Diffstat (limited to 'security/nss/cmd/lib/secutil.c')
-rw-r--r-- | security/nss/cmd/lib/secutil.c | 127 |
1 files changed, 97 insertions, 30 deletions
diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index 2b33f8963..cb4752df9 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -54,10 +54,6 @@ static char consoleName[] = { static PRBool utf8DisplayEnabled = PR_FALSE; -/* The minimum password/pin length (in Unicode characters) in FIPS mode, - * defined in lib/softoken/pkcs11i.h. */ -#define FIPS_MIN_PIN 7 - void SECU_EnableUtf8Display(PRBool enable) { @@ -240,8 +236,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) sprintf(prompt, "Press Enter, then enter PIN for \"%s\" on external device.\n", PK11_GetTokenName(slot)); - char *pw = SECU_GetPasswordString(NULL, prompt); - PORT_Free(pw); + (void)SECU_GetPasswordString(NULL, prompt); /* Fall Through */ case PW_PLAINTEXT: return PL_strdup(pwdata->data); 
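Review bot: The new `(void)SECU_GetPasswordString(NULL, prompt);` in the PW_EXTERNAL path discards the returned buffer, so whatever the user typed at the "Press Enter" prompt stays allocated, and unzeroed, in the heap for the life of the process; the removed `char *pw = ...; PORT_Free(pw);` at least released it. Keep the result and release it once the prompt has been acknowledged, zeroing first since the buffer may hold a PIN: `char *pw = SECU_GetPasswordString(NULL, prompt);` followed by `if (pw) PORT_ZFree(pw, strlen(pw));` (this assumes SECU_GetPasswordString returns a PORT-allocated NUL-terminated string, which is not visible in this diff). The enclosing switch in SECU_GetModulePassword starts before the hunk.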
@@ -281,25 +276,10 @@ secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) } /* we have no password, so initialize database with one */ - if (PK11_IsFIPS()) { - PR_fprintf(PR_STDERR, - "Enter a password which will be used to encrypt your keys.\n" - "The password should be at least %d characters long,\n" - "and should consist of at least three character classes.\n" - "The available character classes are: digits (0-9), ASCII\n" - "lowercase letters, ASCII uppercase letters, ASCII\n" - "non-alphanumeric characters, and non-ASCII characters.\n\n" - "If an ASCII uppercase letter appears at the beginning of\n" - "the password, it is not counted toward its character class.\n" - "Similarly, if a digit appears at the end of the password,\n" - "it is not counted toward its character class.\n\n", - FIPS_MIN_PIN); - } else { - PR_fprintf(PR_STDERR, - "Enter a password which will be used to encrypt your keys.\n" - "The password should be at least 8 characters long,\n" - "and should contain at least one non-alphabetic character.\n\n"); - } + PR_fprintf(PR_STDERR, + "Enter a password which will be used to encrypt your keys.\n" + "The password should be at least 8 characters long,\n" + "and should contain at least one non-alphabetic character.\n\n"); output = fopen(consoleName, "w"); if (output == NULL) { 
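Review bot: The single remaining prompt unconditionally tells the user "at least 8 characters ... one non-alphabetic character", but the text this hunk removes states that FIPS-mode tokens enforce a different policy (a minimum length taken from FIPS_MIN_PIN in lib/softoken/pkcs11i.h plus three character classes). If softoken still applies that policy, which this diff does not show, a FIPS user who follows the new advice can be rejected by the token with no explanation, and nothing in the prompt indicates which rules actually apply. Either keep a FIPS-specific prompt behind `if (PK11_IsFIPS())`, or add a comment above the PR_fprintf such as `/* Advisory text only: the token (especially in FIPS mode) may enforce stricter rules and reject a password that satisfies this message. */`. secu_InitSlotPassword starts before and continues after this hunk.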
@@ -485,6 +465,48 @@ SECU_ConfigDirectory(const char *base)
return buf;
}

+/*Turn off SSL for now */
+/* This gets called by SSL when server wants our cert & key */
+int
+SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
+ struct CERTDistNamesStr *caNames,
+ struct CERTCertificateStr **pRetCert,
+ struct SECKEYPrivateKeyStr **pRetKey)
+{
+ SECKEYPrivateKey *key;
+ CERTCertificate *cert;
+ int errsave;
+
+ if (arg == NULL) {
+ fprintf(stderr, "no key/cert name specified for client auth\n");
+ return -1;
+ }
+ cert = PK11_FindCertFromNickname(arg, NULL);
+ errsave = PORT_GetError();
+ if (!cert) {
+ if (errsave == SEC_ERROR_BAD_PASSWORD)
+ fprintf(stderr, "Bad password\n");
+ else if (errsave > 0)
+ fprintf(stderr, "Unable to read cert (error %d)\n", errsave);
+ else if (errsave == SEC_ERROR_BAD_DATABASE)
+ fprintf(stderr, "Unable to get cert from database (%d)\n", errsave);
+ else
+ fprintf(stderr, "SECKEY_FindKeyByName: internal error %d\n", errsave);
+ return -1;
+ }
+
+ key = PK11_FindKeyByAnyCert(arg, NULL);
+ if (!key) {
+ fprintf(stderr, "Unable to get key (%d)\n", PORT_GetError());
+ return -1;
+ }
+
+ *pRetCert = cert;
+ *pRetKey = key;
+
+ return 0;
+}
+
SECStatus
SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii,
PRBool warnOnPrivateKeyInAsciiFile)
@@ -969,7 +991,7 @@ secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level)
for (s = my.data, d = tmp.data; len > 0; len--) {
PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
s += 4;
- if (!isprint(bmpChar & 0xFF))
+ if (!isprint(bmpChar))
goto loser;
*d++ = (unsigned char)bmpChar;
}
@@ -1193,7 +1215,7 @@ secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
SECU_Indent(out, level + 1);
fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
} else {
- SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1);
+ SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1);
}
} else {
SECU_Indent(out, level + 1);
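Review bot: In the added SECU_GetClientAuthData the key lookup passes the nickname, `key = PK11_FindKeyByAnyCert(arg, NULL);`, even though the certificate has already been resolved into `cert`; if PK11_FindKeyByAnyCert takes a CERTCertificate * as its first argument, as its name suggests (confirm against pk11pub.h), this is a type confusion that only compiles because `arg` is `void *`, and the line should read `key = PK11_FindKeyByAnyCert(cert, NULL);`. The `if (!key)` branch also returns without releasing the reference obtained from PK11_FindCertFromNickname, so add `CERT_DestroyCertificate(cert);` before its `return -1;`. The fallback message `"SECKEY_FindKeyByName: internal error %d\n"` names a function this code never calls, the leading `/*Turn off SSL for now */` comment does not describe what follows, and `fd` and `caNames` are unused, so the CA list the peer requested is never consulted; if that is intentional it deserves a one-line comment on the signature.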
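Review bot: `if (!isprint(bmpChar))` passes a 32-bit value to a <ctype.h> function, which is undefined behavior for any argument not representable as unsigned char or EOF; a UniversalString character above 0xFF, which this printer can meet in decoded (presumably untrusted) DER, now indexes outside the classification table, whereas the removed `& 0xFF` mask at least kept the argument in range (while wrongly accepting non-ASCII characters whose low byte happened to be printable). Reject out-of-range characters explicitly before classifying: `if (bmpChar > 0xFF || !isprint((unsigned char)bmpChar))`, which also matches the `(unsigned char)bmpChar` truncation on the following line. secu_PrintUniversalString starts before and ends after this hunk.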
@@ -1313,12 +1335,15 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) return; } + if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1); + return; + } + if (a->parameters.len == 0 || (a->parameters.len == 2 && PORT_Memcmp(a->parameters.data, "\005\000", 2) == 0)) { /* No arguments or NULL argument */ - } else if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level + 1); } else { /* Print args to algorithm */ SECU_PrintAsHex(out, &a->parameters, "Args", level + 1); @@ -1365,6 +1390,7 @@ secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level) } } +#ifndef NSS_DISABLE_ECC static void secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) { @@ -1383,6 +1409,7 @@ secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) SECU_PrintObjectID(out, &curveOID, "Curve", level + 1); } } +#endif /* NSS_DISABLE_ECC */ void SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) @@ -1430,9 +1457,11 @@ secu_PrintSubjectPublicKeyInfo(FILE *out, PLArenaPool *arena, SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level + 1); break; +#ifndef NSS_DISABLE_ECC case ecKey: secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1); break; +#endif case dhKey: case fortezzaKey: 
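Review bot: Moving the `SEC_OID_PKCS1_RSA_PSS_SIGNATURE` test ahead of the empty/NULL-parameters check means an RSA-PSS AlgorithmID whose parameters are absent or an explicit ASN.1 NULL is now handed to secu_PrintRSAPSSParams with a zero-length or `\005\000` SECItem, where before it was treated as "no arguments" and skipped. Whether secu_PrintRSAPSSParams decodes such an item gracefully is outside this hunk (the fragment at -1193 shows only the salt-length branch), so either confirm that it does or keep the guard, e.g. `if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE && a->parameters.len != 0) {`. SECU_PrintAlgorithmID starts before and ends after this hunk.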
@@ -3585,6 +3614,44 @@ loser:
return rv;
}

+#if 0
+
+/* we need access to the private function cert_FindExtension for this code to work */
+
+CERTAuthKeyID *
+SECU_FindCRLAuthKeyIDExten (PLArenaPool *arena, CERTSignedCrl *scrl)
+{
+ SECItem encodedExtenValue;
+ SECStatus rv;
+ CERTAuthKeyID *ret;
+ CERTCrl* crl;
+
+ if (!scrl) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ crl = &scrl->crl;
+
+ encodedExtenValue.data = NULL;
+ encodedExtenValue.len = 0;
+
+ rv = cert_FindExtension(crl->extensions, SEC_OID_X509_AUTH_KEY_ID,
+ &encodedExtenValue);
+ if ( rv != SECSuccess ) {
+ return (NULL);
+ }
+
+ ret = CERT_DecodeAuthKeyID (arena, &encodedExtenValue);
+
+ PORT_Free(encodedExtenValue.data);
+ encodedExtenValue.data = NULL;
+
+ return(ret);
+}
+
+#endif
+
/*
* Find the issuer of a Crl. Use the authorityKeyID if it exists.
*/
@@ -3658,7 +3725,7 @@ SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
void *pwarg)
{
CERTCertificate *the_cert;
- the_cert = CERT_FindCertByNicknameOrEmailAddrCX(handle, name, pwarg);
+ the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
if (the_cert) {
return the_cert;
}
|
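Review bot: The added SECU_FindCRLAuthKeyIDExten is wrapped in `#if 0` and, by its own comment, cannot link because cert_FindExtension is private, so this hunk commits 38 lines of dead code that the compiler never checks and that will silently drift from the real API. Dead code should not be added to the tree; track the need for a public extension accessor in a bug and land the function when it can build, or at most leave a one-line marker such as `/* TODO: CRL authorityKeyID lookup needs a public cert_FindExtension; see bug NNN */`. If it is kept anyway, note that `PORT_Free(encodedExtenValue.data)` assumes cert_FindExtension allocates into the item, an ownership question an uncompiled block never gets to answer.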
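Review bot: The replacement `CERT_FindCertByNicknameOrEmailAddr(handle, name)` drops the `pwarg` that the `...CX` variant received, so the lookup can no longer pass the caller's password-callback context to the token; if this lookup has to authenticate to a protected slot it will now rely on whatever context the default callback falls back to, which the removed call was presumably there to avoid. `pwarg` is still a parameter of SECU_FindCertByNicknameOrFilename (visible in the hunk), so either it is consumed further down, outside this hunk, or it is now unused and the signature is misleading; confirm, and if the change is intended, say so above the call: `/* pwarg is not consulted for the nickname lookup; the default password callback context is used. */`. The function continues past this hunk.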