summaryrefslogtreecommitdiffstats
path: root/security/nss/cmd/lib
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/cmd/lib')
-rw-r--r--security/nss/cmd/lib/secutil.c127
1 files changed, 97 insertions, 30 deletions
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c
index 2b33f8963..cb4752df9 100644
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -54,10 +54,6 @@ static char consoleName[] = {
static PRBool utf8DisplayEnabled = PR_FALSE;
-/* The minimum password/pin length (in Unicode characters) in FIPS mode,
- * defined in lib/softoken/pkcs11i.h. */
-#define FIPS_MIN_PIN 7
-
void
SECU_EnableUtf8Display(PRBool enable)
{
@@ -240,8 +236,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
sprintf(prompt,
"Press Enter, then enter PIN for \"%s\" on external device.\n",
PK11_GetTokenName(slot));
- char *pw = SECU_GetPasswordString(NULL, prompt);
- PORT_Free(pw);
+ (void)SECU_GetPasswordString(NULL, prompt);
/* Fall Through */
case PW_PLAINTEXT:
return PL_strdup(pwdata->data);
@@ -281,25 +276,10 @@ secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg)
}
/* we have no password, so initialize database with one */
- if (PK11_IsFIPS()) {
- PR_fprintf(PR_STDERR,
- "Enter a password which will be used to encrypt your keys.\n"
- "The password should be at least %d characters long,\n"
- "and should consist of at least three character classes.\n"
- "The available character classes are: digits (0-9), ASCII\n"
- "lowercase letters, ASCII uppercase letters, ASCII\n"
- "non-alphanumeric characters, and non-ASCII characters.\n\n"
- "If an ASCII uppercase letter appears at the beginning of\n"
- "the password, it is not counted toward its character class.\n"
- "Similarly, if a digit appears at the end of the password,\n"
- "it is not counted toward its character class.\n\n",
- FIPS_MIN_PIN);
- } else {
- PR_fprintf(PR_STDERR,
- "Enter a password which will be used to encrypt your keys.\n"
- "The password should be at least 8 characters long,\n"
- "and should contain at least one non-alphabetic character.\n\n");
- }
+ PR_fprintf(PR_STDERR,
+ "Enter a password which will be used to encrypt your keys.\n"
+ "The password should be at least 8 characters long,\n"
+ "and should contain at least one non-alphabetic character.\n\n");
output = fopen(consoleName, "w");
if (output == NULL) {
@@ -485,6 +465,48 @@ SECU_ConfigDirectory(const char *base)
return buf;
}
+/*Turn off SSL for now */
+/* This gets called by SSL when server wants our cert & key */
+int
+SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
+ struct CERTDistNamesStr *caNames,
+ struct CERTCertificateStr **pRetCert,
+ struct SECKEYPrivateKeyStr **pRetKey)
+{
+ SECKEYPrivateKey *key;
+ CERTCertificate *cert;
+ int errsave;
+
+ if (arg == NULL) {
+ fprintf(stderr, "no key/cert name specified for client auth\n");
+ return -1;
+ }
+ cert = PK11_FindCertFromNickname(arg, NULL);
+ errsave = PORT_GetError();
+ if (!cert) {
+ if (errsave == SEC_ERROR_BAD_PASSWORD)
+ fprintf(stderr, "Bad password\n");
+ else if (errsave > 0)
+ fprintf(stderr, "Unable to read cert (error %d)\n", errsave);
+ else if (errsave == SEC_ERROR_BAD_DATABASE)
+ fprintf(stderr, "Unable to get cert from database (%d)\n", errsave);
+ else
+ fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave);
+ return -1;
+ }
+
+ key = PK11_FindKeyByAnyCert(arg, NULL);
+ if (!key) {
+ fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError());
+ return -1;
+ }
+
+ *pRetCert = cert;
+ *pRetKey = key;
+
+ return 0;
+}
+
SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
PRBool warnOnPrivateKeyInAsciiFile)
@@ -969,7 +991,7 @@ secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level)
for (s = my.data, d = tmp.data; len > 0; len--) {
PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
s += 4;
- if (!isprint(bmpChar & 0xFF))
+ if (!isprint(bmpChar))
goto loser;
*d++ = (unsigned char)bmpChar;
}
@@ -1193,7 +1215,7 @@ secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
SECU_Indent(out, level + 1);
fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
} else {
- SECU_PrintInteger(out, &param.saltLength, "Salt length", level + 1);
+ SECU_PrintInteger(out, &param.saltLength, "Salt Length", level + 1);
}
} else {
SECU_Indent(out, level + 1);
@@ -1313,12 +1335,15 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level)
return;
}
+ if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
+ return;
+ }
+
if (a->parameters.len == 0 ||
(a->parameters.len == 2 &&
PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) {
/* No arguments or NULL argument */
- } else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
- secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1);
} else {
/* Print args to algorithm */
SECU_PrintAsHex(out, &a->parameters, "Args", level + 1);
@@ -1365,6 +1390,7 @@ secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level)
}
}
+#ifndef NSS_DISABLE_ECC
static void
secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
{
@@ -1383,6 +1409,7 @@ secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
SECU_PrintObjectID(out, &curveOID, "Curve", level + 1);
}
}
+#endif /* NSS_DISABLE_ECC */
void
SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
@@ -1430,9 +1457,11 @@ secu_PrintSubjectPublicKeyInfo(FILE *out, PLArenaPool *arena,
SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level + 1);
break;
+#ifndef NSS_DISABLE_ECC
case ecKey:
secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1);
break;
+#endif
case dhKey:
case fortezzaKey:
@@ -3585,6 +3614,44 @@ loser:
return rv;
}
+#if 0
+
+/* we need access to the private function cert_FindExtension for this code to work */
+
+CERTAuthKeyID *
+SECU_FindCRLAuthKeyIDExten (PLArenaPool *arena, CERTSignedCrl *scrl)
+{
+ SECItem encodedExtenValue;
+ SECStatus rv;
+ CERTAuthKeyID *ret;
+ CERTCrl* crl;
+
+ if (!scrl) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ crl = &scrl->crl;
+
+ encodedExtenValue.data = NULL;
+ encodedExtenValue.len = 0;
+
+ rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID,
+ &encodedExtenValue);
+ if ( rv != SECSuccess ) {
+ return (NULL);
+ }
+
+ ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
+
+ PORT_Free(encodedExtenValue.data);
+ encodedExtenValue.data = NULL;
+
+ return(ret);
+}
+
+#endif
+
/*
* Find the issuer of a Crl. Use the authorityKeyID if it exists.
*/
@@ -3658,7 +3725,7 @@ SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
void *pwarg)
{
CERTCertificate *the_cert;
- the_cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwarg);
+ the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
if (the_cert) {
return the_cert;
}