diff options
Diffstat (limited to 'security/nss/cmd/certutil')
-rw-r--r-- | security/nss/cmd/certutil/certutil.c | 334 | ||||
-rw-r--r-- | security/nss/cmd/certutil/keystuff.c | 13 |
2 files changed, 89 insertions, 258 deletions
diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index 03f4478b7..fbc752c1b 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -194,8 +194,6 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, PLArenaPool *arena; void *extHandle; SECItem signedReq = { siBuffer, NULL, 0 }; - SECAlgorithmID signAlg; - SECItem *params = NULL; arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!arena) { @@ -213,26 +211,11 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, /* Change cert type to RSA-PSS, if desired. */ if (pssCertificate) { - params = SEC_CreateSignatureAlgorithmParameters(arena, - NULL, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - hashAlgTag, - NULL, - privk); - if (!params) { - PORT_FreeArena(arena, PR_FALSE); - SECKEY_DestroySubjectPublicKeyInfo(spki); - SECU_PrintError(progName, "unable to create RSA-PSS parameters"); - return SECFailure; - } - spki->algorithm.parameters.data = NULL; rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - hashAlgTag == SEC_OID_UNKNOWN ? NULL : params); + SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0); if (rv != SECSuccess) { PORT_FreeArena(arena, PR_FALSE); - SECKEY_DestroySubjectPublicKeyInfo(spki); SECU_PrintError(progName, "unable to set algorithm ID"); return SECFailure; } @@ -273,34 +256,16 @@ CertReq(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk, KeyType keyType, return SECFailure; } - PORT_Memset(&signAlg, 0, sizeof(signAlg)); - if (pssCertificate) { - rv = SECOID_SetAlgorithmID(arena, &signAlg, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, params); - if (rv != SECSuccess) { - PORT_FreeArena(arena, PR_FALSE); - SECU_PrintError(progName, "unable to set algorithm ID"); - return SECFailure; - } - } else { - signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); - if (signAlgTag == SEC_OID_UNKNOWN) { - PORT_FreeArena(arena, PR_FALSE); - SECU_PrintError(progName, "unknown Key or Hash type"); - return SECFailure; - } - rv = SECOID_SetAlgorithmID(arena, &signAlg, signAlgTag, 0); - if (rv != SECSuccess) { - PORT_FreeArena(arena, PR_FALSE); - SECU_PrintError(progName, "unable to set algorithm ID"); - return SECFailure; - } + /* Sign the request */ + signAlgTag = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); + if (signAlgTag == SEC_OID_UNKNOWN) { + PORT_FreeArena(arena, PR_FALSE); + SECU_PrintError(progName, "unknown Key or Hash type"); + return SECFailure; } - /* Sign the request */ - rv = SEC_DerSignDataWithAlgorithmID(arena, &signedReq, - encoding->data, encoding->len, - privk, &signAlg); + rv = SEC_DerSignData(arena, &signedReq, encoding->data, encoding->len, + privk, signAlgTag); if (rv) { PORT_FreeArena(arena, PR_FALSE); SECU_PrintError(progName, "signing of data failed"); @@ -400,7 +365,7 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot, CERTCertificate *cert; CERTCertTrust *trust; - cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata); + cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); if (!cert) { SECU_PrintError(progName, "could not find certificate named \"%s\"", name); @@ -626,10 +591,6 @@ ListCerts(CERTCertDBHandle *handle, char *nickname, char *email, { SECStatus rv; - if (slot && PK11_NeedUserInit(slot)) { - printf("\nDatabase needs user init\n"); - } - if (!ascii && !raw && !nickname && !email) { PR_fprintf(outfile, "\n%-60s %-5s\n%-60s %-5s\n\n", "Certificate Nickname", "Trust Attributes", "", @@ -653,12 +614,12 @@ ListCerts(CERTCertDBHandle *handle, char *nickname, char *email, } static SECStatus -DeleteCert(CERTCertDBHandle *handle, char *name, void *pwdata) +DeleteCert(CERTCertDBHandle *handle, char *name) { SECStatus rv; CERTCertificate *cert; - cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata); + cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); if (!cert) { SECU_PrintError(progName, "could not find certificate named \"%s\"", name); @@ -674,12 +635,12 @@ DeleteCert(CERTCertDBHandle *handle, char *name, void *pwdata) } static SECStatus -RenameCert(CERTCertDBHandle *handle, char *name, char *newName, void *pwdata) +RenameCert(CERTCertDBHandle *handle, char *name, char *newName) { SECStatus rv; CERTCertificate *cert; - cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwdata); + cert = CERT_FindCertByNicknameOrEmailAddr(handle, name); if (!cert) { SECU_PrintError(progName, "could not find certificate named \"%s\"", name); @@ -1054,18 +1015,6 @@ ListModules(void) } static void -PrintBuildFlags() -{ -#ifdef NSS_FIPS_DISABLED - PR_fprintf(PR_STDOUT, "NSS_FIPS_DISABLED\n"); -#endif -#ifdef NSS_NO_INIT_SUPPORT - PR_fprintf(PR_STDOUT, "NSS_NO_INIT_SUPPORT\n"); -#endif - exit(0); -} - -static void PrintSyntax(char *progName) { #define FPS fprintf(stderr, @@ -1095,10 +1044,15 @@ PrintSyntax(char *progName) "\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n" "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); +#ifndef NSS_DISABLE_ECC FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n" "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n", progName); +#else + FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n", + progName); +#endif /* NSS_DISABLE_ECC */ FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n"); FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n", progName); @@ -1112,7 +1066,6 @@ PrintSyntax(char *progName) FPS "\t%s -L [-n cert-name] [-h token-name] [--email email-address]\n", progName); FPS "\t\t [-X] [-r] [-a] [--dump-ext-val OID] [-d certdir] [-P dbprefix]\n"); - FPS "\t%s --build-flags\n", progName); FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n", progName); FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName); @@ -1231,8 +1184,6 @@ luC(enum usage_level ul, const char *command) " -o output-cert"); FPS "%-20s Self sign\n", " -x"); - FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n", - " --pss-sign"); FPS "%-20s Cert serial number\n", " -m serial-number"); FPS "%-20s Time Warp\n", @@ -1293,10 +1244,17 @@ luG(enum usage_level ul, const char *command) return; FPS "%-20s Name of token in which to generate key (default is internal)\n", " -h token-name"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n", " -k key-type"); FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); +#else + FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n", + " -k key-type"); + FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n", + " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); +#endif /* NSS_DISABLE_ECC */ FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n", " -y exp"); FPS "%-20s Specify the password file\n", @@ -1305,6 +1263,7 @@ luG(enum usage_level ul, const char *command) " -z noisefile"); FPS "%-20s read PQG value from pqgfile (dsa only)\n", " -q pqgfile"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Elliptic curve name (ec only)\n", " -q curve-name"); FPS "%-20s One of nistp256, nistp384, nistp521, curve25519.\n", ""); @@ -1326,6 +1285,7 @@ luG(enum usage_level ul, const char *command) FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", ""); FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", ""); FPS "%-20s sect131r1, sect131r2\n", ""); +#endif FPS "%-20s Key database directory (default is ~/.netscape)\n", " -d keydir"); FPS "%-20s Cert & Key database prefix\n", @@ -1415,7 +1375,9 @@ luK(enum usage_level ul, const char *command) " -h token-name "); FPS "%-20s Key type (\"all\" (default), \"dsa\"," +#ifndef NSS_DISABLE_ECC " \"ec\"," +#endif " \"rsa\")\n", " -k key-type"); FPS "%-20s The nickname of the key or associated certificate\n", @@ -1558,7 +1520,11 @@ luR(enum usage_level ul, const char *command) " -s subject"); FPS "%-20s Output the cert request to this file\n", " -o output-req"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n", +#else + FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n", +#endif /* NSS_DISABLE_ECC */ " -k key-type-or-id"); FPS "%-20s or nickname of the cert key to use \n", ""); @@ -1566,14 +1532,14 @@ luR(enum usage_level ul, const char *command) " -h token-name"); FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); - FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n", - " --pss"); FPS "%-20s Name of file containing PQG parameters (dsa only)\n", " -q pqgfile"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Elliptic curve name (ec only)\n", " -q curve-name"); FPS "%-20s See the \"-G\" option for a full list of supported names.\n", ""); +#endif /* NSS_DISABLE_ECC */ FPS "%-20s Specify the password file\n", " -f pwfile"); FPS "%-20s Key database directory (default is ~/.netscape)\n", @@ -1739,24 +1705,26 @@ luS(enum usage_level ul, const char *command) " -c issuer-name"); FPS "%-20s Set the certificate trust attributes (see -A above)\n", " -t trustargs"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n", +#else + FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n", +#endif /* NSS_DISABLE_ECC */ " -k key-type-or-id"); FPS "%-20s Name of token in which to generate key (default is internal)\n", " -h token-name"); FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n", " -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS); - FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n", - " --pss"); FPS "%-20s Name of file containing PQG parameters (dsa only)\n", " -q pqgfile"); +#ifndef NSS_DISABLE_ECC FPS "%-20s Elliptic curve name (ec only)\n", " -q curve-name"); FPS "%-20s See the \"-G\" option for a full list of supported names.\n", ""); +#endif /* NSS_DISABLE_ECC */ FPS "%-20s Self sign\n", " -x"); - FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n", - " --pss-sign"); FPS "%-20s Cert serial number\n", " -m serial-number"); FPS "%-20s Time Warp\n", @@ -1826,18 +1794,6 @@ luS(enum usage_level ul, const char *command) } static void -luBuildFlags(enum usage_level ul, const char *command) -{ - int is_my_command = (command && 0 == strcmp(command, "build-flags")); - if (ul == usage_all || !command || is_my_command) - FPS "%-15s Print enabled build flags relevant for NSS test execution\n", - "--build-flags"); - if (ul == usage_selected && !is_my_command) - return; - FPS "\n"); -} - -static void LongUsage(char *progName, enum usage_level ul, const char *command) { luA(ul, command); @@ -1851,7 +1807,6 @@ LongUsage(char *progName, enum usage_level ul, const char *command) luU(ul, command); luK(ul, command); luL(ul, command); - luBuildFlags(ul, command); luM(ul, command); luN(ul, command); luT(ul, command); @@ -1934,119 +1889,46 @@ MakeV1Cert(CERTCertDBHandle *handle, } static SECStatus -SetSignatureAlgorithm(PLArenaPool *arena, - SECAlgorithmID *signAlg, - SECAlgorithmID *spkiAlg, - SECOidTag hashAlgTag, - SECKEYPrivateKey *privKey, - PRBool pssSign) -{ - SECStatus rv; - - if (pssSign || - SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - SECItem *srcParams; - SECItem *params; - - if (SECOID_GetAlgorithmTag(spkiAlg) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - srcParams = &spkiAlg->parameters; - } else { - /* If the issuer's public key is RSA, the parameter field - * of the SPKI should be NULL, which can't be used as a - * basis of RSA-PSS parameters. */ - srcParams = NULL; - } - params = SEC_CreateSignatureAlgorithmParameters(arena, - NULL, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - hashAlgTag, - srcParams, - privKey); - if (!params) { - SECU_PrintError(progName, "Could not create RSA-PSS parameters"); - return SECFailure; - } - rv = SECOID_SetAlgorithmID(arena, signAlg, - SEC_OID_PKCS1_RSA_PSS_SIGNATURE, - params); - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set signature algorithm id."); - return rv; - } - } else { - KeyType keyType = SECKEY_GetPrivateKeyType(privKey); - SECOidTag algID; - - algID = SEC_GetSignatureAlgorithmOidTag(keyType, hashAlgTag); - if (algID == SEC_OID_UNKNOWN) { - SECU_PrintError(progName, "Unknown key or hash type for issuer."); - return SECFailure; - } - rv = SECOID_SetAlgorithmID(arena, signAlg, algID, 0); - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set signature algorithm id."); - return rv; - } - } - return SECSuccess; -} - -static SECStatus SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, SECOidTag hashAlgTag, SECKEYPrivateKey *privKey, char *issuerNickName, - int certVersion, PRBool pssSign, void *pwarg) + int certVersion, void *pwarg) { SECItem der; SECKEYPrivateKey *caPrivateKey = NULL; SECStatus rv; PLArenaPool *arena; - CERTCertificate *issuer; + SECOidTag algID; void *dummy; - arena = cert->arena; - - if (selfsign) { - issuer = cert; - } else { - issuer = PK11_FindCertFromNickname(issuerNickName, pwarg); + if (!selfsign) { + CERTCertificate *issuer = PK11_FindCertFromNickname(issuerNickName, pwarg); if ((CERTCertificate *)NULL == issuer) { SECU_PrintError(progName, "unable to find issuer with nickname %s", issuerNickName); - rv = SECFailure; - goto done; + return SECFailure; } + privKey = caPrivateKey = PK11_FindKeyByAnyCert(issuer, pwarg); + CERT_DestroyCertificate(issuer); if (caPrivateKey == NULL) { SECU_PrintError(progName, "unable to retrieve key %s", issuerNickName); - rv = SECFailure; - CERT_DestroyCertificate(issuer); - goto done; + return SECFailure; } } - if (pssSign && - (SECKEY_GetPrivateKeyType(privKey) != rsaKey && - SECKEY_GetPrivateKeyType(privKey) != rsaPssKey)) { - SECU_PrintError(progName, "unable to create RSA-PSS signature with key %s", - issuerNickName); + arena = cert->arena; + + algID = SEC_GetSignatureAlgorithmOidTag(privKey->keyType, hashAlgTag); + if (algID == SEC_OID_UNKNOWN) { + fprintf(stderr, "Unknown key or hash type for issuer."); rv = SECFailure; - if (!selfsign) { - CERT_DestroyCertificate(issuer); - } goto done; } - rv = SetSignatureAlgorithm(arena, - &cert->signature, - &issuer->subjectPublicKeyInfo.algorithm, - hashAlgTag, - privKey, - pssSign); - if (!selfsign) { - CERT_DestroyCertificate(issuer); - } + rv = SECOID_SetAlgorithmID(arena, &cert->signature, algID, 0); if (rv != SECSuccess) { + fprintf(stderr, "Could not set signature algorithm id."); goto done; } @@ -2065,8 +1947,7 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, break; default: PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - goto done; + return SECFailure; } der.len = 0; @@ -2079,8 +1960,7 @@ SignCert(CERTCertDBHandle *handle, CERTCertificate *cert, PRBool selfsign, goto done; } - rv = SEC_DerSignDataWithAlgorithmID(arena, &cert->derCert, der.data, der.len, - privKey, &cert->signature); + rv = SEC_DerSignData(arena, &cert->derCert, der.data, der.len, privKey, algID); if (rv != SECSuccess) { fprintf(stderr, "Could not sign encoded certificate data.\n"); /* result allocated out of the arena, it will be freed @@ -2113,7 +1993,6 @@ CreateCert( certutilExtnList extnList, const char *extGeneric, int certVersion, - PRBool pssSign, SECItem *certDER) { void *extHandle = NULL; @@ -2174,7 +2053,7 @@ CreateCert( rv = SignCert(handle, subjectCert, selfsign, hashAlgTag, *selfsignprivkey, issuerNickName, - certVersion, pssSign, pwarg); + certVersion, pwarg); if (rv != SECSuccess) break; @@ -2427,7 +2306,6 @@ enum { cmd_Merge, cmd_UpgradeMerge, /* test only */ cmd_Rename, - cmd_BuildFlags, max_cmd }; @@ -2498,7 +2376,6 @@ enum certutilOpts { opt_GenericExtensions, opt_NewNickname, opt_Pss, - opt_PssSign, opt_Help }; @@ -2530,9 +2407,7 @@ static const secuCommandFlag commands_init[] = { /* cmd_UpgradeMerge */ 0, PR_FALSE, 0, PR_FALSE, "upgrade-merge" }, { /* cmd_Rename */ 0, PR_FALSE, 0, PR_FALSE, - "rename" }, - { /* cmd_BuildFlags */ 0, PR_FALSE, 0, PR_FALSE, - "build-flags" } + "rename" } }; #define NUM_COMMANDS ((sizeof commands_init) / (sizeof commands_init[0])) @@ -2621,8 +2496,6 @@ static const secuCommandFlag options_init[] = "new-n" }, { /* opt_Pss */ 0, PR_FALSE, 0, PR_FALSE, "pss" }, - { /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE, - "pss-sign" }, }; #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0])) @@ -2719,10 +2592,6 @@ certutil_main(int argc, char **argv, PRBool initialize) exit(1); } - if (certutil.commands[cmd_BuildFlags].activated) { - PrintBuildFlags(); - } - if (certutil.options[opt_PasswordFile].arg) { pwdata.source = PW_FROMFILE; pwdata.data = certutil.options[opt_PasswordFile].arg; @@ -2752,10 +2621,12 @@ certutil_main(int argc, char **argv, PRBool initialize) progName, MIN_KEY_BITS, MAX_KEY_BITS); return 255; } +#ifndef NSS_DISABLE_ECC if (keytype == ecKey) { PR_fprintf(PR_STDERR, "%s -g: Not for ec keys.\n", progName); return 255; } +#endif /* NSS_DISABLE_ECC */ } /* -h specify token name */ @@ -2784,8 +2655,10 @@ certutil_main(int argc, char **argv, PRBool initialize) keytype = rsaKey; } else if (PL_strcmp(arg, "dsa") == 0) { keytype = dsaKey; +#ifndef NSS_DISABLE_ECC } else if (PL_strcmp(arg, "ec") == 0) { keytype = ecKey; +#endif /* NSS_DISABLE_ECC */ } else if (PL_strcmp(arg, "all") == 0) { keytype = nullKey; } else { @@ -2838,10 +2711,16 @@ certutil_main(int argc, char **argv, PRBool initialize) /* -q PQG file or curve name */ if (certutil.options[opt_PQGFile].activated) { +#ifndef NSS_DISABLE_ECC if ((keytype != dsaKey) && (keytype != ecKey)) { PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys" " (-k dsa) or a named curve for EC keys (-k ec)\n)", progName); +#else /* } */ + if (keytype != dsaKey) { + PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)", + progName); +#endif /* NSS_DISABLE_ECC */ return 255; } } @@ -3153,43 +3032,11 @@ certutil_main(int argc, char **argv, PRBool initialize) /* If creating new database, initialize the password. */ if (certutil.commands[cmd_NewDBs].activated) { - if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot))) { - rv = PK11_InitPin(slot, (char *)NULL, ""); - } else { - rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg, - certutil.options[opt_NewPasswordFile].arg); - } - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set password for the slot"); - goto shutdown; - } - } - - /* if we are going to modify the cert database, - * make sure it's initialized */ - if (certutil.commands[cmd_ModifyCertTrust].activated || - certutil.commands[cmd_CreateAndAddCert].activated || - certutil.commands[cmd_AddCert].activated || - certutil.commands[cmd_AddEmailCert].activated) { - if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { - char *password = NULL; - /* fetch the password from the command line or the file - * if no password is supplied, initialize the password to NULL */ - if (pwdata.source == PW_FROMFILE) { - password = SECU_FilePasswd(slot, PR_FALSE, pwdata.data); - } else if (pwdata.source == PW_PLAINTEXT) { - password = PL_strdup(pwdata.data); - } - rv = PK11_InitPin(slot, (char *)NULL, password ? password : ""); - if (password) { - PORT_Memset(password, 0, PL_strlen(password)); - PORT_Free(password); - } - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set password for the slot"); - goto shutdown; - } - } + if (certutil.options[opt_EmptyPassword].activated && (PK11_NeedUserInit(slot))) + PK11_InitPin(slot, (char *)NULL, ""); + else + SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg, + certutil.options[opt_NewPasswordFile].arg); } /* walk through the upgrade merge if necessary. @@ -3367,12 +3214,12 @@ certutil_main(int argc, char **argv, PRBool initialize) } /* Delete cert (-D) */ if (certutil.commands[cmd_DeleteCert].activated) { - rv = DeleteCert(certHandle, name, &pwdata); + rv = DeleteCert(certHandle, name); goto shutdown; } /* Rename cert (--rename) */ if (certutil.commands[cmd_Rename].activated) { - rv = RenameCert(certHandle, name, newName, &pwdata); + rv = RenameCert(certHandle, name, newName); goto shutdown; } /* Delete key (-F) */ @@ -3390,10 +3237,7 @@ certutil_main(int argc, char **argv, PRBool initialize) if (certutil.commands[cmd_ChangePassword].activated) { rv = SECU_ChangePW2(slot, 0, 0, certutil.options[opt_PasswordFile].arg, certutil.options[opt_NewPasswordFile].arg); - if (rv != SECSuccess) { - SECU_PrintError(progName, "Could not set password for the slot"); - goto shutdown; - } + goto shutdown; } /* Reset the a token */ if (certutil.commands[cmd_TokenReset].activated) { @@ -3518,25 +3362,6 @@ certutil_main(int argc, char **argv, PRBool initialize) } } - /* --pss-sign is to sign a certificate with RSA-PSS, even if the - * issuer's key is an RSA key. If the key is an RSA-PSS key, the - * generated signature is always RSA-PSS. */ - if (certutil.options[opt_PssSign].activated) { - if (!certutil.commands[cmd_CreateNewCert].activated && - !certutil.commands[cmd_CreateAndAddCert].activated) { - PR_fprintf(PR_STDERR, - "%s -%c: --pss-sign only works with -C or -S.\n", - progName, commandToRun); - return 255; - } - if (keytype != rsaKey) { - PR_fprintf(PR_STDERR, - "%s -%c: --pss-sign only works with RSA keys.\n", - progName, commandToRun); - return 255; - } - } - /* If we need a list of extensions convert the flags into list format */ if (certutil.commands[cmd_CertReq].activated || certutil.commands[cmd_CreateAndAddCert].activated || @@ -3674,7 +3499,6 @@ certutil_main(int argc, char **argv, PRBool initialize) (certutil.options[opt_GenericExtensions].activated ? certutil.options[opt_GenericExtensions].arg : NULL), certVersion, - certutil.options[opt_PssSign].activated, &certDER); if (rv) goto shutdown; diff --git a/security/nss/cmd/certutil/keystuff.c b/security/nss/cmd/certutil/keystuff.c index 330284c61..2878e3765 100644 --- a/security/nss/cmd/certutil/keystuff.c +++ b/security/nss/cmd/certutil/keystuff.c @@ -380,6 +380,7 @@ CERTUTIL_FileForRNG(const char *noise) return SECSuccess; } +#ifndef NSS_DISABLE_ECC typedef struct curveNameTagPairStr { char *curveName; SECOidTag curveOidTag; @@ -494,9 +495,9 @@ getECParams(const char *curve) ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len)); - /* + /* * ecparams->data needs to contain the ASN encoding of an object ID (OID) - * representing the named curve. The actual OID is in + * representing the named curve. The actual OID is in * oidData->oid.data so we simply prepend 0x06 and OID length */ ecparams->data[0] = SEC_ASN1_OBJECT_ID; @@ -505,6 +506,7 @@ getECParams(const char *curve) return ecparams; } +#endif /* NSS_DISABLE_ECC */ SECKEYPrivateKey * CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, @@ -562,12 +564,14 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, params = (void *)&default_pqg_params; } break; +#ifndef NSS_DISABLE_ECC case ecKey: mechanism = CKM_EC_KEY_PAIR_GEN; /* For EC keys, PQGFile determines EC parameters */ if ((params = (void *)getECParams(pqgFile)) == NULL) return NULL; break; +#endif /* NSS_DISABLE_ECC */ default: return NULL; } @@ -576,7 +580,8 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, fprintf(stderr, "Generating key. This may take a few moments...\n\n"); privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp, - attrFlags, opFlagsOn, opFlagsOn | opFlagsOff, + attrFlags, opFlagsOn, opFlagsOn | + opFlagsOff, pwdata /*wincx*/); /* free up the params */ switch (keytype) { @@ -584,9 +589,11 @@ CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size, if (dsaparams) CERTUTIL_DestroyParamsPQG(dsaparams); break; +#ifndef NSS_DISABLE_ECC case ecKey: SECITEM_FreeItem((SECItem *)params, PR_TRUE); break; +#endif default: /* nothing to free */ break; } |