summaryrefslogtreecommitdiffstats
path: root/security/nss/cmd/lib
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/cmd/lib')
-rw-r--r--security/nss/cmd/lib/basicutil.c191
-rw-r--r--security/nss/cmd/lib/basicutil.h14
-rw-r--r--security/nss/cmd/lib/secutil.c149
-rw-r--r--security/nss/cmd/lib/secutil.h10
4 files changed, 245 insertions, 119 deletions
diff --git a/security/nss/cmd/lib/basicutil.c b/security/nss/cmd/lib/basicutil.c
index dcd039391..de56fbdd9 100644
--- a/security/nss/cmd/lib/basicutil.c
+++ b/security/nss/cmd/lib/basicutil.c
@@ -25,7 +25,6 @@
#endif
#include "secoid.h"
-#include "sslt.h"
extern long DER_GetInteger(const SECItem *src);
@@ -733,97 +732,135 @@ SECU_SECItemHexStringToBinary(SECItem *srcdest)
return SECSuccess;
}
-SSLNamedGroup
-groupNameToNamedGroup(char *name)
+SECItem *
+SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
{
- if (PL_strlen(name) == 4) {
- if (!strncmp(name, "P256", 4)) {
- return ssl_grp_ec_secp256r1;
- }
- if (!strncmp(name, "P384", 4)) {
- return ssl_grp_ec_secp384r1;
- }
- if (!strncmp(name, "P521", 4)) {
- return ssl_grp_ec_secp521r1;
- }
+ int i = 0;
+ int byteval = 0;
+ int tmp = PORT_Strlen(str);
+
+ PORT_Assert(arena);
+ PORT_Assert(item);
+
+ if ((tmp % 2) != 0) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
}
- if (PL_strlen(name) == 6) {
- if (!strncmp(name, "x25519", 6)) {
- return ssl_grp_ec_curve25519;
- }
- if (!strncmp(name, "FF2048", 6)) {
- return ssl_grp_ffdhe_2048;
- }
- if (!strncmp(name, "FF3072", 6)) {
- return ssl_grp_ffdhe_3072;
- }
- if (!strncmp(name, "FF4096", 6)) {
- return ssl_grp_ffdhe_4096;
- }
- if (!strncmp(name, "FF6144", 6)) {
- return ssl_grp_ffdhe_6144;
+
+ item = SECITEM_AllocItem(arena, item, tmp / 2);
+ if (item == NULL) {
+ return NULL;
+ }
+
+ while (str[i]) {
+ if ((str[i] >= '0') && (str[i] <= '9')) {
+ tmp = str[i] - '0';
+ } else if ((str[i] >= 'a') && (str[i] <= 'f')) {
+ tmp = str[i] - 'a' + 10;
+ } else if ((str[i] >= 'A') && (str[i] <= 'F')) {
+ tmp = str[i] - 'A' + 10;
+ } else {
+ /* item is in arena and gets freed by the caller */
+ return NULL;
}
- if (!strncmp(name, "FF8192", 6)) {
- return ssl_grp_ffdhe_8192;
+
+ byteval = byteval * 16 + tmp;
+ if ((i % 2) != 0) {
+ item->data[i / 2] = byteval;
+ byteval = 0;
}
+ i++;
}
- return ssl_grp_none;
+ return item;
}
+/* mapping between ECCurveName enum and SECOidTags */
+static SECOidTag ecCurve_oid_map[] = {
+ SEC_OID_UNKNOWN, /* ECCurve_noName */
+ SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */
+ SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */
+ SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */
+ SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */
+ SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */
+ SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */
+ SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */
+ SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */
+ SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */
+ SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */
+ SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */
+ SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */
+ SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */
+ SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */
+ SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */
+ SEC_OID_ANSIX962_EC_PRIME192V2,
+ SEC_OID_ANSIX962_EC_PRIME192V3,
+ SEC_OID_ANSIX962_EC_PRIME239V1,
+ SEC_OID_ANSIX962_EC_PRIME239V2,
+ SEC_OID_ANSIX962_EC_PRIME239V3,
+ SEC_OID_ANSIX962_EC_C2PNB163V1,
+ SEC_OID_ANSIX962_EC_C2PNB163V2,
+ SEC_OID_ANSIX962_EC_C2PNB163V3,
+ SEC_OID_ANSIX962_EC_C2PNB176V1,
+ SEC_OID_ANSIX962_EC_C2TNB191V1,
+ SEC_OID_ANSIX962_EC_C2TNB191V2,
+ SEC_OID_ANSIX962_EC_C2TNB191V3,
+ SEC_OID_ANSIX962_EC_C2PNB208W1,
+ SEC_OID_ANSIX962_EC_C2TNB239V1,
+ SEC_OID_ANSIX962_EC_C2TNB239V2,
+ SEC_OID_ANSIX962_EC_C2TNB239V3,
+ SEC_OID_ANSIX962_EC_C2PNB272W1,
+ SEC_OID_ANSIX962_EC_C2PNB304W1,
+ SEC_OID_ANSIX962_EC_C2TNB359V1,
+ SEC_OID_ANSIX962_EC_C2PNB368W1,
+ SEC_OID_ANSIX962_EC_C2TNB431R1,
+ SEC_OID_SECG_EC_SECP112R1,
+ SEC_OID_SECG_EC_SECP112R2,
+ SEC_OID_SECG_EC_SECP128R1,
+ SEC_OID_SECG_EC_SECP128R2,
+ SEC_OID_SECG_EC_SECP160K1,
+ SEC_OID_SECG_EC_SECP160R1,
+ SEC_OID_SECG_EC_SECP160R2,
+ SEC_OID_SECG_EC_SECP192K1,
+ SEC_OID_SECG_EC_SECP224K1,
+ SEC_OID_SECG_EC_SECP256K1,
+ SEC_OID_SECG_EC_SECT113R1,
+ SEC_OID_SECG_EC_SECT113R2,
+ SEC_OID_SECG_EC_SECT131R1,
+ SEC_OID_SECG_EC_SECT131R2,
+ SEC_OID_SECG_EC_SECT163R1,
+ SEC_OID_SECG_EC_SECT193R1,
+ SEC_OID_SECG_EC_SECT193R2,
+ SEC_OID_SECG_EC_SECT239K1,
+ SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */
+ SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */
+ SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */
+ SEC_OID_CURVE25519,
+ SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */
+};
+
SECStatus
-parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
- unsigned int *enabledGroupsCount)
+SECU_ecName2params(ECCurveName curve, SECItem *params)
{
- SSLNamedGroup *groups;
- char *str;
- char *p;
- unsigned int numValues = 0;
- unsigned int count = 0;
-
- /* Count the number of groups. */
- str = PORT_Strdup(arg);
- if (!str) {
+ SECOidData *oidData = NULL;
+
+ if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) ||
+ ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) {
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
- p = strtok(str, ",");
- while (p) {
- ++numValues;
- p = strtok(NULL, ",");
- }
- PORT_Free(str);
- str = NULL;
- groups = PORT_ZNewArray(SSLNamedGroup, numValues);
- if (!groups) {
- goto done;
- }
-
- /* Get group names. */
- str = PORT_Strdup(arg);
- if (!str) {
- goto done;
- }
- p = strtok(str, ",");
- while (p) {
- SSLNamedGroup group = groupNameToNamedGroup(p);
- if (group == ssl_grp_none) {
- count = 0;
- goto done;
- }
- groups[count++] = group;
- p = strtok(NULL, ",");
- }
-done:
- if (str) {
- PORT_Free(str);
- }
- if (!count) {
- PORT_Free(groups);
+ if (SECITEM_AllocItem(NULL, params, (2 + oidData->oid.len)) == NULL) {
return SECFailure;
}
+ /*
+ * params->data needs to contain the ASN encoding of an object ID (OID)
+ * representing the named curve. The actual OID is in
+ * oidData->oid.data so we simply prepend 0x06 and OID length
+ */
+ params->data[0] = SEC_ASN1_OBJECT_ID;
+ params->data[1] = oidData->oid.len;
+ memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
- *enabledGroupsCount = count;
- *enabledGroups = groups;
return SECSuccess;
}
diff --git a/security/nss/cmd/lib/basicutil.h b/security/nss/cmd/lib/basicutil.h
index 345fd91a4..de8c1b01e 100644
--- a/security/nss/cmd/lib/basicutil.h
+++ b/security/nss/cmd/lib/basicutil.h
@@ -13,7 +13,7 @@
#include "base64.h"
#include "secasn1.h"
#include "secder.h"
-#include "sslt.h"
+#include "ecl-exp.h"
#include <stdio.h>
#ifdef SECUTIL_NEW
@@ -82,6 +82,14 @@ SECStatus
SECU_SECItemHexStringToBinary(SECItem *srcdest);
/*
+** Read a hex string into a SecItem.
+*/
+extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item,
+ const char *str);
+
+extern SECStatus SECU_ecName2params(ECCurveName curve, SECItem *params);
+
+/*
*
* Utilities for parsing security tools command lines
*
@@ -113,10 +121,6 @@ SECU_ParseCommandLine(int argc, char **argv, char *progName,
char *
SECU_GetOptionArg(const secuCommand *cmd, int optionNum);
-SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
- unsigned int *enabledGroupsCount);
-SSLNamedGroup groupNameToNamedGroup(char *name);
-
/*
*
* Error messaging
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index f3c15d870..cb4752df9 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -32,7 +32,7 @@
#include "certt.h"
#include "certdb.h"
-/* #include "secmod.h" */
+#include "secmod.h"
#include "pk11func.h"
#include "secoid.h"
@@ -3229,6 +3229,10 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
SECStatus rv;
SECItem data;
CERTCertTrust certTrust;
+ PK11SlotList *slotList;
+ PRBool falseAttributeFound = PR_FALSE;
+ PRBool trueAttributeFound = PR_FALSE;
+ const char *moz_policy_ca_info = NULL;
data.data = cert->derCert.data;
data.len = cert->derCert.len;
@@ -3238,6 +3242,35 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert,
if (rv) {
return (SECFailure);
}
+
+ slotList = PK11_GetAllSlotsForCert(cert, NULL);
+ if (slotList) {
+ PK11SlotListElement *se = PK11_GetFirstSafe(slotList);
+ for (; se; se = PK11_GetNextSafe(slotList, se, PR_FALSE)) {
+ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(se->slot, cert, NULL);
+ if (handle != CK_INVALID_HANDLE) {
+ PORT_SetError(0);
+ if (PK11_HasAttributeSet(se->slot, handle,
+ CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE)) {
+ trueAttributeFound = PR_TRUE;
+ } else if (!PORT_GetError()) {
+ falseAttributeFound = PR_TRUE;
+ }
+ }
+ }
+ PK11_FreeSlotList(slotList);
+ }
+
+ if (trueAttributeFound) {
+ moz_policy_ca_info = "true (attribute present)";
+ } else if (falseAttributeFound) {
+ moz_policy_ca_info = "false (attribute present)";
+ } else {
+ moz_policy_ca_info = "false (attribute missing)";
+ }
+ SECU_Indent(stdout, 1);
+ printf("Mozilla-CA-Policy: %s\n", moz_policy_ca_info);
+
if (trust) {
SECU_PrintTrustFlags(stdout, trust,
"Certificate Trust Flags", 1);
@@ -3833,45 +3866,97 @@ SECU_ParseSSLVersionRangeString(const char *input,
return SECSuccess;
}
-SECItem *
-SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
+SSLNamedGroup
+groupNameToNamedGroup(char *name)
{
- int i = 0;
- int byteval = 0;
- int tmp = PORT_Strlen(str);
+ if (PL_strlen(name) == 4) {
+ if (!strncmp(name, "P256", 4)) {
+ return ssl_grp_ec_secp256r1;
+ }
+ if (!strncmp(name, "P384", 4)) {
+ return ssl_grp_ec_secp384r1;
+ }
+ if (!strncmp(name, "P521", 4)) {
+ return ssl_grp_ec_secp521r1;
+ }
+ }
+ if (PL_strlen(name) == 6) {
+ if (!strncmp(name, "x25519", 6)) {
+ return ssl_grp_ec_curve25519;
+ }
+ if (!strncmp(name, "FF2048", 6)) {
+ return ssl_grp_ffdhe_2048;
+ }
+ if (!strncmp(name, "FF3072", 6)) {
+ return ssl_grp_ffdhe_3072;
+ }
+ if (!strncmp(name, "FF4096", 6)) {
+ return ssl_grp_ffdhe_4096;
+ }
+ if (!strncmp(name, "FF6144", 6)) {
+ return ssl_grp_ffdhe_6144;
+ }
+ if (!strncmp(name, "FF8192", 6)) {
+ return ssl_grp_ffdhe_8192;
+ }
+ }
- PORT_Assert(arena);
- PORT_Assert(item);
+ return ssl_grp_none;
+}
- if ((tmp % 2) != 0) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return NULL;
- }
+SECStatus
+parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
+ unsigned int *enabledGroupsCount)
+{
+ SSLNamedGroup *groups;
+ char *str;
+ char *p;
+ unsigned int numValues = 0;
+ unsigned int count = 0;
- item = SECITEM_AllocItem(arena, item, tmp / 2);
- if (item == NULL) {
- return NULL;
+ /* Count the number of groups. */
+ str = PORT_Strdup(arg);
+ if (!str) {
+ return SECFailure;
+ }
+ p = strtok(str, ",");
+ while (p) {
+ ++numValues;
+ p = strtok(NULL, ",");
+ }
+ PORT_Free(str);
+ str = NULL;
+ groups = PORT_ZNewArray(SSLNamedGroup, numValues);
+ if (!groups) {
+ goto done;
}
- while (str[i]) {
- if ((str[i] >= '0') && (str[i] <= '9')) {
- tmp = str[i] - '0';
- } else if ((str[i] >= 'a') && (str[i] <= 'f')) {
- tmp = str[i] - 'a' + 10;
- } else if ((str[i] >= 'A') && (str[i] <= 'F')) {
- tmp = str[i] - 'A' + 10;
- } else {
- /* item is in arena and gets freed by the caller */
- return NULL;
+ /* Get group names. */
+ str = PORT_Strdup(arg);
+ if (!str) {
+ goto done;
+ }
+ p = strtok(str, ",");
+ while (p) {
+ SSLNamedGroup group = groupNameToNamedGroup(p);
+ if (group == ssl_grp_none) {
+ count = 0;
+ goto done;
}
+ groups[count++] = group;
+ p = strtok(NULL, ",");
+ }
- byteval = byteval * 16 + tmp;
- if ((i % 2) != 0) {
- item->data[i / 2] = byteval;
- byteval = 0;
- }
- i++;
+done:
+ if (str) {
+ PORT_Free(str);
+ }
+ if (!count) {
+ PORT_Free(groups);
+ return SECFailure;
}
- return item;
+ *enabledGroupsCount = count;
+ *enabledGroups = groups;
+ return SECSuccess;
}
diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h
index 571615daa..fe07aca60 100644
--- a/security/nss/cmd/lib/secutil.h
+++ b/security/nss/cmd/lib/secutil.h
@@ -18,6 +18,7 @@
#include "basicutil.h"
#include "sslerr.h"
#include "sslt.h"
+#include "blapi.h"
#define SEC_CT_PRIVATE_KEY "private-key"
#define SEC_CT_PUBLIC_KEY "public-key"
@@ -402,11 +403,10 @@ SECStatus
SECU_ParseSSLVersionRangeString(const char *input,
const SSLVersionRange defaultVersionRange,
SSLVersionRange *vrange);
-/*
-** Read a hex string into a SecItem.
-*/
-extern SECItem *SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item,
- const char *str);
+
+SECStatus parseGroupList(const char *arg, SSLNamedGroup **enabledGroups,
+ unsigned int *enabledGroupsCount);
+SSLNamedGroup groupNameToNamedGroup(char *name);
/*
*