
+ return SECFailure;
+ }
+ status = PR_GetConnectStatus(pollset);
+ if (status == PR_SUCCESS) {
+ break;
+ }
+ if (PR_GetError() != PR_IN_PROGRESS_ERROR) {
+ SECU_PrintError(progName, "unable to connect (poll)");
+ return SECFailure;
+ }
+ SECU_PrintError(progName, "poll");
+ milliPause(50 * multiplier);
+ }
+ } else {
+ SECU_PrintError(progName, "unable to connect");
+ return SECFailure;
+ }
+ }
+
+ return SECSuccess;
+}
+
static int
-run_client(void)
+run(void)
{
int headerSeparatorPtrnId = 0;
int error = 0;
@@ -1017,13 +1145,23 @@ run_client(void)
requestSent = PR_FALSE;
/* Create socket */
- s = PR_OpenTCPSocket(addr.raw.family);
+ if (useDTLS) {
+ s = PR_OpenUDPSocket(addr.raw.family);
+ } else {
+ s = PR_OpenTCPSocket(addr.raw.family);
+ }
+
if (s == NULL) {
SECU_PrintError(progName, "error creating socket");
error = 1;
goto done;
}
+ if (actAsServer) {
+ if (bindToClient(s) != SECSuccess) {
+ return 1;
+ }
+ }
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_TRUE; /* default */
if (serverCertAuth.testFreshStatusFromSideChannel) {
@@ -1036,13 +1174,16 @@ run_client(void)
goto done;
}
- s = SSL_ImportFD(NULL, s);
+ if (useDTLS) {
+ s = DTLS_ImportFD(NULL, s);
+ } else {
+ s = SSL_ImportFD(NULL, s);
+ }
if (s == NULL) {
SECU_PrintError(progName, "error importing socket");
error = 1;
goto done;
}
-
SSL_SetPKCS11PinArg(s, &pwdata);
rv = SSL_OptionSet(s, SSL_SECURITY, 1);
@@ -1052,7 +1193,7 @@ run_client(void)
goto done;
}
- rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, 1);
+ rv = SSL_OptionSet(s, actAsServer ? SSL_HANDSHAKE_AS_SERVER : SSL_HANDSHAKE_AS_CLIENT, 1);
if (rv != SECSuccess) {
SECU_PrintError(progName, "error enabling client handshake");
error = 1;
@@ -1178,6 +1319,16 @@ run_client(void)
}
}
+ /* Alternate ServerHello content type (TLS 1.3 only) */
+ if (enableAltServerHello) {
+ rv = SSL_UseAltServerHelloType(s, PR_TRUE);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling alternate ServerHello type");
+ error = 1;
+ goto done;
+ }
+ }
+
/* require the use of fixed finite-field DH groups */
if (requireDHNamedGroups) {
rv = SSL_OptionSet(s, SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
@@ -1212,7 +1363,21 @@ run_client(void)
if (override) {
SSL_BadCertHook(s, ownBadCertHandler, NULL);
}
- SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname);
+ if (actAsServer) {
+ rv = installServerCertificate(s, nickname);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error installing server cert");
+ return 1;
+ }
+ rv = SSL_ConfigServerSessionIDCache(1024, 0, 0, ".");
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error configuring session cache");
+ return 1;
+ }
+ initializedServerSessionCache = PR_TRUE;
+ } else {
+ SSL_GetClientAuthDataHook(s, own_GetClientAuthData, (void *)nickname);
+ }
SSL_HandshakeCallback(s, handshakeCallback, hs2SniHostName);
if (hs1SniHostName) {
SSL_SetURL(s, hs1SniHostName);
@@ -1220,56 +1385,27 @@ run_client(void)
SSL_SetURL(s, host);
}
- /* Try to connect to the server */
- status = PR_Connect(s, &addr, PR_INTERVAL_NO_TIMEOUT);
- if (status != PR_SUCCESS) {
- if (PR_GetError() == PR_IN_PROGRESS_ERROR) {
- if (verbose)
- SECU_PrintError(progName, "connect");
- milliPause(50 * multiplier);
- pollset[SSOCK_FD].in_flags = PR_POLL_WRITE | PR_POLL_EXCEPT;
- pollset[SSOCK_FD].out_flags = 0;
- pollset[SSOCK_FD].fd = s;
- while (1) {
- FPRINTF(stderr,
- "%s: about to call PR_Poll for connect completion!\n",
- progName);
- filesReady = PR_Poll(pollset, 1, PR_INTERVAL_NO_TIMEOUT);
- if (filesReady < 0) {
- SECU_PrintError(progName, "unable to connect (poll)");
- error = 1;
- goto done;
- }
- FPRINTF(stderr,
- "%s: PR_Poll returned 0x%02x for socket out_flags.\n",
- progName, pollset[SSOCK_FD].out_flags);
- if (filesReady == 0) { /* shouldn't happen! */
- FPRINTF(stderr, "%s: PR_Poll returned zero!\n", progName);
- error = 1;
- goto done;
- }
- status = PR_GetConnectStatus(pollset);
- if (status == PR_SUCCESS) {
- break;
- }
- if (PR_GetError() != PR_IN_PROGRESS_ERROR) {
- SECU_PrintError(progName, "unable to connect (poll)");
- error = 1;
- goto done;
- }
- SECU_PrintError(progName, "poll");
- milliPause(50 * multiplier);
- }
- } else {
- SECU_PrintError(progName, "unable to connect");
+ if (actAsServer) {
+ rv = SSL_ResetHandshake(s, PR_TRUE /* server */);
+ if (rv != SECSuccess) {
+ return 1;
+ }
+ } else {
+ /* Try to connect to the server */
+ rv = connectToServer(s, pollset);
+ if (rv != SECSuccess) {
+ ;
error = 1;
goto done;
}
}
pollset[SSOCK_FD].fd = s;
- pollset[SSOCK_FD].in_flags = PR_POLL_EXCEPT |
- (clientSpeaksFirst ? 0 : PR_POLL_READ);
+ pollset[SSOCK_FD].in_flags = PR_POLL_EXCEPT;
+ if (!actAsServer)
+ pollset[SSOCK_FD].in_flags |= (clientSpeaksFirst ? 0 : PR_POLL_READ);
+ else
+ pollset[SSOCK_FD].in_flags |= PR_POLL_READ;
pollset[STDIN_FD].fd = PR_GetSpecialFD(PR_StandardInput);
if (!REQUEST_WAITING) {
pollset[STDIN_FD].in_flags = PR_POLL_READ;
@@ -1319,9 +1455,11 @@ run_client(void)
** Select on stdin and on the socket. Write data from stdin to
** socket, read data from socket and write to stdout.
*/
+ requestToExit = PR_FALSE;
FPRINTF(stderr, "%s: ready...\n", progName);
- while ((pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) ||
- REQUEST_WAITING) {
+ while (!requestToExit &&
+ ((pollset[SSOCK_FD].in_flags | pollset[STDIN_FD].in_flags) ||
+ REQUEST_WAITING)) {
char buf[4000]; /* buffer for stdin */
int nb; /* num bytes read from stdin. */
@@ -1507,12 +1645,10 @@ main(int argc, char **argv)
}
}
- SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
-
/* XXX: 'B' was used in the past but removed in 3.28,
* please leave some time before resuing it. */
optstate = PL_CreateOptState(argc, argv,
- "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
+ "46A:CDFGHI:KL:M:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case '?':
@@ -1593,6 +1729,21 @@ main(int argc, char **argv)
};
break;
+ case 'P':
+ useDTLS = PR_TRUE;
+ if (!strcmp(optstate->value, "server")) {
+ actAsServer = 1;
+ } else {
+ if (strcmp(optstate->value, "client")) {
+ Usage(progName);
+ }
+ }
+ break;
+
+ case 'Q':
+ stopAfterHandshake = PR_TRUE;
+ break;
+
case 'R':
rootModule = PORT_Strdup(optstate->value);
break;
@@ -1610,14 +1761,16 @@ main(int argc, char **argv)
break;
case 'V':
- if (SECU_ParseSSLVersionRangeString(optstate->value,
- enabledVersions, &enabledVersions) !=
- SECSuccess) {
- fprintf(stderr, "Bad version specified.\n");
+ versionString = PORT_Strdup(optstate->value);
+ break;
+
+ case 'X':
+ if (!strcmp(optstate->value, "alt-server-hello")) {
+ enableAltServerHello = PR_TRUE;
+ } else {
Usage(progName);
}
break;
-
case 'Y':
PrintCipherUsage(progName);
exit(0);
@@ -1727,9 +1880,20 @@ main(int argc, char **argv)
break;
}
}
-
PL_DestroyOptState(optstate);
+ SSL_VersionRangeGetSupported(useDTLS ? ssl_variant_datagram : ssl_variant_stream, &enabledVersions);
+
+ if (versionString) {
+ if (SECU_ParseSSLVersionRangeString(versionString,
+ enabledVersions, &enabledVersions) !=
+ SECSuccess) {
+ fprintf(stderr, "Bad version specified.\n");
+ Usage(progName);
+ }
+ PORT_Free(versionString);
+ }
+
if (optstatus == PL_OPT_BAD) {
Usage(progName);
}
@@ -1758,7 +1922,7 @@ main(int argc, char **argv)
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
PK11_SetPasswordFunc(SECU_GetModulePassword);
-
+ memset(&addr, 0, sizeof(addr));
status = PR_StringToNetAddr(host, &addr);
if (status == PR_SUCCESS) {
addr.inet.port = PR_htons(portno);
@@ -1770,6 +1934,7 @@ main(int argc, char **argv)
addrInfo = PR_GetAddrInfoByName(host, PR_AF_UNSPEC,
PR_AI_ADDRCONFIG | PR_AI_NOCANONNAME);
if (!addrInfo) {
+ fprintf(stderr, "HOSTNAME=%s\n", host);
SECU_PrintError(progName, "error looking up host");
error = 1;
goto done;
@@ -1884,7 +2049,7 @@ main(int argc, char **argv)
}
while (numConnections--) {
- error = run_client();
+ error = run();
if (error) {
goto done;
}
@@ -1915,6 +2080,12 @@ done:
}
if (NSS_IsInitialized()) {
SSL_ClearSessionCache();
+ if (initializedServerSessionCache) {
+ if (SSL_ShutdownServerSessionIDCache() != SECSuccess) {
+ error = 1;
+ }
+ }
+
if (NSS_Shutdown() != SECSuccess) {
error = 1;
}